[Federal Register Volume 78, Number 145 (Monday, July 29, 2013)] [Proposed Rules] [Pages 45782-45839] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2013-17994] [[Page 45781]] Vol. 78 Monday, No. 145 July 29, 2013 Part IV Department of Health and Human Services ----------------------------------------------------------------------- Food and Drug Administration ----------------------------------------------------------------------- 21 CFR Part 1 and 16 Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications; Proposed Rule Federal Register / Vol. 78, No. 145 / Monday, July 29, 2013 / Proposed Rules [[Page 45782]] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration 21 CFR Parts 1 and 16 [Docket No. FDA-2011-N-0146] RIN 0910-AG66 Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications AGENCY: Food and Drug Administration, HHS. ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: The Food and Drug Administration (FDA) is amending its regulations to provide for accreditation of third-party auditors/ certification bodies to conduct food safety audits of foreign food entities, including registered foreign food facilities, and to issue food and facility certifications, under the FDA Food Safety Modernization Act (FSMA). Use of accredited third-party auditors/ certification bodies and food and facility certifications will help FDA prevent potentially harmful food from reaching U.S. consumers and thereby improve the safety of the U.S. food supply. FDA also expects that these regulations will increase efficiency by reducing the number of redundant food safety audits. DATES: Submit either electronic or written comments on the proposed rule by November 26, 2013. ADDRESSES: You may submit comments, identified by Docket No. FDA-2011- N-0146 and/or Regulatory Information Number (RIN) 0910-AG66, by any of the following methods. Electronic Submissions Submit electronic comments in the following way:Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Written Submissions Submit written submissions in the following ways: Mail/Hand delivery/Courier (for paper or CD-ROM submissions): Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852. Instructions: All submissions received must include the Agency name and Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66 for this rulemaking. All comments received may be posted without change to http://www.regulations.gov, including any personal information provided. For additional information on submitting comments, see the ``Comments'' heading of the SUPPLEMENTARY INFORMATION section of this document. Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov and insert the docket number, found in brackets in the heading of this document, into the ``Search'' box and follow the prompts and/or go to the Division of Dockets Management, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852. FOR FURTHER INFORMATION CONTACT: Charlotte A. Christin, Office of the Commissioner, Office of Policy, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 32, Rm. 4234, Silver Spring, MD 20993, 240-402- 3708. SUPPLEMENTARY INFORMATION: Executive Summary Purpose of the Proposed Rule This proposed rule, if finalized, will help FDA ensure the competence and independence of third-party auditors/certification bodies who conduct foreign food safety audits. It also will help ensure the reliability of food and facility certifications issued by third- party auditors/certification bodies that FDA will use in making certain decisions relating to imported food (including pet food and animal feed). These certifications include, for example, food certifications required by FDA as a condition of granting admission to a food determined to pose a safety risk. Having comprehensive oversight of a credible and reliable program for third-party audits and certifications of foreign food facilities will help FDA prevent potentially harmful food from reaching U.S. consumers and thereby improve the safety of the U.S. food supply. We believe that a trusted program for foreign food safety audits and food and facility certifications--with clear requirements, standards, and procedures and operated under government oversight--will be appealing to accreditation bodies, auditors/ certification bodies, and foreign food facilities. Widespread participation and broad acceptance of audits and certifications under the FDA program will help increase efficiency and reduce costs, by eliminating redundant auditing to assess foreign suppliers' compliance with the Federal Food, Drug, and Cosmetic Act (the FD&C Act). FSMA adds section 808 to the FD&C Act (21 U.S.C. 384d), which directs us to establish a new program for accreditation of third-party auditors \1\ conducting food safety audits and issuing food and facility certifications to eligible foreign entities (including registered foreign food facilities) that meet our applicable requirements. Under this provision, we will recognize accreditation bodies to accredit third-party auditors/certification bodies, except for limited circumstances in which we may directly accredit auditors/ certification bodies to participate in the accredited third-party audits and certification program. --------------------------------------------------------------------------- \1\ Section 808 of the FD&C Act uses the term ``auditor'' to describe an entity that conducts audits and issues certifications. We propose to use the term ``auditor/certification body,'' which adds the words ``certification body'' to better comport with the terminology used by the food industry and the international standards community when describing organizations that not only conduct audits but also issue certifications based on audit results. We will use the statutory term only when referring to the requirements of section 808 of the FD&C Act. --------------------------------------------------------------------------- [[Page 45783]] [GRAPHIC] [TIFF OMITTED] TP29JY13.008 We will use certifications issued by accredited third-party auditors/certification bodies in deciding whether to admit certain imported food into the United States that FDA has determined poses a food safety risk and in deciding whether an importer is eligible to participate in a program for expedited review and entry of food imports. We will exercise oversight of the accredited third-party audits and certification program and can remove an accreditation body or an auditor/certification body for good cause, by revoking recognition of the accreditation body or by withdrawing accreditation of the third-party auditor/certification body. We must issue implementing regulations that include measures to protect against conflicts of interest and must issue model accreditation standards that third-party auditors/certification bodies must meet to qualify for accreditation.\2\ The statute directs us to look to existing standards for guidance when developing these model accreditation standards. --------------------------------------------------------------------------- \2\ We will issue draft model accreditation standards to specify the qualifications for accreditation, such as the minimum requirements for education and experience for third-party auditors/ certification bodies (and their audit agents) to qualify for accreditation. We will open a public docket to accept comments on the draft standards and plan to take necessary procedural steps to finalize the model standards. --------------------------------------------------------------------------- Summary of the Major Provisions of the Proposed Rule This proposal contains eligibility requirements for accreditation bodies to qualify for recognition and requirements that accreditation bodies choosing to participate in the FDA program must meet, once recognized. It also contains eligibility requirements for third-party auditors/certification bodies to qualify for accreditation and requirements that third-party auditors/certification bodies choosing to participate in the FDA program must meet, once accredited. These requirements will ensure the competence and independence of the accreditation bodies and third-party auditors/certification bodies participating in the program for accredited third-party audits and certification that is established under this subpart. This proposal contains procedures for recognition and accreditation, as well as requirements relating to monitoring and oversight of participating accreditation bodies and auditors/ certification bodies. These include procedures that we will follow when removing an auditor/certification body or an accreditation body from the program. The proposed rule contains requirements relating to auditing and certification of foreign food facilities under the program and for notifying us of conditions in an audited facility that could cause or contribute to a serious risk to the public health. The proposed requirements for monitoring, oversight, and notification are needed to give us, consumers, and other stakeholders confidence in the program and in the accredited third-party auditors/certification bodies and recognized accreditation bodies who participate. The proposal also implements the authority granted by Congress in section 801(q) of the FD&C Act (21 U.S.C. 381(q)) to make a risk-based determination to require, as a condition of admissibility, that a food imported or offered for import into the United States be accompanied by a certification or other assurance that the food meets the applicable requirements of the FD&C Act. This clear authority to require [[Page 45784]] import certification for food, based on risk, is one of the tools we can use to help prevent potentially harmful food from reaching consumers. In addition, this document proposes requirements for accredited third-party auditors/certification bodies to follow when issuing facility certifications that will be used by importers to establish eligibility for the Voluntary Qualified Importer Program (VQIP) under section 806 of the FD&C Act (21 U.S.C. 384b(a)). The VQIP program offers participating importers expedited review and entry of food from facilities audited and certified by third-party auditors/certification bodies accredited under this subpart. Costs and Benefits We summarize the annualized costs (over a 10-year time period discounted at both 3 percent and 7 percent) of the third-party proposed rule in Table 1. We are unable to estimate quantitatively the benefits of the proposed rule. Although this proposed rule would not itself establish safety requirements for imported food, it would benefit the public health by helping to ensure that imported food is produced in compliance with applicable requirements of the FD&C Act. The Preliminary Regulatory Impact Analyses for the proposed rules on Current Good Manufacturing Practice and Hazard Analysis and Risk- Based Preventive Controls for Human Food (Preventive Controls) \3\ and the Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption (Produce Safety) \4\ consider and analyze the number of illnesses and deaths that those proposed regulations are aimed at reducing. The greater the compliance with the Preventive Controls and Produce Safety proposed regulations, the greater the reduction in illnesses and deaths and associated costs expected. --------------------------------------------------------------------------- \3\ The Preventive Controls proposed rule was published in the Federal Register on January 16, 2013 (78 FR 3646). \4\ The Produce Safety proposed rule was published in the Federal Register on January 16, 2013 (78 FR 3503). --------------------------------------------------------------------------- This proposed rule would be an important mechanism for improving and ensuring compliance with the Preventive Controls and Produce Safety proposed regulations as they would apply to imported food. For this reason, we account for its public health benefits in the economic analyses for those proposed rules and other applicable food safety regulations, instead of in the analysis for this proposed rule. Table 1--Summary of Annualized Costs of the Proposed Rule ---------------------------------------------------------------------------------------------------------------- Third party accreditation costs 3 Percent 7 Percent ---------------------------------------------------------------------------------------------------------------- Third Party Accreditation Costs for All Participants........................ $55,548,432 $56,756,016 Third Party Accreditation Costs for FDA..................................... 17,063,089 17,640,083 ----------------------------------- Total Costs............................................................. 72,611,521 74,396,099 ---------------------------------------------------------------------------------------------------------------- Table of Contents I. Introduction II. Background A. Legal Authority B. FDA Initiatives on Third Parties C. FDA's Use of Certifications for Food D. External Recommendations on Third-Party Certification for Food E. FDA Standards for Assessing Capabilities of Food Safety Systems F. U.S. Government Policies on Consensus Standards and Conformity Assessment G. Industry Practices on Benchmarking Standards and Third-Party Audits and Certification for Food and Food Facilities III. FSMA Imports Public Meeting and Stakeholder Input IV. Purpose and Description of the Proposed Rule A. Proposed Revisions to Part 1, New Subpart B. Proposed Revisions to Part 16 V. Analysis of Environmental Impact VI. Federalism VII. Comments VIII. References I. Introduction Each year, about 48 million Americans (1 in 6) get sick, 128,000 are hospitalized, and 3,000 die from food-borne diseases, according to recent estimates from the Centers for Disease Control and Prevention (CDC). CDC food-borne illness outbreak data also show that an increased number of outbreaks due to imported foods were reported during the most recent years of surveillance. During 2005-2010, 39 outbreaks with 2,348 illnesses were reported where the implicated food was imported into the United States, representing 1.5 percent of reported outbreaks during that time. Of the 39 import-associated outbreaks, more were reported in 2009 and 2010 (n=6 and 8 outbreaks, respectively) than were reported in each of the years between 2005 and 2008. A greater percentage of the import-related outbreaks were multistate outbreaks as compared to the overall percentage of multistate outbreaks reported (Ref. 1).\5\ --------------------------------------------------------------------------- \5\ The CDC abstract on Foodborne Disease Outbreaks Associated with Food Imported Into the United States, 2005-2010 (Ref. 1) discussed 23 reported outbreaks with 1,994 illnesses associated with imported foods. These data were updated for a presentation at the International Conference on Emerging Infectious Diseases, to reflect the numbers discussed in this proposed rule. --------------------------------------------------------------------------- President Obama signed FSMA (Pub. L.111-353) into law on January 4, 2011. FSMA enables us to better protect public health by helping to ensure the safety and security of the U.S. food supply. The Web page describing our FSMA implementation activities is at http://www.fda.gov/fsma. Among other things, FSMA gave us important new tools to better ensure the safety of imported foods, which constitute approximately 15 percent of the U.S. food supply (including 80 percent of our seafood, 50 percent of our fresh fruit, and 20 percent of our vegetables). We place high priority on ensuring the accountability of importers to verify the safety of food produced overseas and to establish a new program for third-party auditing and certification of regulated foreign food firms. (By way of background, third-party audits are conducted by an entity independent of the audited firm or those who buy its products. Second-party audits are conducted by buyers for their suppliers and contractors or by one division within a firm of another division within the same firm. First-party audits are internal audits a firm conducts itself. This proposed regulation relates only to third- party audits.) In this document, we propose requirements for third-party auditors/ certification bodies choosing to become accredited to conduct food safety audits and to issue food and facility certifications to eligible foreign entities under this FDA program. The preamble that follows provides background on the following: (1) The FSMA requirement to establish an accredited third-party auditing and [[Page 45785]] certification program for food and related FSMA provisions, (2) other initiatives on third parties, (3) use of food certifications, (4) recommendations from external stakeholders on third-party certifications for food, (5) standards for assessing programs for oversight of food safety, (6) U.S. government policies on consensus standards and conformity assessment, and (7) industry programs for benchmarking standards and for auditing and certification for food facilities and their food. We seek comments on all aspects of this proposal. II. Background A. Legal Authority 1. Accreditation of Third-Party Auditors/Certification Bodies Section 307 of FSMA, Accreditation of Third-Party Auditors, amends the FD&C Act (21 U.S.C. 384d) to create a new provision, section 808, under the same name. Section 808(b)(1)(A) of the FD&C Act requires us to establish a system, within 2 years of enactment, for the recognition of accreditation bodies that accredit third-party auditors to conduct food safety audits and to issue certifications for eligible foreign food entities and their products. Section 808(b)(1)(A)(ii) of the FD&C Act further authorizes us to directly accredit third-party auditors if we have not identified and recognized an accreditation body that meets the requirements of the section within 2 years after establishing the system for recognition. If those conditions are met, we may begin to directly accredit third- party auditors. Section 808(c)(5)(C) of the FD&C Act directs us to issue implementing regulations for section 808 not later than 18 months after enactment (i.e., by July 4, 2012). The regulations must require audits to be unannounced and must contain protections against conflicts of interest between accredited auditors (and their audit agents) and the entities they audit or certify, including requirements on timing and public disclosure of fees and appropriate limits on financial affiliations. (21 U.S.C. 384d(c)(5)(C)(ii) and (c)(5)(C)(iii)). In addition, the regulations must require audits to be unannounced (21 U.S.C. 384d(c)(5)(C)(i)). Section 808(b)(2) of the FD&C Act contains an additional requirement to develop model accreditation standards to qualify third- party auditors for accreditation under this FDA program. The statute describes the model accreditation standards in terms of requirements an auditor must meet to qualify for accreditation. We are including in this proposed rule a framework for the model accreditation standards. We currently are developing the Model Accreditation Standards document, which elaborates on the framework and details the qualifications required for accreditation. We are considering existing international standards and particularly the work of the International Organization for Standardization Committee on conformity assessment (ISO/CASCO). For example, we are considering minimum requirements for education and experience of auditors/certification bodies. We plan to issue draft model standards for public comment, before finalizing them. 2. Voluntary Qualified Importer Program Facility certifications (as described in sections 806(a) and 808(c)(2) of the FD&C Act) will be used by FDA to help determine whether a facility is eligible to be a facility from which food may be offered for import under VQIP. The criteria and procedures for VQIP participation are outside the scope of this rulemaking. FDA plans to issue guidance on VQIP and will solicit public comment on VQIP at that time. 3. Authority To Require Import Certifications for Food Food certifications (as described in sections 801(q) and 808(c)(2) of the FD&C Act) will be required to meet a condition for admitting a food into the United States under section 801(a) of the FD&C Act, where necessary based on our determination of the risk of the food. Specifically, section 801(q) of the FD&C Act gives us express authority to require such certification based on a determination that includes the following factors: The known safety risks associated with the food; The known food safety risks associated with the country, territory, or region of origin (area of origin) of the food; A finding we make, supported by scientific, risk-based evidence, that: [cir] The food safety programs, systems, and standards in the area of origin of the food are inadequate to ensure that the article of food is as safe as a similar article of food that is manufactured, processed, packed, or held in the United States, in accordance with the requirements of the FD&C Act; and [cir] The certification would assist us in determining whether to refuse or admit the article of food into the United States; and Information submitted to us, under section 801(q)(7) of the FD&C Act, regarding improvements to a food safety program, system, or standard we previously found inadequate and demonstrating that those controls are adequate to ensure that an article of food is as safe as a similar article of food that is manufactured, processed, packed, or held in the United States under the requirements of the FD&C Act. In addition to giving FDA authority to require food certifications, section 801(q) of the FD&C Act grants FDA authority to require, alternatively, ``such other assurance'' as FDA determines appropriate, that the food complies with applicable requirements of the FD&C Act. When making a determination on whether mandatory certification is appropriate, we will consider the statutory factors in light of the specific circumstances involved and will evaluate various types of relevant information/evidence. We intend to exercise our authority under section 801(q) of the FD&C Act judiciously and in conjunction with our array of other available enforcement tools. Section 801(q)(3) of the FD&C Act states the food certifications or other assurances used for purposes of section 801(a) of the FD&C Act may be issued by third-party auditors accredited under section 808 of the FD&C Act or by the government of the country from which such food originated, if we so designate (21 U.S.C. 381(q)(3)). The certifications or other assurances may take the form of shipment- specific certificates, a listing of certified facilities that manufacture, process, pack, or hold such food, or in such other form as we may specify. Section 801(q) of the FD&C Act became effective upon enactment of FSMA in 2011 and is expressly linked to the accreditation of third- party auditors/certification bodies that is the subject of this proposed rule. 4. Compliance With International Agreements FSMA section 404 (21 U.S.C. 2252) states that nothing in the statute should be construed in a manner ``inconsistent with'' the agreement establishing the World Trade Organization (WTO) or any other treaty or international agreement to which the United States is a party. FSMA was notified to the WTO on February 14, 2011 (G/SPS/N/USA/ 2156) (Ref. 2), to provide information on the FD&C Act to WTO members. The notification included an electronic mailbox link to receive comments from members. Several comments have been received via the mailbox. The comments [[Page 45786]] note a high degree of interest in FSMA implementation, particularly with respect to how implementation will impact developing countries. Third-party certification for food is recognized as increasingly important for developing nations to gain market access for their products. Several international development agencies are focusing efforts in this area. The United Nations Industrial Development Organization, for example, is supporting the development of conformity assessment bodies and accreditation bodies in several developing nations (Ref. 3). The U.S. Agency for International Development has offered its assistance and support for developing nation governments to take a more proactive role in accreditation services, standards development, and institutional infrastructure to assist and protect their nationals operating in international food markets (Ref. 4). 5. Other Provisions of the Federal Food, Drug, and Cosmetic Act The authority for this proposed rule also derives from section 701(a) of the FD&C Act (21 U.S.C. 371(a)), which authorizes us to issue regulations for the efficient enforcement of the FD&C Act. Regulations for ensuring the competency and independence of recognized accreditation bodies and of accredited third-party auditors/ certification bodies will help assure us of the validity and reliability of certifications and other information resulting from the food safety audits they conduct. We will accept certifications issued by accredited third-party auditors/certification bodies for the two purposes identified in section 808 of the FD&C Act: To establish eligibility for VQIP participation; and to meet a condition of admissibility for imported food subject to a mandatory certification requirement. We also can use information from such audits for other related purposes in enforcing the FD&C Act. For example, we propose to allow importers to use reports of regulatory audits conducted by accredited third-party auditors/certification bodies in meeting any requirements for onsite audits of foreign suppliers, under the proposed rule entitled, ``Foreign Supplier Verification Programs for Importers of Food for Humans and Animals'' (FSVP), published elsewhere in this issue of the Federal Register. B. FDA Initiatives on Third Parties 1. Notice Requesting Comments on Third-Party Certification for Food and Feed In the Federal Register of April 2, 2008 (73 FR 17989), we issued a notice (2008 notice) requesting comments on the benefits, obstacles, and availability of third-party certification programs for food and animal feed. At the time, an increasing number of retailers and food services providers had begun to ask their foreign and domestic suppliers to become certified to their buyers' requirements for safety and quality. Suppliers (such as producers, comanufacturers, and repackers) also were increasingly looking to third-party certification programs as a means to verify compliance with U.S. regulatory requirements, even without requirements from buyers. In the 2008 notice, we asked questions about existing certification programs and criteria, as well as obstacles and incentives for participating in these voluntary programs. We received approximately 70 comments in response. The comments generally supported the use of third-party certification programs and suggested that our acknowledgment of such programs would provide additional incentives for participation. Further discussion of the comments on the 2008 notice is available in the ``Background'' section of the subsequently issued draft ``Guidance for Industry on Voluntary Third-Party Certification Programs for Foods and Feeds'' and is described in section II.B.2. 2. FDA Guidance on Third-Party Certification for Food and Feed In the Federal Register of July 10, 2008 (73 FR 39704), we announced the availability of the draft ``Guidance for Industry on Voluntary Third-Party Certification Programs for Foods and Feeds.'' The draft guidance describes the general attributes of a voluntary third- party certification program needed to help ensure that certification is a reliable verification that food from certified establishment meets applicable requirements. We finalized the guidance in January 2009, announcing its availability in the Federal Register of January 16, 2009 (74 FR 3058) (2009 Guidance) (Ref. 5). The 2009 Guidance describes the general attributes we believe a third-party certification program should have to give us confidence in the reliability of its certifications. It also explains our vision, prior to FSMA enactment, of how we might use such voluntary third-party certifications to assist in determining inspection, field exam, and sampling priorities, as well as in making admissibility decisions for imported food. We intend to withdraw the 2009 Guidance upon publication of a final rule for accredited third- party certification. 3. Pilot Project on Third-Party Certification for Aquacultured Shrimp In the Federal Register of July 10, 2008 (73 FR 39705), we published a notice inviting third-party certification bodies to participate in a pilot of voluntary third-party certification of aquacultured shrimp (shrimp pilot). The goal of the shrimp pilot was to gain knowledge and experience with third-party certification to assist us in evaluating the utility and feasibility of using third-party certification programs as part of our oversight of foreign food firms. The pilot data indicate that having the appropriate FDA infrastructure, including logistical and resource support, will be critical to the success of any full-scale accredited third-party certification program (Ref. 6). The role we played in the shrimp pilot was analogous to the role traditionally played by an accreditation body, monitoring the performance of certification bodies. The pilot demonstrated to us that direct accreditation, in which we ourselves accredit and provide direct oversight of a potentially unlimited number of third-party certification bodies, would be costly and administratively burdensome, though direct accreditation may be appropriate in limited circumstances, as will be discussed in section IV.A.8. 4. FDA Third-Party Program for Mammography In developing this proposed rule, we reviewed other Agency third- party programs, including the FDA program, required by the Mammography Quality Standards Act of 1992 (Pub. L. 102-539) (as amended), to approve accreditation bodies to evaluate and accredit mammography facilities based upon quality standards. Only facilities that are accredited by, or undergoing accreditation by, an accreditation body we approved, may receive our certificates (or the certificates of a State certifying agency we approved) to legally perform mammography (Ref. 7). C. FDA's Use of Certifications for Food For years, we have used certification as a tool for verifying that imported foods comply with our food safety requirements and reducing the need for [[Page 45787]] us to sample at entry. Since the late 1980s, for example, the Export Inspection Council of the Indian Ministry of Commerce has sampled, analyzed, and issued certificates of conformance for lots of black pepper exported directly to the United States. Indian black pepper shipments accompanied by such certifications are not subject to detention without physical examination under FDA Import Alert 28-02 (Ref. 8). Under Memoranda of Understanding (MOUs) with several foreign governments, we rely upon certifications that caseins and caseinates, and mixtures thereof, to be exported to the United States are in compliance with our requirements, which are intended to minimize the need for us to extensively sample certified products (Ref. 9). These are but a few examples of the ways we rely on certifications as a means to help assure that an article of food complies with our requirements and to minimize the need for extensive sampling at entry. D. External Recommendations on Third-Party Certification for Food In September 2012, the Government Accountability Office (GAO) issued a report discussing possible challenges associated with establishing and administering the accredited third-party certification program, including: offering incentives to encourage participation; meeting challenges associated with creating a new program; addressing stakeholder concerns; and conducting oversight of the program, once established (Ref. 10). We believe this proposed rule addresses the relevant challenges identified by GAO. In June 2010, a committee of experts convened by the Institute of Medicine and the National Research Council (IOM/NRC committee) released a report examining gaps in public health protection afforded by the farm-to-table food safety system under our purview and identifying opportunities to fill those gaps (Ref. 11). The IOM/NRC committee concluded that we need to address barriers to improving the efficiency of inspections by, among other things, exploring third-party auditing of food facilities as an alternative model for measuring compliance. The IOM/NRC committee's report specifically recommended that we consider the implications of accepting inspection data from third-party auditors inspecting facilities for compliance with food safety regulatory requirements. The IOM/NRC report also stated that, if we use this approach, we should set minimum standards for such auditors and audits, with oversight and implementation being assigned to an accreditation and standards body. E. FDA Standards for Assessing Capabilities of Food Safety Systems In developing the framework for recognition of accreditation bodies and accreditation of third-party auditors required by section 808 of the FD&C Act, we looked at our existing standards for assessing the capabilities of food safety systems at the State level, through the Manufactured Foods Regulatory Program Standards (MFRPS) (Ref. 12). The MFRPS establish a uniform foundation for the design and management of high-quality State regulatory programs for food manufacturers, focusing on ten key areas: (1) Regulatory foundation; (2) inspector training program; (3) risk-based inspection program; (4) audits of the inspection program; (5) protocols for food-related illnesses, outbreaks, and response; (6) compliance and enforcement program; (7) industry and other stakeholder relations; (8) program resources; (9) program assessment; and (10) laboratory support. We also considered a FDA-New Zealand pilot project for assessing food safety systems, authority, oversight and monitoring that was discussed at a public hearing in March 2011 (Ref. 13). We found particularly useful the draft FDA International Comparability Assessment Tool (ICAT) used in reviewing New Zealand's food safety regulatory system to determine if it provides a similar set of protections to that of FDA (Ref. 14). Following the successful completion of the New Zealand comparability pilot, in late 2012 FDA launched a bilateral pilot project with the Canadian Food Inspection Agency (CFIA) on systems recognition (previously known as comparability), sharing FDA's draft ICAT as a guide for the systems recognition process. FDA and CFIA currently are finalizing their respective systems recognition reviews. F. U.S. Government Policies on Consensus Standards and Conformity Assessment Implementation of section 808 of the FD&C Act occurs against the backdrop of the broader Federal policies on consensus standards and conformity assessment under the National Technology Transfer and Advancement Act of 1995 (NTTAA) (Public Law 104-113). The NTTAA, together with the Office of Management and Budget (OMB) Circular A-119, revised February 10, 1998 (Ref. 15), directs Federal Agencies to use voluntary consensus standards in lieu of government- unique standards except where inconsistent with law or otherwise impractical. OMB Circular A-119 states that the use of voluntary standards, whenever practicable and appropriate, is intended to eliminate the cost to government of developing its own standards and decrease the cost of goods procured and the burden of complying with Agency regulation; provide incentives and opportunities to establish standards that serve national needs; encourage long-term growth for U.S. enterprises and promote efficiency and economic competition through harmonization of standards; and further the policy of reliance upon the private sector to supply government needs for goods and services. In addition, the U.S. Government has issued a National Standards Policy and Federal guidance on conformity assessment activities (which are defined as activities concerned with determining directly or indirectly that requirements for products, services, systems, and organizations are fulfilled) (15 CFR 287.2). As directed by OMB in Circular A-119 (Ref. 15), the National Institute of Standards and Technology (NIST), in the Federal Register of August 10, 2000 (65 FR 48894), issued policy guidance on Federal conformity assessment activities (Federal conformity assessment guidance) (codified at 15 CFR part 287). The guidance applies to all Federal Agencies that set policy for, manage, operate, or use conformity assessment activities or results, domestically and internationally (except for activities conducted pursuant to treaties) and is intended to eliminate unnecessary duplication and complexity in conformity assessment requirements. (We note that OMB has announced it is currently revising Circular A-119, and NIST is revising the Federal conformity assessment guidance (Ref. 16)). The current Federal conformity assessment guidance provides for Federal Agencies to use, where appropriate, relevant guides or standards for conformity assessment \6\ practices from domestic and international standardizing bodies such as the Codex Alimentarius Commission (Codex),\7\ the International Organization [[Page 45788]] for Standardization (ISO)/International Electrotechnical Commission (IEC),\8\ and the American National Standards Institute (ANSI). The guidance also notes that each Agency retains the responsibility, and authority, to select the conformity assessment activities and procedures (e.g., guides and standards) that will best meet its legislative mandates and programmatic objectives (15 CFR part 287). --------------------------------------------------------------------------- \6\ ISO/IEC 17000:2004, Conformity assessment--Vocabulary and general principles (Ref. 17) defines ``conformity assessment'' as ``demonstration that specified requirements relating to a product, process, systems, person or body are fulfilled. \7\ The Codex Alimentarius Commission, established by Food and Agriculture Organization of the United Nations (FAO) and the World Health Organization (WHO) in 1963 develops harmonized international food standards, guidelines and codes of practice to protect the health of the consumers and ensure fair trade practices in the food trade. The Commission also promotes coordination of all food standards work undertaken by international governmental and non- governmental organizations. See, http://www.codexalimentarius.org/codex-home/en/. \8\ ISO is a voluntary, consensus, standards developer with standards covering many aspects of technology and business, including food safety. See, http://www.iso.org/iso/home/about.htm. --------------------------------------------------------------------------- In developing this proposed rule, we considered several voluntary consensus standards, specifically ISO/IEC 17000: 2004, Conformity assessment--Vocabulary and general principles (Ref. 17) and ISO/IEC 17011: 2004, Conformity assessment--General requirements for accreditation bodies accrediting conformity assessment bodies (Ref. 18), which contains the following major elements: (1) Legal responsibility, structure, and impartiality; (2) management systems, including records, internal audits, nonconformities, and corrective actions; (3) personnel associated with the accreditation body, personnel associated with the accreditation process, and monitoring performance assessments of accreditation personnel; (4) the accreditation process; and (5) and roles and responsibilities of the accreditation body and the certification body. We will address elements of ISO/IEC 17011: 2004 that are relevant to this rule in our discussion of the proposed requirements for accreditation bodies in section IV.A.2 through IV.A.4. In addition, we considered other ISO/IEC 17021: 2011, Conformity assessment--Requirements for bodies providing audit and certification of management systems (Ref. 19), which contains similar requirements for bodies auditing management systems: (1) Legal matters and contractual matters; (2) impartiality; (3) structural requirements; (4) resource requirements, including competence of management and personnel; (5) monitoring and surveillance; (6) internal audits; and (7) records. We also considered ISO/IEC Guide 65: 1996, General requirements for bodies operating product certification systems (Ref. 20).\9\ ISO also has issued the 22000 series of standards for food safety management systems, including ISO/TS 22003: 2007, Food safety management systems-- Requirements for bodies providing audit and certification of food safety management systems (Ref. 21).\10\ --------------------------------------------------------------------------- \9\ Subsequently, ISO/IEC Guide 65:1994 (Ref. 20) was updated and incorporated into ISO/IEC 17065. \10\ This series includes standards the food industry uses in establishing and maintaining its food safety management systems and also the standards that auditors/certification bodies use in assessing those systems. --------------------------------------------------------------------------- These standards are among the relevant information we used in developing this proposed rule. We do not propose to incorporate these standards by reference into our regulations, because they contain additional requirements that are not relevant to our program and might unnecessarily create disincentives to participation. A copy of each of these ISO standards has been placed in the docket for this rulemaking and is made available at the Division of Dockets Management at address listed in the ADDRESSES section of this document. The standards also are available electronically by purchase from ISO, at http://www.iso.org. As described more fully in section III, we developed this proposed rule having received information and input from a broad range of stakeholders that included public and private members of the standards community. We met with representatives of other U.S. Government agencies and foreign governments and participated in listening sessions requested by stakeholders wishing to share their views on section 808 of the FD&C Act. We believe the proposal aligns with the NTTAA, the National Standards Policy, and current versions of OMB Circular A-119 (Ref. 15) and the Federal conformity assessment guidance (15 CFR part 287), in relying upon the principles of voluntary consensus standards currently used globally and domestically by the food industry, the international standards community, and conformity assessment bodies. Under the guidance at 15 CFR 287.4(b), we seek comment on the rationale for the conformity assessment decisions we have made in developing this proposal. In particular, we seek comment on whether the voluntary consensus standards we cite are the appropriate standards upon which to base this rulemaking. If alternative standards are suggested, we request that copies of any such standards be submitted along with the comment(s). G. Industry Practices on Benchmarking Standards and Third-Party Audits and Certification for Food and Food Facilities As a result of consolidation within the food industry and the globalization of the marketplace, coupled with some high-profile food safety incidents, many food retailers and food service providers began to require their suppliers to be audited against their standards (more commonly known as ``buyer requirements'') (Ref. 11). Some of these supplier audits were conducted by auditors/certification bodies employed by, or acting as agents of, buyers. Other auditors were third parties, independent of both buyers and suppliers. As buyers increasingly relied on audits to assess compliance with their safety requirements, more and more suppliers began to face multiple food safety audits. The proliferation of buyers' requirements created inefficiencies that ultimately spurred several efforts to harmonize audits. These include the Global Food Safety Initiative (GFSI), which was established in 2000 by a group of international retailers (Ref. 22). GFSI benchmarks food safety schemes \11\ against a harmonized set of key elements for food safety and management systems. GFSI's benchmarking guidance (Ref. 23), and indeed many of the food safety schemes it benchmarks, use Codex as their foundational standards. --------------------------------------------------------------------------- \11\ A food safety scheme generally includes the food safety standard against which a food facility is assessed and the management system associated with the standard. --------------------------------------------------------------------------- GFSI's benchmarking assesses a scheme's food safety standards and the governance and management structure of the food safety scheme owner, such as technical competence, safeguards against conflicts of interest, and procedures for accreditation bodies to oversee the certification bodies that audit and issue certifications under the food safety scheme (Ref. 23). For example, the U.S.-based American National Standards Institute (ANSI) currently provides accreditation services for three GFSI-benchmarked food safety schemes: The Food Marketing Institute's Safe Quality Food Initiative scheme, the British Retail Consortium scheme, and the Global GAP scheme (Ref. 24). As is discussed in the Preliminary Regulatory Impact Analysis (Ref. 25) for this proposed rule, dozens of accreditation bodies worldwide accredit certification bodies to conduct food safety audits. Both large and small suppliers are increasingly relying on third-party audits and certification as a means to ensure [[Page 45789]] market access for their food products. In addition, domestic and foreign suppliers (such as producers, comanufacturers, or repackers) are increasingly looking to third-party certification programs to assist them in verifying that their facilities and food meet applicable food safety standards, whether private food safety schemes such as those benchmarked by GFSI or public standards such as the FD&C Act requirements, which are the relevant standards for purposes of the FDA accredited third-party audit and certification program. The Federal Government recognizes that rigorous voluntary certification programs can provide assurance that products meet U.S. requirements. Currently, private food and facility certifications are frequently used but can result in duplicate audits and certifications. Under this proposal, FDA will oversee a certification program that will, we believe, create efficiencies by reducing the number of redundant food safety audits and by allowing us to better target resources for verifying compliance with applicable requirements. III. FSMA Imports Public Meeting and Stakeholder Input Since enactment of FSMA, we have reached out to stakeholders in the food industry, the international community, standards organizations, accreditation and certification bodies, consumer groups, government agencies, and other interested parties to gain input and perspective on how best to implement FSMA. Among those activities, on March 29, 2011, we held a public meeting with stakeholders to discuss the implementation of the FSMA import safety provisions, including section 808 of the FD&C Act on accredited third-party certification. For additional information about this public meeting, including the agenda, transcripts, and an archived webcast, see http://www.fda.gov/Food/FoodSafety/FSMA/ucm249257.htm. In conjunction with the public meeting, we opened a public docket, with notice in the Federal Register of March 14, 2011 (76 FR 13643), soliciting comments on implementation of section 808 of the FD&C Act and other import provisions added or amended by FSMA. We received several comments on accredited third-party certification, from a variety of stakeholders including a foreign authority (1); trade associations (11); auditors/certification bodies and a laboratory (4); consumer groups (3); other non-profits (1); and an individual (1). Some common themes emerged, including comments on using existing systems as a model; considering impacts on small and medium-sized businesses; requiring notification of conditions that could cause or contribute to a serious risk to public health; ensuring auditor competency; and preventing conflicts of interest. This docket (FDA-2011-N-0146) is available electronically at http://www.regulations.gov, or at the Division of Dockets Management (see ADDRESSES). In addition to attending the public meeting, several stakeholders requested meetings to discuss their current programs and to share their views and recommendations for implementing section 808 of the FD&C Act. These stakeholders represented a broad range of interests, including consumer groups, trade associations, auditors/certification bodies and laboratories. We also met with representatives of foreign governments, as part of ongoing outreach and collaboration with foreign regulatory partners. Topics for these meetings included the statutory requirements for accreditation of third-party auditors, including FDA's authority to directly accredit third-party auditors/certification bodies; \12\ voluntary consensus standards and industry practices on accreditation, auditing, and certification; and international considerations. Additionally, we note that FDA representatives have been invited to attend meetings, hosted by stakeholders, which included discussions of third-party audits and certifications. --------------------------------------------------------------------------- \12\ The docket for this rulemaking contains, as background material, a letter from Caroline Smith DeWaal of the Center for Science in the Public Interest, which was received after the docket for the public meeting closed and before issuance of this proposed rule. The letter offers an analysis of FDA's authority for direct accreditation. --------------------------------------------------------------------------- The input and perspectives gained through each of these interactions helped shape this proposed rule. We have identified some common themes from these interactions. Most stakeholders expressed significant concerns regarding existing capacity of third-party food safety auditors/certification bodies and, for some stakeholders, the degree of competency demonstrated by the available cadre of auditors/ certification bodies. We recognize that the credibility of the new third-party program rests largely on the quality of the auditing and certification work performed by accredited third-party auditors/ certification bodies and have attempted to address those concerns in this rulemaking. In other areas, stakeholders' interests diverged. For example, consumer groups expressed a strong interest in transparency of the program, including public disclosure of audit reports. Current industry practice is to maintain the confidentiality of audit reports except to the extent that the audited firm waives confidentiality or where otherwise required by law. Industry also has expressed concern about the statutory requirement for accredited auditors to notify us of conditions in an audited firm that could cause or contribute to a serious risk to the public health. Some in industry have taken the position that stringent disclosure and transparency requirements may dissuade food firms from using third-party auditors/certification bodies accredited under our program. As an initial matter, we note that we are bound to implement FSMA as enacted and to comply with all other applicable disclosure laws (e.g., the Freedom of Information Act (FOIA)) (5 U.S.C. 552). Within that legal framework, we have balanced the following competing public interests: (1) Providing as much information to the public as possible about audits of foreign food entities and the performance of accredited auditors/certification bodies, so that individuals may assess the performance and credibility of the accredited third-party audits and certification program; (2) protecting the proprietary interests of food entities related to their trade secrets and confidential commercial information to the extent allowable by statute, as well concerns about public release of sensitive information that would not otherwise be publicly available; and (3) protecting the public health by being able to attract sufficient numbers of foreign food entities, third-party auditors/certification bodies, and accreditation bodies to make the program cost-effective and otherwise successful. To gain credibility with consumers and address industry views on sensitive information, this proposed rule seeks to balance disclosure and confidentiality concerns. It reflects our views on how best to strike the balance between these and other competing interests. We believe this proposal reflects the intent of section 808 of the FD&C Act and the purpose of the law, offering a practical, flexible, and effective approach to the accredited third-party audits and certification program. We seek comment on the framework this proposed rule would create for recognition of accreditation bodies and accreditation of third-party auditors/certification bodies, how it aligns with existing voluntary industry programs, and what expectations consumers have for the ability of this program to help us ensure the safety of imported food. [[Page 45790]] In addition, we invite comments on possible effects of the creation of an FDA program for accredited third-party audits and certification. We are particularly interested in receiving comments and data on the availability of competent auditors/certification bodies to participate in our program or about the likelihood of entities being able to scale- up their capacity to participate in our program and to serve demand outside the scope of our program. We understand from public comments and stakeholder meetings that industry and the conformity assessment community have concerns about access to sufficient numbers of qualified third-party auditors/certification bodies under current conditions. We also understand that some industry leaders have developed various strategies and plans for increasing auditor capacity. We request comments and information on the progress of these efforts and the impact the establishment of our program will have on accelerating these efforts. Given that this program is for food and facility certifications only for purposes of mandatory certification and VQIP eligibility under sections 801(q) and 806 of the FD&C Act (respectively), what effect, if any, do stakeholders anticipate this program will have on current capacity issues? We also request stakeholder input on any possible trade impacts of the program, once established. What effect might this program have on the existing issues with auditor capacity? Will it affect foreign or domestic food firms' ability to provide certifications to their customers? If so, are foreign and domestic firms likely to be affected in the same manner and to the same degree? If not, what are the likely impacts to each? Are there particular types of food firms or food products, or certain areas of the world in which capacity issues are more likely to be prevalent and to what degree? Are there other factors impacting the availability of competent auditors? Are there any solutions or approaches that might be practical and appropriate for FDA, as a regulatory Agency, to use in addressing auditor capacity issues within the accredited third-party audits and certification program? We encourage stakeholders to consider and comment on this proposed rule and the various interests at stake in this rulemaking, with recommendations about the proper balance of competing interests. IV. Purpose and Description of the Proposed Rule In section 808 of the FD&C Act, Congress directed us to establish an accredited third-party audits and certification program that leverages the work of existing private sector audit programs and efforts, while requiring measures to better ensure audit rigor and objectivity. We believe this proposed rule, coupled with our oversight of the program, will help ensure the competence and independence of third-party auditors/certification bodies who conduct foreign food safety audits. It also will help ensure the reliability of certifications issued by third-party auditors/certification bodies that we may use in making certain decisions relating to imported food. Having comprehensive oversight of a credible and reliable program for third-party audits and certifications of foreign food facilities will help us prevent potentially harmful food from reaching U.S. consumers and thereby improve the safety of the U.S. food supply. As explained previously, we believe this new program will draw a significant number of participants and will be broadly accepted by industry. Currently, buyers seeking to import regulated product from a foreign food facility often require food safety audits that are conducted under varying audit criteria. By establishing a trusted program for third-party audits and certification of foreign food facilities that operates under public oversight, we expect that the number of redundant food safety audits performed to assess compliance with the FD&C Act will be reduced, which, in turn, will increase efficiency and reduce costs to industry. Our estimates relating to reductions in redundant audits are addressed more fully in the Preliminary Regulatory Impact Analysis (Ref. 25). More broadly, we think that by capitalizing on private sector food safety efforts and linking them to the public assurance system, accredited third-party certification can help transform the way we ensure the safety of globally traded food that is consumed in the United States. In our vision of the future, we do not see third-party audits replacing public oversight, but rather helping us ensure that we make the best, most efficient use of both public and private resources to produce a safe food supply. We are proposing requirements that would apply to several different types of entities--i.e., accreditation bodies, third-party auditors/ certification bodies, and eligible entities--and an option for importers as well. We are organizing this proposed rule by those categories, with specific requirements for accreditation bodies (proposed Sec. Sec. 1.610 through 1.636), third-party auditors/ certification bodies (proposed Sec. Sec. 1.640 through 1.672), eligible entities (proposed Sec. Sec. 1.680 and 1.681), and importers (proposed Sec. 1.698). Provisions of general applicability appear in proposed Sec. Sec. 1.600 and 1.601 (definitions and scope), Sec. 1.690 (publicly available information), Sec. Sec. 1.691 through 1.693 (challenges to FDA decisions). Accordingly, we are proposing to amend our regulations in parts 1 and 16 (21 CFR parts 1 and 16) to implement FSMA section 307, which adds section 808 to the FD&C Act and is codified at 21 U.S.C. 384d. We are proposing to add new subpart M to part 1 and to amend existing part 16 (21 CFR part 16) as follows: A. Proposed Revisions to Part 1, New Subpart 1. Definitions and Scope a. What definitions apply to this subpart? (Proposed Sec. 1.600). Proposed Sec. 1.600 contains definitions of several terms used in this rule. Where possible, we propose to rely on existing statutory and regulatory definitions. Where necessary to provide clarity to this rule, we have developed some additional definitions that align with existing law and regulations, as well as current practices of the international community, accreditation and certification bodies, and the food industry. Proposed Sec. 1.600(a) and (b) state that definitions contained in section 201 of the FD&C Act (21 U.S.C. 321) will apply to this rule, except as those terms are otherwise defined in paragraph (c). Because ``food'' is defined in section 201(f) of the FD&C Act, but not in proposed Sec. 1.600(c), the definition of ``food'' that we propose to apply to this rule is the definition of ``food'' appearing in section 201(f). Examples of ``food'' under this proposed definition would include, but not be limited to, fruits, vegetables, fish, dairy products, eggs, raw agricultural commodities for use as food or components of food, animal feed (including pet food), food and feed ingredients and additives (including substances that migrate into food from packaging and other articles that contact food), dietary supplements and dietary ingredients, infant formula, beverages (including bottled water), live food animals, bakery goods, snack foods, candy, and canned food. (See, e.g., 21 CFR 1.377. See also the discussion of proposed Sec. 1.601(d) [[Page 45791]] regarding a limited exemption for alcoholic beverages and prepackaged foods from certain facilities.) ``Accreditation'' means a determination by a recognized accreditation body, or by FDA in the case of direct accreditation, that a third-party auditor/certification body is competent to perform the activities required of an accredited auditor/certification body for the purposes of this rule. In developing this definition, we considered international standards on accreditation, including ISO/IEC 17011:2004 (Ref. 18), which defines accreditation as an attestation ``conveying formal demonstration'' of a conformity assessment body's competence to carry out specific conformity assessment tasks. ``Accreditation body'' means an authority that performs accreditation of third-party auditors/certification bodies. This definition is already in use in section 808(a) of the FD&C Act and is consistent with international standards, such as ISO/IEC 17011:2004 (Ref. 18), which defines ``accreditation body'' as an ``authoritative body'' that conducts accreditation. ``Accredited auditor/certification body'' means a third-party auditor/certification body that a recognized accreditation body (or, in the case of direct accreditation, FDA) has determined meets the applicable requirements of this subpart and is authorized to conduct food safety audits and to issue food or facility certifications to eligible entities. This definition reflects the statutory definitions of ``accredited third party auditor'' and ``third party auditor'' and a common understanding of the activities to be performed under this program. ``Audit'' means: 1. With respect to an accreditation body, the systematic, independent, and documented examination (through observation, investigation, and records review) by FDA to assess the accreditation body's authority, qualifications (including its expertise and training programs), and resources; its procedures for quality assurance, conflicts of interest, and records; its performance in accreditation activities; and its capability to meet the applicable requirements of this subpart. 2. With respect to a third-party auditor/certification body, the systematic, independent, and documented examination (through observation, investigation, and records review) by a recognized accreditation body (or, in the case of direct accreditation, FDA) to assess the third-party auditor's/certification body's authority, qualifications (including its expertise and training programs), and resources; its procedures for quality assurance, conflicts of interest, and records; its performance in auditing and certification activities; and its capability to meet the applicable requirements of this subpart; and 3. With respect to an eligible entity, the systematic, independent, and documented examination (through observation, investigation, records review, and as appropriate, sampling and laboratory analysis) by an accredited auditor/certification body to assess the entity, its facility, system(s), and food for the purpose of determining whether the food or facility of the eligible entity is in compliance with the FD&C Act (which includes, where applicable, an assessment of the entity's preventative controls, sanitation, monitoring, verification, corrective actions, and recalls) and, for consultative audits, also includes an assessment of compliance with applicable industry standards and practices. The term describes the nature and scope of activities involved in the various types of audits and assessments that will be conducted under this program. We incorporated relevant language from the definitions of consultative audit and regulatory audit in section 808(a)(5) and (a)(7) of the FD&C Act and language specific to the requirements used in audits and assessments of accreditation bodies, third-party auditors/certification bodies, and eligible entities. We considered our 2009 guidance (Ref. 5) and the descriptions of audit activities under our MFRPS (Ref. 12). We also examined usage in international standards, such as the Codex Principles for Food Import and Export Certification (CAC/GL 20-1995) (Ref. 26), which define ``audit'' as a ``systematic and functionally independent examination to determine whether activities and related results comply with planned objectives.'' Additionally, we looked at ISO/IEC 17000:2004 (Ref. 17), which defines ``audit'' as a ``systematic, independent, documented process for obtaining records, statements of fact or other relevant information and assessing them objectively to determine the extent to which specified requirements are fulfilled.'' ``Audit agent'' means an individual who is an employee or other agent of an accredited auditor/certification body who, although not individually accredited, is qualified to conduct food safety audits on behalf of an accredited auditor/certification body. An audit agent includes a contractor of the accredited auditor/certification body. The term is based on section 808(a)(1) of the FD&C Act, which defines ``audit agent'' as an employee or agent of an accredited auditor[/certification body] who is qualified to conduct food safety audits on its behalf. In the definition, we clarify that contractors who are authorized to act for, and under the direction of, the accredited auditor/certification body are allowed to serve as an audit agents. ``Certification body'' means a foreign government, agency of a foreign government, foreign cooperative, or any other third party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet the requirements of the FD&C Act. A certification body may be a single individual or an organization. A certification body may use audit agents to conduct food safety audits. Certification Body has the same meaning as Third-Party Auditor as that term is defined in section 808 of the FD&C Act and in this subpart. This definition emphasizes the role of ``third-party auditors,'' under section 808 of the FD&C Act, in issuing facility certifications that importers must use to establish eligibility for VQIP participation and food certifications that may be required to satisfy a condition of admissibility for an imported food we determine poses a safety risk under section 801(q) of the FD&C Act. In developing the definition of ``certification body,'' we looked at the definition of ``third-party auditor'' in section 808(a)(3) of the FD&C Act, as well as terminology used by the international community and the food industry. For example, ISO/IEC 17000:2004 (Ref. 17) explains that a ``certification system'' is a conformity assessment system that includes ``selection, determination, review and finally certification as the attestation activity'. See also, ISO/IEC Guide 65:1996 (Ref. 20) and ISO/IEC 17021: 2011 (Ref. 19). The term ``certification body'' also is used by those in the food industry who currently rely on audits and certifications as part of their business practices. We believe this proposed language more clearly explains the role of accredited auditors/certification bodies and the requirements for issuance of certification under this program. ``Consultative audit'' means an audit of an eligible entity: 1. To determine whether such entity is in compliance with applicable requirements of the FD&C Act and industry standards and practices; and [[Page 45792]] 2. The results of which are for internal purposes only and cannot be used to determine eligibility for a food or facility certification issued under this subpart or in meeting the requirements for an onsite audit of a foreign supplier under subpart L of this part. This reflects the definition of ``consultative audit'' in section 808(a)(5) of the FD&C Act and emphasizes that the results of a consultative audit cannot be used in lieu of a regulatory audit to meet the criteria for issuance of food or facility certification under section 808(c)(2)(C) of the FD&C Act. It also incorporates language from proposed Sec. 1.698, which would allow only reports of regulatory audits to be used by importers in meeting proposed verification requirements under the Foreign Supplier Verification Rule (FSVP) (to be codified in 21 CFR, part 1, subpart L). ``Direct accreditation'' means accreditation of a third-party auditor/certification body by FDA and is a term used in section 808(b)(1)(A)(ii) of the FD&C Act when describing FDA accreditation of third-party auditors/certification bodies, without the involvement of a recognized accreditation body. The distinction between direct accreditation and accreditation by an FDA-recognized accreditation body is relevant for some provisions of this rule. For example, under proposed Sec. 1.656(b), a directly accredited auditor/certification body must send its annual self-assessment reports to FDA, while an auditor/certification body accredited by a recognized accreditation body must submit its annual self-assessment reports to the accreditation body, who is responsible for monitoring and ensuring its accredited auditors/certification bodies take timely and effective corrective actions, where necessary. FDA will access the accredited auditor/certification body self-assessments in monitoring recognized accreditation bodies and in conducting the periodic monitoring required by section 808(f)(2) of the FD&C Act. This definition will help accredited auditors/certification bodies determine which requirements apply to them. ``Eligible entity'' means a foreign entity that chooses to be subject to a food safety audit by an accredited auditor/certification body. Eligible entities include foreign facilities subject to the registration requirements of 21 CFR part 1, subpart H. The definition of ``eligible entity'' corresponds to section 808(a)(6) of the FD&C Act, which defines ``eligible entity'' as including (and thus not limited to) foreign facilities subject to the registration requirements of section 415 of the FD&C Act (21 U.S.C. 350d). We seek comment on whether to provide examples of specific types of entities that may meet the definition of eligible entity. For example, are foreign cooperatives \13\ that aggregate product, such as fruits or vegetables, the types of entities that should be able to seek audits and certification under this program? We note that the National Organic Program (NOP) administered by the U.S. Department of Agriculture's (USDA's) Agricultural Marketing Service (AMS), allows producers who are located in geographic proximity, who are organized under a single management and marketing system and whose farms are ``uniform in most ways'' to be certified as a group (Ref. 27).\14\ We seek comment on whether these NOP criteria are relevant in determining whether a foreign cooperative is an ``eligible entity'' under this proposed rule, Are there other types of foreign entities or facilities that should be eligible to seek audits and certification under the FDA program? --------------------------------------------------------------------------- \13\ Under section 808 of the FD&C Act, foreign cooperatives are among the types of groups that are eligible to seek accreditation as third-party auditors, provided that they meet the standards and requirements for accreditation (e.g., for conflicts of interest). \14\ Per USDA, grower group certifications have historically been used for the certification of cooperatives located in geographical proximity, whose crops are marketed collectively. Primary crops produced by grower groups include coffee, cocoa, tea, spices, and tropical fruits (Ref. 27). --------------------------------------------------------------------------- ``Facility'' means any structure, or structures of an eligible entity under one ownership at one general physical location, or, in the case of a mobile facility, traveling to multiple locations, that manufactures/processes, packs, or holds food for consumption in the United States. Transport vehicles are not facilities if they hold food only in the usual course of business as carriers. A facility may consist of one or more contiguous structures, and a single building may house more than one distinct facility if the facilities are under separate ownership. The private residence of an individual is not a facility. Non-bottled water drinking water collection and distribution establishments and their structures are not facilities. This same definition of ``facility'' appears in subpart H (21 CFR 1.227(b)(2)). ``Facility certification'' means an attestation, issued for purposes of section 806 of the FD&C Act by an accredited auditor/ certification body, after conducting a regulatory audit and any other activities necessary to establish that a facility meets the applicable requirements of the FD&C Act. ``Food certification'' means an attestation, issued for purposes of section 801(q) of the FD&C Act by an accredited auditor/certification body, after conducting a regulatory audit and any other activities necessary to establish that a food meets the applicable requirements of the FD&C Act. These definitions reflect the requirements for, and purpose of, certification as described in section 808(c)(2)(B) and (c)(2)(C) of the FD&C Act, referencing sections 801(q) (food certification) and 806 (facility certification) of the FD&C Act. Food and facility certifications are the two types of certifications authorized by section 808 of the FD&C Act. Further, the food and facility certification definitions emphasize that certification is an attestation \15\ by the accredited third-party auditor/certification body that it has: (1) Conducted a regulatory audit (and any other activities necessary to establish compliance); (2) verified that the specified criteria have been met; and (3) determined, based on the results of those activities, that food or facility certification under this program is appropriate. --------------------------------------------------------------------------- \15\ We propose to use the word ``attestation'' in Sec. 1.600 to characterize the nature of the statement that certification represents. This is the term used in ISO/IEC 17000:2004 (Ref. 20) and also is the term we use when characterizing the nature of our export certifications (Ref. 28). We believe that ``attestation'' is similar to ``assurance,'' which is the term used in Codex CAC/GL 20- 1995 (Ref. 27). --------------------------------------------------------------------------- Codex CAC/GL 20-1995 (Ref. 26) defines ``certification'' as the procedure by which certification bodies provide ``written or equivalent assurance that foods or food control systems conform to requirements.'' ISO/IEC 17000:2004 (Ref. 17) describes certification as an ``attestation'' related to products, processes, systems, or persons.\16\ --------------------------------------------------------------------------- \16\ We are not defining ``facility certification'' or ``food certification'' as an ``approval'' by an accredited auditor/ certification body or by (or on behalf of) FDA, nor do we intend for it to be interpreted as such. Among other reasons, we do not have preapproval authority for food, except for certain additives that are required by law to have our approval prior to marketing. Moreover, neither Codex CAC/GL 20-1995 (Ref. 27), nor ISO/IEC 17000:2004 (Ref. 20) uses the term ``approval'' in defining ``certification.'' --------------------------------------------------------------------------- We seek comment on our proposed definitions of ``facility certification'' and ``food certification'' and on whether the scope of these definitions is sufficiently broad to fulfill the objectives of section 808 of the FD&C Act. In addition, we seek comment on whether to allow groups meeting the NOP criteria (i.e., having multiple sites operating under a single management system and whose [[Page 45793]] farms are ``uniform in most ways,'' to be issued (group) food certifications, facility certifications, or both. ``Food safety audit'' means a regulatory audit or a consultative audit by an accredited auditor/certification body under this program. This term is used throughout section 808 of the FD&C Act, including in the definitions of ``audit agent,'' ``third-party auditor,'' and ``accredited third-party auditor.'' The definition of ``third-party auditor'' in section 808(a)(3) of the FD&C Act in particular, mentions regulatory and consultative audits in the context of food safety audits. Therefore, we used the definitions of ``consultative audit'' and ``regulatory audit'' contained in section 808(a)(5) and (a)(7) of the FD&C Act in developing a definition of ``food safety audit.'' Table 1 describes consultative audits and regulatory audits and the distinctions between them. Table 1--Types and Characteristics of Food Safety Audits Under the Proposed Rule ---------------------------------------------------------------------------------------------------------------- Report submitted to Type of audit Purpose FDA? Records access by FDA? ---------------------------------------------------------------------------------------------------------------- Regulatory Audit..................... For certification and Yes.................... FDA may request report may be used Submitted no later than submission at any under FSVP. 45 days after the time. audit.. Consultative Audit................... Internal purposes...... No..................... FDA access under section 414 of the FD&C Act. ---------------------------------------------------------------------------------------------------------------- ``Foreign cooperative'' means an entity that aggregates food from growers or processors that is intended for export to the United States. Section 808 of the FD&C Act does not provide a definition of ``foreign cooperative,'' so we relied upon the statutory description of foreign cooperatives in section 808(c)(1)(B) of the FD&C Act. ``Recognized accreditation body'' means an accreditation body that FDA has determined meets the applicable requirements and is authorized to accredit third-party auditors/certification bodies under this program. This definition is based in part on the definition of accreditation body in section 808 of the FD&C Act and incorporates the concept of ``recognition'' that also appears there. The term ``recognition'' is also used in section 422 of the FD&C Act (21 U.S.C. 350k), as amended by FSMA, to describe the status we will accord to a laboratory accreditation body that accredits laboratories for purposes of food testing under the FD&C Act. We also use the term ``recognition'' in the 2009 guidance (Ref. 5) and in other FDA programs. In the 2009 guidance, which predates FSMA, we mentioned the possible future ``recognition'' of one or more third- party certification programs. Though FSMA directs us to structure our third-party program differently than we envisioned in 2009, the concept of ``recognition'' by FDA is similar. ``Regulatory audit'' is defined in the statute and means an audit of an eligible entity: 1. To determine whether such entity is in compliance with the provisions of the FD&C Act; and 2. The results of which are used in determining eligibility for food certification under section 801(q) of the FD&C Act or facility certification under section 806 of the FD&C Act. This definition includes language from proposed Sec. 1.698, which would allow an importer to use a regulatory audit report in meeting proposed requirements for verification of a foreign supplier under subpart L of this part. ``Relinquishment'' means: 1. With respect to an accreditation body, a decision to cede voluntarily its authority to accredit third-party auditors/ certification bodies as a recognized accreditation body; and 2. With respect to a third-party auditor/certification body, a decision to cede voluntarily its authority to conduct food safety audits and to issue food and facility certifications to eligible entities. We included a definition of ``relinquishment'' in this proposed rule because we recognize that an accreditation body, once recognized, or a third-party auditor/certification body, once accredited, may decide to leave the program and would need a process to voluntarily exit the program. Relinquishment differs from revocation of recognition and withdrawal of accreditation, as it occurs on the initiative of the accreditation body or third-party auditor/certification body and not as a result of our finding good cause to remove its recognition or accreditation status. Analogous language on relinquishment of accreditation appears in our mammography regulations in 21 CFR 900.3. ``Self-assessment'' means a systematic assessment conducted by an accreditation body to determine whether it meets the recognition requirements in Sec. Sec. 1.610 through 1.625, or by a third-party auditor/certification body to determine whether it meets the accreditation requirements in Sec. Sec. 1.640 through 1.658. ``Self- assessment'' is defined in this proposed rule in a manner consistent with its use in our MFRPS for State food regulatory programs (Ref. 12). The MFRPS require States to conduct periodic self-assessments of their manufactured food regulatory programs against each of the 10 program standards. These self-assessments are designed to identify the strengths and weaknesses of the State program by determining the level of conformance with the program standards and are independently verified through an audit. The results of the initial self-assessments are used to develop an improvement plan, and subsequent self- assessments are used to track the State's progress toward meeting and maintaining conformance with the MFRPS. The concept of self-assessment is used in international consensus standards as well. For example, ISO/IEC Guide 65:1996 (Ref. 20) requires a certification body to conduct periodic internal audits to verify that its quality system is implemented and effective, that corrective actions are taken in a timely and appropriate manner, and that records of such reviews are maintained. Both ISO/IEC 17011:2004 (Ref. 18) and ISO/IEC 17021:2011 (Ref. 19) require internal audits as well. Self-assessments are a valuable component of a continuous improvement process under our standards and the voluntary consensus standards described in this preamble. ``Third-Party Auditor'' means a foreign government, agency of a foreign government, foreign cooperative, or any other third party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet the applicable requirements of the FD&C Act. A third-party auditor may be a single individual or an organization. A third-party auditor may use audit agents to conduct food safety audits. Third-Party Auditor has the same meaning as Certification Body as that term is defined in this subpart. [[Page 45794]] The definition of ``third-party auditor'' is based on section 808 of the FD&C Act and clarifies our role in direct accreditation and the relationship between audits and certifications under section 808 of the FD&C Act. For the reasons explained in the preamble discussion of the definition of ``certification body,'' ``third-party auditor'' will have the same meaning as ``certification body'' for purposes of this rule. b. Who is subject to this subpart? (Proposed Sec. 1.601). This proposed rule would apply to those accreditation bodies, third-party auditors/certification bodies, and eligible entities that seek to participate in our program for third-party food safety audits and certification. Participating is voluntary; however any accreditation body wishing to accredit third-party auditors/certification bodies under our program would have to comply with the applicable requirements of the final rule. Under the FDA program, any third-party auditor/ certification body wishing to conduct food safety audits and issue food and facility certifications and any eligible entity that seeks a food safety audit or food or facility certification would have to comply with the applicable requirements of the final rule.\17\ --------------------------------------------------------------------------- \17\ The terms, ``third-party auditor/certification body,'' ``consultative audit,'' ``regulatory audit,'' ``food certification,'' ``facility certification,'' and ``eligible entity'' are defined under this proposed rule. --------------------------------------------------------------------------- This proposed rule would codify a limited exemption created by section 116 of FSMA (21 U.S.C. 2206) applicable to certification of food under section 801(q) of the FD&C Act. Section 116(a) of FSMA states that, except as provided by certain listed sections in the FSMA, nothing in FSMA, or the amendments made by FSMA, will be construed to apply to a facility that (1) under the Federal Alcohol Administration Act (27 U.S.C. 201 et seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.) is required to obtain a permit or to register with the Secretary of the Treasury as a condition of doing business in the United States; and (2) under section 415 of the FD&C Act is required to register as a facility because such facility is engaged in manufacturing, processing, packing, or holding one or more alcoholic beverages (with respect to the activities of such facility that relate to the manufacturing, processing, packing, or holding of alcoholic beverages). Section 116(b) of FSMA provides that section 116(a) does not apply to a facility engaged in the receipt and distribution of any non- alcohol food, except that section 116(a) does apply to a facility described in section 116(a) that receives and distributes non-alcohol food, provided such food is received and distributed (1) in a prepackaged form that prevents any direct human contact with such food, and (2) in amounts that constitute not more than 5 percent of the overall sales of such facility, as determined by the Secretary of the Treasury. Section 116(c) of FSMA provides that, except as provided in section 116(a) and (b), section 116 cannot be construed to exempt any food, other than alcoholic beverages, as defined in section 214 of the Federal Alcohol Administration Act (27 U.S.C. 214), from the requirements of FSMA (including amendments made by FSMA). The Preventive Controls proposed rule includes provisions implementing the exemptions provided in section 116 of FSMA to establish by regulation the reach of the exemptions. As discussed in the preamble to the Preventive Controls proposed rule, FDA tentatively concludes the following regarding the reach of the exemptions for the purposes of that rule: The phrase ``obtain a permit or register'' should be interpreted broadly, to include not only facilities that must obtain what is technically named a ``permit'' or must ``register'' with Treasury, but also those facilities that must adhere to functionally similar requirements as a condition of doing business in the United States, namely, by submitting a notice or application to Treasury and obtaining Treasury approval of that notice or application. The exemption would apply not only to domestic facilities that are required to secure a permit, registration, or approval from Treasury under the relevant statutes, but also to foreign facilities of a type that would require such a permit, registration, or approval if they were domestic facilities. Activities related to alcoholic beverages (including the manufacturing, processing, packing, or holding of alcoholic beverages) at facilities within the scope of section 116(a) of FSMA would not be subject to section 418 of the FD&C Act. Activities related to foods other than alcoholic beverages (including the receiving, manufacturing, processing, packing, holding, and distributing of such foods) would be subject to section 418 even if those activities occur at facilities that are otherwise within the scope of section 116(a) (unless they qualify for another exemption or are in prepackaged form and constitute 5 percent or less of the facility's overall sales). (For clarity, we use the term ``food other than alcoholic beverages'' rather than ``non- alcohol food'' in the Preventive Controls proposed rule and in this document.) Section 418 of the FD&C Act does not apply to the manufacturing, processing, packing, or holding of food other than alcoholic beverages to the extent that it is physically inseparable from the manufacturing, processing, packing, or holding of alcoholic beverages. Section 116 of FSMA is premised in part upon status as a facility required to register under section 415 of the FD&C Act (section 116(a)(2) of FSMA). As provided in section 808, eligible entities include foreign facilities registered under section 415 of the FD&C Act. Therefore, to implement the exemption in section 116 of FSMA, under proposed Sec. 1.601(d)(1), certification of food under section 801(q) of the FD&C Act would not apply with respect to alcoholic beverages from an eligible entity that is a facility that meets the following two conditions: Under the Federal Alcohol Administration Act or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.), the facility is a foreign facility of a type that, if it were a domestic facility, would require obtaining a permit from, registering with, or obtaining approval of a notice or application from the Secretary of the Treasury as a condition of doing business in the United States; and Under section 415 of the FD&C Act, the facility is required to register as a facility because it is engaged in manufacturing/processing one or more alcoholic beverages. Proposed Sec. 1.601(d)(2) specifies that certification of food under section 801(q) of the FD&C Act also would not apply with respect to food other than alcoholic beverages from a facility described in paragraph (d)(2), provided such food: Is in prepackaged form that prevents any direct human contact with such food; and Constitutes not more than 5 percent of the overall sales of the facility, as determined by the Secretary of the Treasury. This exemption does not apply to facility certification required by section 806 of the FD&C Act. We request comment on our proposed exemption of alcoholic beverages and food other than alcoholic beverages under the conditions specified in proposed Sec. 1.601(d). As described in the ``Summary of Major Provisions of the Proposed Rule,'' this rule would apply only to entities [[Page 45795]] that voluntarily participate in our accredited third-party audits and certification program, which would be the following: (1) Accreditation bodies seeking recognition, or recognized, under this program; (2) third-party auditors/certification bodies (including their audit agents) that seek accreditation, or are accredited under this program; and (3) eligible entities that seek food safety audits from, or that are audited or certified by, accredited auditors/certification bodies under this program, except for an eligible entity that meets the criteria for exemption under section 116 of FSMA. We invite comment on the scope of this proposed rule, including comments on its anticipated effects on accreditation bodies and third- party auditors/certification bodies already performing these activities, or that may be interested in doing so. We also seek comment on its anticipated effect on foreign food facilities and other eligible entities that are currently audited by third-party auditors/ certification bodies. 2. Recognition of Accreditation Bodies This rule would establish the following: (1) The eligibility requirements for an accreditation body to be authorized (``recognized'') by FDA to accredit third-party auditors/certification bodies under the accredited third-party audits and certification program; (2) requirements on recognized accreditation bodies for activities conducted under our program; and (3) procedures FDA and accreditation bodies will follow relating to recognition, including application, renewal, revocation, voluntary relinquishment, and reinstatement of recognition. Table 2--Proposed Requirements for Accreditation Bodies ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ Recognition of accreditation bodies under this subpart ------------------------------------------------------------------------ 1.610.................. Who is eligible for recognition? 1.611.................. What legal authority must an accreditation body have to qualify for recognition? 1.612.................. What competency and capacity must an accreditation body have to qualify for recognition? 1.613.................. What protections against conflicts of interest must an accreditation body have to qualify for recognition? 1.614.................. What quality assurance procedures must an accreditation body have to qualify for recognition? 1.615.................. What records procedures must an accreditation body have to qualify for recognition? ------------------------------------------------------------------------ Requirements for recognized accreditation bodies under this subpart ------------------------------------------------------------------------ 1.620.................. How must a recognized accreditation body assess third-party auditors/certification bodies seeking accreditation? 1.621.................. How must a recognized accreditation body monitor the performance of auditors/ certification bodies it accredits? 1.622.................. How must a recognized accreditation body monitor its own performance? 1.623.................. What reports and notifications must a recognized accreditation body submit to FDA? 1.624.................. How must a recognized accreditation body protect against conflicts of interest? 1.625.................. What records requirements must a recognized accreditation body meet? ------------------------------------------------------------------------ Procedures for recognition of accreditation bodies under this subpart ------------------------------------------------------------------------ 1.630.................. How do I apply to FDA for recognition or renewal of recognition? 1.631.................. How will FDA review applications for recognition and for renewal of recognition? 1.632.................. What is the duration of recognition? 1.633.................. How will FDA monitor recognized accreditation bodies? 1.634.................. When will FDA revoke recognition? 1.635.................. How do I voluntarily relinquish recognition? 1.636.................. How do I request reinstatement of recognition? ------------------------------------------------------------------------ Section 808 of the FD&C Act directs us to establish a system for recognition of accreditation bodies to accredit third-party auditors/ certification bodies and generally describes the roles and responsibilities of recognized accreditation bodies under the accredited third-party audits and certification program. The statute requires each recognized accreditation body to: (1) Ensure that third- party auditors/certification bodies (and audit agents) meet FDA's model accreditation standards; (2) perform such reviews and audits necessary to determine that a third-party auditor/certification body meets the statutory requirements for accreditation; \18\ (3) require a third- party auditor/certification body to agree to issue certifications in a form required by FDA, as a condition of accreditation; and (4) submit to FDA a list of all third-party auditors/certification bodies it accredited (and the audit agents of each). --------------------------------------------------------------------------- \18\ See section 808(c)(1)(A) and (c)(1)(B) of the FD&C Act. --------------------------------------------------------------------------- a. Who is eligible for recognition? (Proposed Sec. 1.610). This proposed rule would establish eligibility requirements an accreditation body would have to meet to qualify for recognition by FDA under the accredited third-party audits and certification program. Proposed Sec. 1.610 states that an accreditation body is eligible for recognition if it can demonstrate that it meets requirements relating to legal authority, competency, capacity, conflicts of interest, quality assurance, and records in proposed Sec. Sec. 1.611 through 1.615. In developing this proposed rule, we considered eligibility requirements that would help us ensure that accreditation bodies seeking recognition--whether public or private, newly formed or long standing--are sufficiently qualified to accredit third-party auditors/ certification bodies under our program. We considered the approach taken by NIST in its National Voluntary Conformity Assessment Systems Evaluation (NVCASE) Program, which is a voluntary program to evaluate and recognize organizations which support conformity assessment activities (Ref. 28). The NVCASE program handbook states that ISO/IEC 17011:2004 (Ref. 18) provides that the basic general criteria [[Page 45796]] that an accreditor of certification bodies must satisfy for NVCASE recognition (Ref. 28). We have tentatively concluded that key elements of ISO/IEC 17011: 2004 (Ref. 18) provide an appropriate basis for these requirements.\19\ We also considered our 2009 FDA guidance (Ref. 5),\20\ which states that conformance to ISO/IEC 17011:2004 (Ref. 18) helps provide assurance of the reliability and competence of accreditation bodies. --------------------------------------------------------------------------- \19\ ISO/IEC 17011:2004 contains requirements that are not applicable to our program (e.g., liability arrangements). While an accreditation body would not need to conform to ISO/IEC 17011:2004 to qualify for recognition under our program, an accreditation body that satisfies the requirements of ISO/IEC 17011:2004 could use that in demonstrating it meets the recognition requirements in this rule. \20\ We intend to withdraw the 2009 Guidance upon publication of a final rule for accredited third-party audits and certification under section 808 of the FD&C Act. --------------------------------------------------------------------------- We also considered current food industry practices. For example, GFSI requires food safety scheme owners to use accreditation bodies that comply with ISO/IEC 17011:2004 (Ref. 18) for GFSI-benchmarked food safety schemes (Ref. 29). In stakeholder meetings, some stakeholders have suggested that FDA consider requiring accreditation bodies participating in the accredited third-party audits and certification program to be signatories to a multilateral recognition agreement of the International Accreditation Forum (IAF). IAF is an organization for accreditors of conformity assessment bodies and is a counterpart to International Laboratory Accreditation Cooperation (ILAC), for laboratory accreditation bodies.\21\ The IAF multilateral recognition arrangement (IAF-MLA) (Ref. 30) requires signatories to conform to ISO/ IEC 17011:2004, among other things. --------------------------------------------------------------------------- \21\ The ILAC is an international body, established in 1977, to help ensure the competency, independence, rigor, and objectivity of accreditation bodies that accredit laboratories against international standards. The ILAC-mutual recognition agreement requires signatories to conduct their activities in accordance with ISO/IEC 17011:2004. FDA laboratory programs have worked with ILAC and other ILAC signatories for many years. --------------------------------------------------------------------------- Unlike our established history with ILAC and ILAC signatories, our food and feed programs lack similar experience with the IAF. We have found few examples of Federal agencies that require accreditation bodies for conformity assessment bodies to be signatories to the IAF- MLA (for accreditation of product and management system certification) and that use signatory status as the sole criterion for accreditation bodies. For example, the Department of Health and Human Services is not requiring approved accreditors in its Health Information Technology certification program (45 CFR part 170) to be signatories to the IAF- MLA, although signatory status could be provided in support of an applicant's request for approval. By contrast, the Environmental Protection Agency's WaterSense program (Ref. 31) requires product accreditors to be signatories to the IAF-MLA (Ref. 30). The WaterSense program is not a regulatory program; rather, it is a partnership program. We do not have adequate information at this time to propose to require accreditation bodies participating in the accredited third- party audits and certification regulatory program to be IAF-MLA signatories--whether as the sole requirement for recognition under Sec. 1.610 or as one of several factors in support of recognition. We have, however, tentatively concluded that documented conformance to ISO/IEC 17011:2004 (Ref. 18) would be relevant in demonstrating that an accreditation body is qualified for recognition. We invite comments and examples (in particular, examples from regulatory programs) in support of, or opposition to, using an accreditation body's status as a signatory to an IAF MLA as the sole criterion for recognition or as a factor weighing in favor of an application for recognition under the accredited third-party audits and certification program. b. What legal authority must an accreditation body have to qualify for recognition? (Proposed Sec. 1.611). This proposed rule would require accreditation bodies seeking recognition to demonstrate they have sufficient legal authority to adequately assess third-party auditors/certification bodies for accreditation and in conducting oversight of them, once accredited. Proposed Sec. 1.611 would allow both governmental bodies, with accreditation authority inherent in their roles as public officials, and private bodies, who have authority under contracts with third-party auditors/certification bodies, to qualify for recognition if they have the sufficient authority to conduct accreditation activities. This includes adequate authority to access records; to conduct onsite performance assessments, reassessments, and surveillance; and to grant, modify, and remove accreditation status. ISO/IEC 17011:2004 (Ref. 18) contains similar requirements for bodies accrediting third-party auditors/certification bodies for product and management system certification. Clause 4.1 requires accreditation bodies to be registered legal entities and explains that governmental accreditation bodies are considered legal entities because of their governmental status. Clause 4.2.2 states that accreditation bodies must have the authority and responsibility to decide on granting, maintaining, extending, reducing, suspending, and withdrawing accreditation.\22\ --------------------------------------------------------------------------- \22\ ISO/IEC 17011:2004 also contains requirements relating to documentation of the roles and responsibilities of accreditation body management and personnel involved in accreditation activities. Matters such as these will be more fully explained in the Model Accreditation Standards we plan to issue. --------------------------------------------------------------------------- Proposed Sec. 1.611(b) would require an accreditation body to demonstrate that it has the adequate legal authority to meet the requirements for a recognized accreditation body in proposed Sec. Sec. 1.611 through 1.615, including assessing third-party auditors/ certification bodies for accreditation, monitoring accredited auditors/ certification bodies, perform self-assessments, submitting reports and notifications to FDA, implementing procedures to protect against conflicts of interest, establishing and maintaining records, and following the applicable procedural requirements of our program. We are not proposing to require a newly recognized accreditation body to wait a certain period of time before beginning to conduct accreditation activities under our program. Its accreditation authority goes into effect at the moment of recognition. Therefore, we believe that an accreditation body seeking recognition must demonstrate its capacity to fulfill the roles and responsibilities of recognition, if granted. We believe that an accreditation body could meet this requirement by providing documentation of its authority to perform activities required by proposed Sec. Sec. 1.611 through 1.615. We expect this documentation to be provided primarily in the form of standard language for contracts with eligible entities under the FDA accredited third-party audits and certification program. However, we will accept other types of documents (e.g., Standard Operating Procedures) that can (individually or as part of a set of documents) demonstrate that the accreditation body has adequate legal authority to conduct the activities required by proposed Sec. 1.611 through 1.615. We invite comment on our proposal to require accreditation bodies to have demonstrable evidence to support a conclusion that they would have adequate legal authority to meet our requirements (e.g., authority to withdraw accreditation for cause), if recognized. We also seek examples of other types of evidence that might [[Page 45797]] demonstrate the scope of an applicant's legal authority. For comments opposing this requirement, we request comment on what, if any, requirements we should put in place to ensure that an accreditation body applying to us for recognition would be equipped, upon recognition, to perform the obligations required under the program. c. What competency and capacity must an accreditation body have to qualify for recognition? (Proposed Sec. 1.612). This rule would require accreditation bodies seeking recognition to demonstrate adequate resources to fully implement its accreditation program. Under proposed Sec. 1.612, an accreditation body must have adequate numbers of personnel or other agents with relevant knowledge, skills, and experience to adequately assess and monitor third-party auditors/ certification bodies. The accreditation body also would have to show it has adequate financial resources for its operations. In the guidance, we will explain the types of expertise and training we expect to see when reviewing accreditation body records and conducting onsite performance assessments. We also will explain the types of documentation that might be used to demonstrate financial viability. ISO/IEC 17011: 2004, clause 6.1 (Ref. 18) requires accreditation bodies to have a sufficient number of competent personnel (internal and external) with the educational background, technical qualifications, training, skills, and experience necessary for the accreditation body's activities. Clause 4.5.2 requires accreditation bodies to demonstrate they have financial resource required for accreditation activities.\23\ --------------------------------------------------------------------------- \23\ ISO/IEC 17011:2004 contains some requirements that are not applicable to our program. For example, it contains requirements relating to liability coverage. --------------------------------------------------------------------------- Under proposed Sec. 1.612(b) an accreditation body seeking to qualify for recognition must demonstrate that it has the capability to adequately assess third-party auditors/certification bodies seeking accreditation and to monitor accredited auditors/certification bodies through performance assessments. It also must be capable of submitting reports and notifications to FDA in the manner we propose and to follow the procedural requirements under our program. As previously explained, an accreditation body will be authorized to begin accreditation activities under our program immediately upon recognition. Therefore, we need to have adequate assurance of its ability to meet the competency and capacity requirements of a recognized accreditation body when deciding whether to grant recognition. d. What protections against conflicts of interest must an accreditation body have to qualify for recognition? (Proposed Sec. 1.613). This proposed rule would require accreditation bodies to have established programs to safeguard against conflicts of interest that might compromise their objectivity and independence from third-party auditors/certification bodies. Proposed Sec. 1.613 would require accreditation bodies seeking recognition to have written measures to safeguard against financial conflicts of interest between the accreditation body (and its officers, personnel, and other agents) and third-party auditors/certification bodies (and their officers, personnel, and other agents). Without these conflict of interest requirements, we believe it would be difficult for an accreditation body to demonstrate adequate independence in accrediting auditors/ certification bodies, as required under our accredited third-party auditing and certification program. ISO/IEC 17011: 2004, clause 4.3.4 (Ref. 18) requires accreditation bodies to ensure that personnel and committees that could influence the accreditation process act objectively and be free from any undue commercial pressures that could compromise impartiality.\24\ --------------------------------------------------------------------------- \24\ ISO/IEC 17011 contains additional requirements relating to opportunities for involvement by interested parties and the manner in which the accreditation body presents its services. Such matters are beyond the scope of our program. --------------------------------------------------------------------------- Under proposed Sec. 1.613(b), an accreditation body seeking recognition must demonstrate the capability to meet the conflict of interest requirements that would apply under Sec. 1.624, upon recognition. This measure is necessary to help ensure that any accreditation activities conducted after recognition would be considered objective and independent under our program. e. What quality assurance procedures must an accreditation body have to qualify for recognition? (Proposed Sec. 1.614). This proposed rule would require accreditation bodies seeking recognition to have written quality assurance procedures in place. Proposed Sec. 1.614(a) requires an accreditation body seeking recognition to have a program for monitoring and assessing the performance of its officers, personnel, and other agents and for assessing the effectiveness of its accreditation program. The program must include procedures for identifying areas for improvement and quickly executing corrective actions. ISO/IEC 17011 (Ref. 18) requires accreditation bodies to establish procedures for internal audits (clause 5.7.1) and to identify nonconformities in its operations (clause 5.5), opportunities for improvement, and preventive actions to address root causes (clause 5.6). Clause 5.8 requires periodic management reviews. Proposed Sec. 1.614(b) requires the accreditation body to demonstrate it has the capability to meet the quality assurance requirements of Sec. 1.622, for performing annual self-assessments against our requirements and reporting the results of such self- assessments. The guidance we plan to issue will discuss the elements of an effective quality assurance program for accreditation bodies. f. What records procedures must an accreditation body have to qualify for recognition? (Proposed Sec. 1.615). This proposed rule would require accreditation bodies seeking recognition to have written records procedures in place. Under proposed Sec. 1.615(a), an accreditation body would have to demonstrate that it has written procedures for establishing, controlling, and retaining records on its accreditation program and activities. While we are not proposing that an accreditation body must have retained records for a specified period of time prior to its recognition, we believe it is necessary for an accreditation body to have maintained records for such length of time to allow us to adequately assess its program and performance to determine whether it is qualified for recognition. The accreditation body also must maintain records as required by its existing legal obligations. Our guidance will explain these recordkeeping, document control, and retention requirements. Clause 5.4.1 of ISO/1EC 17011: 2004 (Ref. 18) requires accreditation bodies to establish procedures for identification, collection, filing, storage, maintenance, and disposal of records. Under clause 5.4.2, records procedures must require records to be retained for a period consistent with the accreditation body's contractual and legal obligations. The accreditation body must have procedures to control internal and external documents relating to its activities, under clause 5.3.\25\ --------------------------------------------------------------------------- \25\ Requiring accreditation bodies to exert control over external documents relating to its accreditation activities would be inconsistent with our program. --------------------------------------------------------------------------- Proposed Sec. 1.615(b) would require an accreditation body seeking recognition to demonstrate its capability to meet the requirements of a recognized accreditation body. This would include, [[Page 45798]] for example, capacity for maintaining records for 5 years, which is the maximum length for which recognition could be granted. It also requires recognized accreditation bodies to give us access to records on activities conducted under our program. Clause 4.4 of ISO/IEC 17011: 2004 (Ref. 18) requires accreditation bodies to have adequate arrangements to maintain the confidentiality of information obtained through its accreditation activities. Confidential information about a third-party auditor/certification bodies must not be disclosed without the written consent of the auditor/certification body unless the law requires the information to be disclosed without such consent. Accreditation bodies applying for recognition must demonstrate their capacity, if recognized, to grant us access to confidential information, including information contained in records, without prior written consent of the auditor/certification body involved. Having access to records relating to accreditation activities (including confidential information) under this subpart is necessary to ensure the rigor, credibility, and independence of the program. 3. Requirements for Recognized Accreditation Bodies Table 3--Proposed Requirements for Accreditation Bodies Recognized by FDA ------------------------------------------------------------------------ Proposed Rule Section Title ------------------------------------------------------------------------ 1.620.................. How must a recognized accreditation body assess third-party auditors/certification bodies seeking accreditation? 1.621.................. How must a recognized accreditation body monitor the performance of auditors/ certification bodies it accredits? 1.622.................. How must a recognized accreditation body monitor its own performance? 1.623.................. What reports and notifications must a recognized accreditation body submit to FDA? 1.624.................. How must a recognized accreditation body protect against conflicts of interest? 1.625.................. What records requirements must a recognized accreditation body meet? ------------------------------------------------------------------------ Proposed Sec. Sec. 1.620 through 1.625 contain the requirements that a recognized accreditation body would have to meet when conducting activities under our program. a. How must a recognized accreditation body assess third-party auditors/certification bodies seeking accreditation? (Proposed Sec. 1.620). This proposed rule would establish criteria and procedures a recognized accreditation body must use in assessing third-party auditors/certification bodies for accreditation. Proposed Sec. 1.620(a)(1) requires a recognized accreditation body to assess foreign governments/agencies by evaluating the food safety programs, systems, and standards of the government/agency to determine that the government/agency meets the eligibility requirements for accreditation under Sec. 1.640(b), except where the criteria for direct accreditation in proposed Sec. 1.670(a) are met.\26\ Proposed Sec. 1.620(a)(2) requires a recognized accreditation body to assess the internal systems and the training and qualifications of audit agents used by a foreign cooperative or other third party to determine that the cooperative/party meets the eligibility requirements for accreditation under Sec. 1.640(c). --------------------------------------------------------------------------- \26\ Under section 808(b)(1)(A)(ii) of the FD&C Act, we may begin to directly accredit third-party auditors/certification bodies if we have not identified and recognized an accreditation body to meet the requirements of the section within 2 years after establishing the system. --------------------------------------------------------------------------- Proposed Sec. 1.620(a)(1) and (a)(2) are based on section 808(c)(1) to (c)(3) of the FD&C Act, which distinguishes between the assessments of foreign governments/agencies and the assessments for foreign cooperatives/other third parties seeking accreditation. They also require a recognized accreditation body to assess any third-party auditor/certification body under the model accreditation standards we must issue under section 808(b)(2) of the FD&C Act. The model accreditation standards will specify the authority, competency, capacity, impartiality, quality assurance, and records that a third- party auditor/certification body must have to qualify for accreditation under our program. Proposed Sec. 1.620(a)(3) requires recognized accreditation bodies to observe a statistically significant number \27\ of onsite food safety audits by a third-party auditor/certification body (or its audit agents) seeking accreditation. Correspondingly, ISO/IEC 17011: 2004, clause 7.7.3 (Ref. 18) requires an accreditation body's assessment team to witness the performance of a representative number of staff to provide assurance of the auditor's/certification body's competency. --------------------------------------------------------------------------- \27\ Generally speaking, we consider ``statistical significance'' to be an interpretation of statistical data indicating that an occurrence was likely the result of a causative factor and not simply a chance result. With observations of a statistically significant number of accredited auditors/ certification bodies, recognized accreditation bodies will be able to exert an appropriate degree of oversight of its accredited auditors/certification bodies, using the data to help determine whether its accreditation program and activities are functioning appropriately. --------------------------------------------------------------------------- Proposed Sec. 1.620(b) requires a recognized accreditation body to impose three conditions on any accreditation under this program as follows: The third-party auditor/certification body must comply with the audit reporting requirements contained in proposed Sec. 1.656, which is drawn from section 808(c)(3) of the FD&C Act (which makes it a condition of accreditation to prepare consultative audit reports within 45 days after conducting an audit and, for regulatory audits, to submit an audit report within 45 days after conducting an audit). The third-party auditor/certification body must agree to submit electronic certifications to FDA, where appropriate based on the results of a regulatory audit. Under section 808(c)(2)(A) of the FD&C Act, we have tentatively concluded that submission of electronic certification (as opposed to paper certification) is appropriate for the following reasons: [cir] It would be too time-consuming and resource intensive to review paper-based facility certifications and might result delays that would frustrate the purpose of the VQIP program for expedited review and entry of products; and [cir] Requiring submission and manual review of paper food and facility certifications would undermine to our efforts to use robust, integrated databases to replace manual review, analysis, and reporting of data. A third-party auditor/certification body would have to comply with the requirement in section 808(c)(4)(A) of the FD&C Act to notify us immediately upon discovering, during a food safety audit, a condition that could cause or contribute to a serious risk to the public health, as a condition of its accreditation. Having timely notification of such risks directly affects our ability to respond rapidly to protect the public health. We believe this notification [[Page 45799]] requirement is of such a critical nature that, we are proposing to require compliance as a condition of accreditation. We seek comment on our tentative conclusion to require compliance with section 808(c)(4)(A) of the FD&C Act a condition of accreditation. Proposed Sec. 1.620(c) requires recognized accreditation bodies to maintain records relating to its accreditation activities under the program. These include records on any denial of accreditation and on any withdrawal, suspension, or decision to reduce the scope of an accreditation for cause.\28\ Such records must include the name and contact information for such certification body, the scope of accreditation denied, withdrawn, suspended, or reduced, and the basis for the action. Having access to records on denials of accreditation and actions taken due to nonconformities will help us in assessing the performance of the recognized accreditation body and also will allow us to determine whether poorly performing third-party auditors/ certification bodies are attempting to ``shop'' for favorable accreditation decisions elsewhere. Both are important for our oversight of the program. --------------------------------------------------------------------------- \28\ Denial, withdrawal, suspension, and reduction in scope of accreditation differ from voluntary relinquishment of accreditation under proposed Sec. 1.665, which is an action taken on the initiative of the auditor/certification body and is not based on a finding of nonconformity by its accreditation body. --------------------------------------------------------------------------- In proposed Sec. 1.620(d), we require recognized accreditation bodies to have written procedures in place to consider appeals from third-party auditors/certification bodies to adverse accreditation decisions. The written procedures must offer protections similar to those afforded by FDA under proposed Sec. Sec. 1.692 and 1.693 and include requirements to make the appeals procedures publicly available, have the appeal investigated and decided upon by people different than those involved in the subject matter of the appeal, notify the auditor/ certification body of the final decision on the appeal, and maintain records on the appeal, the final decision, and the basis for the decision. This provision is analogous to clause 7.10.2 of ISO/IEC 17011:2004 (Ref. 18), which requires accreditation bodies to establish similar procedures for handling appeals by auditors/certification bodies. We emphasize that we are not proposing to review a decision by a recognized accreditation body to deny, withdraw, suspend, or reduce an accreditation, nor do we propose to consider appeals from third- party auditors/certification bodies to such actions by recognized accreditation bodies. We have considered the language of section 808 of the FD&C Act and tentatively concluded that it does not require us to review such decisions. We believe our proposal is appropriate and consistent with international standards that identify these as matters between the recognized accreditation body and the third-party auditor/ certification body affected by the decision. Comments suggesting alternatives should provide the following: (1) A detailed legal rationale for us to review and decide on a challenge to an accreditation decision of a recognized accreditation body, including the authority to compel a recognized accreditation body to grant an accreditation and to conduct the ongoing monitoring of the auditor/ certification body required under this FDA program; (2) a description of the procedures FDA should follow, including whether to compile an administrative record based on documents from the accreditation body and the third-party auditor/certification body, whether to accept new evidence or conduct its own investigation, and whether to conduct a public hearing; and (3) a prioritization of FDA's program activities as between, for example, monitoring the performance of accredited auditors/certification bodies under section 808(f) of the FD&C Act and determining whether a recognized accreditation body correctly denied an application for accreditation. b. How must a recognized accreditation body monitor the performance of auditors/certification bodies it accredits? (Proposed Sec. 1.621). This proposed rule describes the type and frequency of monitoring a recognized accreditation body would have to perform for third-party auditors/certification bodies it accredits under our program. Proposed Sec. 1.621 requires a recognized accreditation body to annually evaluate each of its accredited auditors/certification bodies to determine whether it is complying with the applicable provisions of this rule. For each such auditor/certification body, the accreditation body must review its self-assessments (including information on compliance with the conflict of interest requirements under Sec. 1.657); its regulatory audit reports and notifications to FDA (and supporting documents for each), and any other information reasonably available to the accreditation body regarding the compliance history of eligible entities the accredited auditor/certification body certified or that would otherwise be relevant in determining its compliance with this rule. The monitoring requirements we propose are consistent with section 808(f)(2) of the FD&C Act, which requires us to evaluate each accredited auditor/certification body by reviewing its regulatory audit reports and the compliance history (as available) of eligible entities it certified, and to take any other necessary measures. We believe these elements are equally important for recognized accreditation bodies to use when monitoring accredited auditors/certification bodies under our program. We believe that the conflict of interest disclosures and public health notifications are of such importance to the reliability and credibility of the program that recognized accreditation bodies should review them as well. To provide flexibility to a recognized accreditation body that is aware of additional information relevant to its evaluation, and consistent with the last clause in section 808(f)(2) of the FD&C Act, we propose to allow the accreditation body to rely on other information relevant to its evaluation. We note that accreditation bodies need only consider information that is ``reasonably available'' to them. We do not expect an accreditation body to launch an investigation of each auditor/ certification body it accredited, absent cause; however, we expect that accreditation bodies will actively monitor for public information about their accredited auditors/certification bodies and will not ignore public information about problems associated with one or more of this accredited auditors/certification bodies. ISO/IEC 17011:2004, clause 7.11.3 (Ref. 18) requires accreditation bodies to plan for reassessment and surveillance of each accredited auditor/certification body at frequencies between 1 and 5 years, depending on the nature of reassessment and surveillance performed. In general, clause 7.11.3 requires these monitoring activities to occur every 2 years. We have tentatively concluded that the assessments under proposed Sec. 1.621 should be performed on an annual basis because formal reviews at that frequency, throughout the duration of an accreditation, will help the accreditation body determine whether the auditor/ certification body continues to meet the applicable program requirements and the conditions of its accreditation. Not only will these assessments help ensure that accredited auditors/certification bodies individually comply with our requirements, but also can be used by [[Page 45800]] the recognized accreditation body to identify trends and any deficiencies in its own performance or program. We seek comment on our proposal and on whether the information we describe in Sec. 1.621 will provide an appropriate basis for recognized accreditation bodies to use in evaluating auditors/ certification bodies they accredited. Should we require recognized accreditation bodies to conduct witness audits or visits to the headquarters of each auditor/certification body it accredits under the program, or a subset thereof? For comments recommending other methods of performance assessment, we are interested in information on the potential costs and benefits associated with these alternatives. c. How must a recognized accreditation body monitor its own performance? (Proposed Sec. 1.622). This proposed rule would require recognized accreditation bodies conduct self-assessments on an annual basis and as required under proposed Sec. 1.664(g) (following FDA withdrawal of accreditation of a third-party auditor/certification body it accredited). Proposed Sec. 1.622(a) requires a recognized accreditation body to evaluate the performance of its officers, employees, and other agents; compliance with applicable conflict of interest requirements; and any other aspects FDA requests, to determine whether the accreditation body meets our program requirements. Proposed Sec. 1.622(b) requires a recognized accreditation body to observe onsite regulatory audits conducted by a statistically significant number of its accredited auditors/certification bodies.\29\ --------------------------------------------------------------------------- \29\ As described in footnote 26, we generally interpret statistically significant numbers as those indicating that an occurrence was likely the result of a causative factor and not a chance result. --------------------------------------------------------------------------- Based on these assessments, proposed Sec. 1.622(c) requires recognized accreditation bodies implement corrective actions to address any area needing improvement that was identified through its self- assessment. The requirements in proposed Sec. 1.622(a), (b), and (c) build on proposed Sec. 1.614, which requires accreditation bodies to have quality assurance programs to qualify for recognition. Proposed Sec. 1.622(d) requires the accreditation body to prepare a written report of the findings of its self-assessment, including: (1) A statement disclosing the extent to which the accreditation body, and its officers, employees, and other agents, complied with the conflict of interest requirements in Sec. 1.624 and other applicable requirements; and (2) identifying any corrective actions taken to address identified deficiencies. The timelines for a recognized accreditation body to submit its self-assessment reports to FDA appear in proposed Sec. 1.623(b). ISO/IEC 17011: 2004, clause 6.3.1 (Ref. 18) requires accreditation bodies to establish procedures for monitoring the performance of its personnel. Clauses 5.5 and 5.6 require accreditation bodies to establish procedures to identify nonconformities in its operations and any opportunities for improvement and to record the results of any corrective or preventive actions taken. d. What reports and notifications must a recognized accreditation body submit to FDA? (Proposed Sec. 1.623). This proposed rule would require recognized accreditation bodies to submit to FDA reports of its self-assessments and monitoring, as well as notice of matters affecting recognition and accreditation status. The reports and notifications described in proposed Sec. 1.623 would have to be submitted electronically and in English. Here and other places in this proposed rule, we suggest that any information for FDA be submitted in English. For applications or requests to FDA, we also propose to require that any translation or interpretation services necessary for us to process the application or request be made available by the submitter. We invite comment on our proposal to require submissions in English and to require translation or interpretation services as necessary. For comments in opposition, we seek input on how FDA might address translation and interpretation issues in a manner that is not overly burdensome or infeasible for the Agency and for submitters. How can FDA mitigate indirect effects on others submitting applications or requests? For example, is there a limit on the amount of time or resources FDA should spend translating and processing an application submitted in a foreign language? Are there other factors we should consider in deciding whether to require submissions in English and translation and interpretation services where necessary? Proposed Sec. 1.623(a) requires recognized accreditation bodies to submit reports of their annual assessments of accredited auditors/ certification bodies under proposed Sec. 1.621 within 45 days of completion of the assessment. The report must include updated lists of any audit agents used by such auditors/certification bodies. We believe that the results of such assessments will help us evaluate the performance of recognized accreditation bodies in reassessing their accredited auditors/certification bodies. The results also will help us perform our own monitoring of each accredited auditor/certification body. For example, having data about trends in performance deficiencies that the recognized accreditation body identified in its assessments, and the corrective actions that were implemented to address such deficiencies, gives us useful information on the accredited auditor/ certification body and offers insight into how the recognized accreditation body oversees its accredited auditors/certification bodies. Proposed Sec. 1.623(b) requires recognized accreditation bodies to submit reports of their self-assessments under proposed Sec. 1.622. These too will be useful to us in overseeing the recognized accreditation bodies. Annual self-assessments would have to be submitted within 45 days after completing the self-assessment. In establishing this timeframe, we considered the statutory requirement that accredited auditors/certification bodies submit reports of regulatory audits within 45 days after completing the audit. We tentatively concluded that the reports of formal assessments under Sec. 1.621 and self-assessments under Sec. 1.622, though different in nature from regulatory audits, are similarly important to our ability to ensure the rigor and credibility of the accredited third-party audits and certification program and thus should be submitted to us under a similar deadline. Additionally, proposed Sec. 1.623(b) provides that reports from self-assessments required by proposed Sec. 1.664(g)(1) (following withdrawal of accreditation of a third-party auditor/certification body) would have to be submitted to FDA within 2 months after the date of withdrawal. Proposed Sec. 1.623(c) requires recognized accreditation bodies to immediately notify us when they grant accreditation to an auditor/ certification body or when they withdraw, suspend, or reduce the scope of an accreditation under our program. Immediate notice is essential so that we can take timely action to begin to accept certifications from newly accredited auditors/certification bodies and to refuse to accept certifications from auditors/certification bodies no longer authorized to issue them. For each such notification, an accreditation body must provide contact information for the auditor/certification body, the name(s) of one or more of its officers, and the scope of accreditation. For withdrawal, [[Page 45801]] suspension, or reduction in scope, the recognized accreditation body must specify the basis for the decision and must update any other previously submitted information about the auditor/certification body. A recognized accreditation body also must immediately notify us if it has determined that an accredited auditor/certification body failed to comply with the requirements for issuance of a food or facility certification under Sec. 1.653 and must include the basis for the determination and update any other information previously submitted about the auditor/certification body. Each type of notification must be made electronically and in English. This information is essential to our oversight and management of the accredited third-party audits and certification program and the programs that rely on certifications issued by accredited third-party auditors/certification bodies. For example, section 808(c)(6)(A)(ii) of the FD&C Act requires us to withdraw accreditation from a certification body if we determine that the certification body no longer meets the requirements for accreditation. Having information on the reason(s) for withdrawal, suspension, or reduction in scope of an accreditation will help us in determining whether and how to conduct such evaluation. (Concerns regarding the performance of an accredited auditor/ certification body are of a different nature than, for example, suspension of accreditation for failure to make timely fee payments.) Without information on the reason an accreditation was withdrawn, suspended, or reduced, we believe we will need to automatically consider withdrawal of accreditation whenever an accreditation is withdrawn, suspended, or reduced. We request comment on our tentative conclusion that our oversight of the program will be enhanced by timely notice of accreditations, withdrawals, suspensions, and reductions in scope of accreditation by a recognized accreditation body, and of violations of proposed Sec. 1.653. In proposed Sec. 1.623(d)(1), we require a recognized accreditation body to notify us within 30 days after denying accreditation to an auditor/certification body (in whole or in part) and including the basis for such denial. Proposed Sec. 1.623(d)(1) is based on the requirement in proposed Sec. 1.620(c), which requires recognized accreditation bodies to maintain records on any denial of accreditation under this program. We are not proposing to prohibit accreditation of an auditor/certification body previously denied accreditation, if the auditor/certification body is subject to a separate, full assessment and found to have adequately addressed the problems that led to the denial. Proposed Sec. 1.623(d)(2) requires recognized accreditation bodies to notify FDA within 30 days after making any significant change that would affect the manner in which it complies with the recognition requirements in Sec. Sec. 1.610 to 1.625 and include an explanation for the purpose of the change. For example, the merger of two accreditation bodies, or the contracting out of assessment services at an accreditation body that previously employed in-house assessors, would be the types of changes that should be notified to us. The intent of this proposed requirement is to help ensure that we obtain timely notice of any changes that could affect the basis upon which we recognized the accreditation body. We are not seeking prior notice, nor are we suggesting that we have a role in approving or denying such change. We are, however, required by section 808(b)(1)(C) of the FD&C Act to revoke recognition of any accreditation body found not to be in compliance with section 808 of the FD&C Act. A significant change that prevents or undermines the accreditation body's compliance with this rule may result in revocation of recognition under proposed Sec. 1.636. e. How must a recognized accreditation body protect against conflicts of interest? (Proposed Sec. 1.624). This proposed rule would require a recognized accreditation body to take certain steps to safeguard against conflicts of interest, including the requirement to implement a written conflict of interest program. Section 808 of the FD&C Act requires us to establish the accredited third-party audits and certification program through, in large part, recognition of accreditation bodies to themselves accredit third-party auditors/certification bodies. Various stakeholders have expressed concern about possible conflicts of interest between the accreditation bodies and the third-party auditors/certification bodies seeking to participate in the program we implement. We believe that the credibility of the program will rest, in part, on whether we establish effective measures to protect against conflicts of interest among the program participants. We considered ISO/IEC 17011:2004 (Ref. 18), which requires that all accreditation body personnel and committees that could influence the accreditation act objectively and be free from any undue commercial, financial, and other pressures that could compromise impartiality. We believe that, in keeping with the purpose of section 808 of the FD&C Act, recognized accreditation bodies should be held to conflict of interest provisions of similar rigor to those placed on accredited third-party auditors/certification bodies under section 808(c)(5) of the FD&C Act and this proposed rule. Failure to have documented safeguards against conflicts of interest between a recognized accreditation body and the third-party auditor/certification body seeking its accreditation could undermine the system at its foundation by introducing the possibility of bias into the system. We believe that nothing short of rigorous safeguards will offer the transparency and credibility we believe necessary for our oversight of, and consumer confidence in, this accredited third-party audits and certification program. Proposed Sec. 1.624(a)(1) addresses conflicts involving ownership, management, or control of, or financial interests in, an auditor/ certification body (including its officers, personnel, or other agents) or any affiliate, parent, or subsidiary of the auditor/certification body. We believe proposed Sec. 1.624(a)(1) aligns with the requirement in section 808(c)(5)(A)(i) of the FD&C Act, which prevents an accredited third-party certification body from being owned, managed, or controlled by any person that owns or operates an eligible entity to be certified by such certification body. It also aligns with the requirement, in section 808(c)(5)(B)(i) of the FD&C Act, that an audit agent of an accredited third-party certification body not own or operate an eligible entity to be audited by such agent. Proposed Sec. 1.624(a)(2) prohibits officers, employees, or other agents of a recognized accreditation body from accepting any monies, gifts, gratuities, or items of value other than the payment of fees for accreditation services, reimbursement of direct costs associated with accreditation, and onsite meals, of a de minimis value, provided during an audit or assessment. We believe this is consistent with the requirements in section 808(c)(5)(A)(ii) and (c)(5)(B)(ii) of the FD&C Act, which requires an accredited auditor/certification body and its audit agents to have procedures to safeguard against financial conflicts of interest between any officer, employee, or audit agent and any eligible entity to be audited or certified. We have tentatively concluded that onsite meals of a de minimis nature are not gifts, gratuities, or items of value [[Page 45802]] likely to influence the outcome of an audit or assessment, nor do we think they are likely to undermine the credibility of the program. Onsite meals may help expedite audits and assessments, because the accreditation body's assessors would not have to leave the premises for meals. We seek comment on whether to define de minimis value according to the limits established for U.S. Government employees for accepting gifts or gratuities. Proposed Sec. 1.624(b) imputes the financial interests of immediate family members to an officer, employee, or other agent of a recognized accreditation body. This proposed requirement is based on the approach we recommended in the 2009 Guidance with respect to conflicts of accredited certification bodies (Ref. 5). We believe that imposing a similar requirement on the immediate family of the officers, employees, or other agents of a recognized accreditation body will help to ensure the credibility of the accredited third-party audits and certification program at every level. Proposed Sec. 1.624(c) requires transparency in the payment of fees or reimbursement of direct costs by an accredited auditor/ certification body to a recognized accreditation body. We have considered the types of disclosures that are necessary to help ensure the credibility of the program (and are consistent with existing disclosure laws). We recognize the amount or manner of payment by a third-party auditor/certification body for accreditation services may give rise to questions about whether the payment might affect the outcome of the accreditation process. Where, for example, a third-party auditor/certification body makes multiple payments to an accreditation body or makes payments under a different schedule than the accreditation body's usual practice, this may spur questions about whether those payments are linked to a favorable outcome for the third- party auditor/certification body. We have tentatively concluded that, to maintain confidence in the program through transparency, recognized accreditation bodies disclose the timing of payments and reimbursement they receive from auditors/ certification bodies, to the extent that such disclosures are consistent with existing law. While we do not believe that information on timing of payment of fees would be protected from disclosure under existing disclosure laws, we seek comment on this matter. Proposed Sec. 1.624(c) also requires recognized accreditation bodies to maintain on their Web sites an up-to-date list of each auditor/certification body accredited under this program, including the scope and duration of such each accreditation and date(s) on which the auditor/certification body paid any fee or reimbursement associated with such accreditation. Information on the timing of payments to recognized accreditation bodies for accreditation services is useful because it allows for analysis of such data in the aggregate. Unusual patterns in payments by one or more auditors/certification bodies may trigger a closer evaluation by us to determine whether the independence and objectivity of the recognized accreditation body may have been compromised by such payments. Requiring the recognized accreditation body to make information on the timing of payments available on its Web site creates transparency, thereby lending to the credibility of the program. We seek comment on the tentative conclusions identified here, namely that we should require recognized accreditation bodies to: (1) Have a written program to safeguard against conflicts of interest; (2) include the interest of any affiliate, parent, or subsidiary of a third-party auditor/certification body within the scope of interests covered by the accreditation body's conflict of interest program; (3) impute the interests of immediate family members of an officer, employee, or other agent to such officer, employee, or other agent; and (4) maintain on its Web site a list of its accredited auditors/ certification bodies, including duration and scope of each such accreditation, and information about the timing of payments by each such auditor/certification body. For interested parties recommending alternative approaches regarding public disclosure of payments, we request that such comments be accompanied by any examples or other information to describe or support the recommended approaches. We also seek comment on whether there are conflicts other than financial interests of recognized accreditation bodies that should be addressed in these regulations. For any comment recommending that we address other types of conflicts, we are seeking recommended measures to address such conflicts, any documents or references that are available to support the recommendation, and input on whether similar measures should apply to accredited auditors/certification bodies under this program. f. What records requirements must a recognized accreditation body meet? (Proposed Sec. 1.625). This proposed rule identifies specific types of documents a recognized accreditation body would be required to establish, control, and maintain to document compliance with applicable requirements. The recognized accreditation body also would be required to provide FDA access to such records. The records required by proposed Sec. 1.625 include documents and data relating to the following: (1) Applications for accreditation and for renewal; (2) decisions to grant, deny, or suspend accreditation, or to reduce the scope of an accreditation; (3) challenges to adverse accreditation decisions; (4) monitoring of accredited auditors/ certification bodies; (5) the accreditation body's self-assessments and corrective actions (which includes information on compliance with conflict of interest requirements under proposed Sec. 1.624); (6) significant changes to the accreditation program that might affect compliance with this rule; (7) regulatory audit reports and supporting information from its accredited auditors/certification bodies; and (8) any other reports or notifications submitted under Sec. 1.623. Proposed Sec. 1.625 requires such records to be maintained, electronically and in English, for a period of 5 years. Requiring recognized accreditation bodies to maintain records in English is necessary to allow FDA to conduct timely and rigorous oversight of the accreditation bodies the Agency recognizes. We believe these are the types of records that accreditation bodies currently maintain and that such records are routinely maintained by accreditation bodies for a minimum of 5 years. In addition, by requiring recognized accreditation bodies to maintain their records for at least 5 years, it will help us ensure that we have an adequate basis for monitoring its performance and determining whether to renew recognition, which may be granted for a period of up to 5 years. Proposed Sec. 1.625(b) requires a recognized accreditation body to make such records available to us for inspection and copying upon the written request of an authorized FDA representative or, if requested by us electronically, to submit them electronically, in English, no later than 10 business days after the date of the request. Proposed Sec. 1.625(c) prohibits a recognized accreditation body from preventing or interfering with our access to its accredited auditors/certification bodies and the records of the auditors/certification bodies. We have tentatively concluded that the records identified and the records [[Page 45803]] maintenance and access requirements in proposed Sec. 1.625 are necessary for us to adequately monitor recognized accreditation bodies, as directed by section 808(f) of the FD&C Act. We understand that accreditation bodies frequently include confidentiality provisions in standard contracts with third-party auditors/certification bodies. Many of those contract provisions may, in the past, have prevented disclosure of these records to us. If so, the requirements of proposed Sec. 1.625, would require revisions to such contracts (and perhaps other documents) establishing and limiting the scope of an accreditation body's authority to grant us records access. We believe that such access is necessary for us to conduct the monitoring required by section 808(f) of the FD&C Act and to otherwise exercise adequate oversight of the accredited third-party audits and certification program. We seek comment on this tentative conclusion and on the specific requirements we propose in this section. 4. Procedures for Recognition of Accreditation Bodies Table 4--Proposed Procedures for Accreditation Bodies ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.630.................. How do I apply to FDA for recognition or renewal of recognition? 1.631.................. How will FDA review applications for recognition and for renewal of recognition? 1.632.................. What is the duration of recognition? 1.633.................. How will FDA monitor recognized accreditation bodies? 1.634.................. When will FDA revoke recognition? 1.635.................. How do I voluntarily relinquish recognition? 1.636.................. How do I request reinstatement of recognition? ------------------------------------------------------------------------ a. How do I apply to FDA for recognition or renewal of recognition? (Proposed Sec. 1.630). This proposed rule would establish procedures for accreditation bodies to follow when applying to FDA for recognition or for renewal of recognition. Under proposed Sec. 1.630(a) (initial application) and Sec. 1.630(b) (renewal), the applicant must demonstrate that it meets the eligibility requirements for recognition in proposed Sec. 1.610. Applications for recognition and for renewal are subject to the same requirements for the form and manner of submission under proposed Sec. 1.630(c) and (d). The accreditation body must submit a signed application, accompanied by any supporting documents, electronically and in English. We also propose to require an applicant to provide any translation or interpretation services we need to process the application. This may include providing translators or interpreters for FDA staff conducting onsite audits or assessments of the applicant. We tentatively conclude that the application procedures in proposed Sec. 1.630 are reasonable requirements for accreditation bodies to meet. We believe that an accreditation body having the competency and capacity to qualify for recognition under the criteria in proposed Sec. 1.610 would be similarly capable of meeting the application requirements in proposed Sec. 1.630. Requirements for electronic, English language communications are necessary for us to make well- informed and timely decisions on applications and to conduct appropriate oversight of accreditation bodies, once recognized. We seek comment on these conclusions and the proposed requirements of Sec. 1.630. b. How will FDA review applications for recognition and for renewal of recognition? (Proposed Sec. 1.631). This proposed rule would establish the procedures we will follow in reviewing and deciding on applications for recognition and for renewal of recognition. Under proposed Sec. 1.631(a), we will create an application queue, organized by the date on which each such application submission is complete. In the interest of fairness, we are proposing to order the queue on a first in, first out basis. We will inform applicants of deficiencies in application documentation. To encourage applicants to supply any missing information promptly, we will not place an application in the queue until it is complete. Allowing incomplete applications in the queue might block applications that are ready for review, but were submitted later in time. We will inform an applicant once its application has been placed in the queue. We will review each recognition or renewal application to determine whether the applicant meets the eligibility requirements of proposed Sec. 1.630(a) and (b). We anticipate that initial applications for recognition will require lengthier review times than renewal applications will. We will communicate anticipated processing periods to applicants. We are not, however, proposing to include specific timeframes for review, for the following reasons: (1) It is difficult to project the amount of resources that will be available for application review, as the program is authorized to be funded by user fees under section 808(c)(8) of the FD&C Act; and (2) we expect to become more efficient in processing applications as we gain experience but currently lack data to reasonably estimate the effect of efficiency gains on review times. Proposed Sec. 1.631(b), (c), and (d) describe the basis on which we will decide whether to approve a recognition or renewal application and explains that we will notify the applicant of our decision in writing. We may send the notice electronically. If we approve an application, the notice will include any conditions we may impose on the recognition. (For example, we may adjust the date that an accreditation body's annual self-assessment would be due, if the anniversary date of its recognition would otherwise require the self-assessment to be submitted on a weekend.) If we deny a recognition or renewal application, we will explain the reason for our denial and will give the address and procedures for requesting that we reconsider. Proposed Sec. 1.631(e) applies only to applications for renewal of recognition and allows us to extend the length of an existing recognition to complete our review of the renewal application. We can extend the recognition until a specific date or may extend the recognition for as long as necessary for us to decide on the application. c. What is the duration of recognition? (Proposed Sec. 1.632). This proposed rule would allow us to grant recognition to an accreditation body for up to 5 years, though we will determine the length of recognition on a case-by-case basis. In deciding that 5 years is the maximum appropriate length of recognition, we considered approaches [[Page 45804]] taken in other government programs. Another DHHS operating division, the Substance Abuse and Mental Health Services Administration (SAMHSA), approves accreditation bodies to accredit programs that use opioid agonist treatment medications. SAMHSA may approve an accreditation body for a period not to exceed 5 years (42 CFR 8.3). Under the FDA mammography program, we may approve accreditation bodies for terms of up to 7 years (21 CFR 900.3(g)). We are proposing to recognize accreditation bodies for a period of up to 5 years, based in part on these examples. We do not expect to grant every recognition at the maximum duration. We believe that shorter terms of recognition may be appropriate in the early years of the program or for accreditation bodies with fewer years of experience accrediting auditors/certification bodies for food safety auditing and certification. As we gain experience with the program, we may revisit this matter. We seek comment on proposed Sec. 1.632 and the factors we considered in developing it. We do not claim to have compiled an exhaustive list of government programs for approving accreditation bodies and are interested in comments offering other examples that are relevant to the type of program we are establishing. To the extent that an alternative term of recognition is suggested, we seek any information that can be provided in support of such alternative. d. How will FDA monitor recognized accreditation bodies? (Proposed Sec. 1.633). This proposed rule would establish the frequency and manner for our formal evaluations of recognized accreditation bodies. Proposed Sec. 1.633 builds on the self-assessment requirements of proposed Sec. 1.622, which are submitted to us under proposed Sec. 1.623. Section 808(f)(1) of the FD&C Act requires us to reevaluate a recognized accreditation body at least once every 4 years to determine its compliance with applicable FDA requirements. Proposed Sec. 1.633(a) describes the timeframes in which we will conduct reevaluations: At least 4 years after the date of accreditation for an accreditation body recognized for a 5-year term, and the mid- term point for recognitions granted for less than 5 years. These represent the maximum times that may elapse before we conduct a formal reevaluation of a recognized accreditation body. We lack data to set a more definitive schedule for reevaluations but may be able to do so as we gain experience under the program. Proposed Sec. 1.633(a) explains that we may perform additional performance evaluations of recognized accreditation bodies at any time. Proposed Sec. 1.633(b) describes the types of information we may gather as part of a performance evaluation. Section 808(f)(3) of the FD&C Act gives us authority to conduct onsite audits of eligible entities that have been issued certification by an accredited auditor/ certification body at any time, with or without the accredited auditor/ certification body present, and section 808(f)(4) gives us authority to take any other measures we deem necessary. Proposed Sec. 1.633(b) explains that we may conduct onsite audits of eligible entities certified by the accreditation body's accredited auditors/certification bodies, as indicators of the effectiveness of the recognized accreditation body's performance, including its assessments and decisionmaking. These assessments and audits may be conducted at any time, with or without the accredited auditor/certification body present. We believe it is necessary for us to have the option to conduct onsite audits of certified eligible entities outside the presence of a recognized accreditation body with an interest in the outcome of FDA's evaluation. Therefore, proposed Sec. 1.633(b) allows us to conduct onsite assessments of accredited auditors/certification bodies at any time, with or without the recognized accreditation body present. We believe that such spot checks are useful in testing the program and ensuring compliance, which is the purpose of section 808(f) of the FD&C Act. e. When will FDA revoke recognition? (Proposed Sec. 1.634). This proposed rule would establish the criteria and procedures for revocation of recognition of an accreditation body. It also describes the effects (if any) of revocation on accreditations and certifications occurring prior to the revocation. Section 808(b)(1)(C) of the FD&C Act requires us to revoke the recognition of an accreditation body for failure to comply with section 808 of the FD&C Act and the implementing regulations in this subpart. Proposed Sec. 1.634 describes several circumstances that we believe each warrant revocation of recognition: Under proposed Sec. 1.634(a)(1), we will revoke recognition of any accreditation body that refuses to grant us access to records or to conduct audits, assessments, or investigations necessary to ensure the recognized accreditation body's continued compliance. Denial of access to perform our oversight functions would prevent us from meeting our statutory responsibilities for monitoring recognized accreditation bodies under section 808(f)(1) of the FD&C Act. We will revoke recognition under proposed Sec. 1.634(a)(2)(i) for failure to take timely and necessary corrective action after we withdraw accreditation of one of its accredited auditors/certification bodies for unjustifiably certifying a facility or food that was linked to an outbreak with a reasonable probability of causing serious adverse health consequences or death in humans or animals. When we withdraw the accreditation of an auditor/certification body, we believe its accreditor should promptly conduct an internal review to identify whether any problems in its accreditation program or performance may have caused or contributed to the circumstances leading to withdrawal and to effectively address any problems found. For example, we expect such an accreditation body to review its monitoring program to determine whether it should conduct more frequent onsite assessments of the auditors/certification bodies it accredited under our program. We also will revoke recognition under proposed Sec. 1.634(a)(2)(ii) for failure to take timely and necessary corrective action when the results of the accreditation body's self-assessment or the self-assessments or monitoring of one or more of its accredited auditors/certification bodies identify a significant problem with the accreditation body's performance. This provision focuses on significant problems the accreditation body knew or should have known it needed to address through prompt and effective corrective actions. For example, we believe it appropriate to revoke the recognition of an accreditation body that ignores obvious, significant problems in its performance yet chooses to take no corrective action to address the problems. In addition, we will revoke recognition under proposed Sec. 1.634(a)(2)(iii) when a recognized accreditation body fails to promptly implement corrective actions we direct to bring the accreditation body into compliance. This provision is based on the requirement of section 808(b)(1)(C) of the FD&C Act to promptly revoke the recognition of an accreditation body found not to be in compliance with section 808 of the FD&C Act. Proposed Sec. 1.634(a)(3) allows us to revoke recognition when we determine that a recognized accreditation body has committed fraud or submitted material false statements to us. Fraud and falsehood undermine the credibility of the program and our ability to rely on [[Page 45805]] the certifications issued by auditors/certification bodies it accredited. Proposed Sec. 1.634(a)(4) describes circumstances that we believe warrant revocation but do not fit into the categories in proposed Sec. 1.634(a)(1), (a)(2), and (a)(3), such as a lack of objectivity (demonstrated bias) in its activities or failure to adequately support one or more of its accreditation decisions. There may be unforeseen circumstances that we determine provide good cause for revocation of recognition for failure to comply with applicable requirements. Proposed Sec. 1.634(a)(4) gives accreditation bodies notice of our intention to revoke recognition where we find good cause. Proposed Sec. 1.634(b) specifies that we may request records from the accreditation body or one or more of its accredited auditors/ certification bodies to assist us in deciding whether to revoke recognition. Proposed Sec. 1.634(c)(1) establishes the procedures for us to notify the accreditation body of revocation of recognition and its opportunity to challenge the revocation in an informal hearing conducted under part 16 of our regulations. Part 16 hearings are used for, among other things, approval, reapproval, or withdrawal of approval of mammography accreditation bodies under 21 CFR 900.7. We believe part 16 hearings provide adequate process for accreditation bodies subject to revocation of recognition under this proposed rule. The notice of revocation also will identify the procedures for requesting reinstatement of recognition under proposed Sec. 1.634(c)(1). Regardless of whether the accreditation body challenges its revocation or seeks reinstatement, under proposed Sec. 1.634(c)(2), it must notify us of the location where the records required by proposed Sec. 1.625 will be maintained. Proposed Sec. 1.634(d) addresses the possible effects of revocation of recognition on an auditor/certification body accredited prior to the revocation. Under proposed Sec. 1.634(d)(1), FDA would notify any auditor/certification body accredited by an accreditation body whose recognition was revoked. The auditor's/certification body's accreditation will remain in effect provided that it conducts a self- assessment under proposed Sec. 1.655 and reports its results to FDA within 2 months of the revocation under proposed Sec. 1.656(b). We believe the accredited auditor/certification body that complies with these requirements should not face adverse consequences when its accreditation body fails to meet its obligations as a recognized accreditation body. Requiring the accredited auditor/certification body to verify that it is in compliance with the applicable requirements through self-assessment and reporting would help provide confidence that the auditor's/certification body's program is under control during the time it is transitioning from one accreditation body to another. The auditor/certification body would have 1 year after the revocation of its accreditation body's recognition to become reaccredited, under proposed Sec. 1.634(d)(1)(ii). We believe this gives the auditor/ certification body sufficient time to find a new recognized accreditation body and to go through its accreditation process, but would not allow a prolonged period of auditing and certification activity without the immediate oversight of an accrediting body. Proposed Sec. 1.634(d)(2) explains that FDA may withdraw accreditation of an auditor/certification body whenever FDA finds good cause under proposed Sec. 1.664. Where an accredited auditor/certification body fails to comply with the requirements of proposed Sec. 1.634(d)(1)(i) or (d)(1)(ii), we may withdraw the accreditation for cause under proposed Sec. 1.664. Our decision to withdraw accreditation will be based on the circumstances associated with the auditor/certification body. Revocation of the recognition of its accrediting body does not, by itself, provide cause for withdrawal of the accreditation of an auditor/certification body that is in compliance with this rule. If evidence from a revocation proceeding reveals problems with the auditor/certification body, then we may pursue withdrawal of accreditation under proposed Sec. 1.664 based on evidence associated with the auditor/certification body--not because of the revocation of recognition of its accrediting body. Under proposed Sec. 1.634(e), certifications issued by an auditor/ certification accredited by an accreditation body whose recognition is subsequently revoked will remain in effect until the certifications terminate by expiration. We believe that eligible entities should not face adverse consequences solely because of the failure of an accreditation body selected by its auditor/certification body. However, we retain the authority, under section 801(q) of the FD&C Act, to refuse to accept a food certification, offered for admissibility purposes, if we reasonably believe the certification is not valid or reliable. Revocation of the recognition of its accrediting body does not, by itself, provide the basis for refusing a certification under section 801(q) of the FD&C Act. We will look to circumstances bearing on the issuance of a food certification to an eligible entity and submission by an accredited auditor/certification body in determining its validity or reliability. For example, if an investigation of fraud by an accreditation body also reveals evidence of fraud by the eligible entity or by the auditor/certification body, we may determine that the food certification is not valid or reliable. Proposed Sec. 1.634(f) explains that we will provide notice on our public Web site when we revoke the recognition of an accreditation body. We believe that public notice of matters such as revocation are necessary to help ensure the credibility of the program. We solicit comment on our tentative conclusions regarding possible grounds for revocation, particularly revocation for cause. We seek examples that commenters believe do or do not represent good cause for revocation. We also solicit input on our proposal to use the informal hearing procedures set out in part 16 for challenges to a revocation decision. f. How do I voluntarily relinquish recognition? (Proposed Sec. 1.635). This proposed rule would offer an accreditation body a mechanism for voluntarily relinquishing its recognition before it terminates by expiration. Relinquishment on the initiative of the accreditation body is distinct from FDA revocation of recognition for good cause. Proposed Sec. 1.635 describes the procedures that an accreditation body must follow when it intends to relinquish its recognition. Current mammography regulations in 21 CFR 900.3 offer accreditation bodies the opportunity to voluntarily relinquish their authority to grant accreditation. We believe that accreditation bodies operating under our accredited third-party audits and certification program should likewise have the option to voluntarily relinquish their recognition. We are proposing certain procedural requirements--similar to those in the mammography regulations--that accreditation bodies must follow in relinquishing recognition. We believe these procedures are necessary to ensure an orderly transition for auditors/certification bodies accredited by an accreditation body that is relinquishing its recognition and for us to make necessary adjustments in the program, such as preparing to review self-assessments from any auditor/ certification body accredited by such accreditation body. Proposed Sec. 1.635(a) requires accreditation bodies to notify us at least 6 months before relinquishing recognition. The notifications must be submitted electronically and in English. [[Page 45806]] It is essential that we have the ability to maintain adequate oversight of the program, and particularly accredited auditors/certifications bodies that will no longer be under the oversight of a recognized accreditation body. Therefore, we are proposing to require an accreditation body relinquishing its recognition to identify the location where the records required by proposed Sec. 1.625 will be maintained. The decision to relinquish recognition is made solely by the accreditation body, without FDA involvement. Therefore, in relinquishing recognition under proposed Sec. 1.635(a), the accreditation body would waive its rights to appeal, because there is no FDA action to serve as the basis for appeal. Proposed Sec. 1.635(b) requires the accreditation body to notify any third-party auditor/accreditation body, currently accredited, of the date on which it intends to relinquish recognition. An accredited auditor/certification body needs timely notice of its accreditation body's intent to relinquish recognition so that the auditor/ certification body can begin to seek accreditation from another recognized accreditation body. Proposed Sec. 1.635(c) explains that an accreditation granted by a recognized accreditation body prior to relinquishing its recognition will remain in effect until it expires, except where we determine there is good cause for withdrawal under proposed Sec. 1.664. In general, we believe an accredited auditor/certification body should not face adverse consequences from its accreditation body's decision to withdraw from our program and upon expiration of its accreditation would apply for accreditation from a different accreditation body under proposed Sec. 1.660. If however we determine that there are grounds for us to withdraw the accreditation of the auditor/certification body, the auditor/certification body would have to seek reaccreditation under proposed Sec. 1.666. Proposed Sec. 1.635(d) explains that an accreditation granted by an accreditation body that voluntarily relinquished recognition will not affect certifications issued by auditors/certification bodies accredited prior to its voluntary relinquishment, except that we may refuse to consider such certification in determining the admissibility of an article of food under section 801(q) of the FD&C Act if we determine the certification is not valid or reliable. Such certifications generally will remain in effect until they terminate by expiration. In considering the impact of relinquishment of recognition on certifications, we were mindful that eligible entities would not have input into the accreditation body's decision to relinquish recognition and that voluntary relinquishment likely would have no bearing on the performance of its accredited auditors/certification bodies and the validity or reliability of certifications they issue. Proposed Sec. 1.635(e) states that we will provide notice on our public Web site of the voluntary relinquishment of recognition by an accreditation body. To provide notice to program participants and to provide certainty to the markets, we also will post information on the status of accreditations and certifications as described under proposed Sec. 1.635(c) and (d). g. How do I request reinstatement of recognition? (Proposed Sec. 1.636). This proposed rule describes the procedures that an accreditation body would have to follow when seeking reinstatement of its recognition. Under proposed Sec. 1.636(a), an accreditation body that has had its recognition revoked may seek reinstatement by submitting a new application for recognition if it did not seek a regulatory hearing on the merits of the revocation of its recognition under proposed Sec. 1.634 or if required to do so by a decision following a regulatory hearing. Proposed Sec. 1.636(b) requires such application to be supported by evidence demonstrating that the grounds for revocation have been resolved and are unlikely to recur. We believe that a new application would be an appropriate requirement for an accreditation body that had been previously shown not to be in compliance with the requirements of this rule, and any conditions we imposed on its recognition. We seek comment on this tentative conclusion and on the requirements we propose in Sec. 1.636 for reinstatement of recognition. 5. Accreditation of Third-Party Auditors/Certification Bodies This proposed rule would establish: (1) The eligibility requirements for an auditor/certification body to be authorized (``accredited'') by a recognized accreditation body or by FDA (``direct accreditation'') under the accredited third-party audits and certification program; (2) requirements for accredited auditors/ certification bodies, including auditing, reporting, certification, and assessments; and (3) procedures FDA and third-party auditors/ certification bodies will follow under the program. Table 5--Proposed Requirements for Third-Party Auditors/Certification Bodies ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ Accreditation of third-party auditors/certification bodies under this subpart ------------------------------------------------------------------------ 1.640.................. Who is eligible to seek accreditation? 1.641.................. What legal authority must a third-party auditor/ certification body have to qualify for accreditation? 1.642.................. What competency and capacity must a third-party auditor/certification body have to qualify for accreditation? 1.643.................. What protections against conflict of interest must a third-party auditor/certification body have to qualify for accreditation? 1.644.................. What quality assurance procedures must a third- party auditor/certification body have to qualify for accreditation? 1.645.................. What records procedures must a third-party auditor/certification body have to qualify for accreditation? ------------------------------------------------------------------------ Requirements for accredited auditors/certification bodies under this subpart ------------------------------------------------------------------------ 1.650.................. How must an accredited auditor/certification body ensure its audit agents are competent and objective? 1.651.................. How must an accredited auditor/certification body conduct a food safety audit of an eligible entity? 1.652.................. What must an accredited auditor/certification body include in food safety audit reports? 1.653.................. What must an accredited auditor/certification body do when issuing food or facility certification? 1.654.................. When must an accredited auditor/certification body monitor an eligible entity with food or facility certification? 1.655.................. How must an accredited auditor/certification body monitor its own performance? 1.656.................. What reports and notifications must an accredited auditor/certification body submit? 1.657.................. How must an accredited auditor/certification body protect against conflicts of interest? [[Page 45807]] 1.658.................. What records requirements must an accredited auditor/certification body meet? ------------------------------------------------------------------------ Procedures for accreditation of third-party auditors/certification bodies under this subpart ------------------------------------------------------------------------ 1.660.................. Where do I apply for accreditation or renewal of accreditation from a recognized accreditation body? 1.661.................. What is the duration of accreditation? 1.662.................. How will FDA monitor accredited auditors/ certification bodies? 1.663.................. How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? 1.664.................. When can FDA withdraw accreditation? 1.665.................. How do I voluntarily relinquish accreditation? 1.666.................. How do I request reaccreditation? ------------------------------------------------------------------------ Additional procedures for direct accreditation of third-party auditors/ certification bodies under this subpart ------------------------------------------------------------------------ 1.670.................. How do I apply to FDA for direct accreditation or renewal of direct accreditation? 1.671.................. How will FDA review applications for direct accreditation and for renewal of direct accreditation? 1.672.................. What is the duration of direct accreditation? ------------------------------------------------------------------------ Section 808 of the FD&C Act directs us to establish a voluntary program for accreditation of third-party auditors/certification bodies to conduct food safety audits and to issue certifications to eligible foreign entities. Sections 808(b)(2) and (c)(5)(C) of the FD&C Act require us to issue model accreditation standards to qualify third- party auditors/certification bodies as accredited auditors/ certification bodies and to issue implementing regulations for the program. The statute requires accredited auditors/certification bodies to: (1) Issue a written (and, as appropriate, electronic) food or facility certification after conducting a regulatory audit and such other activities necessary to determine compliance with the FD&C Act; (2) submit regulatory audit reports within 45 days; (3) complete reports of consultative audits within 45 days; (4) maintain onsite audit reports and other audit documents in its records; (5) immediately notify us of a condition that could cause or contribute to a serious risk to the public health; (6) prevent an audit agent from conducting a regulatory audit of an eligible entity for which the agent conducted a consultative or regulatory audit within the preceding 13 months, unless waived by FDA; and (7) comply with conflict of interest requirements. a. Who is eligible for accreditation? (Proposed Sec. 1.640). This proposed rule would establish the eligibility requirements for a third- party auditor/certification body to be qualified for accreditation by a recognized accreditation body or for direct accreditation by FDA. Under section 808(a)(3) of the FD&C Act, a third-party auditor can be a foreign government, an agency of a foreign government, a foreign cooperative, or any other third party, as FDA determines appropriate according to the Agency model accreditation standards. Section 808(c)(1)(A) of the FD&C Act requires a foreign government/agency seeking accreditation to demonstrate that its food safety programs, systems, and standards are capable of adequately ensuring that eligible entities or foods it certified meet applicable FDA requirements for food manufactured, processed, packed, or held for import into the United States. Section 808(c)(1)(B) of the FD&C Act requires a foreign cooperative or other third party seeking accreditation to demonstrate that each eligible entity it certified has systems and standards in use to ensure that the entity or food meets the applicable requirements of the FD&C Act. The statute requires us to issue model accreditation standards under section 808(b)(2) of the FD&C Act to qualify third- party auditors/certification bodies for accreditation.\30\ --------------------------------------------------------------------------- \30\ Section 808(b)(2) of the FD&C Act directs us to include requirements for regulatory audit reports in the model accreditation standards. Because such reports are prepared by accredited third- party auditors/certification bodies, we have included requirements for regulatory audit reports in the proposed requirements for accredited auditors/certification bodies in this subpart. --------------------------------------------------------------------------- Proposed Sec. 1.640(a) aligns with the definition of third-party auditor in section 808(a)(3) of the FD&C Act, describing the types of organizations that may be eligible for accreditation under our program: Foreign governments and agencies of foreign governments, foreign cooperatives, and other third parties. Proposed Sec. 1.640(b) reflects the requirements of section 808(b) and (c)(1)(A) of the FD&C Act, stating that a foreign government or agency of a foreign government is eligible for accreditation if it meets the requirements of Sec. Sec. 1.641 through 1.645, as specified in FDA model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. We believe the scope of the review of a foreign government/ agency's food safety programs, systems, and standards for accreditation purposes should focus on the program, systems, and standards relevant to the scope of accreditation sought. Under proposed Sec. 1.640(c), a foreign cooperative or other third party is eligible for accreditation if it can demonstrate that the training and qualifications of its audit agents and its internal systems and standards meet the requirements of Sec. Sec. 1.641 through 1.645, as explained in FDA model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. These proposed eligibility requirements build on the language in section 808 of the FD&C Act, using the approach we described in our 2009 guidance on voluntary certification for food and feed (Ref. 5), which contained recommendations relating to authority, competency, capacity, conflicts of interest, quality assurance, and recordkeeping. We also considered the FDA MFRPS (Ref. 12) and draft ICAT (Ref. 14) for similar standards that could help assure the maximum degree of consistency across domestic and international foods programs. Looking externally, we considered the GFSI Guidance version 6 (Ref. 23), which requires food safety scheme owners to use third-party auditors/ certification bodies that comply with either ISO/IEC Guide 65:1996 (Ref. 20) for product [[Page 45808]] certification or ISO/IEC 17021:2006 (revised in 2011) (Ref. 19) coupled with ISO TS 22003:2007 (Ref. 21) for management systems certification. b. What legal authority must a third-party auditor/certification body have to qualify for accreditation? (Proposed Sec. 1.641). This proposed rule would require third-party auditors/certification bodies seeking accreditation to demonstrate that they have sufficient legal authority, which may include authority established by contract, to adequately audit food facilities and to certify them for compliance with food safety requirements, once accredited. Proposed Sec. 1.641(a) would allow governmental bodies, with auditing and certification authority inherent in their roles as public officials, and private bodies, who have authority under contracts with food facilities, to qualify for accreditation if they have sufficient authority to conduct auditing and certification activities. This includes adequate authority to access records; conduct onsite audits; and to grant, suspend or withdraw certification. Clause 4.2(d) of ISO/ IEC Guide 65:1996 (Ref. 20) requires auditors/certification bodies to be legal entities. Clause 5 of ISO/IEC 22003:2007 (Ref. 21), by cross reference to ISO/IEC 17021:2011 (Ref. 19), clause 5, requires auditors/ certification bodies to be legal entities, or defined parts of a legal entity that can be held legally responsible for its certification activities. Clause 5.1.3 requires auditors/certification bodies to retain authority for their certification decisions, including granting, maintaining, renewing, extending, reducing, suspending, and withdrawing certification. Proposed Sec. 1.641(b) would require a third-party auditor/ certification body to demonstrate that it has adequate legal authority to meet the requirements for an accredited auditor/certification body in proposed Sec. Sec. 1.650 through 1.658, including conducting food safety audits using FDA requirements and industry standards and practices as audit criteria, preparing audit reports, issuing certifications, submitting reports and notification to us, implementing procedures to protect against conflicts of interest, maintaining records, conducting monitoring when necessary, and following the procedural requirements of our program. Consistent with our procedures for recognition of accreditation bodies, we are not proposing to require a newly accredited auditor/ certification body to wait a certain length of time before beginning to conduct foods safety audits and issue certifications under our program. Its certification authority goes into effect at the moment of accreditation. Therefore, we believe a third-party auditor seeking accreditation must demonstrate its capacity to fulfill the roles and responsibilities of an accredited auditor/certification body, if granted. We seek comment on this tentative conclusion and our proposal to require third-party auditors/certification bodies to have demonstrable evidence to support a conclusion that they would be capable of meeting our requirements, if accredited. For comments opposing this requirement, we seek comment on what, if any, requirements we should put in place to ensure that a third-party auditor/certification body seeking accreditation would be equipped, upon accreditation, to perform the obligations required under the program. c. What competency and capacity must a third-party auditor/ certification body have to qualify for accreditation? (Proposed Sec. 1.642). This proposed rule would require third-party auditors/ certification bodies seeking accreditation to demonstrate adequate resources to fully implement their auditing and certification programs. Under proposed Sec. 1.642(a), a third-party auditor/certification body must have adequate numbers of personnel and other agents with relevant knowledge, skills, and experience to effectively audit for compliance with applicable FDA requirements and industry standards and practices and to issue valid and reliable certifications. The third-party auditor/certification body would have to show it has adequate financial resources for its operations. In the model accreditation standards, we will explain the types of expertise and training we expect third-party auditors/certification bodies to demonstrate. We also will explain the types of documentation that might be used to demonstrate financial viability. Standards associated with auditor competency are critical to international standards for certification bodies and are an area of focus for GFSI and other stakeholders. Audit agents and other personnel that lack the necessary knowledge, skills, and abilities will be unable to perform credible audits and may result in flawed certification decisions. ISO/IEC 17021:2011 (Ref. 19), clauses 7.2.1 and 7.2.2, requires certification bodies to have personnel with sufficient competence to manage their audit and certification work and to employ, or have access to, sufficient numbers of auditors and technical experts to cover the volume and types of its activities. Under proposed Sec. 1.642(b), a third-party auditor/certification body seeking to qualify for recognition must demonstrate that it has the competency and capacity to adequately audit eligible foreign entities to determine if they are in compliance with applicable FDA requirements and, for consultative audits, industry standards and practices. It also must be capable of making certification decisions that are valid and reliable, submitting reports and notifications to FDA in the manner we propose, and following the procedural requirements of our program. As previously explained, a third-party auditor/ certification body will be authorized to begin auditing and certification under our program immediately upon accreditation. Therefore, it needs to sufficiently demonstrate its ability to meet the competency and capacity requirements of an accredited auditor/ certification body in its application for accreditation. d. What protections against conflicts of interest must a third- party auditor/certification body have to qualify for accreditation? (Proposed Sec. 1.643). This proposed rule would require third-party auditors/certification bodies to have established programs to safeguard against conflicts of interest that might compromise their objectivity and independence from food facilities they audit and certify. Proposed Sec. 1.643(a) would require accreditation bodies seeking recognition to have written measures to safeguard against financial conflicts of interest between the third-party auditor/certification body (and its officers, personnel, and other agents) and food facilities (and owners and operators). Without these conflict of interest requirements, we believe it would be difficult for a third-party auditor/certification body to demonstrate it has adequate independence, as a third party, in auditing and certifying food facilities. The model accreditation standards will describe appropriate measures to protect against conflicts of interest. ISO/IEC 17021: 2011 (Ref. 19), clause 4.2.2, recognizes that payment for certification services can be a potential threat to impartiality. Clause 5.2.2 requires auditors/certification bodies to identify, analyze, and document the possibilities for conflicts of interest and how it eliminates or minimizes such threats. Under proposed Sec. 1.643(b), a third-party auditor/certification body seeking accreditation must demonstrate its capability to meet the conflict of interest requirements that would apply under Sec. 1.657, upon accreditation. This measure is necessary to help ensure that any auditing and certification activities conducted after accreditation would be [[Page 45809]] considered objective and independent under our program. e. What quality assurance procedures must a third-party auditor/ certification body have to qualify for accreditation? (Proposed Sec. 1.644). This proposed rule would require third-party auditors/ certification bodies seeking accreditation to have quality assurance procedures in place. Proposed Sec. 1.614(a) requires a third-party auditor/certification body seeking accreditation to have a written program for monitoring and assessing the performance of its officers, personnel, and other agents. The program must include procedures for identifying areas for improvement and quickly executing corrective actions. The model accreditation standards will describe types of quality assurance measures that may be used to qualify for accreditation. We considered both international and domestic standards in developing proposed Sec. 1.644. ISO/IEC Guide 65: 1996 (Ref. 20), clause 4.7.1, requires auditors/certification bodies to conduct periodic internal audits to verify that their quality systems are implemented and effective, to take timely and appropriate corrective actions, and to document results. The MFPRS (Ref. 12), which apply domestically, also include requirements for quality assurance/internal audit programs that involve assessment, corrective action, and continuous improvement. Proposed Sec. 1.644(b) requires the third-party auditor/ certification body to demonstrate it has the capability to meet the quality assurance requirements of Sec. 1.655, for performing annual self-assessments against our requirements and reporting the results of such self-assessments. f. What records procedures must a third-party auditor/certification body have to qualify for accreditation? (Proposed Sec. 1.645). This proposed rule would require third-party auditors/certification bodies seeking accreditation to have written records procedures in place. Under proposed Sec. 1.645(a), a third-party auditor/certification body would have to demonstrate that it has written procedures for establishing, controlling, and retaining records on its auditing and certification program and activities. While we are not proposing that a third-party auditor/certification body must have retained records for a specified period of time prior to its accreditation, we believe it is necessary for a third-party auditor/certification body to have maintained records for such length of time to allow for its program and performance to be adequately assessed in determining whether it is qualified for accreditation. The third-party auditor/certification body also must maintain records as required by its existing legal obligations. The model accreditation standards will explain these recordkeeping, document control, and retention requirements. In developing proposed Sec. 1.645(a), we considered the records requirements in ISO/IEC 17021:2011 (Ref. 19), clause 9.9.1, which requires auditors/certification bodies to maintain records on audits and other certification activities for all clients, including all organizations submitting applications and all organizations audited, certified, or with suspended or withdrawn certifications. Clause 9.9.4 requires auditors/certification bodies to have documented records policies and procedures for retaining records for the current cycle and an additional certification cycle, noting that records may need to be retained for a longer period, where required by law. Proposed Sec. 1.645(b) would require a third-party auditor/ certification body seeking accreditation to demonstrate its capability to meet the requirements of an accredited auditor/certification body, if accredited. This would include, for example, capacity for maintaining records for 4 years, which is the maximum length for which accreditation could be granted. It also requires accredited auditors/ certification bodies to give us routine access to records of regulatory audits and, for consultative audits, access to records in specific circumstances. We realize that existing third-party auditors/ certification bodies might need to modify the confidentiality provisions in their standard contracts with food facilities. Third- party auditors/certification bodies applying for accreditation under this voluntary program must demonstrate their capacity to grant us access to relevant records, upon accreditation, because records are necessary to ensure the rigor, credibility, and independence of the accredited third-party audits and certification program. 6. Requirements for Accredited Auditors/Certification Bodies Table 6--Proposed Requirements for Third-Party Auditors/Certification Bodies Accredited by Recognized Accreditation Bodies or by FDA ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.650.................. How must an accredited auditor/certification body ensure its audit agents are competent and objective? 1.651.................. How must an accredited auditor/certification body conduct a food safety audit of an eligible entity? 1.652.................. What must an accredited auditor/certification body include in food safety audit reports? 1.653.................. What must an accredited auditor/certification body do when issuing food or facility certifications? 1.654.................. When must an accredited auditor/certification body monitor an eligible entity with food or facility certification? 1.655.................. How must an accredited auditor/certification body monitor its own performance? 1.656.................. What reports and notifications must an accredited auditor/certification body submit? 1.657.................. How must an accredited auditor/certification body protect against conflicts of interest? 1.658.................. What records requirements must an accredited auditor/certification body meet? ------------------------------------------------------------------------ a. How must an accredited auditor/certification body ensure its audit agents are competent and objective? (Proposed Sec. 1.650). This proposed rule would require an accredited auditor/certification body to ensure that any audit agents it uses are competent and objective. (Where an accredited auditor/certification body is an individual, the determination of whether such auditor/certification body is competent and objective will be made as part of the accreditation decision.) Proposed Sec. 1.650(a)(1) and (a)(2) require an accredited auditor/certification body to use audit agents that have knowledge and experience to conduct food safety audits within the scope of its accreditation. We believe that competency and independence cannot be demonstrated solely by records or by an interview. We have tentatively concluded that a determination of competency must be based in part on observations of the audit agent conducting food safety audits that use the requirements of the [[Page 45810]] FD&C Act as the standard against which eligible entities are audited. We recognize that many audit agents currently are being assessed for their performance in conducting audits under private food safety schemes. However, section 808(a)(7) of the FD&C Act clearly states that regulatory audits performed under this system must assess firms for compliance with the FD&C Act and the results of such audits are to be used to determine whether certification may be issued. Even consultative audits for internal purposes must include assessments of compliance with the FD&C Act, although they also include audits on industry standards and practices. For these reasons, we are proposing to require that audit agents be qualified through observation of audits assessing compliance with the FD&C Act. ISO/IEC Guide 65:1996 (Ref. 20), clauses 5.1.1 and 5.2.1, require auditors/certification bodies to establish minimum criteria for competence to ensure that personnel are competent for the functions they perform and that auditors'/certification bodies' evaluations and certifications are carried out effectively and uniformly. ISO/IEC 17021:2011 (Ref. 19), clause 7.1.3, requires auditors/certification bodies to have documented processes for initial competency evaluations and ongoing monitoring of personnel performance and competency. Clauses 7.2.11 and 7.2.12 state that the documented monitoring procedures for auditors/certification bodies must include onsite observation at a frequency based on need determined from all monitoring information available (e.g., review of audit reports and client feedback). Proposed Sec. 1.650(a)(3) requires audit agents to participate in annual food safety training. ISO/IEC 17021:2011 (Ref. 19), clause 7.2.8, requires auditors/certification bodies to identify training needs and to offer or provide access to specific training to ensure competency of its auditors, technical experts, and personnel. The FDA MFRPS (Ref. 12), Standard Two, requires each State inspector to receive 36 contact hours of classroom training and participate in at least two joint or audit inspections with a qualified trainer, every 3 years. Proposed Sec. 1.650(a)(4) requires the accredited auditor/ certification body to ensure that its audit agents have no conflicts of interest with the eligible entity to be audited and is in compliance with the conflicts of interest requirements of Sec. 1.657. Section 808(c)(5)(B) of the FD&C Act prohibits audit agents from owning or operating an eligible entity to be audited by such agent. Accredited certification bodies also are required to have procedures to ensure against using any of its officers or employees that has a financial conflict of interest regarding an eligible entity to be certified by the certification body under section 808(c)(5)(A) of the FD&C Act. We believe that proposed paragraph (a)(4) is an appropriate way to implement these requirements. The language in proposed Sec. 1.650(a)(4) also is consistent with existing international standards, including ISO/IEC Guide 65:1996 (Ref. 20), clause 5.2.2, which requires personnel to agree to comply with the auditor's/certification body's conflict of interest rules and to declare any prior or present association with a supplier or designer of products they are to be assigned to audit or certify. ISO/IEC 17021:2011 (Ref. 19), clause 5.2.12, states that certification body personnel who could influence certification activities must act impartially and must not allow commercial, financial, or other pressures to compromise impartiality. Proposed Sec. 1.650(a)(5) requires audit agents to agree to notify their certification bodies immediately upon discovering, during a food safety audit, any condition that could cause or contribute to a serious risk to the public health, cross-referencing proposed Sec. 1.656(c), which requires the accredited auditor/certification body to immediately notify FDA of such condition. Proposed Sec. 1.650(a)(5) reflects the language of section 808(c)(4)(A) and (c)(4)(B) of the FD&C Act, which require notification based on conditions found during an audit and identifies ``audits'' as both consultative and regulatory audits. To ensure that roles and responsibilities of the audit agent and accredited auditor/certification body are clearly delineated, proposed Sec. 1.650(a)(3) places the audit agent under an obligation to report to its auditor/certification body immediately upon discovering a notifiable condition. (Having been informed by its agent, the accredited auditor/certification body must immediately notify FDA, under proposed Sec. 1.656(c).) ISO/IEC Guide 65: 1996 (Ref. 20), clause 5.2.2, requires auditor/ certification body personnel to sign a contract or other commitment by which they agree to comply with the certification body rules, which often include confidentiality requirements. The legal obligation to alert FDA, as a regulator, of a notifiable condition is a new requirement. Voluntary notification is not a common practice of third- party auditors/certification bodies. We believe the statutory notification requirement is of such importance to our program that an individual serving as an audit agent should agree to notify its accredited auditor/certification body upon finding any condition meeting the notification criteria of section 808(c)(4)(A) of the FD&C Act. We believe this will help ensure that audit agents and accredited auditors/certification bodies are aware of the notification requirements for food safety audits conducted under the FDA program. Proposed Sec. 1.650(b) contains additional requirements that the accredited auditor/certification body must meet before assigning any individual acting as its audit agent to conduct an audit of a particular eligible entity. This requirement is intended to ensure that each food safety audit assigned to an audit agent is conducted by a qualified audit agent. Put another way, in order to meet proposed Sec. 1.650(b), an accredited third-party certification body would have to ensure not only that a food safety audit is within the scope of its accreditation but also that the audit is within the scope of qualifications of any audit agent the certification body assigns to conduct it. Clauses 7.1.1 and 7.1.2 of ISO/IEC 17021: 2011 (Ref. 19) require auditors/certification bodies to ensure that their personnel have appropriate relevant knowledge and set competence criteria of required knowledge and skills necessary to effectively perform audit and certification tasks to achieve the intended results. Clause 7.2.7 requires the auditor/certification body to use auditors and technical experts only for those certification activities (including audits) where they have demonstrated competence. Similarly, ISO/IEC Guide 65:1996 (Ref. 20), clause 5.1.1, requires auditors'/certification bodies' personnel to be competent for the functions they perform. Proposed Sec. 1.650(c) imposes additional statutory restrictions on audit agents conducting regulatory audits. Under section 808(c)(4)(C) of the FD&C Act, an audit agent may not conduct a regulatory audit of an eligible entity if such agent conducted a consultative or regulatory audit for the same eligible entity in the preceding 13 months (except that such limitation may be waived under proposed Sec. 1.663 if the accredited auditor/certification body demonstrates there is insufficient access to accredited certification bodies in the country or region where the eligible entity is located.) We seek comment on the requirements we propose to ensure that audit agents as competent and objective and on any other requirements necessary to achieve this objective. In [[Page 45811]] particular, we seek input on whether we should place other requirements or limitations to help ensure auditor competency. Any recommendations that are based on common industry standards or practices should be so identified. b. How must an accredited auditor/certification body conduct a food safety audit of an eligible entity? (Proposed Sec. 1.651). This proposed rule would establish requirements for the conduct of consultative and regulatory audits by accredited auditors/certification bodies. Proposed Sec. 1.651 implements section 808(c)(3) of the FD&C Act regarding audit reports and sets out requirements we believe are necessary for planning and conducting audits in a manner that fulfills the purposes of section 808 of the FD&C Act, including ensuring that audits are of sufficient rigor to allow us to rely on the certifications that issue based on the results of such audits. Proposed Sec. 1.651(a) requires accredited auditors/certification bodies to obtain basic information from the eligible entity about the type and nature of the requested audit, which will allow the accredited auditor/certification body to determine whether: (1) The requested audit is within the scope of its accreditation and which of its audit agents would be qualified to conduct the audit; (2) whether any conflicts of interest prevent it from conducting an audit; or (3) whether any other limitations apply, such as the 13-month limit described in proposed Sec. 1.650(c). ISO/IEC Guide 65:1996 (Ref. 20), clause 8.2.1, is similar, requiring auditors/certification bodies to ensure that their clients complete a signed application that describes the scope of the desired certification and to provide information on the products to be certified, the certification system, and the certification standards, if known. The information we propose to require under Sec. 1.651(a) is essential for ensuring that the accredited auditor/certification body (and any audit agent assigned) has the appropriate qualifications to conduct the food safety audit. Proposed Sec. 1.651(a) also requires the auditor/certification body to obtain the eligible entity's operating schedule for a 30-day window, including information relevant to the scope and purposes of the audit. This information will help accredited auditors/certification bodies in meeting the requirements of section 808(c)(5)(C)(i) of the FD&C Act for ``unannounced'' food safety audits. Having the facility's operating schedule for a certain period of time will allow the auditor/ certification body to determine when to appear at the facility to conduct a food safety audit under proposed Sec. 1.651(b). ISO/IEC 17021:2011 (Ref. 19) has several provisions on audit planning, such as clause 9.1.2.1, which requires them to establish an audit plan for each audit. The requirement to provide a production schedule to enable audit planning also is a feature of the British Retail Consortium's Global Standard for Food Safety (BRC scheme) (Ref. 32). In advance of an audit, a facility subject to audit under the BRC scheme (Ref. 32) may be asked to provide, among other things, a production schedule and typical shift pattern to allow planning to cover relevant processes.\31\ --------------------------------------------------------------------------- \31\ Section III, Part I, Clause 7.2 states that a certification body may request ``production schedules, to allow audits to cover relevant processes, for example night-time manufacture or where production processes are not carried out each day'' and ``typical shift patterns.'' --------------------------------------------------------------------------- Proposed Sec. 1.651(b) would require accredited auditors/ certification bodies to develop contracts or other arrangements granting them adequate authority to conduct unannounced audits, access records and any area in the facility relevant to the scope of the audit, use an accredited laboratory for analytical results, notify FDA of a condition that could cause or contribute to a serious risk to the public health, prepare and submit audit reports, as appropriate, and allow FDA to observe any food safety audit it conducts. This provision is intended to help ensure that the auditor/certification body has such access to areas within the facility and records maintained by the eligible entity as is necessary to conduct a rigorous food safety audit. Proposed Sec. 1.651(b) also ensures that that auditor/ certification body has authority to use a laboratory accredited under section 422 of the FD&C Act to perform analytical work, and authority to provide any reports and the notifications that must be submitted to us under this subpart. Under clause 8.6.1(d)(2) of ISO/IEC 17021:2011 (Ref. 19), auditors/ certification bodies must require prospective clients to make all necessary arrangements for the conduct of the audits, including for examining records and access to all processes, areas, records, and personnel. An application for certification must include a statement that the applicant agrees to supply any information needed for evaluation of the products to be certified, under clause 8.2.1(b) of ISO/IEC Guide 65:1996 (Ref. 20). Proposed Sec. 1.651(c) addresses the protocols for food safety audits under this rule. The audit must be conducted in a manner consistent with the identified scope and purpose of the audit, on an unannounced basis as required by section 808(c)(5)(C)(i) of the FD&C Act, and must be sufficiently rigorous to give confidence in the reliability and validity of the audit outcomes. ISO/IEC 17021:2011 (Ref. 19), clause 9.1.9.5.1, requires that information relevant to the audit objectives, scope, and criteria be collected by appropriate sampling and verified to become audit evidence. Information may be collected through observation, records review, and interviews. Under clause 9.1.9.6, audit findings, summarizing conformity and detailing nonconformity and its supporting audit evidence must be recorded and reported to enable an informed certification decision. Proposed Sec. 1.651(c) requires the facility audit portion of the food safety audit to be conducted at an appropriate time within the 30 days covered by the operating schedule provided by the eligible entity under proposed Sec. 1.651(a)(1)(ii). Though most private food safety audit standards rely on announced audits, the BRC scheme (Ref. 32) has protocols for both announced and unannounced audits.\32\ An unannounced audit under the BRC scheme may be conducted in 2 parts, with the ``Good Manufacturing Practices-type audit'' unannounced and occurring prior to a records review, which may be a planned visit. --------------------------------------------------------------------------- \32\ The BRC scheme (Ref. 32) only allows facilities that have achieved sufficiently high scores on announced audits to be audited under the unannounced protocol. --------------------------------------------------------------------------- We considered several factors in developing the audit protocols in proposed Sec. 1.651(c), including the 2-part BRC unannounced audit protocol. We have tentatively concluded that it is reasonable and appropriate to interpret the ``unannounced audit'' requirement of section 808(c)(5)(C)(i) of the FD&C Act to apply to the onsite facility assessment portion of a food safety audit. We have further concluded that an accredited auditor/certification body, equipped with a 30-day facility operating schedule, would have adequate opportunity to plan and conduct an unannounced facility audit. We anticipate that an eligible entity seeking a food safety audit would sign a contract with an accredited auditor/certification body at eligible entity (e.g., its headquarters), where some or all of the relevant records of the entity would be maintained. We think it is appropriate and efficient to allow an auditor/certification body to review records maintained at the eligible entity on the same day that the contract is signed, even though the signing of the contract is a planned event. [[Page 45812]] We propose to sequence our audit protocol different than that of the BRC, in that we would allow the planned records review to occur prior to the unannounced onsite facility audit. We believe it will be important for accredited auditors/certification bodies to gather information about the facility before going onsite to audit it. (Unannounced audits under the BRC scheme occur only after an announced audit has been conducted, which allows the auditors/certification bodies to become familiar with the facility and its records before conducting an unannounced audit.) Accredited auditors/certification bodies operating under the FDA program would have a limited opportunity, if any, to gain knowledge about a facility prior to conducting an unannounced audit. For this reason, we believe that accredited auditors/certification bodies under the FDA program should sequence the unannounced audit differently than the 2-part BRC unannounced audit. We propose to require accredited auditors/ certification bodies to first review an eligible entity's management systems (e.g., records) before conducting an onsite food safety audit at the facility. We believe that the requirement for unannounced audits will help provide confidence in our program. It helps ensure that food facilities will remain ``audit ready.'' It also reinforces the independence of the accredited auditor/certification body. We seek comment on our proposed approach for ``unannounced'' audits, including whether it is feasible and appropriate. We also request information on current industry practice on arranging audits-- e.g., does industry commonly provide an auditor/certification body information about its operating schedule? If not, what other means are used to ensure that the auditor/certification body visits a facility at the appropriate time to conduct the requested activities? For comments suggesting other approaches, we request information on the practical implications of the recommended alternate approach(es). c. What must an accredited auditor/certification body include in food safety audit reports? (Proposed Sec. 1.652). This proposed rule would implement the audit reporting requirements of section 808 of the FD&C Act and describes the elements of consultative and regulatory audit reports that we believe would be appropriate. As required by section 808(c)(3) of the FD&C Act, proposed Sec. 1.652(a) requires a report of a consultative audit be prepared not later than 45 days after the audit was completed. Proposed Sec. 1.652(a) also sets requirements for the content of reports of consultative audits, based on the content required by section 808(c)(3)(A)(i) through (c)(3)(A)(iv) of the FD&C Act: (1) The identity of the persons at the eligible entity responsible for compliance with food safety requirements; (2) the dates and scope of the audit; and (3) any other information we require that relates to or may influence an assessment of compliance with the FD&C Act. ISO/IEC 17021:2011 (Ref. 19), clause 9.1.10.2, requires audit reports to provide an accurate, concise, and clear record of the audit to allow for informed certification decisions and include or refer to the name and address of the client, the type of audit, the audit scope, the dates and places where audit activities were conducted, audit findings, evidence, and conclusions, consistent with the requirements of the type of audit, and any unresolved issues, if defined. Under proposed Sec. 1.652(a)(1) and (a)(2), we propose to require that the following identifying information for the facility and the eligible entity (if it differs from the facility) that chooses to participate in the voluntary third-party certification program be included in the consultative audit report: Name, address, and a unique facility identifier (UFI), as required by FDA. We are proposing to require this information to help ensure that we have comprehensive, accurate, and up-to-date on eligible entities and audited facilities that chose to participate in the program, which will allow us to conduct efficient and effective oversight of the program. Firm name and address alone may not provide sufficient information to allow us to correctly identify an eligible foreign entity, such as a farm that is not subject to the FDA facility registration requirements and that may be located in a remote area in the foreign country. An UFI could help us with eligible entities and facilities that would otherwise be difficult to identify or locate. After considering the types of information available, we have tentatively concluded that an UFI should include two elements: (1) A common business identifier, and (2) information on the firm's geographic location. For the business identifier, we believe the Data Universal Numbering System (D-U-N-S[supreg]) numbers system is appropriate because it is a commonly used international business entity listing system under which a company can obtain, at no charge, a unique identification number for its business. D-U-N-S[supreg] numbers are distinct, site-specific, 9-digit numbers that would allow us to identify and verify certain business information, e.g., its trade names, the name of each corporate officer and director, and additional ownership information that may be useful in determining possible conflicts of interest between eligible entities and accredited auditors/certification bodies.\33\ The use of D-U-N-S[supreg] numbers, as a unique numerical identification system, is less prone to mistake or ambiguity than the use of an eligible entity's or facility's name and address. Similarly, geographic information, such as Global Positioning System (GPS) coordinates, would identify precisely where a facility or eligible entity (if different) is located. We believe this is a necessary element of a UFI, particularly for facilities such as farms that are not required to register with us under Sec. Sec. 1.225 through 1.243 and that may be difficult to locate by street address. We expect that accredited auditors/certification bodies that are qualified to participate in our program likely would already own GPS units or would be adequately resourced to purchase them. --------------------------------------------------------------------------- \33\ D-U-N-S[supreg] numbers are assigned by Dun & Bradstreet and maintained in their database of D-U-N-S[supreg] numbers. If the D-U-N-S[supreg] Number for a location has not been assigned, a business may obtain one for no cost directly from Dun & Bradstreet (http://www.dnb.com). --------------------------------------------------------------------------- Proposed Sec. 1.652(a)(3) and (a)(4) requires reports of consultative audits to include the contact information for the person(s) responsible for food safety compliance, the dates and scope of the consultative audit, both of which are statutory requirements. Proposed Sec. 1.652(a)(5) requires information on any deficiencies observed during the audit that require corrective action and the date on which such corrective actions were completed. ISO/IEC 17021:2011 (Ref. 19), clause 9.1.11, states that [audit/]certification bodies must require their clients to analyze the cause of nonconformities and the corrective actions to address such nonconformities within a defined time. [Auditors/]certification bodies must verify and document the effectiveness of the corrective actions based on document review or, where necessary, onsite verification or additional audits under clauses 9.1.12 and 9.1.13. Proposed Sec. 1.652(a)(5) would require such documentation be included in the consultative audit report. Proposed Sec. 1.652(b) requires an accredited auditor/ certification body to prepare a report of a regulatory audit and submit it to us electronically, in English, within 45 days after conducting such audit, as mandated by section 808(c)(3) of the FD&C Act. We have [[Page 45813]] tentatively concluded that electronic submission of regulatory audit reports, written in English, will help ensure we have ready access to information needed for monitoring and oversight of the program. Proposed Sec. 1.652(b) also requires auditors/certification bodies accredited by recognized accreditation bodies to submit each regulatory audit report to the accrediting body in the same timeframe and manner as it is submitted to us. We believe that this information is important to recognized accreditation bodies in conducting monitoring and oversight of the auditors/certification bodies they accredit, including monitoring required by proposed Sec. 1.621, and in assessing its own performance of accreditation activities under proposed Sec. 1.622. The report of a regulatory audit must contain all of the data elements required for reports of consultative audits under proposed Sec. 1.652(a). Proposed Sec. 1.652(b) requires that regulatory audit reports contain the following additional data elements: (1) The FDA registration number assigned to the facility, where applicable; (2) the process(es), food(s), and facility observed during the audit; and (3) information on sampling and laboratory analysis, recent food recalls, recent significant changes at the facility, and any food or facility certifications recently issued to the entity. We discuss each of these additional data elements. FDA Registration Number: Having an audited facility's FDA registration number, where required, will allow us to verify (and to correct, where necessary) registration information in our database. This will help us in overseeing this program and in risk-based planning for FDA foreign inspections. Process(es) and food(s) observed during a regulatory audit: In proposed Sec. 1.652(b)(4) we require a description of the process(es) and food(s) observed during the audit, because we believe that, otherwise, the description of the scope of the audit may not provide sufficient information to allow the accredited auditor/certification body, its recognized accreditation body, or us to determine whether the certification matches the scope of the audit stated and, furthermore, whether the stated scope of the audit matches the scope of auditor's/ certification body's accreditation. In sum, the description of the process(es) and food(s) subject to regulatory audit help to verify the validity of any food or facility certifications issued as a result of the regulatory audit. Sampling and analysis: Proposed Sec. 1.652(b)(8) requires information on whether the entity uses sampling and laboratory analysis (e.g., under a microbiological sampling plan) as part of the facility's preventive control plan. We are not proposing to require the accredited auditor/certification body to include the results of such sampling and analysis in the regulatory audit report. Information on whether a facility uses sampling and laboratory analysis helps identify how the facility has chosen to verify its preventive controls. Recalls during the preceding 2 years: Proposed Sec. 1.652(b)(9) requires information on whether the entity issued a food-safety related recall of an article of food from the facility during the 2 years preceding the audit and, if so, any such article(s) recalled and the reason(s) for the recall(s). We believe this is an important element of a regulatory audit for certification purposes, because it may be relevant in helping us to determine whether to accept a certification or other assurance by an accredited auditor/certification body for purposes of admitting a food into the United States under section 801(q) of the FD&C Act. Recent food safety-related recalls might call into question the reliability of any food certifications issued to the facility. Recall information also may be relevant to the risk factors used to determine VQIP eligibility. Recent significant changes: Proposed Sec. 1.652(b)(10) requires submission of information regarding whether, during the 2 years preceding the audit, the entity made a significant change in the activities conducted at the facility, if such change creates a reasonable potential for a new hazard or a significant increase in a previously identified hazard. For example, a new hazard might arise if a facility began to process a different type of commodity or began to package an existing product in a different way (e.g., going from a canned product to a vacuum-packed ready-to-eat product). We developed this criterion based on the language in section 418(i) of the FD&C Act, regarding conditions that trigger a requirement to reanalyze hazards under section 418(b) of the FD&C Act (21 U.S.C. 350g(b) and (i)), as described in the Preventive Controls proposed rule. While the types of facilities that may be audited are not limited to facilities subject to the proposed preventive controls regulations, we nonetheless believe the language set out in the statute sets the appropriate boundaries for proposed Sec. 1.652(b)(9). We have tentatively concluded that the type of information that has relevance for reanalysis of hazards in a facility under the Preventive Controls proposed rule is the same type of information that has relevance for the conduct of a regulatory audit of a facility under this rule. We invite comment on this tentative conclusion. For comments that oppose this criterion, we seek comment on whether any other information on facility changes has relevance for our oversight and, if so, we seek alternative language for proposed Sec. 1.652(b)(9). Prior certifications: Proposed Sec. 1.652(b)(11) requires regulatory audit reports to contain information on any food or facility certifications issued to the entity during the 2 years preceding the audit, where available. The information must include the scope and duration of each such certification. This information is a helpful in verifying certifications submitted to us by importers for purposes of VQIP eligibility or as required to accompany food for which certification is a condition of admission under section 801(q) of the FD&C Act. It also verifies the activities of an accredited auditor/ certification body under this program, which should be documented in the records of the accredited auditor/certification body under proposed Sec. 1.658. Proposed Sec. 1.652(c) explains that an accredited auditor/ certification body must submit a report, as required by paragraph (b), for each regulatory audit it conducts, regardless of whether certification issued as a result. This requirement is consistent with section 808(c)(3)(A) of the FD&C Act, which requires all regulatory audit reports to be submitted. That statutory provision is not limited to reports of regulatory audits where certifications were issued. Proposed Sec. 1.652(d) requires accredited certification bodies to implement written procedures for receiving and addressing challenges from eligible entities contesting adverse regulatory audit results and requires them to maintain records of such challenges under Sec. 1.658. ISO/IEC 17021:2011 (Ref. 19) requires auditors/certification bodies to have a documented process to receive, evaluate, and make decisions on complaints relating to certification activities under clause 9.8.4., as well as a documented process for handling appeals under clause 9.7.1. d. What must accredited auditor/certification body do when issuing food or facility certifications? (Proposed Sec. 1.653). This proposed rule describes the activities that an accredited auditor/certification body would have to perform when issuing food and facility certifications. It is based on the language in section 808(c)(2)(C) (requiring a regulatory audit and such other [[Page 45814]] necessary activities) and (c)(5)(C)(i) (requiring unannounced audits) of the FD&C Act. Proposed Sec. 1.653(a) specifies that the certification body must have conducted a regulatory audit meeting the requirements of proposed Sec. 1.651, including verification of corrective actions and using an accredited laboratory, subject to the requirements of the laboratory accreditation program we implement under that provision (21 U.S.C. 350k). ISO/IEC 17021:2011 (Ref. 19) requires auditors/certification bodies to use certain information in considering certification decisions: Audit reports; comments on nonconformities and corrective actions (if any); verified application information; and the audit agent's recommendation on certification, including any conditions or observations. The auditor's/certification body's decision must be based on an evaluation of the audit findings and conclusions and any other relevant information, such as public information and the client's comments on the audit report. Proposed Sec. 1.653(b) sets out the requirements for issuance of certification. As with other submissions under this rule, we propose to require certifications to be submitted electronically and in English. Proposed paragraph (b)(2) describes the minimum elements of a certification: Identifying information for the accredited auditor/ certification body, the eligible entity to which certification was issued (including its unique facility identifier), and the facility (if different from the eligible entity); the scope and date(s) of the regulatory audit and the name of the audit agent conducting it, where applicable; and the scope of the certification, its date of issuance, and its date of expiration. These are the minimum elements we believe necessary for us to link the certification to an importer in the VQIP program under section 806 of the FD&C Act or to a food subject to mandatory certification under section 801(q) of the FD&C Act. Moreover, these data elements will help us determine whether the certification is valid and reliable or should be refused under section 801(q)(4)(B) of the FD&C Act. e. When must an accredited auditor/certification body monitor an eligible entity with food or facility certification? (Proposed Sec. 1.654). This proposed rule would require accredited auditors/ certification bodies to monitor eligible entities in certain circumstances. Under proposed Sec. 1.654, an accredited auditor/ certification body is required to conduct monitoring of an eligible entity if the auditor/certification body has reason to believe that an eligible entity to which it issued a certification may no longer be in compliance with the FD&C Act. In developing proposed Sec. 1.654, we considered international standards. ISO/IEC Guide 65: 1996 (Ref. 20), clause 13.1, requires auditors/certification bodies to have documented procedures for surveillance under applicable criteria. Under clause 13.2, auditors/ certification bodies must determine whether changes, such as a client's intended changes in manufacturing processes, require further investigation. ISO/IEC 17021:2011 (Ref. 19), clause 9.3, requires auditors/certification bodies to develop their surveillance activities so that representative areas and functions are regularly monitored. Surveillance may include onsite audits. While we are not proposing to require regular surveillance of certified eligible entities, we believe requiring an accredited auditor/certification body to conduct monitoring when it has ``reason to believe'' that the entity is no longer in compliance with the FD&C Act strikes an appropriate balance. Proposed Sec. 1.654 requires the accredited auditor/certification body to immediately notify us under proposed Sec. 1.656(d) if it determines that the entity to which it issued certification is out of compliance with the FD&C Act. We believe that such notification is necessary to ensure the protection of the public health and to maintain the credibility of the program, particularly in light of the use of such certifications: To allow admission of a food subject to mandatory certification based on a determination of safety risk, under section 801(q) of the FD&C Act, and to allow importers to participate in a program giving them expedited review and entry of product from a certified facility, under section 806 of the FD&C Act. f. How must an accredited auditor/certification body monitor its own performance? (Proposed Sec. 1.655). This proposed rule would require accredited auditors/certification bodies to conduct self- assessments annually and following revocation of the recognition of its accreditation body. Proposed Sec. 1.655(a) requires an accredited auditor/certification body prepare a report of the results of each self-assessment. The report must address the performance of its officers, employees, or other agents in activities under this subpart. For audit agents in particular, the accredited auditor/certification body must report on whether its audit agents, during food safety audits, focused on the elements of production, manufacturing, processing, packing, and holding of food that pose the most significant risks to human and/or animal health. Under proposed Sec. 1.655(a), the self-assessment report must evaluate the degree of consistency among its officers, employees, or other agents in performing activities under this subpart. (With audit agents, this is frequently called ``auditor correlation.'') In addition, the report must assess compliance with the conflict of interest requirements of Sec. 1.657, actions taken based on assessments by FDA or its recognized accreditation body, and must address any other aspects of performance relevant to a determination of compliance, if requested by FDA. Proposed Sec. 1.655(b) states that, in conducting its self- assessment, an accredited auditor/certification body may assess the compliance of one or more of the eligible entities it certified, as a means to evaluate its performance. Under proposed Sec. 1.655(c), the auditor/certification body must quickly execute appropriate corrective actions when problems are identified during a self-assessment under paragraphs (a) or (b) and must maintain records documenting the completion of such actions under proposed Sec. 1.658. In addition, proposed Sec. 1.655(d) describes the contents of the written reports of its self-assessments, including describing any corrective actions taken based on its self-assessments and stating the extent of its compliance with conflict of interest requirements and other applicable requirements of this rule. ISO/IEC Guide 65:1996 (Ref. 20), clause 4.7.1, requires auditors/ certification bodies to conduct periodic internal audits covering all of its procedures and to ensure that personnel responsible for the area audited are informed of the audit outcome, timely and appropriate corrective actions are taken, and audit results are documented. Additionally, clause 4.7.2 requires the management with executive responsibility to review its quality systems at sufficiently short intervals to ensure its continuing suitability and effectiveness. The FDA MFRPS (Ref. 12) have elements requiring States to conduct periodic self-assessments of its manufactured food regulatory program against the criteria we established. These self-assessments are designed to identify the strengths and weaknesses of the State program by determining the level of conformance with the program standards and are independently verified through an audit. Records documenting the results of the self-assessment must be maintained. We have tentatively concluded that self-assessments would serve a similarly [[Page 45815]] important role for accredited auditors/certification bodies under our accredited third-party audits and certification program. g. What reports and notifications must an accredited auditor/ certification body submit? (Proposed Sec. 1.656). This proposed rule would establish requirements for various reports and notifications that accredited auditors/certification bodies would have to submit to FDA. Proposed Sec. 1.656(a) requires accredited auditors/certification bodies to submit regulatory audit reports no later than 45 days after completing such audit. This requirement is based on section 808(c)(3)(A) of the FD&C Act, which requires submission of regulatory audit reports as a condition of accreditation. The regulatory audit report must be submitted electronically, in English, contain the information required by proposed Sec. 1.652(b). The requirement for electronic submissions, in English language, is required consistently throughout this rule, for the reasons explained in section IV.3.c and IV.3.d. Under proposed Sec. 1.656(b), an accredited auditor/certification body must submit its annual self-assessment report to its accreditation body (or, in the case of direct accreditation, to us) no later than 45 days after the anniversary date of its accreditation under this program and, for reports required following revocation of its accreditation body's recognition, within 2 months of the revocation. The self- assessment report, which is required by Sec. 1.655, must be submitted electronically, in English, and must include an up-to-date list of any audit agents the certification body uses to conduct audits under this subpart. As explained in the discussion of proposed Sec. 1.621, we believe that the results of such assessments will be helpful to us in performing our monitoring of not only the accredited auditor/ certification body itself, but also the recognized accreditation body that accredited it, where applicable. Monitoring of recognized accreditation bodies and accredited third-party auditors/certification bodies is required by section 808(f)(2) of the FD&C Act. Having information about deficiencies the accredited auditor/ certification body identified in its own performance and program, together with the corrective actions that were implemented to address such deficiencies helps us target our monitoring activities. Moreover, the results of self-assessments across a number of accredited auditors/ certification bodies will help us identify trends in program performance and may offer an early signal of potential issues for the Agency to address at the program level. Proposed Sec. 1.656(c) requires an accredited auditor/ certification body to immediately notify us when any audit agent or the auditor/certification body itself, discovers during an audit any condition that could cause or contribute to a serious risk to the public health. This notification is required by section 808(c)(4) of the FD&C Act, which identifies certain information that must be contained in the notification. Based on that requirement and the authority granted to us to issue regulations for the efficient enforcement of its authority, under section 701(a) of the FD&C Act, proposed Sec. 1.656(c) requires such notification to include the following: (1) The name and address of the facility where the condition was discovered; (2) the FDA registration number assigned to the facility, where applicable; (3) the name and address of the eligible entity, if different from that of the facility; and (4) the condition that could cause or contribute to a serious risk to the public health and for which notification is required. Information on the identity of the entity and the notifiable condition is required by section 808(c)(4) of the FD&C Act. The other data elements we propose to require are essential for us to take immediate and necessary steps to protect the public health. In the event that the facility where the condition was discovered is different than the eligible entity, or is at a different location, we need to know the name and address of the facility so that we can interact directly with the facility. Knowing the facility's FDA registration number (where required) helps us quickly assemble relevant information we possess, including information from our foreign regulatory partners. The data elements required for notification under Sec. 1.656(c)(1), (c)(2), and (c)(3) offer the minimum information we believe necessary to allow the Agency to determine the appropriate course of action with respect to the situation. We note that section 808 of the FD&C Act does not define ``serious risk to the public health,'' nor does it give examples of ``condition[s] that could cause or contribute to a serious risk to the public health.'' The statutory description of notifiable conditions--as ones that ``could'' cause or contribute to a serious risk to public health--suggests to us that the scope of this provision is broad. In developing these proposed implementing regulations, we looked for the precise phrase, ``cause or contribute to a serious risk to the public health'' elsewhere in the FD&C Act, but did not find it there (21 U.S.C. 301 et seq.). In considering section 808 of the FD&C Act as a whole, we noted that the provision giving us access to records associated with consultative audits cross-references section 414 of the FD&C Act (21 U.S.C. 350c). Section 414 of the FD&C Act, among other things, gives us access to records if we have a reasonable belief that an article of food, and any other article of food that we reasonably believe is likely to be affected in a similar manner, is adulterated and presents a threat of serious adverse health consequences or death to humans or animals (SAHCODHA) (21 U.S.C. 350c(a)). Although Congress chose to incorporate SAHCODHA by referencing section 414 of the FD&C Act as authority for us to access records of consultative audits under section 808(c)(3)(C) of the FD&C Act, Congress did not use the SAHCODHA standard in describing the types of conditions that could cause or contribute to a serious risk to the public health and that must be reported to FDA under section 808(c)(4)(A) of the FD&C Act. We believe Congress intended the standard for notification to be a different standard than SAHCODHA. We invite comment from interested parties interpreting the notification standard in section 808(c)(4)(A) of the FD&C Act and providing examples of circumstances that stakeholders believe do and do not rise to the level of a ``condition that could cause or contribute to a serious risk to the public health.'' We are particularly interested in receiving input on whether our existing Class I and Class II recall standards (Ref. 33), taken together, might adequately address any condition covered by section 808(c)(4)(A) of the FD&C Act. An FDA Class I recall occurs in a situation in which there is a reasonable probability that the use of or exposure to a violative product will cause serious adverse health consequences or death. An FDA Class II recall occurs in a situation in which use of or exposure to a violative product may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote. We also note that international standards for [auditors/ ]certification bodies have exceptions to confidentiality agreements where disclosure is required by law. For example, ISO/IEC Guide 17021:2011 (Ref. 19), clause 8.5.3, requires an auditor/certification body that is required by law to release confidential information to a third party, to notify the client before providing such information to a third party, ``unless regulated by law.'' Based on section 808(c)(4)(A) of the FD&C Act, which [[Page 45816]] requires that the accredited third-party certification body ``immediately'' notify us, proposed Sec. 1.656(c) requires an accredited auditor/certification body to notify us of a serious risk to public health prior to notifying its client, the eligible entity. We recommend that accredited auditors/certification bodies include a provision explaining this notification requirement in their contracts with eligible entities. We believe this will help ensure that eligible entities are aware of the notification requirement and will help emphasize to the accredited auditors/certification bodies their obligation to notify FDA of such condition. Proposed Sec. 1.656(d) requires an accredited auditor/ certification body to immediately notify us electronically, in English, upon withdrawing or suspending the food or facility certification of an eligible entity. The notice must describe the basis for withdrawal or suspension. We believe immediate notification of suspension or withdrawal of certifications is necessary because of how we use these certifications: As a condition of granting admission to a food subject to an risk determination under section 801(q) of the FD&C Act and as a criteria for an importer's eligibility to participate in VQIP under section 806 of the FD&C Act. We realize that certification bodies currently withdraw and suspend certifications for a number of reasons, some of which relate to payment of fees and others relate to food safety matters. Therefore, having information on the fact that a certification has been withdrawn or suspended, as well as the reason(s) for the action, allows us to determine the effect of suspension or withdrawal on our use of the certifications under sections 801(a) and 806 of the FD&C Act. Depending on the reasons for suspension or withdrawal of certification, we may conduct an inspection or take other action. Under proposed Sec. 1.656(e)(1), an accredited auditor/ certification body that notifies us under proposed Sec. 1.656(c) must immediately thereafter notify the eligible entity where the condition was discovered. Proposed Sec. 1.656(e)(2) requires an accredited auditor/certification body to notify its accreditation body (or, in the case of direct accreditation, to us) electronically, in English, within 30 days after making any significant change that may affect its compliance with the requirements of Sec. Sec. 1.640 through 1.658. The notice must describe the purpose of the change and an explanation for whether and how the change might affect its accreditation under this program. In that proposed Sec. 1.640 requires auditors/certification bodies to maintain compliance with the requirements of this rule as a condition of their accreditation, this notification is necessary for our program oversight. We will use this information in monitoring the certification body as required by section 808(f)(2) of the FD&C Act and may use the notification (or the failure to notify under proposed Sec. 1.656(e)(2)) in determining whether to withdraw accreditation under section 808(c)(6) of the FD&C Act. h. How must an accredited auditor/certification body protect against conflicts of interest? (Proposed Sec. 1.657). This proposed rule would require accredited auditors/certification bodies to have procedures to ensure against financial conflicts of interest and to make annual financial disclosure statements available to us, as required by section 808(c)(5)(A) and (c)(5)(B) of the FD&C Act. Additionally, section 808(c)(5)(C) of the FD&C Act directs us to issue implementing regulations including requirements for unannounced audits, a structure to decrease the potential for conflicts of interest (including requirements for timing and public disclosure of fee payments), and appropriate limits on financial affiliations between certification bodies (and their audit agents) and eligible entities to be certified. Proposed Sec. 1.657 sets out the elements of a conflict of interest program we believe are appropriate to implement this mandate and to ensure the objectivity and independence of accredited auditors/ certification bodies necessary for to maintain the credibility of the program. Proposed Sec. 1.657(a) requires the accredited auditor/ certification body to have written program that covers the certification body itself and any of its officers, employees, or other agents (e.g., audit agents) conducting audits or certification activities under this program. Based in large part on section 808(c)(5)(A)(i) of the FD&C Act, proposed Sec. 1.657(a)(1) prohibits an accredited auditor/ certification body and its officers, personnel, and other agents (except for audit agents subject to paragraph (a)(2)) from owning, controlling, managing, or otherwise having a financial interest in an eligible entity, or an affiliate, parent, or subsidiary of such entity, to be certified by the auditor/certification body . The effect of the language in proposed Sec. 1.657(a)(1) would be to prevent a foreign food firm with its own audit team from conducting regulatory audits and issuing certifications for its own facilities, processes, or products (i.e., first-party audits) or for an affiliate or for its parent or subsidiary (i.e., second-party audits). Given the multinational nature and multiple corporate interests of many food companies, we have tentatively concluded it is important to extend the conflict of interest safeguards in proposed Sec. 1.657 to subsidiaries, affiliates, and parent organizations. We seek comment on this tentative conclusion. Proposed Sec. 1.657(a)(2) prohibits an audit agent of an accredited auditor/certification body from conducting a food safety audit of an eligible entity, or an affiliate, parent, or subsidiary of such entity, that the agent owns or operates. This provision is largely based on the section 808(c)(5)(B)(i) of the FD&C Act, which prohibits an audit agent from owning or operating an eligible entity to be audited by the agent, coupled with language covering financial interests associated with an affiliate, parent, or subsidiary of the eligible entity, for the reasons previously described. To be clear, proposed Sec. 1.657(a)(2) does not go so far as to prohibit audit agents from having any financial interest in any food company; rather, it prevents an audit agent from conducting a consultative or regulatory audit of an eligible entity or an affiliate, parent, or subsidiary of such entity, owned or operated by such agent. We believe that requiring any audit agent conducting audits under this program to divest all interests in FDA-regulated food firms might unnecessarily limit the pool of qualified audit agents. We seek comment on these tentative conclusions and on the approach we propose in Sec. 1.657(a)(2), including whether this approach might unnecessarily limit the availability of competent audit agents to conduct audits under this program and whether removing the restriction relating to interests in affiliates, parents, or subsidiaries might create, or create the appearance of, bias. Proposed Sec. 1.657(a)(3) prohibits officers, employees, or other agents of an accredited auditor/certification body from accepting any gift, gratuity, or item of value from the entity subject to audit. A gift, gratuity, or item of value would not include meals of a de minimis value provided on the premises where the audit or assessment is being conducted, recognizing that some facilities may be remotely located and allowing onsite meals is appropriate in the interest of efficiency. We seek comment on whether to interpret de minimis value according to the limits for gifts or items of value applicable to U.S. Government employees. Proposed Sec. 1.657(a)(3) also [[Page 45817]] allows for authorized officials, employees, or agents to accept payments of fees for the audit and certification, as described in proposed Sec. 1.657(b). Proposed Sec. 1.657(b) addresses the requirement, in section 808(c)(5)(C) of the FD&C Act, to issue implementing regulations that include a structure to decrease the potential for conflicts of interest, including timing and public disclosure, for fees paid by eligible entities to accredited third-party certification bodies. After considering this statutory provision, we have tentatively concluded that an appropriate structure to decrease the potential for conflicts of interests between an eligible entity and an accredited auditor/ certification body would be one in which there was public disclosure of the point at which the entity paid fees for audit and certification services. Proposed Sec. 1.657(b) provides that that payment of such fees does not constitute a covered financial conflict of interest. Proposed Sec. 1.657(c) imputes to an officer, employee, or other agent of an accredited auditor/certification body the financial interests of his or her spouse and minor children, if any. This proposed requirement is based on the approach we recommended in the 2009 Guidance that no auditor acting for the [auditor/]certification body (or spouse or minor children) should have any significant ownership or other financial interest regarding any product of the type it certifies (Ref. 5). As another example, FDA regulations on conflicts of interest of experts serving on panels for unapproved new animal drugs imputes the financial interests and arrangements of an expert's spouse and minor children to the expert him- or herself (21 CFR 516.141(g)). We believe that imposing a similar requirement on the immediate family of the officers, employees, or other agents of an accredited auditor/certification body will help to ensure the credibility of the accredited third-party audits and certification program at every level. We seek comment on this tentative conclusion. Proposed Sec. 1.657(d) requires accredited certification bodies to maintain on their Web sites an up-to-date list of eligible entities to which they issued certifications under this subpart, the duration and scope of each such certifications, and the date on which the eligible entity paid any fee or reimbursement under proposed Sec. 1.657(c). Information on timing of fee payments is required by section 808(b)(5)(C)(iii) of the FD&C Act and is necessary, we believe, in the interest of transparency. We seek comment on the tentative conclusions identified here-- namely, we should require accredited certification bodies to: (1) Have a written program to safeguard against conflicts of interest; (2) include the interest of any affiliate, parent, or subsidiary of a certification body within the scope of interests covered by its conflict of interest program; (3) impute the interests of immediate family members of an officer, employee, or other agent to such officer, employee, or other agent; and (4) to maintain on its Web site a list of its certified eligible entities, including duration and scope of each such certification, and disclosure of the date(s) on which an eligible entity paid the accredited auditor/certification body any fee or reimbursement associated with an audit or certification under this program. i. What records requirements must an accredited auditor/ certification body meet? (Proposed Sec. 1.658). This proposed rule would establish requirements for accredited auditors/certification bodies to establish, control, and retain records relating to their auditing and certification activities under our program. Proposed Sec. 1.658 requires accredited auditors/certification bodies to maintain certain documents and data electronically, in English, for 4 years, to document compliance with this rule.\34\ These records include: (1) Requests for regulatory audits; (2) audit reports and other documents resulting from a consultative or regulatory audit; (3) any notification of a condition under proposed Sec. 1.650(a)(5) or by the accredited auditor/certification body to FDA under proposedSec. 1.656(c); (4) any food or facility certification issued under this program; (5) any challenge to an adverse regulatory audit decision and its disposition; (6) any monitoring it conducted of a certified eligible entity; (7) the auditor's/certification body's self- assessments and corrective actions; and (8) any significant change to the auditing and certification program that might affect compliance with this rule. --------------------------------------------------------------------------- \34\ We are proposing records be maintained for 4 years, which aligns with the maximum length of time for which accreditation may be granted. This will be particularly useful in decisionmaking on an application to renew accreditation, because the accrediting body will have access to data and information on activities conducted at any time during its current accreditation. We used a similar rationale in proposing to require recognized accreditation bodies to maintain their records for 5 years, which is the maximum length of time for which recognition may be granted. --------------------------------------------------------------------------- Maintenance of records on requests for regulatory audits under proposed Sec. 1.658(a)(1) is one means to verify the adequacy of audit planning under proposed Sec. 1.651(a). Records associated with audits, certifications, challenges to auditor/certification body decisions, internal reviews, significant changes, and monitoring (also known as surveillance) of eligible entities are among the records commonly required to be maintained by international standards. We believe it appropriate to require maintenance of similar records for purposes of this rule. We propose to require accredited auditors/certification bodies choosing to participate in this program to maintain their program records in English. We believe this English-language records requirement is necessary for our oversight based on, among other things, our experience with the shrimp pilot (Ref. 6). During the pilot project, we faced costly delays and logistical hurdles in attempting to assess third-party [auditors/]certification bodies, because we needed English-language translations of their records to be able to conduct performance audits. Based on that experience, we believe that having real-time access to English-language records is necessary for conducting efficient and effective assessments to the fullest extent of our authority. We solicit comment on the English-language records requirement in proposed Sec. 1.658 and on whether other approaches might be similarly efficient and effective. For example, should we allow an accredited auditor/certification body to maintain its records in a language other than English, if the auditor/certification body would be required to make an English translation of its records available ``promptly'' upon a written FDA request? What should ``promptly'' mean in this context (e.g., 2 business days of the written request)? Would such an approach be as efficient and effective as the proposed English-language records requirement would be? For comments offering other approaches, we request a detailed description of the alternative, an analysis of the impacts of the alternative on our ability to ensure the compliance of accredited auditors/certification bodies with applicable FDA requirements. Based on section 808(c)(3)(B) of the FD&C Act, proposed Sec. 1.658(b) and (c) require an accredited auditor/certification body to provide FDA access to records upon request of an officer or employee we designate, except that reports or other documents of a consultative audit must be made available to us only in accordance with the requirements of subpart J (records access under section 414 of the FD&C Act). Proposed Sec. 1.658(b) reflects section 808(c)(3)(C) of the FD&C Act, which [[Page 45818]] states that reports or other documents resulting from a consultative audit are accessible to us only under circumstances that meet the threshold for records access under section 414 of the FD&C Act (21 U.S.C. 350c). Based on these statutory requirements, we can access such documents from consultative audits in either of the following circumstances: If we have a reasonable belief that an article of food, and any other article of food that we reasonably believe is likely to be affected in a similar manner, is adulterated and presents a threat of SAHCODHA; or if we believe that there is a reasonable probability that the use of or exposure to an article of food, and any other article of food that we reasonably believe is likely to be affected in a similar manner, will cause SAHCODHA, as described in Sec. 1.361 of this part. We have tentatively concluded that the records identified and the records maintenance and access requirements in proposed Sec. 1.658 are necessary to monitor and evaluate accredited certification bodies, as directed by section 808(f)(2) of the FD&C Act. We believe it is reasonable to require accredited auditors/certification bodies to maintain such records for the maximum length of accreditation, 4 years. We acknowledge that the requirements of proposed Sec. 1.658 may require revisions to contracts and perhaps other documents establishing and limiting the scope of an auditor's/certification body's authority with respect to granting records access. We nonetheless have tentatively concluded that such access is necessary to help ensure the credibility of the program. We seek comment on this tentative conclusion and on the specific records requirements we propose. 7. Procedures for Accreditation of Third-Party Auditors/Certification Bodies Table 7--Proposed Procedures for Third-Party Auditors/Certification Bodies ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.660.................. Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body? 1.661.................. What is the duration of accreditation? 1.662.................. How will FDA monitor accredited auditors/ certification bodies? 1.663.................. How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? 1.664.................. When can FDA withdraw accreditation? 1.665.................. How do I voluntarily relinquish accreditation? 1.666.................. How do I request reaccreditation? ------------------------------------------------------------------------ a. Where do I apply to obtain accreditation from a recognized accreditation body? (Proposed Sec. 1.660). This proposed rule explains where interested third-party auditors/certification bodies could apply for accreditation under our accredited third-party audits and certification program. Proposed Sec. 1.660 informs third-party auditors/certification bodies that they must apply directly to a recognized accreditation body for accreditation, except for those circumstances meeting the requirements of proposed Sec. 1.670 for direct accreditation. b. What is the duration of accreditation? (Proposed Sec. 1.661). Proposed Sec. 1.661 states that accreditation of a third-party auditor/certification body may be granted for a period up to 4 years. This applies both to accreditations granted by recognized accreditation bodies and to direct accreditations that we grant under proposed Sec. 1.672. We have tentatively concluded that 4 years is an appropriate duration for an accreditation, because we believe the rigor and credibility of this new program rests, in part, on the extent of oversight of accredited third-party auditors/certification bodies to conduct audits and to certify eligible foreign entities. The process for renewal of accreditation provides an opportunity for recognized accreditation bodies (and us, for directly accredited auditors/certification bodies) to look closely at all aspects of the auditor's/certification body's program and performance and to decide anew whether the auditor/certification body meets the eligibility requirements. We note proposed Sec. 1.661 set the duration of accreditation in the new accredited third-party auditor/certification body program for a shorter period than the duration of accreditation we allow in the mammography program under 21 CFR part 900, which is a time-tested program. As we and the recognized accreditation bodies participating in the accredited third-party audits and certification program for food gain experience with the program, we may revisit this matter. For these reasons, we have tentatively concluded that accreditation should be granted for a period of no longer than 4 years. We seek comment on this tentative conclusion. c. How will FDA monitor accredited auditors/certification bodies? (Proposed Sec. 1.662). This proposed rule would establish requirements for our evaluation of the performance of accredited auditors/ certification bodies, based on section 808(f)(2) of the FD&C Act, which requires us to monitor accredited auditors/certification bodies periodically, or at least once every 4 years. The statute makes no distinction between the frequency of our monitoring necessary for auditors/certification bodies accredited by recognized accreditation bodies and for auditors/certification bodies that we directly accredit. However, we are proposing, in Sec. 1.621, to require a recognized accreditation body to conduct annual assessments of the performance of each third-party auditor/ certification body it accredited under this program. Under proposed Sec. 1.662(a) we will perform our own performance evaluations of auditors/certification bodies accredited by recognized accreditation bodies at least once every 3 years for auditors/certifications bodies accredited for 4 year terms, and at the mid-term point for auditors/ certification bodies accredited for less than 4 years. Proposed Sec. 1.662(a) also establishes requirements for our monitoring of directly accredited auditors/certification bodies. In these circumstances, we act in the role of a recognized accreditation body and will perform annual monitoring. Not only would annual monitoring by us provide oversight similar to the annual monitoring requirements of proposed Sec. 1.621, but also it would satisfy the monitoring requirement of section 808(f)(2) of the FD&C Act with respect to monitoring of directly accredited auditors/certification bodies. [[Page 45819]] Proposed Sec. 1.662(b) identifies the types of information we may review in conducting our evaluations of accredited auditors/ certification bodies. Proposed Sec. 1.662(c) makes clear that we can conduct our evaluation of an auditor/certification body through onsite observations of performance during the conduct of food safety audits and through document review. For both directly accredited auditors/certification bodies and those accredited by recognized accreditation bodies, we will evaluate performance based on whether the auditor/certification body continues to comply with the requirements of Sec. Sec. 1.640 through 1.658 and whether there are performance deficiencies that would warrant withdrawal of accreditation under this rule. We seek comment on whether the criteria in proposed Sec. 1.662(a) and (b) are appropriate for evaluating accredited auditors/certification bodies under this program. Additionally, we seek recommendations for possible approaches we might use to monitor performance, such as conducting our inspections of a certain number of eligible entities, shortly after the accredited auditor/certification body conducted a food safety audit of an eligible entity. For each such recommendation, we seek comment on the how the approach might affect: (1) The incentives for auditors/certification bodies to seek accreditation under our program, and (2) the degree of oversight needed to meet the objectives of section 808 of the FD&C Act. d. How do I request a waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? (Proposed Sec. 1.663). This proposed rule would allow accredited auditors/ certification bodies to seek an FDA waiver of the limit on audit agents conducting regulatory audits of an eligible entity where they conducted a regulatory or consultative audit in the preceding 13 months. Under section 808(c)(4)(C)(ii) of the FD&C Act, we may waive the limit, which appears in proposed Sec. 1.650(c), where there is insufficient access to accredited certification bodies in the country or region where an eligible entity is located. Proposed Sec. 1.663(a) establishes the requirements for a waiver or waiver extension and proposed Sec. 1.663(b) to (f) describes the procedural requirements for a waiver or waiver extension request, including electronic submission, in English. Under proposed Sec. 1.663(g), we explain that an accredited auditor/ certification body should not use an audit agent subject to the 13- month limit in proposed Sec. 1.650 unless we have granted the request or the 13-month limit has elapsed. The procedural requirements in proposed Sec. 1.663 mirror the procedural requirements for other applications submitted to us. e. When can FDA withdraw accreditation? (Proposed Sec. 1.664). This proposed rule would establish the conditions under which we could withdraw accreditation from an auditor/certification body, regardless of whether it was directly accredited or accredited by a recognized accreditation body. Proposed Sec. 1.664(a) describes criteria for mandatory withdrawal that reflect section 808(c)(6)(A) of the FD&C Act, which requires us to withdraw accreditation in certain outbreak situations, whenever we find that an accredited auditor/certification body is no longer meeting the requirements for accreditation, or following a refusal to allow U.S. officials to conduct audits and investigations to ensure compliance with these requirements. The statute directs us to withdraw accreditation if a food or facility certified by an accredited auditor/ certification body under our program is linked to an outbreak of foodborne illness that has a reasonable probability of causing serious adverse health consequences or death in human or animals, except under section 808(c)(6)(C) of the FD&C Act, if we conduct an investigation of the material facts of the outbreak, review the steps and actions taken by the auditor/certification body, and determine that the accredited auditor/certification body satisfied the requirements for issuance of certification under this rule. The exception is set out in proposed Sec. 1.664(b). Section 808(c)(6)(B) of the FD&C Act allows us to withdraw accreditation from an accredited auditor/certification body whose accrediting body had its recognition revoked, if we determine there is good cause for withdrawal. This statutory provision is reflected in Sec. 1.664(c), which also provides two examples of circumstances we believe provide good cause for withdrawal, including bias or lack of objectivity and performance calling into question the validity or reliability of its food safety audits and certifications. In proposed Sec. 1.664(d) we provide for records access when considering possible withdrawal of accreditation. In proposed Sec. 1.664(e) we provide for notice of withdrawal of accreditation and describe the processes to challenge such withdrawal. Proposed Sec. 1.665(f) describes the effect of withdrawal on eligible entities. In general, a food or facility certification issued by an accredited auditor/certification prior to withdrawal of accreditation will remain in effect until it terminates by expiration, except if we have reason to believe a certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, we can refuse to accept the certification. Proposed Sec. 1.664(g)(1) explains that FDA will notify the recognized accreditation body that accredited the third-party auditor/ certification body whose accreditation was withdrawn by FDA. In such circumstances, proposed Sec. 1.664(g)(1) requires the recognized accreditation body to conduct a self-assessment, as described in Sec. 1.622, and report the results of such self-assessment to FDA within 2 months after withdrawal, as required by Sec. 1.623(b). Proposed Sec. 1.664(g)(2) explains that FDA may revoke recognition of an accreditation body whenever FDA determines there is good cause for revocation under proposed Sec. 1.634. Proposed Sec. 1.664(h) provides for public notice of withdrawal of accreditation on FDA's Web site. We believe this information is necessary in the interest of transparency. f. How do I voluntarily relinquish accreditation? (Proposed Sec. 1.665). This proposed rule would allow accredited auditors/ certification bodies to voluntarily relinquish their accreditations before they expire and without having them withdrawn by FDA. Proposed Sec. 1.665 offers the mechanism for voluntarily relinquishment before it terminates by expiration. Relinquishment on the initiative of the auditor/certification body is distinct from withdrawal of accreditation for cause. The mammography regulations in 21 CFR 900.3 offer accreditation bodies the opportunity to voluntarily relinquish their authority to grant accreditation. We believe that auditors/certification bodies operating under our accredited third-party audits and certification program should have the option to voluntarily relinquish their accreditation for their business reasons. We are proposing certain procedural requirements--similar to those contained in the mammography regulations--which auditors/certification bodies must follow in relinquishing accreditation. We believe these measures are necessary to ensure an orderly transition for eligible entities certified by the auditor/certification body that is relinquishing its accreditation, and for us to make the necessary adjustments in the program. Proposed Sec. 1.665(a) requires auditors/certification bodies to notify us and to [[Page 45820]] notify their accreditation body (where applicable) at least 6 months before relinquishing accreditation. We propose to require such notifications to be submitted electronically and in English. To ensure that we have the ability to maintain adequate oversight of the program, including through access the records of the auditor/certification body, the notice required under proposed Sec. 1.665(a) must identify the location where the records required by proposed Sec. 1.658 will be maintained. The decision to relinquish accreditation is made solely by the third-party auditor/certification body, without FDA involvement. Therefore, in relinquishing accreditation under proposed Sec. 1.665(a), the auditor/certification body would waive its rights to appeal, because there is no FDA action to serve as the basis for appeal. Proposed Sec. 1.665(b) requires the accreditation body to notify any eligible entity to which it issued a food or facility certification no later than 15 business days after notifying FDA of its intent to voluntarily relinquish accreditation. Proposed Sec. 1.665(c) describes the effects of relinquishment of accreditation on certification issued by an auditor/certification body prior to relinquishing its accreditation. In considering the impact of relinquishment on eligible entities, we were mindful that such entities would likely have little, if any, opportunity to provide input on a decision by its auditor/certification body whether or not to relinquish accreditation. We believe that, under most circumstances, the fact that an auditor/certification body decided to relinquish its accreditation is likely to have no bearing on the validity or reliability of certifications it issued. Therefore, we have tentatively concluded that the certification of an eligible entity whose auditor/certification body voluntarily relinquished its accreditation under proposed Sec. 1.665 will remain in effect (subject to recertification under proposed Sec. 1.681), except that we may refuse to consider a certification issued for purposes of section 801(q) of the FD&C Act, if we have reason to believe the certification is not valid or reliable. Proposed Sec. 1.665(d) provides for public notice on our Web site of the voluntary relinquishment of accreditation by an auditor/ certification body. g. How do I request reaccreditation? (Proposed Sec. 1.666). This proposed rule would allow a third-party auditor/certification body to become reaccredited after withdrawal or relinquishment of its accreditation. Section 808(c)(7) of the FD&C Act requires us to establish procedures to reinstate the accreditation of an auditor/certification body for which we have withdrawn accreditation. Under proposed Sec. 1.666(a), we will reinstate accreditation if the auditor/certification body can demonstrate that the grounds for withdrawal no longer exist, or if the withdrawal was prompted by the revocation of recognition of its accreditation body and the auditor/certification body finds a new recognized accreditation body, becomes directly accredited, or otherwise meets conditions we impose in the withdrawal. Under proposed Sec. 1.666(b), an auditor/certification body that voluntarily relinquished its accreditation may become reaccredited by submitting a new application for accreditation under proposed Sec. 1.660 or Sec. 1.670 (where the criteria for direct accreditation are met). 8. Additional Procedures for Direct Accreditation of a Third-Party Auditors/Certification Bodies Table 8--Additional Procedures Proposed for Direct Accreditation of Third-Party Auditors/Certification Bodies ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.670.................. How do I apply to FDA for direct accreditation or renewal of direct accreditation? 1.671.................. How will FDA review applications for direct accreditation and for renewal of direct accreditation? 1.672.................. What is the duration of direct accreditation? ------------------------------------------------------------------------ a. How do I apply to FDA for direct accreditation or renewal of direct accreditation? (Proposed Sec. 1.670). This proposed rule describes the circumstances and procedures that would apply for direct accreditation and renewal of direct accreditation. Proposed Sec. 1.670 describes the conditions under which we will accept applications for direct accreditation, reflecting the statutory language in section 808(b)(1)(A)(ii) of the FD&C Act, which allows us to directly accredit auditors/certification bodies if we have not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act within 2 years after establishing our program. Proposed Sec. 1.670(a)(1) identifies certain circumstances and criteria that we have tentatively concluded are relevant for determining whether we have not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act. Proposed Sec. 1.670(a)(2) specifies conditions under which we may revoke or modify such a determination. Proposed Sec. 1.670(a)(3) provides for public notice of such determination or its revocation or revision. Proposed Sec. 1.670(b) sets out the procedures for applying for direct accreditation or renewal of direct accreditation. This mirrors the procedures for applications established elsewhere under this rule. b. How will FDA review applications for direct accreditation and for renewal of direct accreditation? (Proposed Sec. 1.671). This proposed rule would establish procedures for processing applications for direct accreditation and for renewal of direct accreditation. Proposed Sec. 1.671 describes a process for reviewing and deciding on applications for direct accreditation and renewal that is consistent with the procedures for reviewing and deciding on applications under other provisions in this rule. For example, we propose to establish a queue for direct accreditation and renewal applications based on the date on which an application was completed, and we will review applications on a first in, first out basis. We will inform applicants of deficiencies in application documentation. To encourage applicants to supply any missing information promptly, we will not place an application in the queue until it is complete. Allowing incomplete applications in the queue might block applications that are ready for review, but were submitted later in time. We will inform an applicant once its application has been placed in the queue. We will review each application for direct accreditation or renewal of direct accreditation to determine [[Page 45821]] whether the applicant meets the eligibility requirements of proposed Sec. 1.640. We will communicate anticipated processing periods to applicants. We are not proposing to include specific timeframes for review in the regulation, for the following reasons: (1) It is difficult to project, at this time, the amount of resources that will be available to us for this program, which under section 808(c)(8) of the FD&C Act, is funded through user fees established by regulation; and (2) we anticipate that, as we gain experience in reviewing applications and in overall administration of the program, we will become more efficient in processing applications but currently lack data that would allow us to reasonably estimate the effect of efficiency gains on review times. Under proposed Sec. 1.671(c), (d), and (e), we will notify an applicant, in writing, whether the application has been approved or denied. If approved, the notice will describe any conditions imposed on the direct accreditation. If denied, the notice will state the basis for the denial and will describe procedures for requesting reconsideration of the decision. We believe this provision offers necessary protections for applicants. We seek comment on the process and procedures required by proposed Sec. 1.671. c. What is the duration of direct accreditation? (Proposed Sec. 1.672). This proposed rule would establish the duration of accreditation. Proposed Sec. 1.672 states that direct accreditation of a third- party auditor/certification body may be granted for a period up to 4 years. Similarly, proposed Sec. 1.661 allows a recognized accreditation body to grant accreditation for a period of up to 4 years. We have tentatively concluded that 4 years is an appropriate duration for an accreditation--whether granted by a recognized accreditation body or by us--because we believe the rigor and credibility of this new program rests, in part, on the extent of oversight of accredited third-party auditors/certification bodies to conduct audits and to certify eligible foreign entities. The process for renewal of accreditation provides an opportunity for us to look closely at all aspects of the auditor's/certification body's program and performance and to decide anew whether the auditor/certification body meets the eligibility requirements for accreditation. We are proposing to set the duration of accreditation under this new program for a shorter period than the duration of accreditation we allow under 21 CFR part 900, which is the mammography program established several years ago. As we gain experience with accredited auditors/certification bodies in the food and feed programs, we may revisit this matter. For these reasons, we have tentatively concluded that accreditation should be granted for a period of no longer than 4 years. We seek comment on this tentative conclusion. 9. Requirements for Eligible Entities Table 9--Proposed Requirements for Eligible Entities ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.680.................. How and when will FDA monitor eligible entities? 1.681.................. How frequently must eligible entities be recertified? ------------------------------------------------------------------------ a. How and when will FDA monitor eligible entities? (Proposed Sec. 1.680). This proposed rule would provide for FDA monitoring of eligible entities that choose to be audited under our program. Proposed Sec. 1.680(a) states that we may conduct an onsite audit of an eligible entity that has received certification under this program, as allowed under section 808(f)(3) of the FD&C Act, which specifies that we may conduct an onsite audit of a certified entity at any time, with or without the accredited auditor/certification body present. Proposed Sec. 1.680(b) reflects section 808(h)(1) of the FD&C Act, explaining that a food safety audit conducted under this program is not considered an inspection under section 704 of the FD&C Act. b. How frequently must eligible entities be recertified? (Proposed Sec. 1.681). This proposed rule would require eligible entities to be recertified annually. Section 808(d) of the FD&C Act requires eligible entities to apply for annual certification for food required to have certification under section 801(q) of the FD&C Act or for its facility, if it intends the certification to be used by an importer in establishing eligibility to participate in VQIP under section 806 of the FD&C Act. This statutory requirement is reflected in proposed Sec. 1.681(a). Proposed Sec. 1.681(b) states that FDA may require renewal of a food certification at any time FDA determines appropriate under section 801(q)(4)(A) of the FD&C Act. 10. General Requirements Table 10--Proposed General Requirements ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.690.................. How will FDA make information about recognized accreditation bodies and accredited auditors/ certification bodies available to the public? 1.691.................. How do I request reconsideration of a denial by FDA of an application or a waiver request? 1.692.................. How do I request internal agency review of a denial of an application or waiver request upon reconsideration? 1.693.................. How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation? ------------------------------------------------------------------------ a. How will FDA make information about recognized accreditation bodies and accredited auditors/certification bodies available to the public? (Proposed Sec. 1.690). This proposed rule explains how and where we would make information on the accredited third-party audits and certification program public. Section 808(g) of the FD&C Act requires us to establish a publicly available registry of recognized accreditation bodies and accredited auditors/certification bodies, including their names and contact information. Proposed Sec. 1.690 provides that we will post on our Web site a registry of recognized accreditation bodies and of accredited auditors/ certification bodies [[Page 45822]] and explains that we may meet the obligation with respect to accredited auditors/certification bodies by establishing links on our Web site to the Web sites of recognized accreditation bodies, who are required to maintain this information for auditors/certification bodies they accredit under this program. As appropriate based on available resources, we may use such links in the interest of minimizing the administrative burden on us and in acknowledgement that some accreditation bodies currently maintain such information on their Web sites. We are seeking comment on our proposed public registry. b. How do I request reconsideration of a denial by FDA of an application or a waiver request? (Proposed Sec. 1.691). This proposed rule would establish procedures for an applicant or requestor to seek reconsideration of a denial. Under proposed Sec. 1.691, accreditation bodies and certification bodies may ask us to reconsider an application or waiver request we previously denied. The types of applications and requests that may be reconsidered are: (1) Denial of an application for recognition or for renewal of recognition; (2) denial of an application submitted to reinstate recognition; or (3) denial of a request for a waiver of the 13-month limit on audit agents or for a waiver extension; (4) denial of an application for direct accreditation or for renewal of direct accreditation; and (5) denial of an application for reaccreditation. The procedures described in proposed Sec. 1.691 require submission of the request for reconsideration within 10 business days of the date of such decision, in accordance with the procedures described in the notice of denial, including requirements relating to submission of supporting information. Within a reasonable time after completing its review and evaluation of the request for reconsideration and the supporting information (if any) submitted, we will notify the requestor, in writing, of our decision to grant the application or waiver request upon reconsideration, or our decision to deny upon reconsideration the application or waiver request. c. How do I request internal Agency review of a denial of an application or waiver request upon reconsideration? (Proposed Sec. 1.692). This proposed rule would offer additional process for applicants or requestors whose request for reconsideration was denied. Proposed Sec. 1.692 states that the requestor who received a denial upon reconsideration may seek internal Agency review of such denial under 21 CFR 10.75(c)(1), which is a currently established process for review but different than the initial review process under proposed Sec. 1.691. The request for internal Agency review must be submitted within 10 business days of the date of denial upon reconsideration, in accordance with procedures described in the denial upon reconsideration and must be signed by the accreditation body or certification body, as appropriate, or by an individual authorized to act on its behalf. Internal Agency review of the denial upon reconsideration must be based on the information in the administrative file, which will include any supporting information submitted under proposed Sec. 1.691(c). Within a reasonable time after completing the review and evaluation of the administrative file, we will notify the requestor, in writing, of our decision to overturn the denial and grant the application or waiver request or to affirm the denial. Affirmation of a denial constitutes final Agency action for purposes of 5 U.S.C. 702. d. How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation? (Proposed Sec. 1.693). This proposed rule explains the procedures that would be used for challenges to revocation of recognition or withdrawal of accreditation. Under proposed Sec. 1.693(a) an accreditation body whose recognition was revoked (or an individual authorized to act on its behalf) may submit a request for a regulatory hearing, under part 16, on the revocation. The request must be submitted within 10 business days of the date of revocation. Similarly, under proposed Sec. 1.693(b) a certification body whose accreditation was withdrawn by FDA may submit a request for a part 16 regulatory hearing on the withdrawal. Such request must be submitted within 10 business days of the date of withdrawal. Written notices of revocation and of withdrawal will contain all of the elements required by Sec. 16.22 of this chapter and will thereby constitute the notice of an opportunity for hearing under part 16 of this chapter. Under proposed Sec. 1.693(c), the request for a regulatory hearing under paragraph (a) or (b) of this section must be submitted with a written appeal that responds to the bases for our decision described in the written notice of revocation or withdrawal, as appropriate, together with any supporting information upon which the requestor is relying. The request, appeal, and supporting information must be submitted in accordance with the procedures described in the notice. Proposed Sec. 1.693 makes clear that the submission of a request for a regulatory hearing under this subpart will not operate to delay or stay the effect of our decision to revoke recognition of an accreditation body or to withdraw accreditation of a certification body unless we determine that delay or a stay is in the public interest. Under proposed Sec. 1.693(e) and (f), the presiding officer for a regulatory hearing under this subpart will be designated after a request for a regulatory hearing is submitted to us. The presiding officer may deny a request for regulatory hearing under this subpart pursuant to Sec. 16.26(a) of this chapter. Proposed Sec. 1.693(g) states that if a hearing request is granted, the hearing will be held within 10 business days after the date the request was filed or, if applicable, within a time frame agreed upon in writing by requestor and the presiding officer. The presiding officer may require that a hearing conducted under this subpart be completed within 1 business day, as appropriate. The presiding officer must conduct the hearing under part 16 of this chapter, except that, under Sec. 16.5(b) of this chapter, the procedures for a regulatory hearing described in part 16 of this chapter apply only to the extent that such procedures are supplementary and not in conflict with the procedures specified for the conduct of regulatory hearings under this subpart. Based on Sec. 16.5(b), the following requirements of part 16 of this chapter are inapplicable to regulatory hearings conducted under this subpart: The requirements of Sec. 16.22 (Initiation of a regulatory hearing), Sec. 16.24(e) (Timing) and (f) (Contents of notice), Sec. 16.40 (Commissioner), Sec. 16.95(b) (Administrative decision and record for decision), and Sec. 16.119 (Reconsideration and stay of action). Proposed Sec. 1.693(g)(4) states that a decision by the presiding officer to affirm the revocation of recognition or the withdrawal of accreditation that served as the basis for the request for a regulatory hearing is considered a final Agency action for purposes of 5 U.S.C. 702. 11. Audits for Other Purposes [[Page 45823]] Table 11--Proposed Use of Regulatory Audit Reports Under Subpart L ------------------------------------------------------------------------ Proposed rule section Title ------------------------------------------------------------------------ 1.698.................. May importers use reports of regulatory audits by accredited auditors/certification bodies for purposes of subpart L of this part? ------------------------------------------------------------------------ May importers use reports of regulatory audits by accredited auditors/certification bodies for purposes of subpart L of this part? (Proposed Sec. 1.698). This proposed rule would allow importers to use certain information from accredited auditors/certification bodies in meeting the Foreign Supplier Verification Program (FSVP) requirements. Proposed Sec. 1.698 allows an importer, as defined in the proposed regulations for the FSVP published elsewhere in this edition of the Federal Register, to use a report of a regulatory audit of a foreign supplier (which is an eligible entity), in meeting the verification requirements under the proposed FSVP regulations. The FSVP proposed rule would require importers to verify that hazards identified as reasonably likely to occur are being adequately controlled. Onsite auditing may be used under the FSVP proposed rule. While the FSVP proposed rule would not require use of accredited auditors/certification bodies, we believe accredited auditor/ certification body program we are establishing under section 808 of the FD&C Act will help ensure the rigor and objectivity of audits performed by auditors/certification bodies accredited under our program. Proposed Sec. 1.698 allows an importer required (or having the option) to perform onsite auditing of its foreign supplier to comply with the FSVP proposed rule to use the results of a regulatory audit in meeting such requirement. The regulatory audit report of the foreign supplier would be the documentation of such verification activity. (We have tentatively concluded that the report of a consultative audit would not be appropriate documentation for purposes of the proposed FSVP rule. Among other things, consultative audits are defined as being conducted for internal purposes only and are conducted against industry standards as well as the requirements of the FD&C Act.) We see significant value in having the food industry use competent and impartial auditors/certification bodies to conduct food safety audits of their facilities and are aware that many leaders in the food industry are working to assure those objectives are achieved. We believe that the accredited third-party audits and certification program we are establishing to implement section 808 of the FD&C Act offers a credible system to help ensure that the audits conducted by auditors/certification bodies accredited under our program and the certifications they issue based on the results of those audits are valid and reliable not only to us, but also to companies throughout the supply chain of the audited facility. We further believe that our involvement, as the regulator responsible with oversight of these facilities, offers an added level of assurance to consumers in the validity of these third-party audits--a confidence they otherwise might not gain from private audit systems. It is our intent that the program we establish for foreign food safety audits be solidly grounded in the key principles set out in the statute and in the international standards and best practices that are currently used by leaders at the forefront of efforts to ensure auditor competency and objectivity. We realize that the same principles and standards that are features of a rigorous and credible program for audits of foreign firms would likewise hold great merit for audits of domestic food facilities. We seek comment on the value of, and need for, a program established and administered by FDA for the use of accredited auditors/ certification bodies to conduct domestic food safety audits. We seek input on whether accreditation bodies, auditors/certification bodies, and domestic food facilities might be interested in such a program and the incentives we might offer to encourage participation. B. Proposed Revisions to Part 16 We are proposing a conforming change to the section of the CFR that describes procedures for regulatory hearings that would add revocation of recognition of an accreditation body and withdrawal of accreditation of a third-party auditor/certification body to the list of actions for which a hearing under this part may be held. The affected section in title 21 of the CFR is 16.1. V. Analysis of Environmental Impact We have carefully considered the potential environmental effects of this action. We have concluded, under 21 CFR 25.30(h), that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required (Ref. 34). VI. Federalism We have analyzed this proposed rule in accordance with the principles set forth in Executive Order 13132. We have determined that the proposed rule does not contain policies that have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. Accordingly, we have concluded that the proposed rule does not contain policies that have federalism implications as defined in the Executive order and, consequently, a federalism summary impact statement is not required. VII. Comments Interested persons may submit either electronic comments regarding this document to http://www.regulations.gov or written comments to the Division of Dockets Management (see ADDRESSES). It is only necessary to send one set of comments. Identify comments with the docket number found in brackets in the heading of this document. Received comments may be seen in the Division of Dockets Management between 9 a.m. and 4 p.m., Monday through Friday, and will be posted to the docket at http://www.regulations.gov. VIII. References The following references have been placed on display in the Division of Dockets Management (see ADDRESSES) and may be seen by interested persons between 9 a.m. and 4 p.m., Monday through Friday. (FDA has verified all the Web site addresses in this References section, but FDA is not responsible for any subsequent changes to the Web sites after this document publishes in the Federal Register). 1. Centers for Disease Control and Prevention. ``CDC research shows outbreaks linked to imported foods increasing.'' http://www.cdc.gov/media/releases/2012/p0314_foodborne.html. Accessed April 23, 2013. [[Page 45824]] 2. ``Notification to the World Trade Organization (G/SPS/N/USA/ 2156).'' Food and Drug Administration, 2011. https://docs.wto.org/imrd/directdoc.asp?DDFDocuments/t/G/SPS/NUSA2156.DOC. 3. International Organization for Standardization/CASCO. ``Building Trust: The Conformity Assessment Toolbox,'' 2009. http://www.iso.org/iso/casco_building-trust.pdf. Accessed April 23, 2013. 4. U.S. Agency for International Development. ``The Relationship of Third-Party Certification (TPC) to Sanitary/Phytosanitary (SPS) Measures and the International Agri-Food Trade: Final Report,'' 2005. http://cs3.msu.edu/d/pubs/ The%20Relationship%20of%20TPC%20to%20SPS%20Measures-- Final%20Report%20+%20Annexes.pdf. Accessed April 23, 2013. 5. ``Guidance for Industry--Voluntary Third-Party Certification Program for Foods and Feeds,'' 2009. Food and Drug Administration. http://www.fda.gov/regulatoryinformation/guidances/ucm125431.html. 6. ``Assessment of the Third-Party Certification Program for Aquacultured Shrimp,'' 2011. Food and Drug Administration. http://www.fda.gov/Food/GuidanceRegulation/GuidanceDocumentsRegulatoryInformation/Seafood/ucm265934.htm. 7. ``Mammography Quality Standards Act and Program, Facility Certification and Inspection (MQSA).'' Food and Drug Administration. http://www.fda.gov/Radiation-EmittingProducts/MammographyQualityStandardsActandProgram/AbouttheMammographyProgram/default.htm. Accessed on April 23, 2013. Last Modified 2012. 8. ``Import Alert 28-20 Detention Without Physical Examination of Indian Pepper.'' http://www.accessdata.fda.gov/cms_ia/importalert_90.html. Accessed April 23, 2013. Last Modified 2011. 9. ``Memorandum of Understanding Between the Food and Drug Administration, Department of Health and Human Services, United States of America and the Ministry of Agriculture of the Republic of France Covering Caseins, Caseinates, and Mixtures Thereof Exported to the United States of America.'' Food and Drug Administration. http://www.fda.gov/InternationalPrograms/Agreements/MemorandaofUnderstanding/ucm107563.htm. Accessed on April 23, 2013. Last Modified 1987. ``Cooperative Arrangement with the Department of Agriculture, Fisheries, and Food of Ireland Concerning Certification Requirements for Caseins, Caseinates, and Mixtures Thereof Exported from Ireland to the United States of America.'' Food and Drug Administration. http://www.fda.gov/InternationalPrograms/Agreements/MemorandaofUnderstanding/ucm107596.htm. Accessed on April 23, 2013. Last Modified 2010. ``Memorandum of Understanding Between the Food and Drug Administration and the Royal Norwegian Ministry of Agriculture Covering Rennet Casein Exported to the United States of America.'' Food and Drug Administration. http://www.fda.gov/InternationalPrograms/Agreements/MemorandaofUnderstanding/ucm107618.htm. Accessed on April 23, 2013. Last Modified 1982. 10. Government Accountability Office. ``Food Safety: FDA Can Better Oversee Food Imports by Assessing and Leveraging Other Countries' Oversight Resources (GAO-12-933),'' 2012. http://www.gao.gov/assets/650/649010.pdf. 11. National Academies Press. ``Enhancing Food Safety: The Role of the Food and Drug Administration,'' 2010. http://www.iom.edu/Reports/2010/Enhancing-Food-Safety-The-Role-of-the-Food-and-Drug-Administration.aspx. 12. ``Manufactured Foods Regulatory Program Standards.'' Food and Drug Administration. http://www.fda.gov/downloads/RegulatoryInformation/Guidances/UCM125448.pdf. Accessed on April 23, 2013. Last Modified 2007. 13. ``Ensuring the Safety of Imported Foods and Animal Feed: Comparability of Food Safety Systems and Import Practices of Foreign Countries; Notice of Public Hearing; Request for Comments, 2011.'' Food and Drug Administration. http://www.fda.gov/Food/NewsEvents/WorkshopsMeetingsConferences/ucm243781.htm. Accessed on April 23, 2013. 14. ``Draft International Comparability Assessment Tool, 2010.'' Food and Drug Administration. http://www.fda.gov/downloads/Food/InternationalInteragencyCoordination/UCM331177.pdf. Accessed on April 23, 2013. 15. ``Circular A-119 Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities, 1998.'' Office of Management and Budget. http://www.whitehouse.gov/omb/circulars_a119. Accessed on April 23, 2013. 16. ``Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities; Request for Information and Notice of Public Workshop, 2012.'' Office of Management and Budget. http://www.regulations.gov/#!documentDetail;D=OMB-2012-0003-0001. Accessed on April 23, 2013. 17. ``ISO/IEC 17000:2004 Conformity assessment--Vocabulary and General Principles.'' International Organization for Standardization/International Electrotechnical Commission. Accessed on April 23, 2013. Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/catalogue_detail.htm?csnumber=29316 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66). 18. ``ISO/IEC 17011:2004 Conformity assessment--General requirements for accreditation bodies accrediting conformity assessment bodies.'' International Organization for Standardization/International Electrotechnical Commission. Accessed on April 23, 2013. Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=29332 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA- 2011-N-0146 and/or RIN 0910-AG66). 19. ``ISO/IEC 17021: 2006/2011 Conformity assessment--Requirements for bodies providing audit and certification of management systems.'' International Organization for Standardization/ International Electrotechnical Commission. Accessed on April 23, 2013. Last Modified 2011. Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46568 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66). 20. ``ISO/IEC Guide 65:1996 General requirements for bodies operating product certification systems.'' International Organization for Standardization/International Electrotechnical Commission. Accessed on February 27, 2013. Copies are available from the International Electrotechnical Commission, 3, rue de Varembe, P.O. Box 131, CH-1211 Geneva 20--Switzerland, or on the Internet at http://webstore.iec.ch/webstore/webstore.nsf/Artnum_PK/40140, or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66). ``ISO/IEC 17065:2012 Conformity assessment--Requirements for bodies certifying products, processes and services.'' International Organization for Standardization/International Electrotechnical Commission. Accessed on April 23, 2013. Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46568 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA- 2011-N-0146 and/or RIN 0910-AG66). 21. ``ISO/TS 22003:2007 Food safety management systems--Requirements for bodies providing audit and certification of food safety management systems.'' International Organization for Standardization/International Electrotechnical Commission. Accessed on April 23, 2013. Copies are available from the International Organization for [[Page 45825]] Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/cataloguetc/catalogue_detail.htm?csnumber=39834 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66). 22. ``Enhancing Food Safety Through Third-Party Certification.'' Global Food Safety Initiative. http://www.mygfsi.com/technical-resources/global-regulatory-affairs-working-group.html. Accessed on April 23, 2013. Last Modified 2011. 23. ``GFSI Guidance Document Sixth Edition, Version 6.2.'' Global Food Safety Initiative. http://www.mygfsi.com/gfsifiles/GFSI_Guidance_Document_Sixth_Edition_Version_6.2.pdf. Accessed on April 23, 2013. Last Modified 2012. 24. ``Accreditation Services,'' 2013. American National Standards Institute. https://www.ansica.org/wwwversion2/outside/PROsectorprograms.asp?menuID=1. Accessed on April 23, 2013. 25. Food and Drug Administration. Analysis to examine the impacts of the proposed rules for the Foreign Supplier Verification Program and the Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications under Executive Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5 U.S.C. 601-612), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520), 2013. http://www.fda.gov/AboutFDA/ReportsManualsForms/Reports/EconomicAnalyses/default.htm. Accessed on July 22, 2013. 26. Codex Alimentarius Commission. Principles for Food Import and Export Inspection and Certification (CAC/GL 20-1995). www.codexalimentarius.org/input/download/standards/37/CXG_020e.pdf. Accessed on April 23, 2013. 27. ``Policy Memorandum, Certification of Grower Groups,'' 2011. U.S. Department of Agriculture Agricultural Marketing Service National Organic Program. http://www.ams.usda.gov/AMSv1.0/getfile?dDocName=STELPRDC5088955. Accessed on April 23, 2013. 28. ``NVCASE Program Handbook: Procedures for Obtaining NIST Recognition as an Accreditor (NISTIR 6440),'' 2004. National Institute for Standards and Technology. http://gsi.nist.gov/global/docs/NVCASE_Handbook.pdf. Accessed on April 23, 2013. 29. ``GFSI Requirements on the Application of ISO/IEC 17011:2004,'' 2009. Global Food Safety Initiative. http://www.mygfsi.com/gfsifiles/GFSI_ISO_17011_Requirements_190209_Final_IAF.pdf. Accessed April 23, 2013. 30. ``Multilateral Recognition Arrangement Documents (ML Series).'' International Accreditation Forum. http://www.iaf.nu/articles/MRA_Documents/39. Accessed April 23, 2013. 31. ``Letter to Interested Parties re: Draft WaterSense[supreg] Program,'' 2007. Environmental Protection Agency. http://www.epa.gov/watersense/docs/cert_scheme_cover_letter508.pdf. Accessed on April 23, 2013. ``WaterSense[supreg] Program, Product Certification System, Version 2.0,'' 2011. Environmental Protection Agency. http://www.epa.gov/watersense/docs/cert_system_508.pdf. Accessed on April 23, 2013. 32. ``Global Standard for Food Safety, Issue 6,'' 2012. British Retail Consortium. Copies are available from the British Retail Consortium, Second Floor, 21 Dartmouth Street, London SW1H 9BP, or on the Internet at http://www.brcglobalstandards.com/GlobalStandards/Standards/Food.aspx or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA- 2011-N-0146 and/or RIN 0910-AG66). 33. ``Recalls Background and Definitions.'' Food and Drug Administration. http://www.fda.gov/Safety/Recalls/IndustryGuidance/ucm129337.htm. Accessed on April 23, 2013. Last Modified 2009. 34. McCarthy, A. and Food and Drug Administration. ``Memorandum: Establishment of regulation to accredit third-party auditors and laboratories as required by the Food Safety Modernization Act of 2011.'' List of Subjects 21 CFR Part 1 Cosmetics, Drugs, Exports, Food labeling, Imports, Labeling, Reporting and recordkeeping requirements. 21 CFR Part 16 Administrative practice and procedure. Therefore, under the Federal Food, Drug, and Cosmetic Act and under authority delegated to the Commissioner of Food and Drugs, it is proposed that 21 CFR parts 1 and 16 be amended as follows: PART 1--GENERAL ENFORCEMENT REGULATIONS 0 1. The authority citation for 21 CFR part 1 is revised to read as follows: Authority: 15 U.S.C. 1453, 1454, 1455; 19 U.S.C. 1490, 1491; 21 U.S.C. 321, 331, 332, 333, 334, 335a, 343, 350c, 350d, 350k, 352, 355, 360b, 362, 371, 374, 381, 382, 384a, 384b, 384d, 393, 42 U.S.C. 216, 241, 243, 262, 264. 0 2. Add subpart M, consisting of Sec. Sec. 1.600 through 1.698, to read as follows: Subpart M--Accredited Third-Party Food Safety Audits and Food or Facility Certification 1.600 What definitions apply to this subpart? 1.601 Who is subject to this subpart? Recognition of Accreditation Bodies Under This Subpart 1.610 Who is eligible for recognition? 1.611 What legal authority must an accreditation body have to qualify for recognition? 1.612 What competency and capacity must an accreditation body have to qualify for recognition? 1.613 What protections against conflicts of interest must an accreditation body have to qualify for recognition? 1.614 What quality assurance procedures must an accreditation body have to qualify for recognition? 1.615 What records procedures must an accreditation body have to qualify for recognition? Requirements for Recognized Accreditation Bodies Under This Subpart 1.620 How must a recognized accreditation body assess third-party auditors/certification bodies seeking accreditation? 1.621 How must a recognized accreditation body monitor the performance of third-party auditors/certification bodies it accredits? 1.622 How must a recognized accreditation body monitor its own performance? 1.623 What reports and notifications must a recognized accreditation body submit to FDA? 1.624 How must a recognized accreditation body protect against conflicts of interest? 1.625 What records requirements must a recognized accreditation body meet? Procedures for Recognition of Accreditation Bodies Under This Subpart 1.630 How do I apply to FDA for recognition or renewal of recognition? 1.631 How will FDA review applications for recognition and for renewal of recognition? 1.632 What is the duration of recognition? 1.633 How will FDA monitor recognized accreditation bodies? 1.634 When will FDA revoke recognition? 1.635 How do I voluntarily relinquish recognition? 1.636 How do I request reinstatement of recognition? Accreditation of Third-Party Auditors/Certification Bodies Under This Subpart 1.640 Who is eligible for accreditation? 1.641 What legal authority must a third-party auditor/certification body have to qualify for accreditation? 1.642 What competency and capacity must a third-party auditor/ certification body have to qualify for accreditation? 1.643 What protections against conflicts of interest must a third- party auditor/certification body have to qualify for accreditation? 1.644 What quality assurance procedures must a third-party auditor/ certification body have to qualify for accreditation? 1.645 What records procedures must a third-party auditor/ certification body have to qualify for accreditation? [[Page 45826]] Requirements for Accredited Auditors/Certification Bodies Under This Subpart 1.650 How must an accredited auditor/certification body ensure its audit agents are competent and objective? 1.651 How must an accredited auditor/certification body conduct a food safety audit of an eligible entity? 1.652 What must an accredited auditor/certification body include in food safety audit reports? 1.653 What must an accredited auditor/certification body do when issuing food or facility certifications? 1.654 When must an accredited auditor/certification body monitor an eligible entity with food or facility certification? 1.655 How must an accredited auditor/certification body monitor its own performance? 1.656 What reports and notifications must an accredited auditor/ certification body submit? 1.657 How must an accredited auditor/certification body protect against conflicts of interest? 1.658 What records requirements must an accredited auditor/ certification body meet? Procedures for Accreditation of Third-Party Auditors/Certification Bodies Under This Subpart 1.660 Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body? 1.661 What is the duration of accreditation? 1.662 How will FDA monitor accredited auditors/certification bodies? 1.663 How do I request an FDA waiver or waiver extension for the 13- month limit for audit agents conducting regulatory audits? 1.664 When can FDA withdraw accreditation? 1.665 How do I voluntarily relinquish accreditation? 1.666 How do I request reaccreditation? Additional Procedures for Direct Accreditation of Third-Party Auditors/ Certification Bodies Under This Subpart 1.670 How do I apply to FDA for direct accreditation or renewal of direct accreditation? 1.671 How will FDA review applications for direct accreditation and for renewal of direct accreditation? 1.672 What is the duration of direct accreditation? Requirements for Eligible Entities Under This Subpart 1.680 How and when will FDA monitor eligible entities? 1.681 How frequently must eligible entities be recertified? General Requirements of This Subpart 1.690 How will FDA make information about recognized accreditation bodies and accredited auditors/certification bodies available to the public? 1.691 How do I request reconsideration of a denial by FDA of an application or a waiver request? 1.692 How do I request internal agency review of a denial of an application or waiver request upon reconsideration? 1.693 How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation? Audits for Other Purposes 1.698 May importers use reports of regulatory audits by accredited auditors/certification bodies for purposes of subpart L of this part? Subpart M--Accredited Third-Party Food Safety Audits and Food or Facility Certification Authority: 15 U.S.C. 1453, 1454, 1455; 19 U.S.C. 1490, 1491; 21 U.S.C. 321, 331, 332, 333, 334, 335a, 343, 350c, 350d, 350k, 352, 355, 360b, 362, 371, 374, 381, 382, 384a, 384b, 384d, 393, 42 U.S.C. 216, 241, 243, 262, 264. Sec. 1.600 What definitions apply to this subpart? (a) The FD&C Act means the Federal Food, Drug, and Cosmetic Act. (b) Except as otherwise defined in paragraph (c) of this section, the definitions of terms in section 201 of the FD&C Act apply when the terms are used in this subpart. (c) In addition, for the purposes of this subpart: Accreditation means a determination by a recognized accreditation body (or, in the case of direct accreditation, by FDA) that a third- party auditor/certification body meets the applicable requirements of this subpart, including the model accreditation standards. Accreditation body means an authority that performs accreditation of third-party auditors/certification bodies. Accredited auditor/certification body means a third-party auditor/ certification body that a recognized accreditation body (or, in the case of direct accreditation, FDA) has determined meets the applicable requirements of this subpart and is authorized to conduct food safety audits and to issue food or facility certifications to eligible entities. Audit means: (1) With respect to an accreditation body, the systematic, independent, and documented examination (through observation, investigation, and records review) by FDA to assess the accreditation body's authority, qualifications (including its expertise and training program), and resources; its procedures for quality assurance, conflicts of interest, and records; its performance in accreditation activities; and its capability to meet the applicable requirements of this subpart. (2) With respect to a third-party auditor/certification body, the systematic, independent, and documented examination (through observation, investigation, and records review) by a recognized accreditation body (or, in the case of direct accreditation, by FDA) to assess the third-party auditor's/certification body's authority, qualifications (including its expertise and training program), and resources; its procedures for quality assurance, conflicts of interest, and records; its performance in auditing and certification activities; and its capability to meet the applicable requirements of this subpart; and (3) With respect to an eligible entity, the systematic, independent, and documented examination (through observation, investigation, records review, and as appropriate, sampling and laboratory analysis) by an accredited auditor/certification body to assess the entity, its facility, system(s), and food using audit criteria for consultative or regulatory audits, including compliance with any applicable requirements for preventative controls, sanitation, monitoring, verification, corrective actions, and recalls, and, for consultative audits, also includes an assessment of compliance with applicable industry standards and practices. Audit agent means an individual who is an employee or other agent of an accredited auditor/certification body who, although not individually accredited, is qualified to conduct food safety audits on behalf of an accredited auditor/certification body. An audit agent includes a contractor of the accredited auditor/certification body. Certification body means a foreign government, agency of a foreign government, foreign cooperative, or any other third party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet applicable requirements of the FD&C Act. A certification body may be a single individual or an organization. A certification body may use audit agents to conduct food safety audits. Certification body has the same meaning as Third-party auditor as that term is defined in section 808 of the FD&C Act and in this subpart. Consultative audit means an audit of an eligible entity: (1) To determine whether such entity is in compliance with applicable requirements of the FD&C Act and industry standards and practices; and (2) The results of which are for internal purposes only and cannot be used to determine eligibility for a food or facility certification issued under this subpart or in meeting the requirements [[Page 45827]] for an onsite audit of a foreign supplier under subpart L of this part. Direct accreditation means accreditation of a third-party auditor/ certification body by FDA. Eligible entity means a foreign entity that chooses to be subject to a food safety audit by an accredited auditor/certification body. Eligible entities include foreign facilities subject to the registration requirements of subpart H of this part. Facility means any structure, or structures of an eligible entity under one ownership at one general physical location, or, in the case of a mobile facility, traveling to multiple locations, that manufactures/processes, packs, or holds food for consumption in the United States. Transport vehicles are not facilities if they hold food only in the usual course of business as carriers. A facility may consist of one or more contiguous structures, and a single building may house more than one distinct facility if the facilities are under separate ownership. The private residence of an individual is not a facility. Non-bottled water drinking water collection and distribution establishments and their structures are not facilities. Facility certification means an attestation, issued for purposes of section 806 of the FD&C Act by an accredited auditor/certification body, after conducting a regulatory audit and any other activities necessary to establish that a facility meets the applicable requirements of the FD&C Act. Food certification means an attestation, issued for purposes of section 801(q) of the FD&C Act by an accredited auditor/certification body, after conducting a regulatory audit and any other activities necessary to establish that a food meets the applicable requirements of the FD&C Act. Food safety audit means a regulatory audit or a consultative audit. Foreign cooperative means an entity that aggregates food from growers or processors that is intended for export to the United States. Recognized accreditation body means an accreditation body that FDA has determined meets the applicable requirements of this subpart and is authorized to accredit third-party auditors/certification bodies under this subpart. Regulatory audit means an audit of an eligible entity: (1) To determine whether such entity is in compliance with the provisions of the FD&C Act; and (2) The results of which are used in determining eligibility for food certification under section 801(q) of the FD&C Act or facility certification under section 806 of the FD&C Act, and may be used by an importer in meeting the requirements for an onsite audit of a foreign supplier under subpart L of this part. Relinquishment means: (1) With respect to an accreditation body, a decision to cede voluntarily its authority to accredit third-party auditors/ certification bodies as a recognized accreditation body; and (2) With respect to a third-party auditor/certification body, a decision to cede voluntarily its authority to conduct food safety audits and to issue food and facility certifications to eligible entities. Self-assessment means a systematic assessment conducted by an accreditation body or by a third-party auditor/certification body to determine whether it meets the applicable requirements of this subpart. Third-party auditor means a foreign government, agency of a foreign government, foreign cooperative, or any other third party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet the applicable requirements of the FD&C Act. A third-party auditor may be a single individual or an organization. A third-party auditor may use audit agents to conduct food safety audits. Third-party auditor has the same meaning as Certification body as that term is defined in this subpart. Sec. 1.601 Who is subject to this subpart? (a) Accreditation bodies. Any accreditation body seeking recognition from FDA to accredit third-party auditor/certification bodies for conducting food safety audits and for issuing food and facility certifications to eligible entities. (b) Third-party auditors/certification bodies. Any third-party auditor/certification body seeking accreditation from a recognized accreditation body or direct accreditation by FDA for: (1) Conducting food safety audits; and (2) Issuing food and facility certifications that may be used in satisfying a condition of admissibility of an article of food under section 801(q) of the FD&C Act; or in meeting the eligibility requirements for the Voluntary Qualified Importer Program under section 806 of the FD&C Act. (c) Eligible entities. Any eligible entity seeking a food safety audit or a food or facility certification from an accredited auditor/ certification body, except as provided in paragraph (d) of this section. (d) Limited exemptions from section 801(q) of the FD&C Act. (1) The certification of food under section 801(q) of the FD&C Act does not apply with respect to alcoholic beverages from an eligible entity that is a facility that meets the following two conditions: (i) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.), the facility is a foreign facility of a type that, if it were a domestic facility, would require obtaining a permit from, registering with, or obtaining approval of a notice or application from the Secretary of the Treasury as a condition of doing business in the United States; and (ii) Under section 415 of the FD&C Act, the facility is required to register as a facility because it is engaged in manufacturing/ processing one or more alcoholic beverages. (2) Certification of food under section 801(q) of the FD&C Act does not apply with respect to food other than alcoholic beverages that is from a facility described in paragraph (d)(1) of this section, provided such food: (i) Is in prepackaged form that prevents any direct human contact with such food; and (ii) Constitutes not more than 5 percent of the overall sales of the facility, as determined by the Secretary of the Treasury. Recognition of Accreditation Bodies Under This Subpart Sec. 1.610 Who is eligible for recognition? An accreditation body is eligible for recognition by FDA if it can demonstrate that it meets the requirements of Sec. Sec. 1.611 to 1.615. Sec. 1.611 What legal authority must an accreditation body have to qualify for recognition? (a) An accreditation body seeking recognition must demonstrate that it has the authority (as a governmental entity or through contractual rights) to perform such assessments of a third-party auditor/ certification body as are necessary to determine its capability to audit and certify food facilities and food, including authority to: (1) Review any relevant records; (2) Conduct onsite assessments of the performance of third-party auditors/certification bodies, such as by witnessing the performance of a statistically significant number of personnel and other agents conducting assessments; (3) Perform any reassessments or surveillance necessary to monitor [[Page 45828]] compliance of accredited auditors/certification bodies; and (4) Suspend, withdraw, or reduce the scope of accreditation for failure to comply with the requirements of accreditation. (b) An accreditation body seeking recognition must demonstrate that it is capable of exerting any authority necessary to meet the requirements of recognition in Sec. Sec. 1.620 to 1.625 and the procedures in Sec. Sec. 1.630, 1.635, and 1.636, if recognized. Sec. 1.612 What competency and capacity must an accreditation body have to qualify for recognition? An accreditation body seeking recognition must demonstrate that it has: (a) The resources required to adequately implement its accreditation program, including: (1) Adequate numbers of personnel and other agents with relevant knowledge, skills, and experience to effectively assess the qualifications of third-party auditors/certification bodies seeking accreditation and to effectively monitor the performance of third-party auditors/certification bodies; and (2) Adequate financial resources for its operations; and (b) The capability to meet the assessment and monitoring requirements of Sec. Sec. 1.620 and 1.621, the reporting and notification requirements of Sec. 1.623, and the procedures in Sec. Sec. 1.630, 1.631, 1.635, and 1.636, if recognized. Sec. 1.613 What protections against conflicts of interest must an accreditation body have to qualify for recognition? An accreditation body must demonstrate that it has: (a) Implemented written measures to protect against conflicts of interest between the accreditation body (and its officers, personnel, and other agents) and third-party auditors/certification bodies (and their officers, personnel, and other agents) seeking accreditation from, or accredited by, such accreditation body; and (b) The capability to meet the conflict of interest requirements in Sec. 1.624, if recognized. Sec. 1.614 What quality assurance procedures must an accreditation body have to qualify for recognition? An accreditation body seeking recognition must demonstrate that it has: (a) Implemented a written program for monitoring and assessing the performance of its officers, personnel and other agents and its accreditation program, including procedures to: (1) Identify areas in its accreditation program or performance that need improvement; and (2) Quickly execute appropriate corrective actions when problems are found; and (b) The capability to meet the quality assurance requirements of Sec. 1.622, if recognized. Sec. 1.615 What records procedures must an accreditation body have to qualify for recognition? An accreditation body seeking recognition must demonstrate that it has: (a) Implemented written procedures to establish, control, and retain records (including documents and data) for the period of time necessary to meet its contractual and legal obligations and to provide an adequate basis for assessing its program and performance; and (b) Is capable of meeting the reporting and notification requirements of Sec. 1.623 and the records requirements of Sec. 1.625, if recognized. Requirements for Recognized Accreditation Bodies Under This Subpart Sec. 1.620 How must a recognized accreditation body assess third- party auditors/certification bodies seeking accreditation? (a) Prior to accrediting a third-party auditor/certification body under this subpart, a recognized accreditation body must perform, at a minimum, the following: (1) In the case of a foreign government or an agency of a foreign government, such reviews and audits of its food safety programs, systems, and standards as are necessary to determine that it meets the eligibility requirements of Sec. 1.640(b) and any requirements specified in FDA model accreditation standards regarding qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. (2) In the case of a foreign cooperative that aggregates the products of growers or processor or any other third-party seeking accreditation as a third-party auditor/certification body, such reviews and audits of the training and qualifications of audit agents used by such cooperative or other third party and such reviews of internal systems and any other investigation of the cooperative or other third party necessary to determine that it meets the eligibility requirements of Sec. 1.640(c) and any requirements specified in FDA model accreditation standards regarding qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. (3) In conducting a review and audit under paragraph (a)(1) or (a)(2) of this section, observe a statistically significant number of onsite audits conducted by the third-party auditor/certification body (or its audit agents) to assess compliance with the applicable requirements of the FD&C Act. (b) A recognized accreditation body must require a third-party auditor/certification body, as a condition of accreditation under this subpart, to comply with the reports and notification requirements of Sec. Sec. 1.652 and 1.656 and to agree to submit electronic food and facility certifications, in English, to FDA for purposes of sections 801(q) and 806 of the FD&C Act. (c) A recognized accreditation body must maintain records on any denial of accreditation (in whole or in part) and on any withdrawal, suspension, or reduction in scope of accreditation of a third-party auditor/certification body under this subpart. The records must include the name and contact information for the third-party auditor/ certification body; the scope of accreditation denied, withdrawn, suspended, or reduced; and the basis for such action. (d) A recognized accreditation body must implement written procedures for receiving and addressing appeals from any third-party auditor/certification body challenging an adverse decision associated with accreditation under this subpart and for investigating and deciding on appeals in a fair and meaningful manner. The appeals procedures must provide similar protections to those offered by FDA under Sec. Sec. 1.692 and 1.693, including requirements to: (1) Make the appeals procedures publicly available; (2) Use competent, independent persons to investigate and decide appeals; (3) Advise third-party auditors/certification bodies of the final decisions on their appeals; and (4) Maintain records under Sec. 1.625 of appeals, final decisions on appeals, and the bases for such decisions. Sec. 1.621 How must a recognized accreditation body monitor the performance of third-party auditors/certification bodies it accredits? A recognized accreditation body must annually conduct a comprehensive assessment of the performance of each auditor/ certification body it accredited under this subpart by reviewing the auditor's/certification body's self-assessments (including information on [[Page 45829]] compliance with the conflict of interest requirements of Sec. Sec. 1.643 and 1.657); its regulatory audit reports and notifications submitted to FDA under Sec. 1.656; and any other information reasonably available to the accreditation body: (a) Regarding the compliance history of eligible entities it certified; or (b) That is otherwise relevant to a determination whether the accredited auditor/certification body is in compliance with this subpart. Sec. 1.622 How must a recognized accreditation body monitor its own performance? (a) A recognized accreditation body must annually, and as required under Sec. 1.664(g), conduct a self-assessment that includes evaluation of: (1) The performance of its officers, personnel, or other agents in activities under this subpart and the degree of consistency among such performances; (2) The compliance of the accreditation body and its officers, personnel, and other agents, with the conflict of interest requirements of Sec. 1.624; and (3) If requested by FDA, any other aspects of its performance relevant to a determination whether the accreditation body is in compliance with this subpart. (b) As a means to evaluate the accreditation body's performance, the self-assessment must include onsite observation of regulatory audits by a statistically significant number of third-party auditors/ certification bodies it accredited under this subpart. (c) Based on the evaluations conducted under paragraphs (a) and (b) of this section, the accreditation body must: (1) Identify any area(s) needing improvement; (2) Quickly implement effective corrective action(s) to address those area(s); and (3) Establish and maintain records of such corrective action(s) under Sec. 1.625. (d) The accreditation body must prepare, and as required by Sec. 1.623(b) submit, a written report of the results of its self-assessment that includes: (1) A description of any corrective actions taken under paragraph (c) of this section; (2) A statement disclosing the extent to which the accreditation body, and its officers, personnel, and other agents, complied with the conflict of interest requirements in Sec. 1.624; and (3) A statement attesting to the extent to which the accreditation body complied with applicable requirements of this subpart. Sec. 1.623 What reports and notifications must a recognized accreditation body submit to FDA? (a) Reporting results of assessments of certification body performance. A recognized accreditation body must submit to FDA electronically, in English, a report of the results of any assessment conducted under Sec. 1.621, no later than 45 days after completing such assessment. The report must include an up-to-date list of any audit agent used by the accredited auditor/certification body to conduct food safety audits under this subpart. (b) Reporting results of accreditation body self-assessments. A recognized accreditation body must submit to FDA electronically, in English, a report of the results of an annual self-assessment required under Sec. 1.622, no later than 45 days after completing such self- assessment and, for a recognized accreditation body subject to Sec. 1.664(g)(1), must submit a report of such self-assessment to FDA within 2 months. (c) Immediate notification to FDA. A recognized accreditation body must notify FDA electronically, in English, immediately upon: (1) Granting accreditation to an auditor/certification body under this subpart, and include: (i) The name, address, and telephone number of the auditor/ certification body; (ii) The name of one or more officers of the auditor/certification body; (iii) A list of the auditor's/certification body's audit agents; and (iv) The scope of accreditation and the date on which it was granted. (2) Withdrawing, suspending, or reducing the scope of an accreditation under this subpart, and include: (i) The basis for such action; and (ii) Any additional changes to accreditation information previously submitted to FDA under paragraph (c)(1) of this section. (3) Determining that an auditor/certification body it accredited failed to comply with Sec. 1.653 in issuing a food or facility certification under this subpart, and include: (i) The basis for such determination; and (ii) Any changes to accreditation information previously submitted to FDA under paragraph (c)(1) of this section. (d) Other notification to FDA. A recognized accreditation body must notify FDA electronically, in English, within 30 days after: (1) Denying accreditation (in whole or in part) under this subpart and include: (i) The name, address, and telephone number of the auditor/ certification body; (ii) The name of one or more officers of the auditor/certification body; (iii) The scope of accreditation requested; and (iv) The basis for such denial. (2) Making any significant change that would affect the manner in which it complies with the requirements in Sec. Sec. 1.610 to 1.625 and include: (i) A description of the change; and (ii) An explanation for the purpose of the change. Sec. 1.624 How must a recognized accreditation body protect against conflicts of interest? (a) A recognized accreditation body must implement a written program to protect against conflicts of interest between the accreditation body (and its officers, personnel, and other agents) and a third-party auditor/certification body (and its officers, personnel, and other agents) seeking accreditation from, or accredited by, such accreditation body, including the following: (1) Ensuring that the accreditation body (and its officers, personnel, or other agents) do not own or have a financial interest in, manage, or otherwise control the third-party auditor/certification body (or any affiliate, parent, or subsidiary); and (2) Prohibiting officers, personnel, or other agents of the accreditation body from accepting any money, gift, gratuity, or item of value from the third-party auditor/certification body. (3) The items specified in paragraph (a)(2) of this section do not include: (i) Money representing payment of fees for accreditation services and reimbursement of direct costs associated with an onsite audit or assessment of the third-party auditor/certification body; or (ii) Meals, of de minimis value, provided on the premises where the audit or assessment is conducted. (b) The financial interests of the spouses and children younger than 18 years of age of officers, personnel, and other agents of a recognized accreditation body will be considered the financial interests of such officers, personnel, and other agents of the accreditation body. (c) A recognized accreditation body must maintain on its Web site an up-to-date list of the auditors/certification bodies it accredited under this subpart and must identify the duration and scope of each accreditation and date(s) on each the accredited auditor/certification body paid any fee or reimbursement associated with such accreditation. [[Page 45830]] Sec. 1.625 What records requirements must a recognized accreditation body meet? (a) A recognized accreditation body must maintain electronically for 5 years records (including documents and data), in English, demonstrating its compliance with this subpart, including records relating to: (1) Applications for accreditation and renewal of accreditation under Sec. 1.660; (2) Decisions to grant, deny, suspend, withdraw, or reduce the scope of an accreditation; (3) Challenges to adverse accreditation decisions under Sec. 1.620(c); (4) Its monitoring of accredited auditors/certification bodies under Sec. 1.621; (5) Self-assessments and corrective actions under Sec. 1.622; (6) Regulatory audit reports, including any supporting information, that an accredited auditor/certification body may have submitted; and (7) Any reports or notifications to FDA under Sec. 1.623, including any supporting information. (b) A recognized accreditation body must make records required by paragraph (a) of this section available for inspection and copying promptly upon written request of an authorized FDA officer or employee at the place of business of the accreditation body or at a reasonably accessible location. If the records required by paragraph (a) of this section are requested by FDA electronically, the records must be submitted to FDA electronically, in English, not later than 10 business days after the date of the request. (c) A recognized accreditation body must not prevent or interfere with FDA's access to its accredited auditors/certification bodies and the auditor/certification body records required by Sec. 1.658. Procedures for Recognition of Accreditation Bodies Under This Subpart Sec. 1.630 How do I apply to FDA for recognition or renewal of recognition? (a) Applicant for recognition. An accreditation body seeking recognition must submit an application demonstrating that it meets the eligibility requirements in Sec. 1.610. (b) Applicant for renewal of recognition. An accreditation body seeking renewal of its accreditation must submit a renewal application demonstrating that it continues to meet the eligibility requirements in Sec. 1.610. (c) Submission. Recognition and renewal applications and any documents provided as part of the application process must be submitted electronically, in English. An applicant must provide any translation and interpretation services needed by FDA to process the application, including during onsite audits or assessments of the applicant by FDA. (d) Signature. Recognition and renewal applications must be signed by the applicant or by any individual authorized to act on behalf of the applicant for purposes of seeking recognition or renewal of recognition. Sec. 1.631 How will FDA review applications for recognition and for renewal of recognition? (a) FDA will review a recognition or renewal application on a first in, first out basis according to the date on which the application was submitted in complete form. (b) FDA will evaluate any completed recognition or renewal application to determine whether the applicant meets the eligibility requirements in Sec. 1.610 and will notify the applicant, in writing, whether the application has been approved or denied. FDA may make such notification electronically. (c) When FDA notifies an applicant that its recognition or renewal application has been approved, the notification will list any conditions associated with the recognition. (d) If FDA denies a recognition or renewal application, the notification will state the basis for such denial and will provide the address and procedures for requesting reconsideration of the application under Sec. 1.691. (e) If FDA does not reach a final decision on a renewal application before an accreditation body's recognition terminates by expiration, FDA may extend such recognition for a specified period of time or until the agency reaches a final decision on the renewal application. Sec. 1.632 What is the duration of recognition? FDA may grant recognition of an accreditation body for a period not to exceed 5 years. Sec. 1.633 How will FDA monitor recognized accreditation bodies? (a) FDA will periodically evaluate the performance of each recognized accreditation body to determine its compliance with the applicable requirements of this subpart. Such evaluation must occur by at least 4 years after the date of accreditation for a 5-year term of recognition, or by no later than mid-term point for recognition granted for less than 5 years. FDA may conduct additional performance evaluations of a recognized accreditation body at any time. (b) An FDA performance evaluation may include onsite assessments of statistically significant numbers of auditors/certification bodies the recognized accreditation body accredited and onsite audits of eligible entities such auditors/certification bodies certified. These may be conducted at any time, with or without the accreditation body or auditor/certification body present. Sec. 1.634 When will FDA revoke recognition? (a) Grounds for revocation of recognition. FDA will revoke the recognition of an accreditation body for any one or more of the following: (1) Refusal to allow FDA to access records required by Sec. 1.625, or to conduct an audit, assessment, or investigation of the accreditation body or of a third-party auditor/certification body it accredited to ensure the accreditation body's continued compliance with the requirements of this subpart. (2) Failure to take timely and necessary corrective action when: (i) The accreditation of an auditor/certification body it accredited is withdrawn by FDA under Sec. 1.664(a); (ii) A significant problem with the accreditation body is identified through self-assessment under Sec. 1.622, monitoring under Sec. 1.621, or self-assessment by one or more of its accredited auditors/certification bodies under Sec. 1.655; or (iii) Directed by FDA to ensure compliance with this subpart. (3) A determination by FDA that the accreditation body has committed fraud or has submitted material false statements to the agency. (4) A determination by FDA that there is otherwise good cause for revocation, including: (i) Demonstrated bias or lack of objectivity when conducting activities under this subpart; or (ii) Failure to adequately support one or more decisions to grant accreditation under this subpart. (b) Records request associated with revocation. To assist in determining whether revocation is warranted under paragraph (a) of this section, FDA may request records of the accreditation body required by Sec. 1.625 or the records, required by Sec. 1.658, of one or more of the auditors/certification bodies it accredited under this subpart. (c) Notice to the accreditation body of revocation of recognition. (1) Upon revocation, FDA will notify the accreditation body electronically, in English, stating the grounds for revocation, the procedures for requesting a regulatory hearing under [[Page 45831]] Sec. 1.693 on the revocation, and the procedures for requesting reinstatement of recognition under Sec. 1.636. (2) Within 10 business days of the date of revocation, the accreditation body must notify FDA electronically, in English, of the location where the records required by Sec. 1.625 will be maintained. (d) Effect of revocation of recognition on accredited auditors/ certification bodies. (1) FDA will notify an accredited auditor/ certification body, electronically and in English, if the recognition of its accreditation body is revoked. Such auditor's/certification body's accreditation will remain in effect if the auditor/certification body: (i) No later than 2 months after the revocation, conducts a self- assessment under Sec. 1.655 and reports the results of the self- assessment to FDA under Sec. 1.656(b); and (ii) No later than 1 year after the revocation, becomes accredited by a recognized accreditation body or by FDA through direct accreditation. (2) FDA may withdraw the accreditation of a third-party auditor/ certification body whenever FDA determines there is good cause for withdrawal of accreditation under Sec. 1.664. (e) Effect of revocation of recognition on food or facility certifications issued to eligible entities. A food or facility certification issued by an auditor/certification body accredited by an accreditation body prior to revocation of recognition will remain in effect until the certificate terminates by expiration. If FDA has reason to believe that a food certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered. (f) Public notice of revocation and the status of accreditations and food and facility certifications. FDA will provide notice on the Web site described in Sec. 1.690 of the revocation of recognition of an accreditation body under this subpart. Sec. 1.635 How do I voluntarily relinquish recognition? (a) An accreditation body that decides to relinquish recognition before it terminates by expiration must notify FDA electronically, in English, at least 6 months before relinquishing such authority and must identify the location where the records required by Sec. 1.625 will be maintained. An accreditation body waives the right to a hearing when relinquishing its recognition under this subpart. (b) No later than 15 business days after notifying FDA, the accreditation body must notify any third-party auditor/accreditation body currently accredited that it intends to relinquish its recognition, specify the date on which it will occur. The accreditation body must establish and maintain records of such notification under Sec. 1.625. (c) An accreditation granted by an accreditation body prior to relinquishing its recognition will remain in effect, subject to reaccreditation under Sec. 1.665, except where FDA determines that there is good cause for withdrawal of accreditation under Sec. 1.664. (d) A food certification issued by such accredited auditor/ certification body will remain in effect until it terminates by expiration, unless FDA requires renewal of the certification under section 801(q)(4)(A) of the FD&C Act prior to its expiration. If FDA has reason to believe that a certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered. (e) FDA will provide notice on the Web site described in Sec. 1.690 of the voluntary relinquishment of recognition of an accreditation body. The notice will describe the effect, if any, on any third-party auditor/certification body it accredited and on any food or facility certifications such auditor/certification body issued under this subpart. Sec. 1.636 How do I request reinstatement of recognition? (a) Application following revocation. An accreditation body that has had its recognition revoked may seek reinstatement by submitting a new application for recognition under Sec. 1.630, or may be required to submit such application after a determination in a regulatory hearing under Sec. 1.693 that revocation was appropriate. The accreditation body must submit evidence that the grounds for revocation have been resolved, including evidence addressing the cause or conditions that were the basis for revocation and identifying measures that have been implemented to help ensure that such cause(s) or condition(s) are unlikely to recur. (b) Application following relinquishment. An accreditation body that previously relinquished its recognition under Sec. 1.635 may seek recognition by submitting a new application for recognition under Sec. 1.630. Accreditation of Third-Party Auditors/Certification Bodies Under This Subpart Sec. 1.640 Who is eligible for accreditation? (a) A foreign government, agency of a foreign government, foreign cooperative, or any other third party may seek accreditation from a recognized accreditation body (or, where direct accreditation is appropriate, FDA) to conduct food safety audits and to issue food and facility certifications to eligible entities under this subpart. (b) A foreign government or an agency of a foreign government is eligible for accreditation if it can demonstrate that its food safety programs, systems, and standards meet the requirements of Sec. Sec. 1.641 to 1.645, as specified in FDA model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. (c) A foreign cooperative or other third party is eligible for accreditation if it can demonstrate that the training and qualifications of its audit agents and its internal systems and standards meet the requirements of Sec. Sec. 1.641 to 1.645, as specified in FDA model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. Sec. 1.641 What legal authority must a third-party auditor/ certification body have to qualify for accreditation? (a) A third-party auditor/certification body seeking accreditation from a recognized accreditation body or from FDA must demonstrate that it has the authority (as a governmental entity or through contractual rights) to perform such assessments of facilities, their process(es), and food(s) as are necessary to determine compliance with the FD&C Act and with industry standards and practices and to issue certifications where appropriate based on a review of the findings of such assessments. This includes authority to: (1) Review any relevant records; (2) Conduct onsite audits of the eligible entity, such as witnessing the performance of a statistically significant number of personnel and other agents conducting audits of food facilities; and (3) Suspend or withdraw certification for failure to comply with applicable requirements. (b) A third-party auditor/certification body seeking accreditation must demonstrate that it is capable of exerting any authority necessary to meet the requirements of accreditation in Sec. Sec. 1.650 to 1.658 and the procedures in Sec. Sec. 1.660, 1.663, 1.665, 1.666, and 1.670, if accredited. [[Page 45832]] Sec. 1.642 What competency and capacity must a third-party auditor/ certification body have to qualify for accreditation? A third-party auditor/certification body seeking accreditation must demonstrate that it has: (a) The resources necessary to fully implement its audit and certification program, including: (1) Adequate numbers of personnel and other agents with relevant knowledge, skills, and experience to effectively audit and assess compliance with applicable FDA requirements and industry standards and practices and to issue valid and reliable certifications; and (2) Adequate financial resources for its operations; and (b) The competency and capacity to meet the requirements of Sec. Sec. 1.650 to 1.658 and the procedures in Sec. Sec. 1.660, 1.663, 1.665, 1.666, and 1.670, if accredited. Sec. 1.643 What protections against conflicts of interest must a third-party auditor/certification body have to qualify for accreditation? A third-party auditor/certification body must demonstrate that it has: (a) Implemented written measures to protect against conflicts of interest between the auditor/certification body (and its officers, personnel, and other agents) and eligible entities (and their owners and operators) seeking assessment and certification from, or assessed and certified by, such auditor/certification body; and (b) The capability to meet the conflict of interest requirements in Sec. 1.657, if accredited. Sec. 1.644 What quality assurance procedures must a third-party auditor/certification body have to qualify for accreditation? A third-party auditor/certification body seeking accreditation must demonstrate that it has: (a) Implemented a written program for monitoring and assessing the performance of its officers, personnel, and other agents involved in auditing and certification activities, including procedures to: (1) Identify areas in its auditing and certification program or performance that need improvement; and (2) Quickly execute appropriate corrective actions when problems are found; and (b) The capability to meet the quality assurance requirements of Sec. 1.655, if accredited. Sec. 1.645 What records procedures must a third-party auditor/ certification body have to qualify for accreditation? A third-party auditor/certification body seeking accreditation must demonstrate that it: (a) Implemented written procedures to establish, control, and retain records (including documents and data) for a period of time necessary to meet its contractual and legal obligations and to provide an adequate basis for assessing its program and performance; and (b) Is capable of meeting the reporting and notification requirements of Sec. 1.656 and the records requirements of Sec. 1.658, if accredited. Requirements for Accredited Auditors/Certification Bodies Under This Subpart Sec. 1.650 How must an accredited auditor/certification body ensure its audit agents are competent and objective? (a) An accredited auditor/certification body that uses audit agents to conduct food safety audits must ensure that each such agent meets the following requirements with respect to the scope of its accreditation under this subpart: (1) Has relevant knowledge and experience that provides an adequate basis for the agent to assess compliance with the FD&C Act and, for consultative audits, industry standards and practices; (2) Has been determined by the accredited auditor/certification body, through observations of a representative number of audits, to be competent to conduct food safety audits under this subpart; (3) Participates in annual food safety training under the accredited auditor's/certification body's training plan; (4) Is in compliance with the conflict of interest requirements of Sec. 1.657 and has no other conflicts of interest with the eligible entity to be audited that might impair the agent's objectivity; and (5) Agrees to notify its accredited auditor/certification body immediately upon discovering, during a food safety audit, any condition that could cause or contribute to a serious risk to the public health. (b) In assigning an audit agent to conduct a food safety audit at a particular eligible entity, an accredited auditor/certification body must determine that the agent is qualified to conduct such audit under the criteria established in paragraph (a) of this section and based on the scope and purpose of the audit and the type of facility, its process(es), and food. (c) An accredited auditor/certification body cannot use an audit agent to conduct a regulatory audit at an eligible entity if such agent conducted a consultative audit or regulatory audit for the same eligible entity in the preceding 13 months, except that such limitation may be waived if the accredited auditor/certification body demonstrates to FDA, under Sec. 1.663, there is insufficient access to accredited auditors/certification bodies in the country or region where the eligible entity is located or in the country of export. Sec. 1.651 How must an accredited auditor/certification body conduct a food safety audit of an eligible entity? (a) Audit planning. Before beginning to conduct a food safety audit under this subpart, an accredited auditor/certification body must: (1) Require the entity seeking an audit to: (i) Identify the scope and purpose of the food safety audit, including the facility, process(es), or food to be audited; whether the audit is to be conducted as a consultative or regulatory audit, and if a regulatory audit, the type(s) of certification(s) sought; and (ii) Provide a 30-day operating schedule for such facility that includes information relevant to the scope and purpose of the audit; and (2) Determine whether the requested audit is within its scope of accreditation. (b) Authority to audit. In arranging a food safety audit with an eligible entity, an accredited auditor/certification body must ensure it has authority, whether contractual or otherwise, to: (1) Conduct an unannounced audit to verify whether the activities and results of the eligible entity (within the scope of the audit) comply with the applicable requirements of the FD&C Act and, for consultative audits, industry standards and practices; (2) Access any records and any area of the facility, its process(es), and food of the eligible entity relevant to the scope and purpose of such audit and, where appropriate, to issue food and facility certifications; (3) Where FDA requires sampling and analysis, use of validated sampling or analytical methodologies and analysis by a laboratory that is accredited, in accordance with the requirements of section 422 of the FD&C Act; (4) Notify FDA immediately if, at any time during a food safety audit, the accredited auditor/certification body (or its audit agent, where applicable) discovers a condition that could cause or contribute to a serious risk to the public health and provide information required by Sec. 1.656(c); (5) Prepare reports of consultative audits that contain the elements [[Page 45833]] specified in Sec. 1.652(a) and, for regulatory audits, prepare reports that contain the elements specified in Sec. 1.652(b) and submit them to FDA and to its accreditation body (where applicable) under Sec. 1.656(a); and (6) Allow FDA and the recognized accreditation body that accredited such third-party auditor/certification body, if any, to observe any food safety audit for purposes of evaluating the accredited auditor's/ certification body's performance under Sec. Sec. 1.621 and 1.662 or, where appropriate, the recognized accreditation body's performance under Sec. Sec. 1.622 and 1.633. (c) Audit protocols. An accredited auditor/certification body (or its audit agent, where applicable) must conduct a food safety audit in a manner consistent with the identified scope and purpose of the audit and within the scope of its accreditation. (1) The audit must be conducted without announcement during the 30- day timeframe identified under paragraph (a)(1)(ii) of this section and must be focused on the highest food safety risk(s) associated with the facility, its process(es), and food within the scope of the audit. (2) The audit must include records review; an onsite assessment of the facility, its process(es), and the food that results from such process(es); and where appropriate, environmental or product sampling and analysis, using validated procedures (including sample integrity procedures) and analysis performed by a laboratory accredited in accordance with the requirements of section 422 of the FD&C Act. The audit may include any other activities necessary to establish compliance with the FD&C Act. (3) The audit must be sufficiently rigorous to allow the accredited auditor/certification body to determine whether the entity is in compliance with the FD&C Act at the time of the audit; and for a regulatory audit, whether the entity would be likely to remain in compliance with the applicable requirements of the FD&C Act for at least 12 months following the audit, provided that the facility and its process(es) are properly maintained and implemented. (4) Audit observations and assessments, including corrective actions, must be documented and must be used to support the findings contained in the audit report required by Sec. 1.652 and maintained as a record of the accredited auditor/certification body under Sec. 1.658. Sec. 1.652 What must an accredited auditor/certification body include in food safety audit reports? (a) Consultative audits. An accredited auditor/certification body must prepare a report of a consultative audit, in English, not later than 45 days after completing such audit and must maintain such report under Sec. 1.658. A consultative audit report must include: (1) The name and address of the facility subject to audit and the name and address of the eligible entity, if different from the facility; (2) A unique facility identifier, as required by FDA, for the facility and for the eligible entity, if different from the facility; (3) The names and telephone numbers of the persons responsible for food safety compliance at the facility; (4) The dates and scope of the audit; and (5) Any deficiencies observed that require corrective action, the corrective action plan, and the date on which such corrective actions were completed. Such audit report must be maintained as a record under Sec. 1.658 and must be made available to FDA under Sec. 1.361. (b) Regulatory audits. An accredited auditor/certification body must, no later than 45 days after completing a regulatory audit, prepare and submit electronically, in English, to FDA and to its accreditation body (or, in the case of direct accreditation, only to FDA) a report of such regulatory audit that includes the following information: (1) The identity of the audited facility, including: (i) The name and address of the facility subject to audit and a unique facility identifier, as required by FDA; and (ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part; (2) The identity of the eligible entity, including the name, address, and unique facility identifier, as required by FDA, of the eligible entity (if different than that of facility); (3) The dates and scope of the regulatory audit; (4) The process(es) and food(s) observed during such audit; (5) The identity of the person(s) responsible for the facility's compliance with the applicable requirements of the FD&C Act; (6) Any deficiencies observed during the audit that present a reasonable probability that the use of or exposure to a violative product: (i) Will cause serious adverse health consequences or death; or (ii) May cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote; (7) The corrective action plan for addressing each deficiency identified under paragraph (b)(6) of this section, unless corrective action was implemented immediately and verified onsite by the accredited auditor/certification body (or its audit agent); (8) Whether any sampling and laboratory analysis (e.g., under a microbiological sampling plan) is used in the facility; (9) Whether the entity has issued a food safety-related recall of an article of food from the facility during the 2 years preceding the audit and, if so, any such article(s) recalled and the reason(s) for the recall(s); (10) Whether the entity has made significant changes to the facility, its process(es), or products during the 2 years preceding the audit; and (11) Any food or facility certifications issued to the entity during the 2 years preceding the audit, including the scope and duration of each such certification. (c) Submission of regulatory audit report. An accredited auditor/ certification body must submit a completed regulatory audit report as required by paragraph (b) of this section, regardless of whether the food or facility certification was issued under this subpart. (d) Appeals of adverse regulatory audit results. An accredited auditor/certification body must implement written procedures for receiving and addressing appeals from eligible entities challenging adverse regulatory audit results and for investigating and deciding on appeals in a fair and meaningful manner. The appeals procedures must provide similar protections to those offered by FDA under Sec. Sec. 1.692 and 1.693, including requirements to: (1) Make the appeals procedures publicly available; (2) Use qualified persons, different from those involved in the subject of the appeal, to investigate and decide on an appeal; (3) Advise the eligible entity of the final decision on its appeal; and (4) Maintain records under Sec. 1.658 of the appeal, the final decision, and the basis for such decision. Sec. 1.653 What must accredited auditor/certification body do when issuing food or facility certifications? (a) Basis for issuance of a food or facility certification. (1) Prior to issuing a food or facility certification to an eligible entity, an accredited auditor/certification body (or an audit agent on its behalf) must complete a regulatory [[Page 45834]] audit that meets the requirements of Sec. 1.651 and any other activities that may be necessary to establish compliance with applicable requirements of the FD&C Act. (2) If, as a result of an observation during a regulatory audit, an eligible entity must implement a corrective action plan to address an observation, an accredited auditor/certification body may not issue a food or facility certification to such entity until after the accredited auditor/certification body verifies that eligible entity has implemented the corrective action plan through onsite observation, except for corrective actions taken to address recordkeeping deficiencies that may be verified through submission of records or through assurances by the eligible entity. (3) An accredited auditor/certification body must consider each observation and assessment made during a regulatory audit and other activities conducted under Sec. 1.651 to determine whether the entity was in compliance with the applicable requirements of the FD&C Act at the time of the audit and whether the entity would be likely to remain in compliance for the duration of a food or facility certification issued under this subpart. (4) A single regulatory audit may result in issuance of one or more food or facility certifications under this subpart, provided that the requirements of issuance are met as to each such certification. (5) Where an accredited auditor/certification body uses an audit agent to conduct a regulatory audit of an eligible entity under this subpart, the accredited auditor/certification body (and not the audit agent) must make the determination whether to issue a food or facility certification based on the results of such regulatory audit. (b) Issuance of a food or facility certification and submission to FDA. (1) For purposes of submission to FDA under this subpart, an accredited auditor/certification body must issue a food or facility certification electronically and in English. The accredited auditor/ certification body must not issue a food or facility certification under this subpart for a term that is longer than 12 months. (2) A food or facility certification must contain, at a minimum, the following elements: (i) The name and address of the accredited auditor/certification body and the scope and date of its accreditation under this subpart; (ii) The name, address, and unique facility identifier, as required by FDA, of the eligible entity to which the food or facility certification was issued; (iii) The name, address, and unique facility identifier, as required by FDA, of the facility where the audit was conducted, if different than the eligible entity; (iv) The scope and date(s) of the audit; (v) The name of the audit agent(s) (where applicable) conducting the audit; (vi) The scope of the food or facility certification, date of issuance, and date of expiration. (3) FDA may refuse to accept any food certification or other assurance for food issued by an accredited auditor/certification body for purposes of section 801(q) of the FD&C Act, if FDA determines, under section 801(q)(4)(B), that such food certification or assurance was not validly issued or does not reliably demonstrate that the food is in compliance with the applicable requirements of the FD&C Act, including the following: (i) That the food certification or assurance is offered in support of the admissibility of a food that was not within the scope of the certification or assurance; and (ii) That the food certification was issued by an accredited auditor/certification body acting outside the scope of its accreditation under this subpart. Sec. 1.654 When must an accredited auditor/certification body monitor an eligible entity with food or facility certification? If an accredited auditor/certification body has reason to believe that an eligible entity to which it issued a food or facility certification may no longer be in compliance with the applicable requirements of the FD&C Act, the accredited auditor/certification body must conduct any monitoring (including an onsite assessment) of such eligible entity necessary to determine whether the entity is in compliance. The accredited auditor/certification body must immediately notify FDA, under Sec. 1.656(d), if it determines the entity is no longer in compliance with the applicable requirements of the FD&C Act. The accredited auditor/certification body must maintain records of such monitoring under Sec. 1.658. Sec. 1.655 How must an accredited auditor/certification body monitor its own performance? (a) An accredited auditor/certification body must annually, and as required under Sec. 1.634(d)(1)(i) or upon FDA request made for cause, conduct a self-assessment that includes evaluation of: (1) The performance of its officers, personnel, or other agents in activities under this subpart, including assessing whether its audit agents focused on the most significant risks to human and/or animal health when conducting food safety audits of facilities involved in the production, manufacturing, processing, packing, or holding of food; (2) The degree of consistency among its officers, personnel, or other agents in performing activities under this subpart, including assessing whether its audit agents interpreted audit protocols in a consistent manner; (3) The compliance of the accredited auditor/certification body and its officers, personnel, and other agents, with the conflict of interest requirements of Sec. 1.657; (4) Actions taken in response to the results of any assessments conducted by FDA or, where applicable, the recognized accreditation body under Sec. 1.621; and (5) As requested by FDA, any other aspects of its performance relevant to a determination whether the accredited auditor/ certification body is in compliance with this subpart. (b) As a means to evaluate its performance, the accredited auditor/ certification body may evaluate the compliance of one or more of eligible entities to which food or facility certification was issued under this subpart. (c) Based on the evaluations conducted under paragraphs (a) and (b) of this section, the accredited auditor/certification body must: (1) Identify any area(s) needing improvement; (2) Quickly implement effective corrective action(s) to address those area(s); and (3) Under Sec. 1.658, establish and maintain records of such corrective action(s). (d) The accredited auditor/certification body must prepare a written report, in English, of the results of its self-assessment that includes: (1) A description of any corrective action(s) taken under paragraph (c) of this section; (2) A statement disclosing the extent to which the accredited auditor/certification body, and its officers, personnel, and other agents complied with the conflict of interest requirements in Sec. 1.657; and (3) A statement attesting to the extent to which the accredited auditor/certification body complied with the applicable requirements of this subpart. Sec. 1.656 What reports and notifications must an accredited auditor/ certification body submit? (a) Reporting results of regulatory audits. An accredited auditor/ [[Page 45835]] certification body must submit a regulatory audit report, as described in Sec. 1.652(b), electronically, in English, to FDA and to the accreditation body that granted its accreditation (where applicable), no later than 45 days after completing such audit. (b) Reporting results of accredited auditor/certification body self-assessments. An accredited auditor/certification body must submit the report of its annual self-assessment required by Sec. 1.655 electronically to its accreditation body (or, in the case of direct accreditation, FDA), within 45 days of the anniversary date of its accreditation under this subpart and, for an accredited auditor/ certification body subject to Sec. 1.634(d)(1)(i) or an FDA request for cause, must submit the report of its self-assessment to FDA within 2 months. Such report must include an up-to-date list of any audit agents it uses to conduct audits under this subpart. (c) Notification to FDA of a serious risk to public health. An accredited auditor/certification body must immediately notify FDA electronically, in English, when any of its audit agents or the accredited auditor/certification body itself, discovers any condition, found during a regulatory or consultative audit of an eligible entity, which could cause or contribute to a serious risk to the public health, providing the following information: (1) The name and address of the eligible entity subject to the audit; (2) The name and address of the facility where the condition was discovered (if different from that of the eligible entity) and, where applicable, the FDA registration number assigned to the facility under subpart H of this part; and (3) The condition for which notification is submitted. (d) Immediate notification to FDA of withdrawal or suspension of food or facility certification. An accredited auditor/certification body must notify FDA electronically, in English, immediately upon withdrawing or suspending the food or facility certification of an eligible entity and the basis for such action. (e) Notification to its accreditation body or an eligible entity. (1) After notifying FDA under paragraph (c) of this section, an accredited auditor/certification body must immediately notify the eligible entity of such condition and must immediately thereafter notify the accreditation body that granted its accreditation, except for auditors/certification bodies directly accredited by FDA. (2) An accredited auditor/certification body must notify its accreditation body (or, in the case of direct accreditation, FDA) electronically, in English, within 30 days after making any significant change that would affect the manner in which it complies with the requirements of Sec. Sec. 1.640 to 1.658, and must include with such notification the following information: (i) A description of the change; and (ii) An explanation for the purpose of the change. Sec. 1.657 How must an accredited auditor/certification body protect against conflicts of interest? (a) An accredited auditor/certification body must implement a written program to protect against conflicts of interest between the accredited auditor/certification body (and its officers, personnel, and agents) and an eligible entity seeking a food safety audit or food or facility certification from, or audited or certified by, such accredited auditor/certification body, including the following: (1) Ensuring that the accredited auditor/certification body and its officers, personnel, or agents (other than audit agents subject to paragraph (a)(2) of this section) do not own or have a financial interest in, manage, or otherwise control an eligible entity to be certified, or any affiliate, parent, or subsidiary of the entity; (2) Ensuring that an audit agent of the accredited auditor/ certification body does not own or operate an eligible entity, or any affiliate, parent, or subsidiary of the entity, to be subject to consultative or regulatory audit by such agent; and (3) Prohibiting an officer, employee, or other agent of the accredited auditor/certification body from accepting any money, gift, gratuity, or item of value from the eligible entity to be audited or certified under this subpart. (4) The items specified in paragraph (a)(3) of this section do not include: (i) Money representing payment of fees for accreditation services and reimbursement of direct costs associated with an onsite audit or assessment of the third-party auditor/certification body; or (ii) Meals, of de minimis value, provided on the premises where the audit or assessment is conducted. (b) An accredited auditor/certification body may accept the payment of fees for auditing and certification services and the reimbursement of direct costs associated with an audit of an eligible entity only after the date on which the report of such audit was completed or the date a food or facility certification was issued, whichever is later. Such payment is not considered a conflict of interest for purposes of paragraph (a) of this section. (c) The financial interests of the spouses and children younger than 18 years of age of officers, personnel, and other agents of an accredited auditor/certification body will be considered the financial interests of such officers, personnel, and other agents of the accredited auditor/certification body for purposes of this subpart. (d) An accredited auditor/certification body must maintain on its Web site an up-to-date list of the eligible entities to which it has issued food or facility certifications under this subpart. For each such eligible entity, the Web site also must identify the duration and scope of the food or facility certification and date(s) on which the eligible entity paid the accredited auditor/certification body any fee or reimbursement associated with such audit or certification. Sec. 1.658 What records requirements must an accredited auditor/ certification body meet? (a) An accredited auditor/certification body must maintain electronically for 4 years records (including documents and data), in English, that document compliance with this subpart, including: (1) Any audit report and other documents resulting from a consultative audit conducted under this subpart, including the audit agent's observations, laboratory testing records and results (as applicable), correspondence with the eligible entity, and corrective actions to address deficiencies identified during the audit; (2) Any request for a regulatory audit from an eligible entity; (3) Any audit report and other documents resulting from a regulatory audit conducted under this subpart, including the audit agent's observations, laboratory testing records and results (as applicable), correspondence with the eligible entity, and corrective actions to address deficiencies identified during the audit; (4) Any notification submitted by an audit agent to the accredited auditor/certification body under Sec. 1.650(a)(5) or by the accredited auditor/certification body to FDA under Sec. 1.656(c); (5) Any food or facility certification issued under this subpart; (6) Any challenge to an adverse regulatory audit decision and the disposition of the challenge; (7) Any monitoring it conducted of an eligible entity to which food or facility certification was issued; [[Page 45836]] (8) Its self-assessments and corrective actions taken as a result; and (9) Significant changes to the auditing or certification program that might affect compliance with this subpart. (b) An accredited auditor/certification body must make the records of a consultative audit required by paragraph (a)(1) of this section available to FDA in accordance with the requirements of subpart J of this chapter. (c) An accredited auditor/certification body must make the records required by paragraphs (a)(2) to (a)(9) of this section available for inspection and copying promptly upon written request of an authorized FDA officer or employee at the place of business of the auditor/ certification body or at a reasonably accessible location. If such records are requested by FDA electronically, the records must be submitted electronically, in English, not later than 10 business days after the date of the request. Procedures for Accreditation of Third-Party Auditors/Certification Bodies Under This Subpart Sec. 1.660 Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body? Except as allowed under Sec. 1.670, a third-party auditor/ certification body seeking accreditation must submit its request for accreditation or renewal of accreditation to an accreditation body recognized by FDA under this subpart and identified on the Web site described in Sec. 1.690. Sec. 1.661 What is the duration of accreditation? A recognized accreditation body may grant accreditation to a third- party auditor/certification body under this subpart for a period not to exceed 4 years. Sec. 1.662 How will FDA monitor accredited auditors/certification bodies? (a) FDA will periodically evaluate the performance of each auditor/ certification body accredited under this subpart to determine whether the accredited auditor/certification body continues to comply with the requirements of Sec. Sec. 1.640 to 1.658 and whether there are deficiencies in the performance of the accredited auditor/certification body that, if not corrected, would warrant withdrawal of its accreditation under this subpart. FDA will evaluate each directly accredited auditor/certification body annually. FDA will evaluate an accredited auditor/certification body annually evaluated by a recognized accreditation body under Sec. 1.621 by not later than 3 years after the date of accreditation for a 4-year term of accreditation, or by no later than the mid-term point for accreditation granted for less than 4 years. FDA may conduct additional performance evaluations of an accredited auditor/certification body at any time. (b) In evaluating the performance of an accredited auditor/ certification body under paragraph (a) of this section, FDA may review any one or more of the following: (1) Regulatory audit reports and food and facility certifications; (2) The accredited auditor's/certification body's annual self- assessments under Sec. 1.655; (3) Reports of assessments by a recognized accreditation body under Sec. 1.621, where applicable; (4) Documents and other information regarding the accredited auditor's/certification body's authority, qualifications (including the expertise and training of its audit agents), conflict of interest program, internal quality assurance program, and monitoring by its accreditation body (or, in the case of direct accreditation, FDA); and (5) Information obtained by FDA, including during inspections, audits, onsite observations, or investigations, of one or more eligible entities to which food or facility certification was issued by such accredited auditor/certification body. (c) FDA may conduct its evaluation of an accredited auditor/ certification body through onsite observations of performance during a food safety audit of an eligible entity or through document review. Sec. 1.663 How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? (a) An accredited auditor/certification body may submit a request to FDA to waive the requirements of Sec. 1.650(c) preventing an audit agent from conducting a regulatory audit of an eligible entity if the agent has conducted a food safety audit of such entity during the previous 13 months. The auditor/certification body seeking a waiver or waiver extension must demonstrate there is insufficient access to accredited auditors/certification bodies in the country or region where the eligible entity is located. (b) Requests for a waiver or waiver extension and all documents provided in support of the request must be submitted to FDA electronically, in English. The requestor must provide such translation and interpretation services as are needed by FDA to process the request. (c) The request must be signed by the requestor or by any individual authorized to act on behalf of the requestor for purposes of seeking such waiver or waiver extension. (d) FDA will review requests for waivers and waiver extensions on a first in, first out basis according to the date on which the submission was completed. FDA will evaluate any completed waiver request to determine whether the criteria for waiver have been met. (e) FDA will notify the requestor, in writing, whether the request for a waiver or waiver extension is approved or denied. Such notification may be made electronically. (f) If FDA approves the request, the notification will state the duration of the waiver and list any conditions associated with it. If FDA denies the request, the notification will state the basis for denial and will provide the address and procedures for requesting reconsideration of the request under Sec. 1.691. (g) Unless FDA notifies a requestor that its waiver request has been approved, an accredited auditor/certification body must not use the agent to conduct a regulatory audit of such eligible entity until the 13-month limit in Sec. 1.650(a) has elapsed. Sec. 1.664 When can FDA withdraw accreditation? (a) Mandatory withdrawal. FDA will withdraw accreditation from an auditor/certification body: (1) Except as provided in paragraph (b) of this section, if the food or facility certified under this subpart is linked to an outbreak of foodborne illness that has a reasonable probability of causing serious adverse health consequences or death in humans or animals; (2) Following an evaluation and finding by FDA that the auditor/ certification body no longer meets the requirements for accreditation; or (3) Following its refusal to allow FDA to access records under Sec. 1.658 or to conduct an audit, assessment, or investigation necessary to ensure continued compliance with this subpart. (b) Exception. FDA may waive mandatory withdrawal under paragraph (a)(1) of this section, if FDA: (1) Conducts an investigation of the material facts related to the outbreak of human or animal illness; (2) Reviews the steps or actions taken by the accredited auditor/ certification body to justify the food or facility certification; and (3) Determines that the accredited auditor/certification body satisfied the [[Page 45837]] requirements for issuance of certification under sections 801(q) or 806 of the FD&C Act, as applicable, and under this subpart. (c) Discretionary withdrawal. FDA may withdraw accreditation from an auditor/certification body when such auditor/certification body is accredited by an accreditation body for which recognition is revoked under Sec. 1.634, if FDA determines there is good cause for withdrawal, including: (1) Demonstrated bias or lack of objectivity when conducting activities under this subpart; or (2) Performance that calls into question the validity or reliability of its food safety audits and food and facility certifications. (d) Records access. FDA may request records of the accredited auditor/certification body under Sec. 1.658 and, where applicable, may request records of the recognized accreditation body under Sec. 1.625, when considering withdrawal under paragraphs (a)(1), (a)(2), or (c) of this section. (e) Notice to the auditor/certification body of withdrawal of accreditation. (1) FDA will notify the auditor/certification body of the withdrawal electronically, in English, stating the grounds for withdrawal, the procedures for requesting a regulatory hearing under Sec. 1.693 on the withdrawal, and the procedures for requesting reaccreditation under Sec. 1.666. (2) Within 10 business days of the date of withdrawal, the auditor/ certification body must notify FDA electronically, in English, of the location where the records will be maintained as required by Sec. 1.658. (f) Effect of withdrawal of accreditation on eligible entities. A food or facility certification issued by third-party auditor/ certification body prior to withdrawal will remain in effect until the certification terminates by expiration. If FDA has reason to believe that a food certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered. (g) Effect of withdrawal of accreditation on recognized accreditation bodies. (1) FDA will notify a recognized accreditation body, electronically and in English, if the accreditation of one of its auditors/certification bodies is withdrawn. Such accreditation body's recognition will remain in effect if, no later than 2 months after withdrawal, the accreditation body conducts a self-assessment under Sec. 1.622 and reports the results of the self-assessment to FDA as required by Sec. 1.623(b). (2) FDA may revoke the recognition of such accreditation body whenever FDA determines there is good cause for revocation of recognition under Sec. 1.634. (h) Public notice of withdrawal and the status of recognition and food and facility certifications. FDA will provide notice on the Web site described in Sec. 1.690 of its withdrawal of accreditation of an auditor/certification body under this subpart. Sec. 1.665 How do I voluntarily relinquish accreditation? (a) An accredited auditor/certification body that decides to relinquish accreditation before it terminates by expiration must notify the accreditation body (where applicable) and must notify FDA electronically, in English, at least 6 months before relinquishing such authority. The notice must identify the location where the records will be maintained as required by Sec. 1.658. A third-party auditor/ certification body waives the right to a hearing when relinquishing its accreditation under this subpart. (b) No later than 15 business days after notifying FDA under paragraph (a) of this section, the accredited auditor/certification body must notify any eligible entity to which it issued food or facility certification under this subpart. (c) A food or facility certification issued by an accredited auditor/certification body prior to relinquishing its accreditation will remain in effect until terminated by expiration. If FDA has reason to believe that a certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered. (d) FDA will provide notice on the Web site described in Sec. 1.690 of the voluntary relinquishment of accreditation by an auditor/ certification body. Sec. 1.666 How do I request reaccreditation? (a) Application following withdrawal. FDA will reinstate the accreditation of an auditor/certification body for which it has withdrawn accreditation: (1) If, in the case of direct accreditation, FDA determines, based on evidence presented by the auditor/certification body, that the auditor/certification body satisfies the requirements for accreditation and adequate grounds for withdrawal no longer exist; or (2) In the case of an auditor/certification body accredited by an accreditation body for which recognition has been revoked under Sec. 1.634: (i) If the auditor/certification body becomes accredited by a recognized accreditation body or by FDA through direct accreditation not later than 1 year after withdrawal of accreditation; or (ii) Under such conditions as FDA may impose in withdrawing accreditation. (b) Application following relinquishment. An auditor/certification body that previously relinquished its accreditation under Sec. 1.665 may seek accreditation by submitting a new application for accreditation under Sec. 1.660 or, where applicable, Sec. 1.670. Additional Procedures for Direct Accreditation of Third-Party Auditors/ Certification Bodies Under This Subpart Sec. 1.670 How do I apply to FDA for direct accreditation or renewal of direct accreditation? (a) Eligibility. (1) FDA will accept applications from third-party auditors/certification bodies for direct accreditation or renewal of direct accreditation only if FDA determines that it has not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act within 2 years after establishing the accredited third-party audits and certification program. Such FDA determination may apply, as appropriate, to specific types of auditor/ certification bodies, types of expertise, or geographic location; or through identification by FDA of any requirements of section 808 of the FD&C Act not otherwise met by previously recognized accreditation bodies. FDA will only accept applications for direct accreditation and renewal applications that are within the scope of the determination. (2) FDA may revoke or modify a determination under paragraph (a)(1) of this section if FDA subsequently identifies and recognizes an accreditation body that affects such determination. (3) FDA will provide notice on the Web site described in Sec. 1.690 of a determination under paragraph (a)(1) of this section and of a revocation or modification of the determination under paragraph (a)(2) of this section. (b) Application for direct accreditation or renewal of direct accreditation. (1) An auditor/certification body seeking direct accreditation or renewal of direct accreditation must submit an application to FDA, demonstrating that it is within the scope of the [[Page 45838]] determination issued under paragraph (a) of this section, and it meets the eligibility requirements of Sec. 1.640. (2) Applications and all documents provided as part of the application process must be submitted electronically, in English. An applicant must provide such translation and interpretation services as are needed by FDA to process the application, including during an onsite audit of the applicant. (3) The application must be signed by the applicant or by any individual authorized to act on behalf of the applicant for purposes of seeking or renewing direct accreditation. Sec. 1.671 How will FDA review applications for direct accreditation and for renewal of direct accreditation? (a) FDA will review applications for direct accreditation and for renewal of direct accreditation on a first in, first out basis according to the date the submission was completed. (b) FDA will evaluate any completed application to determine whether the applicant meets the requirements for direct accreditation under this subpart. (c) FDA will notify the applicant in writing whether the application has been approved or denied. FDA may provide such notification electronically. (d) If an application has been approved, the notification will list any conditions associated with the accreditation. (e) If FDA denies an application, the notification will state the basis of denial and will provide the address and procedures for requesting reconsideration of the application under Sec. 1.691. (f) If FDA does not reach a final decision on a renewal application before the expiration of its direct accreditation, FDA may extend the duration of such direct accreditation for a specified period of time or until the agency reaches a final decision on the renewal application. Sec. 1.672 What is the duration of direct accreditation? FDA will grant direct accreditation of a third-party auditor/ certification body for a period not to exceed 4 years. Requirements for Eligible Entities Under This Subpart Sec. 1.680 How and when will FDA monitor eligible entities? (a) FDA may, at any time, conduct an onsite audit of an eligible entity that has received food or facility certification from an accredited auditor/certification body under this subpart. The audit may be conducted with or without the accredited auditor/certification body or the recognized accreditation body (where applicable) present. (b) A food safety audit conducted by an accredited auditor/ certification body under this subpart is not considered an inspection under section 704 of the FD&C Act. Sec. 1.681 How frequently must eligible entities be recertified? (a) An eligible entity seeking to maintain facility certification under this subpart must seek recertification prior to expiration of its certification. To obtain recertification, the eligible entity must demonstrate its continuing compliance with the applicable requirements of the FD&C Act. (b) FDA may require an eligible entity to renew a food certification at any time FDA determines appropriate under section 801(q)(4)(A) of the FD&C Act. General Requirements of This Subpart Sec. 1.690 How will FDA make information about recognized accreditation bodies and accredited auditors/certification bodies available to the public? FDA will place on its Web site a registry of recognized accreditation bodies and accredited auditors/certification bodies, including the name and contact information for each. The registry may provide information on auditors/certification bodies accredited by recognized accreditation bodies through links to the Web sites of such accreditation bodies. Sec. 1.691 How do I request reconsideration of a denial by FDA of an application or a waiver request? (a) An accreditation body may seek reconsideration of the denial of an application for recognition, renewal of recognition, or reinstatement of recognition no later than 10 business days after the date of such decision. (b) A third-party auditor/certification body may seek reconsideration of the denial of an application for direct accreditation, renewal of direct accreditation, reinstatement of direct accreditation, a request for a waiver of the conflict of interest requirement in Sec. 1.650(b), or a waiver extension no later than 10 business days after the date of such decision. (c) A request to reconsider an application or waiver request under paragraph (a) or (b) of this section must be signed by the requestor or by an individual authorized to act on its behalf in submitting the request for reconsideration. The request must be submitted in English to the address specified in the notice of denial and must comply with the procedures it describes. (d) After completing its review and evaluation of the request for reconsideration, FDA will notify the requestor, in writing, of its decision to grant the application or waiver request upon reconsideration, or its decision to deny the application or waiver request upon reconsideration. Sec. 1.692 How do I request internal agency review of a denial of an application or waiver request upon reconsideration? (a) No later than 10 business days after the date FDA issued a denial of an application or waiver request upon reconsideration under Sec. 1.691, the requestor may seek internal agency review of such denial under Sec. 10.75(c)(1) of this chapter. (b) The request for internal agency review under paragraph (a) of this section must be signed by the requestor or by an individual authorized to act on its behalf in submitting the request for internal review. The request must be submitted in English to the address specified in the letter of denial upon reconsideration and must comply with procedures it describes. (c) Under Sec. 10.75(d) of this chapter, internal agency review of such denial must be based on the information in the administrative file, which will include any supporting information submitted under Sec. 1.691(c). (d) After completing the review and evaluation of the administrative file, FDA will notify the requestor, electronically, of its decision to overturn the denial and grant the application or waiver request or to affirm the denial of the application or waiver request upon reconsideration. (e) Affirmation by FDA of a denial of an application or waiver request upon reconsideration constitutes final agency action under 5 U.S.C. 702. Sec. 1.693 How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation? (a) Request for hearing on revocation. No later than 10 business days after the date FDA issued a revocation of recognition of an accreditation body under Sec. 1.634, the accreditation body or an individual authorized to act on its behalf may submit a request for a regulatory hearing on the revocation under part 16 of this chapter. The written notice of revocation issued under Sec. 1.634 will contain all of the elements required by Sec. 16.22 of this chapter and will thereby constitute the notice of an opportunity for hearing under part 16 of this chapter. (b) Request for hearing on withdrawal. No later than 10 business days after the date FDA issued a withdrawal of [[Page 45839]] accreditation of a third-party auditor/certification body under Sec. 1.664, the auditor/certification body or an individual authorized to act on its behalf may submit a request for a regulatory hearing on the withdrawal under part 16 of this chapter. The written notice of withdrawal under Sec. 1.664 will contain all of the elements required by Sec. 16.22 of this chapter and will thereby constitute the notice of opportunity of hearing under part 16 of this chapter. (c) Submission of request for regulatory hearing. The request for a regulatory hearing under paragraph (a) or (b) of this section must be submitted with a written appeal that responds to the basis for the FDA decision, as described in the written notice of revocation or withdrawal, as appropriate, and includes any supporting information upon which the requestor is relying. The request, appeal, and supporting information must be submitted in English to the address specified in the notice and must comply with the procedures it describes. (d) Effect of submission of request on FDA decision. The submission of a request for a regulatory hearing under paragraph (a) or (b) of this section will not operate to delay or stay the effect of a decision by FDA to revoke recognition of an accreditation body or to withdraw accreditation of an auditor/certification body unless FDA determines that a delay or a stay is in the public interest. (e) Presiding officer. The presiding officer for a regulatory hearing for a revocation or withdrawal under this subpart will be designated after a request for a regulatory hearing is submitted to FDA. (f) Denial of a request for regulatory hearing. The presiding officer may deny a request for regulatory hearing for a revocation or withdrawal under Sec. 16.26(a) of this chapter. (g) Conduct of regulatory hearing. (1) If the presiding officer grants a request for a regulatory hearing for a revocation or withdrawal, the hearing will be held within 10 business days after the date the request was filed or, if applicable, within a timeframe agreed upon in writing by requestor, the presiding officer, and FDA. (2) The presiding officer may require that a regulatory hearing for a revocation or withdrawal be completed within 1 business day, as appropriate. (3) The presiding officer must conduct the regulatory hearing for revocation or withdrawal under part 16 of this chapter, except that, under Sec. 16.5 of this chapter, such procedures apply only to the extent that the procedures are supplementary and do not conflict with the procedures specified for regulatory hearings under this subpart. Accordingly, the following requirements are inapplicable to regulatory hearings under this subpart: The requirements of Sec. 16.22 (Initiation of a regulatory hearing); Sec. 16.24(e) (timing) and (f) (contents of notice); Sec. 16.40 (Commissioner); Sec. 16.95(b) (administrative decision and record for decision) and Sec. 16.119 (Reconsideration and stay of action) of this chapter. (4) A decision by the presiding officer to affirm the revocation of recognition or the withdrawal of accreditation is considered a final agency action under 5 U.S.C. 702. Audits for Other Purposes Sec. 1.698 May importers use reports of regulatory audits by accredited auditors/certification bodies for purposes of subpart L of this part? An importer, as defined in Sec. 1.500 of this part, may use a regulatory audit of an eligible entity, documented in a regulatory audit report, in meeting requirements for an onsite audit of a foreign supplier under subpart L of this part. PART 16--REGULATORY HEARING BEFORE THE FOOD AND DRUG ADMINISTRATION 0 3. The authority citation for 21 CFR part 16 continues to read as follows: Authority: 15 U.S.C. 1451-1461; 21 U.S.C. 141-149, 321-394, 467f, 679, 821, 1034; 28 U.S.C. 2112; 42 U.S.C. 201-262, 263b, 364. 0 4. Section 16.1 is amended by numerically adding the following entry in paragraph (b)(2) to read as follows: Sec. 16.1 Scope. * * * * * (b) * * * (2) * * * Sec. Sec. 1.634 and 1.664, relating to revocation of recognition of an accreditation body and withdrawal of accreditation of auditors/ certification bodies that conduct food safety audits of eligible entities in the food import supply chain and issue food and facility certifications. * * * * * Dated: July 23, 2013. Leslie Kux, Assistant Commissioner for Policy. [FR Doc. 2013-17994 Filed 7-26-13; 8:45 am] BILLING CODE 4160-01-P