[Federal Register Volume 80, Number 228 (Friday, November 27, 2015)]
[Rules and Regulations]
[Pages 74570-74667]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-28160]
[[Page 74569]]
Vol. 80
Friday,
No. 228
November 27, 2015
Part IV
Department of Health and Human Services
-----------------------------------------------------------------------
Food and Drug Administration
-----------------------------------------------------------------------
21 CFR Parts 1, 11, and 16
Accreditation of Third-Party Certification Bodies To Conduct Food
Safety Audits and To Issue Certifications; Final Rule
��Federal Register / Vol. 80 , No. 228 / Friday, November 27, 2015 /
Rules and Regulations��
[[Page 74570]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Food and Drug Administration
21 CFR Parts 1, 11, and 16
[Docket No. FDA-2011-N-0146]
RIN 0910-AG66
Accreditation of Third-Party Certification Bodies To Conduct Food
Safety Audits and To Issue Certifications
AGENCY: Food and Drug Administration, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Food and Drug Administration (FDA or we) is adopting
regulations to provide for accreditation of third-party certification
bodies to conduct food safety audits of foreign food entities,
including registered foreign food facilities, and to issue food and
facility certifications, under the FDA Food Safety Modernization Act
(FSMA). These certifications will be required for participation in the
voluntary qualified importer program (VQIP) established under the
Federal Food, Drug, and Cosmetic Act (FD&C Act). In addition, when the
Agency has determined that an imported food is subject to certification
under FSMA, the Agency may require a certification under this rule as a
condition for admitting the food into the United States. FDA also
expects that these regulations will increase efficiency by reducing the
number of redundant food safety audits.
DATES: This rule is effective January 26, 2016.
FOR FURTHER INFORMATION CONTACT: Charlotte A. Christin, Office of Foods
and Veterinary Medicine, Food and Drug Administration, 10903 New
Hampshire Ave., Silver Spring, MD 20993, 301-796-7526.
SUPPLEMENTARY INFORMATION:
Table of Contents
Executive Summary
I. Introduction and Background
A. FDA Food Safety Modernization Act
B. Purpose of This Rulemaking
C. The Proposed Rule
D. Public Comments
II. Legal Authority
III. Comments on What Definitions Apply to This Subpart (Sec.
1.600)
A. Definitions, Generally
B. Assessment
C. Audit
D. Audit Agent
E. Consultative Audit
F. Eligible Entity
G. Facility
H. Facility Certification and Food Certification
I. Food
J. Food Safety Audit
K. Foreign Cooperative
L. Regulatory Audit
M. Self-Assessment
N. Third-Party Auditor
IV. Comments on Who Is Subject to This Subpart (Sec. 1.601)
A. Limiting the Scope of the Rule to Regulatory Audits and
Certifications
B. Exemption for Alcoholic Beverages
C. USDA Regulated Products
V. Comments on Recognition of Accreditation Bodies Under This
Subpart
A. Who is eligible to seek recognition? (Sec. 1.610)
B. What legal authority must an accreditation body have to
qualify for recognition? (Sec. 1.611)
C. What competency and capacity must an accreditation body have
to qualify for recognition? (Sec. 1.612)
D. What protections against conflicts of interest must an
accreditation body have to qualify for recognition? (Sec. 1.613)
E. What quality assurance procedures must an accreditation body
have to qualify for recognition? (Sec. 1.614)
F. What records procedures must an accreditation body have to
qualify for recognition? (Sec. 1.615)
VI. Comments on Requirements for Accreditation Bodies That Have Been
Recognized Under This Subpart
A. How must a recognized accreditation body evaluate third-party
certification bodies seeking accreditation? (Sec. 1.620)
B. How must a recognized accreditation body monitor the
performance of third-party certification bodies it accredited?
(Sec. 1.621)
C. How must a recognized accreditation body monitor its own
performance? (Sec. 1.622)
D. What reports and notifications must a recognized
accreditation body submit to FDA? (Sec. 1.623)
E. How must a recognized accreditation body protect against
conflicts of interest? (Sec. 1.624)
F. What records requirements must an accreditation body that has
been recognized meet? (Sec. 1.625)
VII. Comments on Procedures for Recognition of Accreditation Bodies
Under This Subpart
A. How do I apply to FDA for recognition or renewal of
recognition? (Sec. 1.630)
B. How will FDA review my application for recognition or for
renewal of recognition and what happens once FDA decides on my
application? (Sec. 1.631)
C. What is the duration of recognition? (Sec. 1.632)
D. How will FDA monitor recognized accreditation bodies? (Sec.
1.633)
E. When will FDA revoke recognition? (Sec. 1.634)
F. What if I want to voluntarily relinquish recognition or do
not want to renew recognition? (Sec. 1.635)
G. How do I request reinstatement of recognition? (Sec. 1.636)
VIII. Comments on Accreditation of Third-Party Certification Bodies
Under This Subpart
A. Who is eligible to seek accreditation? (Sec. 1.640)
B. What legal authority must a third-party certification body
have to qualify for accreditation? (Sec. 1.641)
C. What competency and capacity must a third-party certification
body have to qualify for accreditation? (Sec. 1.642)
D. What protections against conflicts of interest must a third-
party certification body have to qualify for accreditation? (Sec.
1.643)
E. What quality assurance procedures must a third-party
certification body have to qualify for accreditation? (Sec. 1.644)
F. What records procedures must a third-party certification body
have to qualify for accreditation? (Sec. 1.645)
IX. Comments on Requirements for Third-Party Certification Bodies
That Have Been Accredited Under This Subpart
A. How must an accredited third-party certification body ensure
its audit agents are competent and objective? (Sec. 1.650)
B. How must an accredited third-party certification body conduct
a food safety audit of an eligible entity? (Sec. 1.651)
C. What must an accredited third-party certification body
include in food safety audit reports? (Sec. 1.652)
D. What must an accredited third-party certification body do
when issuing food or facility certifications? (Sec. 1.653)
E. When must an accredited third-party certification body
monitor an eligible entity that it has issued a food or facility
certification? (Sec. 1.654)
F. How must an accredited third-party certification body monitor
its own performance? (Sec. 1.655)
G. What reports and notifications must an accredited third-party
certification body submit? (Sec. 1.656)
H. How must an accredited third-party certification body protect
against conflicts of interest? (Sec. 1.657)
I. What records requirements must a third-party certification
body that has been accredited meet? (Sec. 1.658)
X. Comments on Procedures for Accreditation of Third-Party
Certification Bodies Under This Subpart
A. Where do I apply for accreditation or renewal of
accreditation by a recognized accreditation body and what happens
once the recognized accreditation body decides on my application?
(Sec. 1.660)
B. What is the duration of accreditation by a recognized
accreditation body? (Sec. 1.661)
C. How will FDA monitor accredited third-party certification
bodies? (Sec. 1.662)
D. How do I request an FDA waiver or waiver extension for the
13-month limit for audit agents conducting regulatory audits? (Sec.
1.663)
E. When would FDA withdraw accreditation? (Sec. 1.664)
F. What if I want to voluntarily relinquish accreditation or do
not want to renew accreditation? (Sec. 1.665)
G. How do I request reaccreditation? (Sec. 1.666)
[[Page 74571]]
XI. Comments on Additional Procedures for Direct Accreditation of
Third-Party Certification Bodies Under This Subpart
A. How do I apply to FDA for direct accreditation or renewal of
direct accreditation? (Sec. 1.670)
B. How will FDA review my application for direct accreditation
or renewal of direct accreditation and what happens once FDA decides
on my application? (Sec. 1.671)
C. What is the duration of direct accreditation? (Sec. 1.672)
XII. Comments on Requirements for Eligible Entities Under This
Subpart
A. How and when will FDA monitor eligible entities? (Sec.
1.680)
B. How frequently must eligible entities be recertified? (Sec.
1.681)
XIII. Comments on General Requirements of This Subpart
A. How will FDA make information about recognized accreditation
bodies and accredited third-party certification bodies available to
the public? (Sec. 1.690)
B. How do I request reconsideration of a denial by FDA of an
application or a waiver request? (Sec. 1.691)
C. How do I request internal agency review of a denial of an
application or waiver request upon reconsideration? (Sec. 1.692)
D. How do I request a regulatory hearing on a revocation of
recognition or withdrawal of accreditation? (Sec. 1.693)
E. Are electronic records created under this subpart subject to
the electronic records requirements of part 11? (Sec. 1.694)
F. Are the records obtained by FDA under this subpart subject to
public disclosure? (Sec. 1.695)
G. May importers use reports of regulatory audits by accredited
certification bodies for purposes of subpart L of this part? (Sec.
1.698)
XIV. Editorial and Conforming Changes
XV. Executive Order 13175
XVI. Analysis of Economic Impact
XVII. Paperwork Reduction Act of 1995
XVIII. Analysis of Environmental Impact
XIX. Federalism
XX. References
Executive Summary
Purpose and Coverage of the Final Rule
This rule is part of FDA's implementation of FSMA, which intends to
better protect public health by, among other things, adopting a modern,
preventive, and risk-based approach to food safety regulation. In this
document, we establish a program for accreditation of third-party
certification bodies \1\ to conduct food safety audits and issue
certifications of foreign food facilities and foods for humans and
animals for purposes of sections 801(q) and 806 of the FD&C Act. We are
also codifying certain limited exemptions to mandatory import
certification under 801(q) of the FD&C Act (21 U.S.C. 381).
---------------------------------------------------------------------------
\1\ As explained more fully in Response 1, in response to
comments and for clarity, this final rule uses the term ``third-
party certification body'' rather than either the term ``third-party
auditor'' or the term, ``third party auditor/certification body''
(except that we will use the term ``third-party auditor'' in the
definitions of ``accredited third-party certification body'' and
``third-party certification body'' in 21 CFR 1.600(c) and in the
preamble discussion of those definitions in section III.A).
---------------------------------------------------------------------------
FSMA added section 808 to the FD&C Act (21 U.S.C. 384d), which
directs FDA to establish a new program for accreditation of third-party
certification bodies to conduct food safety audits and to certify that
eligible foreign entities (including registered foreign food
facilities) and food produced by such entities meet applicable FDA
requirements for purposes of sections 801(q) and 806 of the FD&C Act.
This rulemaking implements section 808 of the FD&C Act; we will
recognize accreditation bodies to accredit third-party certification
bodies, except for limited circumstances in which we may directly
accredit third-party certification bodies.
FSMA specifies two uses for the food and facility certifications
issued by accredited third-party certification bodies under this
program. First, facility certifications will be used by importers to
establish eligibility for VQIP under section 806 of the FD&C Act (21
U.S.C. 384b(a)). VQIP offers participating importers expedited review
and entry of food that is part of VQIP. One condition of participation
is importation of food from facilities audited and certified by third-
party certification bodies accredited under this subpart. FDA issued
draft guidance on VQIP on June 5, 2015 (80 FR 32136); the draft
guidance may be accessed at http://www.fda.gov/downloads/Food/GuidanceRegulation/GuidanceDocumentsRegulatoryInformation/UCM448558.pdf.
Second, section 801(q) of the FD&C Act gives FDA the authority to
make a risk-based determination to require, as a condition of
admissibility, that a food imported or offered for import into the
United States be accompanied by a certification or other assurance that
the food meets the applicable requirements of the FD&C Act. The
authority to mandate import certification for food, based on risk, is
one of the tools we can use to help prevent potentially harmful food
from reaching U.S. consumers. When FDA has determined that a food
import is subject to such certification under section 801(q) of the
FD&C Act, FDA will require, as a condition of entry, a certification
issued either by an accredited third-party certification body under
this rule or by an agency or representative of the government of the
country from which the food at issue originated, as designated by FDA.
In addition, facilities and importers may choose to use onsite
audits conducted by third-party certification bodies accredited under
the program set out in this rule in connection with meeting supplier
verification requirements under FDA's final rules for Current Good
Manufacturing Practice and Hazard Analysis and Risk-Based Preventive
Controls for Human Food (final human preventive controls regulation)
(80 FR55907, September 17, 2015); Current Good Manufacturing Practice
and Hazard Analysis and Risk-Based Preventive Controls for Food for
Animals (final animal preventive controls regulation) (80 FR 56169,
September 17, 2015); and the Foreign Supplier Verification Programs
(FSVP) for Importers of Food for Humans and Animals (published
elsewhere in this edition of the Federal Register) (implementing
sections 418 and 805 of the FD&C Act, respectively). Under those rules,
in circumstances where an onsite audit is the appropriate supplier
verification activity, such audit must be conducted by a ``qualified
auditor.'' The definitions of ``qualified auditor'' in those rules make
clear that an example of a potential qualified auditor includes, but is
not limited to, an audit agent of a certification body that has been
accredited in accordance with regulations in part 1, subpart M of this
chapter (i.e., this rule implementing section 808 of the FD&C Act).
Summary of Major Provisions of the Final Rule
This rule establishes the framework, procedures, and requirements
for accreditation bodies and third-party certification bodies for
purposes of section 808 of the FD&C Act. The rule sets requirements for
the legal authority, competency, capacity, conflict of interest
safeguards, quality assurance, and records procedures that
accreditation bodies must demonstrate to be eligible for recognition.
Accreditation bodies also must demonstrate capability to meet the FDA
requirements that would apply upon recognition. Additionally, the rule
establishes requirements for the legal authority, competency, capacity,
conflict of interest safeguards, quality assurance, and records
procedures that third-party certification bodies must demonstrate to be
eligible for accreditation. Third-party certification bodies also must
demonstrate capability to meet the applicable requirements of the rule
that would apply upon accreditation.
Pursuant to FSMA section 307 (21 U.S.C. 384d), the rule requires
accredited third-party certification
[[Page 74572]]
bodies to perform unannounced facility audits, to notify FDA upon
discovering a condition that could cause or contribute to a serious
risk to the public health, and to submit to FDA reports of regulatory
audits conducted for certification purposes. The rule includes
stringent requirements to prevent conflicts of interest from
influencing the decisions of recognized accreditation bodies and
accredited third-party certification bodies. The rule does not,
however, establish the audit criteria that accredited third-party
certification bodies will use in examining eligible entities for
compliance with the applicable food safety requirements of the FD&C Act
and FDA regulations, because those criteria appear elsewhere in FDA
regulations and the FD&C Act.
Costs and Benefits
Costs of the Third-Party final rule include compliance costs of
accreditation bodies and certification bodies that choose to
participate in our third-party program, and user fees imposed by FDA on
accreditation bodies and certification bodies for application review
and monitoring of program participants.
Table 1--Summary User Fee, Compliance, Undiscounted and Annualized Costs of the Third-Party (TP) Program per
Participant
----------------------------------------------------------------------------------------------------------------
Audited by
----------------------------------------
Certification
Eligible entity bodies (CBs) Total
currently CBs not accredited
accredited under under any program
other programs
----------------------------------------------------------------------------------------------------------------
SCENARIO 1
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities................... 10 65 75
Cost of Compliance with Program Requirements (TP $694 $2,569 ..................
Compliance Cost)...................................
Section 801(q) Compliance Cost...................... $6,940 $166,985 $173,925
Number of section 806 Entities...................... 145 971 1,116
TP Compliance Cost.................................. $694 $2,569 ..................
Section 806 Compliance Cost......................... $100,630 $2,494,499 $2,595,129
-----------------------------------------------------------
Total TP Compliance Cost--Scenario 1............ .................. .................. $2,769,054
----------------------------------------------------------------------------------------------------------------
SCENARIO 2
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities................... 10 65 75
TP Compliance Cost.................................. $322 $2,197 ..................
Section 801(q) Compliance Cost...................... $3,220 $142,805 $146,025
Number of Sec. 806 Entities....................... 459 3,068 3,527
TP Compliance Cost.................................. $322 $2,197 ..................
Section 806 Compliance Cost......................... $147,798 $6,740,396 $6,888,194
-----------------------------------------------------------
Total TP Compliance Cost--Scenario 2............ .................. .................. $7,034,219
----------------------------------------------------------------------------------------------------------------
SCENARIO 3
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities................... 10 65 75
TP Compliance Cost.................................. $227 $2,102 ..................
Section 801(q) Compliance Cost...................... $2,270 $136,630 $138,900
Number of section 806 Entities...................... 801 5,359 6,160
TP Compliance Cost.................................. $227 $2,102 ..................
Section 806 Compliance Cost......................... $181,827 $11,264,618 $11,446,445
-----------------------------------------------------------
Total TP Compliance Cost--Scenario 3............ .................. .................. $11,585,345
----------------------------------------------------------------------------------------------------------------
The costs that accreditation bodies and certification bodies incur
in complying with the regulation are necessarily less than the private
benefits they accrue by becoming recognized or accredited,
respectively. Through the third-party accreditation program more
effective regulatory oversight is achieved. FDA will recoup resources
in managing its third-party accreditation program through user fees
that FDA intends to impose on participating accreditation bodies and
third-party certification bodies.
I. Introduction and Background
A. FDA Food Safety Modernization Act
FSMA (Pub. L. 111-353), signed into law by President Obama on
January 4, 2011, is intended to allow FDA to better protect public
health by helping to ensure the safety and security of the food supply.
FSMA enables us to focus more on preventing food safety problems rather
than relying primarily on reacting to problems after they occur. The
law also provides new enforcement authorities to help achieve higher
rates of compliance with risk-based, prevention-oriented safety
standards and to better respond to and contain problems when they do
occur. In addition, the law contains important new tools to better
ensure the safety of imported foods and encourages partnerships with
State, local, tribal, and territorial authorities and international
collaborations with foreign regulatory counterparts. A top priority for
FDA are those FSMA-required regulations that provide the framework for
industry's implementation of preventive controls and enhance our
ability to oversee their implementation for both domestic and imported
food. To that end, we proposed the seven foundational rules listed in
table 2 and
[[Page 74573]]
requested comments on all aspects of these proposed rules.
Table 2--Published Foundational Proposed Rules for Implementation of FSMA
----------------------------------------------------------------------------------------------------------------
Title Abbreviation Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice 2013 proposed human 78 FR 3646, January 16, 2013.
and Hazard Analysis and Risk-Based preventive controls
Preventive Controls for Human Food. regulation.
Standards for the Growing, 2013 proposed produce 78 FR 3504, January 16, 2013.
Harvesting, Packing, and Holding of safety regulation.
Produce for Human Consumption.
Current Good Manufacturing Practice 2013 proposed animal 78 FR 64736, October 29, 2013.
and Hazard Analysis and Risk-Based preventive controls
Preventive Controls for Food for regulation.
Animals.
Foreign Supplier Verification 2013 proposed FSVP 78 FR 45730, July 29, 2013.
Programs (FSVP) for Importers of regulation.
Food for Humans and Animals.
Accreditation of Third-Party Auditors/ 2013 proposed third- 78 FR 45782, July 29, 2013.
Certification Bodies to Conduct Food party certification
Safety Audits and to Issue regulation (also
Certifications. referred to in this
document as the
proposed rule).
Focused Mitigation Strategies To 2013 proposed 78 FR 78014, December 24, 2013.
Protect Food Against Intentional intentional
Adulteration. adulteration
regulation.
Sanitary Transportation of Human and 2014 proposed sanitary 79 FR 7006, February 5, 2014.
Animal Food. transportation
regulation.
----------------------------------------------------------------------------------------------------------------
We also issued a supplemental notice of proposed rulemaking for the
rules listed in table 3 and requested comments on specific issues
identified in each supplemental notice of proposed rulemaking.
Table 3--Published Supplemental Notices of Proposed Rulemaking for the Foundational Rules for Implementation of
FSMA
----------------------------------------------------------------------------------------------------------------
Title Abbreviation Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice 2014 supplemental human 79 FR 58524, September 29, 2014.
and Hazard Analysis and Risk-Based preventive controls
Preventive Controls for Human Food. notice.
Standards for the Growing, 2014 supplemental 79 FR 58434, September 29, 2014.
Harvesting, Packing, and Holding of produce safety notice.
Produce for Human Consumption.
Current Good Manufacturing Practice 2014 supplemental 79 FR 58476, September 29, 2014.
and Hazard Analysis and Risk-Based animal preventive
Preventive Controls for Food for controls notice.
Animals.
FSVP for Importers of Food for Humans 2014 supplemental FSVP 79 FR 58574, September 29, 2014.
and Animals. notice.
----------------------------------------------------------------------------------------------------------------
We finalized two of the foundational rulemakings listed in table 4
in September 2015.
Table 4--Published Foundational Final Rules for Implementation of FSMA
----------------------------------------------------------------------------------------------------------------
Title Abbreviation Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice final human preventive 80 FR 55908, September 17, 2015.
and Hazard Analysis and Risk-Based controls regulation.
Preventive Controls for Human Food.
Current Good Manufacturing Practice final animal preventive 80 FR 56170, September 17, 2015.
and Hazard Analysis and Risk-Based controls regulation.
Preventive Controls for Food for
Animals.
----------------------------------------------------------------------------------------------------------------
As FDA finalizes these seven foundational rulemakings, we are
putting in place a modern, risk-based framework for food safety that is
based on the most recent science, that focuses efforts where the
hazards are reasonably likely to occur, and that is flexible and
practical given our current knowledge of food safety practices. To
achieve this, FDA has engaged in a significant amount of outreach to
the stakeholder community to find the right balance between flexibility
and accountability in these regulations.
After FSMA was enacted in 2011, we have been involved in
approximately 600 stakeholder engagements on FSMA and the proposed
rules, including public meetings, webinars, listening sessions, farm
tours, and extensive presentations and meetings with various
stakeholder groups (Refs. 1, 2, 3). As a result of this stakeholder
dialogue, FDA decided to issue the four supplemental notices of
proposed rulemaking to share our current thinking on key issues and get
additional stakeholder input on those issues. As we move forward into
the next phase of FSMA implementation, we intend to continue this
dialogue and collaboration with our stakeholders, through guidance,
education, training, and assistance, to ensure that stakeholders
understand and engage in their respective roles in food safety. FDA
believes these seven foundational final rules, when implemented, will
affect the paradigm shift toward prevention that was envisioned in FSMA
and be a major step forward for food safety that will help protect
consumers into the future.
[[Page 74574]]
B. Purpose of This Rulemaking
FSMA added section 808 to the FD&C Act which directs FDA to
establish a new voluntary program for accreditation of third-party
certification bodies to conduct food safety audits and to issue food
and facility certifications to eligible foreign entities (including
registered foreign food facilities) that meet our applicable
requirements for purposes of sections 801(q) and 806 of the FD&C Act.
This rulemaking implements section 808 of the FD&C Act; we will
recognize accreditation bodies to accredit third-party certification
bodies, except for limited circumstances in which we may directly
accredit third-party certification bodies.
FSMA specifies two uses for the food and facility certifications
issued by accredited third-party certification bodies under this
program. First, facility certifications will be used by importers to
establish eligibility for VQIP under section 806 of the FD&C Act. VQIP
offers participating importers expedited review and importation for
food from facilities audited and certified by third-party certification
bodies accredited under this subpart. FDA issued draft guidance on VQIP
on June 5, 2015 (80 FR 32136); the draft guidance may be accessed at
http://www.fda.gov/downloads/Food/GuidanceRegulation/GuidanceDocumentsRegulatoryInformation/UCM448558.pdf.
Second, section 801(q) of the FD&C Act gives FDA the authority to
make a risk-based determination to require, as a condition of
admissibility, that a food imported or offered for import into the
United States be accompanied by a certification or other assurance that
the food meets the applicable requirements of the FD&C Act. The
authority to mandate import certification for food, based on risk, is
one of the tools we can use to help prevent potentially harmful food
from reaching U.S. consumers. When FDA has determined that a food
import is subject to such certification under section 801(q) of the
FD&C Act, FDA will require, as a condition of entry, a certification
issued either by an accredited third-party certification body under
this rule or by an agency or representative of the government of the
country from which the food at issue originated, as designated by FDA.
This final rule will help FDA ensure the competence and
independence of third-party certification bodies who are accredited to
conduct foreign food safety audits to examine compliance with the
applicable food safety requirements of the FD&C Act and FDA
regulations, among other things. The document also will help ensure the
validity and reliability of certifications offered to FDA for purposes
of VQIP eligibility under section 806 of the FD&C Act and admissibility
of an imported food subject to an FDA risk determination under section
801(q) of the FD&C Act.
The third-party certification program is part of FSMA's paradigm
shift toward a modern, preventive, and risk-based approach to food
safety regulation and new programs to facilitate global trade in safe
food. Specifically, FSMA requires FDA to issue new preventive controls
and produce safety standards that apply to domestic and foreign
processors and producers. In addition, FSMA directs FDA to issue an
FSVP regulation requiring importers to implement FSVPs that provide
adequate assurances that their foreign suppliers produce food that is
in compliance with processes and procedures, including risk-based
preventive controls, that provide the same level of public health
protection as those required under section 418 (concerning hazard
analysis and preventive controls) or 419 (concerning produce safety) of
the FD&C Act, as appropriate, and that is in compliance with sections
402 (concerning adulteration) and 403(w) (concerning misbranding
regarding allergen labeling) of the FD&C Act. We emphasize that
facilities and importers are not required to use third-party
certification bodies accredited under this rule in meeting their
supplier verification requirements under the final human or animal
preventive controls or FSVP regulations. See section XIII.G.
By contrast, the third-party certification program established
under section 808 of the FD&C Act focuses on food safety audits to
certify that eligible foreign entities and the food produced by such
entities meet applicable FDA requirements for purposes of sections
801(q) and 806 of the FD&C Act. Although importers must obtain facility
certifications from accredited third-party certification bodies under
this rule in order to be eligible for VQIP, we note that importers
seeking to satisfy a requirement for certification as a condition of
admissibility for an article of food under section 801(q) of the FD&C
Act may offer a certification issued either by foreign governments
designated by FDA to issue such certifications or by third-party
certification bodies accredited under this rule.
Through FSMA we are transforming our role in the global food safety
system, by building ever stronger partnerships with our foreign
regulatory counterparts and by exploring opportunities to leverage
private food safety activities to benefit of our system of public food
safety assurances. We value the role that private audits can play in
enhancing food safety when done properly, and we share common purpose
with the food industry in ensuring the rigor and objectivity of those
audits.
The final rule on accreditation of third-party certification bodies
reflects the results of significant stakeholder engagement to help
ensure that the rule achieves its public health goal, reflects industry
best practices, and strikes the right balance between flexibility and
accountability.
C. The Proposed Rule
FDA published a proposed rule for ``Accreditation of Third-Party
Auditors/Certification Bodies to Conduct Food Safety Audits and to
Issue Certifications'' (the proposed rule) on July 29, 2013. The
proposed rule included eligibility requirements for accreditation
bodies to qualify for recognition and requirements that accreditation
bodies choosing to participate in the FDA program must meet, once
recognized. We also proposed eligibility requirements for third-party
certification bodies to qualify for accreditation and requirements that
third-party certification bodies choosing to participate in the FDA
program must meet, once accredited. We intended the proposed
requirements to ensure the competency and independence of the
accreditation bodies and third-party certification bodies participating
in the program.
We also proposed procedures for recognition and accreditation, as
well as requirements relating to monitoring and oversight of
participating accreditation bodies and third-party certification
bodies. These included procedures that we would follow when removing a
third-party certification body or an accreditation body from the
program. Further, we proposed requirements relating to auditing and
certification of foreign eligible entities under the program, and for
notifying us of conditions in an audited facility that could cause or
contribute to a serious risk to the public health. In response to
several requests, we extended the proposed rule comment period until
January 27, 2014.
D. Public Comments
We received over 150 comments from accreditation bodies,
certification bodies, members of the food industry, industry
associations, foreign governments, State governments, public health
organizations, public advocacy
[[Page 74575]]
groups, individual consumers, consumer groups, and others. Some
submissions included signatures and statements from multiple
individuals. Taken as a whole, the comments address virtually every
provision of the proposed rule. In the remainder of this document, we
describe the comments that are within the scope of this rulemaking,
respond to them, and explain any revisions we made from the proposed
rule.
A number of comments focus on the overarching issues of: (1)
Alignment with voluntary consensus standards; (2) the use of private
food safety schemes; (3) the relationship between the third-party
certification program, foreign competent authorities, and FDA's
international activities; and (4) the possible implications of the lack
of qualified auditors on the third-party certification program. We
address these comments generally below.
We received several comments on the overarching issue of the use of
voluntary international consensus standards issued by the International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC), including the following ISO/IEC
standards: ISO/IEC 17000:2004 Conformity assessment--Vocabulary and
general principles (ISO/IEC 17000:2004) (Ref. 4); ISO/IEC 17011:2004,
Conformity assessment--General requirements for accreditation bodies
accrediting conformity assessment bodies (ISO/IEC 17011:2004) (Ref. 5);
ISO/IEC 17021:2011, Conformity assessment--Requirements for bodies
providing audit and certification of management systems (ISO/IEC
17021:2011) (Ref. 6); ISO/IEC 17065:2012, Conformity assessment--
Requirements for bodies certifying products, processes and services
(ISO/IEC 17065:2012) (Ref. 7); and ISO/IEC 19011:2011, Guidelines for
auditing management systems (ISO/IEC 19011:2011) (Ref. 8).
Some comments support the approach to ISO/IEC standards that we
used when developing the proposed rule; some comments state that the
process for developing these standards makes them unbiased. Other
comments suggest we should place greater reliance on ISO/IEC standards,
including some comments asserting that we should incorporate ISO/IEC
standards by reference into the final rule. These comments encourage us
to follow the example of a proposed rule issued by the Environmental
Protection Agency and entitled, ``Formaldehyde; Third-Party
Certification Framework for the Formaldehyde Standards for Composite
Wood Products'' (78 FR 34795, June 10, 2013), which proposed to
incorporate by reference certain international standards. These
comments assert that by placing greater reliance on ISO standards, we
could allow ISO's broader oversight program to complement FDA's
management of these bodies.
Implementation of section 808 of the FD&C Act occurs against the
backdrop of the broader Federal policies on consensus standards and
conformity assessment under the National Technology Transfer and
Advancement Act of 1995 (NTTAA) (Pub. L. 104-113). The NTTAA, together
with the Office of Management and Budget (OMB) Circular A-119, revised
February 10, 1998 (63 FR 8546, February 19, 1998), directs Federal
Agencies to use voluntary consensus standards in lieu of government-
unique standards except where inconsistent with law or otherwise
impractical. OMB Circular A-119 states that the use of voluntary
standards, whenever practicable and appropriate, is intended to
eliminate the cost to government of developing its own standards and
decrease the cost of goods procured and the burden of complying with
Agency regulation; provide incentives and opportunities to establish
standards that serve national needs; encourage long-term growth for
U.S. enterprises and promote efficiency and economic competition
through harmonization of standards; and further the policy of reliance
upon the private sector to supply government needs for goods and
services.
As directed by OMB in Circular A-119, the National Institute of
Standards and Technology (NIST), in the Federal Register of August 10,
2000 (65 FR 48894), issued policy guidance on Federal conformity
assessment activities (defined as activities concerned with determining
directly or indirectly that requirements for products, services,
systems, and organizations are fulfilled) (15 CFR 287.2). The Federal
conformity assessment guidance is codified at 15 CFR part 287 and
applies to all Federal Agencies that set policy for, manage, operate,
or use conformity assessment activities or results, domestically and
internationally (except for activities conducted pursuant to treaties)
and is intended to eliminate unnecessary duplication and complexity in
conformity assessment requirements. (We note that OMB has announced it
is currently revising Circular A-119, and NIST is revising the Federal
conformity assessment guidance.)
We agree with comments on the value of promoting international
consistency and tapping into an existing framework of consensus
standards that is familiar to industry, which may make it easier for
accreditation bodies, third-party certification bodies, and eligible
entities to comply with this rule. Therefore, we are revising the rule
to allow for accreditation bodies and third-party certification bodies
to use documentation of their conformance with ISO/IEC standards in
meeting the program requirements under this rule, supplemented as
necessary. We are not, however, incorporating these standards by
reference into the rule as further discussed in our responses to
comments in sections III. to XIII., except that we are not further
responding to comments citing specific requirements of ISO/IEC Guide
65:1996, Conformity assessment--Requirements for bodies providing audit
and certification of management systems (ISO/IEC Guide 65:1996) (Ref.
9) in sections III. to XIII., because that standard has been withdrawn
and replaced by ISO/IEC 17065:2012 (Ref. 7) in September 2015. Comments
referring to ISO/IEC 17020:2012, Conformity assessment--Requirements
for the operation of various types of bodies performing inspection
(ISO/IEC 17020:2012) (Ref. 10) are outside the scope of this
rulemaking, because that standard relates to inspections and not the
auditing and certification activities that will be performed under this
rule. Therefore, we are not responding to comments citing to ISO/IEC
17020:2012, Conformity assessment--Requirements for the operation of
various types of bodies performing inspection (ISO/IEC 17020:2012)
(Ref. 10) in sections III. to XIII.
We also received several comments on the overarching issue of using
private food safety schemes as audit criteria for regulatory audits
conducted under the third-party certification program. Some comments
suggest that FDA should rely on private food safety schemes,
particularly those that have been benchmarked by the Global Food Safety
Initiative (GFSI), as the audit criteria for regulatory audits of
eligible entities under the third-party certification program. Other
comments suggest that FDA should establish requirements for
accreditation bodies and third-party certification bodies that are
similar to those required by GFSI, such as GFSI requirements relating
to accreditation under relevant ISO/IEC product certification or
management system standards.
By way of background, a group of international retailers
established GFSI in 2000 with the goal of reducing the need for
duplicative third-party audits by benchmarking private food safety
schemes against a harmonized set of
[[Page 74576]]
criteria for food safety and management systems (see 78 FR 45782 at
45788; July 29, 2013). Under current GFSI criteria, a food safety
scheme must have a commitment with one or more accreditation bodies for
certification bodies that operate in conformance with either the
product certification standard, ISO/IEC Guide 65, or the management
system standard, ISO/IEC 17021:2006 (supplemented by ISO/TS 22003).
GFSI describes these standards as having similar requirements for how a
certification body must operate--e.g., in addressing issues of
preventing conflict of interest, managing customer information,
properly qualifying personnel, auditor calibration, and many other
aspects involved with the certification process. However, as GFSI noted
in a 2011 White Paper (Ref. 11), there is a distinct difference between
the two. ISO 17021/ISO 22003 is not product specific. ISO/IEC Guide 65,
on the other hand, is concerned with verifying that particular products
or services meet specified requirements. The type and scope of GFSI
benchmarked scheme selected, determines the accreditation standard
which applies. The majority of GFSI recognized schemes fall under ISO/
IEC Guide 65 accreditation requirements, whereas only two currently
recognized schemes are management system schemes accredited to ISO
17021/ISO 22003.
Comments suggesting that we should rely on GFSI-benchmarked food
safety schemes or other private food safety schemes as the criteria for
certification under the third-party program are outside the scope of
this rulemaking. This rule establishes the framework for the third-
party certification program, and not the food safety standards that
accredited third-party certification bodies will use to determine an
eligible entity's compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations. We are however
responding to relevant comments that address audit quality and auditor
competency, consistency, and capacity, including comments referencing
GFSI's work in these areas.
Other overarching comments ask how the FSMA third-party
certification program relates to the roles of foreign competent
authorities and to FDA's international activities. Some comments assert
that competent authorities should be allowed to participate in the
third-party certification program purely by administrative procedures
without a formal review process. Other comments suggest that government
agencies with both regulatory and trade promotion missions face
inherent conflicts of interest.
Some comments recommend that we should establish a different
structure for accrediting third-party certification bodies that already
have been approved by a foreign government accreditation body. Other
comments suggest that FDA should reserve the role of accreditation body
or third-party certification body for a national competent authority
that requests it. The comments argue that the responsibility for
monitoring the safety of food exports should remain with the national
competent authorities in each country.
Some comments ask whether a national competent authority has a role
in auditing and certification activities occurring in the country,
including in countries where an FDA foreign office is located. Other
comments ask whether the competent authority may perform other
activities in the third-party certification program, such as
authentication of audit information before it is submitted to FDA.
Still other comments suggest that FDA require accredited third-party
certification bodies to review correspondence between an audited
eligible entity and the competent authorities in the country where the
eligible entity is located.
Section 808 of the FD&C Act expressly provides for both public and
private accredited third-party certification bodies. Public
accreditation bodies and third-party certification bodies, as well as
private accreditation bodies and third-party certification bodies that
meet the eligibility requirements for recognition and accreditation
under section 808 of the FD&C Act and this rule are equally eligible to
participate in the third-party certification program. This includes
government accreditation bodies and certification bodies in countries
where FDA has a foreign office, as well as government agencies with the
dual missions of food safety and trade promotion. We believe that both
public and private third-party certification bodies and accreditation
bodies are capable of exhibiting the competency, capacity, and
impartiality necessary to meet the letter and spirit of the law and
this regulation.
By becoming an accredited third-party certification body or a
recognized accreditation body, a competent authority for food safety or
a foreign accreditation body would establish a role in the third-party
certification program. Only if competent authorities are accredited
under this rule, may they issue food and facility certifications under
section 808 of the FD&C Act. (We note, however, that FDA may require
certifications from competent authorities under section 801(q) of the
FD&C Act for foods that FDA determines meet the criteria set forth in
that section (see 801(q)(3)(A) of the FD&C Act), regardless of whether
the competent authorities are accredited.) We acknowledge that the
third-party certification program that is the subject of this rule is
narrowly tailored and only a small piece of the much larger modernized,
prevention-oriented food safety system we are establishing under FSMA.
Broader FSMA activities are outside the scope of this rulemaking, as
are matters covered by FDA's information sharing arrangements with
foreign competent authorities.
We received other comments on the overarching issue of how the
third-party certification program fits into FDA's international
activities. Some comments assert that, for countries with a systems
recognition agreement with FDA, there should be no need for a (direct
or indirect) role for FDA in monitoring accredited third-party
certification bodies. Other comments encourage us to recognize their
national food safety system as equivalent to that of the United States.
The systems recognition initiative is a food safety regulatory
cooperation program that allows FDA to take into account the role of
food safety systems of exporting countries in our risk-based
decisionmaking. We are using systems recognition as a tool to determine
when we can rely on the implementation of science-based food safety
programs by foreign regulatory authorities and take action based on
information provided by such authorities.
We note that a competent authority with whom FDA has a systems
recognition agreement must apply for recognition to make accreditation
decisions and apply for accreditation to issue certifications under
section 808 of the FD&C Act. If the competent authority applies for
recognition or direct accreditation by FDA (assuming that the statutory
criteria have been met for FDA to begin direct accreditation), FDA's
review will be informed by the data, experiences, and insights into the
foreign system that FDA gained through the systems recognition review.
Except as described above, systems recognition activities are outside
the scope of this rulemaking, as are equivalency determinations.
We also received several overarching comments noting that the lack
of qualified food safety auditors is a problem in many countries. Some
comments suggest that we may face similar problems with the
availability of accredited third-party certification
[[Page 74577]]
bodies in our program. The comments assert that we should prioritize
the review of applications from foreign countries with significant
volumes of exports to the United States because of the cost and
inconvenience to foreign suppliers and the likely trade disruption that
would result if the only accredited third-party certification bodies
were located in other countries. Some comments predict that rapid
expansion in the field of food safety auditing may result in shortcuts
in auditing. Other comments contend that because of the limited
availability of qualified auditors we should adjust the timeframes for
accredited third-party certification bodies to submit information to
FDA under the regulations. The comments specifically request that we
lengthen the 45-day timeframe for submitting regulatory audit reports.
We acknowledge the concerns about cost, inconvenience, and
disruption resulting from auditor capacity issues. We are encouraging
broad program participation to minimize the likelihood that capacity
issues might emerge, because certifications issued by accredited third-
party certification bodies under this program are intended to
facilitate trade. The certifications are used in meeting the
eligibility requirements of VQIP for expedited entry of food under
section 806 of the FD&C Act and in satisfying a condition of
admissibility for a food subject an FDA determination under section
801(q) of the FD&C Act.
Revisions have been made to this rule made in response to comments,
such as allowing accreditation bodies and third-party certification
bodies to use documentation of their conformance with ISO/IEC standards
in support of their applications. We also are modifying our ``first in,
first out'' approach to processing applications, as comments request,
to allow for prioritizing specific applications and requests based on
program needs. We are unable to accommodate the request to lengthen the
timeframe for submission of regulatory audit reports to FDA, because
the 45-day deadline for submission is established in section
808(c)(3)(A) of the FD&C Act. Audit protocols and other requirements of
the rule are designed to prevent audit agents (auditors) and third-
party certification bodies from taking shortcuts that would jeopardize
audit results.
Some comments addressed the Model Accreditation Standards that FDA
is required to develop under section 808(b)(2) of the FD&C Act for use
in qualifying third-party certification bodies for accreditation. Some
of these comments suggest various criteria to be included in the model
standards. Other comments suggest the proposed rule was ambiguous with
respect to the form of, and manner by which, FDA will establish the
Model Accreditation Standards.
While the substance of the Model Accreditation Standards is outside
the scope of this rulemaking, we note that on July 24, 2015, FDA
published a draft guidance on Model Accreditation Standards. The draft
guidance can be accessed at: http://www.fda.gov/Food/GuidanceRegulation/GuidancevDocumentsRegulatoryInformation/ucm455328.htm. Additionally, a notice was published in the Federal
Register (80 FR 44137, July 24, 2015) of the availability of the draft
guidance and of the opening of a docket for public comments on the
document. As explained in the draft guidance, section 808(b)(2) of the
FD&C Act requires FDA to develop Model Accreditation Standards that
recognized accreditation bodies shall use to qualify third-party
certification bodies for accreditation, and in so doing, to look to
existing standards for certification bodies (as of the date of
enactment of FSMA) to avoid unnecessary duplication of efforts and
costs. The draft guidance contains FDA recommendations on third-party
certification body qualifications, including recommendations based on
relevant provisions in the proposed rule. This final rule will serve as
a framework for the Model Accreditation Standards final guidance, which
will include more detailed recommendations on third-party certification
body qualifications.
Some comments respond to our request for input on the question
about the value of, and possible need for, FDA to establish a program
for use of accredited third-party certification bodies to conduct
domestic food safety audits (78 FR 45782 at 45823). We received
comments on all sides, expressing various views. We are taking these
comments under advisement at this time, as the focus of this final rule
is on establishing and implementing the third-party certification
program set forth in section 808 of the FD&C Act.
Other comments addressed the substance of VQIP, import
certification, laboratory accreditation, and provisions in the proposed
FSVP rule and/or other FMSA rules that are outside the scope of this
rulemaking; accordingly we will not be responding to those comments
here. Other comments that fall outside the scope of this rulemaking,
and to which we will therefore not be responding, include comments on
the value of a universal, mandatory food safety system; comments
advocating for policies promoting locally grown produce; comments
addressing the information technology infrastructure needs of the
third-party certification program; comments suggesting the value of
student interns to the food safety system; and comments on factors
beyond the use of third-party audits that FDA should consider in
setting inspection priorities.
We also received a few comments concerning the rulemaking process.
Comments suggest that we devise a new process for regularly updating
the rule; they state that FDA has cumbersome requirements for modifying
rules. FDA's current rulemaking process is consistent with FDA's
obligations under the Administrative Procedure Act (5 U.S.C. 551-559).
II. Legal Authority
Section 307 of FSMA, Accreditation of Third-Party Auditors, amends
the FD&C Act to create a new provision, section 808, under the same
name. Section 808(b)(1)(A) of the FD&C Act requires us to establish a
system, within 2 years of the enactment of FSMA, for the recognition of
accreditation bodies that accredit third-party certification bodies to
conduct food safety audits and to issue certifications for eligible
foreign food entities and their products for purposes of sections
801(q) and 806 of the FD&C Act.
Section 808(c)(5)(C) of the FD&C Act directs us to issue
implementing regulations for section 808 of the FD&C Act. The
regulations must require audits to be unannounced and must contain
protections against conflicts of interest between accredited third-
party certification bodies (and their audit agents) and the entities
they audit or certify, including requirements on timing and public
disclosure of fees and appropriate limits on financial affiliations (21
U.S.C. 384d(c)(5)(C)(i), (ii), and (iii)).
This final rule establishes regulations implementing section 808 of
the FD&C Act. The authority for the requirements in this rule comes
primarily from section 808 of the FD&C Act. However, FDA also derives
authority for this final rule from other sections of the FD&C Act,
including section 701(a) of the FD&C Act (21 U.S.C. 371(a)), which
authorizes us to issue regulations for the efficient enforcement of the
FD&C Act. The regulations in this final rule ensure the competency and
independence of recognized accreditation bodies and of accredited
third-party certification bodies, which will help ensure the validity
and reliability of certifications and other information resulting from
the food safety audits conducted by
[[Page 74578]]
accredited third-party certification bodies. These features of the
final rule are essential to the operation of the third-party program.
This rule also is consistent with section 404 of FSMA (21 U.S.C. 2252),
which states that nothing in FSMA should be construed in a manner that
is inconsistent with the agreement establishing the World Trade
Organization or any other treaty or international agreement to which
the United States is a party.
This rule establishes requirements for accreditation bodies and
third-party certification bodies seeking recognition and accreditation,
respectively. These requirements will help ensure that any
accreditation bodies that we recognize, and any certification bodies
that are accredited, are capable of meeting all of the requirements of
this program. This includes requirements, for example, for legal
authority and competency and capacity. It also includes provisions for
the direct accreditation of third-party certification bodies by FDA in
accordance with section 808(b)(1)(A)(ii) of the FD&C Act. This rule
also establishes requirements for accreditation bodies that have been
recognized, and third-party certification bodies that have been
accredited. This includes requirements designed to decrease the
potential for conflicts of interest in accordance with section
808(c)(5)(C)(ii) of the FD&C Act. Additionally, this rule establishes
requirements for eligible entities that want to be certified under this
program. This includes requirements for onsite audits by FDA for the
purpose of monitoring in accordance with section 808(f)(3) of the FD&C
Act. Finally, this rule establishes general requirements related to the
operation of this program. These include requirements for requesting a
regulatory hearing on revocation of recognition or withdrawal of
accreditation.
Some of the requirements under this final rule are also
established, in part, under the authority in sections 806 and 801(q) of
the FD&C Act. Section 806 of the FD&C Act describes a voluntary program
to provide for the expedited review and importation of food offered for
importation from certified facilities (VQIP). Section 801(q) of the
FD&C Act gives FDA authority to require certifications for imported
food in certain situations. This final rule does not set up the
framework for participation in the program described under section 806
of the FD&C Act, nor does it describe the circumstances under which FDA
might require certification under section 801(q) of the FD&C Act.
However, this rule does describe circumstances under which FDA might
refuse to consider a certification issued under this program in
determining the admissibility of an article of food for which the
certification was offered under section 801(q) of the FD&C Act, or in
determining eligibility for participation in VQIP under section 806 of
the FD&C Act. Additionally, this rule creates limited exemptions from
the certification requirements of section 801(q) of the FD&C Act for
certain alcoholic beverages, including certain raw materials and
ingredients that are used to manufacture/process alcoholic beverages.
The exemptions are being promulgated consistent with section 116 of
FSMA (21 U.S.C. 2206). Section 116(a) of FSMA states that, except as
provided by certain listed sections in FSMA, nothing in FSMA, or the
amendments made by FSMA, will be construed to apply to a facility that:
(1) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et
seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986
(26 U.S.C. 5001 et seq.) is required to obtain a permit or to register
with the Secretary of the Treasury as a condition of doing business in
the United States and (2) under section 415 of the FD&C Act (21 U.S.C.
350d) is required to register as a facility because such facility is
engaged in manufacturing, processing, packing, or holding one or more
alcoholic beverages (with respect to the activities of such facility
that relate to the manufacturing, processing, packing, or holding of
alcoholic beverages). This rule also creates exemptions from the
certification requirements of section 801(q) of the FD&C Act for
products subject to the requirements of the U.S. Department of
Agriculture (USDA) under the Federal Meat Inspection Act (FMIA) (21
U.S.C. 601 et seq.), the Poultry Products Inspection Act (PPIA) (21
U.S.C. 451 et seq.), or the Egg Products Inspection Act (EPIA) (21
U.S.C. 1031 et seq.) at the time of importation. We conclude that this
provision is consistent with section 403 of FSMA, entitled ``Rule of
Construction,'' which states that nothing in FSMA shall be construed to
alter or limit the jurisdiction of the Secretary of the Department of
Agriculture.
III. Comments on What Definitions Apply to This Subpart (Sec. 1.600)
We proposed to codify definitions of several terms used in the
third-party certification regulations. We received several comments on
this section. As discussed in the following paragraphs, we have revised
many of the proposed definitions in response to comments as well as on
our own initiative. Where we disagree with comments or decline a
suggested revision, we offer an explanation in response. Some
definitions were finalized as proposed.
The definitions for terms used in the third-party certification
regulations are codified in 21 CFR 1.600.
A. Definitions, Generally
(Comment 1) Several comments encourage us to more closely align the
definitions in Sec. 1.600 with international standards to promote
consistency and common understanding of the rule. The comments explain
that the terms and definitions used in section 808 of the FD&C Act and
in the proposed rule convey a different meaning for accreditation
bodies, certification bodies, and the standards community. To that end,
some comments encourage us to avoid using the term ``third-party
auditor'' synonymously with ``certification body,'' to be consistent
with international standards, which use the term ``certification body''
(e.g., ISO/IEC 17065:2012 (Ref.7).
Similarly, some comments indicate that, the language of the statute
notwithstanding, it is not correct to use the term ``third-party
auditor'' when describing the activities of a ``third-party
certification body.'' The comments explain that auditors are
individuals contracted or employed by certification bodies to conduct
audits, and they urge us to clarify the rule by substituting
``certification body'' for ``third-party auditor.''
(Response 1) We agree that alignment with the terminology used in
international standards is preferable, wherever possible. Congress
recognized the value of international standards in accreditation and
certification, having instructed us in section 808(b)(2) of the FD&C
Act to look to existing standards in developing our model accreditation
standards to avoid unnecessary duplication of efforts and costs. We
believe it is particularly useful to rely on definitions and
terminology from international consensus standards when possible where,
as here, the rule is establishing a voluntary program with an
international focus. In addition, we agree that, notwithstanding the
use of the term ``third-party auditor'' in the statute, the use of the
term ``third-party certification body'' instead of the term ``third-
party auditor'' provides some clarity for purposes of referring to
bodies that employ or contract individuals to perform audits.
Therefore, in response to the comments suggesting the term ``third-
party auditor'' is confusing and inconsistent with international
standards, we are using the term ``third-party certification body'' in
the
[[Page 74579]]
remainder of the preamble and in the codified of this final rule,
except in the definitions of ``Accredited third-party certification
body'' and ``Third-party certification body'' in Sec. 1.600(c) and in
the preamble discussion of those definitions.
On our own initiative, we are including the descriptor ``third-
party'' before ``certification body'' throughout this final rule. We
did not use that descriptor in the proposed rule when referring to a
third-party auditor/certification body once accredited. We are doing so
now in order that the term accurately reflects that, under this
subpart, only third-party certification bodies are eligible for
accreditation. We are making corresponding changes to the term
``accredited auditor/certification body;'' and in this final rule we
will instead use the term, ``accredited third-party certification
body.''
Accordingly, we have revised the proposed definitions of
``accreditation,'' ``accreditation body,'' ``accredited auditor/
certification body,'' ``audit,'' ``audit agent,'' ``certification
body,'' ``direct accreditation,'' ``eligible entity,'' ``facility
certification,'' ``food certification,'' ``recognized accreditation
body,'' ``relinquishment,'' and ``self-assessment,'' to replace the
term ``third-party auditor'' with the term ``third-party certification
body,'' or ``third-party certification bodies,'' and to remove
``auditor/'' from in the term ``third-party auditor/certification
body'' or ``third-party auditors/certification bodies'' that was used
in the proposed rule.
On our own initiative, we added a sentence to the definition of
``accredited third-party certification body'' in Sec. 1.600 of this
final rule to explain that the term has the same meaning as
``accredited third-party auditor'' as defined in section 808(a)(4) of
the FD&C Act. Similarly, we added language to the definition of
``third-party certification body'' in Sec. 1.600 of this final rule
explaining that the term has the same meaning as ``third-party
auditor'' as defined in section 808(a)(3) of the FD&C Act.
(Comment 2) Some comments encourage us to make the definitions in
this rule consistent with the definitions in other FSMA proposed rules,
such as the 2013 proposed FSVP regulation, the 2013 proposed human
preventive controls regulation, the 2013 proposed animal preventive
controls regulation, and the 2012 proposed produce safety regulation,
where feasible.
(Response 2) We agree with the comments on the overarching goal of
alignment across regulations and accepted suggested revisions, where
feasible and appropriate. However, it is not always possible to develop
uniform definitions due to the distinct statutory requirements and the
framework of each program. In such cases where it was not feasible or
appropriate, we declined the suggested revisions from comments. We
discuss such comments and our responses under each relevant term.
B. Assessment
We did not define ``assessment'' in the proposed rule.
(Comment 3) Some comments recommend adding a definition of
``assessment'' based on ISO/IEC 17011:2004 (Ref. 5), clause 3.7, which
describes the process for evaluating certification bodies. The comments
explain that defining such evaluations as ``audits,'' as we had
proposed, is inconsistent with international standards. The comments
suggest consulting with other ISO/IEC standards for relevant
terminology.
(Response 3) We agree that the term ``assessment'' should be used,
in part, to refer to the activity undertaken to assess the competency
and capacity of a third-party certification body under the rule. We
reviewed ISO/IEC 17011:2004 (Ref. 5) (clause 3.7 and NOTE) and ISO/IEC
17000:2004 (Ref. 4), ISO/IEC 17040:2005 Conformity assessment--General
requirements for peer assessment of conformity assessment bodies and
accreditation bodies (ISO/IEC 17040:2005) (Ref. 12), and an
International Accreditation Forum (IAF) document entitled, ``IAF
Endorsed Normative Documents'' (Ref. 13).
After considering the comments and reviewing the referenced
documents, we developed a definition of ``assessment'' that describes,
with respect to accreditation bodies, the activity undertaken by FDA to
evaluate the competency and capacity of the accreditation body under
the applicable requirements of this rule. With respect to certification
bodies, ``assessment'' describes the activity undertaken by a
recognized accreditation body (or, in the case of direct accreditation,
FDA) to evaluate the competency and capacity of a certification body
under the applicable requirements of this rule. We also made
corresponding changes to the definition of ``audit'' from proposed
Sec. 1.600(c) by removing clauses (1) and (2).
C. Audit
We proposed a definition of ``audit'' describing the examination of
accreditation bodies, third-party certification bodies, and eligible
entities. We proposed to define an audit of an accreditation body as an
examination by FDA of the accreditation body's authority,
qualifications, resources, policies, procedures, and performance, as
well as of its capability to meet the requirements of the proposed
rule. We proposed to define an audit of a third-party certification
body as an examination by a recognized accreditation body (or, by FDA,
for direct accreditation) of the third-party certification body's
authority, qualifications, resources, policies, procedures, and
performance, as well as of its capability to meet the requirements of
the proposed rule. We proposed to define an audit of an eligible entity
as an examination by an accredited third-party certification body of
the eligible entity to assess the entity, its facility, system(s), and
food using audit criteria for consultative or regulatory audits, and,
for consultative audits, also including an assessment of compliance
with applicable industry standards and practices.
We received some comments on the proposed definition of ``audit,''
and the related definitions of ``consultative audit'' and ``regulatory
audit.'' Comments specific to the definition of ``consultative audit''
are discussed in section III.E., and comments on the definition of
``regulatory audit'' are discussed in section III.L. As described in
Response 3, we also removed clauses (1) and (2) from the proposed
definition of ``audit'' because those evaluations are ``assessments''
as the term is defined in Sec. 1.600(c).
On our own initiative, we are revising the definition of ``audit''
to clarify that an audit conducted under this subpart is not an
inspection under section 704 of the FD&C Act (21 U.S.C. 374).
(Comment 4) Several comments encourage us to align our definition
of audit with relevant international standards, and some comments
request that we use the definition of ``audit'' from the Codex
``Principles for Food Import and Export Inspection and Certification''
(CAC/GL 20-1995) (Ref. 14), which defines ``audit'' as a ``systematic
and functionally independent examination to determine whether
activities and related results comply with planned objectives.''
(Response 4) We agree with the general principle of creating
consistency with international standards and have revised the
definition of ``audit'' in Sec. 1.600(c) accordingly. Rather than
describing the determination of whether activities comply with
``planned objectives'' that appears in the Codex definition of
``audit'' (Ref. 14), we inserted a brief description of the objectives
of consultative and regulatory audits from the definitions in section
808(a)(5) and (7) of the FD&C Act (i.e.,
[[Page 74580]]
the examination of an eligible entity under this rule).
(Comment 5) Some comments encourage us to remove the proposed
definition of ``audit'' in Sec. 1.600(c) and substitute the FSVP
definition of ``audit'' instead, to promote consistency and a common
understanding of terminology.
(Response 5) We disagree. We believe that it is more important for
the definition in this rule to reflect international standards that are
generally well known to the parties subject to this rule than it is for
the definition to mirror the definition in FSVP, which has different
applicability. FSVP applies to importers; this rule applies to
accreditation bodies, third-party certification bodies, and eligible
entities. Therefore, we are rejecting the suggestion to use the FSVP
definition of ``audit'' as the definition of ``audit'' in Sec.
1.600(c).
(Comment 6) We received some comments on the definition of
``audit'' regarding its relationship to the related definitions of
``consultative audit'' and ``regulatory audit'' in Sec. 1.600(c). Some
comments recommend that we revise the definition of ``audit'' to mean
only regulatory audits, and not consultative audits, asserting that is
how the word ``audit'' is used in the statute. These comments contend
that the statute must be interpreted in light of the fact that section
808 of the FD&C Act is directed to food and facility certifications,
which are only accomplished through regulatory audits. Other comments
ask us to clarify that the services of an accredited third-party
certification body that fall short of the definition of an ``audit''
(e.g., informal consulting, continuous improvement programs, and
limited purpose audits) under this rule, are not subject to the
requirements of the rule.
(Response 6) We decline the suggestion to interpret section 808 of
the FD&C Act in a manner that would equate ``audit'' with ``regulatory
audit.'' Section 808 of the FD&C Act defines two types of audits used
under the program, consultative audits and regulatory audits, and
contains requirements relating to each. (See, e.g., section 808(a)(5),
(7), and (c)(3)(A) of the FD&C Act). In addition, section 808(c)(4)(B)
of the FD&C Act expressly allows an accredited third-party
certification body or an audit agent of such auditor to perform
consultative and regulatory audits of eligible entities.
To the extent that other comments suggest creating a list of
exceptions from the definition of ``audit'' in the codified for this
rule, we decline to do so. To the extent that these comments were
seeking clarification of the definition of ``consultative audit'' in
Sec. 1.600(c), and what types of activities might fall outside of that
definition as well as outside of this program, please see the
discussion in Response 9 in section III.E.
(Comment 7) Some comments express confusion about the criteria that
accredited third-party certification bodies will be using in conducting
audits under subpart M and ask us to more clearly describe the
``applicable requirements'' against which compliance will be evaluated.
Some comments are concerned that eligible entities might be audited
against requirements that do not apply to their operations. For
example, some comments note that firms subject to the final animal
preventive controls regulation should not be assessed for compliance
with the allergen cross contamination requirements of the final human
preventive controls regulation. Other comments ask us to clarify
whether the ``applicable requirements'' are limited to requirements
that appear in the FD&C Act or FDA regulations, or both.
(Response 7) During regulatory and consultative audits, accredited
third-party certification bodies will examine compliance with
applicable food safety requirements of the FD&C Act and FDA regulations
within the scope of the audit. In consultative audits, the third-party
certification bodies also may be conducting an examination to determine
conformance with applicable industry standards and practices.
The applicable requirements that accredited third-party
certification bodies and their audit agents will use relate to the food
safety standards under the FD&C Act, such as the adulterated food
provisions in section 402 of the FD&C Act and the provisions on the
misbranding of food allergens in section 403(w) of the FD&C Act. The
applicable requirements of the FD&C Act and FDA regulations would
depend on the type of eligible entity being audited. To use the example
given by one of the comments, an eligible entity that is subject to the
requirements of the final animal preventive controls regulation, but
not the final human preventive controls regulation, would not be
subject to an audit examining its practices relating to cross-
contamination by food allergens under the final human preventive
controls regulation because those are not ``applicable food safety
requirements'' for such an entity.
To help clarify this rule for eligible entities, third-party
certification bodies, and accreditation bodies who may be interested in
participating in the program and who may not yet be familiar with U.S.
laws and regulations, we are using the phrase ``applicable food safety
requirements of the FD&C Act and FDA regulations'' in place of the
phrase ``applicable requirements'' in the definition of ``audit'' in
Sec. 1.600(c) and elsewhere throughout the rule where we are
discussing the requirements that will be used in auditing eligible
entities.\2\
---------------------------------------------------------------------------
\2\ Although we have elected to cite to both the FD&C Act and
FDA regulations in this definition, we otherwise will follow the
conventional practice of using the words ``applicable requirements''
to refer the applicable requirements of the FD&C Act and FDA
regulations.
---------------------------------------------------------------------------
D. Audit Agent
We proposed to define an ``audit agent'' as an individual who is an
employee or other agent of an accredited third-party certification body
who, although not individually accredited, is qualified to conduct food
safety audits on behalf of an accredited third-party certification
body. Under the proposed rule we also defined an audit agent to include
a contractor of the accredited third-party certification body.
(Comment 8) Some comments express concern about our proposal to
allow a contractor of an accredited third-party certification body to
serve as an audit agent, asserting that ``[w]ith each step that is
further removed in this process, institutional control is lost
exponentially.'' The comments point out that a subcontractor conducted
the audit and gave a passing audit score to a cantaloupe farm and
packing facility that used ``improper and unsafe processing equipment''
and subsequently was linked to a deadly outbreak caused by Listeria
monocytogenes. Other comments mentioning the incident cite to an
article in Bloomberg News explaining that auditors often outsource to
independent contractors over whom they do not have direct management
control (Ref. 15). Still other comments offer the cantaloupe outbreak
as an example of why auditors must be competent and accountable for
their activities.
(Response 8) We understand that third-party certification bodies
currently work with individual auditors under many different types of
arrangements. We acknowledge concerns raised by comments about recent
outbreaks at some domestic facilities that had received satisfactory
scores in food safety audits. Further, we agree with the comments on
the importance of an accredited third-party certification body
exercising adequate control over an audit agent conducting audits on
its
[[Page 74581]]
behalf. We believe that principle is equally true whether the audit
agent is an employee or a contract auditor.
International standards, such as ISO/IEC 17021:2011 (Ref. 6),
specifically allow accredited third-party certification bodies to use
contractors to perform audits if certain conditions are met. Among
other conditions, contract auditors must meet the same level of
qualifications (e.g., knowledge, skills, and experience) and the same
requirements for impartiality and objectivity as do the auditors the
third-party certification body employs. The third-party certification
body must exercise adequate control and oversight over a contractor
such that the third-party certification body accepts the result of the
contractor's audit as its own.
When we proposed to define ``audit agent'' to include a contractor,
we were contemplating arrangements such as those described in ISO/IEC
17021:2011 (Ref. 6) that involve a direct relationship between the
accredited third-party certification body and its auditors. We are
revising the definition of ``audit agent'' to clarify that we are
excluding subcontractors and other types of outsourcing arrangements;
we have concluded that such arrangements fail to provide the degree of
control and oversight necessary for an accredited third-party
certification body to ensure that its audit agents are competent and
objective. An accredited third-party certification body exercises
direct supervision over the activities of its employees, and has a
direct relationship with a contractor; but the relationship between the
third-party certification body and a subcontractor or other type of
outsourced staff is attenuated--the third-party certification body may
not even choose such persons and may not have any direct authority over
them. We do not believe such diminished oversight is appropriate, given
the important role of audit agents in this program.
By revising the definition of ``audit agent'' we are not preventing
an accredited third-party certification body from subcontracting for
services in areas other than the conduct of audits. For example, an
accredited third-party certification body may use subcontractors or
other outsourcing arrangements to deliver annual training to its audit
agents under Sec. 1.650 or may use subcontractors or other outsourcing
arrangements to investigate and decide on appeals of adverse regulatory
audit results under Sec. 1.651. However, we are limiting the role of
``audit agent'' to employees and contractors of the accredited third-
party certification body.
E. Consultative Audit
We proposed to define a ``consultative audit'' as an audit of an
eligible entity: (1) To determine whether such entity is in compliance
with applicable requirements of the FD&C Act and industry standards and
practices and (2) the results of which are for internal purposes only
and cannot be used to determine eligibility for a food or facility
certification issued under this subpart or in meeting the requirements
for an onsite audit of a foreign supplier under subpart L of this part.
(Comment 9) We received several comments on the definition of
``consultative audit.'' Many comments express concern that the
definition of ``consultative audit'' is overly broad and that some of
the requirements that would apply to consultative audits under the
proposed rule might create a disincentive to using accredited third-
party certification bodies. Some comments urge FDA to remove all
requirements associated with consultative audits from the rule. Other
comments identify two requirements of particular concern: (1) Proposed
Sec. 1.656, requiring an accredited third-party certification body
conducting a consultative audit or regulatory audit under the rule to
notify FDA immediately upon discovering a condition that could cause or
contribute to a serious risk to public health (the notification
requirement) and (2) proposed Sec. 1.652, requiring an accredited
third-party certification body to provide FDA access to a consultative
audit report when the criteria for records access under section 414 of
the FD&C Act (21 U.S.C. 350c) are met (the records access requirement).
The comments explain that many firms use certification bodies (and/or
their consulting divisions) to help establish, maintain, and improve
their food safety practices. For example, some firms use certification
bodies (and/or their consulting divisions) to help in identifying root
causes and remediating food safety problems. Comments also note that
certification bodies (and/or their consulting divisions) provide
informal counseling, perform preliminary evaluations, limited purpose
audits, and activities in support of firms' continuous improvement
programs.
Comments express concern that if these types of activities are
subject to notification, records access, and other requirements of the
rule, firms located outside the United States might not use accredited
third-party certification bodies, instead choosing unaccredited third-
party certification bodies to avoid the requirements of this rule. The
comments assert that unaccredited third-party certification bodies are
less likely to have qualified auditors and their independence and
objectivity is less certain, than third-party certification bodies that
have been evaluated and issued accreditation.
Comments also argue that the definition of ``consultative audit,''
which states that the results of such an audit are ``for internal
purposes only,'' is inconsistent with the requirements for notification
and records access that would apply to consultative audits under the
proposed rule. Other comments ask us to clarify that audits conducted
for external purposes--for example, an audit for purposes of compliance
with FSVP--do not satisfy the definition of a consultative audit
because consultative audits are for internal purposes only.
Some comments suggest that the proposed definition of
``consultative audit,'' taken together with the proposed definitions of
``food safety audit'' and ``regulatory audit,'' could preclude third-
party certification bodies from conducting any audits that are outside
the scope of subpart M, once accredited. Based on that interpretation,
the comments predict that few if any third-party certification bodies
would want to participate in the program.
Many of the comments that express concern about disincentives also
suggest that Congress intended the third-party program to be much
narrower than our proposed definition of ``consultative audit'' would
suggest. These comments suggest that the FSMA third-party certification
program was intended to be focused on regulatory audits and the
issuance of certifications to be used for two limited purposes: i.e.,
in establishing an importer's eligibility for VQIP and in satisfying a
condition of admissibility for a food subject to an FDA safety
determination under section 801(q) of the FD&C Act. These comments
argue further that Congress inserted the term ``consultative audit'' in
the statute to be used only in reference to the conflicts of interest
provisions in section 808(c)(4)(C) and (c)(5) of the FD&C Act;
therefore, a broad interpretation of ``consultative audit'' is
inconsistent with Congressional intent. The comments urge us to
construe the term ``consultative audit'' as narrowly as possible.
(Response 9) We recognize that food firms use accredited third-
party certification bodies (and their consulting divisions) in various
[[Page 74582]]
capacities that serve the ultimate goal of improving food safety. We do
not want, nor do we believe Congress intended, for our third-party
certification program to create disincentives for food firms seeking to
use accredited third-party certification bodies for various purposes to
improve food safety practices in their operations. Nevertheless, we
decline the request to remove all requirements relating to consultative
audits from this final rule. Section 808(c)(5)(C) of the FD&C Act
directs us to issue implementing regulations for section 808 of the
FD&C Act, which includes some specific provisions relating to
consultative audits (e.g., section 808(c)(3)(A) and (C) on consultative
audit reports and section 808 (c)(4)(C) of the FD&C Act on audit agents
performing regulatory audits of eligible entities of which they
performed consultative or regulatory audits within the preceding 13
months). We have, however, revised the definition of ``consultative
audit'' as explained below and have made other revisions to the rule to
clarify the scope of such audits and help mitigate possible
disincentives to conduct consultative audits, while fulfilling the
letter and spirit of the law.
With regard to the comments expressing concerns about an overly
broad interpretation of ``consultative audit,'' we remind readers that
the statute endows both regulatory and consultative audits with certain
characteristics. For example, section 808(a)(6) of the FD&C Act
indicates that an eligible entity must choose to be audited by an
accredited third-party certification body, and section 808(c)(5)(C)(i)
of the FD&C Act states that audits under this program must be
unannounced. We understand these provisions to mean that, at the time
the audit services are arranged, an eligible entity must specifically
request from an accredited third-party certification body a food safety
audit under this rule--that is the only way the accredited third-party
certification body would know that the eligible entity is requesting an
unannounced subpart M audit to determine compliance with the applicable
food safety requirements of the FD&C Act and FDA regulations. Further,
the eligible entity would need to specify whether it is seeking a
regulatory or consultative audit. (In addition to determining whether
the eligible entity is in compliance with the food safety requirements
of the FD&C Act, consultative audits under section 808 of the FD&C Act
also determine whether the eligible entity is in compliance with
applicable industry standards and practices). Audits that fall outside
the purview of this rule--for example, audits that are conducted by
third-party certification bodies that are not accredited under this
program, audits that determine compliance with standards other than the
food safety requirements of the FD&C Act and FDA regulations (e.g.,
audits that determine compliance with private standards), audits that
are announced, and audits conducted solely for the purposes of supplier
verification under the final human or animal preventive controls
regulations or the final FSVP regulations--are not covered by, or
subject to, the requirements of this rule.
It is impossible to describe or predict all of the audit scenarios
that may occur. We emphasize that an accredited third-party
certification body can continue to offer auditing and certification
services that are outside the scope of this rule, such as on-site
supplier verification audits under the final human or animal food
preventive controls regulations or the final FSVP regulation. Such
audits would not be subject to the requirements of this rule, including
the reporting and notification requirements.
In response to comments, we revised the proposed definition of
``consultative audit'' to clarify that it is an audit conducted in
preparation for a regulatory audit under the third-party certification
program. A consultative audit would thus be a pre-examination or pre-
assessment type of activity imbued with certain characteristics. We
further clarify the characteristics of a consultative audit, as well as
of a regulatory audit (the results of which can form the basis for
issuance of certification under the rule), in the definition of ``food
safety audit'' discussed in section III.J.
F. Eligible Entity
We proposed to define an ``eligible entity'' as a foreign entity
that chooses to be subject to a food safety audit by an accredited
third-party certification body. We further proposed that eligible
entities include foreign facilities subject to the registration
requirements in FDA regulations.
(Comment 10) We received several comments on the definition of
``eligible entity.'' Some comments request that we provide examples of
specific types of entities that satisfy the definition. Some comments
offer examples of ``eligible entities,'' including orchards or farms,
packing houses, processing plants, and storage facilities. Other
comments suggest we add ``and foreign farms'' to the end of the
definition, to clarify that such entities are eligible to receive
audits under subpart M. Some comments encourage us to adjust the
definition of ``eligible entity'' to make it mandatory for foreign food
facilities to undergo food safety audits by accredited third-party
certification bodies.
(Response 10) The proposed definition of ``eligible entity'' was
based on the statutory definition, which includes facilities subject to
the registration requirements in section 415 of the FD&C Act that
choose to be audited under the program. At our own initiative we are
revising the definition of ``eligible entity'' in the codified to more
accurately track the statute, and we decline the suggestion to add
specific examples, such as orchards or farms, that are not included in
the statutory definition of ``eligible entity.'' However, as explained
in Response 12 we are revising the definition of ``facility'' in Sec.
1.600(c) to clarify that entities that grow, harvest, or raise animals
for food for consumption in the United States are facilities that are
eligible for auditing and certification under this subpart.
We disagree with the comment suggesting that we should make audits
under this program mandatory for all foreign food firms by modifying
the definition of ``eligible entity.'' The statute clearly indicates
that participation in this program is intended to be voluntary, and
only entities that choose to be audited under the program are subject
to its requirements (see section 808(a)(6) of the FD&C Act).
(Comment 11) In the proposed rule, we specifically asked for
comment on whether to allow for food or facility certification to be
issued to a producer group, offering as an example the criteria for
groups under the National Organic Program (NOP)--i.e., having multiple
sites operating under a single management system and whose farms are
``uniform in most ways.'' Several comments responded to this inquiry in
relation to the definition of ``eligible entity.''
Comments in support of certification of a group (e.g., a
cooperative being audited as a single eligible entity) note that some
producers are very small and might find it difficult on their own to
obtain third-party certification, but taken as a group the task would
likely be more manageable. Other comments note that treating multiples
sites with a single management system as a single eligible entity could
be particularly helpful in sectors or regions where there is a scarcity
of accredited third-party certification bodies. Some comments argue in
support of groups functioning as a single eligible entity as long as
the central management system functions effectively, providing
oversight to the
[[Page 74583]]
members. Comments also note that some multisite sampling protocols have
been developed by international organizations, such as ISO.
Other comments encourage us to ensure that cooperatives are subject
to this rule, so that all the links in a foreign supply chain are
appropriately inspected, and so that they are subject to any applicable
regulations before their product is exported to the United States.
Comments not in support of cooperatives being classified as
eligible entities note that food safety practices and conditions are
site-specific and can vary significantly even if the individual farms
are located in the same geographic area (for example, due to soil
composition, agricultural water runoff, or the manner in which the land
was used in the past). They also note that organic production standards
and scientifically-based food safety standards are not the same, so
what works for the NOP may not be appropriate here
Some comments encourage us to provide guidance on the acceptable
parameters of a cooperative. Some comments encourage us to consider
guidance available from other sources beyond the NOP, such as the
International Federation of Organic Agriculture Movements.
(Response 11) We decline to revise the definition of eligible
entities to include a group. We acknowledge that some very small
producers might be daunted by the prospect of working individually with
an accredited third-party certification body, and there would be
obvious economies in banding together with other very small producers
to gain certification. We also acknowledge that some sets of producers
do currently function as a unit under a centralized management system,
and that group certification may make it easier for entities to access
accredited third-party certification bodies in areas or regions where
they may be scarce. Nevertheless, after reviewing the NOP, the
International Federation of Organic Agricultural Movements, the Canada
Organic Office Operation Manual, the USDA Agricultural Marketing
Service pilot program on group certification, and other recommended
sources, we conclude that it would not be appropriate to allow groups
to be certified under this program. Group certification raises a myriad
of complicated issues such as establishing who may act as a group,
determining the requisites of a central management system, and
delineating the minimum requirements for accredited third-party
certification body audits of a group.
With regard to the comments contending that certifications from
individual eligible entities that might otherwise act as a group would
create redundant and unnecessary paperwork for FDA, we will take that
sort of information into account as we gain experience with the
program. Finally, with regard to the comments encouraging us to define
``eligible entity'' to include groups to ensure that all their members
are examined for compliance with applicable food safety regulations
before their food is exported to the United States, we note that this
rule does not create audit obligations for all foreign suppliers or for
all importers. The third-party certification program created by this
rule is a voluntary program for eligible entities who wish to
participate.
G. Facility
We proposed to define ``facility'' as any structure, or structures
of an eligible entity under one ownership at one general physical
location, or, in the case of a mobile facility, traveling to multiple
locations, which manufactures/processes, packs, or holds food for
consumption in the United States. The definition went on to state that:
(1) Transport vehicles are not facilities if they hold food only in the
usual course of business as carriers; (2) a facility may consist of one
or more contiguous structures, and a single building may house more
than one distinct facility if the facilities are under separate
ownership; (3) the private residence of an individual is not a
facility; and (4) non-bottled water drinking water collection and
distribution establishments and their structures are not facilities.
On our own initiative, we are clarifying that facilities for the
purposes of this subpart are not limited to facilities required to be
registered under Subpart H.
(Comment 12) Some comments encourage us to align the proposed
definition of ``facility'' to the definition of ``facility'' in the
human and animal preventive controls, produce safety, and FSVP
regulations, to promote consistency and common understanding of the
rules.
(Response 12) As previously noted, we agree with the comments on
the importance of consistency across regulations, where feasible and
appropriate. We reviewed the definitions of ``facility'' in the final
FSVP and final human preventive controls regulations, and found those
definitions to be too narrow in light of the purpose of this rule to
establish a voluntary program for certification of foods and facilities
and the broad definition of ``eligible entity'' in section 808(a)(6) of
the FD&C Act. Of our own initiative, in order to preserve the option
for broad participation in the third-party program, we are expressly
including in the definition of ``facility'' those entities that grow,
harvest, or raise animals for food for consumption in the United
States.
H. Facility Certification and Food Certification
We proposed to define ``facility certification'' as an attestation,
issued for purposes of section 806 of the FD&C Act by an accredited
third-party certification body, after conducting a regulatory audit and
any other activities necessary to establish that a facility meets the
applicable requirements of the FD&C Act. We proposed to define ``food
certification'' as an attestation, issued for purposes of section
801(q) of the FD&C Act by an accredited third-party certification body,
after conducting a regulatory audit and any other activities necessary
to establish that a food meets the applicable requirements of the FD&C
Act.
(Comment 13) We received some comments on the definitions of
``facility certification'' and ``food certification.'' Some of these
comments raise group certification issues which we address above, in
connection with the definition of ``foreign cooperative.'' Some
comments state that ``food certification'' is improper terminology,
because it implies a product certification model, whereas audits of
eligible entities--particularly in the produce sector--generally assess
processes and/or management systems.
(Response 13) The term ``food certification'' appears in the
statute and is specifically discussed in the statute as a type of
certification that may be used in meeting a condition of admissibility
under section 801(q) of the FD&C Act. Under section 808(c)(2)(C) of the
FD&C Act, food certifications may only issue upon conduct of a
regulatory audit. In light of the statutory language, we decline to
revise the term ``food certification'' in response to the comments on
this rule.
We also note that section 801(q)(1) of the FD&C Act allows for FDA
to accept ``a listing of certified facilities that manufacture,
process, pack, or hold food, or other assurances deemed appropriate by
FDA'' to satisfy the condition of admissibility. Of our own initiative,
in light of this statutory language, we are clarifying in the
definition of ``facility certification'' that
[[Page 74584]]
a facility certification may be issued for purposes of 801(q) of the
FD&C Act.
I. Food
In proposed Sec. 1.600(b), we stated unless otherwise defined in
Sec. 1.600(c) of the proposed rule, definitions of terms in section
201 of the FD&C Act would apply to terms used in this subpart. Section
201 of the FD&C Act defines ``food'' as ``(1) articles used for food or
drink for man or other animals, (2) chewing gum, and (3) articles used
for components of any such article.'' Proposed Sec. 1.600(c) did not
define the term ``food.''
(Comment 14) Some comments request that we define ``food''
consistent with how it was defined in the FSVP proposed rule for
consistency and to indicate that producers of food contact substances
are eligible entities.
(Response 14) The proposed definition of ``food'' under Sec. 1.600
would include pesticides when they meet the definition of ``food''
under section 201 of the FD&C Act. By contrast, the FSVP rule's
proposed definition of food explicitly does not include pesticides, as
defined in 7 U.S.C. 136(u), consistent with the definition of ``food''
used in the rulemaking on the Prior Notice of Imported Food Under the
Public Health Security and Bioterrorism Preparedness Act of 2002 (prior
notice rule). FDA received comments during that rulemaking questioning
the applicability of the rule to pesticides, so FDA clarified that
``food'' for the purposes of that rule did not include pesticides.
The final FSVP regulation, which is publishing elsewhere in this
issue of the Federal Register, retains the exclusion of pesticides from
the definition of ``food.''
In response to comments suggesting revision of the definition of
``food'' in this rule to be consistent with the final FSVP regulation,
we considered the purposes that certifications serve under this program
and the nature of comments we received on the third-party proposed
rule, including general comments requesting alignment across the FSMA
rules and comments specifically requesting that we use the FSVP
definition of ``food.'' Certifications issued by accredited third-party
certification bodies may be used in establishing an importer's
eligibility to participate in VQIP and in satisfying a condition of
admissibility for an imported food that we determine poses a safety
risk under section 801(q) of the FD&C Act.
While certifications may be useful in addressing pesticide
contamination of food (e.g., pesticide levels in food that exceed
established tolerances), we have not identified a need for
certifications to address pesticides as articles of food, nor do we
anticipate a role for food safety audits in pesticide manufacturing
facilities. Accordingly, we are revising the final rule by adding to
Sec. 1.600(c) a definition of ``food'' that excludes pesticides.
We also agree with the comment that producers of food contact
substances could be eligible entities under this rule and that food
contact substances should be considered food for the purposes of this
rule. Third-party food safety audits and certifications for food
contact substances could potentially be useful given the possibility of
migration of harmful food contact substances into food or contamination
of food contact materials that directly contact food. Accordingly, we
are revising the proposed definition of ``food'' to exclude pesticides
and retain ``food contact substances'' in the definition of ``food'' in
this final rule, consistent with the definition of ``food'' in the
final FSVP regulation.
J. Food Safety Audit
We proposed to define ``food safety audit'' as a regulatory audit
or a consultative audit.
(Comment 15) We received a few comments on the definition of ``food
safety audit.'' Some comments request that we remove consultative
audits from the definition of ``food safety audit,'' asserting that
consultative audits should not be subject to the reporting and
notification requirements associated with ``food safety audits.'' Other
comments say we should replace the term ``food safety audit'' with
``regulatory audit,'' as a matter of statutory construction and sound
policy. Finally, some comments suggest that we delete the definition of
``food safety audit'' altogether.
(Response 15) We are retaining the definition of ``food safety
audit'' as a useful definition to describe regulatory and consultative
audits that fall under the requirements of this rule. As described in
Response 9, we have revised the definition of ``consultative audit'' to
clarify that it is an audit conducted in preparation for a regulatory
audit under the third-party certification program. Although an audit
meeting that definition would be subject to certain reporting and
notification requirements, there are many types of audits/arrangements
that would not fall within the definition of ``consultative audit'' or
``regulatory audit,'' and would therefore not be subject to the
requirements of this rule, including the reporting and notification
requirements. Therefore, including consultative audits in the
definition of ``food safety audit'' will not prevent eligible entities
from using accredited third-party certification bodies for auditing
arrangements that fall outside of the scope of this rule and do not
trigger the requirements of this rule. To further address comments'
concerns, we are modifying the definition of ``food safety audit'' to
provide clarification regarding what types of audits/activities would
fall outside of the scope of this rule. Specifically, we clarify that a
food safety audit must be declared by an eligible entity at the time of
audit planning and must be conducted on an unannounced basis consistent
with sections 808(b)(6) and 808(c)(5)(C) of the FD&C Act.
K. Foreign Cooperative
We proposed to define ``foreign cooperative'' as an entity that
aggregates food from growers or processors that is intended for export
to the United States.
On our own initiative, we are replacing the phrase ``entity that
aggregates'' with ``autonomous association of persons, identified as
members, who are united through a jointly owned enterprise to
aggregate'' for clarification purposes.
(Comment 16) Some comments suggest that we add a definition for
``consolidator.'' The comments contrast consolidators with cooperatives
and argue that consolidators act essentially as brokers that purchase
products from several sources and then export the total set to the
United States. According to these comments, consolidators do not own or
manage the individual sites and generally do not have control over or
even knowledge of the processing procedures.
(Response 16) We agree with the comment that an entity without a
single management system that exercises control over the manner in
which individual sites meet the applicable food safety requirements of
the FD&C Act and FDA regulations would not be an eligible entity.
However, we disagree that adding a definition of ``consolidator'' would
be helpful because whether an entity is a ``consolidator'' has no
bearing on the requirements of this rule.
(Comment 17) Some comments point out that while the proposed rule
indicates a foreign cooperative could be an accreditation body or a
third-party certification body, in their countries the government is
the accreditation body. Also, in some places the government authorizes
certain parties to conduct audit activities and those parties are under
the control and supervision of the
[[Page 74585]]
government. Accordingly, the comments suggest that we indicate in which
countries and in which cases a foreign cooperative could be an
accreditation body or a third-party certification body. Other comments
recommend more detail on how cooperatives are defined, and how they
would conform to FDA requirements for third-party certification bodies.
(Response 17) We currently are not in a position to be able to
determine which countries or which foreign cooperatives may be
adequately qualified to become accredited under the third-party
certification program. We note that section 808 of the FD&C Act
expressly allows foreign cooperatives to serve as accredited third-
party certification bodies if they are adequately qualified and
independent of the eligible entities they audit or certify under the
third-party certification program. Therefore, we are not categorically
excluding foreign cooperatives from the third-party certification
program, nor are we making any categorical decisions on whether
governmental accreditation bodies have conflicts that would preclude
them from accrediting such foreign cooperatives under the program.
L. Regulatory Audit
We proposed to define a ``regulatory audit'' as an audit of an
eligible entity to determine whether such entity is in compliance with
the provisions of the FD&C Act and the results of which are used in
determining eligibility for food certification under section 801(q) of
the FD&C Act or facility certification under section 806 of the FD&C
Act, and may be used by an importer in meeting the requirements for an
onsite audit of a foreign supplier under the FSVP program.
(Comment 18) Some comments request that we clarify the definition
of ``regulatory audit.''
(Response 18) The comments requesting clarification failed to
mention specific characteristics in the definition needing
clarification and did not offer suggestions for clarification.
Therefore, we decline to modify the definition based on these comments.
However, on our own initiative we have revised the definition of
``regulatory audit'' by removing the clause ``, and may be used by an
importer in meeting the requirements for an onsite audit of a foreign
supplier under subpart L of this part'' that does not appear in the
statute. We did this in part to avoid confusion. We emphasize that an
audit conducted for the purposes of FSVP would not need to be conducted
by a third-party certification body under this subpart. See section
XIII.G. Nor are facilities required to use third-party certification
bodies accredited under this rule in meeting their supplier
verification requirements under the final human or animal preventive
controls regulations. On our own initiative, we are revising the
definition of ``regulatory audit'' to clarify that the results of a
regulatory audit may be used to determine eligibility for any
certifications that may be used for purposes of section 801(q) or
section 806 of the FD&C Act.
M. Self-Assessment
We proposed to define ``self-assessment'' as a systematic
assessment conducted by an accreditation body or by a third-party
certification body to determine whether it meets the applicable
requirements of this subpart.
We received no adverse comments about our proposed definition.
However, on our own initiative, we are revising the definition of
``self-assessment'' to improve clarity and to specify what is required
of a recognized accreditation body and an accredited third-party
certification body when performing these evaluations.
N. Third-Party Auditor
We proposed to define a ``third-party auditor'' as a foreign
government, agency of a foreign government, foreign cooperative, or any
other third-party that is eligible to be considered for accreditation
to conduct food safety audits and to certify that eligible entities
meet the applicable requirements of the FD&C Act. We further proposed
that a third-party auditor may be a single individual or an
organization and may use audit agents to conduct food safety audits.
Finally, we proposed that ``third-party auditor'' has the same meaning
as ``certification body'' as that term was defined in the proposed
rule.
(Comment 19) As described in Comment 1, we received several
comments urging us to align our definitions and terminology with
international standards. Some comments state that the term ``third-
party auditor,'' the language of the statute notwithstanding, is not
correct terminology to use interchangeably with ``third-party
certification body.''
(Response 19) As discussed previously, we agree that it is
beneficial to use terminology in this rule that is consistent with
terminology used in international standards when feasible and
appropriate. Therefore, we are deleting the definition of ``third-party
auditor'' in the final rule and will use the term ``third-party
certification body'' in this rule except that we will use the term
``third-party auditor'' in the definitions of ``Accredited third-party
certification body'' and ``Third-party certification body'' in Sec.
1.600(c) and in the preamble discussion of those definitions in section
III.A. We are clarifying in the definition of ``third-party
certification body'' in Sec. 1.600(c) that the term has the same
meaning as ``third-party auditor'' as defined in section 808(a)(3) of
the FD&C Act.
IV. Comments on Who Is Subject to This Subpart (Sec. 1.601)
We proposed in Sec. 1.601 that this rule would apply to those
accreditation bodies, third-party certification bodies, and eligible
entities that seek to participate in this voluntary third-party
certification program. We proposed two limited exemptions from section
801(q) of the FD&C Act: One related to alcoholic beverages from an
eligible entity that is a facility that meets certain conditions, and
another related to certain food constituting not more than 5 percent of
the overall sales of a facility meeting the conditions of the first
exemption.
A. Limiting the Scope of the Rule to Regulatory Audits and
Certifications
Under proposed Sec. 1.601(b), we proposed that subpart M would
apply to third-party certification bodies seeking accreditation to
conduct food safety audits and issue certifications for purposes of
sections 801(q) and 806 of the FD&C Act.
(Comment 20) Some comments suggest we modify the language in Sec.
1.601(b) regarding third-party certification bodies seeking
accreditation to clarify that requirements of the rule apply only to
imported foods that are subject to a condition of admissibility under
section 801(q) of the FD&C Act and imported foods offered by an
importer seeking to establish eligibility to participate in VQIP. In
this view, the requirements of the rule (e.g., the notification
requirements) should not apply to audits other than regulatory audits
that are conducted for certification purposes.
(Response 20) We decline to make the suggested revisions to Sec.
1.601(b) because Sec. 1.601(b)(2) already describes the two types of
certifications that may be issued by accredited third-party
certification bodies under the final rule and the types of audits that
they would conduct under this program (i.e., food safety audits, which
include both consultative and regulatory audits). Audits conducted by
third-party certification bodies that are outside of the scope of this
program, and eligible entities receiving audits outside of the scope of
this program, would not be
[[Page 74586]]
subject to the requirements of this final rule. With respect to the
suggestion that the final rule should apply only to regulatory audits,
and therefore not to consultative audits, we note, as previously
discussed, that section 808 of the FD&C Act specifically defines
``consultative audit'' and contains requirements for the conduct of
both regulatory and consultative audits (see, e.g., section 808(a)(5)
and (c)(4)(B) of the FD&C Act). Therefore, this final rule establishes
requirements for consultative audits that are consistent with the
provisions on consultative audits in the statute.
B. Exemption for Alcoholic Beverages
Under proposed Sec. 1.601(d), we proposed to exempt from the
certification requirements under section 801(q) of the FD&C Act
alcoholic beverages that are imported from an eligible entity that is a
facility that meets the following two conditions:
Under the Federal Alcohol Administration Act or chapter 51
of subtitle E of the Internal Revenue Code of 1986, the facility is a
foreign facility of a type that, if it were a domestic facility, would
require obtaining a permit from, registering with, or obtaining
approval of a notice or application from the Secretary of the Treasury
as a condition of doing business in the United States; and
Under section 415 of the Federal Food, Drug, and Cosmetic
Act, the facility is required to register as a facility because it is
engaged in manufacturing/processing one or more alcoholic beverages.
We also proposed that the certification requirements under section
801(q) of the FD&C Act would not apply to food other than alcoholic
beverages that is imported from a facility described in Sec.
1.601(d)(1) provided that such food:
(i) Is in prepackaged form that prevents any direct human contact
with such food; and
(ii) Constitutes not more than 5 percent of the overall sales of
the facility, as determined by the Secretary of the Treasury.
We tentatively concluded that these provisions were consistent with
the provisions on alcohol-related facilities in section 116 of FSMA.
(Comment 21) Some comments support the proposed exemption of
imported beverage alcohol products, but encourage us to clarify and
amplify the exemption to cover the raw materials and ingredients (e.g.,
grapes, grains, hops, flavors) used to produce alcoholic beverages. The
comments assert that the requested exemption would provide for
consistency between domestic and foreign facilities and would be
consistent with Congressional intent regarding section 116 of FSMA. The
comments assert that the expanded exemption would be consistent with
the regulations on preventive controls for human food. The comments
urge us to consult their comments on the FSVP proposed rule.
(Response 21) As requested, we consulted comments submitted on
proposed Sec. 1.501(e) in the FSVP proposed rule, requesting an
exemption from the FSVP requirements for the importation of the raw
materials and ingredients (e.g., grapes, grains, hops, flavors) used to
produce alcoholic beverages, and asserting that such an exemption would
be consistent with Congressional intent regarding section 116 of FSMA.
We considered the comments' request in light of the risk-based
public health principles generally underlying FSMA and have concluded
that Congress did not intend for FSMA's core requirements to apply to
the manufacture/processing, packing, and holding of alcoholic
beverages. Congress may have made such a conclusion in light of the
potential antimicrobial function of the alcohol content in such
beverages and the concurrent regulation of alcoholic beverage-related
facilities by both FDA and the Alcohol and Tobacco Tax and Trade
Bureau. In light of this context, we have concluded that section 116 of
FSMA should be interpreted to mean that the manufacturing, processing,
packing, or holding of alcoholic beverages at most alcohol-related
facilities should not be subject to this rule.
We believe the same rationale supports the comments' request.
Accordingly, and consistent with the final FSVP regulation, we are
expanding the exemption from certification under section 801(q) of the
FD&C Act in Sec. 1.601(d) to cover raw materials or other ingredients
that are used to manufacture/process, pack or hold alcoholic beverages
by an importer required to be registered under section 415 of the FD&C
Act, when such facilities are exempt from the preventive controls
regulations under 21 CFR 117.5(i).
Also in this final rule, we are replacing the term ``food other
than alcoholic beverages,'' to describe the applicability of the
exemption, with the term ``food that is not an alcoholic beverage.''
C. USDA Regulated Products
(Comment 22) Some comments suggest we explicitly exempt products
under USDA jurisdiction from the requirements of this rule.
(Response 22) We agree that an exemption to 801(q) is appropriate
with respect to meat, poultry, and egg products regulated by USDA at
the time of importation. The final rule adds a new Sec. 1.601(d)(2)
which states that any certification under 801(q) does not apply to
meat, poultry, and egg products that at the time of importation are
subject to the requirements of the USDA under FMIA (21 U.S.C. 601 et
seq.), PPIA (21 U.S.C. 451 et seq.), or EPIA (21 U.S.C. 1031 et seq.).
We conclude that this provision is consistent with section 403 of FSMA,
entitled ``Rule of Construction,'' which states that nothing in FSMA
shall be construed to alter or limit the jurisdiction of the Secretary
of the Department of Agriculture. For many decades, USDA has exercised
authority and responsibility over the import of such meat, poultry, and
egg products, and has detailed regulations and procedures implementing
this authority. In light of USDA's role with respect to the importation
of these products, and also in light of section 403 of FSMA, we believe
that Congress did not intend for an FDA determination under section
801(q) of the FD&C Act to apply to meat, poultry, and egg products that
at the time of importation are subject to USDA requirements under the
MPIA, PPIA, and EPIA, respectively. We therefore conclude that final
Sec. 1.601(d)(2) is consistent with Congress's intent in promulgating
section 403 of FSMA.
With respect to the third-party program, we note that the program
establishes a voluntary system of certification by accredited third-
party certification bodies that food and facilities meet applicable
requirements of the FD&C Act and FDA regulations. Certifications issued
under this program will not be used to facilitate entry of meat,
poultry, and egg products that are regulated by USDA at the time of
importation, as defined above.
V. Comments on Recognition of Accreditation Bodies Under This Subpart
A. Who is eligible to seek recognition? (Sec. 1.610)
Proposed Sec. 1.610 states that an accreditation body would be
eligible for recognition if it could demonstrate that it meets the
requirements related to legal authority, competency, capacity,
conflicts of interest, quality assurance, and records in Sec. Sec.
1.611 through 1.615. In our discussion of this section in the preamble
of the proposed rule we stated our tentative conclusions that key
[[Page 74587]]
elements of ISO/IEC 17011:2004 (Ref. 5) would form a basis for our
requirements, and that documented conformance to that standard would be
relevant in demonstrating that an accreditation body is qualified for
recognition.
(Comment 23) Some comments recommend that we require accreditation
bodies to be signatories to IAF multilateral recognition agreements
(IAF-MLAs) (which requires signatories, among other things, to conform
to ISO/IEC 17011:2004) as a condition of recognition, and some contend
it should be the sole criterion. Comments in favor of including
signatory status as a requirement note that the process of becoming a
signatory involves a thorough peer-review process, which helps ensure
quality outcomes (e.g., signatories have to demonstrate conformance to
ISO/IEC 17011:2004 as part of the peer review process). Comments note
other aspects of IAF-MLA signatory status that would be beneficial to
the program, such as periodic reevaluation by peer signatories to
ensure continued compliance. These comments argue that when a foreign
government is the accreditation body, it may be difficult for FDA to
regulate a peer agency, so reliance on IAF-MLA signatory status would
be helpful, in part because it would give an independent organization
(IAF) a role in managing the accreditation body.
Some comments discourage us from requiring IAF-MLA signatory status
as a condition of recognition. Some comments suggest that we consider
signatory status as a factor in favor of recognition, noting many of
the same advantages touted by proponents of requiring signatory status,
but suggest that we not make IAF-MLA signatory status a condition of
program participation.
Other comments explain that it would be premature to make IAF
signatory status the sole requirement. The comments note that at the
time of these comments the IAF-MLA does not yet include subscopes for
specific food safety standards or schemes. Still other comments
recommend that FDA study the issues surrounding signatory status
further before making it a requirement, pointing out that some
countries may not have signatory IAF-MLA members representing them.
Some comments cite to third-party food safety audit programs
administered by other governments, noting those programs do not require
IAF-MLA status as a condition for program participation. These comments
argue that it is more important to require conformance to ISO/IEC
17011:2004.
(Response 23) The comments uniformly agree on the value of an
accreditation body's conformance to ISO/IEC 17011:2004 in establishing
its qualifications for recognition. As discussed in section I.D., we
agree that an accreditation body may use its documented conformance to
ISO/IEC 17011:2004 to support its eligibility for recognition under
this rule, supplemented as necessary (for example, to demonstrate
capability to meet FDA requirements for reporting and notification
under Sec. 1.623, if recognized). We also agree that additional
documentation relating to IAF-MLA signatory status may be useful in
supporting an accreditation body's application for recognition under
this program. However, we disagree with comments suggesting that we
require IAF-MLA signatory status as the sole criterion or one of
several criteria for recognition to accredit third-party certification
bodies to conduct food safety audits and to certify that eligible
entities meet the applicable food safety requirements of the FD&C Act
and FDA regulations at this time. We currently lack (and the comments
did not provide) adequate information to conclude that IAF-MLA
signatory status should be the sole factual basis or one of several
criteria for determining whether an accreditation body can fulfill the
roles and responsibilities of a recognized accreditation body under
this subpart. Further, we also want to allow accreditation bodies that
are not signatories to participate in the program if they meet the
statutory and regulatory criteria.
(Comment 24) As explained in section I.D., several comments support
FDA's reliance on ISO/IEC 17011:2004 (Ref. 5) in developing the
proposed rule. Other comments suggest FDA should place greater reliance
on ISO/IEC 17011:2004 (Ref. 5), including some comments recommending
that we incorporate the standard by reference into the rule.
(Response 24) We agree with comments on the value of promoting
international consistency and tapping into an existing framework that
is familiar to accreditation bodies, third-party certification bodies,
and the food industry. Accordingly, in Sec. 1.610 we are adding new
language to state that an accreditation body may use documentation of
conformance with ISO/IEC 17011:2004 (Ref. 5), supplemented as
necessary, to demonstrate that it is eligible for recognition. This new
language may make it easier for accreditation bodies that already
conform to ISO/IEC 17011:2004 (Ref. 5) to apply for the program. We are
also making conforming changes to Sec. Sec. 1.622(d) and 1.623(b),
1.640(a), and 1.655(e).
We decline to incorporate ISO/IEC 17011:2004 (Ref. 5) by reference
as the sole criterion or one of several criteria for recognition,
because the standard contains some provisions that are inconsistent
with section 808 of the FD&C Act or impractical for use in our program.
For example, ISO/IEC 17011:2004 (Ref. 5), clause 4.3.7, allows an
accreditation body to have ``related bodies'' that provide conformity
assessment services (e.g., auditing and certification) in areas the
accreditation body accredits. (A ``related body'' is linked to the
accreditation body by common ownership or contractual arrangement,
under clause 4.3.7 NOTE 1.) The only safeguards that a related body is
expressly required to meet are as follows: (1) It must have different
top management than the accreditation body's top management; (2)
different personnel from those involved in the accreditation
decisionmaking processes; (3) no possibility to influence the outcome
of an assessment for accreditation; and (4) distinctly different names,
logos, and symbols. While clause 4.3.7 of ISO/IEC 17011 (Ref. 5) speaks
to issues of common management and control of the accreditation body
and its related body, the standard does not expressly prohibit the
accreditation body from accrediting its related body with which it
shares common ownership or financial interests. For example, an
accreditation body that provides financial support (directly or
indirectly) to a related body could be viewed as lacking the
impartiality necessary to make an objective decision about whether the
related body it supports is appropriately qualified. The impartiality
provisions in ISO/IEC 17011:2004 (Ref. 5) are impractical for our
purposes because they fail to address the range of possible conflicts
associated with shared financial interests and ownership between a
recognized accreditation body and a ``related'' third-party
certification body under this rule. To help ensure the credibility of
our program, Sec. 1.624 requires a recognized accreditation body to
implement a program to ensure that the accreditation body and its
officers, employees, and other agents involved in accreditation
activities do not own or have a financial interest in a third-party
certification body seeking its accreditation. Accordingly, it would be
inappropriate for us to rely on the conflict of interest safeguards
contained in ISO/IEC
[[Page 74588]]
17011:2004 (Ref. 5), in the third-party certification program we are
establishing.
For the foregoing reasons, we decline the suggestion to incorporate
ISO/IEC 17011:2004 (Ref. 5) by reference into this rule.
(Comment 25) Several comments express concern about our proposal to
allow both public and private accreditation bodies to seek recognition.
Some comments discourage us from allowing private entities to be
accreditation bodies because of the concern that allowing for private
accreditation bodies may cause conflicts of interest. Similarly, some
comments contend that accreditation bodies must uphold public
confidence and perform their duties objectively, which is the purview
of governmental entities.
Other comments take a contrary view, suggesting that some
government agencies have missions that may undermine the objectivity
and independence required of a recognized accreditation body. Some
comments encourage us to consider which government agency/ministry in a
given country may be eligible for recognition, and to solicit input
from stakeholders as to which agencies/ministries are best positioned
to perform this function.
Still other comments assert that private and government entities
are sufficiently different such that we should establish different
conflict of interest provisions and requirements for each.
(Response 25) Comments on both sides of this issue express concern
that any accreditation body we recognize must be independent and
objective in the performance of its duties. We share that concern.
However, none of the comments offered substantiation that would lead us
to bar public or private accreditation bodies, as a class, from seeking
recognition because of conflicts of interest inherent in the class.
Section 808 of the FD&C Act defines an ``accreditation body'' as an
authority that accredits third-party certification bodies and makes no
distinction between public and private accreditation bodies. We have
concluded that both public and private accreditation bodies are
potentially capable of exhibiting the impartiality necessary for
recognition under this rule. Therefore in light of the broad definition
of ``accreditation body'' and to maximize the opportunities for
qualified accreditation bodies to participate in the program, FDA does
not consider it to be appropriate to limit the program to only certain
types of accreditation bodies.
With respect to the comments that suggest we apply different
conflict of interest requirements to different types of accreditation
bodies, none of these comments offered an adequate explanation to
justify different requirements for public and private accreditation
bodies. Again, we note that section 808 of the FD&C Act does not make
distinctions for different types of accreditation bodies.
(Comment 26) Some comments request that we provide additional
explanation regarding how an accreditation body that does not have
experience accrediting third-party certification bodies for food safety
scopes would become eligible for recognition under this program.
(Response 26) An accreditation body of the type described in the
comments' hypothetical might face practical difficulties in providing
adequate substantiation demonstrating that it meets the requirements
described in Sec. 1.610. However, we will consider each application on
its own merits and do not foreclose the possibility for such an
accreditation body to make the showing necessary to be granted
recognition under this rule.
B. What legal authority must an accreditation body have to qualify for
recognition? (Sec. 1.611)
We proposed to require an accreditation body seeking recognition to
demonstrate that it has adequate legal authority (as a governmental
entity or through contractual rights) to assess a third-party
certification body for accreditation, including authority to review
records and conduct performance assessments (e.g., authority to witness
the performance of a statistically significant number of employees and
other agents conducting assessments). We proposed to require that the
accreditation body have adequate authority to remove or modify an
accreditation status, once granted. We also proposed to require the
accreditation body to demonstrate that it would be capable of
exercising the legal authority necessary to meet the program
requirements, if we granted recognition.
On our own initiative, in Sec. 1.611(a)(2) we replaced,
``personnel and other agents,'' with, ``audit agents, or the third-
party certification body in the case of a third-party certification
body that is an individual'' for clarity and consistency with section
808(a)(4) of the FD&C Act. We have also made corresponding changes
throughout this subpart.
(Comment 27) Some comments provide support for this provision, and
others encourage us to ensure that a private accreditation body seeking
recognition could have adequate legal authority to operate.
(Response 27) We agree with the comment urging us to ensure that a
private accreditation body could have the necessary authority to act as
a recognized accreditation body under this rule. As noted previously,
we see no inherent reason why private entities could not theoretically
meet the eligibility requirements for accreditation bodies under this
rule. Therefore, we are revising Sec. 1.611(a) and (b) to clarify that
an accreditation body can be a legal entity with contractual rights. By
the words ``legal entity,'' we mean that the accreditation body must be
duly authorized to operate as an accreditation body by governmental
authorities responsible for such authorizations in any country or
countries in which the accreditation body seeks to perform
accreditation of third-party certification bodies under this rule.
(Comment 28) Some comments ask us to clarify what we mean by
``statistically significant'' as used in Sec. 1.611(a)(2) and
elsewhere in the proposed rule to provide adequate confidence in the
results of an analysis of the sample. The comments encourage us to
abandon the phrase ``statistically significant'' in favor of the
language of ISO/IEC 17011:2004 (Ref. 5), which requires an
accreditation body to witness the performance of a representative
number of third-party certification body staff.
(Response 28) We understand from the comments that a body of
knowledge and experience has developed among accreditation bodies
conforming to ISO/IEC 17011: 2004 (Ref. 5) on the meaning of
``representative'' numbers of observations and that no similar body of
knowledge or experience exists on the meaning of ``statistically
significant'' numbers of observations in this context. Accordingly, we
are revising Sec. 1.611 to require observations of a ``representative
sample'' of audit agents and food safety audits. We are making similar
revisions to other sections of the rule that require onsite
observations.
For purposes of an accreditation body's observations of a third-
party certification body under this rule, what constitutes a
``representative sample'' will be decided on a case-by-case basis,
depending on various factors. These factors include the scope of
accreditation, whether the third-party certification body is an
individual who will conduct audits and make certification decisions, or
whether the third-party certification body uses agents to conduct
audits and, if so, whether such agents are centrally managed,
conducting similar types of
[[Page 74589]]
audits, under a single set of operating procedures or whether the
agents are managed from various locations, perform different types of
audits, or follow different procedures such that these various
locations, activities, or practices must be observed to ensure that the
sample is sufficiently representative. A representative sample also
must provide adequate confidence in the results of an analysis of the
sample.
C. What competency and capacity must an accreditation body have to
qualify for recognition? (Sec. 1.612)
We proposed to require an accreditation body seeking recognition to
demonstrate that it has the resources required to adequately implement
its accreditation program, including adequate numbers of qualified
employees and other agents, adequate financial resources for its
operations, and the capability to meet the resource demands of a
recognized accreditation body, in the event the accreditation body is
recognized.
(Comment 29) We received some comments on this provision, which
also support the proposed rule's requirement that accreditation bodies
demonstrate their competence and capacity based on the requirements of
ISO/IEC 17011:2004 (Ref. 5). However, these comments disagree with our
statement in the preamble that liability coverage requirements should
not apply to this rule. The comments argue that we should include a
requirement for accreditation bodies to carry liability coverage,
noting that it is one of the requirements in ISO/IEC 17011:2004 (Ref.
5) and describing it as especially important because of the risks
associated with food safety.
(Response 29) We agree with the comments that liability insurance
may be useful in demonstrating the adequacy of an accreditation body's
resources, for example, under ISO/IEC 17011:2004 (Ref. 5); however, FDA
lacks experience in evaluating the adequacy of liability coverage for
accreditation activities and we do not believe it would be appropriate
for FDA to make recognition decisions primarily on this basis. We
believe an accreditation body can demonstrate that it is adequately
resourced in a number of different ways, including providing
documentation of liability coverage as part of the information
submitted to help to demonstrate that accreditation body is adequately
resourced.
D. What protections against conflict of interest must an accreditation
body have to qualify for recognition? (Sec. 1.613)
Proposed Sec. 1.613 requires accreditation bodies to demonstrate
that they have written measures to protect against conflicts of
interest with third-party certification bodies and the capability to
meet the rule's other conflict of interest requirements.
On our own initiative, we are clarifying that the scope of conflict
of interest provisions in Sec. 1.613(a) is limited to individuals
involved in accreditation, auditing, and certification activities and
not, for example, employees involved in purely administrative
functions, such as payroll, or in positions that support administrative
functions, such as computer technicians. Therefore, Sec. 1.613(a) of
this rule applies to interests between the officers, employees, and
other agents of the accreditation body that are involved in
accreditation activities and the officers, employees, and other agents
of the third-party certification body involved in auditing and
certification activities. We are making corresponding changes in the
subsequent provisions for recognized accreditation bodies under Sec.
1.624(a).
(Comment 30) Some comments take issue with our decision not to
include the requirements of clause 4.3.2 of ISO/IEC 17011:2004 (Ref.
5), which requires the accreditation body to have documented and
implemented a structure relating to conflicts of interest that provides
for effective involvement by interested parties with balanced
representation ensured.
(Response 30) We decline to require that recognized accreditation
bodies establish and implement a structure for involving interested
parties in matters relating to the conflict of interest requirements
for recognized accreditation bodies. It would be administratively
burdensome for FDA to establish a mechanism for monitoring the
activities of interested parties that the accreditation body elects to
involve to comply with such requirements. In our third-party
certification program, impartiality will be protected by the conflict
of interest provisions for accreditation bodies in Sec. 1.624, the
appeals provisions in Sec. 1.620(d), and FDA's oversight activities.
E. What quality assurance procedures must an accreditation body have to
qualify for recognition? (Sec. 1.614)
Proposed Sec. 1.614 requires accreditation bodies to implement a
written quality assurance program and have the capability to meet the
rule's other quality assurance requirements.
(Comment 31) Some comments encourage FDA to more closely align
Sec. 1.614 with established international standards on quality
assurance programs. Some ask us to rely on the relevant provisions in
ISO/IEC 17011:2004 (Ref. 5) in particular.
(Response 31) We agree with the comments and as described in
section I.D., we are revising Sec. 1.610 to allow accreditation bodies
to use their demonstrated conformance to ISO/IEC 17011:2004 (Ref. 5),
supplemented as necessary, in meeting the requirements for recognition.
(Comment 32) Some comments ask us to clarify the language in Sec.
1.614(a)(1) and (2) regarding food safety problems and corrective
actions.
(Response 32) We agree and have revised Sec. 1.614(a)(1) and (2)
to clarify that an accreditation body must demonstrate that it has
procedures to identify deficiencies and procedures to execute
corrective actions for such deficiencies, using language that better
aligns with international standards (see, e.g., clause 5.5 in ISO/IEC
17011:2004 (Ref. 5)).
F. What records procedures must an accreditation body have to qualify
for recognition? (Sec. 1.615)
Proposed Sec. 1.615 would require accreditation bodies seeking
recognition to demonstrate that they have developed and implemented
adequate written procedures for establishing, controlling, and
retaining records and to demonstrate the capability to meet the
program's records, reporting, and notification requirements, if
recognized.
(Comment 33) Some comments voice general concerns about
confidentiality. Others state their concern with how confidentiality of
third-party certification body records would be preserved when third-
party certification bodies must share information with recognized
accreditation bodies and FDA. Noting that such information can be
sensitive in nature and sometimes includes confidential business
information, these comments urge us to place certain limits--i.e., only
information related to food safety would be collected during audits of
third-party certification bodies and such information would be shared
only with the recognized accreditation body and FDA. Some comments
suggest FDA require strict protective measures for information handled
by third-party certification bodies and accreditation bodies, because
the release of an eligible entity's confidential business information
could have detrimental
[[Page 74590]]
effects on U.S. businesses and their foreign suppliers. These comments
suggest the use of confidentiality protections such as ``confidential
disclosure agreements'' so that the audit climate remains conducive to
robust scrutiny and open dialogue.
Some comments also express concern with the proposed use of
electronic records, because of the opportunity for sensitive electronic
information to be compromised. Such comments recommend that the final
rule include requirements for both third-party certification bodies and
accreditation bodies to ensure that electronic records remain secure in
transit and during storage.
(Response 33) We decline the suggestions to require confidential
disclosure agreements between recognized accreditation bodies and
third-party certification bodies under our program and to establish
data protection requirements for electronic records and communications
of recognized accreditation bodies and accredited third-party
certification bodies. We understand that many accreditation bodies and
third-party certification bodies have contractual agreements regarding
confidentiality and disclosure by those parties. We expect
accreditation bodies that become recognized under our program may elect
to establish contracts that incorporate language on information sharing
with FDA for third-party certification bodies seeking accreditation
under this program. For such accreditation bodies, how they choose to
accomplish this--e.g., whether by establishing a separate
confidentiality agreement or through revision of current contract
language or creation of a new contract addendum--is a decision best
made by the parties to those contracts. Accreditation bodies and third-
party certification bodies will have common interests in safeguarding
the electronic records they store and transmit to each other;
therefore, we have no reason to believe that any separate agreements
will lack adequate protections for confidentiality of information,
including information stored and shared among the parties
electronically.
This rule focuses on confidentiality and disclosure with respect to
information shared with FDA. As explained in section XIII.F., FDA will
protect the confidentiality of information accessed by or submitted to
the Agency in accordance with Sec. 1.695 of this subpart. With respect
to the storage of electronic records and electronic transmission of
information by FDA, we note that we are working the FDA IT security
professionals in establishing the electronic portal for the third-party
certification program to apply adequate and appropriate controls to
ensure the confidentiality and integrity of data submitted to FDA
through the portal.
(Comment 34) In the proposed rule preamble discussion of this
section we stated that, ``[a]ccreditation bodies applying for
recognition must demonstrate their capacity, if recognized, to grant us
access to confidential information, including information contained in
records, without prior written consent of the third-party certification
body involved. Having access to records relating to accreditation
activities (including confidential information) under this subpart is
necessary to ensure the rigor, credibility, and independence of the
program.'' Some comments take issue with this point, arguing that
accreditation bodies would not be able to grant such access--they would
only be able to grant access to confidential information with prior
written consent. That is, the accreditation body would first need to
make arrangements for FDA access to confidential records with the
third-party certification bodies it accredits and the eligible entities
certified by those third-party certification bodies. Comments that
express doubt about private sector foreign accreditation bodies
actually granting FDA access to confidential records contend that such
access is particularly unlikely without the prior written consent of
the third-party certification body whose records are sought.
(Response 34) We agree with the comments that the contracts
accreditation bodies currently use with their third-party certification
body clients do not contemplate the program we are establishing. As
comments suggest, we would expect that confidentiality provisions in
standard contracts would need to be revised such that, in signing a
contract for accreditation under the FDA program, the third-party
certification body would be giving the accreditation body its prior
consent to perform any reporting or notification necessary for the
recognized accreditation body to fulfill its obligations under the
rule. Indeed, we expect that accreditation bodies seeking recognition
will demonstrate their ability to comply with the reporting and
notification provisions of this rule by providing us examples of
standard contract language that has been suitably revised as comments
describe.
VI. Comments on Requirements for Recognized Accreditation Bodies Under
This Subpart
A. How must a recognized accreditation body evaluate third-party
certification bodies seeking accreditation? (Sec. 1.620)
Proposed Sec. 1.620 would establish the criteria and procedures
that a recognized accreditation body must use in assessing third-party
certification bodies for accreditation. Paragraph (a) broadly addresses
the different requirements for foreign governments and foreign
cooperatives or other third parties. Paragraph (b) requires the
accreditation body to require third-party certification bodies to
satisfy the rule's reporting and notification requirements. Paragraph
(c) requires the accreditation body to maintain certain records, such
as those related to withdrawal or suspension of a third-party
certification body. Paragraph (d) requires an accreditation body to
have written procedures for handling appeals from third-party
certification bodies, and requires certain minimal appeal procedures.
On our own initiative, we are revising Sec. 1.620(a)(2) and (3) to
apply to accredited third-party certification bodies that are comprised
of a single individual, as applicable. We are also removing, ``and any
requirements specified in FDA model accreditation standards regarding
qualifications for accreditation, including legal authority,
competency, capacity, conflicts of interest, quality assurance, and
records'' to follow good guidance practice. We are making corresponding
changes to Sec. Sec. 1.620(a)(1), 1.640(b), and 1.640(c). We are also
revising Sec. 1.620(c) to specify that recognized accreditation bodies
must also include the date of the action in their records relating to
any denial of accreditation or the withdrawal, suspension, or reduction
in scope of accreditation of a third-party certification body. In
addition, we are revising Sec. 1.620(d) to clarify that the recognized
accreditation body must notify any third-party certification body of an
adverse decision associated with its accreditation under the subpart,
including denial of accreditation or the withdrawal, suspension, or
reduction in the scope of its accreditation.
(Comment 35) In paragraph (a)(3) of this proposed section we stated
that a recognized accreditation body must observe ``a statistically
significant number of onsite audits'' conducted by the third-party
certification body seeking accreditation. Some comments request
clarification of what we meant by ``statistically significant,'' so
that accreditation bodies would know what
[[Page 74591]]
would be an adequate number of audits to observe to provide adequate
confidence in the results of an analysis of such observations. The
comments suggest that we should explain the criteria for determining
the number of witness audits to be conducted under proposed Sec. 1.620
and ask whether site-specific issues such as geographic factors should
be considered. Other comments encourage us to abandon the phrase
``statistically significant'' in favor of the language of ISO/IEC
17011:2004 (Ref. 5), which requires an accreditation body to witness
the performance of a representative number of third-party certification
body staff.
(Response 35) We have removed the phrase ``statistically
significant'' in Sec. 1.620(a)(3) and inserted the phrase
``representative sample.'' We explain in Response 28 that comments
presented compelling arguments that a significant body of knowledge and
experience has developed around the meaning of a ``representative''
number of observations under ISO/IEC 17011:2004 (Ref. 5) to achieve an
adequate level of confidence in the results. We have revised Sec.
1.620(a)(3) accordingly. Site-specific issues may be relevant in
determining the representative number of witness assessments to
conduct, for example, where audit agents are located in remote offices
or where food safety audits are managed by remote offices. The
accrediting body, either a recognized accreditation body or FDA in the
case of direct accreditation, will be best positioned to determine
whether geographic issues are relevant for purposes of Sec.
1.620(a)(3).
(Comment 36) Some comments ask us to revise Sec. 1.620(d)(2) to
clarify that the individuals used to hear appeals of adverse decisions
by a recognized accreditation body could be individuals external to the
accreditation body.
(Response 36) We agree with the comments and have revised this
provision to clarify that individuals used to hear appeals may be
external to the accreditation body, as well as a similar provision
applying to appeals by eligible entities of adverse decisions by an
accredited third-party certification body. We have also revised this
provision to use language similar to language that is used in Sec.
16.42(b), which describes the characteristics of a presiding officer
that may be used for FDA regulatory hearings.
(Comment 37) In the preamble to the proposed rule we stated that we
were not proposing to review the decisions of recognized accreditation
bodies nor were we proposing to hear appeals from third-party
certification bodies aggrieved by an accreditation body's decision(s).
We sought comment on these matters. In response, some comments state
their understanding that FDA would retain the authority to challenge a
recognized accreditation body's decisions, because we have authority
over the entire program.
(Response 37) We agree with comments that our oversight extends to
any accreditation body or third-party certification body participating
in the program, including the authority to withdraw accreditation from
a third-party certification body even if the accreditation was granted
by a recognized accreditation body. However, FDA does not intend to
serve as an appellate body for aggrieved third-party certification
bodies, as this would be unworkable and unnecessary. Withdrawing the
accreditation of a third-party certification body to remove it from our
program is quite different than, for example, overturning an
accreditation body's decision to deny accreditation to a third-party
certification body in the first place. Our program is designed to
ensure the competency and independence of accreditation bodies. As part
of this program, FDA will be recognizing accreditation bodies to make
accreditation decisions based on a determination that the accreditation
body is qualified to do so. FDA involvement in accreditation decisions
would defeat the purpose of the program. Additionally, FDA retains the
authority to revoke the recognition of accreditation bodies for good
cause under Sec. 1.634(a)(4) for failure to comply with this rule. For
all of these reasons, FDA declines to codify a process to review
appeals challenging recognized accreditation body decisions under this
program.
(Comment 38) Several comments encourage us to expand on the
requirement to use ``independent'' person(s) to hear an appeal of an
adverse accreditation body decision. Some comments suggest that we
clarify that an independent person is one who was not involved in the
decision that is the subject of the appeal. A few comments suggest we
further require the accreditation body to use person(s) who are
external to the organization.
(Response 38) We agree with the suggestions to clarify Sec.
1.620(d)(2) and are revising it to align with the impartiality
provisions in 21 CFR part 16, which contains the regulations for
regulatory hearings that we will generally apply under Sec. 1.693 to
an appeal of a revocation or withdrawal. Under the part 16 regulations,
the person presiding over the hearing must be free from bias or
prejudice and must not have participated in the action that is the
subject of the hearing or be subordinate to a person who participated
in the action. We believe that the credibility of the third-party
certification program will be enhanced by requiring recognized
accreditation bodies to afford similar protections when considering
appeals by certification bodies under this rule. While we decline the
suggestion to require the use of external parties in deciding appeals,
we note that a recognized accreditation body has flexibility to use an
external party under Sec. 1.620(d)(2).
B. How must a recognized accreditation body monitor the performance of
third-party certification bodies it accredited? (Sec. 1.621)
We proposed to require a recognized accreditation body to conduct
an annual evaluation of each of its accredited certification bodies
that includes a review of the certification body's self-assessments,
its regulatory audit reports, notifications to FDA, and any other
information reasonably available. We requested comment on whether the
information we proposed to require would provide a solid basis for an
evaluation. We asked stakeholders whether we should include a
requirement in Sec. 1.621 for onsite monitoring of accredited
certification bodies and, if so, whether we should require the
accreditation body to observe or visit the certification body's
headquarters.
(Comment 39) We received several comments on the annual assessment
requirements of proposed Sec. 1.621. Some comments agree with the
requirement for an annual assessment. Some comments mention a
Government Accountability Office (GAO) report entitled, ``FDA Can
Better Oversee Food Imports by Assessing and Leveraging Other
Countries' Oversight Resources'' (GAO 12-933) and dated September 2012,
which notes ongoing challenges with ensuring the competency of third
parties to consistently apply standards and argues that annual
assessments would improve certification body reliability and
competency. Some of these comments state they would even support more
frequent certification body evaluations.
In contrast, some comments argue that annual assessments would be
burdensome. Comments variously focus on the burden on accreditation
bodies, certification bodies, and eligible entities. Some comments
disapprove of the cumulative burden of all the assessments (e.g., self-
assessments and monitoring assessments) required
[[Page 74592]]
throughout the rule. Some comments suggest biennial assessments, and
note that such a requirement would be consistent with ISO/IEC
17011:2004 (Ref. 5). Still others argue that when the accreditation
body or certification body is a government entity we should allow for
flexibility around the timing of assessments.
(Response 39) We agree with comments that express the view that
annual assessments of certification bodies will help build confidence
in the third-party certification program. Annual assessments will help
accreditation bodies ensure certification bodies' continued compliance
with the program requirements and quickly identify and address any
deficiencies with a certification body before a situation escalates.
We also acknowledge the concerns about the efforts needed to comply
with the monitoring and self-assessment requirements of the rule.
Section 1.621 is part of a set of proposed monitoring and self-
assessment requirements intended to work together in helping to ensure
that the recognized accreditation bodies and accredited third-party
certification bodies maintain compliance with the rule's requirements.
The certification body self-assessment in Sec. 1.655 is intended to
serve, in part, as information for use in the accreditation body
monitoring in Sec. 1.621, the results of which we intend the
accreditation body to use in its self-assessment under Sec. 1.622. We
do not intend for the assessments to require duplicative efforts, with
each section requiring a discrete set of activities with no opportunity
to use the results of one set of activities when performing another. As
explained in the preamble to the proposed rule, the accreditation body
assessments of certification bodies will not only help ensure that the
certification bodies continue to comply with our requirements, but also
can help the accreditation body identify trends and any deficiencies in
its own performance. The proposed monitoring and self-assessment
activities are an essential part of the program's safety net.
With respect to Sec. 1.621, in particular, we believe this section
will be far less burdensome in practice than some of the comments
anticipate, because of the convergence between the ISO/IEC standards
and this rule. The activities required by Sec. 1.621 are similar in
substance to surveillance activities under ISO/IEC 17011:2004 (Ref. 5),
which includes review of audit reports, results of internal quality
control, and management review records identified in clause 3.18 NOTE,
and thus are likely to be activities many accreditation bodies already
perform. In light of the foregoing, we have concluded that requiring
accreditation bodies to perform annual evaluations of each
certification body they accredit under the program is not unduly
burdensome. We disagree with comments suggesting that monitoring should
be more frequent than once a year, because requiring assessments to be
performed and reported twice each year, for example, would result in a
nearly continuous cycle of assessments and reports. Semiannual
assessments are likely to produce limited data sets that would be less
helpful for evaluation purposes than would larger data sets, such as
compilations of 12 months of data, which allow for tracking and
trending performance over time. Requiring assessments to be performed
more frequently than once a year also risks creating significant
disruption of the operations of accredited third-party certification
bodies and eligible entities and might have the unintended effect of
serving as a disincentive to participation in the program. For these
reasons, we have determined that an annual monitoring requirement is
appropriate to verify the overall effectiveness of the accredited
third-party certification body's operations and performance in
activities relevant to the third-party certification program and the
validity of its certification decisions. Accordingly, we are not
revising the annual certification body monitoring requirements we
proposed in Sec. 1.621.
(Comment 40) We received some comments on proposed Sec. 1.621(b)
specifically, which would require an accreditation body to consider any
other ``reasonably available'' information relevant to a determination
of whether a certification body is in compliance with this rule.
Comments encourage us to set limits around assessments conducted in the
wake of an incident, noting that a problem involving one certification/
type of product should not involve review of all certifications/
products. These comments did not want an incident in one sector (e.g.,
human food) to unnecessarily jeopardize an accreditation in a separate
sector (e.g., animal food). Some comments express concern that proposed
Sec. 1.621(b) would require an accreditation body to review every
certificate issued by a certification body if one of the eligible
entities it certified was placed on FDA import alert.
(Response 40) We decline the suggestions to narrow the scope of
proposed Sec. 1.621(b) or to direct how recognized accreditation
bodies should consider other ``reasonably available'' relevant
information, because it will depend on the facts of a particular
situation. In the wake of incidents, we expect the accreditation body
to take appropriate steps to determine whether the certification body
is in compliance with this subpart. Such steps may include a review of
certifications for product areas other than the subject of the incident
if the accreditation body deems it needed to assess the certification
body's compliance. We reiterate, as we explained in the preamble to the
proposed rule, we do not expect a recognized accreditation body launch
investigations of each certification body it accredited absent cause,
but we do expect the accreditation body to actively monitor public
information about their certification bodies and not ignore public
information about problems that might be associated with a
certification body it accredited.
(Comment 41) In response to our preamble questions about whether to
require observations and certification body headquarters visits in
Sec. 1.621, some comments state that observations are a useful tool
and should be required. Similarly, some comments support a requirement
for visiting the key location of the certification body. Some comments
state that the accreditation body should visit any location of the
accredited third-party certification body where the certification body
manages its staff or agents conducting audits under this program, which
the comments note may not be the certification body's headquarters.
Other comments agree that onsite visits can be a useful tool, but
encourage the use of remote assessments in certain circumstances (e.g.,
after the certification body has successfully completed a set number of
accreditation cycles).
Some comments suggest that we follow the requirements of relevant
ISO/IEC standards in establishing requirements for observations and
site visits under Sec. 1.621. Some comments express concern about the
cumulative burden of the monitoring and self-assessments we proposed to
require of accreditation bodies and certification bodies. A few
comments express concern we might impose duplicative requirements for
observations under Sec. Sec. 1.621 and 1.622(b). Some comments request
guidance on how an eligible entity would be selected as a site for an
observation.
(Response 41) We agree with the comments that state that
observations are useful and should be required as part of accredited
third-party certification body monitoring. Likewise, we agree with the
comments that state
[[Page 74593]]
a recognized accreditation body should visit any location of the
certification body where the certification body manages its staff or
agents conducting audits under this program, if different than the
certification body's headquarters, to get a better understanding of how
different locations operate. While we acknowledge that some
accreditation bodies may be successfully using remote assessments in
certain circumstances (e.g., after the certification body has
successfully completed a set number of accreditation cycles), we
decline the suggestion to allow for remote assessments in this
rulemaking.
In establishing requirements in Sec. 1.621 for observations and
accredited third-party certification body visits, we considered
comments' concerns that such requirements might be duplicative of the
observation requirements in Sec. 1.622(b), might pose practical
difficulties in arranging to observe audits, and might pose
difficulties if a certification body had several ``key'' locations. We
also considered comments' concerns about the cumulative burden of the
monitoring and self-assessment requirements of the rule and the
comments that urge us to align the requirements of Sec. 1.621 with the
relevant international standards.
Accordingly, in the final rule we are combining all of the
paragraphs in proposed Sec. 1.621 into new Sec. 1.621(a), and we are
adding a new paragraph (b) that requires the accreditation body to
perform a representative sample of onsite observations of regulatory
audits conducted by each accredited third-party certification body, as
explained in Response 28, and visit the certification body's
headquarters (or other certification body location if its audit agents
are managed by the certification body at a location other than its
headquarters). The observed audits and site visits must be performed by
no later than 12 months after the certification body's initial
accreditation and again every 2 years thereafter for the duration of
its accreditation, including renewals. The requirements for the
frequency of observed audits and site visits under Sec. 1.621(b) are
similar to the intervals for surveillance onsite assessments in one of
the options under clause 7.11.3 of ISO/IEC 17011:2004 (Ref. 5). We are
also requiring the accreditation body to consider information from
activities conducted under paragraph (b) in the annual performance
report of the accredited third-party certification body.
We also are making a corresponding revision to Sec. 1.622(b) to
clarify that the accreditation body should consider the results of
onsite observations and site visits conducted under Sec. 1.621(b) as
part of its self-assessment under Sec. 1.622.
C. How must a recognized accreditation body monitor its own
performance? (Sec. 1.622)
Proposed Sec. 1.622 would require recognized accreditation bodies
to conduct self-assessments on an annual basis, and as required under
proposed Sec. 1.664(g) (following FDA withdrawal of accreditation of a
certification body it accredited). Under the proposed rule, the
accreditation body's self-assessment would include evaluating the
performance of its officers, employees, or other agents; observing
regulatory audits by a statistically significant number of
certification bodies it accredited under this program, and creating a
written report of results.
(Comment 42) Some comments encourage a broader self-assessment.
They contend that, in addition to requiring that accreditation bodies
assess the consistency of their performance and their compliance with
conflict of interest provisions, we should also require accreditation
bodies to compare their performance against competitors, compare the
certification bodies they accredit to other certification bodies, and
look at industry best practices and benchmarks to set improvement
objectives.
(Response 42) The self-assessments are intended to help the
accreditation body determine whether it is in compliance with the
requirements of this rule. While the report elements suggested by
comments might be useful for an accreditation body to consider, we do
not believe those elements are necessary to a determination of
compliance with the rule. Therefore, we decline to revise the rule in
response to these comments.
(Comment 43) Some comments question whether the requirements for
accreditation body self-assessment would fit the government-to-
government model. Other comments suggest that the different nature of
private operators and public administration warrant different
requirements for each. The comments further contend that the workload
associated with the program would be significant for any government
agency; therefore, the time limits and frequencies of reporting should
be more flexible in the case of government agencies.
(Response 43) FDA uses self-assessment tools in various government-
to-government programs. As one comment notes, we require State
governments to conduct annual self-assessments for their work under the
Manufactured Food Regulatory Program Standards (MFRPS) and the Animal
Feed Regulatory Program Standards. We also require a foreign government
seeking a systems-recognition agreement with FDA to begin the process
by completing the International Comparability Assessment Tool, which is
a self-assessment tool that we developed based on the approach of the
MFRPS self-assessment. Our experience in using self-assessment tools
with foreign and State governments suggests to us that self-assessments
would be feasible and appropriate in the context of this program as
well.
We decline the suggestion to afford more flexibility in deadlines
for government agencies serving as recognized accreditation bodies than
we afford to other recognized accreditation bodies. Section 808 of the
FD&C Act makes no distinction between public and private accreditation
bodies, and the proposed rule would place the same workload burden on
private accreditation bodies as it would on public accreditation
bodies. The comments fail to explain why the differences in nature of
public and private accreditation bodies justify flexible deadlines for
governmental accreditation bodies but not private accreditation bodies.
(Comment 44) Some comments suggest that accreditation body self-
assessments under proposed Sec. 1.622 should be done in concert with
its monitoring of certification bodies under proposed Sec. 1.621,
because it would be more efficient and would reduce the burden on
eligible entities that were observed during regulatory audits. Other
comments question the need for accreditation body self-assessments to
include requirements for observations, because they read our preamble
discussion of proposed Sec. 1.621 as a signal that we would be
requiring accreditation bodies to conduct annual onsite observations of
each certification body under that provision.
(Response 44) We agree that self-assessments under Sec. 1.622 can
be done in concert with monitoring under Sec. 1.621. As described in
Response 39, we do not intend the self-assessment and monitoring
requirements of the rule to be duplicative. Having added requirements
for observations and certification body site visits to certification
body monitoring requirements in the final rule, we are revising Sec.
1.622(b) to clarify that accreditation bodies may consider the results
of any observations or visits conducted under Sec. 1.621(b) in its
self-assessments.
[[Page 74594]]
(Comment 45) Comments also suggest that international standards
could provide guidance on improving the efficiency and effectiveness of
an accreditation body's self-assessment. Some comments specifically
suggest that FDA could rely on the internal audits and management
reviews that are required under ISO/IEC 17011:2004 (Ref. 5) instead of
requiring its own self-assessments.
(Response 45) We agree that documentation of internal audits and
management reviews required under ISO/IEC 17011:2004 (Ref. 5) could be
useful to help demonstrate compliance with the requirement for self-
assessments under this program. We have revised Sec. 1.622(d) and made
a conforming change to Sec. 1.623(b) to specifically allow a
recognized accreditation body to use reports of internal audits and
management reviews prepared for conformance with ISO/IEC 17011:2004
(Ref. 5), supplemented as necessary, to demonstrate compliance with the
accreditation body self-assessment requirements of Sec. 1.622.
D. What reports and notifications must a recognized accreditation body
submit to FDA? (Sec. 1.623)
Proposed Sec. 1.623 would require recognized accreditation bodies
to submit to FDA reports of its self-assessments and annual re-
assessments of certification bodies within 45 days of completing the
assessment. The proposed rule also would require notification to FDA of
matters affecting recognition and accreditation status; notice of
denials of accreditation and any significant change that would affect
how the accreditation body complies with this rule would be required
within 30 days, while immediate notification would be required for
other matters (e.g., grant or withdrawing accreditation). Under the
proposed rule the reports and notifications would have to be submitted
electronically and in English.
On our own initiative, we are revising Sec. 1.623(c)(1)(i) and
(d)(1)(i) to require the recognized accreditation body to provide FDA
the email address of any third-party certification body that was
granted or denied accreditation (respectively) under our program.
Having the email address will facilitate FDA's communications with such
third-party certification bodies. We also are revising Sec.
1.623(c)(1)(iv) on our own initiative to specify that a recognized
accreditation body must also notify FDA of the expiration date of
accreditation upon granting accreditation to a third-party
certification body under this subpart.
(Comment 46) Some comments ask whether FDA intends to provide
feedback in response to self-assessment reports.
(Response 46) While FDA will not be providing formal responses to
the self-assessment reports, we will use the information in the reports
in our oversight of the third-party certification program and will
address any specific items of concern we identify in an accreditation
body-self-assessment report directly with the accreditation body.
(Comment 47) We received several comments related to our proposal
to require all reports and notifications to be submitted in English.
Some comments agree that both the notifications and the reports should
be submitted in English. Some comments agree that notifications should
be in English, but suggested that reports of self-assessments and re-
assessments of certification bodies could remain in their native
language, and if FDA had any questions about such reports the
accreditation body could furnish English translations.
Some comments note the difficulty and others the expense for
recognized accreditation bodies in countries that do not officially or
routinely conduct business in English. Some comments request a longer
period of time (e.g., up to 4 months) to submit documents that must be
translated into English. Other comments note that if we require
documents to be in English, and the translations are not done well, the
documents may be difficult to understand.
Some comments propose alternative solutions, including comments
that suggest that FDA explore technical translation and recognition
software, which in combination with standardized report/notification
templates, might facilitate submission in languages other than English.
Other comments suggest that if reports and notifications are submitted
in languages other than English, the recognized accreditation body
should be responsible for all translation costs.
Some comments ask whether supporting documents that accompany
reports also would have to be in English. Other comments inquire
whether there is any flexibility in the language requirement for
governmental accreditation bodies that do not maintain their records in
English.
(Response 47) We decline the suggestion to remove the requirement
to submit reports and notifications in English. While allowing
submissions in multiple languages might be helpful to some interested
parties, the accreditation body reports and notifications required by
Sec. 1.623 are essential to our oversight and management of the third-
party certification program and the programs that rely on
certifications issued by accredited third-party certification bodies,
and thus, must be in English in order for FDA to properly review and
evaluate. Some comments ask to have up to 4 months to prepare an
English translation of a submission under proposed Sec. 1.623. Such
delays would be unworkable. For example, we cannot afford delays in
translating an accreditation body's notification of withdrawal of
accreditation, or an accreditation body's notification that a
certification body has issued a food or facility certification without
meeting the requirements of this rule. We are requiring immediate
notification of these and other matters under Sec. 1.623(c) because of
the implications for the program and possibly for our acceptance of
certifications issued by the certification body. Unless the
notification is submitted in English, our actions will be delayed until
the information is translated. Although the annual certification body
monitoring reports and the accreditation body self-assessments reports
are not required to be submitted until 45 days after completion under
Sec. 1.623(a) and (b)(i) (and 60 days following certification body
withdrawal for self-assessment reports submitted under Sec.
1.623(b)(ii)), we will use these reports to identify areas where FDA
may need to promptly engage with an accreditation body or a
certification body to address apparent misunderstandings or confusion
about our program requirements. We plan to use these reports to
identify emerging issues that need intervention. Therefore any
additional time allotted for translation purposes would delay and
possibly hinder our ability to use these reports for program evaluation
and management.
(Comment) 48) Some comments address the proposed timeframes for
submitting reports and notifications, and suggest that instead of
requiring reports within 45 days of completing the assessment/re-
assessment, we should require submission every 6 months or annually.
(Response 48) We disagree with comments suggesting that we modify
the timeframe for submission of reports of annual self-assessments and
annual certification body monitoring reports from 45 days after
completion to every 6 months or every year. We are concerned that the
information could be outdated and our ability to use the
[[Page 74595]]
reports for early intervention would be significantly diminished.
(Comment 49) Some comments contend that the volume of reports and
notifications we proposed to require would be burdensome to FDA to
review and maintain. They suggest that instead we require recognized
accreditation bodies and their certification bodies to maintain reports
of self-assessment/re-assessment, and provide prompt access to FDA upon
request.
(Response 49) We disagree. We are establishing an electronic portal
for submission of applications, reports, notifications, and other
information under this rule and an electronic repository of this
information, which will allow us to access and use the information as
needed. Therefore, we decline to revise Sec. 1.623 is response to
these comments.
(Comment 50) Some comments ask if all reports and notifications
submitted to FDA will be subject to the Freedom of information Act
(FOIA) or if these submissions will be considered confidential
information with reasonable protections from disclosure. Other comments
suggest the importance of striking the appropriate balance between
disclosure and confidentiality and note the following statements in
ISO/IEC 17021:2011 (Ref. 6), clause 4.1.3 and NOTE: ``Principles for
inspiring confidence include: Impartiality, competence, responsibility,
openness, confidentiality, and responsiveness to complaints . . . An
appropriate balance between the principles of openness and
confidentiality, including responsiveness to complaints, is necessary
in order to demonstrate integrity and credibility to all users of
certification.''
(Response 51) We agree with comments suggesting the importance of
striking the appropriate balance between providing transparency to the
public and maintaining the confidentiality of any trade secrets and
confidential commercial information included in the applications,
reports, notifications, and other information submitted to FDA. We are
guided in this effort by FOIA as well as laws that protect trade
secrets and confidential commercial information from disclosure. In
response to comments, we are adding new Sec. 1.695 on public
disclosure, which is discussed in section XIII.F.
(Comment 51) Some comments urge us to eliminate or reduce the
proposed reporting requirements in proposed Sec. 1.623(a) and (b), for
various reasons. Some of these comments suggest that we should only
require regular submission of a report or other document that shows the
third-party certification bodies are maintaining their accreditation.
Other comments recommend that when a certification body is first
accredited, it should submit translated accreditation documents within
3 to 4 months of the accreditation body's decision. Then, as long as
the accreditation is unchanged, it should not be necessary for the
accreditation body to submit its--assessment reports under Sec.
1.623(a).
Some comments suggest it should not be necessary for accreditation
bodies to submit their self-assessment reports under Sec. 1.623(b) if
there is no significant change in their recognition. Other comments
assert that signatories to IAF MLAs should not have to submit self-
assessment reports to FDA, because IAF monitors accreditation bodies
for continued compliance with ISO/IEC 17011:2004 (Ref. 5).
(Response 51) We disagree. As described in Response 47, the reports
of annual certification body monitoring and accreditation body self-
assessments are essential to our oversight and management of the third-
party certification program and the programs that rely on
certifications issued by accredited third-party certification bodies.
We are not requiring accredited third-party certification bodies to
submit their self-assessments to FDA (except for directly accredited
third-party certification bodies); therefore, the reports that we
receive of the recognized accreditation bodies' assessments of
accredited third-party certification bodies are a fundamental piece of
the monitoring system we are establishing, as are the self-assessment
reports submitted by accreditation bodies we have recognized. Reducing
or eliminating either of these reporting requirements would hinder our
ability to properly oversee the program.
(Comment 52) We received some requests for clarification regarding
required content of the accreditation self-assessment reports and
reports of certification body annual monitoring. Some comments request
that FDA either suggest a format for the reports, provide an
opportunity for accreditation bodies to propose a format, or at least
indicate the minimum required elements.
(Response 52) We believe we provided minimum requirements on the
content of these reports in this rule and plan to provide additional
information on the format and submission of these reports on our Web
site.
(Comment 53) Comments suggest that to be consistent with ISO/IEC
17011:2004 (Ref. 5), a recognized accreditation body only would need to
notify FDA of the approval, suspension, or withdrawal of accreditation
of a third-party certification body, as well as any changes in its
scope of the accreditation scope or reduction of authorization. The
comments assert that the notification should not need to include such
details as the address and name of third-party certification body
employees under Sec. 1.624(c)(1).
(Response 53) We agree that submission of the information described
in the comment and required by clause 8 of ISO/IEC 17011:2004 (Ref. 5)
is necessary for our program management and oversight. For example, it
will help us verify the identity of any certification body before
taking an action to affect its status in the program based on a
notification submitted under Sec. 1.623. However, the notifications
required under Sec. 1.623(c)(3) and (d) are also necessary for our
program management and oversight. Under Sec. 1.623(c)(3), a recognized
accreditation body would have to notify FDA if one of its accredited
third-party certification bodies issued a food or facility
certification without complying with the requirements of this rule.
This notification will allow FDA to refuse to accept those improperly
issued certifications and to coordinate with the accreditation body in
determining appropriate next steps. Having information on a denial of
accreditation under Sec. 1.623(d) will allow FDA to monitor
accreditation activities across the program, including any repeat
denials of a third-party certification body.
With respect to providing the names of the audit agents of the
accredited third-party certification body, we note that section
808(b)(1)(B) of the FD&C Act requires a recognized accreditation body
to submit to FDA a list of all third-party certification bodies it
accredited under the program and the audit agents of such accredited
certification bodies. The list of audit agents we proposed to require a
recognized accreditation body to submit under Sec. 1.623(c)(1)(iii) is
necessary for verification of compliance with the conflict of interest
requirements by audit agents under section 808(c)(5)(A)(iii) and (B) of
the FD&C Act and by proposed Sec. 1.657, among other things. With
respect to the proposed requirement to provide the address and name of
one or more of the officers of the accredited third-party certification
body, this information will be helpful in communicating with the
accredited third-party certification body.
For the foregoing reasons, we decline the suggestion to eliminate
the requirements for the recognized
[[Page 74596]]
accreditation body to provide FDA the name of one or more officers of
the accredited third-party certification body under Sec.
1.623(c)(1)(ii) and a list of audit agents of the accredited third-
party certification body under Sec. 1.623(c)(1)(iii).
E. How must a recognized accreditation body protect against conflicts
of interest? (Sec. 1.624)
Proposed Sec. 1.624 would require a recognized accreditation body
to take certain steps to safeguard against conflicts of interest,
including the requirement to implement a written conflict of interest
program. The accreditation body would be prohibited from owning, having
a financial interest in, or managing/controlling a certification body.
Under the proposed rule, accreditation body employees would be unable
to accept money, gifts or other items of value from the certification
body, though we did exempt meals of de minimis value onsite where the
assessment occurs. We also proposed to require that a recognized
accreditation body maintain on its Web site a list of certification
bodies it accredited under this program, the duration and scope of
accreditation, and the date on which the certification bodies paid
their fee or reimbursement associated accreditation. We sought comment
on alternative approaches for public disclosure of payments.
On our own initiative, we are adding new provision Sec. 1.624(b)
to clarify when a recognized accreditation body can accept the payment
of fees for its services so that the payment is not considered a
conflict of interest for purposes of Sec. 1.624(a).
(Comment 54) Some comments agree that a recognized accreditation
body should be required to have a written program to protect against
conflict of interest. Comments suggest that the written plans should
include assurances of independence and safeguards to address any
possibility of conflicts. Some comments state FDA should require
accreditation bodies to make their conflict of interest policies
public.
(Response 54) We agree with comments about the importance of a
recognized accreditation body having a written program to safeguard
against conflicts of interest that meets the requirements of this rule.
While a recognized accreditation body may choose to make its conflicts
of interest program publicly available, we are not imposing that as a
program requirement because we do not believe it is necessary to ensure
that accreditation bodies safeguard against conflicts of interest.
(Comment 55) We received several comments related to allowing
certification bodies to provide onsite meals of de minimis value to
accreditation body representatives conducting an audit. Several
comments agree with the general concept of allowing meals of de minimis
value. Some supporting comments state that allowing such meals would
expedite the assessment, and could be necessary if the certification
body is distant from meal service providers. With respect to the
question of what constitutes ``de minimis'' value for these purposes,
some comments endorse the idea of defining de minimis value in
accordance with U.S. Government employee limits on accepting gifts or
gratuities. Others simply encourage us to define it in some way that
ensures consistency and clarity. Some comments state that we should not
set a fixed amount for the de minimis value, because costs vary in
different locations.
Some comments disagree with the proposal to allow meals of de
minimis value, and contend that the financial relationship between the
accreditation body and the certification body should be strictly
limited to the fee paid for the accreditation audit/services.
(Response 55) We agree with the comments that suggest that allowing
the certification body to provide meals of a de minimis value during an
assessment and at the site where the assessment is being conducted
might help facilitate the assessment, particularly for remote sites. We
also agree with comments that state we should not set a fixed amount
for the de minimis value because costs vary in different locations.
We disagree with comments suggesting that by providing meals of a
de minimis value, a certification body might influence the outcome of
an accreditation body assessment, particularly if the only allowable
meals are ones of minimal value that are provided during the course of
an activity and with the purpose of facilitating timeliness and
efficiency. FDA follows a similar approach for investigators conducting
foreign inspections--that is, FDA investigators performing foreign
inspections are allowed to accept lunches (of little cost) provided by
the firm during the course of a foreign inspection. We also note that
the U.S. government allows its employees to accept meals, within per
diem limits, when on official business in a foreign country, as an
exception to the prohibition on the acceptance of gifts or gratuities
from outside sources (5 CFR 2635.204(i)(1)), though we believe the
FDA's practices for foreign inspections serve as a better model because
foreign inspections are more analogous to foreign assessments than are
the range of activities that covered by the general requirements
applicable to all U.S. government employees on official business in
foreign countries. Accordingly, in light of the comments received and
analogous FDA guidelines, we have concluded that it is reasonable and
appropriate to limit the meal exception in Sec. 1.624(a)(3)(ii) to
only lunches of de minimis value provided during the course of an
assessment, on site at the premises where the assessment is being
conducted, and only if necessary to facilitate the efficient conduct of
the assessment. We believe these revisions help to address concerns
regarding the threats to impartiality, while accommodating the
practical considerations that apply to foreign assessments.
We offer the following additional input to recognized accreditation
bodies seeking guidance on the application of Sec. 1.624(a)(3)(ii). In
considering whether a meal is allowable under this provision, we
recommend that the assessor first consider whether accepting the lunch
is necessary to facilitate the efficient conduct of the assessment. We
recommend the assessor consider: (1) Whether the circumstances
surrounding the travel would allow the assessor to pack a lunch to
bring on site; (2) Whether the meal is being provided during the midday
or early afternoon. A lunch provided in the midst of an assessment is
different than a lunch or other meal provided at the completion of the
audit; (3) Whether the site of the assessment is in close proximity to
a retail food establishment, or is at a remote location far from a
retail food establishment; (4) What is the estimated value (or cost) of
the lunch in light of the costs associated with the area where the
assessment is being conducted; and (5) other similar considerations.
For assessors seeking additional guidance on determining what
constitutes a ``de minimis'' amount for purposes of complying with
Sec. 1.624(a)(3)(ii), we offer the following guidance that is based on
the requirements applicable to U.S. government employees who accept
certain meals while on official travel in foreign countries. Such
employees must deduct from the per diem the value of that meal,
calculated using a two-step process.
First, the individual must determine the per diem applicable to the
foreign area where the lunch was provided, as specified in the U.S.
Department of State's Maximum Per Diem Allowances for Foreign Areas,
Per Diem Supplement
[[Page 74597]]
Section 925 to the Standardized Regulations (GC,FA) available from the
Superintendent of Documents, U.S. Government Printing Office,
Washington, DC 20402, and available on the Department of State Web site
at https://aoprals.state.gov/Web920/per_diem.asp. (Foreign per diem
rates are established monthly by the Department of State's Office of
Allowances as maximum U.S. dollar rates for reimbursement of U.S.
Government civilians traveling on official business in foreign areas.)
Second, the individual must determine the appropriate allocation
for the meal within the daily per diem rate which is broken down into
Lodging and M&IE (Meals & Incidental Expenses) that are reported
separately in Appendix B of the Federal Travel Regulation and available
on the Department of State's Web site at https://aoprals.state.gov/content.asp?content_id=114&menu_id=78.
(Comment 56) Our proposal to require accreditation bodies to
maintain a Web site listing of certification bodies, and information
about each, drew several comments. Most comments agree with the Web
site listing in principle. Some comments encourage us to require
additional information in the Web site listing, such as requiring
accreditation bodies to include in their Web site listing those
certification bodies whose accreditations have been suspended or
revoked. Some comments advise that the ``scope'' information required
on the Web site should be specific (e.g., whether the accreditation is
for human food, animal food, or for specific rules).
Additionally, many comments address the proposed requirement to
include fee information in the Web site listing. Some comments suggest
that we require recognized accreditation bodies to specify what is
included in the fee payment and what costs are reimbursable. We also
received comments arguing that requiring payment schedules to be posted
online is not sufficient to ensure that potential conflicts of interest
will be identified; they suggested we require accreditation bodies to
submit payment schedule information directly to FDA.
Some comments disagree with the proposed requirement to require the
Web site posting of payment schedules contending, among other things,
that such information is proprietary. Some suggest that, instead, FDA
should require accreditation bodies to keep records of payments which
would be available to FDA if we have reason to examine them. Others
suggest it would be sufficient for the financial payment information to
be maintained such that FDA could review it during the recognition/
renewal process. Still other comments seek clarification as to whether
we would be requiring, in addition to the date of payment, the dollar
value of payment. These comments are not in favor of such a
requirement; they state such payment details constitute sensitive
information and argue that FDA should instead require the amount of
payment to be in the records required under Sec. 1.625.
(Response 56) We agree with comments that state that an
accreditation body's Web site posting under Sec. 1.624(c), finalized
as Sec. 1.624(d), must include specific information about the scope(s)
of accreditation, for example by relevant part of 21 CFR or by a
designation, such as ``part 123'' or ``Seafood HACCP'' (Hazard Analysis
Critical Control Point). We also are revising final Sec. 1.624(d) to
state that an accreditation body's Web site must identify a
certification body whose accreditation was suspended, withdrawn, or
reduced in scope, because we believe that this information would be
important to eligible entities seeking information on accredited
certification bodies. The suspension or withdrawal information must be
maintained on the Web site for 4 years (the maximum duration of an
accreditation under the rule) or until the suspension is lifted or the
certification body is reaccredited by that accreditation body,
whichever occurs first.
In the interest of transparency, we are maintaining the requirement
for accreditation bodies to post information on the timing of fee
payments and direct reimbursements by certification bodies. This
posting requirement is similar to the posting requirements that apply
to certification bodies under Sec. 1.657(d) and will help build
confidence in the impartiality of accreditation body accreditation
decisions. We are not requiring posting of the amount of fees or
reimbursement paid, because we do not think it is necessary to help
build confidence in the impartiality of accreditation body
accreditation decisions. We agree with the suggestion to specifically
require fee payment records to be maintained and are revising Sec.
1.625 accordingly.
(Comment 57) Some comments contend that Sec. 1.624 is seriously
flawed because it is inconsistent with ``the latest science on the
issue'' and a 2009 Institute of Medicine (IOM) Report, ``Conflicts of
Interest in Medical Research, Education, and Practice.'' They encourage
FDA to evaluate the most recent scientific research on conflicts of
interest and consult with leading academicians involved in such work.
They contend that the fact of payment by the certification body to the
accreditation body creates a conflict of interest that cannot be
avoided so we should aim our regulation to minimize it. They recommend
that we prohibit any financial relationship between the accreditation
body and a certification body it audits for at least 1 year before
accreditation was sought and 1 year after the last accreditation
expires or was denied.
(Response 57) While we agree with the comments' suggestion to
remain vigilant in ensuring that our conflict of interest protections
represent current best practices, we disagree with the assertion that
Sec. 1.624 is seriously flawed and have concluded that the suggested
revision would be infeasible and impractical. Third-party certification
bodies currently accredited for food safety auditing by accreditation
bodies that become recognized by FDA would have to apply to another
recognized accreditation body to join our program if the comments'
suggestion were adopted. This would create a disincentive to
participation by experienced third-party certification bodies and would
pose difficulties when the availability of recognized accreditation
bodies is limited.
In response to comments citing the 2009 IOM report on financial
conflicts of interest between medical researchers and medical products
companies, we note that it identified some conflict of interest issues
that also are relevant to our third-party certification program, such
as the need to disclose payments from industry and to place limits on
meals and gifts. However, the differences between the context of
medical research and practice and the context of our third-party
certification program pose difficulties in identifying practical
implications of the analysis for our purposes--i.e., the analysis of
data suggesting that the acceptance of meals and gifts and other
relationships may influence physicians to prescribe a company's
medicines. Nor are the IOM recommendations readily adaptable to
conflicts of interest in the third-party certification program. The
``best practices'' we employ must be suitable for the third-party
certification program and may differ from the state of the art best
practices for conflict of interests in medical research. For example,
the recommendations to place limits on the use of drug samples for
patients who lack financial access to medications and to prohibit the
claiming of authorship for ghost-written publications are not
applicable to this program. For the foregoing reasons, we decline the
[[Page 74598]]
suggestion to prohibit any financial relationship, such as the payment
of fees, between a recognized accreditation body and a certification
body for at least 1 year before seeking accreditation and 1 year after
the last accreditation expires or is denied.
(Comment 58) Some comments reject the notion that there could be
effective protections against conflict of interest. Such comments
consider third-party food safety audits to possess inherent
shortcomings and believe that FDA itself should conduct any food safety
inspections required by FSMA.
(Response 58) We disagree with the notion that it is not possible
to effectively protect against conflicts of interest. Currently,
accreditation bodies and certification bodies operate under a number of
private schemes successfully, with reasonably effective protections
against conflicts of interest. We note that the primary regulatory
functions of the third-party certification program are to facilitate
participation in VQIP and to provide certifications for the purposes of
section 801(q) of the FD&C Act. At this time, we do not intend for
private third-parties to conduct food safety inspections required by
FSMA.
F. What records requirements must an accreditation body that has been
recognized meet? (Sec. 1.625)
Proposed Sec. 1.625 identifies specific types of documents a
recognized accreditation body would be required to establish, control,
and maintain to document compliance with applicable requirements
(including applications for accreditation and for renewal; regulatory
audit reports and supporting information from its accredited auditors/
certification bodies; reports and notifications required under proposed
Sec. 1.623, along with any supporting information). The recognized
accreditation body would be required to provide FDA access to such
records. The rule also proposed to require records to be maintained
electronically and in English for 5 years.
In the proposed rule we acknowledged that the contracts between
accreditation bodies and certification bodies frequently include
confidentiality provisions that might otherwise prevent disclosure of
certain records to FDA without prior approval of the certification
body. We noted that any such contract provisions would need to be
changed to allow the accreditation body to furnish FDA with the records
identified in this section.
On our own initiative, we are including fee payment records as
another type of record that an accreditation body that has been
recognized must maintain under Sec. 1.625(a)(8).
(Comment 59) Several comments disagree with the proposed
requirement for records to be maintained in English. Some comments,
while noting their support for submission of reports and notifications
in English under proposed Sec. 1.623, disagree with our proposal to
require that records maintained by the accreditation body be kept in
English as well. Some comments, noting the cost of translating all
records, request that we allow records to be maintained in the language
of the country. They propose we could require the accreditation body to
provide the records in English upon our request within a reasonable
time; some suggest a reasonable time might be a week, depending on the
volume of records requested. Other comments argue that the food
industry is global and in recognition of that fact FDA should accept
records in other languages. Some comments suggest that we allow three
or four additional widely-used languages.
(Response 59) We agree with the recommendation to allow records
held by the accreditation body to be maintained in a language other
than English, coupled with a requirement that, upon FDA request, the
accreditation body must provide an English translation of the records
within a reasonable time.
The records required by Sec. 1.625 are necessary to document the
accreditation body's accreditation activities, and we expect to request
access to the accreditation body's records as necessary to verify the
accreditation body's continuing compliance with the requirements of
this rule, such as when we are considering whether to renew its
recognition. The accreditation body records also will be useful in
helping to verify the compliance of certification bodies it accredited
under the program. However, the records required by Sec. 1.625 are
generally distinguishable from the reports and notifications that must
be directly submitted to us under Sec. 1.623, which we are requiring
to be submitted to FDA in English because the reports and notifications
submitted directly to us are time sensitive in nature and essential to
our management and oversight of the third-party certification program.
For example, under Sec. 1.623(c) we are requiring immediate
notification, in English, of an accreditation body's withdrawal of
accreditation from a certification body. We cannot afford delays in
translating this information, because of its implications for the
program and possibly for our acceptance of certifications issued by the
certification body. Unless the notification is submitted in English,
our actions will be delayed until the information is translated.
By contrast, the records required under Sec. 1.625 typically
contain information that is less time sensitive; therefore, reasonable
delays for translation purposes will not compromise our ability to
manage or oversee the program. Accordingly, we are revising Sec. 1.625
to allow other accreditation body records to be maintained and
submitted to FDA in languages other than English, provided that an
English language translation of such records is provided within a
reasonable time thereafter. The circumstances surrounding each request
will differ; therefore, we decline to set a specific (numerical)
deadline for submission of the translation.
(Comment 60) We received several comments expressing
confidentiality concerns. Some comments note that documents that are
part of an audit process may contain critical business information that
warrants some level of proprietary protection.
(Response 60) We acknowledge comments' concerns and note that we
are including Sec. 1.695 on public disclosure in section XIII.F. The
new section explains that records obtained by FDA under this subpart
are subject to the disclosure requirements under 21 CFR part 20.
(Comment 61) With regard to the proposed requirement that records
must be maintained electronically, some comments discourage us from
requiring compliance with 21 CFR part 11, which are regulations setting
certain electronic records criteria. Comments contend that imposing
part 11 requirements would be disproportionate to the need under this
rule without an appreciable improvement in food safety and would create
a tremendous and costly burden. They encourage FDA to explicitly
exclude records under this rule from part 11. Comments propose that
instead of imposing part 11 requirements, we require documentation of
the chain of custody by requiring records to be signed and dated when
created or modified.
(Response 61) We acknowledge comments' concerns and note that we
are establishing Sec. 1.694 on electronic records in section XIII.E.
This new section will generally exempt records that are established or
maintained to satisfy the requirements of this subpart from the
requirements of part 11.
(Comment 61) Some comments express concern that our proposed record
keeping requirement was too broad; and others express concern about
[[Page 74599]]
how we might use our authority to request records. Some comments
request clarification of our proposed requirement that accreditation
bodies' records include any supporting information for the reports and
notifications required under Sec. 1.623. Other comments suggest that
our records requests should be narrower when the recognized
accreditation body is a foreign government than a records request to a
recognized, nonprofit accreditation body. Still other comments
encourage us to clarify the circumstances under which FDA staff could
request records and to include a method for an accreditation body to
object to an FDA records request.
(Response 62) The records we are requiring an accreditation body to
maintain under Sec. 1.625 are necessary to document the accreditation
body's accreditation activities and its compliance with the
requirements of this rule. We expect to request access to the
accreditation body's records in verifying an accreditation body's
continuing compliance with the requirements of this rule. While the
details of each records request will vary depending on its
circumstances, we will tailor our records requests under Sec. 1.625 as
narrowly as possible to reach program-related records and exclude
records that are irrelevant or insignificant to this program. For
example, the information an accreditation body reports under Sec.
1.623 may prompt us to request the underlying record to supplement the
report as needed. Or, when an accreditation body is requesting renewal
of its recognition, we may request records to supplement information
provided in the application.
Therefore, we believe it is unnecessary to develop administrative
procedures for accreditation body challenges to FDA records requests.
We recommend accreditation bodies to fully consider the program
requirements before deciding to pursue recognition under the voluntary
third-party certification program.
(Comment 63) We proposed that if FDA requests records
electronically, the recognized accreditation body provide the requested
records within 10 days. Some comments contend that 10 days is
insufficient time, and instead request a period of 3 months.
(Response 63) We believe that 10 days is ample time for
accreditation bodies to electronically submit any requested records
they are already required to maintain under this subpart. We note that
we are revising the final rule to allow accreditation bodies to
maintain and submit records in languages other than English, provided
that they electronically submit an English translation within a
reasonable time thereafter. By allowing records to be submitted in a
language other than English, accreditation bodies should be able to
provide requested records electronically within 10 days.
VII. Comments on Procedures for Recognition of Accreditation Bodies
Under This Subpart
A. How do I apply to FDA for recognition or renewal of recognition?
(Sec. 1.630)
We proposed to establish procedures for accreditation bodies to
follow when applying to FDA for recognition or for renewal of
recognition. We proposed that the accreditation body must submit a
signed application, accompanied by any supporting documents,
electronically and in English, demonstrating that it meets the
eligibility requirements in proposed Sec. 1.610. We also proposed to
require an applicant to provide any translation or interpretation
services we need to process the application.
(Comment 64) Some comments assert that the proposed rule does not
differentiate adequately between foreign governments and private
entities that are serving as accreditation bodies and suggest that we
provide a separate path for recognition of foreign government
accreditation bodies that prioritizes their applications over those
submitted by private accreditation bodies. The comments recommend that
we draft additional rules to specifically cover recognition of foreign
government accreditation bodies and/or direct accreditation of foreign
government certification bodies.
(Response 64) We disagree with the recommendation to create a
bifurcated system for recognition, because the line between
governmental and private accreditation bodies is not always clear.
Private accreditation bodies comprise approximately one third of the 72
accreditation bodies that accredit food safety certification bodies
around the world, according to a report prepared by the Research
Triangle Institute (RTI) (Ref. 16). In the report, RTI found that the
distribution of accreditation bodies by private versus government
agency is as follows: 24 private accreditation bodies, 38 governmental
accreditation bodies, and 10 accreditation bodies with unknown private
or government agency status. RTI found that the vast majority of the
private accreditation bodies were non-profit entities. Many of the
private accreditation bodies identified by RTI operate under government
sanction or in quasi-governmental roles. For example, the American
National Standards Institute (ANSI) is a private, non-profit
accreditation body that serves as the official U.S. representative to
ISO (Ref. 17); the United Kingdom Accreditation Services is appointed
as the national accreditation body for the United Kingdom, though it is
independent of the government (Ref. 18); and the Danish Accreditation
and Metrology Fund is a self-described ``business fund'' that is
appointed by the Danish Safety Technology Authority as the national
accreditation body for Denmark (Ref. 19). Additionally, we note that
section 808 of the FD&C Act makes no distinction in the requirements or
process for recognizing public or private accreditation bodies.
Furthermore, we do not believe it practical to engage in additional
rulemaking for foreign government accreditation bodies and
certification applications, as the comments suggest.
(Comment 65) Some comments ask us to accept applications in other
languages common to the major production areas exporting product to the
United States. These comments assert that due to the global nature of
produce supply chains allowing applications in other languages would
encourage supply chain participation in third-party auditing programs
as a tool to improve food safety. These comments suggest that we could
develop a phased process where we only accept English applications
initially, but increase flexibility to accept applications/renewal
documents in other languages as the program builds up.
(Response 65) We acknowledge that accepting applications for
recognition in languages other than English might be beneficial to some
interested parties. However, requiring applications for recognition to
be submitted in English will help us make well-informed and timely
decisions. Further, FDA does not have the resources to translate or
review documentation in other languages and generally requires
documents submitted in other languages to be translated to English.
Therefore, we decline the suggestion to develop long-term plans for
accepting applications for recognition in languages other than English.
(Comment 66) Some comments ask what costs are associated with
getting recognized as an accreditation body.
(Response 66) Pursuant to section 808(c)(8) of the FD&C Act, we
issued proposed regulations to establish a reimbursement (user fee)
program to assess fees and require reimbursement for the work performed
to establish and administer the third-party certification
[[Page 74600]]
program. The proposed rule provides details on how user fees would be
computed (80 FR 43987, July 24, 2015).
B. How will FDA review my application for recognition or for renewal of
recognition and what happens once FDA decides on my application? (Sec.
1.631)
We proposed to establish procedures for reviewing and deciding on
applications for recognition and for renewal of recognition. We
proposed to order the application queue on a first in, first out basis
and to only place complete applications in the queue.
On our own initiative, we are revising paragraph (a) to clarify
that FDA will review submitted applications for completeness and will
notify applicants of any identified deficiencies. We also are revising
paragraph (b) to clarify that FDA's evaluation of any completed
recognition or renewal application may include an onsite assessment of
the accreditation body. In addition, we are redesignating proposed
paragraph (e) as part of paragraph (b) for clarity.
On our own initiative we are adding new paragraphs (e) through (h)
to Sec. 1.631 to explain what happens when an accreditation body's
renewal application is denied. We are adding provisions to clarify what
the applicant must do, the manner in which FDA will notify accredited
third-party certification bodies and the public of the denial, the
effect of denial of an application for renewal of recognition on
accredited third-party certification bodies, and the effect of denial
of an application for renewal of recognition on food or facility
certifications issued to eligible entities.
(Comment 67) Some comments ask us to clarify how we will recognize
an accreditation body. Some comments ask that we clearly and
comprehensively lay out the conditions and requirements governing the
application for recognition, to ensure transparency, certainty, and
predictability of the procedures and criteria governing recognition.
Some comments specifically recommend that we use the IAF/ILAC/
International Laboratory Accreditation Cooperation (ILAC) (A-series)
documents as the foundation upon which to base our process for
recognition of accreditation bodies.
(Response 67) This rule establishes the framework for the third-
party certification program and generally describes procedures involved
in the submission and processing of applications for recognition and
will be supplemented by additional instructions. For example, we are
developing an electronic portal that accreditation bodies will use in
submitting their applications for recognition, and we will be issuing
directions for using the portal. We also are developing internal
operational procedures for recognition of accreditation bodies and will
consult the IAF/ILAC (A-series) documents in considering the types of
materials that may be useful to accreditation bodies and other
stakeholders interested in learning more about our program.
(Comment 68) Some comments express concern that we are limiting
ourselves to a ``first in, first out'' review process that gives us no
discretion to recognize foreign governments before we consider other
applications from private accreditation bodies that apply. These
comments recommend that we use guidance to industry or internal
management documents, rather than this rule, to describe how we will
establish the queue of applications for review.
(Response 68) For the reasons described in Response 64, we decline
the suggestion to prioritize applications submitted by government
accreditation bodies over applications submitted by private
accreditation bodies. However, we are modifying the first in, first out
approach to application review in proposed Sec. 1.631(a) to allow FDA
to prioritize an application for review based on program needs. We will
consider the suggestion to use an internal management document to
establish our procedures for reviewing applications for recognition as
part of our operational planning.
(Comment 69) We received several comments on the timeliness of
application review and decisionmaking. Some comments assert that our
application review process must be comprehensive but also expedient.
Some comments ask that our communications with applicants be timely.
Other comments ask us to establish review timeframes by which
accreditation bodies and other interested parties may expect a response
to applications, asserting this will foster enhanced confidence and
transparency with the review process. Some comments suggest that we
review and act upon an accurately completed recognition application
within 90 days and a completed recognition renewal application within
45 days.
(Response 69) We agree with the comments suggesting that our
application review must be comprehensive and as expedient as possible.
We decline the suggestion to establish review timelines in this rule
because we lack the experience and data that would allow us to
reasonably estimate review timeframes. We also recognize that each
review will differ depending on the circumstances, and we expect to
become more efficient in application review as we gain experience in
the program.
(Comment 70) Some comments express concern about the length of time
it will take us to recognize and notify an applicant of any
deficiencies in the application. These comments also assert that
requiring applicants with deficiencies to resubmit their applications
and sending them to the bottom of the review list would make for
significant delays in the recognition and renewal processes.
(Response 70) FDA agrees that an application for recognition should
be checked for completeness promptly after submission. The Agency
intends to notify the submitter in a timely manner if the submission is
not complete. FDA anticipates that this completeness determination
could generally be made within 15 business days, because this is not a
decision on the merits of the application. However, given the competing
demands on Agency resources, including staff available to conduct
review, the Agency declines to add a time restriction in the final rule
for notifying an applicant of deficiencies that cause its application
to be considered incomplete and thus not ready for processing.
(Comment 71) Some comments assert that we should include a
mechanism for stakeholders to provide feedback to the Agency concerning
the capacity and functioning of accreditation bodies and auditors/
certification bodies because stakeholders have firsthand experience
with such entities. These comments suggest that we modify Sec.
1.631(b) to specify that FDA will also ``solicit and consider
information provided by stakeholders, including importers and foreign
suppliers subject to the accreditation body's jurisdiction, to assist
in the recognition or renewal application review process.''
(Response 71) To the extent the comments suggest that the Agency's
review and decisionmaking process on recognition applications should
include a solicitation of comments from the public we disagree, as this
would create unnecessary delay in the recognition process. FDA believes
that the information it gains through the application process will be
sufficient to make a recognition determination, and that this process
and subsequent monitoring by FDA ensures robust oversight of the
program. Nevertheless, stakeholders are always free to share with FDA
any information relevant to the Agency's food safety programs. We
[[Page 74601]]
note that information shared with FDA is subject to the information
disclosure regulations in part 20, as stated in Sec. 1.695.
(Comment 72) Some comments note that there are no circumstances or
conditions in the proposed rule that allow for an accreditation body to
question or object to an FDA action or request if they believe it is
not reasonable or relevant to the recognition and performance of the
accreditation body.
(Response 72) We do not expect to make requests or actions of an
accreditation body that are not relevant to the requirements of the
third-party certification program. FDA's evaluation of accreditation
bodies, as expressed in Sec. Sec. 1.631(b), 1.633(a), and 1.634(a), is
premised on the accreditation body's compliance with the applicable
requirements of this rule.
We note that in this rulemaking, FDA has established a number of
mechanisms to address challenges to FDA's decisions, including Sec.
1.691 (for requests for reconsideration of the denial of an application
for recognition, renewal, or reinstatement of recognition); Sec. 1.692
(for internal Agency review of the denial of an accreditation body
application upon reconsideration); and Sec. 1.693 (for regulatory
hearings on revocation of recognition).
We recommend accreditation bodies to fully consider the program
requirements before deciding to pursue recognition under the voluntary
third-party certification program.
(Comment 73) Some comments ask that we provide training and
education documents regarding the application process as quickly as
possible to ensure that accreditation bodies are clear on the process
and its requirements. These comments assert that training and education
would minimize the need for second reviews due to inaccurate or
incomplete applications.
(Response 73) As indicated in Response 67, we are developing
additional instructions for applications for recognition that will be
useful to accreditation bodies interested in pursuing recognition.
C. What is the duration of recognition? (Sec. 1.632)
We proposed to grant recognition to an accreditation body for up to
5 years, though we will determine the length of recognition on a case-
by-case basis.
(Comment 74) Some comments support our proposal to recognize
accreditation bodies for a duration of up to 5 years, with shorter
durations awarded early in the program for accreditation bodies with
little experience in accrediting third-party certification bodies.
(Response 74) We agree with comments suggesting that the duration
of recognition may vary depending on a number of factors, including the
accreditation body's history (or lack of history) in accrediting
certification bodies. We believe the proposal allows FDA to consider
such factors.
(Comment 75) Some comments express concern that we are not
proposing a fixed duration of recognition and ask us to establish a
specific time limit of 5 years. These comments assert that having a
standardized duration of recognition for all accreditation bodies is
administratively more viable for FDA to plan its resource needs and
would provide consistency across the industry. Additionally, these
comments assert that 5 years is a reasonable duration given the other
reporting and monitoring requirements built into the system.
(Response 75) We acknowledge the advantages that certainty provides
and, where appropriate, the Agency will grant recognition for the
maximum duration of 5 years. However, as noted in our previous
response, we also recognize it may be appropriate for the duration of
recognition to vary depending on a number of factors. Where, for
example, an accreditation body has little or no experience in
accrediting food safety certification bodies, we may decide the initial
grant of recognition should be less than 5 years.
(Comment 76) Some comments suggest that the duration of recognition
for an accreditation body should be 4 years to be consistent with the
duration proposed for accreditation of certification bodies in Sec.
1.661. Other comments request clarification about the difference in
durations proposed for recognition of accreditation bodies and
accreditation of certification bodies.
(Response 76) We decline the suggestion to shorten the maximum
duration of accreditation body recognition to 4 years and note that the
comments suggesting it should be the same maximum duration as third-
party certification body accreditation offered no information that
would provide an adequate basis for shortening recognition such that an
accreditation body could be recognized for no longer than a
certification body's accreditation. Further, as stated in the proposed
rule, we noted that other government programs such as the Substance
Abuse and Mental Health Services Administration program for accredited
programs that use opioid agonist treatment medications approves
accreditation bodies for up to 5 years (42 CFR 8.3). Under the FDA
mammography program, we may approve accreditation bodies for terms up
to 7 years (21 CFR 900.3(g)). As stated previously, FDA may establish a
period of recognition of less than 5 years if appropriate for a
particular applicant.
(Comment 77) Some comments assert that accreditation bodies that
maintain their IAF signatory status should not be limited to a 5-year
duration.
(Response 77) We decline the suggestion, noting that the comment
lacks information demonstrating that a longer term of recognition is
warranted for an accreditation body that is an IAF signatory.
D. How will FDA monitor recognized accreditation bodies? (Sec. 1.633)
We proposed to establish the frequency and manner for formal
evaluations of recognized accreditation bodies. Specifically, we
proposed to evaluate each recognized accreditation body by at least 4
years after the date of recognition of an accreditation body granted a
5-year term of recognition and by no later than the mid-term point for
an accreditation body granted a term of recognition of less than 5
years. Proposed Sec. 1.633 also notes that FDA may conduct additional
assessments of recognized accreditation bodies at any time.
(Comment 78) While the comments generally support FDA performance
assessments of recognized accreditation bodies, the comments express a
wide range of views on how frequently such assessments should occur.
Some comments support the proposed reevaluation frequency for
recognized accreditation bodies. Some comments assert that we need to
have a more suitable monitoring mechanism. Other comments suggest we
incorporate a random, unannounced performance review for recognized
accreditation bodies as a supplement to the proposed frequency. Some
comments take a contrary view, asking us to clarify in the final rule
the circumstances under which we may perform additional performance
assessments of recognized accreditation bodies. These comments assert
that FDA's ability to conduct additional audits, assessments, and
investigations without the requirement to justify such actions creates
the potential for a confrontational relationship and lack of trust. The
comments question whether, without such clarification, any refusal by
an accreditation body to grant FDA access or information would trigger
revocation
[[Page 74602]]
of their recognition. Still other comments request clarification on the
frequency of audits that will be conducted on accreditation bodies.
(Response 78) Monitoring assessments of accreditation bodies are
one of several tools we will use for program oversight. Section
1.633(a) implements section 808(f) of the FD&C Act, which states that
FDA must reevaluate a recognized accreditation body periodically, or at
least once every 4 years, and take any other measures FDA deems
necessary to ensure compliance. We anticipate that information gleaned
from other monitoring tools, such as an accreditation body's self-
assessment, may prompt additional performance assessments in certain
instances. Although we decline to specifically codify random,
unannounced performance reviews as a supplement to the proposed
frequency as suggested by the comment, we note that under Sec.
1.633(a) FDA may conduct additional assessments of recognized
accreditation bodies, including unannounced assessments, at any time as
it deems appropriate. We need to retain flexibility to conduct
additional audits, assessments and investigations to support the
credibility of the program.
With respect to the request to clarify whether any refusal to grant
FDA access or information for a performance assessment would trigger
revocation, under section Sec. 1.634(a), refusal to allow FDA to
conduct an assessment to ensure the accreditation body's continued
compliance with the requirements of this subpart is grounds for
revocation.
(Comment 79) Some comments assert that we should provide additional
detail on our monitoring procedures under Sec. 1.633(b). Some comments
express concern about the ambiguity of the term ``statistically
significant'' as well as the scope of onsite assessments and onsite
audits for performance evaluation purposes. These comments assert that
we must provide clear guidance to industry as to what we expect would
be involved in such onsite assessments and make this guidance available
for public comment. Other comments specifically request that we outline
the procedures under which we will conduct audits on accreditation
bodies and third-party certification bodies and specify a timeframe for
when we will issue the results of the audits. Still other comments
assert that we must provide guidance on how an eligible entity might be
selected for an audit/inspection that relates to an accreditation
body's reassessment of a certification body.
(Response 79) The objective of an assessment under Sec. 1.633 will
be to determine an accreditation body's compliance with the
requirements of this rule. When planning an assessment, we will
establish the time period of activities covered by the assessment and
may request records of an accreditation body under Sec. 1.625. We also
will develop plans for any locations to be visited, which may include
the accreditation body's headquarters and any other locations where
employees and other agents who conduct activities under this program
are managed.
In conducting the assessment, we may review records, such as
records relating to conflicts of interest and may interview officers,
employees, and other agents of the accreditation body. We also may
observe regulatory audits by certification bodies the accreditation
body has accredited. For the reasons explained in Response 28, we have
removed the phrase, ``statistically significant'' and revised the
sentence to explain that we may observe a ``representative sample'' of
certification body regulatory audits when conducting an assessment of
its accreditation body. We will decide what constitutes a
``representative sample'' for purposes of Sec. 1.633 on a case-by-case
basis, based on factors such as how many certification bodies the
accreditation body has accredited under the program, the scope of
accreditation of the certification bodies accredited by the
accreditation body, how many years the accreditation body has been in
the program, how many prior assessments of the accreditation body we
have performed, and the length of time since any prior assessments.
(Comment 80) Some comments ask that we inform recognized
accreditation bodies prior to doing onsite assessments of accredited
certification bodies and eligible entities as part of our performance
evaluations.
(Response 80) In planning an assessment with onsite observations of
certification bodies or an audit of certified eligible entities, we
will consider whether to provide notice to the accreditation body and/
or invite the accreditation body to be present. In some circumstances
we may determine that it would be necessary or appropriate to conduct
the assessment or audit without notice to the accreditation body.
(Comment 81) Some comments assert that to carry out performance
evaluations for the purpose of monitoring recognized accreditation
bodies, we must have an agreement directly with the certification
bodies or request that recognized accreditation bodies include these
requirements in their agreements with certification bodies they have
accredited.
(Response 81) We disagree that we must have an agreement directly
in place with each accredited certification body for us to carry out
performance evaluations, as Sec. 1.633(b) states that FDA may include
onsite assessments of a representative sample of third-party
certification bodies the recognized accreditation body accredited and
onsite audits of a representative sample of eligible entities certified
by such third-party certification bodies under this subpart. We
recommend that third-party certification bodies fully consider the
program requirements before deciding to pursue accreditation under this
voluntary third-party certification program. We also encourage
recognized accreditation bodies to include language in their standard
contracts with third-party certification bodies they accredit under
this program that acknowledges FDA's ability to conduct such
evaluations.
(Comment 82) Some comments ask who will cover the costs of audits
on recognized accreditation bodies.
(Response 82) As discussed in Response 66, we are proposing in a
separate rulemaking (80 FR 43987) the costs of FDA monitoring of
recognized accreditation bodies will be covered by user fees that we
will establish by regulation.
E. When will FDA revoke recognition? (Sec. 1.634)
Proposed Sec. 1.634 establishes the criteria and procedures for
revocation of recognition of an accreditation body, including requests
for records and notifications. It describes several circumstances that
warrant revocation of recognition and describes the effects (if any) of
revocation on accreditations and certifications occurring prior to the
revocation.
On our own initiative, we are revising Sec. 1.634(c)(2) to require
the accreditation body to notify FDA of the name and contact
information of the custodian who will maintain the records required by
Sec. 1.625 instead of just providing us with a location to increase
flexibility. We are making corresponding changes to Sec. Sec.
1.635(a), 1.664(e)(2), and 1.665(a). We also are revising paragraphs
(d) through (f) to clarify the manner of FDA's notice to affected
third-party certification bodies and the public of the revocation, as
well as the effect of such revocation on the accredited third-party
certification bodies and certifications they issued prior to issuance
of the revocation of recognition.
(Comment 83) Some comments recommend that when an accreditation
[[Page 74603]]
body's recognition is revoked, the information on the Web site includes
the cause or causes of the revocation.
(Response 83) We agree and will include on the FDA Web site a brief
description of the grounds whenever revoking the recognition of an
accreditation body.
(Comment 84) Some comments agree that providing the certification
body 1 year to transition and become accredited with another
accreditation body is a reasonable concept, but express concerns that
in many countries a limited number of accreditation bodies may make
meeting that timeframe difficult. They also note that although audited
entities' certifications may remain in effect until its expiration, it
may be difficult for them to maintain their certifications beyond that
date due to lack of accreditation bodies, or there may be instances in
which their certification is set to expire in weeks or months following
the revocation. These comments note a similar concern about the impact
of a lack of capacity on scheduling certification audits should the
certification body have to be reaccredited within 1 year. Comments
recommend that FDA address this issue by performing an assessment of
accreditation capacity in key production regions around the world and
using that information as a baseline to inform timeframes on re-
accreditation of third-party certification bodies. Other comments
suggest that either FDA be required to renew the recognition of the
recently revoked accreditation body or recognize a new accreditation
body in time for any affected accredited certification body to comply,
or FDA would be required to solicit applications for a new
accreditation body after an accreditation body's recognition is
revoked. Comments also recommend that certifications issued by a
certification body accredited by the accreditation body whose
recognition was revoked remain in effect for 1 year from the date of
the revocation of the accreditation body in order to reduce the
likelihood of a lapse in certification of eligible facilities.
(Response 84) We acknowledge that revocation of the recognition of
an accreditation body may present difficulties for the certification
bodies accredited by the accreditation body (and for the eligible
entities those certification bodies certified), particularly in
countries that have a single national accrediting authority. In such
circumstances, we intend to work with recognized accreditation bodies
and the certification bodies to identify opportunities and challenges.
We believe 1 year is sufficient time for a certification body to be
reaccredited in such circumstances. The requirement for an eligible
entity to become recertified after a certificate terminates by
expiration is based on section 808(d) of the FD&C Act, which requires
an eligible entity to apply for annual recertification. In light of the
foregoing, we are declining the requests to extend the deadlines for
reaccreditation and for recertification in the case of revocation of
recognition of an accreditation body.
(Comment 85) Some comments request FDA provide specific provisions
to address potential questions that may arise if recognition of an
accreditation body is revoked, with particular emphasis on the validity
of certificates or other documentation already issued when revocation
occurs.
(Response 85) Section 1.634(d) specifically describes the impact of
revocation of recognition of an accreditation body on the certification
bodies that it accredited under this program, including that a
certification body's accreditation will remain in effect if it provides
a self-assessment to FDA within 60 days of issuance of the revocation
and it is accredited by another recognized accreditation body or FDA no
later than 1 year after the revocation or the original date of
expiration of the accreditation, whichever comes first. Section
1.634(e) explains that in the case of revocation of an accreditation
body's recognition, a food or facility certification issued by a
certification body accredited by the accreditation body prior to the
revocation of its recognition will remain in effect until the
certification terminates by expiration.
(Comment 86) Some comments request that FDA clarify how individual
holders of certifications would be made aware of the revocation of
recognition. For example, they ask if FDA would contact certification
holders directly or if the certification holder would be required to
monitor the recognition status of the accreditation and certification
bodies.
(Response 86) We will provide notice on the FDA Web site when we
revoke the recognition of an accreditation body. We also will notify
certification bodies that have been accredited by the accreditation
body that has had its recognition revoked through the electronic portal
we are establishing. Because revocation of recognition will not affect
the duration of previously issued certificates, we will not directly
contact eligible entities to inform them of the revocation. If the
revocation of recognition results in the withdrawal of accreditation of
a certification body, FDA will provide notice of such withdrawal on our
Web site as provided in Sec. 1.664(h).
(Comment 87) Some comments recommend that FDA refer to the
provisions in ISO/IEC 17011:2004 and ISO/IEC 17021:2011 to inform the
provisions revocation of recognition in Sec. 1.634 and withdrawal of
accreditation in Sec. 1.664 and to distinguish those actions from
reduction in scope of recognition and accreditation and to establish
the specific grounds and effects for those actions.
(Response 87) Neither of the ISO/IEC standards cited in the
comments relate to revocation of recognition of an accreditation body;
however, we reviewed ISO/IEC 17011:2004 (Ref. 5) for terminology,
procedures, and grounds that might have relevance for revocation of
recognition in Sec. 1.634. We decline the suggestion to consider ISO/
IEC 17021:2012 (Ref. 6), which applies to certification bodies, for
purposes of this analysis as it is inapplicable.
Having reviewed ISO/IEC 17011:2004, we note that ISO/IEC 17011:2004
(Ref. 5) gives an accreditation body the flexibility to establish its
own procedures for suspension, withdrawal, or reduction of the scope of
an accreditation as explained in clause 7.13.1 and NOTE. FDA's
procedures for revocation of recognition are thus not inconsistent with
the ISO standards in this respect. Regarding the grounds for withdrawal
of accreditation, ISO/IEC 17011:2004 (Ref. 5), clause 7.13, provides
that an accreditation body must make decisions to suspend and/or
withdraw accreditation when an accredited conformity assessment body
(i.e., third-party certification body) has persistently failed to meet
the requirements of accreditation or to abide by the rules for
accreditation. The standard for revocation of recognition under this
program is established by section 808(b)(1)(C) of the FD&C Act, which
requires FDA to ``promptly revoke the recognition of any accreditation
body found not to be in compliance with the requirements of this
section,'' which is the standard that is used in proposed Sec. 1.634.
Therefore, we cannot incorporate this standard for withdrawal for
purposes of this program.
(Comment 88) Some comments suggest FDA revise Sec. 1.634(a)(3) and
(4) to provide that FDA can make a decision to revoke recognition or
withdraw accreditation only when it has objective evidence to
demonstrate that the recognized accreditation body committed fraud or
submitted material with significant false statements, demonstrated a
significant bias or significant lack of objectivity when
[[Page 74604]]
conducting activities, or significantly failed to adequately support
one or more decisions to grant accreditation.
(Response 88) We disagree. Section 808(b)(1)(C) requires FDA to
promptly revoke the recognition of any recognized accreditation body
found not to be in compliance with section 808 of the FD&C Act, which
establishes the third-party program. This program is a system of
assurances that begins with the recognition of qualified accreditation
bodies, which in turn accredit certification bodies to make judgments
about the compliance of eligible entities and the food they produce
with the applicable food safety requirements of the FD&C Act and FDA
regulations. FDA's ability to have swift recourse when a recognized
accreditation fails to comply with the requirements of the third-party
program is essential. Limiting FDA's ability to revoke the recognition
of accreditation bodies to instances of ``significant'' fraud, bias, or
lack of competence as the comment suggests would render the program
unreliable to provide the assurance of food safety intended by this
section.
F. What if I want to voluntarily relinquish recognition or do not want
to renew recognition? (Sec. 1.635)
Proposed Sec. 1.635 describes the procedures that an accreditation
body must follow when it intends to relinquish its recognition.
FDA received comments in support of the proposed procedures for
voluntary relinquishment of recognition. FDA received no adverse
comments on this section. On our own initiative, we are revising the
voluntary relinquishment provisions in Sec. 1.635 to also address
situations where a recognized accreditation body decides it does not
want to renew its recognition once it expires. In addition we are
including procedures for the certification bodies to follow after their
accreditation bodies' recognitions are relinquished or not renewed.
G. How do I request reinstatement of recognition? (Sec. 1.636)
Proposed Sec. 1.636 describes the procedures that an accreditation
body would have to follow when seeking reinstatement of its
recognition.
FDA received comments in support of the proposed procedures for
reinstatement of recognition. FDA received no adverse comments on this
section and is not making any substantive changes to this section in
this final rule.
VIII. Comments on Accreditation of Third-Party Certification Bodies
Under This Subpart
A. Who is eligible to seek accreditation? (Sec. 1.640)
Proposed Sec. 1.640 states that a foreign government, agency of a
foreign government, foreign cooperative, or other third-party would be
eligible for accreditation from a recognized accreditation body (or,
where direct accreditation is appropriate, FDA) to conduct food safety
audits and issue food and facility certifications under the program.
Proposed Sec. 1.640(b) is based on section 808(c)(1)(A) of the FD&C
Act and would require a foreign government/agency seeking accreditation
to demonstrate that its food safety programs, systems, and standards
would meet the requirements of proposed Sec. Sec. 1.641 to 1.645, as
specified in FDA's model standards on qualifications for accreditation,
including legal authority, competency, capacity, conflicts of interest,
quality assurance, and records. Proposed Sec. 1.640(c) is based on
section 808(c)(1)(B) of the FD&C Act and would require a foreign
cooperative or other third-party certification body seeking
accreditation to demonstrate that the training and qualifications of
its audit agents and the internal systems used by the certification
body would meet the requirements of proposed Sec. Sec. 1.641 to 1.645,
as specified in FDA's model standards on qualifications for
accreditation, including legal authority, competency, capacity,
conflicts of interest, quality assurance, and records.
At our own initiative, we revised Sec. 1.640(c) to apply to
accredited third-party certification bodies that are comprised of a
single individual, as applicable.
(Comment 89) Some comments suggest that FDA should require third-
party certification bodies conducting regulatory audits to be
accredited to either: (1) ISO 17021:2011 (Ref. 6), with the
complementary requirements of ISO/TS 22003:2007, Food safety management
systems--Requirements for bodies providing audit and certification of
food safety management systems (Ref. 20) or (2) ISO 17065:2012 (Ref.
7), with conformance to ISO 17021:2011 (Ref. 6) and ISO 22000:2005,
Food safety management systems--Requirements for any organization in
the food chain (Ref. 21).
Other comments suggest that ISO/IEC 17000:2004 (Ref. 4) and ISO/IEC
17021:2011 (Ref. 6) provide a common framework for managing the
effectiveness of third-party certification activities and recommend
incorporating the standards by reference into the final rule. The
comments assert that FDA's proposed rule, by failing to incorporate by
reference the ISO standards, appears to unnecessarily establish a
unique standard in contravention of the NTTAA and OMB Circular A-119
(63 FR 8546) without adequate justification. The comments include
recommended revisions to Sec. 1.640. Other comments note that ISO/IEC
Guide 65:1996 (Ref. 9) will be phased out by September 2015; therefore,
the wording in the final rule should be changed to reflect the
successor standard, ISO/IEC 17065:2012 (Ref. 7). Some comments express
concern about the additional costs to exporters from third-party audits
and private interests over and above official systems.
(Response 89) As explained in section I.D., we have revised the
rule to allow a third-party certification body to offer documentation
of conformance to ISO/IEC 17021:2011 (Ref. 6) or ISO/IEC 17065:2013
(Ref. 7) in support of its application for accreditation, supplemented
as necessary. However, we decline the suggestion to incorporate the
standards by reference into this rule.
ISO/IEC ISO 17021:2011 (Ref. 6) and ISO/IEC 17065:2012 (Ref. 7),
the successor to ISO Guide 65:1996 (Ref. 9), contain requirements that
are inconsistent with section 808 of the FD&C Act and impractical for
our program. For example, ISO/IEC 17021:2011 (Ref. 6), clause 5.2.6,
prohibits a certification body, including a governmental certification
body, from providing internal audits to its certified clients. Under
this same clause, a certification body that has provided internal
auditing services to a client must wait for 2 years before conducting
an audit for certification purposes. Clause 5.2.5 of the standard also
prohibits the certification body from offering or providing any
management systems consultancy (defined as participation in designing,
implementing, or maintaining a management system). We note that ISO/IEC
17065:2012 (Ref. 7), clause 4 contains similar requirements, e.g., in
clauses 4.2.6 and 4.2.10 NOTE 1, as the requirements of clauses 5.2.5
and 5.2.6 of ISO/IEC 17011:2004 (Ref. 5).
The requirements of our third-party program are markedly different,
because section 808 of the FD&C Act expressly allows an accredited
third-party certification body to conduct both regulatory audits for
certification purposes and consultative audits for internal purposes.
Further, section 808(c)(4)(C) of the FD&C Act allows an accredited
certification body to use the same audit agent in auditing the same
[[Page 74605]]
eligible entity, subject only to a limitation (that FDA may waive) on
using the agent for a regulatory audit when the agent had conducted a
consultative audit of the eligible entity in the preceding 13 months.
As another example, we note that ISO/IEC 17021:2011, clauses 6.2.1
to 6.2.3 (Ref. 6), require a certification body to establish an
external committee for safeguarding impartiality that includes
representation of key interests, such as audited firms. Clause 5.3.2 of
the standard requires the certification body to demonstrate to the
external committee that commercial, financial, or other pressures do
not compromise its impartiality. Under clause 6.2.2(c), the committee
has the right to take ``independent action'' if the top management of
the certification body ``does not respect the advice of this
committee.'' ISO/IEC 17065:2012 (Ref. 7), clause 5, contains similar
requirements--e.g., clause 5.2.1 NOTE 1 (committee) and 5.2.3 (right to
take independent action).
It would be inappropriate and impractical for FDA to require an
accredited third-party certification body to assemble a committee
representing interests outside those of this program, and would be
impractical for FDA to properly manage the program under such
circumstances. We also are concerned about the disincentive these
requirements of ISO/IEC 17011:2004 (Ref. 5) and ISO/IEC 17065:2012
(Ref. 7) might create, for example, for foreign competent authorities
who have their own processes for stakeholder engagement.
Based on our review of the standard and explained in the examples
provided above, we have determined that ISO/IEC 17011:2004 (Ref. 5) and
ISO/IEC 17065:2012 (Ref. 7) are inconsistent with section 808 of the
FD&C Act and impractical for purposes of this program and therefore
deny the suggestion to incorporate by reference into this rule.
With respect to the suggestion to incorporate ISO/IEC 17000:2004
(Ref. 4) into this rule, we note that this standard uses terminology
that is inconsistent with section 808 of the FD&C Act. We are concerned
that incorporating the terms used in ISO/IEC 17000:2004 (Ref. 4) in
this rule would create unnecessary confusion as to how the rule relates
to the statute. For example, clause 7.5 of the standard uses the term
``recognition'' for the ``acknowledgement of the validity of a
conformity assessment result provided by another person or body,''
while recognition is used in section 808 of the FD&C Act when
describing FDA's determination that an accreditation body meets the
requirements of this rule.
Based on our review of the standard and explained in the example
provided above, we have determined that ISO/IEC 17000:2004 (Ref. 4) is
inappropriate for incorporation by reference into this rule.
Although we decline to incorporate the standards mentioned in the
comments, we are revising Sec. 1.640 to allow a third-party
certification body to offer documentation of its conformance to ISO/IEC
17021:2011 (Ref. 6) or ISO/IEC 17065: 2013 (Ref. 7), supplemented as
necessary, in support of its application for accreditation under the
final rule. We conclude that this will serve to promote international
consistency and allow third-party certification bodies to use a
framework that is familiar to them when it can be used to meet the
requirements of this rule.
(Comment 90) Some comments suggest the rule should impose different
requirements on foreign government certification bodies and on other
third-party certification bodies (i.e., foreign cooperatives and other
third-party certification bodies), because of the different nature of
private operators and public administration.
(Response 90) Under section 808(a)(3) of the FD&C Act third-party
certification bodies include Foreign government certification bodies,
foreign cooperatives, and other third-party certification bodies.
Section 808 of the FD&C Act for the most part does not distinguish
between public and private certification bodies and states that both
are subject to the same model accreditation standards discussed in
808(b)(2). The only difference in treatment of public and private
certification bodies is set forth in section 808(c)(1) of the FD&C Act,
describing what elements of oversight be assessed for accreditation.
This difference is reflected in the eligibility criteria set forth in
Sec. 1.640(b) and (c). In all other areas, we decline the suggestion
to impose different requirements on foreign government certification
bodies and other third-party certification bodies.
(Comment 91) Some comments express skepticism about private
auditing companies. Some comments note that foreign cooperatives have
rarely if ever been engaged in true accredited third-party auditing/
certification activities and are thus unproven in that role.
(Response 91) As stated above, section 808 of the FD&C Act
expressly provides for both public and private accredited third-party
certification bodies. FDA believes the system of oversight established
under this rulemaking will be sufficient to ensure the reliability of
private certification bodies that are able to participate in the
program. Foreign cooperatives are specifically listed in section 808 of
the FD&C Act as a third party that could be a certification body, and
must meet the same rigorous criteria to qualify for accreditation.
B. What legal authority must a third-party certification body have to
qualify for accreditation? (Sec. 1.641)
Proposed Sec. 1.641 would require third-party certification bodies
to demonstrate that they have adequate legal authority, which may
include authority established by contract or as a government entity to
evaluate eligible entities for compliance with the applicable
requirements of the FD&C Act and FDA regulations.
FDA received no adverse comments specific to this section. However,
as discussed in Response 27, we have revised Sec. 1.641 to specify
that a third-party certification body has to be a legal entity.
C. What competency and capacity must a third-party certification body
have to qualify for accreditation? (Sec. 1.642)
Proposed Sec. 1.642 would require a third-party certification body
to demonstrate it has adequate resources to fully implement its
auditing and certification program and the capacity to implement the
requirements of this program, if accredited.
(Comment 92) Some comments suggest that we require certification
bodies to be bonded, to cover any Agency costs should the firm go
bankrupt.
(Response 92) We decline the suggestion to require certification
bodies to be bonded to cover any Agency costs if a certification body
goes bankrupt. This requirement is unnecessary because the program is
designed to operate using user fees. Additionally, Sec. 1.642 of the
final rule requires a third-party certification body to demonstrate
that it has adequate resources to fully implement its auditing and
certification program.
(Comment 93) Some comments recommend that we clearly define the
necessary competencies of certification body staff and auditors. Some
comments suggest that we require auditors to have at least 1 year of
work experience in testing and assessing the conditions for food safety
of certain food manufacturer(s) and to have attended at least 20 audits
for management systems using hazards analysis and critical control
point requirements.
[[Page 74606]]
(Response 93) Section 1.640 of this rule establishes the
eligibility requirements for third-party certification bodies seeking
to participate in the third-party certification program. Specific
recommendations on qualifications such as the years and types of work
experience in food safety and in conducting audits will be contained in
FDA's Model Accreditation Standards final guidance, as explained in
section I.D.
(Comment 94) Some comments emphasize the importance of having
certification bodies accredited to the specific areas in which they
will be conducting audits and issuing certifications. The comment
explains that accredited auditors/certification bodies auditing pet
food facilities must be adequately qualified and knowledgeable in pet
food requirements. The comments express concern that human food
standards might be misapplied to a facility producing raw materials,
ingredients or finished food for pet food (e.g., cross-contact for
allergens, ingredients destined for further processing).
(Response 94) A recognized accreditation body assessing a
certification body for accreditation (or FDA under direct
accreditation) must ensure that the certification body is qualified to
conduct audits under the food safety requirements of the FD&C Act and
FDA regulations that apply to the scope of accreditation sought.
Therefore, a third-party certification body that is accredited to
conduct audits under part 117 would not be accredited to perform audits
under 21 CFR part 507, unless the accrediting body has assessed the
certification body's qualifications and accredited it to perform audits
under part 507 as well.
D. What protections against conflict interest must a third-party
certification body have to qualify for accreditation? (Sec. 1.643)
Proposed Sec. 1.643 would require third-party certification bodies
to have established programs to safeguard against conflicts of interest
that might compromise their objectivity and independence.
On our own initiative, we are clarifying in Sec. 1.643(a) that the
conflict of interest provisions of this section apply to officers,
employees, and other agents that are involved in auditing and
certification activities, as relevant. We are making corresponding
changes in the subsequent provisions for accredited third-party
certification bodies under Sec. 1.657(a) and (c).
(Comment 95) Some comments recommend that FDA ensure that auditors
are competent and accountable and that there are adequate protections
against conflicts of interest, with maximum transparency related to
auditors' activities. The comments support requirements for documented
safeguards against conflicts of interest to help ensure that decisions
are accurate and unbiased and that auditors are independent.
(Response 95) We agree and are requiring third-party certification
bodies seeking accreditation to demonstrate they have written conflict
of interest measures and that they have the capacity to meet the
requirements of the final rule, if accredited.
E. What quality assurance procedures must a third-party certification
body have to qualify for accreditation? (Sec. 1.644)
Proposed Sec. 1.644 would require a third-party certification body
to have a written program for monitoring and assessing its performance,
identifying deficiencies in its program or performance and quickly
executing corrective actions.
FDA received no adverse comments specific to this section. However,
as discussed in Response 32, we revised Sec. 1.644(a) to clarify that
a certification body must demonstrate that it has procedures to
identify deficiencies and procedures to execute corrective actions for
such deficiencies, which would better align with international
standards (see, e.g., clause 5.5 in ISO/IEC 17011:2004 (Ref. 5)).
F. What records procedures must a third-party certification body have
to qualify for accreditation? (Sec. 1.645)
Proposed Sec. 1.645 would require a third-party certification body
to have developed and implemented written procedures to establish,
control, and retain the records. Such records are necessary to provide
the recognized accreditation body (or FDA under direct accreditation)
an adequate basis for assessing the certification body for
accreditation under this program.
We received no adverse comments specific to Sec. 1.645 and are
making no substantive revisions to this section.
IX. Comments on Requirements for Third-Party Certification Bodies That
Have Been Accredited Under This Subpart
A. How must an accredited third-party certification body ensure its
audit agents are competent and objective? (Sec. 1.650)
Proposed Sec. 1.650 would require an accredited third-party
certification body that uses audit agents to ensure that each audit
agent meets certain requirements for competency and objectivity under
the final rule. Under paragraph (a), the audit agent would need to have
knowledge and experience relevant to determining an eligible entity's
compliance with the applicable food safety requirements of the FD&C Act
and FDA regulations and, for consultative audits, conformance with
industry standards and practices. The accredited certification body
would have to determine the audit agent's competency to conduct food
safety audits in part by observing a representative number of audits
performed by the audit agent. The audit agent would have to complete
annual food safety training under the accredited third-party
certification body's training plan, comply with the conflict of
interest requirements for audit agents, and agree to notify its
certification body immediately upon discovering, during a food safety
audit, any condition that could cause or contribute to a serious risk
to the public health.
Under proposed Sec. 1.650(b), the accredited third-party
certification body would have to assign an audit agent qualified to
conduct the food safety audit, based on the scope and purpose of the
audit and the type of facility, its processes, and food. Proposed Sec.
1.650(c) would prevent an accredited third-party certification body
from using an audit agent to conduct a regulatory audit of an eligible
entity if the agent had conducted a regulatory or consultative audit of
the same eligible entity during the preceding 13 months, except FDA
could waive the 13-month limitation for an accredited certification
body that could demonstrate insufficient access to accredited third-
party certification bodies in the country or region where the eligible
entity is located.
Of our own initiative, we are revising Sec. 1.650(a) to apply to
accredited third-party certification bodies that are comprised of a
single individual, as applicable. Section 808(a)(3) of the FD&C Act
specifically allows an accredited third-party certification body to be
an individual, which would not fall within the definition of ``audit
agent'' in the statute or this rule.
[[Page 74607]]
Therefore, as part of establishing eligibility under Sec. 1.640, an
individual seeking accreditation must fulfill the requirements of Sec.
1.650(a)(1) to become accredited under this rule and, once accredited,
must comply with the annual food safety training requirements of Sec.
1.650(a)(3). Pursuant to Sec. 1.650(a)(4), an accredited third-party
certification body also must comply with the conflict of interest
provisions applicable to audit agents under Sec. 1.657(a)(3).
We note that a recognized accreditation body that is assessing an
individual seeking accreditation under this program also must assess
the individual's knowledge and experience under Sec. 1.650(a)(1) for
the scope of accreditation requested and must consider the results of
such assessment in determining the individual's eligibility for
accreditation under Sec. 1.640. The onsite observations of an
individual seeking accreditation that are performed under Sec.
1.620(a)(3) must be sufficient to determine competency consistent with
Sec. 1.650(a)(2).
(Comment 96) Some comments strongly support the proposed
requirements of Sec. 1.650, which would require an accredited
certification body to ensure that the audit agents it uses have the
knowledge and experience, within the scope of its accreditation, to
examine facilities, processes, and foods for compliance with the FD&C
Act and FDA regulations. The comments assert that audits are only as
good as the education, training, and experience of the auditor. Other
comments recommend that food safety audits under this rule should be
performed by individuals that have training equivalent to FDA
investigator training standards.
(Response 96) We agree with comments emphasizing the importance of
ensuring that audit agents an accredited third-party certification body
uses to conduct audits under the program are appropriately qualified
within the scope of the third-party certification body's accreditation.
Proposed Sec. 1.650 would comprise the elements of a comprehensive
assessment that an accredited third-party certification body would need
to perform for each audit agent it would use to conduct a food safety
audit under this rule. We further agree with comments suggesting that
an auditor determined by a third-party certification body to be
competent to conduct audits under private food safety schemes must
nonetheless be assessed by the accredited third-party certification
body for competency to conduct audits using the applicable food safety
requirements of the FD&C Act and FDA regulations as the audit criteria.
Therefore, under Sec. 1.650(a), an audit agent would need to
demonstrate substantive knowledge of the applicable food safety
requirements of the FD&C Act and FDA regulations relevant to the scope
and purpose of the food safety audits the agent would conduct under the
program. We do not agree to go so far as to require that all audit
agents or individuals accredited as third-party certification bodies
must have training equivalent to FDA investigator training standards,
as we acknowledge that some investigator training would not be
necessary to conduct audits under this program (e.g., evidence
collection for enforcement purposes). Such a requirement would impose
unnecessary costs and might serve as a disincentive to participation in
the program.
(Comment 97) Some comments specifically endorse proposed Sec.
1.650(a)(2), which would require each audit agent to be observed
conducting audits to examine compliance with the FD&C Act in a
representative number of facilities and foods. Other comments recommend
that an accredited third-party certification body should observe an
audit agent before the agent begins to conduct food safety audits of a
different type of food, followed by random, periodic spot audits to
confirm that the audit agent is applying the audit criteria
consistently. The comments interpret proposed Sec. 1.650(a)(2) to mean
that the accredited third-party certification bodies would be required
to ``continually witness'' each audit agent they use.
(Response 97) We agree that observations of audit agents under
proposed Sec. 1.650(a)(2) are essential in determining the competency
of audit agents. We are revising proposed Sec. 1.650(a)(2) to require
the observation of a representative ``sample'' of audits, instead of a
representative ``number'' of audits, because the focus of this
provision was not intended to be on the number of audits the audit
agents would be expected to conducted. Rather, we intend for the
accredited third-party certification body to observe a sample of audits
that are representative of the range of audits the audit agent might be
assigned.
In determining what would constitute a ``representative sample''
for purposes of final Sec. 1.650(a)(2), the accredited third-party
certification body should consider the various types of food facilities
that might be audited and the range of FDA regulations that would apply
to such facilities. An accredited third-party certification body would
need to observe the audit agent conducting a number of audits across
the range of facilities identified by the certification body, and the
range of FDA regulations that would apply to those facilities, such
that, taken together, the observed audits would be adequately
representative of the facilities, processes, and foods the audit agent
may be assigned to conduct. Generally, the more complex the regulations
or the more complex the processes used by the facility, the greater the
sample size should be, to help ensure the audit agent can apply the
audit criteria consistently and reliably in various situations. The
accredited third-party certification also should gather sufficient
information to provide confidence in its determination of the audit
agent's competency to conduct audits under this rule.
Contrary to the interpretation suggested by some comments, proposed
Sec. 1.650(a)(2) would not require an accredited third-party
certification body to ``continually witness'' each of its audit agents.
Such an approach is not practical, efficient, or necessary. However, we
are clarifying in Sec. 1.650(a)(2) that before an audit agent is used
to conduct food safety audits under this rule the audit agent must be
observed by the accredited third-party certification body and found to
be competent to conduct food safety audits relevant to the audits they
will be assigned to perform under this program. Such observations also
must be performed whenever an audit agent will be assigned to perform
food safety audits to determine compliance with additional food safety
requirements under the FD&C Act and FDA regulations beyond what the
certification body has previously observed.
Under this approach, once an accredited third-party certification
body has determined an audit agent's competency and objectivity under
Sec. 1.650, the audit agent can be assigned to conduct audits for
which they are qualified under Sec. 1.650(a)(1) and (2), subject to
requirements such as the annual training requirements in Sec.
1.650(a)(3) and the accredited third-party certification body's self-
assessment under Sec. 1.655. Although we decline to require periodic
observations of audit agents, once the accredited certification body
has determined the competency of its audit agents under Sec.
1.650(a)(2), we acknowledge the value of such observations in verifying
audit agent competency and the rigor of the certification body's
program for evaluating its audit agents.
(Comment) 98) Some comments recommend that we include
[[Page 74608]]
requirements focusing on the performance of individual audit agents
because, the comments assert, many audit complaints arise from
individual auditor conduct and focusing on individual performance may
help create more consistency in the process.
(Response 98) We agree, and have received similar input from other
stakeholders during our public meetings. The comments and other
stakeholder input underscore the importance of the requirements for an
accredited third-party certification body to observe a representative
sample of audits conducted by each audit agent under Sec. 1.650(a)(2),
to ensure that any audit agent it assigns to an audit is appropriately
qualified under Sec. 1.650(b), and to assess the performance of its
audit agents and the consistency of performance across all its audit
agents as part of the certification body's self-assessment under Sec.
1.655.
(Comment 99) Some comments support the proposed requirement for
annual food safety training under proposed Sec. 1.650(a)(3), noting
the importance of ensuring that audit agents have up-to-date training
in areas relevant to their audit activities. The comments also suggest
that FDA should communicate to training institutions any general audit
agent training needs FDA identifies through its program management and
oversight. Other comments recommend that the annual training
requirement should relate to relevant food safety provisions of the
FD&C Act and FDA regulations.
(Response 99) We agree and are revising Sec. 1.650(a)(3) to
clarify that an audit agent, or an individual accredited as a third-
party certification body, must have annual food safety training that is
relevant to activities conducted under this program. FDA works with a
number of Alliances and other organizations to ensure training needs
for regulatory requirements are met. For instance, having identified
the need to train regulators and industry in the new FSMA preventive
controls rules, FDA is working in collaboration with the Food Safety
Preventive Controls Alliance (FSPCA) to develop training materials and
establish training and technical assistance programs for the preventive
controls rules. The Alliance includes members from FDA, state food
protection agencies, the food industry, and academia and is funded by a
grant to the Illinois Institute of Technology's Institute for Food
Safety and Health. For more information about the FSPCA, see e.g.,
http://www.iit.edu/ifsh/alliance/.http://www.iit.edu/ifsh/alliance/.
(Comment 100) Some comments suggest that in addition to the
requirements of the proposed rule, we should require conformance to
ISO/IEC 19011:2011 (Ref. 8) on auditor competency.
(Response 100) FDA's recommendations on auditor competency, among
other things, will be contained in FDA's Model Accreditation Standards.
As noted in section I.D., comments that address matters covered by
FDA's Model Accreditation Standards are outside the scope of this
rulemaking.
The issuance of the Model Accreditation Standards draft guidance
was announced through publication of a notice of availability in the
Federal Register of July 24, 2015. We plan to finalize the Model
Accreditation Standards after receiving public comments on the draft
guidance.
(Comment 101) Some comments note that the audit agent's education,
training, and experience must be specific to the industry or industries
being audited. Some comments, for example, recommend that audit agents
who examine eligible entities for compliance with food additive
requirements should have industry experience with food additives and
relevant knowledge, experience or training in auditing these types of
facilities and processes.
(Response 101) We agree that a certification body must consider an
audit agent's competency whenever assigning the audit agent to a
specific audit. Therefore, Sec. 1.650(b) requires the accredited
third-party certification body to ensure that an audit agent it assigns
to a specific audit is appropriately qualified, based on the audit
scope and purpose, the specific type of facility, processes, and foods
the audit agent would be required to examine, and the food safety
requirements of the FD&C Act and FDA regulations that would apply.
We note that an accredited third-party certification body that is
an individual would be determined during the accreditation process to
be appropriately qualified to conduct audits within the scope of its
accreditation.
(Comment 102) Some comments agree with proposed Sec. 1.650(c) and
assert that it is needed to protect against conflicts of interest. Some
comments assert that, under current practices, auditors in many
countries frequently conduct consecutive audits at the same premises.
Other comments suggest that the 13-month limit is unnecessary because
adequate mechanisms already exist to manage conflicts of interest and
objectivity in ISO/IEC standards. Still other comments express concern
that the proposed limit of 13 months would be too short to avoid a
conflict of interest. These comments contend a short interval between
consultative audits and regulatory audits that are conducted by the
same audit agent could create the appearance that the audit agent is
auditing the results of the prior consultation. Other comments assert
we should impose a 2-year limit, rather than a 13-month limit on audit
agents conducting regulatory audits of the same eligible entity.
(Response 102) We disagree with comments opposed to proposed Sec.
1.650(c). Proposed Sec. 1.650(c) would implement the requirements of
section 808(c)(4)(C) of the FD&C Act, which limits an accredited third-
party certification body's ability to use an audit agent to conduct a
regulatory audit of an eligible entity if the agent conducted a
consultative or regulatory audit for the same eligible entity in the
preceding 13 months, unless FDA waives the limitation under criteria
described in the statute. While we recognize this requirement may
differ from some international standards, it balances the concern of an
audit agent auditing their own prior results if the subsequent audit
happens too soon with auditor capacity concerns through a waiver
provision. Under proposed Sec. 1.663, FDA would issue waivers where we
determine there is insufficient access to in the country or region
where the eligible entity is located.
We note that the proposed rule was unclear with respect to whether
the showing of insufficient access to support a waiver was based on a
lack of certification bodies or individual audit agents in a country or
region, and have therefore clarified in the final rule that the showing
of insufficient access necessary for FDA to grant a waiver request is
based on lack of audit agents (or in cases where individuals are
accredited as third-party certification bodies, those individuals).
Although we are finalizing additional conflict of interest requirements
in Sec. 1.657 of this rule, these provisions do not implement the 13-
month limit in section 808(c)(4) of the FD&C Act. Section Sec.
1.650(c) complements the requirements in Sec. 1.657 to provide
additional conflict of interest protections. Note that though this
response uses the term ``audit agent'' this provision also applies to
accredited third-party certification bodies that are individuals.
(Comment 103) Several comments assert that proposed Sec. 1.650(c)
and the waiver process FDA proposes to establish would be impractical.
The comments note that there is currently a significant shortage of
experienced food
[[Page 74609]]
safety auditors around the world. Describing it as a ``capacity''
issue, the comments suggest that implementation of the FSMA rules will
further exacerbate the problem. Some comments suggest that proposed
Sec. 1.650(c) would be impractical for small countries due to auditor
capacity issues.
(Response 103) We acknowledge the concerns about the possible
shortage of skilled food safety auditors to meet current global demand
and are aware of efforts by GFSI, the food industry, scheme owners, and
third-party food safety certification bodies to address auditor
capacity, as described in section I.D. We also understand that FSMA
implementation is likely to create further demand for auditors.
Nonetheless, as explained in Response 102, we are required by section
808(c)(4)(C) of the FD&C Act to limit an accredited third-party
certification body's ability to use an audit agent; we have clarified
in the final rule that the showing of insufficient access necessary for
FDA to grant a waiver request is based on lack of audit agents (or in
cases where individuals are accredited as third-party certification
bodies, those individuals).
We disagree with comments suggesting that the waiver process we
propose would be impractical. We are developing an IT portal that
includes the capability for accepting electronic submissions of
requests and electronic issuance of waivers, which will help facilitate
the submission of waiver requests by accredited third-party
certification bodies and FDA's processing of such requests.
(Comment 104) Some comments contend that the proposal to require
accredited third-party certification bodies to show insufficient
accredited third-party certification body resources to obtain an FDA
waiver of proposed Sec. 1.650(c) would be unnecessarily burdensome
because the proposed conflict of interest requirements adequately
protect against concerns about ``industry capture.'' Some comments
recommend that FDA research global food safety auditor capacity and
proactively issue waivers of proposed Sec. 1.650(c), absent waiver
request(s). Still other comments suggest that eligible entities should
be able to seek waivers of the 13-month limit on behalf of an
accredited third-party certification body.
(Response 104) Under section 808(c)(4)(C) of the FD&C Act, the 13-
month limit on audit agents conducting regulatory audits may be waived
if FDA determines there is insufficient access to audit agents in a
country or region. While acknowledging capacity concerns raised in
comments, we decline the suggestion that FDA should gather information
to support waivers absent a request for a waiver under section
808(c)(4)(C)(ii) of the FD&C Act. We believe gathering such information
would not be the best use of our limited resources, and that third-
party certification bodies would be better positioned to inform FDA of
audit agent capacity issues in their country or region of operation.
Moreover, the final rule clarifies that accredited third-party
certification bodies must demonstrate that there is insufficient access
to audit agents in the country or region where the eligible entity is
located in order to obtain a waiver. Because the 13-month limit is on
individual audit agents, and not third-party certification bodies, this
limitation is likely to be less burdensome than anticipated by the
comments.
We decline the suggestion to allow eligible entities to request a
waiver of proposed Sec. 1.650(c) on behalf of an accredited third-
party certification body, because we believe the accredited third-party
certification body will be better suited to assess auditor capacity on
a national or regional basis. Periodic rotation of audit agents is
intended to help ensure that audits remain objective and do not become
compromised by familiarity. The requirement to ensure an audit agent's
objectivity is placed on the accredited third-party certification body,
not an eligible entity, under proposed Sec. 1.650(a). Further, given
that the accredited third-party certification body would ultimately
need to agree to conduct an audit for an eligible entity, requiring the
accredited third-party certification body to request the waiver would
ensure that they are willing to accept the request for a food safety
audit in the first place. In light of the foregoing, we have concluded
that it is the accredited third-party certification body, not the
eligible entity, who should seek a waiver of the 13-month limit in
proposed Sec. 1.650(c).
We disagree with comments suggesting waiver requests will be unduly
burdensome or time-consuming for accredited third-party certification
bodies. The IT portal we are developing for the third-party
certification program includes the capability for accepting electronic
submissions of requests and electronic issuance of waivers, which we
believe will help minimize the administrative burden on certification
bodies and FDA.
B. How must an accredited third-party certification body conduct a food
safety audit of an eligible entity? (Sec. 1.651)
Proposed Sec. 1.651 would establish requirements for planning and
conducting consultative and regulatory audits in a manner that fulfills
the purposes of section 808 of the FD&C Act. Under paragraph (a) on
audit planning, the accredited third-party certification body would
require the eligible entity to identify whether it was seeking a
consultative or regulatory audit subject to the requirements of this
subpart under the third-party certification program. The eligible
entity would indicate the scope and purpose of the requested audit and,
in the case of a regulatory audit, would indicate the type of
certification sought. The accredited third-party certification body
would also require the eligible entity to provide a 30-day operating
schedule for the facility that would provide information relevant to
scope and purpose of the audit. The accredited third-party
certification body would then consider whether the requested audit is
within the scope of its accreditation.
Proposed Sec. 1.651(b) would require the accredited third-party
certification body to ensure it would have adequate authority to
conduct the requested audit, including authority to: (1) Conduct an
unannounced audit; (2) access any area of the facility or any of its
records relevant to the scope of the audit; (3) use an accredited
laboratory in accordance with section 422 of the FD&C Act, (21 U.S.C.
350k), where FDA requires sampling and analysis; (4) notify FDA
immediately upon discovering, during a consultative or regulatory
audit, a condition that could cause or contribute to a serious risk to
the public health; (5) prepare audit reports that would contain certain
elements and, for regulatory audits, that would be submitted to FDA;
and (6) allow FDA and its recognized accreditation body to observe any
food safety audit under the program.
Proposed Sec. 1.651(c) would require an unannounced audit to be
conducted in a manner consistent with its scope and purpose and would
include records review as well as an onsite examination of the
facility, process(es), and food to determine compliance with the
applicable food safety requirements of the FD&C Act and FDA
regulations, and for consultative audits, conformance with include
industry standards and practices. Proposed Sec. 1.651(c) would require
the audit agent to document observations and corrective actions and,
where appropriate, would include
[[Page 74610]]
environmental or product sampling and analysis using validated
methodologies and a laboratory accredited in accordance with the
requirements of section 422 of the FD&C Act.
At our own initiative, we are removing the requirement to use a
laboratory consistent with section 422 of the FD&C Act and inserting a
requirement in Sec. 1.651(b)(3) to use a laboratory accredited under
ISO/IEC 17025:2005 or another laboratory accreditation standard that
provides at least a similar level of assurance in the validity and
reliability of sampling methodologies, analytical methodologies, and
analytical results.
On our own initiative, we are also revising Sec. 1.651(c)(1) to
clarify that the audit must be focused on determining whether the
facility, its process(es), and food are in compliance with the
applicable food safety requirements of the FD&C Act and FDA
regulations, and for consultative audits, also includes conformance
with applicable industry standards and practices. Based on comments
received on Sec. 1.653 and for the reasons described in Comment/
Response 112 in section IX.C., we are revising Sec. 1.651(c)(3) to
clarify that an accredited third-party certification body (or its audit
agent, where applicable) that identifies a deficiency requiring
corrective action may verify the effectiveness of a corrective action
once implemented by the eligible entity but must not recommend or
provide input to the eligible entity in identifying, selecting, or
implementing the corrective action.
(Comment 105) Some comments suggest that we should incorporate ISO/
IEC 19011:2011 (Ref. 8), which contains guidelines on auditing
management systems, by reference into the rule.
(Response 105) We disagree, because ISO/IEC 19011:2011 (Ref. 8) is
inconsistent with the requirements of section 808 of the FD&C Act and
this rule. For example, ISO/IEC 19011:2011 (Ref. 8) is premised on
announced audits that are scheduled with the client, as described in
clauses 6.2.2, and 6.2.3 of the standard; however, section
808(c)(5)(C)(i) of the FD&C Act requires audits conducted under this
rule to be unannounced. As another example, clause 6.4.9 of ISO/IEC
19011:2011 (Ref. 8) suggests that an audit team should attempt to
resolve any ``diverging opinions'' between the team and the audited
entity regarding the audit conclusions, such as the extent of
conformity with audit criteria (clause 6.4.8), during the closing
meeting. We acknowledge that differences of opinions regarding audit
conclusions are likely to occur between eligible entities and
accredited third-party certification bodies or audit agents. However,
the credibility of our program rests in large part on the independence
and objectivity of accredited third-party certification bodies and
audit agents. This rule is intended to help ensure they are free from
the influence of the eligible entities and any appearance that their
judgment is compromised by eligible entities. Audit conclusions
regarding an eligible entity's compliance with the applicable food
safety requirements of the FD&C Act and FDA regulations are the purview
of the accredited third-party certification body and any audit agents
it uses. The appropriate mechanism for an eligible entity seeking to
challenge adverse decisions would be the accredited third-party
certification body's appeals process.
For the foregoing reasons, we decline to incorporate ISO/IEC
19011:2011 (Ref. 8) by reference into this rule.
(Comment 106) Some comments assert the guidelines for management
systems auditing in ISO/IEC 19011:2011 (Ref. 8) would provide a useful
guide for audits conducted under the program. Other comments suggest
the audit agents should be conducting food safety audits using a
quality systems approach. Citing the production of food additives as an
example, these comments note that while it would be preferable to
conduct an audit while a food additive is being produced it is not
always feasible. The comments suggest that as long as the audit focuses
on quality systems it should not be necessary for production of the
food additive to occur during the audit.
(Response 106) As explained in Response 105, some elements of ISO/
IEC 19011:2011 (Ref. 8) are inconsistent with the requirements of
section 808 of the FD&C Act and this rule, thereby limiting its
applicability for food safety audits conducted under this rule. We
agree, however, with the general principle that a ``systems'' approach
to food safety audits with a correctly identified scope and purpose,
using appropriate audit criteria, and properly executed by a competent
audit agent (or individual accredited as third-party certification
body), should be sufficient to cover the food within the audited
system(s) of the facility, without requiring direct observation of each
type of food produced. We note that it is essential that the scope of
the audit covers the appropriate physical locations, activities, and
processes that are part of the management system to be audited, and
information collected during the audit must be relevant to the audit
scope, purpose, and criteria, including information relating to
interfaces between functions, activities, and processes of the food
safety system.
We use the term ``systems audits'' generally, acknowledging that
``management systems'' audits, ``product certification'' audits, and
``quality systems'' audits have specific meanings in some contexts,
such as ISO/IEC standards, but may have different meanings in different
contexts. To the extent that the comments referencing a ``quality
systems'' approach are suggesting that food safety audits should be
conducted using a ``systems auditing'' approach, we agree. Accordingly,
we are revising Sec. 1.651(c)(1) to better align with the language of
section 808 of the FD&C Act and this rule, as well as ``systems''
auditing principles.
Our goal is to ensure the rigor of the food safety audits conducted
under our program, which will be accomplished through compliance with
the requirements of this rule. It is intended to help ensure that food
safety audits are conducted by competent audit agents (or individuals
accredited as a third-party certification bodies), in accordance with a
properly defined audit scope and purpose, using the applicable audit
criteria required by this rule. As such, any food safety audit
conducted under the rule should provide the information necessary for
the accredited third-party certification body to make a determination
on compliance with the applicable food safety requirements of the FD&C
Act and FDA regulations. Whether or not a particular audit does, in
fact, provide such information, with an appropriate level of
confidence, is dependent on a number of factors, among them:
1. At the time that the food safety audit is procured, the eligible
entity must declare the scope and purpose of the audit consistent with
the requirements of this rule (and any additional criteria established
in VQIP guidance for facility certifications for use in that program
or, for certifications to be used for purposes of section 801(q) of the
FD&C Act any additional criteria that may be established by FDA
relating to the safety determination).
2. The accredited third-party certification body must assign an
audit agent that is competent to perform the audit (or, for an
accredited third-party certification body that is an individual, such
audit must be within the scope of accreditation).
3. The audit agent (or individual accredited as a third-party
certification body) must:
a. Develop and successfully execute an audit plan that includes a
records
[[Page 74611]]
review, which may be scheduled, and a subsequent onsite facility
examination performed on an unannounced basis within a 30-day window of
time according to the facility's operating schedule for the requested
audit purpose and scope and using the appropriate audit criteria; and
b. during the audit collect and verify information that is relevant
to the audit purpose, scope, and criteria and that will form the basis
for the audit findings and conclusions.
We note that this rule establishes the requirements for the third-
party certification program but does not establish requirements
relating to the use of these certifications for purposes of sections
801(q) and 806 of the FD&C Act. To that end, we urge an eligible entity
seeking a regulatory audit for certification to be used for VQIP
purposes or for purposes of satisfying a requirement for certification
under section 801(q) to ensure that the scope of the regulatory audit
it procures, and any food and facility certifications that are issued
as a result, will be sufficient to meet FDA requirements under sections
801(q) and 806 of the FD&C Act.
Under section 806 of the FD&C Act, FDA will require facility
certifications issued by accredited third-party certification bodies
under section 808 as a condition of an importer's eligibility for VQIP.
We encourage eligible entities, importers, and accredited third-party
certification bodies to consult the VQIP guidance, when finalized, to
ensure the proper scope has been established for any regulatory audit
conducted to obtain facility certification for VQIP purposes.
Any requirement for certification to satisfy a condition of
admissibility under section 801(q) of the FD&C Act would be based on an
FDA safety determination relating to specific circumstances, as
described in section 801(q)(2). An eligible entity seeking
certification from an accredited third-party certification body to meet
the admissibility requirements under section 801(q) of the FD&C Act
must ensure the proper scope has been established for the regulatory
audit it procures to address the circumstances behind the 801(q)
determination.
(Comment 107) Some comments assert that the audit requirements in
proposed Sec. 1.651 are overly detailed and inflexible, contending
that accreditation bodies have their own requirements for good auditing
practices. The comments also suggest that proposed Sec. 1.651, would
be problematic to implement and cite as an example the proposed
requirement for unannounced audits, which the comments say would be
inconsistent with the requirements associated with planned audits that
apply in other programs.
(Response 107) We understand that some of the requirements in
proposed Sec. 1.651 differ from the audit protocols currently used in
conducting many third-party audits of food facilities. The comments do
not identify the good auditing practices they assert accreditation
bodies already require certification bodies to use; however, we are not
incorporating ISO/IEC 17021:2011, ISO/IEC 17065:2012, or ISO/IEC
19011:2011 by reference into this rule for the reasons explained in
section I.D. We are unable to identify a voluntary consensus standard
that would encompass the audit practices required by section 808 of the
FD&C Act (e.g., unannounced audits and notification of conditions that
could cause or contribute to a serious risk to public health) as well
as other practices the statute allows (e.g., audit agents conducting
both consultative and regulatory audits). In the absence of existing
standards that would adequately address the food safety audit
requirements of section 808 of the FD&C Act, Sec. 1.651 offers
accredited third-party certification bodies and audit agents the
requirements needed to conduct food safety audits in the manner the
statute contemplates and requires.
The comment asserting that proposed Sec. 1.651, would be
problematic to implement cited as an example the proposed requirement
for unannounced audits in Sec. 1.651(c)(1). We acknowledge that most
audits are scheduled, and a program involving unannounced audits will
require changes in the current usual practices of accredited third-
party certification bodies and eligible entities. However, section
808(c)(5)(C)(i) of the FD&C Act specifically requires audits performed
under this rule to be unannounced. As described in Response 106,
proposed Sec. 1.651(c)(1) was designed to provide flexibility to
accredited third-party certification bodies and eligible entities,
while fulfilling this statutory requirement. Without additional
examples or other details in the comments to explain why the other
audit protocols in proposedSec. 1.651(a) would be problematic to
implement, we decline to revise Sec. 1.651(a)(2) to (4) in response to
the comments.
(Comment 108) In addition to comments described in section III.E.
regarding the impracticality of unannounced audits, some comments
contend that unannounced audits would be impractical and inefficient
for any food safety audit (e.g., regulatory audits) conducted under
this rule. Other comments express concern about implementing
unannounced audits at farms that may be geographically isolated, while
offering support for unannounced audits in principle.
Other comments note that unannounced audits are conducted for
operations participating in the Leafy Greens Marketing Agreements
(LGMAs) in California and Arizona and in the California Cantaloupe
Marketing Order (CCMO), asserting it is feasible to conduct audits of
seasonal operations during harvest activities, observing practices and
programs in the field and facility. Some comments suggest that
unannounced audits provide a more realistic view of the entity's
compliance status than planned audits do.
Some comments endorse the approach of a planned records review
prior to an unscheduled site audit occurring at any point during a 30-
day operating window. Other comments ask us to clarify in the final
rule which parts of a food safety audit may be performed on a scheduled
basis and which parts must be performed on an unannounced basis within
a 30-day window.
(Response 108) We decline to revise our approach to unannounced
audits under Sec. 1.651, as section 808(c)(5)(C)(i) of the FD&C Act
explicitly requires that audits be unannounced. We are, however, adding
language to Sec. 1.651(c)(1) to clarify that the records review
portion of a food safety audit may be scheduled with an eligible entity
and, through revisions to Sec. 1.651(c)(2), are requiring the records
review to occur before the onsite facility examination portion of the
audit, consistent with the description in the preamble to the proposed
rule (78 FR 45782 at 45811 to 45812). We are retaining the requirement
in Sec. 1.651(c)(1) to conduct an unannounced audit through an
unscheduled onsite facility examination at any time during the 30-day
timeframe identified pursuant to Sec. 1.651(a)(1)(ii).
As discussed in the preamble to the proposed rule (78 FR 45782 at
45811), when developing the audit protocols to implement the statutory
requirement for unannounced audits, we considered the British Retail
Consortium (BRC) Global Standard for Food Safety (Ref. 22) unannounced
audit option to help us ensure that our approach to unannounced audits
would be practical and feasible to implement. The BRC unannounced audit
option provides for a ``Good Manufacturing Practices-type audit'' to be
unannounced, while a separate records review could occur during a
planned visit. We have concluded that it is reasonable and appropriate
to interpret the statutory
[[Page 74612]]
requirement for unannounced audits to allow a record review to be
conducted during a planned visit to the eligible entity, provided that
the onsite audit is conducted on an unannounced basis. In addition, as
discussed previously, we have revised Sec. 1.651(c)(2) to require that
the records review must precede the onsite examination to facilitate
the facility visit.
We agree with comments suggesting that unannounced audits are
feasible and note, for example, that another GFSI-benchmarked scheme,
the Safe Quality Food Code in July 2014 began implementing an
unannounced audit component, wherein unannounced audits are mandatory
for every third audit (Ref. 23). Additionally, while we appreciate the
concern expressed by comments regarding the implementation of
unannounced audits at farms that may be geographically isolated, we
believe the examples cited by comments of unannounced audits of
participants that are performed at least once each year under the LGMA
and the CCMO are persuasive in demonstrating the feasibility of
unannounced audits for primary production. Moreover, the requirements
for audits specified in the statute and our experiences planning
foreign inspections lead us to believe that the requirement for a 30-
day operating window will assist in preventing logistic problems
associated with unannounced audits in geographically isolated areas.
For the foregoing reasons, we have concluded that the unannounced audit
protocol in Sec. 1.651(a)(1) is practical and efficient to implement,
while meeting the requirements of section 808(c)(5)(C)(i) of the FD&C
Act.
(Comment 109) Some comments suggest that FDA increase the window of
time between the records review, which informs the audit planning, and
the unannounced site audit, which examines the facility, its
process(es), and food for compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations. To maximize the
element of surprise while ensuring the relevance of the records review
to the conduct of the site audit, the comments suggest we should expand
the timeframe to allow the audit agent to conduct the site audit any
time during a 90-day period.
(Response 109) Food safety audits conducted under this program,
particularly regulatory audits for certification purposes, often are
time sensitive in nature, because they are necessary for issuance of
certifications that are used facilitate trade. Establishing a lengthy
window of time during which an unannounced audit could occur could have
significant implications, for example, where certification is used in
satisfying a condition of admissibility for a food subject an FDA
safety determination under section 801(q) of the FD&C Act. A lengthy
window of time for an unannounced audit to be conducted also could
hinder participation in the VQIP program under section 806 of the FD&C
Act, which requires an importer to provide facility certification as a
condition of participation. In light of the foregoing, we do not
believe it would be reasonable to extend the length of time between
records review and the site audit from 30 to 90 days.
C. What must an accredited third-party certification body include in
food safety audit reports? (Sec. 1.652)
Proposed Sec. 1.652 would implement section 808(c)(3)(A) of the
FD&C Act, which authorizes FDA to establish the requirements for audit
reports that an accredited third-party certification body would need to
prepare as a condition of its accreditation. The statute specifies that
such report of an audit must include: (1) The identity of the persons
at the eligible entity responsible for compliance with food safety
requirements; (2) the dates and scope of the audit; and (3) any other
information FDA requires that relates to or may influence an assessment
of compliance.
Proposed Sec. 1.652(a) would specify the form of consultative
audit reports, which would include: The name, address, and unique
facility identifier (UFI) of the facility subject to audit; the name,
address, and UFI of the eligible entity (if it differs from the
facility); the contact information for the person(s) responsible for
food safety compliance at the facility; the dates and scope of the
consultative audit; and any deficiency(ies) observed during the audit
that require corrective action(s) and the date on which such corrective
action(s) were completed. Proposed Sec. 1.652(a) would require that a
consultative audit report be prepared by no later than 45 days after
completing the audit and would require preparing the report in English
and maintaining it as a record under proposed Sec. 1.658.
Proposed Sec. 1.652(b) would specify the form of regulatory audit
reports, which would include: (1) The name, address, and UFI of the
facility subject to audit; (2) the FDA food facility registration
number (where applicable); (3) the name, address, and UFI of the
eligible entity (if it differs from the facility); (4) the contact
information for the person(s) responsible for food safety compliance at
the facility; (5) the dates and scope of the regulatory audit; (6) the
process(es) and food(s) observed during the audit; (7) whether sampling
and laboratory analysis is used in the facility; (8) recent food
recalls; (9) recent significant changes at the facility; and (10) any
food or facility certifications recently issued to the entity. With
respect to deficiencies and corrective actions, proposed Sec. 1.652(b)
would require the accredited third-party certification body to include
in the regulatory audit report any deficiency(ies) observed during the
audit that meet FDA's Class I and Class II recall standards--i.e., the
deficiency(ies) present(s) a reasonable probability that the use of or
exposure to the violative product will cause serious adverse health
consequences or death; or may cause temporary or medically reversible
adverse health consequences or where the probability of serious adverse
health consequences is remote, and the corrective action plan for any
identified deficiency unless the corrective action was implemented
immediately and verified onsite by the accredited third-party
certification body. Proposed Sec. 1.652(b) also would require that a
regulatory audit report be submitted to FDA electronically, in English,
by no later than 45 days after completing the audit.
Under proposed Sec. 1.652(c), an accredited third-party
certification body would have to submit to FDA an audit report for any
regulatory audit it conducts, regardless of whether the certification
body issued a certification based on the results of the regulatory
audit. Proposed Sec. 1.652(d) would require an accredited third-party
certification body to implement written procedures for receiving and
addressing challenges from eligible entities contesting adverse
regulatory audit results and would require them to maintain records of
such challenges under proposed Sec. 1.658.
On our initiative, we revised paragraphs (a) and (b) of Sec. 1.652
to clarify that an accredited third-party certification body must
provide a copy of a consultative audit report or regulatory audit
report (respectively) to the eligible entity. We also on our own
initiative added a requirement for the accredited third-party
certification body to include in the audit report the FDA Establishment
Identifier (FEI) of the facility audited and the FEI of the eligible
entity, if different than the FEI for the audited facility to help
verify the identity of the facility and eligible entity based on
information contained in FDA's database of FEIs. Further, we aligned
the elements of the consultative audit report and regulatory audit
report; for example, we redesignated proposed paragraph (a)(5) as
(a)(6) and added a
[[Page 74613]]
new paragraph (a)(5) to require that the consultative audit report
include the processes and foods observed during the consultative audit.
Additionally, on our own initiative we revised Sec. 1.652(d) to
clarify that an accredited third-party certification body must notify
an eligible entity of a denial of certification.
(Comment 110) Several comments raise concerns regarding the
requirements that would apply to consultative audit reports under
proposed Sec. 1.652(a). The comments assert that because consultative
audits are specifically intended to be for internal purposes, FDA
should delete proposed Sec. 1.652(a) and should not propose any
requirements for consultative audit reports. Other comments suggest
that we remove the proposed requirement to prepare a consultative audit
report no later than 45 days after conducting the audit, asserting the
deadline is infeasible. Still other comments suggested we should allow
consultative audit reports to be prepared and maintained in languages
other than English.
Some comments interpret proposed Sec. 1.652(a) to require
consultative audit reports to be submitted to FDA. Other comments urge
us to emphasize to industry that proposed Sec. 1.652(a) would only
require accredited third-party certification bodies to maintain
consultative audit reports in their records and not submit them to FDA,
and that FDA could only access consultative audit reports in
circumstances meeting the serious adverse health conditions or death to
humans or animals (SAHCODHA) standard for records access under section
414 of the FD&C Act. Other comments note that the proposed rule was
silent on the protection of proprietary information in audit reports.
(Response 110) We disagree with comments suggesting that because
consultative audits are for internal purposes only, FDA is precluded
from imposing any requirements for consultative audit reports prepared
by accredited third-party certification bodies under this rule. Section
808(c)(3)(A) of the FD&C Act requires certain elements to be included
in reports for all food safety audits. This includes both consultative
audits and regulatory audits, which are the two types of audits
described in section 808(c)(4)(B) of the FD&C Act. Section 808(c)(3)(A)
sets a 45-day deadline for the preparation of all audit reports,
including consultative audit reports, and sets a separate requirement
that the audit reports for regulatory audits be submitted. Section
808(c)(3)(A) of the FD&C Act also gives FDA discretion to designate the
form and manner of audit reports and to require accredited third-party
certification bodies to include in audit reports other information that
relates to or may influence an assessment of compliance with the FD&C
Act. In light of these statutory provisions, we decline the suggestions
to delete proposed Sec. 1.652(a) or to remove the proposed 45-day
deadline for preparation of a consultative audit report.
We are, however, removing the proposed requirement in Sec.
1.652(a) that consultative audit reports would need to be prepared and
maintained in English in the accredited third-party certification
body's records. As explained in Response 59, we are removing the
proposed requirements for recognized accreditation bodies and
accredited third-party certification bodies to create and maintain
records that do not need to be submitted to FDA, outside of a specific
request, under this rule in English.
We disagree with comments suggesting that Sec. 1.652(a) should
require accredited third-party certification bodies to submit
consultative audit reports to FDA. We note that section 808(c)(3)(A)
only requires the submission of regulatory audit reports. Because
consultative audits are for internal purposes, we consider it
appropriate to require the maintenance of these reports, but not the
submission of the reports. Under section 808(c)(3)(C) of the FD&C Act,
we could only access consultative audit reports in circumstances
meeting the standard for records access under section 414 of the FD&C
Act.
With respect to protection of proprietary information in
consultative audit reports submitted to or obtained by FDA, we note
that the final rule includes new provision Sec. 1.695, which addresses
disclosure and the protection of trade secrets and confidential
commercial information under applicable law.
(Comment 111) Some comments support our proposal to require that
consultative audit reports under proposed Sec. 1.652(a)(2) and
regulatory audit reports under proposed Sec. 1.652(b)(1)(i) and (b)(2)
include UFIs for audited facilities and for eligible entities (where
different from audited facilities). In the preamble to the proposed
rule (78 FR 45782 at 45812), we solicited comment on whether a UFI
should comprise a Data Universal Numbering System (DUNS[supreg]) number
and Global Positioning System (GPS) coordinates for an audited facility
and for the eligible entity (if different from the audited facility).
Some comments support using DUNS[supreg] numbers in UFIs for
eligible entities and audited facilities, asserting that approximately
230 million establishments around the world have DUNS[supreg] numbers.
The comments assert that DUNS[supreg] numbers are easy to obtain and
free to the establishment. Comments also emphasize that the use of
DUNS[supreg] numbers would be particularly helpful under the third-
party certification rule, because the numbers help to determine
corporate ``families''--e.g., related establishments.
Other comments oppose using DUNS[supreg] numbers as UFIs,
contending that DUNS[supreg] numbers are not widely used outside the
United States and frequently have errors. Some of these comments
propose alternatives to DUNS[supreg] numbers, including: GPS
coordinates, FDA's food facility registration numbers, or the U.S.
Internal Revenue Service taxpayer identification numbers which comments
suggest foreign companies can request from U.S. Customs and Border
Protection.
(Response 111) We received valuable input in response to our
solicitation of comments on UFIs for audited facilities and eligible
entities. Having a UFI for eligible entities (and audited facilities if
different) would be useful to FDA in identifying an eligible entity
that does not already have a numerical identifier in one of FDA's
databases. For example, farms generally are not required to register
with FDA under section 415 of the FD&C Act, so they would not have an
FDA Food Facility Registration Number, unless they conduct activities
for which such registration is required, and some eligible entities may
not have been assigned an FDA Facility Establishment Identifier.
We note that FDA currently is considering whether to require UFIs
for regulated establishments, such as facilities as defined in 21 CFR
1.227, and the types of numbering systems that might be used for UFIs.
Under this final rule, an accredited third-party certification body
will be required to include a UFI for an audited facility and for an
eligible entity (if different from the audited facility) in a
consultative audit report under Sec. 1.652(a)(1)(i) and (a)(2), and a
regulatory audit report under Sec. 1.652(b)(1)(i) and (b)(2), if FDA
designates a UFI system.
(Comment 112) Some comments focus on proposed Sec. 1.652(a)(5),
which would require a consultative audit report to include any
deficiencies observed that require corrective action, the corrective
action plan, and the date corrective
[[Page 74614]]
actions were completed. Some comments ask us to clarify what
information about deficiencies should be included in consultative audit
reports. The comments distinguish between FDA investigators who collect
physical evidence during inspections and third-party certification
bodies who typically observe process(es), review records, and cite
nonconformity to standards--e.g., ``Canning retort time did not meet x
temperature for y time of the scheduled process.'' Other comments ask
FDA to clarify that the eligible entity, not the audit agent, would be
responsible for corrective actions, including analyzing the cause of
the nonconformity and developing corrective actions to address the
nonconformity. These comments support the proposed requirement to
require documentation and verification of corrective actions, whether
through document review or onsite audits.
(Response 112) As the comments suggest, third-party certification
bodies commonly describe their audit findings in terms of conformity or
nonconformity with audit criteria, such as a GFSI-benchmarked food
safety scheme or the ISO/TS 22003:2013 series of food safety standards
(Ref. 24). Under section 808 of the FD&C Act, accredited third-party
certification bodies examine eligible entities and their foods for
compliance with the applicable food safety requirements of the FD&C Act
and FDA regulations and, for consultative audits, also assess
conformity with applicable industry standards and practices.
Under proposed Sec. 1.652(a)(5), a consultative audit report would
identify any deficiencies observed by audit agent, which we intended
would encompass any deficiency that relates to or may influence the
accredited third-party certification body's determination of whether
the eligible entity is in compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations. We were not proposing
to require that consultative audit reports include information on an
observation solely related to a nonconformity with industry standards
or practices that FDA does not implement or enforce. An observation
relating to both a nonconformity with an industry standard or practice
and a deficiency that relates to or may influence a compliance
determination would need to be included in the audit report as a
deficiency under proposed Sec. 1.652(a)(5). In response to comments,
we are revising Sec. 1.652(a)(5), renumbered as Sec. 1.652(a)(6), to
clarify that a consultative audit report must include any deficiency
that relates to or may influence a determination of compliance with the
applicable food safety requirements of the FD&C Act and FDA regulations
and information on the corrective action(s) to address such deficiency.
We agree with comments distinguishing between the roles of eligible
entities (who must identify and implement effective corrective actions)
and accredited third-party certification bodies and their audit agents
(who identify deficiencies and verify that effective corrective actions
have been implemented). After identifying deficiencies that will
require corrective action, accredited third-party certification bodies
and their audit agents must maintain their impartiality by allowing
eligible entities to select the appropriate corrective actions to
employ. To recommend or suggest corrective actions to eligible entities
during consultative or regulatory audits would undermine the
objectivity of the third-party certification bodies or audit agents in
performing their critical task of verifying the effectiveness of the
corrective actions once implemented. To address this concern, we have
elected to revise Sec. 1.651(c)(3) as described in section IX.B.,
because we believe this issue is better addressed as part of the
protocols for audits conducted under subpart M.
(Comment 113) Some comments assert that proposed Sec. 1.652(b) is
unnecessary, because many of the elements of regulatory audit reports
that we propose already are commonly included in audit reports. The
comments contend that listing specific elements to be included in a
regulatory audit report would be too prescriptive and would stifle
creativity. Other comments suggest that proposed Sec. 1.652(b) is
overly broad, and the comments object to the elements of the audit
reports. Some comments assert that reporting of recent recalls is
unnecessary because this is information already in FDA's possession.
Still other comments note that documents that are routinely part of an
audit process may contain critical business information. These comments
suggest that FDA should consider a ``tiered'' approach, by requiring
only summary reports on audit results to be submitted to FDA, not
proprietary information.
Other comments support proposed Sec. 1.652(b) and the data
elements we proposed to require in regulatory audit reports. Some of
these comments seek additional information on the form and manner of
submitting this information to FDA. The comments also ask whether the
regulatory audit reports will be publicly released.
(Response 113) We disagree with comments suggesting that proposed
Sec. 1.652(b) is unnecessary because the information we proposed to
require in regulatory audit reports already is included in the audit
reports prepared by third-party certification bodies. Although many of
the elements required to be included in the reports under this rule are
currently being included in audit reports prepared by third-party
certification bodies, it is important that we require the elements
included in this final rule because they are essential to the
preparation of audit reports that are consistent with the purpose of
this program.
We disagree with the comments asserting that proposed Sec.
1.652(b) is overly broad and the comments contending that the provision
is overly prescriptive. Section 808(c)(3)(A) of the FD&C Act requires
that audit reports include the dates and scope of the audit and the
identity of the persons at the audited eligible entity responsible for
compliance with food safety requirements. Section 808(c)(3)(A) of the
FD&C Act also gives FDA discretion to require that audit reports
include other information that relates to or may influence an
assessment of compliance with the FD&C Act. Under proposed Sec.
1.652(b), a regulatory audit report would include the elements required
by the statute, as well as the following information: Identifying
information for the eligible entity (and for the facility, if different
from the eligible entity); the food(s) and process(es) observed; any
deficiencies observed during the audit that relate to an FDA Class I or
Class II recall situation; and the corrective action plan for such
deficiencies. We also proposed to require the regulatory audit report
to indicate whether any sampling and laboratory analysis is used in the
facility and whether in the 2 years preceding the audit the entity:
Issued a food safety-related recall; made significant changes in the
facility, its process(es), or products; or was issued any food or
facility certifications.
As to the elements of the regulatory audit report in proposed Sec.
1.652, we note that paragraphs (b)(1) and (2) provide identifying
information for the eligible entity (and the facility audited, if
different than the eligible entity) and paragraphs (b)(3) and (5)
contain the elements required by section 808(c)(3)(A) of the FD&C Act.
We agree with comments asserting that it is not be necessary to include
information in regulatory audit reports that is already in FDA records;
therefore, we are removing the proposed requirements in Sec.
1.652(b)(9) and (11) to report information on food-safety related
[[Page 74615]]
recalls conducted by the eligible entity and food and facility
certifications issued to the eligible entity in the 2 years preceding
the audit. We are retaining the other elements of the regulatory audit
report under proposed Sec. 1.652(b)(4), (6) to (8), and (10)--i.e.,
whether the facility uses sampling and laboratory analysis, whether the
entity has made significant changes to the facility, its process(es),
or products during the 2 years preceding the audit; the foods and
process(es) that were observed, as well as any deficiencies related to
a Class I or Class II recall situation and the corrective action plans
for deficiencies--because they are related to or influential to a
determination of compliance with the applicable food safety standards
of the FD&C Act and FDA regulations.
As discussed in Response 67, we intend to provide additional
instructions relating to the form and manner of submitting information
to FDA. We also acknowledge comments' concerns about the protection of
proprietary information in regulatory audit reports submitted to FDA.
Information submitted to FDA is subject to public disclosure and under
part 20, and we are including new Sec. 1.695 on public disclosure in
section XIII.F of this final rule.
(Comment 114) Some comments contend that the submission of
regulatory audit reports under proposed Sec. 1.652 would ``empower''
accredited third-party certification bodies as ``de facto'' regulatory
authorities.
(Response 114) We disagree. Nothing in section 808 of the FD&C Act
or in the proposed rule would empower accredited third-party
certification bodies to implement or enforce the FD&C Act or FDA
regulations. Further, section 808(h) of the FD&C Act clearly states
that audits performed under this section shall not be considered
inspections under section 704 of the FD&C Act, which governs FDA
inspections.
(Comment 115) Some comments assert that regulatory audit reports
should be submitted to FDA only when there are questions about product
safety. Some comments suggest that proposed Sec. 1.652(b) could be
onerous because it would require regulatory audit reports to be
submitted to FDA in English by no later than 45 days after the audit
was completed. The comments assert that a lack of auditor capacity in
countries that export food to the United States could make it difficult
for accredited third-party certification bodies to meet the 45-day
deadline and suggest that FDA should consider adjusting the deadline
for regulatory audit report submission in light of factors such as
auditor capacity and the needs of seasonal producers. Other comments
support the proposed 45-day deadline for audit report submission,
noting that many audit reports currently take more than 45 days to
complete, some taking nearly a year to be issued. Still other comments
focus on the proposed requirement in Sec. 1.652(b) to submit
regulatory audit reports in English, urging us to accept reports in
various languages, including Spanish.
(Response 115) Section 808(c)(3)(A) of the FD&C Act requires as a
condition of accreditation that regulatory audit reports to be
submitted to FDA within 45 days after conducting the audit.
Accordingly, we decline the suggestion to limit the submission of
regulatory audit reports to circumstances where there are questions
about product safety. We also decline to extend the statutory 45-day
deadline for submission of a regulatory audit report.
We believe that allowing regulatory audit reports to be submitted
in languages other than English, as some comments suggest, would create
unnecessary obstacles to our program management and oversight. For
example, we may review a regulatory audit report to assist us in
deciding whether to accept a certification or to reject the
certification after determining that is not valid or reliable. If we
were to allow regulatory audit reports to be submitted in languages
other than English, we might have to wait weeks for a translation. Such
a delay would postpone our decision on whether to accept or refuse the
certification and might have negative effects on the flow of trade.
(Comment 116) Some comments oppose a proposal to use DUNS[supreg]
numbers in UFIs for audited facilities and eligible entities that would
be required to be submitted to FDA in regulatory audit reports under
proposed Sec. 1.652(b)(1)(i) and (b)(2). The comments suggest that
using DUNS [supreg] numbers in UFIs would create a monopoly for Dun and
Bradstreet (D&B) and give D&B an unfair competitive advantage. The
comments also express concern that establishments will face increased
pressure to buy other D&B products. Other comments suggest that DUNS
[supreg] numbers are not used outside the United States because, for
example, DUNS[supreg] numbers require data such as street names,
telephone numbers and other data points that small producers located
outside the United States might not have. Instead, these comments
suggest, FDA should use GPS latitude and longitude coordinates as UFIs.
Some other comments express support for UFI requirements that would
include the use of DUNS[supreg] numbers in UFIs for audited facilities
and eligible entities. The comments assert that because DUNS[supreg]
numbers are widely used, it would be reasonable for FDA to require
DUNS[supreg] numbers to be used in UFIs under the third-party
certification program.
(Response 116) As explained in Response 111, FDA currently is
considering whether to require regulated establishments to have UFIs
and, if so, whether DUNS[supreg] numbers should be included in UFIs. As
explained previously, under this final rule, an accredited third-party
certification body will be required to include a UFI for an audited
facility and for an eligible entity (if different from the audited
facility) in a regulatory audit report under Sec. 1.652(b)(1)(i) and
(b)(2), if FDA designates a UFI system.
(Comment 117) Some comments agree with proposed Sec. 1.652(b)(4),
which would require regulatory audit reports to include information on
the process(es) and food(s) observed during the audit. Some comments
request clarification of what process(es) and food(s) would need to be
observed in a facility with several processes, and other comments ask
what information FDA is seeking about the process(es) that were
observed during a regulatory audit.
(Response 117) As explained in Response 106, we do not believe that
direct observation of each type of food produced under a management
system is necessary when an audit covers the appropriate physical
locations, activities, and processes that are part of the management
system to be audited, and information collected during the audit must
be relevant to the audit scope, purpose, and criteria, including
information relating to interfaces between functions, activities, and
processes of the management system. Therefore, information on the
process(es) and food(s) observed by the audit agent (or accredited
third-party certification body that is an individual) is useful in
light of the scope of the audit and the management system(s) audited.
(Comment 118) Some comments endorse proposed Sec. 1.652(b)(8),
which would require the regulatory audit report to include information
on whether sampling and analysis is used at the facility being audited.
Of the comments that support proposed Sec. 1.652(b)(8), some would
further require regulatory audit reports to include reporting of
sampling and analytical results of sampling by the
[[Page 74616]]
eligible entity. Others suggest including analytical results relating
to any deficiencies observed during an audit and the effectiveness of
corrective actions taken to address the deficiency.
(Response 118) We agree that it is useful for FDA to have
information on whether an eligible entity uses sampling and analysis as
a tool for verifying the effectiveness of its controls. Section 1.652
does not require sampling or analysis on a routine basis; however,
analytical reports must be included in regulatory audit reports if the
certification body finds them to be relevant to the any elements of an
audit report, such as a verification of corrective actions or in
support of a decision not to certify. We note that sampling or
analytical reports that are collected as part of a regulatory audit
must be maintained as required under Sec. 1.658(a)(3).
(Comment 119) Some comments support proposed Sec. 1.652(b)(9),
which would require information on recent recalls to be included in
regulatory audit reports. Other comments suggest that requiring recall
information to be included in a regulatory audit report might lead to
questions about the validity of a certification that the accredited
third-party certification body might issue based on the results of its
regulatory audit of the eligible entity. Some other comments suggest
that requiring an accredited third-party certification body to include
information on recent recalls in a regulatory audit report would be
duplicative, because FDA should already have information on any recalls
of regulated product exported to the United States, and recalls of
product that was not exported to the United States would not be
relevant to the regulatory audit report.
(Response 119) We agree with comments suggesting that it would be
duplicative to require accredited third-party certification bodies to
include information on recent recalls in regulatory audit reports and
are removing proposed Sec. 1.652(b)(9) in the final rule.
(Comment 120) Some comments ask for clarification on proposed Sec.
1.652(b)(11), which would require information on recent certifications
to be included in regulatory audit reports. The comments ask whether a
certification issued outside of the third-party certification program
should be included in a regulatory audit report and if so, should the
report identify the standards under which the certification was issued.
(Response 120) Requiring information on certifications issued under
the third-party certification program would be duplicative because
certifications previously issued by the accredited third-party
certification body under the program already would have been submitted
to FDA. Further, we see no benefit to requiring the submission of
information on certifications issued outside of this program.
Accordingly, we are removing proposed Sec. 1.652(b)(11) from the final
rule.
(Comment 121) Some comments urge us to create a clear mechanism for
eligible entities to appeal adverse audit results.
(Response 121) Under proposed Sec. 1.652(d) an accredited third-
party certification body would have to implement written procedures for
receiving, evaluating, and deciding on eligible entity challenges to
adverse regulatory audit results. We believe this section provides a
clear mechanism for eligible entities to be able to appeal adverse
regulatory audit results. As explained in Response 36, we are
clarifying that persons presiding over such appeals may be internal or
external to the accredited third-party certification body.
D. What must an accredited third-party certification body do when
issuing food or facility certifications? (Sec. 1.653)
The proposed rule describes the activities that an accredited
third-party certification body would have to perform when issuing food
and facility certifications. Proposed Sec. 1.653 would require the
certification body to have conducted a regulatory audit under proposed
Sec. 1.651 and to conduct any other activities necessary to determine
compliance under the applicable food safety requirements of the FD&C
Act and FDA regulations.
No certificate could be issued until the eligible entity took
corrective actions to address any deficiencies reported under proposed
Sec. 1.652(b)(6), and the corrective actions were verified by the
accredited third-party certification body. The verification would need
to occur onsite, unless the deficiency was a minor issue. A single
audit could result in food and facility certifications or multiple food
certifications only if the regulatory audit requirements were met as to
each.
Where a certification body uses audit agents, the certification
body, not the audit agent, would make the determination whether to
issue certification. However, the statute allows for individuals to be
accredited as certification bodies; in that circumstance, the same
individual would conduct the audit and also determine whether to issue
certification.
On our own initiative, we are revising Sec. 1.653(a)(3) to replace
the phrase ``assessment made during'' with ``the data and other
information'' to clarify what an accredited third-party certification
body must consider when determining whether an eligible entity is in
compliance with the applicable food safety requirements of the FD&C Act
and FDA regulations.
On our own initiative, we are making a number of revisions Sec.
1.653(b). We are revising paragraph (b)(1) to clarify that the
accredited third-party certification body may issue a food or facility
certification under this subpart for a term of up to 12 months.
Throughout paragraph (b)(2) we are specifying that the food or facility
certification must contain information about regulatory audits. At our
own initiative, we are revising Sec. 1.653(b)(2)(ii) and (iii) to
require accredited third-party certification bodies to provide the FEI
of the audited facility and the FEI of the eligible entity, if
different from the audited facility, and we revised Sec. 1.653(b)(2)
(iv) to require accredited third-party certification bodies to assign
numbers to certifications they issue under the program. We are revising
paragraph (b)(3) to clarify that FDA may refuse to accept any
certification for purposes of section 801(q) or 806 of the FD&C Act if
we determine that the certification is not valid or reliable. We are
also adding new subparagraph (b)(3)(iii) to specify that if the
certification was issued without reliable demonstration that the
requirements of paragraph (a) were met, we may determine that the
certification is not valid or reliable.
(Comment 122) Some comments contend that proposed Sec. 1.653(a)(2)
would require accredited third-party certification bodies to perform
onsite verifications of corrective actions in situations where other
methods of verification would be adequate. The comments assert that, by
requiring onsite verification for any corrective action (other than an
action taken to address recordkeeping deficiencies), the proposed rule
would impose undue costs on eligible entities and would exacerbate
issues of auditor capacity.
The comments suggest that we allow for remote verification of
corrective actions through photographs, live web-cam transmissions, and
any other means that would provide evidence that corrective action has
been taken and the eligible entity is in compliance with the FD&C Act.
The comments suggest that FDA may, in its discretion, require onsite
visits to confirm that corrective actions were taken in extraordinary
situations where efforts short of onsite
[[Page 74617]]
observation would be insufficient to protect the public, such as in
Class I recall situations. Some comments urge us to follow the
requirements of ISO/IEC 17021:2011 (Ref. 6) for verification of
corrective actions.
(Response 122) We agree that onsite verification of corrective
actions would not be necessary to address every deficiency identified
in a regulatory audit report under proposed Sec. 1.652(b)(6). ISO/IEC
17021:2011 (Ref. 6) (clauses 9.1.12-9.1.13) describes a range of
activities--from document review to onsite verification to additional
full audits--that a third-party certification body may use verifying
the effectiveness of corrective actions. Remote verification may be
appropriate where it would provide an adequate basis for the accredited
third-party certification body to determine that the eligible entity
had implemented effective corrective action(s) to address the
identified deficiency or deficiencies. Accordingly, we are revising
Sec. 1.653(a)(2) to expand the methods of verification an accredited
third-party certification body may use to verify corrective actions for
deficiencies identified in Sec. 1.652(b)(6), except that corrective
actions in a facility that was the subject of a notification under
Sec. 1.656(c) must be verified onsite.
(Comment 123) Some comments urge FDA to establish qualifications
for the individuals accredited third-party certification bodies would
use to make certification decisions. The comments suggest that an
accredited third-party certification body should use a panel of experts
with appropriate industry or regulatory experience to make
certification decisions on behalf of the body. Other comments urge FDA
to identify the criteria an accredited third-party certification body
should use in determining whether to issue certification under section
808 of the FD&C Act.
(Response 123) We agree with the comments suggesting that
individuals involved in compliance determinations and certification
decisions under section 808 of the FD&C Act must be appropriately
qualified for those responsibilities. We agree that decisions on
certification should be made by individuals other than audit agents who
conducted the regulatory audits that would form the basis for the
decisions on certification, except individuals accredited as third-
party certification bodies may perform regulatory audits and issue
certifications based on the results of regulatory audits they
performed. An assessment for accreditation of a third-party
certification body under Sec. 1.642 would focus not only on its
competency and capacity for auditing food facilities but also on its
capacity to review audit results to determine compliance with
applicable food safety requirements for purposes of certification.
While an accredited third-party certification body may wish to use a
panel of experts for certification decisions, it is not necessary under
this rule.
(Comment 124) Some comments suggest that certifications issued
under section 808 of the FD&C Act should clearly delineate the scope of
products and processes covered by the certification.
(Response 124) Proposed Sec. 1.653(b)(2)(iv) and (vi) would
require the certification to include both the scope of the audit and
the scope of the food or facility certification. We believe the concern
about the scope of products and processes covered by the food or
facility certification is adequately addressed by the proposed rule,
and we are retaining these provisions in the final rule.
E. When must an accredited third-party certification body monitor an
eligible entity that it has issued a food or facility certification?
(Sec. 1.654)
Proposed Sec. 1.654 would require an accredited third-party
certification body to conduct monitoring of an eligible entity if the
certification body has reason to believe that an eligible entity to
which it issued a certification may no longer be in compliance with the
FD&C Act.
(Comment 125) Comments endorsing proposed Sec. 1.654 suggest that
FDA establish criteria for the ``reason to believe'' standard--that is,
the circumstances FDA believes would trigger a requirement for an
accredited third-party certification body to monitor an eligible
entity. The comment further suggests that FDA should make these
criteria available for public comment.
(Response 125) FDA declines to codify specific criteria that would
trigger the need for an accredited third-party certification body to
conduct monitoring of an eligible entity to determine whether the
entity is still in compliance with applicable requirements, as such
criteria would be fact-specific and FDA cannot contemplate all
situations that would require such monitoring. FDA envisions that the
circumstances that might trigger monitoring under Sec. 1.654 are ones
that may affect the eligible entity's capability to continue to comply
with the applicable food safety requirements of the FD&C Act and FDA
regulations, such as: (1) Significant changes to the audited facility,
such as capital improvements; (2) major changes to the eligible
entity's management system and processes; or (3) changes to the scope
of operations, such as changes in manufacturing processes, that may
affect the compliance status of an eligible entity.
(Comment 126) Other comments urge FDA to require an accredited
third-party certification body to notify an eligible entity immediately
upon determining that monitoring of the eligible entity prior to
recertification would be necessary.
(Response 126) We decline the suggestion to require notification of
an eligible entity prior to monitoring under Sec. 1.654, as we believe
it is more appropriate for the accredited third-party certification
body to decide based on the circumstances whether it should alert an
eligible entity it has certified that monitoring is necessary or
conduct unannounced monitoring activities. An accredited third-party
certification body may choose to notify an eligible entity before
conducting monitoring activities that are unrelated to the eligible
entity's annual audit for recertification purposes, which must be
conducted on an unannounced basis pursuant to Sec. 1.651(c)(1).
F. How must an accredited third-party certification body monitor its
own performance? (Sec. 1.655)
Proposed Sec. 1.655 would require an accredited third-party
certification body to conduct self-assessments annually and in the case
of revocation of the recognition of its accreditation body and prepare
a report of the results of each self-assessment.
On our own initiative, we are revising Sec. 1.655(a)(1) to clarify
that as part of the self-assessment, an accredited third-party
certification body must evaluate the performance of its audit agents in
examining facilities, process(es), and food using the applicable food
safety requirements of the FD&C Act and FDA regulations, which will
conform with other changes being made to the final rule.
(Comment 127) Some comments support the proposal to require
accredited third-party certification bodies to conduct self-
assessments. Other comments recommend that FDA should be more explicit
in the requirements for self-assessments.
(Response 127) We decline the suggestion to be more explicit in the
requirements for self-assessments, as the requirements in Sec. 1.655
include sufficient details for conducting self-assessments. Comments
did not provide adequate justification for adding
[[Page 74618]]
additional elements to the self-assessment.
(Comment 128) Some comments request that accredited governmental
certification bodies be allowed to conduct self-assessments at a
frequency different than other accredited third-party certification
bodies.
(Response 128) We decline to create different timeframes for self-
assessments for governmental versus private certifications bodies. As
explained in Response 39, Sec. 1.655 is part of a set of proposed
monitoring and self-assessment requirements intended to work together
in helping to ensure that the recognized accreditation bodies and
accredited third-party certification bodies maintain compliance with
the rule's requirements. The certification body self-assessment in
Sec. 1.655 is intended to serve, in part, as information for use in
the annual accreditation body monitoring in Sec. 1.621, the results of
which we intend the accreditation body to use in its annual self-
assessment under Sec. 1.622. This system of assessments takes place on
an annual basis and is an essential part of the program's safety net.
Allowing different timeframes for assessments by different participants
would undermine the credibility of the program and create undue
administrative complexity. We believe this section will be far less
burdensome in practice than some of the commenters may have
anticipated. We note that to address general concerns about the burden
of these requirements, similar to other sections of the final rule, FDA
is adding a new Sec. 1.655(e) to allow an accredited third-party
certification body to use documentation of its conformance to ISO/IEC
17021:2011 or ISO/IEC 17065:2012, supplemented as necessary, to meet
the requirements of this section.
(Comment 129) Some comments assert that accredited third-party
certification bodies should not be required to be prepare self-
assessment reports in English under proposed Sec. 1.655(d).
(Response 129) In response to comments and consistent with
revisions made elsewhere in the final rule, we are removing the English
language requirement in Sec. 1.655(d) for self-assessment reports
prepared by third-party certification bodies accredited by a recognized
accreditation body. However, we are now including a requirement in
Sec. 1.656(b) of submission in English for self-assessment reports
prepared by third-party certification bodies directly accredited by FDA
and self-assessments submitted to FDA as a result of an FDA request for
cause or due to the termination of an accreditation body's recognition
due to denial of renewal, revocation, or relinquishment/failure to
renew under Sec. 1.631(f)(1)(i), 1.634(d)(1)(i), or 1.635(c)(1)(i),
respectively.
G. What reports and notifications must an accredited third-party
certification body submit? (Sec. 1.656)
Proposed Sec. 1.656 would establish requirements for various
reports and notifications that accredited third-party certification
bodies would have to submit to FDA and, as appropriate, recognized
accreditation bodies. Proposed Sec. 1.656(a) would establish the
requirements for submission of regulatory audit reports, and proposed
Sec. 1.656(b) would establish the requirements for submission of
reports of accredited third-party certification body self-assessments.
Proposed Sec. 1.656(c) would require an accredited third-party
certification body to immediately notify us, in English, of a condition
that could cause or contribute to a serious risk to the public health
(notifiable condition) that the certification body (or its audit agent)
discovered while conducting a regulatory or consultative audit of an
eligible entity. In the preamble discussion of proposed Sec. 1.656(c)
(78 FR 45782 at 45815), we solicited examples of conditions that might
and might not meet the standard in section 808(c)(4)(A) of the FD&C Act
for notifying FDA. We asked for input on whether the FDA Class I and
Class II recall standards, taken together, might adequately address any
condition covered by section 808(c)(4)(A) of the FD&C Act.
Proposed Sec. 1.656(d) would require an accredited third-party
certification body to immediately notify us electronically, in English,
upon withdrawing or suspending the food or facility certification of an
eligible entity. Proposed Sec. 1.656(e)(1) would require an accredited
third-party certification body that notified FDA under proposed Sec.
1.656(c) also to notify the eligible entity where the condition was
discovered. Proposed Sec. 1.656(e)(2) would require the accredited
third-party certification body to notify its accreditation body (or, in
the case of direct accreditation, to us) electronically, in English,
within 30 days after making any significant change that may affect its
compliance with the requirements of Sec. Sec. 1.640 through 1.658.
On our own initiative we are revising Sec. 1.656(c)(1) and (2) to
clarify if a condition that could cause or contribute to a serious
public risk to the public health is discovered, that in addition to the
name of the eligible entity and/or facility, an accredited third-party
certification body must also provide the physical address, unique
facility identifier (if designated by FDA), and the registration number
under subpart H of this part (where applicable).
(Comment 130) Some comments support proposed Sec. 1.656(a), which
would require submission of regulatory audit reports to FDA, but would
not require reports of consultative audits to be submitted. Other
comments interpret the proposed rule as requiring submission of
consultative audit reports to FDA and the reporting of laboratory
analytical results under section 422 of the FD&C Act.
(Response 130) Under section 808(c)(3)(A) of the FD&C Act, an
accredited third-party certification body or an audit agent of a third-
party certification body, where applicable, ``shall prepare, and, in
the case of a regulatory audit, submit, the audit report for each audit
conducted . . .'' Based on the statutory language, it is clear that
Congress only desired reports of regulatory audits to be submitted to
FDA. We also note that section 808(c)(3)(C) of the FD&C Act limits the
ability for FDA to access the results of consultative audits to
circumstances described in the records access standard of section 414
of the FD&C Act. Some comments incorrectly interpreted the proposed
rule to require the submission of the certification bodies' laboratory
records and results. We are only requiring maintenance of such records
and results under Sec. 1.658.
(Comment 131) Some comments contend that we are interpreting the
notification standard in section 808(c)(4)(A) of the FD&C Act too
broadly, because the statute only requires accredited third-party
certification bodies to notify FDA of notifiable conditions discovered
during a regulatory audit. The comments assert that Congress did not
intend us to require notification of conditions found during
consultative audits, because those audits are for internal purposes;
therefore, we should revise proposed Sec. 1.656(c) to remove the
reference to a consultative audit. Other comments assert that
notifications submitted for conditions found during a consultative
audit could overwhelm FDA with data that could make it difficult to
identify the most serious risks to public health. Still other comments
support our proposal to require notification of conditions found during
consultative and regulatory audits.
Some comments describe a range of activities that generally may be
referred to as consultative audits and suggest
[[Page 74619]]
that requiring notification to FDA of conditions found during these
types of consultative audits may have unintended consequences. The
comments note the important role of third-party audits (and
consultative audits, in particular) in assisting the food industry
identify and fix internal problems and drive continuous improvements.
The comments suggest that requiring notification during consultative
audits might create disincentives for firms who might otherwise use
accredited third-party certification bodies to perform consultative
audits and for third-party certification bodies who might otherwise be
interested in participating in the program.
(Response 131) We decline the suggestion to limit Sec. 1.656(c) to
require notification only of conditions found during a regulatory
audit, because section 808(c)(4)(A) and (B) of the FD&C Act require
notification based on conditions found ``at any time during an audit''
and identifies ``audits'' as both consultative and regulatory audits.
Although we decline to limit Sec. 1.656(c) as the comment suggests
we believe that many of the concerns about notification during a
consultative audit are mitigated by revisions that clarify the scope of
the consultative audits that are, and are not, covered by the rule (see
Sections III.E and III.J). Under the final rule, an accredited third-
party certification body would only be required to notify FDA of a
condition that could cause or contribute to a serious risk to the
public health if the condition was discovered during an audit that an
eligible entity has specifically declared to be a regulatory audit for
certification purposes or a consultative audit in preparation for a
regulatory audit under this rule.
(Comment 132) Several comments contend that ``serious risk to the
public health'' has the same meaning as ``serious adverse health
conditions or death to humans or animals'' (SAHCODHA) as that phrase is
used throughout the FD&C Act. Specifically, the comments assert that
FDA should only require accredited third-party certification bodies to
notify FDA of conditions that pose a risk of SAHCODHA, as that standard
is interpreted for purposes of the Reportable Food Registry (RFR) under
section 417 of the FD&C Act (21 U.S.C. 350f).
The comments reject our tentative conclusion that the range of
conditions that require notification under section 808(c)(4)(A) of the
FD&C Act is broader than SAHCODHA, because the statute describes
notifiable conditions as ones that ``could'' cause or contribute to a
serious risk to public health. In response to our request for input,
the comments specifically reject an interpretation of ``serious risk to
the public health'' that might include, for example, conditions that
pose a risk of temporary or medically reversible adverse health
consequences or where the probability of adverse health consequences is
remote. Some comments suggest that accredited third-party certification
bodies and audit agents would be more readily able to identify
conditions that pose a SAHCODHA risk but would find it more difficult
to identify other conditions that would need to be notified to FDA
under proposed Sec. 1.656(c). Other comments support our tentative
conclusion that a ``condition that could cause or contribute to a
serious risk to the public health'' is broader than a condition
relating to a SAHCODHA risk.
(Response 132) We disagree with comments suggesting that the phrase
``serious risk to public health'' in section 808(c)(4)(A) of the FD&C
Act should be interpreted as a risk of SAHCODHA. We note that Congress
chose to incorporate SAHCODHA in section 808(c)(6)(A) to describe
outbreak situations that would lead to withdrawal of accreditation, but
did not use SAHCODHA in describing the conditions that must be notified
to FDA under section 808(c)(4)(A) of the FD&C Act. Additionally,
Congress chose to incorporate SAHCODHA in other sections of FSMA, such
as in provisions on suspension of registration in section 102(b)
amending section 415 of the FD&C Act. In light of the foregoing, we
believe that Congress intended for a ``serious risk to the public
health'' to be distinct from a risk of SAHCODHA and, therefore, reject
the suggestion that accredited third-party certification bodies would
only need to notify FDA of conditions that pose a risk of SAHCODHA
under proposed Sec. 1.656(c). We conclude that notifiable conditions
include not only those that present a risk of SAHCODHA, but also other
conditions that ``could cause or contribute to a serious risk to the
public health.''
Although it is difficult to predict the range of conditions or
circumstances that accredited third-party certification bodies and
audit agents might encounter, we offer some factors that may be useful
in identifying whether a condition would need to be notified under
Sec. 1.656(c), such as whether the condition relates to incoming
ingredients that will be subject to control within the facility, or an
area of the facility where pre-production materials are held; whether
the condition relates to the post-processing environment or where
finished product is held prior to distribution; and whether the
condition relates to food, process(es), or areas of the facility
associated with food that is destined for export to the United States,
and not if it relates solely to food, process(es), or areas of the
facility associated with food for consumption other than in the United
States.
(Comment 133) Some comments urge us to revise proposed Sec.
1.656(c) to incorporate the limitations on reporting that apply to the
RFR under section 417(d)(2) of the FD&C Act, such that notification
would only be submitted if food adulterated as a result of the
notifiable condition had left the control of the eligible entity. The
comments assert it would be reasonable for FDA to interpret section
808(c)(4)(A) of the FD&C Act such that an accredited third-party
certification body would not need to alert FDA immediately upon
discovering a notifiable condition if the eligible entity reworked
adulterated product or destroyed it before the adulterated food was
transferred to another person. Other comments suggest that proposed
Sec. 1.656(c) is redundant because such conditions are subject to RFR
reporting.
(Response 133) We decline the suggestion to revise Sec. 1.656(c)
to incorporate an exception similar to section 417(d) of the FD&C Act
as there is no exception to the notification requirement in section
808(c)(4) as there is in section 417(d). Further, we believe the
notification requirement in section 808(c)(4) serves not only to inform
FDA of potential risks to the public, but also enhances credibility of
the program by giving FDA, accredited certification bodies, and
recognized accreditation bodies information that may be relevant to our
oversight of the food safety and third-party programs. We believe that
given the statutory language and goals of the third-party certification
program, it is appropriate for the notification requirement in this
rule to have different requirements and exceptions than other
notification provisions in the FD&C Act.
As such, we also disagree with comments suggesting the obligation
of a responsible party to submit a report to FDA through the RFR makes
proposed Sec. 1.656(c) redundant. Among other things, RFR requirements
only apply to facilities that are required to register with FDA under
section 415 of the FD&C Act. An eligible entity that is a farm, for
example, would not be subject to RFR requirements. Additionally, as
discussed previously, the reporting
[[Page 74620]]
requirement under this rule contains no exception for circumstances
when the food adulterated as a result of the notifiable condition has
not left the control of the eligible entity. In light of the foregoing,
we are retaining Sec. 1.656(c) without the revisions suggested by the
comments.
(Comment 134) Some comments urge us to revise proposed Sec.
1.656(e)(1) to allow for concurrent notification of FDA and the
eligible entity where the notifiable condition was discovered.
(Response 134) We agree and are adding to Sec. 1.656(e)(1) a
provision that allows, where feasible and reliable, for the accredited
third-party certification body to contemporaneously notify its
recognized accreditation body and/or the eligible entity when notifying
FDA. We note that this provision does not affect the obligation for the
accredited third-party certification body to notify FDA immediately of
a notifiable condition under Sec. 1.656(c).
H. How must an accredited third-party certification body protect
against conflicts of interest? (Sec. 1.657)
Proposed Sec. 1.657 sets out the elements of a conflict of
interest program that an accredited third-party certification body
would be required to have. Proposed Sec. 1.657(a) would require the
accredited third-party certification body to have a written program
that covers the certification body itself and any of its officers,
employees, or other agents (e.g., audit agents) conducting audits or
certification activities under this program. Proposed Sec. 1.657(b)
would address the requirement, in section 808(c)(5)(C) of the FD&C Act,
to issue implementing regulations that include a structure to decrease
the potential for conflicts of interest, including timing and public
disclosure, for fees paid by eligible entities to accredited third-
party certification bodies. Proposed Sec. 1.657(c) would impute to an
accredited third-party certification body's officer, employee, or other
agent the financial interests of his or her spouse and minor children,
if any. Proposed Sec. 1.657(d) would require an accredited third-party
certification body to maintain on its Web site an up-to-date list of
eligible entities to which it issued certifications under this subpart,
the duration and scope of each such certifications, and the date on
which the eligible entity paid any fee or reimbursement under proposed
Sec. 1.657(c).
On our own initiative, we are revising the accredited third-party
certification body conflict of interest provisions in Sec. 1.657(a)(1)
to clarify that the certification body, its officers, employees, and
other agents involved in auditing and certification activities cannot
own, operate, have a financial interest in, manage, or otherwise
control an eligible entity to be certified. We also are redesignating
proposed paragraphs (a)(2) to (4) as (a)(3) to (5) and adding a new
paragraph (a)(2) to conform to section 808(c)(5)(A)(i) of the FD&C Act.
Additionally, we are revising redesignated Sec. 1.657(a)(3) to add
financial interests, management, or control to the proposed list of
prohibited interests for audit agents.
(Comment 135) Some comments support proposed Sec. 1.657, asserting
that it strikes the right balance between ensuring rigorous protections
against conflicts of interest and protection of trade secrets and
confidential commercial information. Other comments oppose the third-
party certification program that is the subject of this rulemaking
because private auditors are inherently conflicted and food safety
inspections should be conducted only by FDA.
Other comments suggest various additional conflict of interest
restrictions that should be placed, such as requiring an individual
audit agent or an individual accredited as a third-party certification
body to divest of all interests in FDA-regulated food firms;
prohibiting such individual from conducting a regulatory audit of an
eligible entity where the individual previously conducted a
consultative audit or where the individual was previously employed; and
prohibiting the individual from accepting an offer of employment from
an audited eligible entity for 1 year following an audit. Still other
comments urge FDA to prohibit meals or beverages from being provided
during an audit or to define the de minimis value of meals and
beverages that may be provided onsite during an audit.
(Response 135) We believe the accredited third-party certification
program that Congress directed us to establish under section 808 of the
FD&C Act will provide a valuable complement to FDA inspections and will
allow us to leverage rigorous, independent third-party audits in
helping to ensure the safety of the U.S. food supply. We disagree with
comments contending that third-party certification programs are so
inherently conflicted that such a program is not worthwhile.
We believe the conflict of interest restrictions for accredited
third-party certification bodies and for their audit agents that are
established by section 808 of the FD&C Act for public and private
third-party certification bodies, as implemented by this rule, provide
the safeguards necessary for a credible third-party certification
program. Accordingly, we decline suggestions to revise Sec. 1.657 to
place additional conflict of interest limitations that would be
impractical and unnecessary, such as requiring: (1) Requiring full
divestment by audit agents of interests in any FDA-regulated food firm;
(2) prohibiting an individual who conducted a consultative audit of an
eligible entity from ever conducting a regulatory audit of the same
eligible entity; (3) prohibiting an individual who audited an eligible
entity from accepting an offer of employment from the eligible entity
for 1 year following the audit; and (4) prohibiting an individual
conducting an audit from accepting a beverage or a meal of de minimis
value that is provided onsite during audit.
We disagree with comments suggesting that by providing meals of a
de minimis value, an eligible entity or facility might influence the
outcome of an audit by an accredited third-party certification body,
particularly if the only allowable meals are ones of minimal value that
are provided during the course of an activity and with the purpose of
facilitating timeliness and efficiency. As explained in Response 55,
FDA follows a similar approach for investigators conducting foreign
inspections--that is, FDA investigators performing foreign inspections
are allowed to accept lunches (of little cost) provided by firms during
the course of foreign inspections. We also note that the U.S.
government allows its employees to accept meals, within per diem
limits, when on official business in a foreign country, as an exception
to the prohibition on the acceptance of gifts or gratuities from
outside sources (5 CFR 2635.204(i)(1)), though we believe the FDA's
practices for foreign inspections serve as a better model because
foreign inspections are more analogous to foreign audits than are the
range of activities that covered by the general requirements applicable
to all U.S. government employees on official business in foreign
countries. Accordingly, in light of the comments received and analogous
FDA guidelines, we have concluded that it is reasonable and appropriate
to limit the meal exception in Sec. 1.657(a)(4)(ii) to only lunches of
de minimis value provided during the course of an audit, on site at the
premises where the assessment is being conducted, and only if necessary
to facilitate the efficient conduct of the audit. We believe these
revisions help to address concerns regarding the threats to
impartiality, while accommodating the practical considerations that
apply to foreign audits.
[[Page 74621]]
Consistent with our guidance to recognized accreditation bodies
under Response 55, we offer the following additional input to
accredited third-party bodies seeking guidance on the application of
Sec. 1.657(a)(4)(ii). In considering whether a meal is allowable under
this provision, we recommend first considering whether accepting the
lunch is necessary to facilitate the efficient conduct of the audit. We
recommend considering: (1) Whether the circumstances surrounding the
travel would allow a lunch to be packed bring on site; (2) Whether the
meal is being provided during the midday or early afternoon. A lunch
provided in the midst of an audit is different than a lunch or other
meal provided at the completion of the audit; (3) Whether the site of
the audit is in close proximity to a retail food establishment, or is
at a remote location far from a retail food establishment; (4) What is
the estimated value (or cost) of the lunch in light of the costs
associated with the area where the audit is being conducted; and (5)
other similar considerations.
For accredited third-party certification bodies or audit agents
seeking additional guidance on determining what constitutes a ``de
minimis'' amount for purposes of complying with Sec. 1.624(a)(3)(ii),
we offer the following guidance that is based on the requirements
applicable to U.S. government employees who accept certain meals while
on official travel in foreign countries. Such employees must deduct
from the per diem the value of that meal, calculated using a two-step
process.
First, the individual must determine the per diem applicable to the
foreign area where the meal was provided, as specified in the U.S.
Department of State's Maximum Per Diem Allowances for Foreign Areas,
Per Diem Supplement Section 925 to the Standardized Regulations (GC,FA)
available from the Superintendent of Documents, U.S. Government
Printing Office, Washington, DC 20402, and available on the Department
of State Web site at https://aoprals.state.gov/Web920/per_diem.asp.
(Foreign per diem rates are established monthly by the Department of
State's Office of Allowances as maximum U.S. dollar rates for
reimbursement of U.S. Government civilians traveling on official
business in foreign areas.)
Second, the individual must determine the appropriate allocation
for the meal within the daily per diem rate which is broken down into
Lodging and M&IE that are reported separately in Appendix B of the
Federal Travel Regulation and available on the Department of State's
Web site at https://aoprals.state.gov/content.asp?content_id=114&menu_id=78.
Accordingly, under Sec. 1.657(a)(4)(ii), an accredited third-party
certification body that is an individual or an audit agent of an
accredited third-party certification body who is conducting a food
safety audit of an eligible entity may accept lunch provided during an
audit and on the premises where the audit is conducted, if necessary to
facilitate the efficient conduct of the audit.
(Comment 136) Some comments raise concerns about possible conflicts
of interests. Some comments urge us to attach additional controls to
the accreditation of foreign cooperatives to prevent them from auditing
and certifying their members' facilities and food. Other comments
recommend we further consider the difficulties involved with foreign
governments demonstrating impartiality of their processes in auditing
and certifying facilities owned by the foreign government.
(Response 136) We note that under proposed Sec. 1.657, foreign
cooperatives accredited as third-party certification bodies would not
be able to audit or certify their members' facilities or foods under
the program, because of their shared financial interests.
We decline the suggestion to develop special sets of controls for
one or more types of third-party certification bodies eligible to be
considered for accreditation under section 808 of the FD&C Act. We note
that the conflict of interest requirements in section 808(c)(5) of the
FD&C Act apply equally to the foreign governments, agencies of foreign
governments, foreign cooperatives, and other third-parties. That is, a
foreign government accreditation body that is recognized by FDA under
this program may accredit government auditors (i.e., the competent
authority for food safety) from the same nation, provided that the
conflict of interest requirements in Sec. 1.657 are met. Consistent
with the approach taken in the statute, we believe that this
comprehensive, rigorous set of conflict of interest requirements make
it unnecessary for us to create a different or special controls for
certain types of certification bodies.
(Comment 137) Some comments support the proposal to require
accredited third-party certification bodies to maintain up-to-date
lists of eligible entities to which food or facility certification were
issued, together with the duration and scope of each such
certification. The comments suggest that having this information
readily available would be helpful to importers seeking to participate
in VQIP and those seeking to import food that is subject to import
certification under section 801(q) of the FD&C Act.
Other comments suggest that requiring an accredited third-party
certification body to maintain a list of certified eligible entities on
its Web site, together with the dates each eligible entity paid
certification fees, could create an unfair competition. The comments
contend that the statute does not require disclosure of the date of
payment of fees and seek clarification on the basis for disclosing the
timing of fee payments. Other comments suggest that information on
payment of fees should remain confidential between the accredited
third-party certification body and the eligible entities it audited and
suggest the information could be made available to FDA on request.
Still other comments contend that FDA should only have access to
information on fee payments by eligible entities upon a showing of
cause.
(Response 137) We agree with comments suggesting that Web site
listings of eligible entities to which food or facility certification
were issued will be helpful to importers. We disagree that such
information would create unfair competition, and the comment did not
provide an explanation as to why this would be the case. To the
contrary, publicizing this information will increase transparency and
accountability of the program. We are not proposing to require
disclosure of the amount of fees paid by eligible entities, because we
are concerned that publicizing the amounts of fee payments may lead to
certification bodies using this information to gain a competitive
advantage by offering audits at discount rates. However, we believe
proposed Sec. 1.657(c) meets the requirement of section
808(c)(5)(C)(ii) of the FD&C Act to provide information on the timing
of fee payments and will help build confidence in the third-party
certification program by providing assurances that payments are not
related to the results of regulatory audits. We decline to adopt the
alternative approach suggested by comments--i.e., such information
should be disclosed to FDA only when needed to investigate problems if
they occur, and publicly released only if disclosure would improve
public health--as inadequate to satisfy the requirements of section
808(c)(5)(C)(ii) of the FD&C Act. In light of the foregoing, we are
retaining Sec. 1.657(c), redesignated as Sec. 1.657(d), as proposed.
[[Page 74622]]
I. What records requirements must a third-party certification body that
has been accredited meet? (Sec. 1.658)
Proposed Sec. 1.658 would require accredited third-party
certification bodies to maintain the following documents and data
electronically, in English, for 4 years, to document compliance with
the rule: (1) Requests for regulatory audits; (2) audit reports and
other documents resulting from a consultative or regulatory audit; (3)
any notification of a condition under proposed Sec. 1.650(a)(5) or by
the accredited third-party certification body to FDA under proposed
Sec. 1.656(c); (4) any food or facility certification issued under
this program; (5) any challenge to an adverse regulatory audit decision
and its disposition; (6) any monitoring it conducted of a certified
eligible entity; (7) the auditor's/certification body's self-
assessments and corrective actions; and (8) any significant change to
the auditing and certification program that might affect compliance
with this rule.
On our own initiative, we are requiring under Sec. 1.658(a)(3) the
maintenance of any laboratory testing records and results and
documentation demonstrating that such laboratory is accredited in
accordance with Sec. 1.651(b)(3).
(Comment 138) Some comments recommend that we allow accredited
third-party certification bodies to maintain their records in languages
other than English, coupled with a requirement to provide an English
language translation upon FDA request. Some comments suggest that we
should allow for flexibility in the timeline for submission of
translated records in the regulations, rather than establishing a
specific deadline, because the circumstances of each records request
will dictate what would be appropriate--e.g., where there is a recall
involving a certified facility, then the timeframe for providing
translations should be very stringent, but where records are requested
for routine verification purposes, the accredited third-party
certification body should have more time to comply. Other comments note
that a minimum of 5 business days would be required for English
language translations of records.
(Response 138) We agree that records should not be required to be
maintained in English, for the same reasons as we explained in Response
64 (regarding the records of recognized accreditation bodies) and are
revising Sec. 1.658 accordingly. We further agree with comments
suggesting that we should have a flexible, rather than a fixed timeline
for providing English language translations of requested records to FDA
and are requiring translations to be provided within a reasonable time
after an FDA request.
(Comment 139) Some comments urge us ensure that Sec. 1.658 fully
incorporates the limitation on access to reports and documents relating
to consultative audits in section 808(c)(3)(C) of the FD&C Act.
(Response 139) Section 808(c)(3)(C) of the FD&C Act states that
reports or other documents resulting from a consultative audit are
accessible to us only under circumstances that meet the requirements
for records access under section 414 of the FD&C Act. Proposed Sec.
1.658(a)(1) utilizes the language of section 808(c)(3)(C) of the FD&C
Act in describing the types of records of consultative audits that an
accredited third-party certification body must maintain, and proposed
Sec. 1.658(b) states that those records must be made available to FDA
in accordance with 21 CFR part 1, subpart J, which implements section
414 of the FD&C Act. Therefore, the requirements in Sec. 1.658 do
fully incorporate the limitation on access to reports and documents
relating to consultative audits as specified in section 808(c)(3)(C) of
the FD&C Act.
(Comment 140) Some comments urge us to ensure that trade secrets
and confidential commercial information contained in any records
submitted to FDA would be adequately protected. The comments note that
the proposed rule does not contain language on the protection of trade
secrets, such as the language in 21 CFR parts 120 and 123 indicating
that HACCP plans are trade secrets exempt from disclosure. Other
comments suggest that FDA should consider examining accredited third-
party certification body records without taking custody of them. The
comments further suggest that FDA should establish an administrative
process for requesting records from accredited third-party
certification bodies participating in the program.
Some comments urge us to clarify that we will not be applying the
records access and submission requirements of subpart M to audits that
are not conducted under the rule or to records of the audited food
facilities.
(Response 140) We acknowledge concerns about protecting proprietary
information and are adding Sec. 1.695 to address disclosure issues
(see Section XIII.F).
We decline the suggestion to review records of accredited third-
party certification bodies without taking custody of the records,
because such an approach would be inconsistent with the records
provisions in section 808(c)(3)(B) of the FD&C Act and would undermine
the credibility of the program. We also decline the suggestion to
establish separate administrative processes for handling records
requests that might include, for example, procedures for challenges to
records requests and appealing adverse decisions on records requests.
Establishing and administering a process for FDA records requests would
hinder our program oversight and would be overly burdensome. We note
that in this rulemaking, FDA has established a number of mechanisms to
address challenges to FDA's decisions, including Sec. 1.691 (for
requests for reconsideration of the denial of an application of waiver
request); Sec. 1.692 (for internal agency review of the denial of an
application or waiver request upon reconsideration); and Sec. 1.693
(for regulatory hearings on withdrawal of accreditation).
We recommend third-party certification bodies to fully consider the
program requirements before deciding to pursue recognition under the
voluntary third-party certification program. Once accredited a
certification body may voluntarily relinquish its accreditation under
Sec. 1.665.
We note that the records maintenance and access requirements of
subpart M apply only to records relating to an accreditation of a
third-party certification body under this rule and to the audits and
certification activities conducted under this program. Records of
audits or certifications issued by an accredited third-party
certification body for any other purpose outside of the scope of the
program under subpart M are not covered by Sec. 1.658. We also note
that the rule does not affect the records maintenance and access
requirements that apply to facilities under subpart J of this part.
X. Comments on Procedures for Accreditation of Third-Party
Certification Bodies Under This Subpart
A. Where do I apply for accreditation or renewal of accreditation by a
recognized accreditation body and what happens once the recognized
accreditation body decides on my application? (Sec. 1.660)
Proposed Sec. 1.660 states that auditors/certification bodies must
apply directly to a recognized accreditation body for accreditation
(except for circumstances meeting the requirements of Sec. 1.670 for
direct accreditation).
On our own initiative, we are adding new provisions (b) through (d)
to Sec. 1.660 to explain what happens when a third-party certification
body's renewal
[[Page 74623]]
application is denied. We are adding provisions to clarify what the
applicant must do, the effect of denial of an application for renewal
of accreditation on food or facility certifications issued to eligible
entities, and how FDA will notify the public.
(Comment 141) Some comments propose that we include a time limit
for recognized accreditation bodies to issue an accreditation decision.
They argue a time limit would set measurable standards for the process
and would also help ensure an adequate supply of accredited auditors/
certification bodies. Comments suggest the timeframe be 90 days. Some
comments suggest the timeframe could be stipulated in the Model
Accreditation Standards.
(Response 141) We acknowledge the interest in having timely
accreditation decisions. However, the comments failed to provide an
adequate basis to support a decision to impose a 90-day deadline for
decisions on accreditation. No other information available to FDA
provides an adequate basis for us to establish such a deadline, nor do
we think it would be appropriate to do so at this time. We expect that
the time required to perform various actions in the program will be
longer in the early days of the program than it will when FDA, the
accreditation bodies, and the third-party certification bodies gain
experience with the program.
We decline to revise these regulations to impose a deadline for
accreditation decisions, but may consider addressing the issue of
deadlines for accreditation decisions in guidance, if we later
determine it would be appropriate. We are mindful that section
808(c)(1)(C) of the FD&C Act requires revocation of recognition for
failure to comply with the applicable requirements of the FD&C Act and
FDA regulations. We would not want an accreditation body to take
shortcuts in accreditation assessments to ensure that it could meet a
regulatory deadline for its accreditation decisions out of concern for
revocation for failure to comply with the deadline. The final rule
reflects our view that the rigor of the accreditation assessment is
essential in helping to ensure the credibility and success of the
third-party certification program.
(Comment 142) Some comments ask whether the processes for
accreditation are the same for governmental and private bodies.
(Response 142) Section 808(c)(1)(A) and (B) of the FD&C Act
establishes different requirements for public certification bodies and
for private certification bodies by specifying different criteria for
the assessment of foreign governments/agencies than it does for foreign
cooperatives and other private third-party certification bodies seeking
accreditation. However, the statute makes no distinction between public
and private certification bodies in procedural matters for
accreditation. Therefore, we are establishing a single set of
accreditation procedures in this rule that apply to both public and
private third-party certification bodies.
(Comment 143) Some comments ask how a third-party certification
body could apply for accreditation under this program.
(Response 143) Third-party certification bodies seeking to apply
for accreditation under our program may wish to review Sec. 1.660 of
this final rule, which describes the general procedures for applying
for accreditation from a recognized accreditation body, as well as the
eligibility requirements for certification bodies seeking accreditation
in Sec. Sec. 1.640 through 1.645. We will post on the FDA Web site a
list of all recognized accreditation bodies and will include a
description of the scope of recognition of each.
As provided in Sec. 1.670(a)(3), FDA will announce on our Web site
if we determine that the conditions for direct accreditation by FDA in
section 808(b)(1)(A)(ii) of the FD&C Act have been met. We will accept
applications for direct accreditation or renewal of direct
accreditation only if we determine that we have not identified and
recognized an accreditation body to meet the requirements of section
808 of the FD&C Act within 2 years after establishing the program.
Unless and until FDA makes such a determination, third-party
certification bodies must apply for accreditation from an accreditation
body that FDA has recognized.
(Comment 144) Some comments suggest that third-party certification
bodies who receive an adverse decision on accreditation from a
recognized accreditation body should have access to a competent,
independent person outside the recognized accreditation body to whom
they could appeal.
Other comments contend that we have the authority to challenge the
decisions of an accreditation body.
(Response 144) As explained in Response 36, we are revising Sec.
1.620(d)(2) to require a recognized accreditation body must use
competent persons, who may be external to the accreditation body, for
investigating and deciding on certification body challenges to an
adverse accreditation body decision. Such competent persons must meet
the following criteria: (1) Are free from bias or prejudice; (2) did
not participate in the accreditation decision being appealed; and (3)
are not subordinate to a person who participated in such accreditation
decision. Although we are not requiring the accreditation body to use
an external party for certification body appeals, we believe the
enhanced requirements of Sec. 1.620(d)(2) will be adequate to ensure
any person the accreditation body would select for investigating and
deciding on appeals--whether internal or external--would be objective
and independent.
With respect to comments suggesting that we should exercise our
authority over recognized accreditation bodies to challenge their
accreditation decisions, we note that the enhanced requirements in
Sec. 1.620(d) align with the impartiality provisions in part 16, which
contains the regulations for FDA regulatory hearings that we will
generally apply under Sec. 1.693 to an appeal of a revocation or
withdrawal. We also note that FDA retains the authority to revoke the
recognition of accreditation bodies for good cause under Sec.
1.634(a)(4) for failure to comply with this rule. For these reasons, we
decline to establish a process appealing recognized accreditation body
decisions to FDA.
B. What is the duration of accreditation by a recognized accreditation
body? (Sec. 1.661)
Proposed Sec. 1.661 states that the accreditation of a third-party
certification body may be granted for a period up to 4 years.
(Comment 145) Most comments agree with our proposed maximum 4-year
accreditation timeframe. In this regard, some comments state they are
comfortable with this length of time as long as accreditation bodies
annually review the accreditation. Some comments contend that instead
of allowing accreditation to last ``up to 4 years,'' we should
establish a definite duration period and it should be 5 years. These
comments contend that would align the duration of accreditation with
the duration of recognition. They also argue that having a definite
duration period would be more viable administratively.
(Response 145) We agree with the comments supporting our proposal
to allow accreditation to be issued for a term of up to 4 years. The
comments suggesting accreditation should be granted for 5 years offered
no information that would provide an adequate basis for extending
accreditation such that a third-party certification body could be
accredited for as long as a recognized accreditation body. We note that
the rigor and credibility of the program rests, in part,
[[Page 74624]]
on the extent of oversight of accredited third-party certification
bodies. Through the renewal process, recognized accreditation bodies
(and FDA, for directly accredited third-party certification bodies)
look closely at all aspects of a certification body's and performance
and have the opportunity to decide anew whether the certification body
meets the eligibility requirements.
With respect to comments suggesting that we establish a definite
duration of accreditation that would apply to any third-party
certification body accredited under the program, we acknowledge the
advantages that certainty provides and, where appropriate, we expect
that recognized accreditation bodies will issue accreditation for the
maximum duration of 4 years. Where, for example, a certification body
has little or no experience conducting audits assessing the safety of
food, a recognized accreditation body (or FDA under direct
accreditation) may decide the initial grant of accreditation should be
less than 4 years. A recognized accreditation body (or FDA under direct
accreditation) will make its own decision on whether to approve a
third-party's application for accreditation and has the flexibility to
issue accreditation for a duration it believes appropriate, up to a 4-
year maximum established by this rule.
C. How will FDA monitor accredited third-party certification bodies?
(Sec. 1.662)
We proposed in Sec. 1.662 to monitor directly accredited
certification bodies annually; we proposed to evaluate certification
bodies accredited by a recognized accreditation body by not later than
3 years after the date of accreditation for a 4-year accreditation term
or by no later than the mid-term point of a less-than-4-year
accreditation term. We proposed to review a variety of records and
information such as assessments by a recognized accreditation body,
information regarding the auditor's/certification body's
qualifications, and information obtained during onsite observations. We
proposed to conduct our evaluation through onsite observations of
performance during a food safety audit of an eligible entity or through
document review.
(Comment 146) Some comments advocate for more clarity on the
frequency and methods by which we'll be providing oversight of
accredited third-party certification bodies. Some comments question
whether we have sufficient resources to conduct onsite observation at
any specific frequency. They advise that we further explain how we are
going to provide oversight and how compliance will be reported.
(Response 146) Monitoring assessments of accredited third-party
certification bodies are one of several tools we will use for program
oversight. Section 1.662(a) implements section 808(f) of the FD&C Act,
which states that FDA must evaluate an accredited third-party
certification body periodically, or at least once every 4 years, and
take any other measures FDA deems necessary to ensure compliance. We
anticipate that information gleaned from other monitoring tools, such
as the accreditation body's annual assessment of the certification
body, will also aid in program oversight and may perform additional
assessments of certification bodies in certain instances.
The objective of an assessment under Sec. 1.662 will be to
determine the accredited third-party certification body's compliance
with the requirements of this rule. FDA may conduct an assessment
through a site visit of the third-party certification body's
headquarters, onsite observation of an accredited third-party body's
performance during a food safety audit, document review, or a
combination of these activities. We will develop plans for assessing
accredited third-party certification bodies based on risk and informed
by data and other information available to FDA regarding their programs
and performance in our program. The starting point for each assessment
will be document review, and any additional assessment activities
(e.g., site visits or onsite observations) will be conducted where
circumstances may warrant or for spot-checks of randomly selected
third-party certification bodies. When planning an assessment, we will
establish the time period of activities covered by the assessment. We
may request records of the certification body under Sec. 1.658. We
also may develop plans for any site visits or onsite observations,
including locations to be visited. As part of the assessment, we may
review records relating to conflicts of interest, and interview
officers, employees, and audit agents, and other agents who participate
in decisions on issuance of certification under this program. We are
revising this section to explicitly state that FDA may visit the
certification body's headquarters or other locations where audit agents
are managed.
(Comment 147) Some comments propose alternative schedules for FDA
monitoring of accredited third-party certification bodies. Some
comments propose that if we revise the final rule to establish a fixed,
5-year duration for accreditation, we should monitor accredited third-
party certification bodies not later than 4 years after the date of
accreditation. Other comments state that we should conduct our own
assessments of certification bodies accredited by recognized
accreditation bodies every 3 years. Still other comments ask who will
cover the costs of such assessments.
(Response 147) As explained in Response 145, we decline the
suggestion to lengthen the maximum duration of accreditation from 4
years to 5 years. We will use annual performance assessments by
recognized accreditation bodies and information submitted to FDA as
part of our ongoing monitoring of accredited third-party certification
bodies. The FDA monitoring assessment under Sec. 1.662 will occur at
least once every 4 years and may occur more frequently depending on
circumstances, including available resources. We are proposing that
costs for FDA monitoring will be included in the user fees that are
assessed under section 808(c)(8) of the FD&C Act to recover FDA's costs
in administering the program (80 FR 43987).
(Comment 148) Some comments propose that FDA monitoring of
accredited third-party certification bodies should periodically focus
on compliance with food additive requirements.
(Response 148) Our monitoring will be tailored to the scope of
accreditation under which the accredited third-party certification body
may conduct food safety audits under this program. We will prioritize
our monitoring activities to ensure compliance with the requirements of
section 808(f)(2) based on factors such as our risk-based program
priorities.
(Comment 149) Some comments suggest that, in addition to conducting
onsite observations of accredited certification bodies when conducting
a food safety audits, we could also do so when the recognized
accreditation body assesses the auditor/certification body.
(Response 149) We agree and will do so as appropriate and as
circumstances allow.
(Comment 150) Comments suggest that when FDA selects an accredited
certification body for onsite observation, we should notify it 2 months
in advance, to allow time to make the arrangements.
(Response 150) At this time, we have no basis for determining that
we would be able to provide 2 months' notice prior to each
certification body onsite observation; therefore, we decline the
suggestion. We note that we may begin working with an accredited third-
party
[[Page 74625]]
certification body well before we perform onsite observations, as
feasible.
D. How do I request an FDA waiver or waiver extension for the 13-month
limit for audit agents conducting regulatory audits? (Sec. 1.663)
Proposed Sec. 1.663 would allow accredited third-party
certification bodies to seek an FDA waiver of the limit on audit agents
conducting regulatory audits of an eligible entity where they conducted
a regulatory or consultative audit in the preceding 13 months. Under
section 808(c)(4)(C)(ii) of the FD&C Act, we may waive the limit, which
appears in Sec. 1.650(c), where there is insufficient access to
accredited certification bodies in the country or region where an
eligible entity is located.
Of our own initiative, we are clarifying in the final rule that the
showing of insufficient access is based on lack of audit agents (or in
case where accredited third-party certification bodies are comprised of
an individual, that individual), consistent with changes made to Sec.
1.650 (see Section IX.A).
(Comment 151) Some comments note that capacity issues are currently
problematic, even in regions with highly developed third-party food
safety auditing systems, and are likely to increase once the FSMA rules
are implemented. Some comments contend that we should allow the request
for the waiver to come from other affected parties in addition to
accredited certification bodies. In particular, comments suggest we
should allow the requests to come from a foreign supplier and/or the
importer. Some comments estimate that, with the increased demand from
FSMA for audit services, it will take time for capacity to expand
sufficiently to satisfy the increased demand. Accordingly, they urge us
to act expeditiously on waiver and waiver extension requests. Other
comments express concern that FDA will be overwhelmed with waiver
requests and urge FDA to develop a process for expedited issuance of
waivers.
(Response 151) We acknowledge the concerns and are aware capacity
is an issue the food industry and certification bodies currently face.
However, we decline the suggestion to allow importers and foreign
suppliers to seek waivers on behalf of an accredited certification
body, because we believe the certification body is better positioned to
determine its own capacity than an importer or foreign supplier would
be. Further, it would ultimately be the certification body's choice
regarding whether to take on additional auditing work. If an accredited
third-party certification body concluded it needed a waiver to be able
to perform a particular audit, the certification body would be
motivated to seek a waiver.
We agree with the comments suggesting it will take time to build
adequate food safety auditing capacity around the world and will be
prepared to act on waiver requests as expeditiously as possible. It is
difficult to estimate the amount of the time required to process waiver
requests, because the program has not launched. We anticipate that we
will be able to process most waiver requests within 15 business days,
as permitted by resources and other program activities. In response to
comments suggesting that we should prioritize certain types of waiver
requests, we have modified the first-in, first-out rule of Sec.
1.663(d) to allow specific waiver requests to be prioritized based on
program needs.
We also note that as we gain experience with the program and with
information offered in support of waiver requests, we expect to be able
to process waiver requests more quickly and may reevaluate whether FDA
has adequate information to support issuance of a waiver for a
particular country or region.
E. When would FDA withdraw accreditation? (Sec. 1.664)
Proposed Sec. 1.664 would establish the conditions under which we
could withdraw accreditation from a third-party certification body,
regardless of whether it was directly accredited or accredited by a
recognized accreditation body. This section would implement section
808(c)(6)(A) of the FD&C Act, which requires us to withdraw
accreditation in certain outbreak situations, whenever we find that an
accredited third-party certification body is no longer meeting the
requirements for accreditation, or following a refusal to allow U.S.
officials to conduct audits and investigations to ensure compliance
with these requirements. The statute directs us to withdraw
accreditation if a food or facility certified by an accredited third-
party certification body under our program is linked to an outbreak of
foodborne illness that has a reasonable probability of causing serious
adverse health consequences or death in human or animals. There is an
exception if we conduct an investigation of the material facts of the
outbreak, review the steps and actions taken by the third-party
certification body, and determine that the accredited third-party
certification body satisfied the requirements for issuance of
certification under this rule.
Section 808(c)(6)(B) of the FD&C Act allows us to withdraw
accreditation from an accredited third-party certification body whose
accrediting body had its recognition revoked, if we determine there is
good cause for withdrawal. This statutory provision is reflected in
proposed Sec. 1.664(c), which also provides two examples of
circumstances we believe provide good cause for withdrawal, including
bias or lack of objectivity and performance calling into question the
validity or reliability of its food safety audits and certifications.
In proposed Sec. 1.664(d) we provide for records access when
considering possible withdrawal of accreditation. In proposed Sec.
1.664(e) we provide for notice of withdrawal of accreditation and
describe the processes to challenge such withdrawal.
Proposed Sec. 1.664(f) describes the effect of withdrawal on
eligible entities. Proposed Sec. 1.664(g)(1) explains that FDA will
notify the recognized accreditation body that accredited the third-
party certification body whose accreditation was withdrawn by FDA.
Proposed Sec. 1.664(g)(2) explains that FDA may revoke recognition of
an accreditation body whenever FDA determines there is good cause for
revocation under proposed Sec. 1.634. Proposed Sec. 1.664(h) provides
for public notice of withdrawal of accreditation on FDA's Web site.
At our own initiative, we revised proposed Sec. 1.664(c) on
discretionary withdrawal of accreditation to allow for partial
withdrawal of accreditation. For example, if FDA reviews a self-
assessment submitted by an accredited third-party certification body
following revocation of its accreditation body's recognition and
determines the third-party certification body has failed to perform
food safety audits consistent with this rule in some but not all areas
for which it is accredited, FDA may partially withdraw the third-party
certification body's accreditation as to those areas in which it has
failed to comply with this rule.
(Comment 152) Some comments contend that FDA's interpretation of
the statutory mandatory withdrawal provisions in section 808(c)(6)(A)
of the FD&C Act is overly strict. The comments focus specifically on
mandatory withdrawal when an eligible entity that was issued
certification by an accredited third-party certification body is linked
to a foodborne illness outbreak that meets the SAHCODHA standard. The
comments argue that one adverse event does not necessarily mean the
[[Page 74626]]
third-party certification body should lose its accreditation,
emphasizing that a single certification body might conduct hundreds of
audits in various regions of the world and in diverse product areas.
The comments propose that we limit mandatory withdrawal following an
SAHCODHA outbreak to the country, region, type of food product and
process involved in the event.
Some comments agree that, as described in proposed Sec. 1.664(f),
certifications issued by a third-party certification body prior to
withdrawal of its accreditation should remain in effect until they
expire. Other comments assert that withdrawal of accreditation might
result in unfairly revoking a significant number of certifications at
tremendous cost, adversely affect other eligible entities that depend
on the certification body and its certifications, and disrupt the
marketplace. Still other comments request greater detail on the
withdrawal procedures.
(Response 152) We believe the concerns about mandatory withdrawal
of accreditation in the outbreak situation described above or similar
situations are satisfactorily in addressed in Sec. 1.664(b), codifying
section 808(c)(6)(C) of the FD&C Act, which allows FDA to waive
mandatory withdrawal if FDA investigates the material facts of the
outbreak, reviews the steps and actions taken by the certification
body, and determines that the certification body satisfied the criteria
for issuance of certification under this subpart.
Regarding the comments expressing concerns about the possible
adverse effects of withdrawal of accreditation on certifications issued
by the certification body to other eligible entities, we note that
Sec. 1.664(f) states that certifications issued by an accredited
third-party certification body prior to withdrawal of accreditation by
FDA will remain in effect until they expire, except that FDA may refuse
to consider a certification under sections 801(q) or 806 of the FD&C
Act if FDA has reason to believe such certification is not valid or
reliable.
The comments seeking additional detail on our withdrawal procedures
did not specify what areas of Sec. 1.664 required further explanation.
We believe the procedures described in Sec. 1.664 offer sufficient
detail for interested parties to understand the standards for
withdrawal of accreditation by FDA and the processes involved.
(Comment 153) Some comments suggest that a recognized accreditation
body, not FDA, should withdraw accreditation from a certification body
it accredited, except for certification bodies directly accredited by
FDA. Other comments urge us to include a requirement, in Sec.
1.634(a), for FDA to consult with the appropriate accreditation body
before withdrawal of an accreditation it had issued. The comments argue
that consultation would facilitate coordination with the recognized
accreditation body and would complement Sec. 1.664(c), which addresses
discretionary withdrawal of accreditation in the event we revoke our
recognition of the accrediting accreditation body. Other comments
recommend that we meet with the certification body's accrediting body
when considering possible withdrawal of accreditation and that we allow
for a formal appeal process.
(Response 153) We disagree with the comment asserting that only
accreditation bodies may withdraw accreditations of certification
bodies they have accredited, as FDA is mandated under section 808(c)(6)
of the FD&C Act to withdraw accreditation of a certification body under
the conditions set forth in the section, subject to the waiver
provision in 808(c)(6)(C). We note that a third-party certification
body whose accreditation was withdrawn by FDA may appeal the action by
requesting a regulatory hearing under Sec. 1.693. We further note that
a recognized accreditation body has far broader authority to suspend,
withdraw, reduce, or otherwise dispose of an accreditation it issued,
than FDA does under section 808(c)(6) of the FD&C Act. Even in
circumstances that meet the statutory criteria for withdrawal of
accreditation, FDA believes it generally would not need to initiate
withdrawal unless the recognized accreditation body failed to withdraw
the certification body's accreditation in a timely manner.
We agree that in some cases, consultation with a certification
body's accrediting body before withdrawal could have advantages to FDA
and the accreditation body, if circumstances allow. Decisions on
whether to consult with the certification body's accrediting body prior
to withdrawal will be made on a case-by-case basis. Consultation might
not be appropriate if, for example, the facts that support withdrawal
of the third-party certification body's accreditation also support
revocation of the accreditation body's recognition.
(Comment 154) Some comments ask how individual holders of food or
facility certificates would be made aware of the withdrawal of
accreditation of the third-party certification body that issued the
certificate. Other comments recommended that FDA post on its Web site
not only that fact that a certification body's accreditation has been
withdrawn, but also the reason for the withdrawal.
(Response 154) If we withdraw accreditation of any third-party
certification body, whether accredited by a recognized accreditation
body or by FDA through direct accreditation, we will post information
regarding the withdrawal, including a description of the basis for the
action, on the FDA Web site pursuant to Sec. 1.664(h). We do not
intend to contact each eligible entity that was issued a certification
by the third-party certification body because, as indicated in Response
152, certifications issued to eligible entities prior to withdrawal of
accreditation will remain in effect until they expire, except where FDA
has reason to believe the certification is not valid or reliable and on
that basis may refuse to consider the certification under sections
801(q) or 806 of the FD&C Act.
(Comment 155) Some comments recommend we use ISO\IEC 17011:2004 as
the reference document for the requirements of this section.
(Response 155) We decline the suggestion, because the grounds for
withdrawal under section 808(c)(6) of the FD&C Act are much broader
than those described in ISO/IEC 17011:2004 (Ref. 5). For example, under
section 808(c)(6)(A)(i) and (C) of the FD&C Act FDA may withdraw
accreditation of a certification body if a food or facility it
certified under our program is linked to an outbreak of foodborne
illness that has a reasonable probability of causing SAHCODHA, unless
FDA determines the certification body satisfied the requirements for
issuance of such certification. In such an outbreak situation, the
statute contemplates that withdrawal of accreditation would occur after
a single--albeit significant--failure by the certification body. By
contrast ISO/IEC 17011:2004 allows for withdrawal of accreditation only
when a certification body persistently fails to meet the requirements
of accreditation or abide by the rules of accreditation.
We note that by declining to revise Sec. 1.664 based on the
comments, we are not suggesting that FDA will withdraw accreditation
when the Agency identifies a single incident or mistake by a
certification body, except where required by the statute. Any decision
to withdraw accreditation will be based on the facts and circumstances
of the situation and following due consideration by FDA.
(Comment 156) Some comments state that in a case where FDA
withdraws an accredited certification body, the accreditation body
should make an investigation and analysis and submit the analysis
result to FDA within 3
[[Page 74627]]
months after the analysis report has been established.
(Response 156) We disagree. This rule does not require that the
accreditation body make a full investigation and analysis and submit
the analysis result to FDA within 3 months. Section 1.664(g) requires
the accreditation body to perform a self-assessment and report the
results of the self-assessment to FDA within 60 days. FDA may revoke
the recognition of an accreditation body whenever FDA determines there
is good cause for revocation of recognition under Sec. 1.634. These
procedures will help ensure that accreditation bodies remain in
compliance with the requirements of the third-party program.
F. What if I want to voluntarily relinquish accreditation or do not
want to renew accreditation? (Sec. 1.665)
Proposed Sec. 1.665 offers a mechanism for an accredited third-
party certification body to voluntarily relinquish its accreditation
before it terminates by expiration.
Although we received no adverse comments on this section, we
received comments on other sections of the rule that led us to identify
a gap in procedural requirements when an accredited certification body
decides to allow its accreditation to expire without renewing it. At
our own initiative, we are revising the voluntary relinquishment
provisions in Sec. 1.665 to also address situations where a
certification body decides it does not want to renew its accreditation
once it expires.
G. How do I request reaccreditation? (Proposed Sec. 1.666)
Proposed Sec. 1.666 describes the procedures a certification body
must follow when seeking to be reaccredited after its accreditation was
withdrawn by FDA or after voluntarily relinquishing its accreditation.
FDA received no adverse comments on this section. On our own
initiative we are revising paragraph (a)(2)(i) to conform to the
changes in Sec. 1.634(d) to clarify that the third-party certification
body has to become accredited by another accreditation body or by FDA
through direct accreditation no later than 1 year after the withdrawal
or accreditation, or the original date of expiration of the
accreditation, whichever comes first.
XI. Comments on Additional Procedures for Direct Accreditation of
Third-Party Certification Bodies Under This Subpart
A. How do I apply to FDA for direct accreditation or renewal of direct
accreditation? (Sec. 1.670)
Section 808(b)(1)(A)(ii) of the FD&C Act allows us to directly
accredit third-party auditors/certification bodies if we have not
identified and recognized an accreditation body to meet the
requirements of section 808 within 2 years after establishing this
program. We proposed circumstances and procedures that would apply for
direct accreditation and renewal of direct accreditation.
(Comment 157) Some comments assert that the statute anticipates a
bifurcated system for direct accreditation of certification bodies,
because the standards for review for accreditation of foreign
governments are distinct from those of the private auditing entities
under section 808(c)(1) of the FD&C Act. The comments ask that we draft
additional rules to specifically cover direct accreditation of foreign
governments, asserting that we should provide a separate path for
direct accreditation of foreign governments that prioritizes their
applications based on, among other things, the language in section
808(c)(1) of the FD&C Act. Some comments ask whether the same
eligibility requirements and procedures are required of both
governmental and private bodies applying for direct accreditation.
(Response 157) We disagree with the suggestion to create a
bifurcated system. We acknowledge that section 808(c)(1) of the FD&C
Act contains different requirements for foreign governments/agencies
than it does for foreign cooperatives and other private third-party
certification bodies seeking accreditation. However, we do not
interpret this language as suggesting a preference for public
certification bodies over private certification bodies.
We believe sections 808(c)(1)(A) and (B) of the FD&C Act are
tailored to reflect the objectives and scope of each type of
assessment, which would vary because of the differences between public
and private certification bodies. While governments typically are both
auditors/inspectors and owners of food safety schemes, private
certification bodies usually are not scheme owners, because of concerns
about possible conflicts of interest associated with serving in dual
roles. Therefore, a private certification body would not be assessed
for its food safety program or standards; it would be assessed for the
training and qualifications of its auditors and its internal management
system. In light of the foregoing, we decline the suggestion to
interpret sections 808(c)(1)(A) and (B) of the FD&C Act as supporting
provisions for direct accreditation that would prioritize the
applications of foreign governments/agencies over applications from
private third-party certification bodies.
(Comment 158) Some comments suggest that FDA should not serve as an
accreditation body for third-party certification bodies because it
would open the door for other countries with less capability to do the
same. The comments contend that FDA and its foreign regulatory partners
need to provide the oversight of the industry, but should not be
accreditation bodies.
(Response 158) We disagree. Section 808 of the FD&C Act
contemplates that FDA can provide proper oversight of the program,
while directly accrediting third-party certification bodies. We are
unable to comment on what effects, if any, this would have on the
actions of other countries. However, we emphasize that FDA will not
perform direct accreditation unless the circumstances of section
808(b)(1)(A)(ii) of the FD&C Act are met--that is, if FDA has not
identified and recognized an accreditation body to meet the
requirements of section 808 of the FD&C Act within 2 years after
establishing this program.
(Comment 159) Some comments ask that we wait for more than 2 years
after the program is established to accept applications for direct
accreditation, to allow enough time for accreditation bodies applying
for recognition to satisfy all the necessary requirements. Other
comments assert that we should not directly accredit certification
bodies in a country if we have already recognized an accreditation body
in that country. Some comments ask us to clarify when, under what
conditions, and how we would choose to directly accredit a
certification body.
(Response 159) Under section 808(b)(1)(A)(ii) of the FD&C Act, 2
years after establishing the program is the earliest date that FDA may
begin to directly accredit third-party certification bodies. Further,
we may only do so if we determine that we have not identified and
recognized an accreditation body to meet the requirements of section
808 of the FD&C Act 2 years after establishing the program. In the
proposed rule, we provided examples of how we may make this
determination, such identifying a type of expertise or geographic
location for which a recognized accreditation body is
[[Page 74628]]
lacking, and stated that we will only accept applications for direct
accreditation and renewal applications that are within the scope of the
determination. FDA declines to limit itself to a time period longer
than 2 years before it can consider direct accreditation as any
decision to directly accredit will depend on the circumstances the
needs of the program, as determined by FDA under Sec. 1.670(a).
(Comment 160) Some comments express concern that we will not have
the capacity to undertake the responsibility of directly accrediting
certification bodies.
(Response 160) Section 808(c)(8) of the FD&C Act requires FDA to
create a user fee program to section 808 of the FD&C Act. FDA is in the
process of establishing this program by rulemaking (80 FR 43987). For
more information about the costs of this program, please see the
regulatory analysis of this final rule.
(Comment 161) Some comments ask if we will have a contract
agreement with directly accredited certification bodies. These comments
assert that if we do, the contract should specify that we have the
capacity to access confidential information without prior written
consent of the certification body. The contract should also specify
that having access to records relating to accreditation activities
under this subpart is necessary to ensure the rigor, credibility, and
independence of the program.
(Response 161) Under Sec. 1.671(d), FDA will list any conditions
associated with the accreditation in the issuance and may establish an
agreement with the certification body at that time. With respect to
access to records, a third-party certification body that is directly
accredited by FDA must comply with the records maintenance and access
requirements of Sec. 1.658. Records obtained by FDA will be subject to
the disclosure requirements of Sec. 1.695.
B. How will FDA review my application for direct accreditation or
renewal of direct accreditation and what happens once FDA decides on my
application? (Sec. 1.671)
Proposed Sec. 1.671 describes a process for reviewing and deciding
on applications for direct accreditation and renewal that is consistent
with the procedures for reviewing and deciding on applications under
other provisions in this rule.
On our own initiative we are revising paragraph (a) to clarify that
FDA will review submitted applications for completeness and notify
applicants of any deficiencies. We also are adding new paragraphs (e)
through (h) to Sec. 1.671 to explain what happens when a directly
accredited certification body's renewal application is denied. We are
adding provisions to clarify what the applicant must do, the effect of
denial of an application for renewal of direct accreditation on food or
facility certifications issued to eligible entities, and how FDA will
notify the public.
(Comment 162) Some comments express concern that we are limiting
ourselves to a ``first in, first out'' review process that gives us no
discretion to accredit foreign governments before we consider other
applications from private third-party entities that apply.
Some comments ask that we consider prioritizing approval of
applications for direct accreditation on areas and regions where it is
most needed to benefit our food safety mandates.
Some comments assert that priority for review of applications for
direct accreditation should be for countries without an accreditation
body or in circumstances where it is not economically feasible for a
national accreditation body to expand its scope to include a certain
single certification body.
(Response 162) As indicated Response 25, we intend to treat public
and private certification bodies equally under this program, as both
public and private certification bodies are capable of meeting the
requirements of the program. Additionally, because we will only be
accepting applications for direct accreditation in limited
circumstances as discussed in Responses 158 and 159, all applications
for direct accreditation will need to be able to demonstrate that there
is a need for direct accreditation based on a determination made by FDA
under Sec. 1.670(a)(1). We note that we have revised Sec. 1.671(a) to
allow FDA to prioritize specific direct accreditation applications to
meet the needs of the program.
(Comment 163) Some comments assert that our application review
process must be comprehensive but also expedient. Some comments ask
that our communications with applicants be timely.
Some comments express concern about the length of time it will take
us to recognize and notify an applicant of any deficiencies in the
application. These comments also assert that requiring applicants with
deficiencies to resubmit their applications and sending it to the
bottom of the review list would make for significant delays in the
direct accreditation and renewal of direct accreditation application
process.
(Response 163) We understand the concern expressed by comments with
regard to timeliness. Although we decline to set specific deadlines for
this review, FDA anticipates that a completeness determination could
generally be made within 15 business days, because this is not a
decision on the merits of the application. Nonetheless, the time needed
to identify deficiencies in any particular individual application will
depend on a number of factors, including the quality of the submission,
the availability of resources, and other competing priorities at the
time the application is submitted. With respect to the concerns about
requiring incomplete applications to be resubmitted and added to the
bottom of the review list, we note that from our experience gained from
the third-party certification pilot for aquacultured shrimp, extensive
followup was needed with many of the applicants in order to gain
sufficient information for a complete application. With this in mind,
we are processing only complete applications so that we are not
delaying others that have correctly prepared complete applications.
Further, we are establishing an electronic portal for submission of
applications, reports, notifications, and other information under this
rule and an electronic repository of this information, which will allow
us to communicate with applicants as needed.
C. What is the duration of direct accreditation? (Sec. 1.672)
We proposed that direct accreditation of a third-party
certification body may be granted for a period up to 4 years. We
tentatively concluded that 4 years is an appropriate duration for an
accreditation because we believe the rigor and credibility of this
program rests, in part, on the oversight of accredited certification
bodies to conduct audits and to certify eligible foreign entities. We
requested comment on this tentative conclusion.
(Comment 164) Some comments ask that we establish a specific fixed
duration of 5 years for direct accreditation before renewal is
required. These comments also ask that the duration for recognition of
accreditation bodies and accreditation of third-party certifications
bodies also be fixed at 5 years and assert that having a standardized
accreditation term for all parties in the third-party program would be
more administratively viable for us.
(Response 164) For the reasons we explained in Response 145 we
decline to establish a fixed duration of accreditation and also decline
to establish a standard term of 5 years for
[[Page 74629]]
accreditation for all parties in the third-party program.
XII. Comments on Requirements for Eligible Entities Under This Subpart
A. How and when will FDA monitor eligible entities? (Sec. 1.680)
Proposed Sec. 1.680 would allow FDA to conduct onsite audits of
eligible entities that have received certification from an accredited
certification body at any time, with or without the accredited third-
party certification body present. It also proposed that a food safety
audit by an accredited certification body is not considered an
inspection under section 704 of the FD&C Act. For clarification
purposes at our own initiative, we are revising the second sentence of
Sec. 1.680(a) to add, ``[w]here FDA determines necessary or
appropriate,'' before ``the audit may be conducted with or without the
accredited certification body or the recognized accreditation body
(where applicable) present.''
(Comment 165) Some comments address the timing of FDA's audits of
eligible entities. Some comments encourage FDA to conduct audits of
eligible entities regularly, particularly in the first years of the
program, to ensure compliance with the program and to verify that
certification is appropriate. Some comments encourage FDA to conduct
random as well as targeted audits of eligible entities. For example,
the comments suggest that if FDA withdraws the accreditation of a
certification body, the Agency should conduct onsite audits of a sample
of the eligible entities to which the withdrawn certification body
issued certifications.
(Response 165) We agree that robust government oversight of the
third-party program will be vital to its success and periodic audits of
eligible entities will be conducted consistent with our risk-based
priorities and resources.
(Comment 166) Some comments discuss the substance of FDA's audits
of eligible entities. Some of these comments encourage FDA to ensure
that eligible entities implement corrective actions when deficiencies
are identified. Some comments recommend that company data on tests of
both products and the environment be made available to FDA auditors,
and argue that without access to such data, FDA auditors would not be
able to perform a thorough audit. Comments also maintain that, during
an audit, FDA should be able to access results of the eligible entity's
testing of both products and the environment.
(Response 166) We currently are developing internal operational
procedures for the third-party certification program and will make
these procedures public. As part of this process, we are developing
protocols for FDA audits of eligible entities.
(Comment 167) Some comments argue that unannounced audits of
eligible entities by FDA that have been certified by an accredited
third-party certification body would likely result in incomplete audits
and urge the agency to consider contacting the eligible entity to
schedule such audits. Comments state that scheduled audits would be
more efficient and less burdensome for both eligible entities and FDA
because eligible entities would have a better understanding of what is
needed during the audit and which employees should be present.
(Response 167) Section 808(c)(5)(C) of the FD&C Act directs FDA to
promulgate regulations requiring that ``audits performed under this
section be unannounced.'' Section 808(f)(3) of the FD&C Act allows FDA
to, at any time, conduct an onsite audit of any eligible entity
certified by an accredited third-party certification body to ensure
compliance with the requirements of section 808. Given this statutory
language, we are clarifying in Sec. 1.680 that an FDA audit conducted
under this section will be conducted on an unannounced basis and may be
preceded by a request for a 30-day operating schedule. We note that it
may not be appropriate at all times to precede audits for a 30-day
operating schedule, such as in the case of a for-cause audit.
(Comment 168) Some comments state that when FDA has questions about
eligible entities, it should notify the accreditation bodies and
certification bodies to conduct a joint audit.
(Response 168) It is unclear what the comment means by conducting a
joint audit, but Sec. 1.680 would allow for the certification body and
accreditation body to be present during the FDA audit when FDA
determines it is necessary and appropriate.
(Comment 169) Some comments argue that the monitoring of eligible
entities should be conducted by the competent authority of the
exporting country, particularly where a systems recognition agreement
is in place or where there is a robust national food control system in
place.
(Response 169) We intend to coordinate as appropriate with our
foreign regulatory counterparts; however, section 808(f)(3) of the FD&C
Act specifically directs FDA to conduct onsite audits of eligible
entities to ensure compliance with the requirements of section 808 of
the FD&C Act. We believe onsite audits of certified eligible entities
are an important component of the robust oversight essential to the
success of the third-party program. Without the ability to conduct
onsite audits of a certified eligible entity, FDA would not be able to
directly ascertain whether the certification body and/or its
accreditation body are in fact making accurate determinations of
compliance with FDA requirements. Such oversight is necessary to
maintain confidence in the certifications issued by accredited
certification bodies under this program.
(Comment 170) Some comments ask FDA to clarify why an onsite audit
of an eligible entity is not considered an inspection under section 704
of the FD&C Act, particularly since the purpose of the audit is to
determine if the entity is in compliance with the FD&C Act and since an
FDA inspection may be used to meet the verification requirements under
the proposed FSVP regulation. Other comments endorse FDA's decision not
to consider a food safety audit under this program an inspection under
section 704 of the FD&C Act.
(Response 170) Section 808(h)(1) of the FD&C Act explicitly states
that audits under the third-party certification program ``shall not''
be considered inspections under section 704. The inspections done under
section 704 of the FD&C Act, unlike audits conducted under section
808(f)(3), are not conducted for the purpose of ensuring compliance
with section 808 of the FD&C Act. The objective of an audit under Sec.
1.680(a) extends beyond the eligible entity--through its audit of the
eligible entity FDA is gathering information to use in its monitoring
of the accredited certification body that audited the entity and the
recognized accreditation body that accredited certification body that
audited the eligible entity. We note that an audit under section
808(f)(3) is not a ``food safety audit'' under this subpart. As noted
previously, the audits conducted under section 808(f)(3) are done
specifically to ensure compliance with section 808 of the FD&C Act. As
discussed in section III.C., we are clarifying that an audit conducted
under this subpart is not an inspection under section 704 under the
FD&C Act. Accordingly, we are removing Sec. 1.680(b).
B. How frequently must eligible entities be recertified? (Sec. 1.681)
Proposed Sec. 1.681 stated that an eligible entity seeking to
maintain its facility certification must seek recertification prior to
expiration of its certification. It also proposed that under
[[Page 74630]]
section 801(q)(4)(A) of the FD&C Act, FDA could require, at any time we
deem appropriate, that an eligible entity renew a food certification.
We received no comments on this proposed section. However, to
clarify certain matters, we are amending this section on our own
initiative. We are adding to first sentence the words, ``food or''
before ``facility certification'' because the maximum duration of
certifications under section 808(d) of the FD&C Act applies to both
food and facility certifications. Additionally, we are revising this
section to state that FDA can require an eligible entity to apply for
recertification of both food and facility certifications at any time
that FDA deems appropriate.
XIII. Comments on General Requirements of This Subpart
A. How will FDA make information about recognized accreditation bodies
and accredited third-party certification bodies available to the
public? (Sec. 1.690)
We proposed to post on our Web site a registry of recognized
accreditation bodies and of accredited third-party certification
bodies, including the name and contact information for each. The
registry may provide information on certification bodies accredited by
recognized accreditation bodies through links to the Web sites of such
accreditation bodies. We requested comment on our proposed public
registry.
(Comment 171) Some comments support our proposal to place a
registry of recognized accreditation bodies and accredited
certification bodies on our Web site and to provide links to the Web
sites of recognized accreditation bodies. Some comments assert that
such a web-based resource where members of the industry and public
could access standards associated with accreditation/certification and
a list of accreditation and certification bodies is a meaningful
demonstration of FDA oversight. Some comments ask that this list be
updated regularly so that it stays accurate. These comments also ask
that we provide appropriate indexing and filtering functions so that
the registry is easily searchable and stakeholders can conveniently and
reliably find and use this information.
(Response 171) FDA agrees that the online registry will be a
valuable tool. We intend for it to be updated regularly. We also intend
for it to have indexing and filtering functions which will make
searches more efficient and productive.
(Comment 172) Some comments ask that we not include the name(s) of
audit agent(s) on our Web site or otherwise publicly disclose such
information could disrupt the marketplace for third-party certification
services
Some comments assert that access to detailed, specific, and
sensitive information is not necessary to gain credibility with
consumers. These comments refer us to industry models that provide
detailed information on the requirements of their program and posts a
list of members in good standing along with a list of companies who
have been decertified is an example of credible, balanced information
that is actionable by consumers (i.e., California Leafy Green Products
Handler Marketing Agreement).
(Response 172) To clarify, we do not intend to disclose the names
of audit agents on our Web site. We will be providing the business name
and business contact information for each recognized accreditation
body. The business name and business contact information for each
accredited third-party certification body may be listed on our Web site
or may be provided by link to Web sites of their accreditation bodies.
The Web site will contain program information as well and may be
similar to the industry models recommended by some comments.
(Comment 173) Some comments seek maximum transparency, asserting
that we must also post on our Web site the audit reports, self-
assessments, and notifications prepared by the third-party
certification bodies and submitted to FDA. The comments contend that
making this information public would increase program transparency and
help to ensure that imported products do not receive an unfair
competitive advantage over products available domestically.
Other comments suggest that we allow accreditation bodies and
third-party certification bodies to submit redacted versions of these
documents, where confidential information is blacked out, so that these
documents can also be made publicly available without compromising
confidential information. These comments assert that making public
these reports, self-assessments, and notifications would improve self-
assessments, reduce the Agency's burden of responding to FOIA requests,
and allow independent analysis to complement the Agency's evaluation.
Thus, comments ask us to specify in Sec. 1.690 that we will also place
on our Web site the reports and notifications submitted pursuant to
Sec. Sec. 1.623 and 1.656 and that we will allow a recognized
accreditation body and accredited auditors/certification body to submit
a redacted version of the report or notification that is intended to be
made publicly available.
(Response 173) Generally, we do not intend to post redacted
versions of reports on our Web site. Information submitted to the
Agency, including reports and notifications submitted pursuant to
Sec. Sec. 1.623 and 1.656, becomes an Agency record. We have added a
new Sec. 1.695 to the final rule to clarify that records under this
subpart are subject to part 20; part 20 provides protections for trade
secrets and confidential commercial information (CCI) from public
disclosure (see, e.g., Sec. 20.61).
(Comment 173) Some comments ask us to take action to ensure that
third-party certification bodies act with maximum transparency and to
ensure adequate protections against conflicts of interest. Some
comments ask that we post on our Web site information concerning the
scope of the recognized accreditation body recognition and accredited
certification body accreditation, duration of accreditation, payments
made to those accreditation bodies and certification bodies, and
whether accreditation has been withdrawn or suspended. Some comments
assert that requiring recognized accreditation bodies and accredited
certification bodies to make this information available on their own
Web sites does not ensure that all potential conflicts of interest will
be identified, and suggest that we require that this information be
submitted directly to us as well.
(Response 174) FDA agrees that it would be helpful to include on
our Web site information concerning the scope of accreditation services
that each recognized accreditation body is recognized for, and the
scope of accreditation for each accredited certification body is
accredited for. We also agree it would be useful and increase
transparency to include the duration of recognition for each
accreditation body, and the duration of accreditation for each
certification body. Scope and duration information will make the site
more practically useful and will increase transparency. Therefore, we
intend to include this information on our Web site and we are revising
Sec. 1.690 to reflect this. In addition, we are revising this section
to state that FDA will post on its Web site a list of accreditation
bodies for which it has denied renewal of recognition, for which FDA
has revoked recognition, and that have relinquished their recognition
or have allowed their recognition to expire. Further, FDA will place on
its Web site a list of certification bodies whose renewal of
accreditation has been denied, for which FDA has withdrawn
accreditation, and that have
[[Page 74631]]
relinquished their accreditations or have allowed their accreditations
to expire. Finally, FDA will place on its Web site determinations under
Sec. 1.670(a)(1) and modifications of such determinations under Sec.
1.670(a)(2). This additional information will help ensure maximum
transparency under the program.
With regard to information on dates of payment, we have determined
there is little additional value to posting such information on the FDA
Web site, and it would create an additional administrative burden; we
do not believe the value exceeds the burden. In our view, conflict of
interest and transparency concerns are sufficiently satisfied by making
information on dates of payment publicly available online via the Web
sites of recognized accreditation bodies (see Sec. 1.624(c)) and
accredited certification bodies (see Sec. 1.657(d)).
(Comment 175) Some comments request clarification concerning
whether and what information we collect pursuant to this program will
be made available to importers and the public. Some comments question
the extent and format of the audit data that will be shared, and what
might be held confidential. These comments assert that businesses have
a need to protect proprietary information (e.g., sales lists, supplier
lists, equipment designs and specific information about product
attributes), and any sharing of such information might compromise their
ability to carry out business functions or to maintain competitive
advantage. Some comments inquire about the extent and formats of audit
data we intend to make public, what might be held confidential, and
whether we will take steps to protect information provided by
certification bodies from FOIA requests.
Some comments express concern about our ability to develop and
maintain a dynamic system that will be able to collect, update, and
present audit data to consumers, and assert that it is important for
industry to gain a better understanding of what type of audit data we
will require.
Some comments suggest that we look to USDA's Food Safety and
Inspection Service (FSIS) Public Health Information System for insight
into how to develop a database system that seeks to define the boundary
between increasing public access to data and addressing confidentiality
concerns by companies. Some comments note that the FSIS program is the
result of several years of effort to establish a mechanism for public
access to data that can lead to research and analysis that improves
public health while protecting the proprietary rights of the
establishments.
(Response 175) As discussed previously, newly added Sec. 1.695
clarifies that records under this subpart are subject to part 20; part
20 provides protections for trade secrets and confidential commercial
information from public disclosure (see, e.g., Sec. 20.61).
FDA will provide periodic updates on program activities through our
Web site, and our disclosures will be consistent with our statutory
obligations to protect trade secrets and CCI from disclosure. With
regard to the expressed concern about FDA's ability to develop and
maintain an adequate data system to collect, update, and present audit
data to consumers, we are aware of the size and importance of this
undertaking and are diligently pursuing an effective system. We
appreciate the suggestion to review the FSIS database system and intend
to do so.
(Comment 176) Some comments encourage us to develop communication
strategies to help consumers view the data in audit reports within the
context of food production; specifically, to set proper program
expectations and to provide proper context for consumers to understand
what the data means. These comments assert that it is important to
provide a frame of reference so that consumers have a basis for
understanding what the audit data means and can then proceed to make
informed decisions. The comments note that audits and certifications
are not declarations or guarantees that products are safe, and that FDA
and the industry need to feature this reality in communications
strategies aimed to assist consumer groups and consumers in using any
audit data that might be available for review.
(Response 176) As noted above, we do intend to share updates on
program activities with the public; we will work to properly
contextualize the data in our communications about and presentation of
the information. As noted in Response 173, FDA does not generally
intend to make audit reports public.
(Comment 177) Some comments assert that we must clearly describe
how compliance with the program will be reported to the public.
(Response 177) As noted above, we intend to provide periodic
updates on program activities through our Web site. Where appropriate,
these updates may include aggregated program data. Additional
information about program updates will be shared as we implement this
program. Further, as noted in response to Comment 86, FDA will post
information on its Web site regarding accreditation bodies that have
had their recognition revoked, accreditation bodies for which FDA fails
to renew recognition, certification bodies that have had their
accreditation withdrawn, and certification bodies whose renewal of
accreditation has been denied.
B. How do I request reconsideration of a denial by FDA of an
application or a waiver request? (Sec. 1.691)
We proposed procedures for accreditation bodies and certification
bodies to seek reconsideration of a denial of an application or a
waiver request. We also proposed that after completing our review and
evaluation of the request for reconsideration, we will notify the
requestor, in writing, of our decision to grant or deny the application
or waiver request upon reconsideration.
On our own initiative, we are revising Sec. 1.691(c) to specify
that a request for reconsideration or a waiver request must be
submitted electronically. We are making corresponding changes to Sec.
1.692(b).
(Comment 178) Some comments suggest that we provide an opportunity
for interested stakeholders, in addition to the accreditation body or
third-party certification body seeking reconsideration, to provide
information to us that will inform our decisionmaking on any
reconsideration request.
(Response 178) We decline to adopt comments' suggestion to allow
for others beyond the accreditation body or third-party certification
body seeking reconsideration to engage in this process. Our
reconsideration of a denial is not a public process nor do we wish to
make it one. Applications often contain confidential information not
appropriate for public comment. We note that information shared with
FDA is subject to the information disclosure regulations in part 20, as
stated in Sec. 1.695.
(Comment 179) Some comments ask us to specify that we will notify
the requestor of our decision within 20 business days after receiving a
request for reconsideration. These comments assert that the open-ended
timeframe for our review of reconsideration request may place an undue
burden on the party seeking reconsideration.
(Response 179) FDA agrees that a request for reconsideration should
be reviewed in a timely fashion. FDA would anticipate that this review
will generally be made within 30 business days. However, given the
conflicting demands on Agency resources at various times, the Agency
declines to add this time restriction to Sec. 1.691.
[[Page 74632]]
C. How do I request internal agency review of a denial of an
application or waiver request upon reconsideration? (Sec. 1.692)
We proposed that the requestor who received a denial upon
reconsideration under Sec. 1.691 may seek internal Agency review of
such denial under 21 CFR 10.75(c)(1).
(Comment 180) Some comments suggest that we provide an opportunity
for interested stakeholders to provide information to us that will
inform our decisionmaking on any such reconsideration request.
(Response 180) As with the parallel suggestion in the context of a
request for reconsideration, we decline to adopt comments' suggestion.
The Agency's review of a denial is not a public process nor do we wish
to make it one. As noted previously, applications often contain
confidential information not appropriate for public comment. We note
that information shared with FDA is subject to the information
disclosure regulations in part 20, as stated in Sec. 1.695.
D. How do I request a regulatory hearing on a revocation of a
recognition or withdrawal of accreditation? (Sec. 1.693)
We proposed procedures that would be used for challenges to
revocation of recognition or withdrawal of accreditation.
On our own initiative, we revised Sec. 1.693(f) to include the
standard for denial of a request for a regulatory hearing under 21 CFR
16.26(a).
(Comment 181) Some comments suggest that we provide an opportunity
for interested stakeholders, in addition to the accreditation body or
third-party certification body seeking a regulatory hearing, to provide
information to us that will inform our decisionmaking during a
regulatory hearing.
(Response 181) Again, we decline to adopt comments' suggestion to
allow for others beyond the accreditation body or third-party
certification body seeking to challenge an FDA decision to engage in
this process. For purposes of this final rule, we are not making the
regulatory hearing a public process because issues pertaining to
revocation and withdrawal generally contain confidential or sensitive
information. We note that information shared with FDA is subject to the
information disclosure regulations in part 20, as stated in Sec.
1.695. We are amending proposed Sec. 1.693(g)(3), redesignated as
Sec. 1.693(g)(2), to state that Sec. 16.60(a) (public process) is
inapplicable to hearings under this rule.
E. Are electronic records created under this subpart subject to the
electronic records requirements of part 11? (Sec. 1.694)
We did not specify requirements for the retention of electronic
records in the proposed rule. However, as discussed in relation to
Sec. 1.625, we received several comments regarding the potential
application of the requirements for electronic records in part 11 to
records under this subpart; several comments ask that we not apply the
part 11 requirements here.
We agree that it would be unnecessarily burdensome to require that
records under the third-party program comply with the requirements in
part 11. Therefore, we are adding Sec. 1.694 to the final rule which
states that records that are established or maintained to satisfy the
requirements of this subpart and that meet the definition of electronic
records in Sec. 11.3(b)(6) are exempt from the requirements of part
11. We further specify that records that satisfy the requirements of
this subpart, but those that also are required under other applicable
statutory provisions or regulations, remain subject to part 11 to the
extent that they are not separately exempted. Consistent with these
provisions, we are making a conforming change in part 11 to specify in
Sec. 11.1(m) that part 11 does not apply to records that meet the
definition of electronic records in Sec. 11.3(b)(6) required to be
established or maintained under this subpart, and that records that
satisfy the requirements of this subpart, but that also are required
under other statutory provisions or regulations, remain subject to part
11 to the extent that they are not separately exempted.
F. Are the records required by this subpart subject to public
disclosure? (Sec. 1.695)
In the proposed rule, we did not specify requirements regarding the
public disclosure of records created and retained under this subpart.
However, as discussed previously in the preamble, several comments
express concerns about whether notifications, records, and reports
required by this rule would be protected from public disclosure. The
comments state that notifications, records, and reports will often
contain commercially sensitive information. Some comments ask that the
regulations specify that such information under this program have the
same level of protection from public disclosure under FOIA as juice and
seafood HACCP records.
Information submitted to the Agency, including reports and
notifications submitted pursuant to Sec. Sec. 1.623 and 1.656, becomes
an Agency record. We note we have added a new Sec. 1.695 to the final
rule to clarify that records under this subpart are subject to part 20;
part 20 provides protections for trade secrets and CCI from public
disclosure (see, e.g., Sec. 20.61).
G. May importers use reports of regulatory audits by accredited
certification bodies for purposes of subpart L of this part? (Sec.
1.698)
We proposed that an importer as defined in Sec. 1.500 of this part
may use a regulatory audit of an eligible entity, documented in a
regulatory audit report, in meeting the requirements for an onsite
audit of a foreign supplier under subpart L of this part.
(Comment 182) Some comments agree with FDA's proposal to allow
importers to use regulatory audit reports of foreign suppliers,
conducted for VQIP or import certification purposes, in meeting the
verification requirements under the proposed FSVP program. These
comments state that the use of regulatory audits by accredited third-
party certification bodies should not be required under FSVP. The
comments assert that importers should be free to choose how best to
meet the verification requirements. Some comments misunderstood
proposed Sec. 1.698 to require the use of accredited third-party
certification bodies for FSVP purposes.
(Response 182) To clarify that the use of an accredited third-party
certification body for FSVP purposes is not required by this rule, we
are removing this provision. This rule establishes the framework and
procedures for participation in the accredited third-party
certification program for purposes of sections 808 of the FD&C Act and
does not create substantive requirements for the FSVP program. However,
regulatory audits may be used to meet supplier verification
requirements under FDA's final preventive controls regulations and FSVP
regulations if they comport with those requirements.
XIV. Editorial and Conforming Changes
The revised regulatory text includes several changes that we have
made to clarify requirements and to improve readability. The revised
regulatory text also includes several conforming changes that we have
made when a change to one provision affects other provisions. We
summarize the principal editorial and conforming changes in table 5. We
also made very minor editorial corrections, such as inserting a
[[Page 74633]]
missing end parenthesis symbol; those changes are not included in this
chart.
Table 5--Principal Editorial and Conforming Changes
----------------------------------------------------------------------------------------------------------------
Designation in the revised regulatory
text (section) Revision Explanation
----------------------------------------------------------------------------------------------------------------
Throughout part 1, subpart M............ Where applicable, substituted the term Conforming change.
``assessment'', or its derivations, for
the terms ``audit'' or ``review'', or
their derivations, when describing an FDA
evaluation of an accreditation body and
when describing an evaluation of a third-
party certification body performed by a
recognized accreditation body or by FDA.
Throughout part 1, subpart M............ Where applicable, substituted Conforming change.
``evaluate'', or its derivations, for
``assess'' or ``determine'', or their
derivations, when describing the nature
of activities involved in an
``assessment'' (as defined in this rule)
of an accreditation body or a third-party
certification body.
Throughout part 1, subpart M............ Where applicable, substituted ``examine'', Conforming change.
or its derivations, for ``audit'',
``assess'', ``determine'', or
``evaluate'', or their derivations, when
describing the nature of activities
involved in an ``audit,'' as defined in
this rule, of an eligible entity.
Throughout part 1, subpart M............ Where applicable, revised to refer to Improve clarity.
``audit agent'' rather than ``agent''
when describing individuals who conduct
audits for accredited third-party
certification bodies. Use ``agent(s) used
to conduct audits'' rather than, ``audit
agent(s)'' when referring to individuals
who conduct audits for a third-party
certification body prior to its
accreditation under this program.
Throughout part 1, subpart M............ Revised to refer to ``competency'' rather Improve clarity.
than ``competence''.
Throughout part 1, subpart M............ Where appropriate, revised to refer to Improve clarity.
``recognized accreditation bodies''
rather than ``accreditation bodies''.
Throughout part 1, subpart M............ Where appropriate, revised to refer to Improve clarity.
``accredited third-party certification
bodies'' rather than ``third-party
certification bodies''.
Throughout part 1, subpart M............ Where appropriate, rephrased ``[i]f FDA Improve clarity.
has reason to believe that a food
certification issued for purposes of
section 801(q) of the FD&C Act is not
valid or reliable, FDA may refuse to
consider the certification in determining
the admissibility of the article of food
for which the certification was
offered.''
Throughout part 1, subpart M............ Replaced ``personnel'' with ``employees''. Improve clarity.
Sec. 1.600(c)......................... Deleted ``, including the model Conforming change.
accreditation standards'' from the
definition of ``accreditation''.
Sec. 1.600(c)......................... Revised the definition of ``accredited Improve clarity.
third party certification body'' to
replace ``is authorized'' with ``is
accredited''.
Sec. 1.600(c)......................... Revised the definition of ``eligible Improve clarity.
entity'' to replace ``subject to the
registration requirements of'' with
``required to be registered under''.
Sec. 1.600(c)......................... Revised the definition of ``facility Improve clarity.
certification'' to replace ``establish
that a facility meets'' with ``establish
whether a facility complies with''.
Sec. 1.600(c)......................... Revised the definition of ``food Improve clarity.
certification'' to replace ``establish
that a food meets'' with ``establish
whether a food of an eligible entity
complies with''.
Sec. 1.600(c)......................... Revised the definition of Improve clarity.
``relinquishment'' to state that
relinquishment occurs prior to the
expiration of recognition or
accreditation for accreditation bodies
and certification bodies, respectively.
Sec. 1.601(a)......................... Changed ``for conducting food safety Improve clarity.
audits and for issuing food and facility
certifications to eligible entities'' to
``to conduct food safety audits and to
issue food and facility certifications''.
Sec. 1.601(b)(2)...................... Changed ``Issuing food and facility Improve clarity.
certifications'' to ``Issuing
certifications''.
Changed ``or in meeting the eligibility
requirements'' to ``or issuing a facility
certification for meeting the eligibility
requirements''.
Sec. 1.601(c)......................... Replaced ``except as provided in paragraph Correction.
(d) of this section'' with ``under this
subpart''.
Sec. 1.601(d)......................... Redesignated paragraphs (1), (1)(i), Editorial change.
(1)(ii), (2), (2)(i), and (2)(ii) as
paragraphs (1)(i), (1)(i)(A), (1)(i)(B),
(1)(ii), (1)(ii)(A), and (1)(ii)(B).
Sec. 1.601(d)(1)(i)................... Changed ``[t]he certification of food Conforming change.
under section 801(q)'' to ``[a]ny
certification required under section
801(q)''.
Sec. 1.601(d)(1)(ii).................. Changed ``[c]ertification of food under Conforming change.
section 801(q)'' to ``Any certification
required under section 801(q)''.
Sec. 1.601(d)(1)(ii).................. Changed ``food other than alcoholic Improve clarity.
beverages that is from a facility'' to
``food that is not an alcoholic beverage
that is received and distributed by a
facility''.
Sec. 1.610............................ Section heading changed from ``[w]ho is Improve clarity.
eligible for recognition,'' to ``[w]ho is
eligible to seek recognition;''
Text changed from ``eligible for
recognition'' to ``eligible to seek
recognition.''.
[[Page 74634]]
Sec. 1.611(a)......................... Changed ``through'' to ``as a legal entity Improve clarity.
with''.
Removed ``such'' from between ``perform''
and ``assessments.''.
Changed ``its capability to audit'' to
``its capability to conduct audits.''.
Sec. 1.611(a)(2)...................... Replaced ``personnel and other agents,'' Conforming change.
with ``its agents, (or the third-party
certification body in the case of a third-
party certification body that is an
individual, such individual)''.
Sec. Sec. 1.611(b), 1.612(b), In sentences referencing requirements for Improve clarity.
1.613(b), 1.614(b), 1.615(b), recognized accreditation bodies or
1.623(d)(2), 1.630(b), 1.631(b), accredited third-party certification
1.641(b), 1.642(b), and 1.645(b). bodies, replaced specific references to
other sections of this rule with ``the
applicable [* * *] requirements of this
subpart''.
Sec. 1.612(b)......................... Changed ``capability to meet the* * *'' to Clarify that only the
``capability to meet the applicable''. applicable assessment and
monitoring requirements
apply.
Sec. 1.615(a)......................... Added ``pertaining to this subpart'' Improve clarity.
between ``legal obligations'' and ``and
to provide''.
Sec. 1.615(b)......................... Replaced ``[i]s capable of meeting,'' with Editorial change.
``The capability to meet''.
Sec. 1.620(a)(2)...................... Removed ``that aggregates the products of Conforming change.
growers or processor [sic],'' after
``foreign cooperative''.
Sec. 1.620(d)......................... Replaced ``including,'' with, ``and Editorial change.
include''.
Sec. 1.621............................ Last word of section heading changed from Editorial change.
``accredits'' to ``accredited''.
Sec. 1.621(a)......................... At the end of the previously undesignated Improve clarity.
paragraph which is now paragraph (a),
moved ``recognized accreditation body . .
. with this subpart''.
Sec. 1.622(a)......................... Added ``compliance with this subpart, Improve clarity.
including'' at the end of the opening
phrase.
Sec. 1.622(a)(1)...................... Replaced ``or other agents in activities To clarify that the
under this subpart and the degree of relevant activities under
consistency among such performances,'' this subpart are
with ``or other agents involved in accreditation activities.
accreditation activities and the degree
of consistency in conducting
accreditation activities''.
Sec. 1.622(a)(2)...................... Added ``involved in accreditation Conforming change.
activities,'' between ``other agents,''
and ``with the conflict of interest
requirements''.
Sec. 1.622(c)(1)...................... Changed ``area(s) needing improvement,'' Improve clarity.
to ``area(s) where deficiencies exist''.
Sec. 1.622(c)(2)...................... Changed ``implement effective correction Improve clarity.
action(s) to address those area(s)'' to
``implement corrective action(s) that
effectively address those deficiencies''.
Sec. 1.622(c)(3)...................... Inserted ``any'' between ``records of,'' Improve clarity.
and ``such corrective action(s)''.
Sec. 1.622(d)......................... Changed ``includes:'' to ``includes the Conforming change.
following elements.''.
Sec. 1.622(d)(2)...................... Added ``involved in accreditation Conforming change.
activities,'' between, ``other agents,''
and ``complied with the conflict of
interest requirements''.
Sec. 1.623(b)......................... Created subparagraphs by inserting, Improve clarity.
``(i)'' before ``a report of the results
of an annual self-assessment'' and
``(ii)'' before ``for a recognized
accreditation body subject to Sec.
1.664(g)((1);''
Removed ``must submit'' from between
``Sec. 1.664(g)(1),'' and ``a report of
such self-assessment;''.
Changed ``to FDA within 2 months'' to ``to
FDA within 60 days of the third party
certification body's withdrawal.''.
Sec. 1.623(c)(1)...................... Added ``(including expanding the scope Improve clarity.
of),'' between ``[g]ranting,'' and
``accreditation''.
Sec. 1.623(d)(1)(iv).................. Added ``scope and,'' between ``the'' and Improve clarity.
``basis for such denial''.
Sec. 1.624(a)......................... Changed from ``other agents)'' to ``other Conforming change.
agents involved in accreditation
activities)''.
Sec. 1.624(b) redesignated as Sec. Rephrased ``[t]he financial interests of Improve clarity.
1.624(c). the spouses and children younger than 18
years of age of officers, personnel, and
other agents of a recognized
accreditation body will be considered the
financial interests of such officers,
personnel, and other agents of the
accreditation body''.
Sec. 1.624(d)......................... Changed ``and date(s) on each the Editorial change.
accredited'' to ``and the date(s) on
which the accredited''.
Sec. 1.625 title and paragraphs (a), Changed from ``A recognized accreditation To clarify that the duties
(b), and (c). body,'' to ``An accreditation body that with respect to records
has been recognized''. as required under this
subpart adhere to any
accreditation body that
has been recognized,
including accreditation
bodies that are no longer
recognized.
Sec. 1.625(a)(2)...................... Added ``expand or'' after ``withdraw, or'' Improve clarity.
Sec. 1.630(c)......................... Changed from ``needed by FDA to process Improve clarity.
the application'' to ``needed by FDA
during processing of the application''.
[[Page 74635]]
Sec. 1.630(d)......................... Changed from ``signed by the applicant or Improve clarity.
by any individual authorized'' to
``signed by an individual authorized''.
Sec. 1.631 heading.................... Changed heading from ``How will FDA review Improve clarity.
applications for recognition and renewal
of recognition?'' to ``How will FDA
review my application for recognition or
renewal of recognition and what happens
once FDA decides on my application?''
Sec. 1.631(a)......................... Added ``an accreditation body's'' after Improve clarity.
FDA will review, deleted ``a''.
Sec. 1.631(b)......................... Inserted ``regarding'' before ``whether Editorial change.
the application has been approved or
denied.''
Sec. 1.631(c)......................... Changed to state that the FDA will notify Improve clarity.
an applicant that its recognition or
renewal application has been approved
through issuance of recognition that will
list any limitations associated with the
recognition.
Sec. 1.631(d)......................... Changed to state that the FDA will notify Improve clarity.
an applicant that its recognition or
renewal application has been denied
through issuance of a denial of
recognition that will state the basis for
such denial and provide the procedures
for requesting reconsideration of the
application under Sec. 1.691.
Sec. 1.632............................ Added ``from the date of recognition'' to Improve clarity.
the end of the sentence.
Sec. 1.633(a)......................... Removed ``periodically''.................. Improve clarity.
Sec. 1.633(a)......................... Rephrased ``date of accreditation for a 5- Improve clarity.
year term of recognition, or by no later
than mid-term point for recognition
granted for less than 5 years.''
Sec. 1.633(b)......................... Rephrased ``These may be conducted at any Improve clarity.
time, with or without the accreditation
body or auditor/certification body
present''.
Sec. 1.634(a)......................... Inserted ``found not to be in compliance Improve clarity.
with the requirements of this subpart,
including'' after ``of an accreditation
body''.
Sec. 1.634(a)(2)(ii).................. Changed ``problem with the accreditation Improve clarity.
body'' to ``deficiency''.
Sec. 1.634(a)(2)(iii)................. Inserted ``to do so'' after ``[d]irected'' Improve clarity.
Sec. 1.634(c)(1)...................... Changed ``Upon revocation, FDA will notify Improve clarity.
that accreditation body, electronically,
in English, stating * * *''.
Sec. 1.634(d)(1)...................... Removed ``electronically and in English''. Improve clarity.
Sec. 1.634(d)(1)(i)................... Rephrased from ``[n]o later than 2 months Improve clarity.
after the revocation'' to ``[n]o later
than 60 days after the date of issuance
of the revocation''.
Sec. 1.634(d)(1)(ii).................. Added ``or the original date of the Improve clarity.
expiration of the accreditation,
whichever comes first'' after
``revocation''.
Changed from ``a recognized'' to,
``another recognized''.
Sec. 1.634(d)(2)...................... Added ``(c)'' after ``1.664''............. Improve clarity.
Sec. 1.635 heading.................... Changed heading from ``How do I Improve clarity.
voluntarily relinquish recognition?'' to
``What if I want to voluntarily
relinquish recognition or do not want to
renew recognition?''
Sec. 1.636(a)......................... Removed ``or may be required to submit Improve clarity.
such application after a determination in
a regulatory hearing under Sec. 1.693''.
Sec. 1.640 heading.................... Changed heading from, ``Who is eligible Improve clarity.
for accreditation?'' to, ``Who is
eligible to seek accreditation?''
Sec. 1.641(a)......................... Changed ``or through contractual rights'' Conforming change.
to ``or as a legal entity with
contractual rights'' and added ``and
conformance with applicable'' before
``industry standards and practices''.
Sec. 1.642(a)(1)...................... Changed ``industry standards and practices Improve clarity.
and to issue'' to ``conformance with
applicable industry standards and
practices and issuance of''.
Sec. 1.641(a)(2)...................... Changed ``of the eligible entity'' to ``of Conforming change.
an eligible entity''.
Removed ``such as witnessing the
performance of a statistically
significant number of personnel and other
agents conducting audits of food
facilities.''.
Sec. 1.643(a)......................... Replaced ``certification body (and its Improve clarity.
officers, personnel, and other agents)
and eligible entities (and their owners
and operators) seeking assessment and
certification from,''
Sec. 1.644(a)(1)...................... Rephrased ``[i]dentify areas in its Improve clarity.
auditing and certification program or
performance that need improvement'' to
``[i]dentify deficiencies in its auditing
and certification program or
performance''.
Sec. 1.644(a)(2)...................... Rephrased from ``Quickly execute Improve clarity.
corrective actions when problems are
found'' to ``[q]uickly execute corrective
actions that effectively address any
identified deficiencies''.
Sec. 1.650 heading.................... Changed heading from ``How must an Improve clarity.
accredited auditor/third-party
certification body ensure its audit
agents are competent and objective'', to
``How must an accredited third-party
certification body ensure competency and
objectivity?''
[[Page 74636]]
Sec. 1.650(a)(3)...................... Changed from ``[p]articipates in annual Improve clarity.
food safety under the accredited
auditor's/certification body's training
plan,'' to ``[c]ompletes annual food
safety training that is relevant to
activities conducted under this subpart''.
Throughout Sec. Sec. 1.651 and 1.652. Where appropriate, added ``eligible'' Improve clarity.
before ``entity'' and ``food safety''
before ``audit''.
Sec. 1.651(a)(1)(i)................... Inserted ``subject to the requirements of Improve clarity.
this subpart'' after ``be conducted as a
consultative or regulatory audit''.
Sec. 1.651(b)(1)...................... Changed from ``[c]onduct an unannounced Conforming change.
audit to verify whether the activities
and results'' to ``[c]onduct an
unannounced audit to determine whether
the facility, process(es), and food''.
Sec. 1.651(b)(2)...................... Removed ``and, where appropriate, to issue Improve clarity.
food and facility certifications'' from
end of phrase.
Sec. 1.651(b)(5)...................... Inserted ``audits conducted under this Improve clarity.
subpart as follows'' after ``[p]repare
reports of''.
Sec. 1.651(b)(5)(i) (previously Sec. Inserted ``For'' before ``consultative Improve clarity.
1.651(b)(5)). audits,''.
Inserted ``maintain such records, subject
to FDA access in accordance with section
414 of the FD&C Act.''.
Sec. 1.651(b)(5)...................... Created (i) and (ii) to more easily Improve clarity.
distinguish between the different
requirements for consultative and
regulatory audits.
Sec. 1.651(b)(6)...................... Inserted ``under this subpart'' after Improve clarity.
``food safety audit''.
Sec. 1.651(c)(2)...................... Changed ``to establish compliance with the Improve clarity.
FD&C Act'' to ``to determine compliance
with the applicable food safety
requirements of the FD&C Act and FDA
regulations, and, for consultative
audits, also includes conformance with
applicable industry standards and
practices''.
Sec. 1.651(c)(3)...................... Rephrased ``entity would be likely to Improve clarity.
remain in compliance with the applicable
requirements of the FD&C Act for at least
12 months following the audit, provided
that the facility and its process(es) are
properly maintained and implemented.''
Sec. 1.651(c)(4)...................... Removed ``assessment'' and added ``other Improve clarity.
data and information from the
examination, including information on''.
Removed ``of the accredited auditor/
certification body.''.
Throughout Sec. Sec. 1.652, 1.653.... Where appropriate, inserted, Improve clarity.
``regulatory'' before, ``audit''.
Sec. 1.652(a)......................... Reformatted requirements in Sec. Editorial change.
1.652(a)(1) through (6) to more closely
align with formatting of Sec.
1.652(b)(1) through (6);.
Inserted ``subject to FDA access in Improve clarity.
accordance with the requirements of
section 414 of the FD&C Act.''
Sec. 1.652(b)(1)...................... Replaced ``audited facility'' with ``site Improve clarity.
or location where the regulatory audit
was conducted''.
Sec. 1.652(b)(6)(i) and (ii).......... Inserted ``to humans or animals'' after Improve clarity.
``serious adverse health consequences or
death''.
Sec. 1.652(b)(8)...................... Rephrased from ``is used in the facility'' Improve clarity.
to ``is performed in or used by the
facility''.
Sec. 1.653 heading.................... Changed heading from ``What must Improve clarity.
accredited auditor/certification body do
when issuing food or facility
certifications?'' to ``What must an
accredited third-party certification body
do when issuing food or facility
certifications?''
Sec. 1.653(a)(1)...................... Changed ``(or an audit agent'' to ``(or, Improve clarity.
where applicable, an audit agent''.
Changed ``to establish compliance'' to
``to determine compliance.''.
Sec. 1.653(a)(2)...................... Changed ``an observation'' to ``a Improve clarity.
deficiency''.
Sec. 1.654 heading.................... Rephrased language in heading from Improve clarity.
``eligible entity with a food or facility
certification'' to ``eligible entity that
it has issued a food or facility
certification''.
Sec. 1.654............................ Added ``with such requirements'' after Improve clarity.
``compliance''.
Changed ``if it determines the eligible
entity is no longer'' to ``if it
withdraws or suspends a food or facility
certification because it determines that
the entity is no longer.''.
Sec. 1.655(a)......................... Changed ``must annually, and as required Improve clarity.
under Sec. 1.631(f)(1)(i) or upon FDA
request made for cause, conduct a self-
assessment that includes evaluation of:''
Sec. Sec. 1.655(a)(1), 1.655(a)(2), Added ``involved in auditing and Improve clarity.
1.655(a)(3), 1.655(d)(2), 1.657(a), certification activities,'' after ``other
1.657(a)(1), 1.657(c). agents''.
Sec. Sec. 1.655(a)(1), 1.655(a)(2)... Removed ``under this subpart''............ Improve clarity.
Sec. 1.655(a)(5)...................... Inserted ``of'' between ``determination'' Editorial change.
and ``whether''.
Sec. 1.655(c)(1)...................... Replaced ``area(s) needing improvement'' Improve clarity.
with, ``deficiencies in complying with
the requirements of this subpart''.
[[Page 74637]]
Sec. 1.655(c)(2)...................... Rephrased from ``effective corrective Improve clarity.
action(s) to address those area(s)'' to
``corrective action(s) that effectively
address the identified deficiencies''.
Sec. 1.656(b)......................... Modified submission timeframe from 2 Conforming change.
months to 60 days.
Sec. 1.656(c)......................... Rephrased ``when any of its audit agents Improve clarity.
or the accredited auditor/third-party
certification body itself, discovers any
condition found during a regulatory or
consultative audit of an eligible entity,
which''.
Sec. 1.657(a)(3) redesignated as Sec. Added ``accredited third-party Improve clarity.
1.657(a)(4). certification body's'' after
``[p]rohibiting an''.
Changed ``other agent of the accredited
auditor/certification body from accepting
any money, gift, gratuity, or item of
value'' to ``other agent involving in
auditing and certification activities
from accepting any money, gift, gratuity,
or other item of value.''.
Sec. 1.657(a)(4) redesignated as Sec. Changed reference from ``(a)(3)'' to Editorial change.
1.657(a)(5). ``(a)(4)''.
Sec. 1.657(a)(4)(i) redesignated as Changed from ``accreditation'' to, Correction.
Sec. 1.657(a)(5)(i). ``auditing and certification''.
Sec. 1.657(c)......................... Added ``accredited third-party Improve clarity.
certification body's'' before
``officers''.
Changed ``other agents of an accredited
auditor/certification body'' to ``other
agents involving in auditing and
certification activities.''.
Sec. 1.658 heading.................... Changed heading to ``What records Improve clarity.
requirements must an accredited auditor/
certification body that has been
accredited meet?''
Sec. 1.658(a)......................... Rephrased from ``certification body must Improve clarity.
maintain electronically for 4 years
records'' to ``certification body that
has been accredited must maintain
electronically for 4 years records
created during its period of
accreditation''.
Sec. 1.658(a)(1)...................... Removed ``laboratory testing records and Conforming change.
results (as applicable).
Sec. Sec. 1.658(a)(1), 1.658(a)(3)... Rephrased from ``and corrective actions'' Improve clarity.
to ``verification of any corrective
action(s) taken''.
Sec. 1.658(a)(4)...................... Replaced ``under Sec. 1.650(a)(5) or by Conforming change.
the accredited auditor/certification body
to FDA under Sec. 1.656(e)'' with ``in
accordance with Sec. 1.650(a)(5)''.
Sec. 1.658(a)(5)-(a)(9) redesignated Removed paragraph (a)(5).................. Conforming change.
as Sec. 1.658(a)(5)-(a)(8).
Sec. 1.658(a)(8) redesignated as Sec. Rephrased from, ``taken as a result'' to Improve clarity.
1.658(a)(7). ``taken to address any deficiencies
identified during a self-assessment''.
Sec. 1.658(a)(9) redesignated as Sec. Changed ``the auditing or certification Improve clarity.
1.658(a)(8). program'' to ``its auditing or
certification program''.
Sec. 1.658(b)......................... Changed from ``FDA in accordance with the Correction.
requirements of subpart J of this
chapter'' to ``FDA in accordance with
section 414 of the FD&C Act''.
Sec. 1.660 heading.................... Changed heading to ``Where do I apply for Improve clarity.
accreditation or renewal of accreditation
by a recognized accreditation body and
what happens once the recognized
accreditation body decides on my
application?''
Sec. 1.661............................ Added ``by a recognized accreditation Improve clarity.
body'' at end of header.
Sec. 1.662(a)......................... Rephrased ``comply with the requirements Improve clarity.
of Sec. Sec. 1.640 to 1.658 and
whether there are deficiencies in the
performance of the accredited auditor/
certification body that, if not
corrected, would warrant withdrawal of
its accreditation under this subpart.''
Sec. 1.662(b)(4)...................... Rephrased from ``regarding the accredited Improve clarity.
auditor's/certification body's authority,
qualifications (including the expertise
and training of its audit agents),
conflict of interest program, internal
quality assurance program, and monitoring
by its accreditation body (or, in the
case of direct accreditation, FDA);''
Sec. 1.663(d)......................... Rephrased from ``submission was Improve clarity.
completed'' to ``completed submission is
received''.
Sec. 1.663(e)......................... Removed ``in writing'' and ``Such Conforming change.
notification may be made
electronically.''
Sec. 1.663(f)......................... Replaced ``conditions'' with Improve clarity.
``limitations''.
Sec. 1.663(f)......................... Replaced ``notification'' with ``issuance Improve clarity.
of the waiver'' and ``issuance of a
denial of a waiver request'' as
appropriate.
Replaced ``conditions'' with
``limitations.''.
Sec. 1.664(a)(1)...................... Added ``or chemical or physical hazard''.. Correction.
Sec. 1.664(a)(2)...................... Changed ``meets the requirements'' to Improve clarity.
``complies with the applicable
requirements''.
Sec. 1.664(b)(2)...................... Replaced ``steps'' with ``relevant audit Improve clarity.
records''.
Replaced ``to justify the food or facility
certification'' with ``in support of its
decision to certify''.
Sec. 1.664(c)(2)...................... Deleted ``food or facility''.............. For flexibility.
[[Page 74638]]
Sec. 1.664(e)(1)...................... Added ``of its accreditation through Improve clarity.
issuance of a withdrawal that will
state''.
Sec. 1.664(e)(1)...................... Deleted, ``electronically, in English''... Conforming change.
Sec. 1.664(e)(2)...................... Added ``issuance of the'' between ``date Improve clarity.
of'' and withdrawal''.
Sec. 1.664(g)(1)...................... Replaced ``bodies'' with ``body it Improve clarity.
accredited''.
Added ``by FDA.''.........................
Changed ``2 months'' to ``60 days.''......
Removed ``electronically and in English.''
Sec. 1.664(g)(2)...................... Replaced ``such'' with ``an''............. Editorial change.
Sec. 1.664(h)......................... Replaced ``and the status of recognition Improve clarity.
and food and facility certifications'' in
the heading with ``accreditation''.
Sec. 1.664(h)......................... Replaced ``under this subpart'' with ``and Improve clarity.
provide a description of the basis for
withdrawal''.
Sec. 1.665 heading.................... Changed heading from ``How do I Improve clarity.
voluntarily relinquish accreditation? to
``what if I want to voluntarily
relinquish accreditation or do not want
to renew?''
Sec. 1.665(a)......................... Changed ``2 months'' to ``60 days''....... Improve clarity.
Sec. 1.665(b)......................... Added ``The accreditation body must Clarification.
establish and maintain records of such
notification under Sec. 1.625(a).''
Sec. 1.666(a)(1)...................... Replaced ``requirements for Improve clarity.
accreditation'' with ``applicable
requirements of this subpart''.
Sec. 1.666(a)(2)(i)................... Replaced ``a'' with ``another'' and Editorial changes.
``not'' with ``no''.
Sec. 1.670(a)(3)...................... Added ``(a)(1) of this section, as Correction.
described in paragraph (a)(2)''.
Sec. 1.670(b)(1)...................... Revised to specify provision ``(a)(1)''... Improve clarity.
Sec. 1.670(b)(2)...................... Added subsection title ``Submission''..... Improve clarity.
Sec. 1.670(b)(3)...................... Added subsection title ``Signature''...... Improve clarity.
Sec. 1.671 heading.................... Changed title from ``How will FDA review Improve clarity.
applications for direct accreditation and
for renewal of direct accreditation?'' to
``How will FDA review my application for
direct accreditation or for renewal of
direct accreditation and what happens
once FDA decides on my application?''
Sec. 1.671(b)......................... Reorganized the provision: Moved original Improve clarity.
(f) under (b).
Sec. 1.671(c) previously (c) and (d).. Redesignated as (c) to state that FDA will Improve clarity.
notify an applicant that its direct
accreditation or renewal application has
been approved through issuance of direct
accreditation that will list any
limitations associated with the
accreditation.
Sec. 1.671(e)......................... Redesignated (e) to (d)................... Improve clarity.
Replaced ``denies'' with ``issues a
denial''.
Added ``for direct accreditation or for
renewal of direct accreditation.''.
Replaced ``notification'' with ``issuance
of the denial of direct accreditation.''.
Deleted ``address and''...................
Sec. 1.681............................ Combined (a) and (b)...................... Improve clarity.
Replaced ``seek'' with ``apply for''......
Sec. 1.691(a) and (b)................. Replaced ``decision'' with ``the issuance Improve clarity.
of such denial''.
Sec. 1.691(c)......................... Replaced ``it describes'' with ``described Editorial change.
in the notice''.
Sec. 1.691(d)......................... Deleted ``in writing''.................... Improve clarity.
Rephrased ``of its decision to grant the
application or waiver request upon
reconsideration, or its decision to deny
the application or waiver request upon
reconsideration.''.
Sec. 1.692(a)......................... Replaced ``FDA issued'' to ``of issuance Editorial change.
of''.
Sec. 1.692(d)......................... Deleted ``electronically''................ Improve clarity.
Added phrases ``through issuance of an
application or waiver request upon
reconsideration'' and ``application or
waiver request upon reconsideration
through issuance of a denial of.''.
Sec. 1.692(e)......................... Replaced ``Affirmation'' with ``Issuance'' Improve clarity.
Sec. 1.693............................ Replaced ``FDA issued'' and ``written For consistency and to
notice'' with ``issuance of''. improve clarity.
Sec. 1.693(a)......................... Rephrased ``the accreditation body or an Improve clarity.
individual authorized to act on its
behalf'' to ``an individual authorized to
act on the accreditation body's behalf''.
Sec. 1.693(b)......................... Rephrased ``the auditor/certification body Improve clarity.
or an individual authorized to act on its
behalf'' to ``an individual authorized to
act on the third-party certification
body's behalf''.
----------------------------------------------------------------------------------------------------------------
[[Page 74639]]
XV. Executive Order 13175
In accordance with Executive Order 13175, FDA has consulted with
tribal government officials. A Tribal Summary Impact Statement has been
prepared that includes a summary of Tribal officials' concerns and how
FDA has addressed them (Ref. 26). Persons with access to the Internet
may obtain the Tribal Summary Impact Statement at http://www.regulations.gov. Copies of the Tribal Summary Impact Statement also
may be obtained by contacting the person listed under FOR FURTHER
INFORMATION CONTACT.
XVI. Analysis of Economic Impact
FDA has examined the impacts of the final rule under Executive
Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5
U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L.
104-4). Executive Orders 12866 and 13563 direct Agencies to assess all
costs and benefits of available regulatory alternatives and, when
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety, and other advantages; distributive impacts; and
equity). The Agency believes that this final rule is a significant
regulatory action under Executive Order 12866.
The Regulatory Flexibility Act requires Agencies to analyze
regulatory options that would minimize any significant impact of a rule
on small entities. Because the Third-Party program will be used
primarily on voluntary basis where private enterprises determine that
the benefits of participating in our program outweighs their associated
user fee and compliance costs, the Agency certifies that the final rule
will not have a significant economic impact on a substantial number of
small entities.
Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires
that Agencies prepare a written statement, which includes an assessment
of anticipated costs and benefits, before proposing ``any rule that
includes any Federal mandate that may result in the expenditure by
State, local, and tribal governments, in the aggregate, or by the
private sector, of $100,000,000 or more (adjusted annually for
inflation) in any one year.'' The current threshold after adjustment
for inflation is $144 million, using the most current (2014) Implicit
Price Deflator for the Gross Domestic Product. FDA does not expect this
final rule to result in any 1-year expenditure that would meet or
exceed this amount. Annualized cost of the Third-Party final rule is
estimated at approximately $2.8 to $11.6 million, depending on the
scenario.
XVII. Paperwork Reduction Act of 1995
This final rule contains information collection provisions that are
subject to review by OMB under the Paperwork Reduction Act of 1995 (44
U.S.C. 3501-3520). The title, description, and respondent description
of the information collection provisions are shown in the following
paragraphs with an estimate of the annual reporting and recordkeeping
burdens. Included in the estimate is the time for reviewing
instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing each
collection of information.
Title: Accreditation of Third-Party Certification Bodies to Conduct
Food Safety Audits and Issue Certifications (Third-Party final rule)
Description: FDA is amending its regulations to provide for
accreditation of third-party certification bodies (CBs) to conduct food
safety audits of eligible foreign food entities, including foreign food
facilities, and to issue food and facility certifications, pursuant to
the FDA Food Safety Modernization Act. Use of accredited third-party
CBs and food and facility certifications will help us prevent
potentially harmful food from reaching U.S. consumers and thereby
improve the safety of the U.S. food supply. We also expect that these
regulations will increase efficiency by reducing the number of
redundant audits to assess compliance with applicable food safety
requirements of the FD&C Act and FDA regulations.
Description of respondents: The coverage of the Third-Party final
rule includes eligible entities seeking audits, certification, and/or
recertification by accredited CBs participating in our program,
accreditation bodies (ABs) seeking to comply with the recognition
requirements of the Third-Party final rule, and CBs seeking to comply
with the accreditation requirements of the Third-Party final rule
(including those accredited by recognized ABs and those directly-
accredited by FDA). An eligible entity is a foreign entity in the
import supply chain of food for consumption in the United States that
chooses to be subject to a food safety audit conducted by an accredited
third-party certification body.
Based on FDA Operational and Administration System for Import
Support database information, we estimate that there are 200,692
foreign food and feed exporters that offer their food and feed for
import into the United States. These foreign food and feed exporters
include 129,757 food and feed production facilities and 70,935 farms. A
proportion of these foreign food and feed exporters may offer food
subject to mandatory certification requirements under section 801(q) of
the FD&C Act. In that case, the eligible entities must either comply
with the Third-Party final rule in order to obtain certification from a
CB accredited under the third-party program to continue exporting their
food products into the United States, or a foreign government
designated by FDA, or lose their access to U.S. markets. In the
economic analysis of the Third-Party final rule, we assume that in any
given year 75 foreign food and feed exporters will be subject to
section 801(q) of the FD&C Act.
In addition to the entities subject to Sec. 801(q), some food
exporters will seek certificates to participate in VQIP under section
806 of the FD&C Act. We consider three different scenarios for the
participation rate of VQIP importers and their associated foreign
suppliers in a 10-year period: (1) Constant number of VQIP importers in
every year, (2) increasing participation over time, peaking at 20
percent of all importers of perishable products by the fifth year, with
stagnant growth in subsequent years, (3) increasing participation over
time, peaking at 40 percent of all importers of perishable products by
the 10th year of the program.
The VQIP draft guidance document caps the acceptance of
applications by importers for VQIP at 200 for the initial year of the
program. Under Scenario 1, we consider 200 importers participating in
each of first 10 years of VQIP (see table 6). Average number of foreign
suppliers per importers is approximately 5.58; therefore, under
Scenario 1, we expect that 200 importers and approximately 1,116
foreign suppliers (200 importers x 5.58 foreign supplier per importer)
will be participating in VQIP every year for a 10-year period (see
tables 6 and 7).
According to FDA's Office of Regulatory Affairs Reporting Analysis
and Decision Support System database, the number of importers of
perishable products is approximately 2,759. These importers would have
an incentive to participate in VQIP in order to expedite entry of their
perishable food products into the United States. Under Scenario 2, we
consider 200 importers participating in the initial year of VQIP and
increasing steadily until the fifth year of the program until 552
importers (20 percent x 2,759 importers of perishable products) are
participating in the program. For years 6 through 10, we consider 3
percent increase in
[[Page 74640]]
participation of new importers in VQIP (see table 6). Multiplying the
number of importers by the number of foreign suppliers per importers
(5.58), we expect that the number of foreign supplies participating in
VQIP, under Scenario 2, would increase from 1,116 to 3,527 in a 10-year
period (see table 7).
Under Scenario 3, we consider the number of importers will increase
from 200 in the initial year of VQIP to 1,104 importers (40 percent x
2,759 importers of perishable products) in the 10th year of the
program. Tables 6 and 7 include the number of importers and their
associated foreign suppliers for scenario 3. Table 9 includes total
number of eligible entities in the Third-Party final rule based on the
three considered scenarios in the 10th year of the program.
The economic analysis of the Third-Party final rule estimates
compliance costs under the assumption that expected efficiency gains,
and foreign food suppliers' incentive to maintain continued importation
of their food to the United States would lead all foreign suppliers
subject to section 801(q) of the FD&C Act, and foreign suppliers who
choose to use third-party food safety audits to satisfy requirements of
FDA's VQIP, to become eligible entities and seek food safety audits
under the Third-Party final rule.
Considering the demand for food safety audits under the Third-Party
program by foreign suppliers subject to section 801(q) of the FD&C Act
and those wanting to participate in VQIP, we expect that some of the
ABs and CBs operating globally will also have an incentive to
participate and comply with the Third-Party final rule. Under the three
different scenarios discussed above, we have estimated that 11 to 25
ABs will accredit CBs that will conduct food safety audits of foreign
eligible entities that offer food or feed for import to the United
States. We also estimate that approximately 91 to 207 CBs will be
accredited by the potential 11 to 25 AB applicants; these CBs will
comply with the Third-Party final rule in order to participate in the
program. In addition, we expect that one CB will apply and participate
in the third-party program via direct accreditation by FDA under the
Third-Party final rule (see table 9).
Table 6--Potential Number of Importers Participating in VQIP in Its Initial 10 Years
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year
Scenario -----------------------------------------------------------------------------------------
1 2 3 4 5 6 7 8 9 10
--------------------------------------------------------------------------------------------------------------------------------------------------------
1............................................................. 200 200 200 200 200 200 200 200 200 200
2............................................................. 200 288 376 464 552 562 579 596 614 632
3............................................................. 200 300 400 500 600 700 800 900 1,000 1,104
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 7--Potential Number of Foreign Suppliers (Section 806 of the FD&C Act) Participating in VQIP in Its Initial 10 Years
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year
Scenario -----------------------------------------------------------------------------------------
1 2 3 4 5 6 7 8 9 10
--------------------------------------------------------------------------------------------------------------------------------------------------------
1............................................................. 1,116 1,116 1,116 1,116 1,116 1,116 1,116 1,116 1,116 1,116
2............................................................. 1,116 1,607 2,098 2,589 3,080 3,136 3,231 3,326 3,426 3,527
3............................................................. 1,116 1,674 2,232 2,790 3,348 3,906 4,464 5,022 5,580 6,160
--------------------------------------------------------------------------------------------------------------------------------------------------------
Table 8--Number of Respondents in the Third-Party Final Rule
----------------------------------------------------------------------------------------------------------------
Eligible entities Scenario 1 Scenario 2 Scenario 3
----------------------------------------------------------------------------------------------------------------
Section 801(q) of FD&C Act...................................... 75 75 75
Section 806 of FD&C Act......................................... 1,116 3,527 6,160
-----------------------------------------------
Total eligible entities..................................... 1,191 3,602 6,235
----------------------------------------------------------------------------------------------------------------
Table 9--Number of Respondents to the Third-Party Final Rule
----------------------------------------------------------------------------------------------------------------
Number of ABs/CBs
Status of ABs/CBs -----------------------------------------------
Scenario 1 Scenario 2 Scenario 3
----------------------------------------------------------------------------------------------------------------
ABs seeking recognition......................................... 11 17 25
CBs seeking accreditation by recognized ABs..................... 91 140 207
CBs seeking accreditation by FDA................................ 1 1 1
-----------------------------------------------
Total CBs accredited........................................ 92 141 208
----------------------------------------------------------------------------------------------------------------
Information Collection Burden Estimate: We estimate the burden for
this information collection as follows:
Recordkeeping Burden
In summary, under Scenario 1, total one-time recordkeeping burden
by 11 recognized ABs and 92 CBs accredited under the third-party
program is estimated at 25,792 hours (see table 10). Total annual
recordkeeping burden by 11 recognized ABs and 92 CBs accredited under
the third-party
[[Page 74641]]
program is estimated at 2,673 hours (see table 13).
Under Scenario 2, total one-time recordkeeping burden by 17
recognized ABs and 141 CBs accredited under the third-party program is
estimated at 41,640 hours (see table 11). Total annual recordkeeping
burden by 17 recognized ABs and 141 CBs accredited under the third-
party program s is estimated at 4,553 hours (see table 14).
Under Scenario 3, total one-time recordkeeping burden by 25
recognized ABs and 208 CBs accredited under the third-party program is
estimated at 58,570 hours (see table 12). Total annual recordkeeping
burden by 25 recognized ABs and 208 CBs accredited under the third-
party program is estimated at 6,253 hours (see table 15).
For the purpose of this analysis we assume that all ABs that apply
for recognition in the program become recognized and all CBs that apply
for accreditation are accredited.
Table 10--Scenario 1, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.615.................... 11 1 11 2 22
Sec. 1.645.................... 92 1 92 2 184
Sec. 1.624(d)................. 11 1 11 160 1,760
Sec. 1.657(d)................. 92 1 92 160 14,720
Contract modification........... 11 8.27 91 2 182
Sec. 1.651.................... 92 48 4,416 2 8,832
Sec. 1.653(b)(2).............. 92 1 92 1 92
-------------------------------------------------------------------------------
Total One-Time Recordkeeping .............. .............. .............. .............. 25,792
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Table 11--Scenario 2, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.615.................... 17 1 17 2 34
Sec. 1.645.................... 141 1 141 2 282
Sec. 1.624(d)................. 17 1 17 160 2,720
Sec. 1.657(d)................. 141 1 141 160 22,560
Contract modification........... 17 8.23 140 2 280
Sec. 1.651.................... 141 55.4 7,811 2 15,623
Sec. 1.653(b)(2).............. 141 1 141 1 141
-------------------------------------------------------------------------------
Total One-Time Recordkeeping .............. .............. .............. .............. 41,640
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Table 12--Scenario 3, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.615.................... 25 1 25 2 50
Sec. 1.645.................... 208 1 208 2 416
Sec. 1.624(d)................. 25 1 25 160 4,000
Sec. 1.657(d)................. 208 1 208 160 33,280
Contract modification........... 25 8.79 220 2 440
Sec. 1.651.................... 208 48.5 10,088 2 20,176
Sec. 1.653(b)(2).............. 208 1 208 1 208
-------------------------------------------------------------------------------
Total One-Time Recordkeeping .............. .............. .............. .............. 58,570
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Table 13--Scenario 1, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.625.................... 11 397 4,367 0.025 1,092
(15 minutes)
Sec. 1.624(c)................. 11 1 11 8 88
[[Page 74642]]
Sec. 1.657(d)................. 92 1 92 8 736
Sec. 1.652.................... 92 48 4,416 0.083 367
(5 minutes)
Sec. 1.653(b)(2).............. 92 48 4,416 0.083 367
(5 minutes)
Sec. 1.656(c)................. 92 0.25 23 1 23
-------------------------------------------------------------------------------
Total Annual Recordkeeping .............. .............. .............. .............. 2,673
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Table 14--Scenario 2, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.625.................... 17 456 7,752 0.25 1,938
(15 minutes)
Sec. 1.624(c)................. 17 1 17 8 136
Sec. 1.657(d)................. 141 1 141 8 1,128
Sec. 1.652.................... 141 55.4 7,811 0.083 648
(5 minutes)
Sec. 1.653(b)(2).............. 141 55.4 7,811 0.083 648
(5 minutes)
Sec. 1.656(c)................. 141 0.25 35 1 35
-------------------------------------------------------------------------------
Total Annual Recordkeeping .............. .............. .............. .............. 4,533
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Table 15--Scenario 3, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.625.................... 25 426 10,650 0.25 2,663
(15 minutes)
Sec. 1.624(c)................. 25 1 25 8 200
Sec. 1.657(d)................. 208 1 208 8 1,664
Sec. 1.652.................... 208 48.5 10,088 0.083 837
(5 minutes)
Sec. 1.653(b)(2).............. 208 48.5 10,088 0.083 837
(5 minutes)
Sec. 1.656(c)................. 208 0 52 1 52
-------------------------------------------------------------------------------
Total Annual Recordkeeping .............. .............. .............. .............. 6,253
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.
Sections 1.615 and 1.645 of the Third-Party final rule require that
at the time an AB submits an application for recognition (under Sec.
1.630 of the Third-Party final rule) or a CB submits an application for
direct accreditation (under Sec. 1.660, or where applicable under
Sec. 1.670), the AB or CB must demonstrate that it has implemented
written procedures to adequately establish, control, and maintain
records for the period of time necessary to meet its contractual and
legal obligations pertaining to the third-party program. Currently, ABs
maintain recordkeeping protocols relating to their operations; however,
we expect that ABs will review their recordkeeping protocols and, if
necessary, modify them to meet the requirements of Sec. 1.615 of the
Third-Party final rule before submitting applications for recognition.
We believe that the records requirements for ABs in Sec. 1.615 and CBs
in Sec. 1.645 would constitute a new one-time burden for the 11 to 25
ABs in each of the three considered scenario, and 92 to 208 CBs
respectively. We expect that it would take no more than 2 hours for an
AB or a CB to modify its recordkeeping protocol to comply with the
written recordkeeping requirements described in Sec. Sec. 1.615 and
1.645 of the Third-Party final rule (see tables 10 to 12). Therefore,
under Scenario 1, we estimate that it would take 22 hours (2 hours/AB x
11 ABs) for ABs to comply with Sec. 1.615 (34 hours under Scenario 2,
and 50 hours under Scenario 3) (see tables 10 to 12). We estimate 184
hours (2 hours/CB x 92 CBs) for CBs to comply with Sec. 1.645 of the
Third-Party final rule
[[Page 74643]]
(282 hours under Scenario 2, and 416 hours under Scenario 3) (see
tables 10 to 12).
Section 1.625 of the Third-Party final rule requires that an AB
that has been recognized maintain records documenting requests by CBs
for accreditation from the AB (per Sec. 1.660), challenges to adverse
accreditation decisions (Sec. 1.620(c)), monitoring activities of its
accredited CBs (Sec. 1.621), self-assessments and corrective actions
(Sec. 1.622), copies of regulatory audit reports submitted by its
accredited CBs (Sec. 1.656), and copies of records of reports or
notifications made to us, as required by Sec. 1.623. A recognized AB's
requirements for reporting and notifications per Sec. 1.623 of the
Third-Party final rule include submission of results of its annual
performance assessment of each of its accredited CBs (Sec. 1.623(a))
and the results of its self-assessment (Sec. 1.623(b)) (see tables 20
to 22). A recognized AB also must notify us immediately upon granting,
withdrawing, suspending, reducing the scope of accreditation of a CB or
upon its determination that a CB it accredited issued a food or
facility certification in violation of subpart M, pursuant to Sec.
1.623(c) of the Third-Party final rule. Additionally, a recognized AB
must notify us within 30 days after making significant changes to its
operations that would affect the manner in which it complies with the
Third-Party final rule (Sec. 1.623(d)).
Under current practice, ABs maintain records documenting requests
by CBs for accreditation, monitoring activities of CBs they have
accredited, and self-assessments and corrective actions. The records
currently maintained by ABs are similar to those that would be required
of a recognized AB under Sec. 1.623 of the Third-Party final rule.
However, CBs do not currently send copies of audit reports of their
clients (food facilities) to their ABs. Therefore, an AB's maintenance
of records pertaining to regulatory audit reports submitted by CBs they
have accredited is considered as a new recordkeeping burden for
recognized ABs. We expect that it would take no more than 15 minutes
(0.25 hour) for a recognized AB to file a regulatory audit report
submitted by its accredited CBs. Under Scenario 1, we estimate the
burden for 11 recognized ABs to maintain regulatory audit reports that
were submitted to them by their accredited CBs. We estimate that
following the implementation of the Third-Party final rule, under
Scenario 1, each recognized AB will accredit approximately 8.27 CBs
under the program (average of 10-year period) (8.23 CBs/AB under
Scenario 2; 8.79 CBs/AB under Scenario 3). In addition, under Scenario
1, we estimate that each CB accredited under the third-party program,
on average, will conduct regulatory audits on approximately 48 eligible
entities a year (average of 10-year period) (55.4 foreign suppliers per
CB under Scenario 2; 48.5 foreign suppliers per CB under Scenario 3).
Under Scenario 1, we expect that each recognized AB will receive, on
average, 397 regulatory audit reports (48 regulatory audit reports/CB x
8.27 CBs/AB) from its CBs annually resulting in a total of 4,367
records per year (397 audit reports/AB x 11 ABs). Under Scenario 2, we
expect that each recognized AB will receive, on average, 456 regulatory
audit reports (55.4 regulatory audit reports/CB x 8.23 CBs/AB) from its
CBs annually resulting in a total of 7,752 records per year (456 audit
reports/AB x 17 ABs). Under Scenario 3, we expect that each recognized
AB will receive, on average, 426 regulatory audit reports (48.5
regulatory audit reports/CB x 8.79 CBs/AB) from its CBs annually
resulting in a total of 10,650 records per year (426 audit reports/AB x
25 ABs). Total annual burden of recordkeeping requirement for
recognized AB under Sec. 1.625 of the Third-Party final rule is
estimated at 1,092 hours (4,367 records x 0.25 hours/record) under
Scenario 1 (1,938 hours under Scenario 2; 2,663 hours under Scenario 3)
(see tables 13 to 15).
Section 1.624(d) of the Third-Party final rule requires each
recognized AB maintain on its Web site an up-to-date list of CBs it has
accredited under the Third-Party final rule and for each CB identify
the duration and scope of accreditation and date(s) on which the CB
paid the AB any fee or reimbursement associated with such
accreditation. Recognized ABs must also include information about
changes in accreditation status of third-party certification bodies.
Our review of AB Web sites found that none of the ABs reviewed publish
all the information that is required by Sec. 1.620(d) of the Third-
Party final rule on their Web sites. We estimate that each AB, on
average, would initially spend approximately 160 hours to update its
Web page to conform with this section of the Third-Party final rule.
Under Scenario 1, the one-time burden of conforming to Sec. 1.624(d)
of the Third-Party final rule by 11 recognized ABs is estimated at
approximately 1,760 hours (11 ABs x 160 hours/AB) (see table 10). Under
Scenario 2, the one-time burden of conforming to Sec. 1.624(d) of the
Third-Party final rule by 17 recognized ABs is estimated at
approximately 2,720 hours (17 ABs x 160 hours/AB) (see table 11). Under
Scenario 3, the one-time burden of conforming to Sec. 1.624(d) of the
Third-Party final rule by 25 recognized ABs is estimated at
approximately 4,000 hours (25 ABs x 160 hours/AB) (see table 12). In
addition, we estimate that each recognized AB would spend 8 hours
annually, following the initial year, to update information as required
by Sec. 1.624(d) of the Third-Party final rule. Under Scenario 1, the
annual hourly burden for 11 recognized ABs to update their Web pages to
conform to disclosure of information requirement per Sec. 1.624(d) of
the Third-Party final rule is estimated at 88 hours (8 hours/AB x 11
ABs) (136 hours under Scenario 2; 200 hours under Scenario 3) (see
tables 13 to 15).
Similarly, Sec. 1.657(d) of the Third-Party final rule requires a
CB accredited in compliance with the Third-Party final rule to maintain
on its Web site an up-to-date list of eligible entities which it has
issued certifications under this subpart. For each such eligible entity
the Web site also must identify the duration and scope of the
certification and date(s) on which the eligible entity paid the CB
accredited under the third-party program any fee or reimbursement
associated with such audit or certification. In the Third-Party final
Regulatory Impact Analysis, we estimate that following the
implementation of the Third-Party final rule and VQIP draft guidance,
there will be approximately 91 CBs accredited by recognized ABs and 1
directly-accredited CB under Scenario 1 (140 CBs and one directly-
accredited CB under Scenario 2; 207 CBs and 1 directly-accredited CB
under Scenario 3). Under Scenario 1, the one-time recordkeeping burden
of 92 CBs accredited under the third-party program to comply with Sec.
1.657(d) of the Third-Party final rule is estimated at 14,720 hours
(160 hours/CB x 92 CBs) (22,560 hours under Scenario 2; 33,280 hours
under Scenario 3) (see tables 10 to 12). In addition, we estimate that
each CB would spend 8 hours annually, following the initial year, to
update information as required by Sec. 1.657(d) of the Third-Party
final rule. Under Scenario 1, annual hourly burden for 92 CBs
accredited under the third-party program to update their Web pages to
conform to disclosure of information requirement per Sec. 1.657(d) of
the Third-Party final rule is estimated at 736 hours (8 hours/CB x 92
CBs) (1,128 hours under Scenario 2; 1,664 hours under Scenario 3) (see
tables 13 to 15).
There are certain provisions within the Third-Party final rule that
may require ABs to modify their contracts
[[Page 74644]]
with their CBs in order to comply with the Third-Party final rule.
Therefore, it is expected that recognized ABs will modify their
contracts with their accredited CBs to be able to conduct activities
such as conducting unannounced audits of their accredited CBs'
facilities. Minor modifications or addenda to contracts with standard
language provided by provisions in the Third-Party final rule would
consist of no more than 1 hour by an AB executive and 1 hour by a legal
counsel representing the AB. As we discussed, following the
implementation of the Third-Party final rule, we expect that each
recognized AB will accredit approximately 8.27 CBs (8.23 CBs/AB under
Scenario 2; 8.79 CBs/AB under Scenario 3). Therefore, under Scenario 1,
a total of 91 contracts (8.27 contracts/AB x 11 ABs) (140 contracts
under Scenario 2; 220 contracts under Scenario 3) are expected to be
modified to reflect changes in contractual obligations between each
recognized AB and its accredited CBs under the Third-Party final rule
(see tables 10 to 12). The one-time burden of initial modification of
91 contracts between 11 recognized ABs and their respective accredited
CBs is approximately 182 hours (91 contracts x 2 hours/contract) (280
hours under Scenario 2; 440 hours under Scenario 3) (see tables 10 to
12).
Similarly, CBs accredited by recognized ABs would need to modify or
create new contracts with their client eligible entities in order to
gain access to any records and any area of the facility, its
process(es), and food of the eligible entity relevant to the scope and
purpose of audit being performed by the CB (Sec. 1.651). Considering
that each of the expected 92 CBs accredited under the third-party
program, under Scenario 1, will each have approximately 48 client
eligible entities, we expect that approximately 4,416 contracts (48
contracts/CB x 92 CBs) between CBs accredited under the third-party
program and eligible entities will be modified (7,811 contracts
scenario 2; 10,088 contracts under Scenario 3) (see tables 10 to 12).
Under Scenario 1, the one-time burden of initial modification of 4,416
contracts between 92 CBs accredited under the third-party program and
their respective client eligible entities is approximately 8,832 hours
(4,416 contracts x 2 hours/contract) (15,623 hours under Scenario 2;
20,176 hours under Scenario 3) (see tables 10 to 12).
Section 1.652 of the Third-Party final rule requires that CBs
accredited under the third-party program include certain information in
reports of food safety audits. We believe that some information such as
the FDA food facility registration number (where applicable) of the
facility subject to the audit are currently not included in food safety
audits conducted by CBs accredited under other programs. Although this
information may not be required as part of the Third-Party program, we
have conservatively included the burden of providing such information
in this analysis. We expect that it would take about 5 minutes (0.083
hour), on average, by a CB accredited under the third-party program to
include additional information, as required in Sec. 1.652, in reports
of food safety audits. Therefore, at a minimum, under Scenario 1, each
CB accredited under the third-party program must modify a regulatory
audit report for each of its 48 eligible entities (55.4 eligible
entities per CB in Scenario 2; 48.5 eligible entities per CB in
Scenario 3) every year. Under Scenario 1, total annual records of 92
CBs accredited under the third-party program modifying regulatory audit
reports of their client eligible entities is estimated at 4,416 records
(92 CBs x 48 eligible entities/CB x 1 record/eligible entity) (7,811
records under Scenario 2; 10,088 records under Scenario 3). Annual
recordkeeping burden of CBs accredited under the third-party program,
per Sec. 1.652 of the Third-Party final rule, is estimated at 367
hours (4,416 records x 0.083 hour/record) for Scenario 1 (648 hours for
Scenario 2; 837 hours for Scenario 3) (see tables 13 to 15).
Accredited third-party CBs will incur additional recordkeeping
costs associated with modifying existing certification templates to
meet the requirements of Sec. 1.653(b)(2). For example, we are
requiring accredited CBs to provide a certification number that follows
an FDA numeric designation. We have included the burden of providing
such information in this analysis because we know that CBs currently do
not use an FDA designation in numbering their certificates. To the
extent that any of the elements in Sec. 1.653(b)(2) are already
included in current certificates issued by some CBs, such as the
date(s) and scope of the audit, the recordkeeping burden may be
overestimated. We expect that it will take no more than 1 hour, on
average, to change the design of certifications issued by CBs
accredited under the third-party program. Under Scenario 1, we estimate
a one-time recordkeeping burden of modifying the design of the
certifications of 92 CBs accredited under the third-party program at 92
hours (92 CBs x 1 hour/CB) (141 hours under Scenario 2; 208 hours under
Scenario 3) (see tables 16 to 18).
We expect that the burden to fill additional information on a
certification that is issued is 5 minutes (0.083 hour). Therefore,
under Scenario 1, the annual burden of Sec. 1.653(b)(2) is estimated
at 367 hours (92 CBs x 1 certificate/entity x 48 entities/CB x 0.083
hour/certificate) (see table 19). Under Scenario 2, the annual burden
of Sec. 1.653(b)(2) is estimated at 648 hours (141 CBs x 1
certificate/entity x 55.4 entities/CB x 0.083 hour/certificate) (see
table 20). Finally, under Scenario 3, the annual burden of Sec.
1.653(b)(2) is estimated at 837 hours (208 CBs x 1 certificate/entity x
48.5 entities/CB x 0.083 hour/certificate) (see table 21).
Section 1.656(c) of the Third-Party final rule requires that CBs
accredited under the third-party program report to us any condition,
found during a regulatory or consultative audit of an eligible entity,
which could cause or contribute to a serious risk to the public health.
We believe that these occurrences are rare and may occur once every 4
years, or 0.25 times per year. Reporting serious hazard conditions
would consist of the onsite audit agent of a CB accredited under the
third-party program to document the event as a record and to
immediately submit the record to us. Therefore, under Scenario 1, the
annual number of records prepared by 92 CBs accredited under the third-
party program is estimated at 23 (0.25 records/CB x 92 CBs) (35 records
under Scenario 2; 52 records under Scenario 3). It is expected that a
CB accredited under the third-party program would take no more than 1
hour to prepare such record (notification). Under Scenario 1, annual
burden of preparation of records per Sec. 1.656(c) of the Third-Party
final rule by 92 CBs accredited under the third-party program is
estimated at 23 hours (23 records x 1 hour/record; see table 13) (35
hours for Scenario 2, and 52 hours for Scenario 3; see tables 14 to
15).
We also acknowledge that an accreditation body seeking to challenge
a denial of its application for recognition, renewal of recognition, or
reinstatement of recognition will incur costs in compiling information
to support its request for reconsideration under Sec. 1.691 or its
request for internal Agency review under Sec. 1.692. A third-party
certification body seeking to challenge a denial of its application for
direct accreditation, renewal of direct accreditation, or
reaccreditation as a directly accredited third-party certification body
will incur costs in compiling information to support its
[[Page 74645]]
request for reconsideration under Sec. 1.691 or its request for
internal Agency review under Sec. 1.692, as will any accredited third-
party certification body seeking to challenge a denial of its request
for a waiver of the conflict of interest requirement of Sec. 1.650(b)
or a waiver extension. We anticipate that most accreditation bodies and
third-party certification bodies who seek to participate in our program
will carefully consider the program requirements before applying to, or
joining, the program or before submitting a waiver request. We
anticipate the submission of challenges under Sec. 1.691 or Sec.
1.692 to be an infrequent event, and one that most program participants
will not encounter. Therefore, we are not calculating costs associated
with the compiling of information to support a request for
reconsideration under Sec. 1.691 or a request for internal agency
review under Sec. 1.692 by an accreditation body seeking to challenge
a denial of its application for recognition, renewal of recognition, or
reinstatement of recognition; by an third-party certification body
seeking to challenge a denial of its application for direct
accreditation, renewal of direct accreditation, or reaccreditation as a
directly accredited third-party certification body; or by an accredited
third-party certification body seeking to challenge a denial of its
request for a waiver of the conflict of interest requirement of Sec.
1.650(b) or a waiver extension.
Reporting Burden
In summary, under Scenario 1, total one-time reporting burden by 11
recognized ABs and 92 CBs accredited under the third-party program is
estimated at 960 hours (see table 16). Under Scenario 2, total one-time
reporting burden by 17 recognized ABs and 141 CBs accredited under the
third-party program is estimated at 1,440 hours (see table 17). Under
Scenario 3, total one-time reporting burden by 25 recognized ABs and
208 CBs accredited under the third-party program is estimated at 2,080
hours (see table 18). Total annual reporting burden, under Scenarios 1
to 3 is estimated between 3,466 and 7,919 hours (see tables 19 to 21).
Table 16--Scenario 1, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.630.................... 11 1 11 80 880
Sec. 1.670(a-b)............... 1 1 1 80 80
-------------------------------------------------------------------------------
Total One-Time Reporting .............. .............. .............. .............. 960
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.
Table 17--Scenario 2, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.630.................... 17 1 17 80 1,360
Sec. 1.670(a-b)............... 1 1 1 80 80
-------------------------------------------------------------------------------
Total One-Time Reporting .............. .............. .............. .............. 1,440
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.
Table 18--Scenario 3, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.630.................... 25 1 25 80 2,000
Sec. 1.670(a-b)............... 1 1 1 80 80
-------------------------------------------------------------------------------
Total One-Time Reporting .............. .............. .............. .............. 2,080
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.
Table 19--Scenario 1, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.634.................... 11 1 11 8 88
Sec. 1.673.................... 1 1 1 10 10
Sec. 1.623(a)................. 11 8.27 91 0.25 23
(15 minutes)
Sec. 1.623(b)................. 11 1 11 0.25 3
(15 minutes)
[[Page 74646]]
Sec. 1.653(b)(1).............. 92 48 4,416 0.25 1,104
(15 minutes)
Sec. 1.656(a) \1\............. 91 48 4,368 0.25 1,092
(15 minutes)
Sec. 1.656(a) \2\............. 91 48 4,368 0.25 1,092
(15 minutes)
Sec. 1.656(a) \3\............. 1 48 48 0.25 12
(15 minutes)
Sec. 1.656(b) \4\............. 91 1 91 0.25 23
(15 minutes)
Sec. 1.656(b) \5\............. 1 1 1 0.25 1
(15 minutes)
Sec. 1.656(c)................. 92 0.25 23 0.25 6
(15 minutes)
Sec. 1.656(e) \6\............. 92 0.25 23 0.25 6
(15 minutes)
Sec. 1.656(e) \7\............. 91 0.25 23 0.25 6
(15 minutes)
-------------------------------------------------------------------------------
Total Annual Reporting .............. .............. .............. .............. 3,446
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by accredited CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
eligible entities.
\7\ Annual reporting of serious risk to public health by accredited CBs to their recognized ABs.
Table 20--Scenario 2, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average
Number of Number of Total one-time burden per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.634.................... 17 1 17 8 136
Sec. 1.673.................... 1 1 1 10 10
Sec. 1.623(a)................. 17 8.23 140 0.25 35
(15 minutes)
Sec. 1.623(b)................. 17 1 17 0.25 4
(15 minutes)
Sec. 1.653(b)(1).............. 141 55.4 7,811 0.25 1,953
(15 minutes)
Sec. 1.656(a) \1\............. 140 55.4 7,756 0.25 1,939
(15 minutes)
Sec. 1.656(a) \2\............. 140 55.4 7,756 0.25 1,939
(15 minutes)
Sec. 1.656(a) \3\............. 1 55.4 55 0.25 14
(15 minutes)
Sec. 1.656(b) \4\............. 140 1 140 0.25 35
(15 minutes)
Sec. 1.656(b) \5\............. 1 1 1 0.25 1
(15 minutes)
Sec. 1.656(c)................. 141 0.25 35 0.25 9
(15 minutes)
Sec. 1.656(e) \6\............. 141 0.25 35 0.25 9
(15 minutes)
Sec. 1.656(e) \7\............. 140 0.25 35 0.25 9
(15 minutes)
-------------------------------------------------------------------------------
Total Annual Reporting .............. .............. .............. .............. 6,093
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
eligible entities.
\7\ Annual reporting of serious risk to public health by CBs to their recognized ABs.
[[Page 74647]]
Table 21--Scenario 3, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
Average burden
Number of Number of Total one-time per
21 CFR Part 1, subpart M recordkeepers records per records recordkeeping Total hours
recordkeeper (in hours)
----------------------------------------------------------------------------------------------------------------
Sec. 1.634.................... 25 1 25 8 200
Sec. 1.673.................... 1 1 1 10 10
Sec. 1.623(a)................. 25 8.79 220 0.25 55
(15 minutes)
Sec. 1.623(b)................. 25 1 25 0.25 6
(15 minutes)
Sec. 1.653(b)(1).............. 208 48.5 10,088 0.25 2,522
(15 minutes)
Sec. 1.656(a) \1\............. 207 48.5 10,040 0.25 2,510
(15 minutes)
Sec. 1.656(a) \2\............. 207 48.5 10,040 0.25 2,510
(15 minutes)
Sec. 1.656(a) \3\............. 1 55.4 55 0.25 14
(15 minutes)
Sec. 1.656(b) \4\............. 207 1 207 0.25 52
(15 minutes)
Sec. 1.656(b) \5\............. 1 1 1 0.25 1
(15 minutes)
Sec. 1.656(c)................. 208 0.25 52 0.25 13
(15 minutes)
Sec. 1.656(e) \6\............. 208 0.25 52 0.25 13
(15 minutes)
Sec. 1.656(e) \7\............. 207 0.25 52 0.25 13
(15 minutes)
-------------------------------------------------------------------------------
Total Annual Reporting .............. .............. .............. .............. 7,919
Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
eligible entities.
\7\ Annual reporting of serious risk to public health by CBs to their recognized ABs.
Section 1.630 of the Third-Party final rule allows for any AB to
apply for recognition. Under Scenario 1, we estimate that approximately
11 ABs would apply for recognition. We estimate that it will take 80
person-hours to compile all the relevant information and complete the
application for recognition. The initial application for recognition is
a one-time burden for each AB that applies. Under Scenario 1, the one-
time initial application burden for 11 ABs is estimated at 880 hours
(11 applications x 80 hours/application) (see table 16). The one-time
initial application burden for 17 ABs, under Scenario 2 (25 ABs under
Scenario 3), is estimated at 1,360 hours (2,000 hours under Scenario 3)
(see tables 17 and 18). The duration of recognition for a recognized AB
will not exceed 5 years per Sec. 1.632 of the Third-Party final rule.
Therefore, it is expected that each of the recognized ABs would apply
to renew its recognition every 5 years per Sec. 1.634 of the Third-
Party final rule. We expect that applications for renewal of
recognition will take significantly less time to prepare. We use 50
percent of the amount of effort to prepare and submit an application
for renewal of recognition. Therefore, it is expected that, on average,
each recognized AB will spend 40 hours every 5 years (after the initial
application) to complete and submit an application for renewal of its
recognition, or approximately 8 hours per year (40 hours / 5 years) for
each AB. Therefore, the annual burden of completing the renewal of
recognition application by 11 ABs, under Scenario 1, is 88 hours (11
applications x 8 hours/application) per year (136 hours per year for 17
ABs under Scenario 2; 200 per hour for each of 25 ABs under Scenario 3)
(see tables 19 to 21).
Similarly, Sec. 1.670(a) and (b) of the Third-Party final rule
allows for CBs to apply to us for direct accreditation, when the
criteria for direct accreditation are met. We estimate that
approximately one CB would apply for direct accreditation. It is
expected that the application for direct accreditation would require
the same amount of effort as does an AB's application for recognition.
Hence, we estimate that the initial application for direct
accreditation would take 80-person hours. The one-time initial
application burden for 1 CB, for each scenario, is estimated at 80
hours (1 application x 80 hours/application) (see tables 16 to 18). The
duration of accreditation for a directly-accredited CB will not exceed
4 years, per Sec. 1.671 of the Third-Party final rule. Therefore, it
is expected that each of the expected directly-accredited CBs would
apply to renew its accreditation every 4 years, per Sec. 1.673 of the
Third-Party final rule. We expect that directly accredited CBs use 50
percent amount of effort, or 40 person-hours, for their initial
application for direct accreditation, yielding an average of 10 hours
per year. Therefore, the annual burden of completing the application
for renewal by 1 directly-accredited CB is 10 hours (1 application x 10
hours/application) per year (see tables 19 to 21).
For the purposes of the Third-Party final economic and PRA
analyses, we have estimated costs assuming that, during the application
process, affected entities will do their paperwork properly and
completely the first time. If we assumed a less consistent outcome, one
that would result in
[[Page 74648]]
recognition denials, the initial burden might increase.
Section 1.623(a) of the Third-Party final rule requires that
recognized ABs annually conduct comprehensive assessments of the
performance of CBs they have accredited and submit the results of the
assessments to us within 45 days of their completion. We expect that it
would take no more than 15 minutes (0.25 hour) for a recognized AB to
electronically submit the assessment of each its accredited CBs.
Following the implementation of the Third-Party final rule and VQIP
draft guidance, we expect, on average, each recognized AB would
accredit approximately 8.27 CBs (8.23 CBs under Scenario 2; 8.79 under
Scenario 3). Therefore, under Scenario 1, each recognized AB would
submit, on average, approximately 91 copies of assessments of
performance of their accredited CBs (8.27 assessments/AB x 11 ABs) (140
assessments under Scenario 2; 220 under Scenario 3). Under Scenario 1,
annual reporting of 91 assessments by 11 recognized ABs is estimated at
23 hours (91 submission of assessments x 0.25 hour/submission) (35
hours under Scenario 2; 55 hours under Scenario 3) (see tables 19 to
21).
Section 1.623(b) of the Third-Party final rule requires that
recognized ABs annually conduct a self-assessment and submit the
assessments within 45 days of their completion. We expect that it would
take no more than 15 minutes for an AB to electronically submit a copy
of its self-assessment. Under Scenario 1, annual reporting of 11 self-
assessments by 11 recognized ABs is estimated at 3 hours (11 submission
of self-assessments x 0.25 hour/submission) (4 hours under Scenario 2;
6 hours under Scenario 3) (see tables 10 to 21).
Section 1.656(a) of the Third-Party final rule requires that a CB
accredited under the third-party program must submit the regulatory
audit reports it conducts to us and to the AB that granted its
accreditation (where applicable) within 45 days after completing such
audit. In the Third-Party final economic analysis, we estimate that
following the implementation of the Third-Party final rule, there will
be 11 recognized ABs that accredit 91 CBs (17 recognized ABs and 140
accredited CBs under Scenario 2; 25 recognized ABs and 207 accredited
CBs under Scenario 3), and we will directly accredit one CB. In
addition, we estimated that each CB accredited under the third-party
program, on average, conducts food safety audits and certifies 48
eligible entities under Scenario 1 (55.4 eligible entities/CB under
Scenario 2; 48.5 eligible entities/CB under Scenario 3). Therefore,
under Scenario 1, CBs accredited by recognized ABs will annually submit
4,368 regulatory audit reports (91 CBs x 48 reports/CB) to their
accrediting ABs and 4,368 reports to us (see table 19). Similarly,
under Scenarios 2 and 3, CBs accredited by recognized ABs will annually
submit 7,756 and 10,040 regulatory audit reports to their accrediting
ABs and the FDA, respectively (see tables 20 and 21). Under Scenario 1,
the directly-accredited CB will annually submit 48 regulatory audit
reports (1 CB x 48 reports/CB) (see table 19). The number of eligible
entities per directly-accredited CB increases to 55.4 in Scenario 2. We
assume that the number of eligible entities per directly-accredited CBs
remains the same for Scenario 3. We expect that it would take no more
than 15 minutes (0.25 hour) for a CB accredited under the third-party
program to electronically submit a copy of the regulatory report it
conducts to us and to its AB (where applicable).
Under Scenario 1, annual reporting burden for CBs accredited by
recognized ABs is estimated at 1,092 hours (4,368 reports x 0.25 hours/
report) for submitting copies of regulatory audit reports they have
conducted to their accrediting ABs and 1,092 hours for submitting the
same records to us (see table 19). Under Scenario 2, annual reporting
burden for CBs accredited by recognized ABs is estimated at 1,939 hours
(7,756 reports x 0.25 hours/report) for submitting copies of regulatory
audit reports they have conducted to their accrediting ABs and 1,939
hours for submitting the same records to us (see table 20). Similarly,
under Scenario 3, annual reporting burden for CBs accredited by
recognized ABs is estimated at 2,510 hours (10,040 reports x 0.25
hours/report) for submitting copies of regulatory audit reports they
have conducted to their accrediting ABs and 2,510 hours for submitting
the same records to us (see table 21). Under Scenario 1, annual burden
for submission of regulatory audit reports by directly-accredited CBs
is estimated at 12 hours (48 reports x 0.25 hours/report) (14 hours for
Scenarios 2 and 3) (see tables 19 to 21).
Section 1.656(b) of the Third-Party final rule requires CBs
accredited under the third-party program to submit reports of their
annual self-assessments electronically to their ABs, or in the case of
direct accreditation to us, within 45 days of the anniversary date of
their accreditation under subpart M. We expect that it would take no
more than 15 minutes (0.25 hour) for a CB accredited under the third-
party program to electronically send a copy of its annual self-
assessment to its AB or us (as applicable). Under Scenario 1, the
annual burden for CBs accredited by recognized ABs is estimated at 23
hours (91 self-assessments x 0.25 hour/self-assessment; see table 19)
(35 hours under Scenario 2 and 52 hours under Scenario 3; see tables 20
and 21). Annual burden for submission of self-assessments by one
directly-accredited CB is estimated at 0.25 hour (1 self-assessment x
0.25 hour/self-assessment; see tables 19 to 21) (rounded to 1 hour).
As we discussed, Sec. 1.656(c) of the Third-Party final rule
requires that a CB accredited under the third-party program report to
us any condition, found during a regulatory or consultative audit of an
eligible entity, which could cause or contribute to a serious risk to
the public health. In the Recordkeeping Burden section above, we
estimated that such events are expected to occur once every 4 years, or
0.25 per year. We expect that it would take no more than 15 minutes
(0.25 hour) for a CB accredited under the third-party program to
electronically send a copy of its notification to us. Therefore, under
Scenario 1, the total number of notifications sent to us on an annual
basis per Sec. 1.656(c) of the Third-Party final rule is estimated at
23 (92 CBs x 0.25 records/CB) (35 notifications under Scenario 2; 52
notifications under Scenario 3). Under Scenario 1, annual burden for
submitting a notification under Sec. 1.656(c) of the Third-Party final
rule to us by CBs accredited under the third-party program is estimated
at 6 hours (23 records x 0.25 hour/record) (9 hours under Scenario 2;
13 hours under Scenario 3) (see tables 19 to 21).
Following reporting under Sec. 1.656(c), a CB accredited under the
third-party program is required under Sec. 1.656(e) of the Third-Party
final rule to immediately notify the eligible entity and its
accrediting AB of any conditions identified during the audit which
triggered the reporting requirement per Sec. 1.656(c) of the Third-
Party final rule. Under Scenario 1, total number of notification sent
to eligible entities by 141 CBs accredited under the third-party
program is estimated at 23 (92 CBs x 0.25 records/CB) (35 notifications
under Scenario 2; 52 notifications under Scenario 3) while the number
of notifications sent to recognized ABs by their accredited CBs is
estimated at 23 (91 CBs x 0.25 records/CB) (35 under Scenario 2; 52
under Scenario 3). Under Scenario 1, annual burden of submitting a
notification under Sec. 1.656(e) of the Third-Party final rule to
affected eligible entities and ABs by accredited CBs is estimated at 6
hours (9 hours under Scenario 2; 13 hours under Scenario 3) (see tables
19 to 21).
[[Page 74649]]
XVIII. Analysis of Environmental Impact
We have determined under 21 CFR 25.30(j) that this action is of a
type that does not individually or cumulatively have a significant
effect on the human environment. Therefore, neither an environmental
assessment nor an environmental impact statement is required.
XIX. Federalism
We have analyzed the final rule in accordance with the principles
set forth in Executive Order 13132. We have determined that the rule
does not contain policies that have substantial direct effects on the
States, on the relationship between the National Government and the
States, or on the distribution of power and responsibilities among the
various levels of government. Accordingly, we conclude that the rule
does not contain policies that have federalism implications as defined
in the Executive Order and, consequently, a federalism summary impact
statement is not required.
XX. References
The following references have been placed on display in the
Division of Dockets Management (see ADDRESSES) and may be seen by
interested persons between 9 a.m. and 4 p.m., Monday through Friday,
and are available electronically at http://www.regulations.gov. We have
verified the Web site addresses, but we are not responsible for any
subsequent changes to Web sites after this document publishes in the
Federal Register.
1. FDA, ``Transcript: FSMA Proposed Rules on Foreign Supplier
Verification Programs and the Accreditation of Third-Party Auditors/
Certification Bodies, Public Meeting, Day One, September 19, 2013.''
Available in Docket No. FDA-2011-N-0143.
2. FDA, ``Transcript: FSMA Proposed Rules on Foreign Supplier
Verification Programs and the Accreditation of Third-Party Auditors/
Certification Bodies, Public Meeting, Day Two, September 20, 2013.''
Available in Docket No. FDA-2011-N-0143.
3. FDA, ``FDA Office of Foods and Veterinary Medicine Memorandum to
the Division of Dockets Management on FDA Records of Outreach
Sessions,'' November 21, 2013. Available in Docket No. FDA-2011-N-
0920.
4. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC 17000:2004 Conformity
Assessment--Vocabulary and General Principles.'' Copies are
available from the International Organization for Standardization,
1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland,
or on the Internet at http://www.iso.org/iso/catalogue_detail.htm?csnumber=29316 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
5. International Organization for Standardization/International
Electrotechnical Commission, ISO/IEC ``17011:2004 Conformity
Assessment--General Requirements for Accreditation Bodies
Accrediting Conformity Assessment Bodies.'' Copies are available
from the International Organization for Standardization, 1, rue de
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=29332 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
6. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC 17021:2011 Conformity
Assessment--Requirements for Bodies Providing Audit and
Certification of Management Systems.'' Copies are available from the
International Organization for Standardization, 1, rue de Varembe,
Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet
at http://www.iso.org/iso/home/store/publication_item.htm?pid=PUB100353 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
7. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC 17065:2012 Conformity
Assessment--Requirements for Bodies Certifying Products, Processes
and Services.'' Copies are available from the International
Organization for Standardization, 1, rue de Varembe, Case postale
56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46568 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
8. International Organization for Standardization, ISO 19011:2011
Guidelines for Auditing Management Systems.'' Copies are available
from the International Organization for Standardization, 1, rue de
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50675 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
9. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC Guide 65:1996 General
Requirements for Bodies Operating Product Certification Systems.''
Copies are available from the International Organization for
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve
20, Switzerland, or on the Internet at http://www.iso.org/iso/catalogue_detail.htm?csnumber=26796 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
10. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC 17020:2012 Conformity
Assessment--Requirements for the Operation of Various Types of
Bodies Performing Inspection.'' Copies are available from the
International Organization for Standardization, 1, rue de Varembe,
Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet
at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=52994 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
11. Global Food Safety Initiative, ``Enhancing Food Safety Through
Third-Party Certification,'' March 2011.
12. International Organization for Standardization/International
Electrotechnical Commission, ``ISO/IEC 17040:2005 Conformity
Assessment--General Requirements for Peer Assessment of Conformity
Assessment Bodies and Accreditation Bodies.'' Copies are available
from the International Organization for Standardization, 1, rue de
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=31815 or may be examined at the
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
13. International Accreditation Forum, ``IAF Endorsed Normative
Documents, Issue 4 (IAF PR 4:2007),'' http://www.iaf.nu/upFiles/197878.IAF-PR4-2007_Endorsed_NormDocs_Issue_4_Pub.pdf. Accessed on
October 26, 2015.
14. Codex Alimentarius Commission, ``Principles for Food Import and
Export Inspection and Certification (CAC/GL 20-1995).'' http://www.codexalimentarius.org/input/download/standards/37/CXG_020e.pdf.
Accessed on October 26, 2015.
15. Armour, S., Lippert, J., and Smith, M., ``Food Sickens Millions
as Company-Paid Checks Find It Safe,'' Bloomberg Business, October
11, 2012. http://www.bloomberg.com/news/articles/2012-10-11/food-sickens-millions-as-industry-paid-inspectors-find-it-safe. Accessed
on October 26, 2015.
16. Zheng, Y., Muth, M.M., Kosa, K., ``Economic Analysis of Third-
Party Food
[[Page 74650]]
Safety Certification of Imported Food,'' RTI International, June
2012.
17. American National Standards Institute, ``About ANSI,'' http://www.ansi.org/about_ansi/overview/overview.aspx?menuid=1. Accessed on
May 6, 2015.
18. United Kingdom Accreditation Service, ``About UKAS,'' http://www.ukas.com/about/. Accessed on October 26, 2015.
19. Danish Accreditation Fund, ``DANAK Home'' http://english.danak.dk/. Accessed on May 4, 2015.
20. International Organization for Standards, ``ISO/TS 22003:2007
Food Safety Management Systems--Requirements for Bodies Providing
Audit and Certification of Food Safety Management Systems.'' Copies
are available from the International Organization for
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve
20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=39834 or may be
examined at the Division of Dockets Management (see ADDRESSES) (Ref.
Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
21. International Organization for Standardization/International
Electrotechnical Commission, ``ISO 22000:2005 Food Safety Management
Systems--Requirements for Any Organization in the Food Chain.''
Copies are available from the International Organization for
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve
20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=35466 or may be
examined at the Division of Dockets Management (see ADDRESSES) (Ref.
Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
22. British Retail Consortium, ``Global Standard for Food Safety,
Issue 6,'' 2012. Copies are available from the British Retail
Consortium, Second Floor, 21 Dartmouth Street, London SW1H 9BP, or
may be examined at the Division of Dockets Management (see
ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
23. Safe Quality Food Institute, ``SQF Code, Edition 7.2: A HACCP-
Based Supplier Assurance Code for the Food Industry,'' July 2014.
https://www.sqfi.com/wp-content/uploads/SQF-Code_Ed-7.2-July.pdf.
Accessed on October 27, 2015.
24. International Organization for Standardization, ``ISO/TS
22003:2013 Food Safety Management Systems--Requirements for Bodies
Providing Audit and Certification of Food Safety Management
Systems.'' Copies are available from the International Organization
for Standardization, 1, rue de Varembe, Case postale 56, CH-1211
Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=60605 or
may be examined at the Division of Dockets Management (see
ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
25. FDA, ``Tribal Summary Impact Statement: Final Rule on
Accreditation of Third-Party Certification Bodies to Conduct Food
Safety Audits and to Issue,'' Docket No. FDA-2011-N-0146.
List of Subjects
21 CFR Part 1
Cosmetics, Drugs, Exports, Food labeling, Imports, Labeling,
Reporting and recordkeeping requirements.
21 CFR Part 11
Administrative practice and procedure, Computer technology,
Reporting and recordkeeping requirements.
21 CFR Part 16
Administrative practice and procedure.
Therefore, under the Federal Food, Drug, and Cosmetic Act and under
authority delegated to the Commissioner of Food and Drugs, 21 CFR parts
1, 11, and 16 are amended as follows:
PART 1--GENERAL ENFORCEMENT REGULATIONS
0
1. The authority citation for 21 CFR part 1 is revised to read as
follows:
Authority: 15 U.S.C. 1333, 1453, 1454, 1455, 4402; 19 U.S.C.
1490, 1491; 21 U.S.C. 321, 331, 332, 333, 334, 335a, 343, 350c,
350d, 350j, 352, 355, 360b, 360ccc, 360ccc-1, 360ccc-2, 362, 371,
374, 381, 382, 384a, 384b, 384d, 387, 387a, 387c, 393; 42 U.S.C.
216, 241, 243, 262, 264, 271.
0
2. Add subpart M, consisting of Sec. Sec. 1.600 through 1.695, to read
as follows:
Subpart M--Accreditation of Third-Party Certification Bodies To Conduct
Food Safety Audits and To Issue Certifications
Sec.
1.600 What definitions apply to this subpart?
1.601 Who is subject to this subpart?
Recognition of Accreditation Bodies Under This Subpart
1.610 Who is eligible to seek recognition?
1.611 What legal authority must an accreditation body have to
qualify for recognition?
1.612 What competency and capacity must an accreditation body have
to qualify for recognition?
1.613 What protections against conflicts of interest must an
accreditation body have to qualify for recognition?
1.614 What quality assurance procedures must an accreditation body
have to qualify for recognition?
1.615 What records procedures must an accreditation body have to
qualify for recognition?
Requirements for Accreditation Bodies That Have Been Recognized Under
This Subpart
1.620 How must a recognized accreditation body evaluate third-party
certification bodies seeking accreditation?
1.621 How must a recognized accreditation body monitor the
performance of third-party certification bodies it accredited?
1.622 How must a recognized accreditation body monitor its own
performance?
1.623 What reports and notifications must a recognized accreditation
body submit to FDA?
1.624 How must a recognized accreditation body protect against
conflicts of interest?
1.625 What records requirements must an accreditation body that has
been recognized meet?
Procedures for Recognition of Accreditation Bodies Under This Subpart
1.630 How do I apply to FDA for recognition or renewal of
recognition?
1.631 How will FDA review my application for recognition or renewal
of recognition and what happens once FDA decides on my application?
1.632 What is the duration of recognition?
1.633 How will FDA monitor recognized accreditation bodies?
1.634 When will FDA revoke recognition?
1.635 What if I want to voluntarily relinquish recognition or do not
want to renew recognition?
1.636 How do I request reinstatement of recognition?
Accreditation of Third-Party Certification Bodies Under This Subpart
1.640 Who is eligible to seek accreditation?
1.641 What legal authority must a third-party certification body
have to qualify for accreditation?
1.642 What competency and capacity must a third-party certification
body have to qualify for accreditation?
1.643 What protections against conflicts of interest must a third-
party certification body have to qualify for accreditation?
1.644 What quality assurance procedures must a third-party
certification body have to qualify for accreditation?
1.645 What records procedures must a third-party certification body
have to qualify for accreditation?
Requirements for Third-Party Certification Bodies That Have Been
Accredited Under This Subpart
1.650 How must an accredited third-party certification body ensure
its audit agents are competent and objective?
1.651 How must an accredited third-party certification body conduct
a food safety audit of an eligible entity?
1.652 What must an accredited third-party certification body include
in food safety audit reports?
1.653 What must an accredited third-party certification body do when
issuing food or facility certifications?
1.654 When must an accredited third-party certification body monitor
an eligible entity that it has issued a food or facility
certification?
1.655 How must an accredited third-party certification body monitor
its own performance?
1.656 What reports and notifications must an accredited third-party
certification body submit?
[[Page 74651]]
1.657 How must an accredited third-party certification body protect
against conflicts of interest?
1.658 What records requirements must a third-party certification
body that has been accredited meet?
Procedures for Accreditation of Third-Party Certification Bodies Under
This Subpart
1.660 Where do I apply for accreditation or renewal of accreditation
by a recognized accreditation body and what happens once the
recognized accreditation body decides on my application?
1.661 What is the duration of accreditation by a recognized
accreditation body?
1.662 How will FDA monitor accredited third-party certification
bodies?
1.663 How do I request an FDA waiver or waiver extension for the 13-
month limit for audit agents conducting regulatory audits?
1.664 When would FDA withdraw accreditation?
1.665 What if I want to voluntarily relinquish accreditation or do
not want to renew accreditation?
1.666 How do I request reaccreditation?
Additional Procedures for Direct Accreditation of Third-Party
Certification Bodies Under This Subpart
1.670 How do I apply to FDA for direct accreditation or renewal of
direct accreditation?
1.671 How will FDA review my application for direct accreditation or
renewal of direct accreditation and what happens once FDA decides on
my application?
1.672 What is the duration of direct accreditation?
Requirements for Eligible Entities Under This Subpart
1.680 How and when will FDA monitor eligible entities?
1.681 How frequently must eligible entities be recertified?
General Requirements of This Subpart
1.690 How will FDA make information about recognized accreditation
bodies and accredited third-party certification bodies available to
the public?
1.691 How do I request reconsideration of a denial by FDA of an
application or a waiver request?
1.692 How do I request internal agency review of a denial of an
application or waiver request upon reconsideration?
1.693 How do I request a regulatory hearing on a revocation of
recognition or withdrawal of accreditation?
1.694 Are electronic records created under this subpart subject to
the electronic records requirements of part 11 of this chapter?
1.695 Are the records obtained by FDA under this subpart subject to
public disclosure?
Subpart M--Accreditation of Third-Party Certification Bodies To
Conduct Food Safety Audits and To Issue Certifications
Sec. 1.600 What definitions apply to this subpart?
(a) The FD&C Act means the Federal Food, Drug, and Cosmetic Act.
(b) Except as otherwise defined in paragraph (c) of this section,
the definitions of terms in section 201 of the FD&C Act apply when the
terms are used in this subpart.
(c) In addition, for the purposes of this subpart:
Accreditation means a determination by a recognized accreditation
body (or, in the case of direct accreditation, by FDA) that a third-
party certification body meets the applicable requirements of this
subpart.
Accreditation body means an authority that performs accreditation
of third-party certification bodies.
Accredited third-party certification body means a third-party
certification body that a recognized accreditation body (or, in the
case of direct accreditation, FDA) has determined meets the applicable
requirements of this subpart and is accredited to conduct food safety
audits and to issue food or facility certifications to eligible
entities. An accredited third-party certification body has the same
meaning as accredited third-party auditor as defined in section
808(a)(4) of the FD&C Act.
Assessment means:
(i) With respect to an accreditation body, an evaluation by FDA of
the competency and capacity of the accreditation body under the
applicable requirements of this subpart for the defined scope of
recognition. An assessment of the competency and capacity of the
accreditation body involves evaluating the competency and capacity of
the operations of the accreditation body that are relevant to decisions
on recognition and, if recognized, an evaluation of its performance and
the validity of its accreditation decisions under the applicable
requirements of this subpart.
(ii) With respect to a third-party certification body, an
evaluation by a recognized accreditation body (or, in the case of
direct accreditation, FDA) of the competency and capacity of a third-
party certification body under the applicable requirements of this
subpart for the defined scope of accreditation. An assessment of the
competency and capacity of the third-party certification body involves
evaluating the competency and capacity of the operations of the third-
party certification body that are relevant to decisions on
accreditation and, if accredited, an evaluation of its performance and
the validity of its audit results and certification decisions under the
applicable requirements of this subpart.
Audit means the systematic and functionally independent examination
of an eligible entity under this subpart by an accredited third-party
certification body or by FDA. An audit conducted under this subpart is
not considered an inspection under section 704 of the FD&C Act.
Audit agent means an individual who is an employee or other agent
of an accredited third-party certification body who, although not
individually accredited, is qualified to conduct food safety audits on
behalf of an accredited third-party certification body. An audit agent
includes a contractor of the accredited third-party certification body
but excludes subcontractors or other agents under outsourcing
arrangements for conducting food safety audits without direct control
by the accredited third-party certification body.
Consultative audit means an audit of an eligible entity:
(i) To determine whether such entity is in compliance with the
applicable food safety requirements of the FD&C Act, FDA regulations,
and industry standards and practices;
(ii) The results of which are for internal purposes only; and
(iii) That is conducted in preparation for a regulatory audit; only
the results of a regulatory audit may form the basis for issuance of a
food or facility certification under this subpart.
Direct accreditation means accreditation of a third-party
certification body by FDA.
Eligible entity means a foreign entity in the import supply chain
of food for consumption in the United States that chooses to be subject
to a food safety audit under this subpart conducted by an accredited
third-party certification body. Eligible entities include foreign
facilities required to be registered under subpart H of this part.
Facility means any structure, or structures of an eligible entity
under one ownership at one general physical location, or, in the case
of a mobile facility, traveling to multiple locations, that
manufactures/processes, packs, holds, grows, harvests, or raises
animals for food for consumption in the United States. Transport
vehicles are not facilities if they hold food only in the usual course
of business as carriers. A facility may consist of one or more
contiguous structures, and a single building may house more than one
[[Page 74652]]
distinct facility if the facilities are under separate ownership. The
private residence of an individual is not a facility. Non-bottled water
drinking water collection and distribution establishments and their
structures are not facilities. Facilities for the purposes of this
subpart are not limited to facilities required to be registered under
subpart H of this part.
Facility certification means an attestation, issued for purposes of
section 801(q) or 806 of the FD&C Act by an accredited third-party
certification body, after conducting a regulatory audit and any other
activities necessary to establish whether a facility complies with the
applicable food safety requirements of the FD&C Act and FDA
regulations.
Food has the meaning given in section 201(f) of the FD&C Act,
except that food does not include pesticides (as defined in 7 U.S.C.
136(u)).
Food certification means an attestation, issued for purposes of
section 801(q) of the FD&C Act by an accredited third-party
certification body, after conducting a regulatory audit and any other
activities necessary to establish whether a food of an eligible entity
complies with the applicable food safety requirements of the FD&C Act
and FDA regulations.
Food safety audit means a regulatory audit or a consultative audit
that is conducted to determine compliance with the applicable food
safety requirements of the FD&C Act, FDA regulations, and for
consultative audits, also includes conformance with industry standards
and practices. An eligible entity must declare that an audit is to be
conducted as a regulatory audit or consultative audit at the time of
audit planning and the audit will be conducted on an unannounced basis
under this subpart.
Foreign cooperative means an autonomous association of persons,
identified as members, who are united through a jointly owned
enterprise to aggregate food from member growers or processors that is
intended for export to the United States.
Recognized accreditation body means an accreditation body that FDA
has determined meets the applicable requirements of this subpart and is
authorized to accredit third-party certification bodies under this
subpart.
Regulatory audit means an audit of an eligible entity:
(i) To determine whether such entity is in compliance with the
applicable food safety requirements of the FD&C Act and FDA
regulations; and
(ii) The results of which are used in determining eligibility for
certification under section 801(q) or under section 806 of the FD&C
Act.
Relinquishment means:
(i) With respect to an accreditation body, a decision to cede
voluntarily its authority to accredit third-party certification bodies
as a recognized accreditation body prior to expiration of its
recognition under this subpart; and
(ii) With respect to a third-party certification body, a decision
to cede voluntarily its authority to conduct food safety audits and to
issue food and facility certifications to eligible entities as an
accredited third-party certification body prior to expiration of its
accreditation under this subpart.
Self-assessment means an evaluation conducted by a recognized
accreditation body or by an accredited third-party certification body
of its competency and capacity under the applicable requirements of
this subpart for the defined scope of recognition or accreditation. For
recognized accreditation bodies this involves evaluating the competency
and capacity of the entire operations of the accreditation body and the
validity of its accreditation decisions under the applicable
requirements of this subpart. For accredited third-party certification
bodies this involves evaluating the competency and capacity of the
entire operations of the third-party certification body and the
validity of its audit results under the applicable requirements of this
subpart.
Third-party certification body has the same meaning as third-party
auditor as that term is defined in section 808(a)(3) of the FD&C Act
and means a foreign government, agency of a foreign government, foreign
cooperative, or any other third party that is eligible to be considered
for accreditation to conduct food safety audits and to certify that
eligible entities meet the applicable food safety requirements of the
FD&C Act and FDA regulations. A third-party certification body may be a
single individual or an organization. Once accredited, a third-party
certification body may use audit agents to conduct food safety audits.
Sec. 1.601 Who is subject to this subpart?
(a) Accreditation bodies. Any accreditation body seeking
recognition from FDA to accredit third-party certification bodies to
conduct food safety audits and to issue food and facility
certifications under this subpart.
(b) Third-party certification bodies. Any third-party certification
body seeking accreditation from a recognized accreditation body or
direct accreditation by FDA for:
(1) Conducting food safety audits; and
(2) Issuing certifications that may be used in satisfying a
condition of admissibility of an article of food under section 801(q)
of the FD&C Act; or issuing a facility certification for meeting the
eligibility requirements for the Voluntary Qualified Importer Program
under section 806 of the FD&C Act.
(c) Eligible entities. Any eligible entity seeking a food safety
audit or a food or facility certification from an accredited third-
party certification body under this subpart.
(d) Limited exemptions from section 801(q) of the FD&C Act--(1)
Alcoholic beverages. (i) Any certification required under section
801(q) of the FD&C Act does not apply with respect to alcoholic
beverages from an eligible entity that is a facility that meets the
following two conditions:
(A) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et
seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986
(26 U.S.C. 5001 et seq.), the facility is a foreign facility of a type
that, if it were a domestic facility, would require obtaining a permit
from, registering with, or obtaining approval of a notice or
application from the Secretary of the Treasury as a condition of doing
business in the United States; and
(B) Under section 415 of the FD&C Act, the facility is required to
register as a facility because it is engaged in manufacturing/
processing one or more alcoholic beverages.
(ii) Any certification required under section 801(q) of the FD&C
Act does not apply with respect to food that is not an alcoholic
beverage that is received and distributed by a facility described in
paragraph (d)(1)(i) of this section, provided such food:
(A) Is received and distributed in prepackaged form that prevents
any direct human contact with such food; and
(B) Constitutes not more than 5 percent of the overall sales of the
facility, as determined by the Secretary of the Treasury.
(iii) Any certification required under section 801(q) of the FD&C
Act does not apply with respect to raw materials or other ingredients
that are imported for use in alcoholic beverages provided that:
(A) The imported raw materials or other ingredients are used in the
manufacturing/processing, packing, or holding of alcoholic beverages;
(B) Such manufacturing/processing, packing, or holding is performed
by the importer;
[[Page 74653]]
(C) The importer is required to register under section 415 of the
Federal Food, Drug, and Cosmetic Act; and
(D) The importer is exempt from the regulations in part 117 of this
chapter in accordance with Sec. 117.5(i).
(2) Certain meat, poultry, and egg products. Any certification
required under section 801(q) of the FD&C Act does not apply with
respect to:
(i) Meat food products that at the time of importation are subject
to the requirements of the United States Department of Agriculture
(USDA) under the Federal Meat Inspection Act (21 U.S.C. 601 et seq.);
(ii) Poultry products that at the time of importation are subject
to the requirements of the USDA under the Poultry Products Inspection
Act (21 U.S.C. 451 et seq.); and
(iii) Egg products that at the time of importation are subject to
the requirements of the USDA under the Egg Products Inspection Act (21
U.S.C. 1031 et seq.).
Recognition of Accreditation Bodies Under This Subpart
Sec. 1.610 Who is eligible to seek recognition?
An accreditation body is eligible to seek recognition by FDA if it
can demonstrate that it meets the requirements of Sec. Sec. 1.611
through 1.615. The accreditation body may use documentation of
conformance with International Organization for Standardization/
International Electrotechnical Commission (ISO/IEC) 17011:2004,
supplemented as necessary, in meeting the applicable requirements of
this subpart.
Sec. 1.611 What legal authority must an accreditation body have to
qualify for recognition?
(a) An accreditation body seeking recognition must demonstrate that
it has the authority (as a governmental entity or as a legal entity
with contractual rights) to perform assessments of a third-party
certification body as are necessary to determine its capability to
conduct audits and certify food facilities and food, including
authority to:
(1) Review any relevant records;
(2) Conduct onsite assessments of the performance of third-party
certification bodies, such as by witnessing the performance of a
representative sample of its agents (or, in the case of a third-party
certification body that is an individual, such individual) conducting a
representative sample of audits;
(3) Perform any reassessments or surveillance necessary to monitor
compliance of accredited third-party certification bodies; and
(4) Suspend, withdraw, or reduce the scope of accreditation for
failure to comply with the requirements of accreditation.
(b) An accreditation body seeking recognition must demonstrate that
it is capable of exerting the authority (as a governmental entity or as
a legal entity with contractual rights) necessary to meet the
applicable requirements of this subpart, if recognized.
Sec. 1.612 What competency and capacity must an accreditation body
have to qualify for recognition?
An accreditation body seeking recognition must demonstrate that it
has:
(a) The resources required to adequately implement its
accreditation program, including:
(1) Adequate numbers of employees and other agents with relevant
knowledge, skills, and experience to effectively evaluate the
qualifications of third-party certification bodies seeking
accreditation and to effectively monitor the performance of accredited
third-party certification bodies; and
(2) Adequate financial resources for its operations; and
(b) The capability to meet the applicable assessment and monitoring
requirements, the reporting and notification requirements, and the
procedures of this subpart, if recognized.
Sec. 1.613 What protections against conflicts of interest must an
accreditation body have to qualify for recognition?
An accreditation body must demonstrate that it has:
(a) Implemented written measures to protect against conflicts of
interest between the accreditation body (and its officers, employees,
and other agents involved in accreditation activities) and any third-
party certification body (and its officers, employees, and other agents
involved in auditing and certification activities) seeking
accreditation from, or accredited by, such accreditation body; and
(b) The capability to meet the applicable conflict of interest
requirements of this subpart, if recognized.
Sec. 1.614 What quality assurance procedures must an accreditation
body have to qualify for recognition?
An accreditation body seeking recognition must demonstrate that it
has:
(a) Implemented a written program for monitoring and evaluating the
performance of its officers, employees, and other agents and its
accreditation program, including procedures to:
(1) Identify areas in its accreditation program or performance
where deficiencies exist; and
(2) Quickly execute corrective actions that effectively address
deficiencies when identified; and
(b) The capability to meet the applicable quality assurance
requirements of this subpart, if recognized.
Sec. 1.615 What records procedures must an accreditation body have to
qualify for recognition?
An accreditation body seeking recognition must demonstrate that it
has:
(a) Implemented written procedures to establish, control, and
retain records (including documents and data) for the period of time
necessary to meet its contractual and legal obligations pertaining to
this subpart and to provide an adequate basis for evaluating its
program and performance; and
(b) The capability to meet the applicable reporting and
notification requirements of this subpart, if recognized.
Requirements for Accreditation Bodies That Have Been Recognized Under
This Subpart
Sec. 1.620 How must a recognized accreditation body evaluate third-
party certification bodies seeking accreditation?
(a) Prior to accrediting a third-party certification body under
this subpart, a recognized accreditation body must perform, at a
minimum, the following:
(1) In the case of a foreign government or an agency of a foreign
government, such reviews and audits of the government's or agency's
food safety programs, systems, and standards as are necessary to
determine that it meets the eligibility requirements of Sec. 1.640(b).
(2) In the case of a foreign cooperative or any other third-party
seeking accreditation as a third-party certification body, such reviews
and audits of the training and qualifications of agents conducting
audits for such cooperative or other third party (or in the case of a
third-party certification body that is an individual, such individual)
and such reviews of internal systems and any other investigation of the
cooperative or other third party necessary to determine that it meets
the eligibility requirements of Sec. 1.640(c).
(3) In conducting a review and audit under paragraph (a)(1) or (2)
of this section, an observation of a representative sample of onsite
audits examining compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations as conducted by the
third-party
[[Page 74654]]
certification body or its agents (or, in the case of a third-party
certification body that is an individual, such individual).
(b) A recognized accreditation body must require a third-party
certification body, as a condition of accreditation under this subpart,
to comply with the reports and notification requirements of Sec. Sec.
1.652 and 1.656 and to agree to submit to FDA, electronically and in
English, any food or facility certifications it issues for purposes of
sections 801(q) or 806 of the FD&C Act.
(c) A recognized accreditation body must maintain records on any
denial of accreditation (in whole or in part) and on any withdrawal,
suspension, or reduction in scope of accreditation of a third-party
certification body under this subpart. The records must include the
name and contact information for the third-party certification body;
the date of the action; the scope of accreditation denied, withdrawn,
suspended, or reduced; and the basis for such action.
(d) A recognized accreditation body must notify any third-party
certification body of an adverse decision associated with its
accreditation under this subpart, including denial of accreditation or
the withdrawal, suspension, or reduction in the scope of its
accreditation. The recognized accreditation body must establish and
implement written procedures for receiving and addressing appeals from
any third-party certification body challenging such an adverse decision
and for investigating and deciding on appeals in a fair and meaningful
manner. The appeals procedures must provide similar protections to
those offered by FDA under Sec. Sec. 1.692 and 1.693, and include
requirements to:
(1) Make the appeals procedures publicly available;
(2) Use competent persons, who may or may not be external to the
recognized accreditation body, who are free from bias or prejudice and
have not participated in the accreditation decision or be subordinate
to a person who has participated in the accreditation decision to
investigate and decide appeals;
(3) Advise third-party certification bodies of the final decisions
on their appeals; and
(4) Maintain records under Sec. 1.625 of appeals, final decisions
on appeals, and the bases for such decisions.
Sec. 1.621 How must a recognized accreditation body monitor the
performance of third-party certification bodies it accredited?
(a) A recognized accreditation body must annually conduct a
comprehensive assessment of the performance of each third-party
certification body it accredited under this subpart by reviewing the
accredited third-party certification body's self-assessments (including
information on compliance with the conflict of interest requirements of
Sec. Sec. 1.643 and 1.657); its regulatory audit reports and
notifications submitted to FDA under Sec. 1.656; and any other
information reasonably available to the recognized accreditation body
regarding the compliance history of eligible entities the accredited
third-party certification body certified under this subpart; or that is
otherwise relevant to a determination whether the accredited third-
party certification body is in compliance with this subpart.
(b) No later than 1 year after the initial date of accreditation of
the third-party certification body and every 2 years thereafter for
duration of its accreditation under this subpart, a recognized
accreditation body must conduct onsite observations of a representative
sample of regulatory audits performed by the third-party certification
body (or its audit agents) (or, in the case of a third-party
certification body that is an individual, such individual) accredited
under this subpart and must visit the accredited third-party
certification body's headquarters (or other location that manages audit
agents conducting food safety audits under this subpart, if different
than its headquarters). The recognized accreditation body will consider
the results of such observations and visits in the annual assessment of
the accredited third-party certification body required by paragraph (a)
of this section.
Sec. 1.622 How must a recognized accreditation body monitor its own
performance?
(a) A recognized accreditation body must annually, and as required
under Sec. 1.664(g), conduct a self-assessment that includes
evaluation of compliance with this subpart, including:
(1) The performance of its officers, employees, or other agents
involved in accreditation activities and the degree of consistency in
conducting accreditation activities;
(2) The compliance of the recognized accreditation body and its
officers, employees, and other agents involved in accreditation
activities, with the conflict of interest requirements of Sec. 1.624;
and
(3) If requested by FDA, any other aspects of its performance
relevant to a determination whether the recognized accreditation body
is in compliance with this subpart.
(b) As a means to evaluate the recognized accreditation body's
performance, the self-assessment must include onsite observation of
regulatory audits of a representative sample of third-party
certification bodies it accredited under this subpart. In meeting this
requirement, the recognized accreditation body may use the results of
onsite observations performed under Sec. 1.621(b).
(c) Based on the evaluations conducted under paragraphs (a) and (b)
of this section, the recognized accreditation body must:
(1) Identify any area(s) where deficiencies exist;
(2) Quickly implement corrective action(s) that effectively address
those deficiencies; and
(3) Establish and maintain records of any such corrective action(s)
under Sec. 1.625.
(d) The recognized accreditation body must prepare, and as required
by Sec. 1.623(b) submit, a written report of the results of its self-
assessment that includes the following elements. Documentation of
conformance to ISO/IEC 17011:2004 may be used, supplemented as
necessary, in meeting the requirements of this paragraph.
(1) A description of any corrective actions taken under paragraph
(c) of this section;
(2) A statement disclosing the extent to which the recognized
accreditation body, and its officers, employees, and other agents
involved in accreditation activities, complied with the conflict of
interest requirements in Sec. 1.624; and
(3) A statement attesting to the extent to which the recognized
accreditation body complied with applicable requirements of this
subpart.
Sec. 1.623 What reports and notifications must a recognized
accreditation body submit to FDA?
(a) Reporting results of assessments of accredited third-party
certification body performance. A recognized accreditation body must
submit to FDA electronically, in English, a report of the results of
any assessment conducted under Sec. 1.621, no later than 45 days after
completing such assessment. The report must include an up-to-date list
of any audit agents used by the accredited third-party certification
body to conduct food safety audits under this subpart.
(b) Reporting results of recognized accreditation body self-
assessments. A recognized accreditation body must submit to FDA
electronically, in English:
(1) A report of the results of an annual self-assessment required
under Sec. 1.622, no later than 45 days after completing such self-
assessment; and
[[Page 74655]]
(2) For a recognized accreditation body subject to Sec.
1.664(g)(1), a report of such self-assessment to FDA within 60 days of
the third-party certification body's withdrawal. A recognized
accreditation body may use a report prepared for conformance to ISO/IEC
17011:2004, supplemented as necessary, in meeting the requirements this
section.
(c) Immediate notification to FDA. A recognized accreditation body
must notify FDA electronically, in English, immediately upon:
(1) Granting (including expanding the scope of) accreditation to a
third-party certification body under this subpart, and include:
(i) The name, address, telephone number, and email address of the
accredited third-party certification body;
(ii) The name of one or more officers of the accredited third-party
certification body;
(iii) A list of the accredited third-party certification body's
audit agents; and
(iv) The scope of accreditation, the date on which it was granted,
and its expiration date.
(2) Withdrawing, suspending, or reducing the scope of an
accreditation under this subpart, and include:
(i) The basis for such action; and
(ii) Any additional changes to accreditation information previously
submitted to FDA under paragraph (c)(1) of this section.
(3) Determining that a third-party certification body it accredited
failed to comply with Sec. 1.653 in issuing a food or facility
certification under this subpart, and include:
(i) The basis for such determination; and
(ii) Any changes to accreditation information previously submitted
to FDA under paragraph (c)(1) of this section.
(d) Other notification to FDA. A recognized accreditation body must
notify FDA electronically, in English, within 30 days after:
(1) Denying accreditation (in whole or in part) under this subpart
and include:
(i) The name, address, telephone number, and email address of the
third-party certification body;
(ii) The name of one or more officers of the third-party
certification body;
(iii) The scope of accreditation requested; and
(iv) The scope and basis for such denial.
(2) Making any significant change that would affect the manner in
which it complies with the applicable requirements of this subpart and
include:
(i) A description of the change; and
(ii) An explanation for the purpose of the change.
Sec. 1.624 How must a recognized accreditation body protect against
conflicts of interest?
(a) A recognized accreditation body must implement a written
program to protect against conflicts of interest between the recognized
accreditation body (and its officers, employees, and other agents
involved in accreditation activities) and any third-party certification
body (and its officers, employees, and other agents involved in
auditing and certification activities) seeking accreditation from, or
accredited by, such recognized accreditation body, including the
following:
(1) Ensuring that the recognized accreditation body (and its
officers, employees, or other agents involved in accreditation
activities) does not own or have a financial interest in, manage, or
otherwise control the third-party certification body (or any affiliate,
parent, or subsidiary); and
(2) Prohibiting officers, employees, or other agents involved in
accreditation activities of the recognized accreditation body from
accepting any money, gift, gratuity, or item of value from the third-
party certification body.
(3) The items specified in paragraph (a)(2) of this section do not
include:
(i) Money representing payment of fees for accreditation services
and reimbursement of direct costs associated with an onsite assessment
of the third-party certification body; or
(ii) Lunch of de minimis value provided during the course of an
assessment and on the premises where the assessment is conducted, if
necessary to facilitate the efficient conduct of the assessment.
(b) A recognized accreditation body may accept the payment of fees
for accreditation services and the reimbursement of direct costs
associated with assessment of a certification body only after the date
on which the report of such assessment was completed or the date of
which the accreditation was issued, whichever comes later. Such payment
is not considered a conflict of interest for purposes of paragraph (a)
of this section.
(c) The financial interests of the spouses and children younger
than 18 years of age of a recognized accreditation body's officers,
employees, and other agents involved in accreditation activities will
be considered the financial interests of such officers, employees, and
other agents involved in accreditation activities.
(d) A recognized accreditation body must maintain on its Web site
an up-to-date list of the third-party certification bodies it
accredited under this subpart and must identify the duration and scope
of each accreditation and the date(s) on which the accredited third-
party certification body paid any fee or reimbursement associated with
such accreditation. If the accreditation of a certification body is
suspended, withdrawn, or reduced in scope, this list must also include
the date of suspension, withdrawal, or reduction in scope and maintain
that information for the duration of accreditation or until the
suspension is lifted, the certification body is reaccredited, or the
scope of accreditation is reinstated, whichever comes first.
Sec. 1.625 What records requirements must an accreditation body that
has been recognized meet?
(a) An accreditation body that has been recognized must maintain
electronically for 5 years records created while it is recognized
(including documents and data) demonstrating its compliance with this
subpart, including records relating to:
(1) Applications for accreditation and renewal of accreditation
under Sec. 1.660;
(2) Decisions to grant, deny, suspend, withdraw, or expand or
reduce the scope of an accreditation;
(3) Challenges to adverse accreditation decisions under Sec.
1.620(c);
(4) Its monitoring of accredited third-party certification bodies
under Sec. 1.621;
(5) Self-assessments and corrective actions under Sec. 1.622;
(6) Regulatory audit reports, including any supporting information,
that an accredited third-party certification body may have submitted;
(7) Any reports or notifications to FDA under Sec. 1.623,
including any supporting information; and
(8) Records of fee payments and reimbursement of direct costs.
(b) An accreditation body that has been recognized must make
records required by paragraph (a) of this section available for
inspection and copying promptly upon written request of an authorized
FDA officer or employee at the place of business of the accreditation
body or at a reasonably accessible location. If the records required by
paragraph (a) of this section are requested by FDA electronically, the
records must be submitted to FDA electronically not later than 10
business days after the date of the request. Additionally, if the
requested records are maintained in a language other than
[[Page 74656]]
English, the accreditation body must electronically submit an English
translation within a reasonable time.
(c) An accreditation body that has been recognized must not prevent
or interfere with FDA's access to its accredited third-party
certification bodies and the accredited third-party certification body
records required by Sec. 1.658.
Procedures for Recognition of Accreditation Bodies Under This Subpart
Sec. 1.630 How do I apply to FDA for recognition or renewal of
recognition?
(a) Applicant for recognition. An accreditation body seeking
recognition must submit an application demonstrating that it meets the
eligibility requirements in Sec. 1.610.
(b) Applicant for renewal of recognition. An accreditation body
seeking renewal of its accreditation must submit a renewal application
demonstrating that it continues to meet the requirements of this
subpart.
(c) Submission. Recognition and renewal applications and any
documents provided as part of the application process must be submitted
electronically, in English. An applicant must provide any translation
and interpretation services needed by FDA during the processing of the
application, including during onsite assessments of the applicant by
FDA.
(d) Signature. Recognition and renewal applications must be signed
in the manner designated by FDA, by an individual authorized to act on
behalf of the applicant for purposes of seeking recognition or renewal
of recognition.
Sec. 1.631 How will FDA review my application for recognition or
renewal of recognition and what happens once FDA decides on my
application?
(a) Review of recognition or renewal application. FDA will examine
an accreditation body's recognition or renewal application for
completeness and notify the applicant of any deficiencies. FDA will
review an accreditation body's recognition or renewal application on a
first in, first out basis according to the date on which the completed
application was submitted; however, FDA may prioritize the review of
specific applications to meet the needs of the program.
(b) Evaluation of recognition or renewal. FDA will evaluate any
completed recognition or renewal application to determine whether the
applicant meets the applicable requirements of this subpart. Such
evaluation may include an onsite assessment of the accreditation body.
FDA will notify the applicant, in writing, regarding whether the
application has been approved or denied. FDA may make such notification
electronically. If FDA does not reach a final decision on a renewal
application before an accreditation body's recognition terminates by
expiration, FDA may extend such recognition for a specified period of
time or until the Agency reaches a final decision on the renewal
application.
(c) Issuance of recognition. FDA will notify an applicant that its
recognition or renewal application has been approved through issuance
of recognition that will list any limitations associated with the
recognition.
(d) Issuance of denial of recognition or renewal application. FDA
will notify an applicant that its recognition or renewal application
has been denied through issuance of a denial of recognition or denial
of a renewal application that will state the basis for such denial and
provide the procedures for requesting reconsideration of the
application under Sec. 1.691.
(e) Notice of records custodian after denial of an application for
renewal of recognition. An applicant whose renewal application was
denied must notify FDA electronically, in English, within 10 business
days of the date of issuance of a denial of a renewal application, of
the name and contact information of the custodian who will maintain the
records required by Sec. 1.625(a) and make them available to FDA as
required by Sec. 1.625(b). The contact information for the custodian
must include, at a minimum, an email address and the physical address
where the records required by Sec. 1.625(a) will be located.
(f) Effect of denial of an application for renewal of recognition
of an accreditation body on accredited third-party certification
bodies. (1) FDA will issue a notice of the denial of a recognition
renewal to any third-party certification bodies accredited by the
accreditation body whose renewal application was denied. The third-
party certification body's accreditation will remain in effect so long
as the third-party certification body:
(i) No later than 60 days after FDA's issuance of the notice of the
denial of recognition renewal, conducts a self-assessment under Sec.
1.655 and reports the results of the self-assessment to FDA under Sec.
1.656(b); and
(ii) No later than 1 year after issuance of the notice of denial of
recognition renewal or the original date of the expiration of the
accreditation, whichever comes first, becomes accredited by another
recognized accreditation body or by FDA through direct accreditation.
(2) FDA may withdraw the accreditation of a third-party
certification body whenever FDA determines there is good cause for
withdrawal of accreditation under Sec. 1.664(c).
(g) Effect of denial of an application for renewal of recognition
of an accreditation body on food or facility certifications issued to
eligible entities. A food or facility certification issued by a third-
party certification body accredited by a recognized accreditation body
prior to issuance of a denial of the renewal application will remain in
effect until the certification expires. If FDA has reason to believe
that a certification issued for purposes of section 801(q) or 806 of
the FD&C Act is not valid or reliable, FDA may refuse to consider the
certification in determining the admissibility of the article of food
for which the certification was offered or in determining the
importer's eligibility for participation in the voluntary qualified
importer program (VQIP).
(h) Public notice of denial of an application for renewal of
recognition of an accreditation body. FDA will provide notice on the
Web site described in Sec. 1.690 of the date of issuance of a denial
of a renewal application and will describe the basis for the denial.
Sec. 1.632 What is the duration of recognition?
FDA may grant recognition of an accreditation body for a period not
to exceed 5 years from the date of recognition.
Sec. 1.633 How will FDA monitor recognized accreditation bodies?
(a) FDA will evaluate the performance of each recognized
accreditation body to determine its compliance with the applicable
requirements of this subpart. Such assessment must occur by at least 4
years after the date of recognition for a 5-year recognition period, or
by no later than the mid-term point for a recognition period of less
than 5 years. FDA may conduct additional assessments of a recognized
accreditation body at any time.
(b) An FDA assessment of a recognized accreditation body may
include onsite assessments of a representative sample of third-party
certification bodies the recognized accreditation body accredited and
onsite audits of a representative sample of eligible entities certified
by such third-party certification bodies under this subpart. These may
be conducted at any time and, as FDA determines necessary
[[Page 74657]]
or appropriate, may occur without the recognized accreditation body or,
in the case of an audit of an eligible entity, the accredited third-
party certification body present.
Sec. 1.634 When will FDA revoke recognition?
(a) Grounds for revocation of recognition. FDA will revoke the
recognition of an accreditation body found not to be in compliance with
the requirements of this subpart, including for any one or more of the
following:
(1) Refusal by the accreditation body to allow FDA to access
records required by Sec. 1.625, or to conduct an assessment or
investigation of the accreditation body or of a third-party
certification body it accredited to ensure the accreditation body's
continued compliance with the requirements of this subpart.
(2) Failure to take timely and necessary corrective action when:
(i) The accreditation of a third-party certification body it
accredited is withdrawn by FDA under Sec. 1.664(a);
(ii) A significant deficiency is identified through self-assessment
under Sec. 1.622, monitoring under Sec. 1.621, or self-assessment by
one or more of its accredited third-party certification bodies under
Sec. 1.655; or
(iii) Directed to do so by FDA to ensure compliance with this
subpart.
(3) A determination by FDA that the accreditation body has
committed fraud or has submitted material false statements to the
Agency.
(4) A determination by FDA that there is otherwise good cause for
revocation, including:
(i) Demonstrated bias or lack of objectivity when conducting
activities under this subpart; or
(ii) Failure to adequately support one or more decisions to grant
accreditation under this subpart.
(b) Records request associated with revocation. To assist in
determining whether revocation is warranted under paragraph (a) of this
section, FDA may request records of the accreditation body required by
Sec. 1.625 or the records, required by Sec. 1.658, of one or more of
the third-party certification bodies it accredited under this subpart.
(c) Issuance of revocation of recognition. (1) FDA will notify an
accreditation body that its recognition has been revoked through
issuance of a revocation that will state the grounds for revocation,
the procedures for requesting a regulatory hearing under Sec. 1.693 on
the revocation, and the procedures for requesting reinstatement of
recognition under Sec. 1.636.
(2) Within 10 business days of the date of issuance of the
revocation, the accreditation body must notify FDA electronically, in
English, of the name of the custodian who will maintain the records and
make them available to FDA as required by Sec. 1.625. The contact
information for the custodian must provide, at a minimum, an email
address and the physical address where the records will be located.
(d) Effect of revocation of recognition of an accreditation body on
accredited third-party certification bodies. (1) FDA will issue a
notice of the revocation of recognition to any accredited third-party
certification body accredited by the accreditation body whose
recognition was revoked. The third-party certification body's
accreditation will remain in effect if the third-party certification
body:
(i) No later than 60 days after FDA's issuance of the notice of
revocation, conducts a self-assessment under Sec. 1.655 and reports
the results of the self-assessment to FDA under Sec. 1.656(b); and
(ii) No later than 1 year after issuance of the notice of the
revocation, or the original date of expiration of the accreditation,
whichever comes first, becomes accredited by another recognized
accreditation body or by FDA through direct accreditation.
(2) FDA may withdraw the accreditation of a third-party
certification body whenever FDA determines there is good cause for
withdrawal of accreditation under Sec. 1.664(c).
(e) Effect of revocation of recognition of an accreditation body on
food or facility certifications issued to eligible entities. A food or
facility certification issued by a third-party certification body
accredited by a recognized accreditation body prior to issuance of the
revocation of recognition will remain in effect until the certificate
terminates by expiration. If FDA has reason to believe that a
certification issued for purposes of section 801(q) or 806 of the FD&C
Act is not valid or reliable, FDA may refuse to consider the
certification in determining the admissibility of the article of food
for which the certification was offered or in determining the
importer's eligibility for participation in VQIP.
(f) Public notice of revocation of recognition. FDA will provide
notice on the Web site described in Sec. 1.690 of the issuance of the
revocation of recognition of an accreditation body and will describe
the basis for revocation.
Sec. 1.635 What if I want to voluntarily relinquish recognition or do
not want to renew recognition?
(a) Notice to FDA of intent to relinquish or not to renew
recognition. A recognized accreditation body must notify FDA
electronically, in English, at least 60 days before voluntarily
relinquishing recognition or before allowing recognition to expire
without seeking renewal. The recognized accreditation body must provide
the name and contact information of the custodian who will maintain the
records required under Sec. 1.625(a) after the date of relinquishment
or the date recognition expires, as applicable, and make them available
to FDA as required by Sec. 1.625(b). The contact information for the
custodian must include, at a minimum, an email address and the physical
address where the records required by Sec. 1.625(a) will be located.
(b) Notice to accredited third-party certification bodies of intent
to relinquish or not to renew recognition. No later than 15 business
days after notifying FDA under paragraph (a) of this section, the
recognized accreditation body must notify any currently accredited
third-party certification body that it intends to relinquish
recognition or to allow its recognition to expire, specifying the date
on which relinquishment or expiration will occur. The recognized
accreditation body must establish and maintain records of such
notification under Sec. 1.625.
(c)(1) Effect of voluntary relinquishment or expiration of
recognition on third-party certification bodies. The accreditation of a
third-party certification body issued prior to the relinquishment or
expiration of its accreditation body's recognition will remain in
effect, so long as the third-party certification body:
(i) No later than 60 days after the date of relinquishment or the
date of expiration of the recognition, conducts a self-assessment under
Sec. 1.655 and reports the results of the self-assessment to FDA under
Sec. 1.656(b); and
(ii) No later than 1 year after the date of relinquishment or the
date of expiration of recognition, or the original date of the
expiration of the accreditation, whichever comes first, becomes
accredited by another recognized accreditation body or by FDA through
direct accreditation.
(2) FDA may withdraw the accreditation of a third-party
certification body whenever FDA determines there is good cause for
withdrawal of accreditation under Sec. 1.664(c).
[[Page 74658]]
(d) Effect of voluntary relinquishment or expiration of recognition
of an accreditation body on food or facility certifications issued to
eligible entities. A food or facility certification issued by a third-
party certification body accredited by a recognized accreditation body
prior to relinquishment or expiration of its recognition will remain in
effect until the certification expires. If FDA has reason to believe
that a certification issued for purposes of section 801(q) or 806 of
the FD&C Act is not valid or reliable, FDA may refuse to consider the
certification in determining the admissibility of the article of food
for which the certification was offered or in determining the
importer's eligibility for participation in VQIP.
(e) Public notice of voluntary relinquishment or expiration of
recognition. FDA will provide notice on the Web site described in Sec.
1.690 of the voluntary relinquishment or expiration of recognition of
an accreditation body under this subpart.
Sec. 1.636 How do I request reinstatement of recognition?
(a) Application following revocation. An accreditation body that
has had its recognition revoked may seek reinstatement by submitting a
new application for recognition under Sec. 1.630. The accreditation
body must submit evidence that the grounds for revocation have been
resolved, including evidence addressing the cause or conditions that
were the basis for revocation and identifying measures that have been
implemented to help ensure that such cause(s) or condition(s) are
unlikely to recur.
(b) Application following relinquishment. An accreditation body
that previously relinquished its recognition under Sec. 1.635 may seek
recognition by submitting a new application for recognition under Sec.
1.630.
Accreditation of Third-Party Certification Bodies Under This Subpart
Sec. 1.640 Who is eligible to seek accreditation?
(a) A foreign government, agency of a foreign government, foreign
cooperative, or any other third party may seek accreditation from a
recognized accreditation body (or, where direct accreditation is
appropriate, FDA) to conduct food safety audits and to issue food and
facility certifications to eligible entities under this subpart. An
accredited third-party certification body may use documentation of
conformance with ISO/IEC 17021: 2011 or ISO/IEC 17065: 2012,
supplemented as necessary, in meeting the applicable requirements of
this subpart.
(b) A foreign government or an agency of a foreign government is
eligible for accreditation if it can demonstrate that its food safety
programs, systems, and standards meet the requirements of Sec. Sec.
1.641 through 1.645.
(c) A foreign cooperative or other third party is eligible for
accreditation if it can demonstrate that the training and
qualifications of its agents used to conduct audits (or, in the case of
a third-party certification body that is an individual, such
individual) and its internal systems and standards meet the
requirements of Sec. Sec. 1.641 through 1.645.
Sec. 1.641 What legal authority must a third-party certification body
have to qualify for accreditation?
(a) A third-party certification body seeking accreditation from a
recognized accreditation body or from FDA must demonstrate that it has
the authority (as a governmental entity or as a legal entity with
contractual rights) to perform such examinations of facilities, their
process(es), and food(s) as are necessary to determine compliance with
the applicable food safety requirements of the FD&C Act and FDA
regulations, and conformance with applicable industry standards and
practices and to issue certifications where appropriate based on a
review of the findings of such examinations. This includes authority
to:
(1) Review any relevant records;
(2) Conduct onsite audits of an eligible entity; and
(3) Suspend or withdraw certification for failure to comply with
applicable requirements.
(b) A third-party certification body seeking accreditation must
demonstrate that it is capable of exerting the authority (as a
governmental entity or as legal entity with contractual rights)
necessary to meet the applicable requirements of accreditation under
this subpart if accredited.
Sec. 1.642 What competency and capacity must a third-party
certification body have to qualify for accreditation?
A third-party certification body seeking accreditation must
demonstrate that it has:
(a) The resources necessary to fully implement its certification
program, including:
(1) Adequate numbers of employees and other agents with relevant
knowledge, skills, and experience to effectively examine for compliance
with applicable FDA food safety requirements of the FD&C Act and FDA
regulations, conformance with applicable industry standards and
practices, and issuance of valid and reliable certifications; and
(2) Adequate financial resources for its operations; and
(b) The competency and capacity to meet the applicable requirements
of this subpart, if accredited.
Sec. 1.643 What protections against conflicts of interest must a
third-party certification body have to qualify for accreditation?
A third-party certification body must demonstrate that it has:
(a) Implemented written measures to protect against conflicts of
interest between the third-party certification body (and its officers,
employees, and other agents involved in auditing and certification
activities) and clients seeking examinations or certification from, or
audited or certified by, such third-party certification body; and
(b) The capability to meet the conflict of interest requirements in
Sec. 1.657, if accredited.
Sec. 1.644 What quality assurance procedures must a third-party
certification body have to qualify for accreditation?
A third-party certification body seeking accreditation must
demonstrate that it has:
(a) Implemented a written program for monitoring and evaluating the
performance of its officers, employees, and other agents involved in
auditing and certification activities, including procedures to:
(1) Identify deficiencies in its auditing and certification program
or performance; and
(2) Quickly execute corrective actions that effectively address any
identified deficiencies; and
(b) The capability to meet the quality assurance requirements of
Sec. 1.655, if accredited.
Sec. 1.645 What records procedures must a third-party certification
body have to qualify for accreditation?
A third-party certification body seeking accreditation must
demonstrate that it:
(a) Implemented written procedures to establish, control, and
retain records (including documents and data) for a period of time
necessary to meet its contractual and legal obligations and to provide
an adequate basis for evaluating its program and performance; and
(b) Is capable of meeting the reporting, notification, and records
requirements of this subpart, if accredited.
[[Page 74659]]
Requirements for Third-Party Certification Bodies That Have Been
Accredited Under This Subpart
Sec. 1.650 How must an accredited third-party certification body
ensure its audit agents are competent and objective?
(a) An accredited third-party certification body that uses audit
agents to conduct food safety audits must ensure that each such audit
agent meets the following requirements with respect to the scope of its
accreditation under this subpart. If the accredited third-party
certification body is an individual, that individual is also subject to
the following requirements, as applicable:
(1) Has relevant knowledge and experience that provides an adequate
basis for the audit agent to evaluate compliance with applicable food
safety requirements of the FD&C Act and FDA regulations and, for
consultative audits, also includes conformance with applicable industry
standards and practices;
(2) Has been determined by the accredited third-party certification
body, through observations of a representative sample of audits, to be
competent to conduct food safety audits under this subpart relevant to
the audits they will be assigned to perform;
(3) Has completed annual food safety training that is relevant to
activities conducted under this subpart;
(4) Is in compliance with the conflict of interest requirements of
Sec. 1.657 and has no other conflicts of interest with the eligible
entity to be audited that might impair the audit agent's objectivity;
and
(5) Agrees to notify its accredited third-party certification body
immediately upon discovering, during a food safety audit, any condition
that could cause or contribute to a serious risk to the public health.
(b) In assigning an audit agent to conduct a food safety audit at a
particular eligible entity, an accredited third-party certification
body must determine that the audit agent is qualified to conduct such
audit under the criteria established in paragraph (a) of this section
and based on the scope and purpose of the audit and the type of
facility, its process(es), and food.
(c) An accredited third-party certification body cannot use an
audit agent to conduct a regulatory audit at an eligible entity if such
audit agent conducted a consultative audit or regulatory audit for the
same eligible entity in the preceding 13 months, except that such
limitation may be waived if the accredited third-party certification
body demonstrates to FDA, under Sec. 1.663, there is insufficient
access to audit agents in the country or region where the eligible
entity is located. If the accredited third-party certification body is
an individual, that individual is also subject to such limitations.
Sec. 1.651 How must an accredited third-party certification body
conduct a food safety audit of an eligible entity?
(a) Audit planning. Before beginning to conduct a food safety audit
under this subpart, an accredited third-party certification body must:
(1) Require the eligible entity seeking a food safety audit to:
(i) Identify the scope and purpose of the food safety audit,
including the facility, process(es), or food to be audited; whether the
food safety audit is to be conducted as a consultative or regulatory
audit subject to the requirements of this subpart, and if a regulatory
audit, the type(s) of certification(s) sought; and
(ii) Provide a 30-day operating schedule for such facility that
includes information relevant to the scope and purpose of the audit;
and
(2) Determine whether the requested audit is within its scope of
accreditation.
(b) Authority to audit. In arranging a food safety audit with an
eligible entity under this subpart, an accredited third-party
certification body must ensure it has authority, whether contractual or
otherwise, to:
(1) Conduct an unannounced audit to determine whether the facility,
process(es), and food of the eligible entity (within the scope of the
audit) comply with the applicable food safety requirements of the FD&C
Act and FDA regulations and, for consultative audits, also includes
conformance with applicable industry standards and practices;
(2) Access any records and any area of the facility, process(es),
and food of the eligible entity relevant to the scope and purpose of
such audit;
(3) When, for a regulatory audit, sampling and analysis is
conducted, the accredited third-party certification body must use a
laboratory that is accredited in accordance with:
(i) ISO/IEC 17025:2005; or
(ii) Another laboratory accreditation standard that provides at
least a similar level of assurance in the validity and reliability of
sampling methodologies, analytical methodologies, and analytical
results.
(4) Notify FDA immediately if, at any time during a food safety
audit, the accredited third-party certification body (or its audit
agent, where applicable) discovers a condition that could cause or
contribute to a serious risk to the public health and provide
information required by Sec. 1.656(c);
(5) Prepare reports of audits conducted under this subpart as
follows:
(i) For consultative audits, prepare reports that contain the
elements specified in Sec. 1.652(a) and maintain such records, subject
to FDA access in accordance with section 414 of the FD&C Act; and
(ii) For regulatory audits, prepare reports that contain the
elements specified in Sec. 1.652(b) and submit them to FDA and to its
recognized accreditation body (where applicable) under Sec. 1.656(a);
and
(6) Allow FDA and the recognized accreditation body that accredited
such third-party certification body, if any, to observe any food safety
audit conducted under this subpart for purposes of evaluating the
accredited third-party certification body's performance under
Sec. Sec. 1.621 and 1.662 or, where appropriate, the recognized
accreditation body's performance under Sec. Sec. 1.622 and 1.633.
(c) Audit protocols. An accredited third-party certification body
(or its audit agent, where applicable) must conduct a food safety audit
in a manner consistent with the identified scope and purpose of the
audit and within the scope of its accreditation.
(1) With the exception of records review, which may be scheduled,
the audit must be conducted without announcement during the 30-day
timeframe identified under paragraph (a)(1)(ii) of this section and
must be focused on determining whether the facility, its process(es),
and food are in compliance with applicable food safety requirements of
the FD&C Act and FDA regulations, and, for consultative audits, also
includes conformance with applicable industry standards and practices
that are within the scope of the audit.
(2) The audit must include records review prior to the onsite
examination; an onsite examination of the facility, its process(es),
and the food that results from such process(es); and where appropriate
or when required by FDA, environmental or product sampling and
analysis. When, for a regulatory audit, sampling and analysis is
conducted, the accredited third-party certification body must use a
laboratory that is accredited in accordance with paragraph (b)(3) of
this section. The audit may include any other activities necessary to
determine compliance with applicable food safety requirements of the
FD&C Act and FDA regulations, and, for consultative audits, also
includes conformance with
[[Page 74660]]
applicable industry standards and practices.
(3) The audit must be sufficiently rigorous to allow the accredited
third-party certification body to determine whether the eligible entity
is in compliance with the applicable food safety requirements of the
FD&C Act and FDA regulations, and for consultative audits, also
includes conformance with applicable industry standards and practices,
at the time of the audit; and for a regulatory audit, whether the
eligible entity, given its food safety system and practices would be
likely to remain in compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations for the duration of
any certification issued under this subpart. An accredited third-party
certification body (or its audit agent, where applicable) that
identifies a deficiency requiring corrective action may verify the
effectiveness of a corrective action once implemented by the eligible
entity but must not recommend or provide input to the eligible entity
in identifying, selecting, or implementing the corrective action.
(4) Audit observations and other data and information from the
examination, including information on corrective actions, must be
documented and must be used to support the findings contained in the
audit report required by Sec. 1.652 and maintained as a record under
Sec. 1.658.
Sec. 1.652 What must an accredited third-party certification body
include in food safety audit reports?
(a) Consultative audits. An accredited third-party certification
body must prepare a report of a consultative audit not later than 45
days after completing such audit and must provide a copy of such report
to the eligible entity and must maintain such report under Sec. 1.658,
subject to FDA access in accordance with the requirements of section
414 of the FD&C Act. A consultative audit report must include:
(1) The identity of the site or location where the consultative
audit was conducted, including:
(i) The name, address and the FDA Establishment Identifier of the
facility subject to the consultative audit and a unique facility
identifier, if designated by FDA; and
(ii) Where applicable, the FDA registration number assigned to the
facility under subpart H of this part;
(2) The identity of the eligible entity, if different from the
facility, including the name, address, the FDA Establishment Identifier
and unique facility identifier, if designated by FDA, and, where
applicable, registration number under subpart H of this part;
(3) The name(s) and telephone number(s) of the person(s)
responsible for compliance with the applicable food safety requirements
of the FD&C Act and FDA regulations
(4) The dates and scope of the consultative audit;
(5) The process(es) and food(s) observed during such consultative
audit; and
(6) Any deficiencies observed that relate to or may influence a
determination of compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations that require
corrective action, the corrective action plan, and the date on which
such corrective actions were completed. Such consultative audit report
must be maintained as a record under Sec. 1.658 and must be made
available to FDA in accordance with section 414 of the FD&C Act.
(b) Regulatory audits. An accredited third-party certification body
must, no later than 45 days after completing a regulatory audit,
prepare and submit electronically, in English, to FDA and to its
recognized accreditation body (or, in the case of direct accreditation,
only to FDA) and must provide to the eligible entity a report of such
regulatory audit that includes the following information:
(1) The identity of the site or location where the regulatory audit
was conducted, including:
(i) The name, address, and FDA Establishment Identifier of the
facility subject to the regulatory audit and a unique facility
identifier, if designated by FDA; and
(ii) Where applicable, the FDA registration number assigned to the
facility under subpart H of this part;
(2) The identity of the eligible entity, if different from the
facility, including the name, address, FDA Establishment Identifier,
and unique facility identifier, if designated by FDA, and, where
applicable, registration number under subpart H of this part;
(3) The dates and scope of the regulatory audit;
(4) The process(es) and food(s) observed during such regulatory
audit;
(5) The name(s) and telephone number(s) of the person(s)
responsible for the facility's compliance with the applicable food
safety requirements of the FD&C Act and FDA regulations;
(6) Any deficiencies observed during the regulatory audit that
present a reasonable probability that the use of or exposure to a
violative product:
(i) Will cause serious adverse health consequences or death to
humans and animals; or
(ii) May cause temporary or medically reversible adverse health
consequences or where the probability of serious adverse health
consequences or death to humans or animals is remote;
(7) The corrective action plan for addressing each deficiency
identified under paragraph (b)(6) of this section, unless corrective
action was implemented immediately and verified onsite by the
accredited third-party certification body (or its audit agent, where
applicable);
(8) Whether any sampling and laboratory analysis (e.g., under a
microbiological sampling plan) is performed in or used by the facility;
and
(9) Whether the eligible entity has made significant changes to the
facility, its process(es), or food products during the 2 years
preceding the regulatory audit.
(c) Submission of regulatory audit report. An accredited third-
party certification body must submit a completed regulatory audit
report as required by paragraph (b) of this section, regardless of
whether the certification body issued a food or facility certification
to the eligible entity.
(d) Notice and appeals of adverse regulatory audit results. An
accredited third-party certification body must notify an eligible
entity of a denial of certification and must establish and implement
written procedures for receiving and addressing appeals from eligible
entities challenging such adverse regulatory audit results and for
investigating and deciding on appeals in a fair and meaningful manner.
The appeals procedures must provide similar protections to those
offered by FDA under Sec. Sec. 1.692 and 1.693, including requirements
to:
(1) Make the appeals procedures publicly available;
(2) Use competent persons, who may or may not be external to the
accredited third-party certification body, who are free from bias or
prejudice and have not participated in the certification decision or be
subordinate to a person who has participated in the certification
decision, to investigate and decide appeals;
(3) Advise the eligible entity of the final decision on its appeal;
and
(4) Maintain records under Sec. 1.658 of the appeal, the final
decision, and the basis for such decision.
Sec. 1.653 What must an accredited third-party certification body do
when issuing food or facility certifications?
(a) Basis for issuance of a food or facility certification. (1)
Prior to issuing a food or facility certification to an eligible
entity, an accredited third-party
[[Page 74661]]
certification body (or, where applicable, an audit agent on its behalf)
must complete a regulatory audit that meets the requirements of Sec.
1.651 and any other activities that may be necessary to determine
compliance with the applicable food safety requirements of the FD&C Act
and FDA regulations.
(2) If, as a result of an observation during a regulatory audit, an
eligible entity must implement a corrective action plan to address a
deficiency, an accredited third-party certification body may not issue
a food or facility certification to such entity until after the
accredited third-party certification body verifies that eligible entity
has implemented the corrective action plan through methods that
reliably verify the corrective action was taken and as a result the
identified deficiency is unlikely to recur, except onsite verification
is required for corrective actions required to address deficiencies
that are the subject of a notification under Sec. 1.656(c).
(3) An accredited third-party certification body must consider each
observation and the data and other information from a regulatory audit
and other activities conducted under Sec. 1.651 to determine whether
the entity was in compliance with the applicable food safety
requirements of the FD&C Act and FDA regulations at the time of the
audit and whether the eligible entity, given its food safety system and
practices, would be likely to remain in compliance for the duration of
any certification issued under this subpart.
(4) A single regulatory audit may result in issuance of one or more
food or facility certifications under this subpart, provided that the
requirements of issuance are met as to each such certification.
(5) Where an accredited third-party certification body uses an
audit agent to conduct a regulatory audit of an eligible entity under
this subpart, the accredited third-party certification body (and not
the audit agent) must make the determination whether to issue a food or
facility certification based on the results of such regulatory audit.
(b) Issuance of a food or facility certification and submission to
FDA. (1) Any food or facility certification issued under this subpart
must be submitted to FDA electronically and in English. The accredited
third-party certification body may issue a food or facility
certification under this subpart for a term of up to 12 months.
(2) A food or facility certification must contain, at a minimum,
the following elements:
(i) The name and address of the accredited third-party
certification body and the scope and date of its accreditation under
this subpart;
(ii) The name, address, FDA Establishment Identifier, and unique
facility identifier, if designated by FDA, of the eligible entity to
which the food or facility certification was issued;
(iii) The name, address, FDA Establishment Identifier, and unique
facility identifier, if designated by FDA, of the facility where the
regulatory audit was conducted, if different than the eligible entity;
(iv) The scope and date(s) of the regulatory audit and the
certification number;
(v) The name of the audit agent(s) (where applicable) conducting
the regulatory audit; and
(vi) The scope of the food or facility certification, date of
issuance, and date of expiration.
(3) FDA may refuse to accept any certification for purposes of
section 801(q) or 806 of the FD&C Act, if FDA determines, that such
food or facility certification is not valid or reliable because, for
example:
(i) The certification is offered in support of the admissibility of
a food that was not within the scope of the certification;
(ii) The certification was issued by an accredited third-party
certification body acting outside the scope of its accreditation under
this subpart; or
(iii) The certification was issued without reliable demonstration
that the requirements of paragraph (a) of this section were met.
Sec. 1.654 When must an accredited third-party certification body
monitor an eligible entity that it has issued a food or facility
certification?
If an accredited third-party certification body has reason to
believe that an eligible entity to which it issued a food or facility
certification may no longer be in compliance with the applicable food
safety requirements of the FD&C Act and FDA regulations, the accredited
third-party certification body must conduct any monitoring (including
an onsite audit) of such eligible entity necessary to determine whether
the entity is in compliance with such requirements. The accredited
third-party certification body must immediately notify FDA, under Sec.
1.656(d), if it withdraws or suspends a food or facility certification
because it determines that the entity is no longer in compliance with
the applicable food safety requirements of the FD&C Act and FDA
regulations. The accredited third-party certification body must
maintain records of such monitoring under Sec. 1.658.
Sec. 1.655 How must an accredited third-party certification body
monitor its own performance?
(a) An accredited third-party certification body must annually,
upon FDA request made for cause, or as required under Sec.
1.631(f)(1)(i), Sec. 1.634(d)(1)(i), or Sec. 1.635(c)(1)(i), conduct
a self-assessment that includes evaluation of compliance with this
subpart, including:
(1) The performance of its officers, employees, or other agents
involved in auditing and certification activities, including the
performance of audit agents in examining facilities, process(es), and
food using the applicable food safety requirements of the FD&C Act and
FDA regulations;
(2) The degree of consistency among its officers, employees, or
other agents involved in auditing and certification activities,
including evaluating whether its audit agents interpreted audit
protocols in a consistent manner;
(3) The compliance of the accredited third-party certification body
and its officers, employees, and other agents involved in auditing and
certification activities, with the conflict of interest requirements of
Sec. 1.657;
(4) Actions taken in response to the results of any assessments
conducted by FDA or, where applicable, the recognized accreditation
body under Sec. 1.621; and
(5) As requested by FDA, any other aspects of its performance
relevant to a determination of whether the accredited third-party
certification body is in compliance with this subpart.
(b) As a means to assess its performance, the accredited third-
party certification body may evaluate the compliance of one or more of
eligible entities to which a food or facility certification was issued
under this subpart.
(c) Based on the assessments and evaluations conducted under
paragraphs (a) and (b) of this section, the accredited third-party
certification body must:
(1) Identify any deficiencies in complying with the requirements of
this subpart;
(2) Quickly implement corrective action(s) that effectively address
the identified deficiencies; and
(3) Under Sec. 1.658, establish and maintain records of such
corrective action(s).
(d) The accredited third-party certification body must prepare a
written report of the results of its self-assessment that includes:
(1) A description of any corrective action(s) taken under paragraph
(c) of this section;
[[Page 74662]]
(2) A statement disclosing the extent to which the accredited
third-party certification body, and its officers, employees, and other
agents involved in auditing and certification activities, complied with
the conflict of interest requirements in Sec. 1.657; and
(3) A statement attesting to the extent to which the accredited
third-party certification body complied with the applicable
requirements of this subpart.
(e) An accredited third-party certification body may use a report,
supplemented as necessary, on its conformance to ISO/IEC 17021: 2011 or
ISO/IEC 17065: 2012 in meeting the requirements of this section.
Sec. 1.656 What reports and notifications must an accredited third-
party certification body submit?
(a) Reporting results of regulatory audits. An accredited third-
party certification body must submit a regulatory audit report, as
described in Sec. 1.652(b), electronically, in English, to FDA and to
the recognized accreditation body that granted its accreditation (where
applicable), no later than 45 days after completing such audit.
(b) Reporting results of accredited third-party certification body
self-assessments. An accredited third-party certification body must
submit the report of its annual self-assessment required by Sec. 1.655
electronically to its recognized accreditation body (or, in the case of
direct accreditation, electronically and in English, to FDA), within 45
days of the anniversary date of its accreditation under this subpart.
For an accredited third-party certification body subject to an FDA
request for cause, or Sec. 1.631(f)(1)(i), Sec. 1.634(d)(1)(i), or
Sec. 1.635(c)(1)(i), the report of its self-assessment must be
submitted to FDA electronically, in English, within 60 days of the FDA
request, denial of renewal, revocation, or relinquishment of
recognition of the accreditation body that granted its accreditation.
Such report must include an up-to-date list of any audit agents it uses
to conduct audits under this subpart.
(c) Notification to FDA of a serious risk to public health. An
accredited third-party certification body must immediately notify FDA
electronically, in English, if during a regulatory or consultative
audit, any of its audit agents or the accredited third-party
certification body itself discovers a condition that could cause or
contribute to a serious risk to the public health, providing the
following information:
(1) The name, physical address, and unique facility identifier, if
designated by FDA, of the eligible entity subject to the audit, and,
where applicable, the registration number under subpart H of this part;
(2) The name, physical address, and unique facility identifier, if
designated by FDA, of the facility where the condition was discovered
(if different from that of the eligible entity) and, where applicable,
the registration number assigned to the facility under subpart H of
this part; and
(3) The condition for which notification is submitted.
(d) Immediate notification to FDA of withdrawal or suspension of a
food or facility certification. An accredited third-party certification
body must notify FDA electronically, in English, immediately upon
withdrawing or suspending any food or facility certification of an
eligible entity and the basis for such action.
(e) Notification to its recognized accreditation body or an
eligible entity. (1) After notifying FDA under paragraph (c) of this
section, an accredited third-party certification body must immediately
notify the eligible entity of such condition and must immediately
thereafter notify the recognized accreditation body that granted its
accreditation, except for third-party certification bodies directly
accredited by FDA. Where feasible and reliable, the accredited third-
party certification body may contemporaneously notify its recognized
accreditation body and/or the eligible entity when notifying FDA.
(2) An accredited third-party certification body must notify its
recognized accreditation body (or, in the case of direct accreditation,
FDA) electronically, in English, within 30 days after making any
significant change that would affect the manner in which it complies
with the requirements of this subpart and must include with such
notification the following information:
(i) A description of the change; and
(ii) An explanation for the purpose of the change.
Sec. 1.657 How must an accredited third-party certification body
protect against conflicts of interest?
(a) An accredited third-party certification body must implement a
written program to protect against conflicts of interest between the
accredited third-party certification body (and its officers, employees,
and other agents involved in auditing and certification activities) and
an eligible entity seeking a food safety audit or food or facility
certification from, or audited or certified by, such accredited third-
party certification body, including the following:
(1) Ensuring that the accredited third-party certification body and
its officers, employees, or other agents involved in auditing and
certification activities do not own, operate, have a financial interest
in, manage, or otherwise control an eligible entity to be certified, or
any affiliate, parent, or subsidiary of the entity;
(2) Ensuring that the accredited third-party certification body
and, its officers, employees, or other agents involved in auditing and
certification activities are not owned, managed, or controlled by any
person that owns or operates an eligible entity to be certified;
(3) Ensuring that an audit agent of the accredited third-party
certification body does not own, operate, have a financial interest in,
manage, or otherwise control an eligible entity or any affiliate,
parent, or subsidiary of the entity that is subject to a consultative
or regulatory audit by the audit agent; and
(4) Prohibiting an accredited third-party certification body's
officer, employee, or other agent involved in auditing and
certification activities from accepting any money, gift, gratuity, or
other item of value from the eligible entity to be audited or certified
under this subpart.
(5) The items specified in paragraph (a)(4) of this section do not
include:
(i) Money representing payment of fees for auditing and
certification services and reimbursement of direct costs associated
with an onsite audit by the third-party certification body; or
(ii) Lunch of de minimis value provided during the course of an
audit and on the premises where the audit is conducted, if necessary to
facilitate the efficient conduct of the audit.
(b) An accredited third-party certification body may accept the
payment of fees for auditing and certification services and the
reimbursement of direct costs associated with an audit of an eligible
entity only after the date on which the report of such audit was
completed or the date a food or facility certification was issued,
whichever is later. Such payment is not considered a conflict of
interest for purposes of paragraph (a) of this section.
(c) The financial interests of the spouses and children younger
than 18 years of age of accredited third-party certification body's
officers, employees, and other agents involved in auditing and
certification activities will be considered the financial interests of
such officers, employees, and other agents involved in auditing and
certification activities.
(d) An accredited third-party certification body must maintain on
its Web site an up-to-date list of the eligible
[[Page 74663]]
entities to which it has issued food or facility certifications under
this subpart. For each such eligible entity, the Web site also must
identify the duration and scope of the food or facility certification
and date(s) on which the eligible entity paid the accredited third-
party certification body any fee or reimbursement associated with such
audit or certification.
Sec. 1.658 What records requirements must a third-party certification
body that has been accredited meet?
(a) A third-party certification body that has been accredited must
maintain electronically for 4 years records created during its period
of accreditation (including documents and data) that document
compliance with this subpart, including:
(1) Any audit report and other documents resulting from a
consultative audit conducted under this subpart, including the audit
agent's observations, correspondence with the eligible entity,
verification of any corrective action(s) taken to address deficiencies
identified during the audit;
(2) Any request for a regulatory audit from an eligible entity;
(3) Any audit report and other documents resulting from a
regulatory audit conducted under this subpart, including the audit
agent's observations, correspondence with the eligible entity,
verification of any corrective action(s) taken to address deficiencies
identified during the audit, and, when sampling and analysis is
conducted, laboratory testing records and results from a laboratory
that is accredited in accordance with Sec. 1.651(b)(3), and
documentation demonstrating such laboratory is accredited in accordance
with Sec. 1.651(b)(3);
(4) Any notification submitted by an audit agent to the accredited
third-party certification body in accordance with Sec. 1.650(a)(5);
(5) Any challenge to an adverse regulatory audit decision and the
disposition of the challenge;
(6) Any monitoring it conducted of an eligible entity to which food
or facility certification was issued;
(7) Its self-assessments and corrective actions taken to address
any deficiencies identified during a self-assessment; and
(8) Significant changes to its auditing or certification program
that might affect compliance with this subpart.
(b) An accredited third-party certification body must make the
records of a consultative audit required by paragraph (a)(1) of this
section available to FDA in accordance with section 414 of the FD&C
Act.
(c) An accredited third-party certification body must make the
records required by paragraphs (a)(2) through (8) of this section
available for inspection and copying promptly upon written request of
an authorized FDA officer or employee at the place of business of the
accredited third-party certification body or at a reasonably accessible
location. If such records are requested by FDA electronically, the
records must be submitted electronically not later than 10 business
days after the date of the request. Additionally, if the records are
maintained in a language other than English, an accredited third-party
certification body must electronically submit an English translation
within a reasonable time.
Procedures for Accreditation of Third-Party Certification Bodies Under
This Subpart
Sec. 1.660 Where do I apply for accreditation or renewal of
accreditation by a recognized accreditation body and what happens once
the recognized accreditation body decides on my application?
(a) Submission of accreditation or renewal application to a
recognized accreditation body. A third-party certification body seeking
accreditation must submit its request for accreditation or renewal of
accreditation by a recognized accreditation body identified on the Web
site described in Sec. 1.690.
(b) Notice of records custodian after denial of application for
renewal of accreditation. An applicant whose renewal application was
denied by a recognized accreditation body must notify FDA
electronically, in English, within 10 business days of the date of
issuance of a denial of accreditation or denial of the renewal
application, of the name and contact information of the custodian who
will maintain the records required by Sec. 1.658(a) and make them
available to FDA as required by Sec. 1.658(b) and (c). The contact
information for the custodian must include, at a minimum, an email
address and the physical address where the records required by Sec.
1.658(a) will be located.
(c) Effect of denial of an application for renewal of accreditation
on food or facility certifications issued to eligible entities. A food
or facility certification issued by an accredited third-party
certification body prior to issuance of the denial of its renewal
application l will remain in effect until the certification expires. If
FDA has reason to believe that a certification issued for purposes of
section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may
refuse to consider the certification in determining the admissibility
of the article of food for which the certification was offered or in
determining the importer's eligibility for participation in VQIP.
(d) Public notice of denial of an application for renewal of
accreditation. FDA will provide notice on the Web site described in
Sec. 1.690 of the date of issuance of a denial of renewal of
accreditation of a third-party certification body that had previous
been accredited.
Sec. 1.661 What is the duration of accreditation by a recognized
accreditation body?
A recognized accreditation body may grant accreditation to a third-
party certification body under this subpart for a period not to exceed
4 years.
Sec. 1.662 How will FDA monitor accredited third-party certification
bodies?
(a) FDA will periodically evaluate the performance of each
accredited third-party certification body to determine whether the
accredited third-party certification body continues to comply with the
applicable requirements of this subpart and whether there are
deficiencies in the performance of the accredited third-party
certification body that, if not corrected, would warrant withdrawal of
its accreditation under Sec. 1.664. FDA will evaluate each directly
accredited third-party certification body annually. For a third-party
certification body accredited by a recognized accreditation body, FDA
will evaluate an accredited third-party certification body not later
than 3 years after the date of accreditation for a 4-year term of
accreditation, or by no later than the mid-term point for accreditation
granted for less than 4 years. FDA may conduct additional performance
assessments of an accredited third-party certification body at any
time.
(b) In evaluating the performance of an accredited third-party
certification body under paragraph (a) of this section, FDA may review
any one or more of the following:
(1) Regulatory audit reports and food and facility certifications;
(2) The accredited third-party certification body's self-
assessments under Sec. 1.655;
(3) Reports of assessments by a recognized accreditation body under
Sec. 1.621;
(4) Documents and other information relevant to a determination of
the accredited third-party certification body's compliance with the
applicable requirements of this subpart; and
(5) Information obtained by FDA, including during inspections,
audits,
[[Page 74664]]
onsite observations, or investigations, of one or more eligible
entities to which a food or facility certification was issued by such
accredited third-party certification body.
(c) FDA may conduct its evaluation of an accredited third-party
certification body through a site visit to an accredited third-party
certification body's headquarters (or other location that manages audit
agents conducting food safety audits under this subpart, if different
than its headquarters), through onsite observation of an accredited
third party certification body's performance during a food safety audit
of an eligible entity, or through document review.
Sec. 1.663 How do I request an FDA waiver or waiver extension for the
13-month limit for audit agents conducting regulatory audits?
(a) An accredited third-party certification body may submit a
request to FDA to waive the requirements of Sec. 1.650(c) preventing
an audit agent from conducting a regulatory audit of an eligible entity
if the audit agent (or, in the case that the third-party certification
body is an individual, the third-party certification body) has
conducted a food safety audit of such entity during the previous 13
months. The accredited third-party certification body seeking a waiver
or waiver extension must demonstrate there is insufficient access to
audit agents and any third-party certification bodies that are
comprised of an individual in the country or region where the eligible
entity is located.
(b) Requests for a waiver or waiver extension and all documents
provided in support of the request must be submitted to FDA
electronically, in English. The requestor must provide such translation
and interpretation services as are needed by FDA to process the
request.
(c) The request must be signed by the requestor or by any
individual authorized to act on behalf of the requestor for purposes of
seeking such waiver or waiver extension.
(d) FDA will review requests for waivers and waiver extensions on a
first in, first out basis according to the date on which the completed
submission is received; however, FDA may prioritize the review of
specific requests to meet the needs of the program. FDA will evaluate
any completed waiver request to determine whether the criteria for
waiver have been met.
(e) FDA will notify the requestor whether the request for a waiver
or waiver extension is approved or denied.
(f) If FDA approves the request, issuance of the waiver will state
the duration of the waiver and list any limitations associated with it.
If FDA denies the request, the issuance of a denial of a waiver request
will state the basis for denial and will provide the address and
procedures for requesting reconsideration of the request under Sec.
1.691.
(g) Unless FDA notifies a requestor that its waiver request has
been approved, an accredited third-party certification body must not
use the audit agent to conduct a regulatory audit of such eligible
entity until the 13-month limit in Sec. 1.650(c) has elapsed.
Sec. 1.664 When would FDA withdraw accreditation?
(a) Mandatory withdrawal. FDA will withdraw accreditation from a
third-party certification body:
(1) Except as provided in paragraph (b) of this section, if the
food or facility certified under this subpart is linked to an outbreak
of foodborne illness or chemical or physical hazard that has a
reasonable probability of causing serious adverse health consequences
or death in humans or animals;
(2) Following an evaluation and finding by FDA that the third-party
certification body no longer complies with the applicable requirements
of this subpart; or
(3) Following its refusal to allow FDA to access records under
Sec. 1.658 or to conduct an audit, assessment, or investigation
necessary to ensure continued compliance with this subpart.
(b) Exception. FDA may waive mandatory withdrawal under paragraph
(a)(1) of this section, if FDA:
(1) Conducts an investigation of the material facts related to the
outbreak of human or animal illness;
(2) Reviews the relevant audit records and the actions taken by the
accredited third-party certification body in support of its decision to
certify; and
(3) Determines that the accredited third-party certification body
satisfied the requirements for issuance of certification under this
subpart.
(c) Discretionary withdrawal. FDA may withdraw accreditation, in
whole or in part, from a third-party certification body when such
third-party certification body is accredited by an accreditation body
for which recognition is revoked under Sec. 1.634, if FDA determines
there is good cause for withdrawal, including:
(1) Demonstrated bias or lack of objectivity when conducting
activities under this subpart; or
(2) Performance that calls into question the validity or
reliability of its food safety audits or certifications.
(d) Records access. FDA may request records of the accredited
third-party certification body under Sec. 1.658 and, where applicable,
may request records under Sec. 1.625 of an accreditation body that has
been recognized under Sec. 1.625, when considering withdrawal under
paragraph (a)(1), (a)(2), or (c) of this section.
(e) Notice to the third-party certification body of withdrawal of
accreditation. (1) FDA will notify a third-party certification body of
the withdrawal of its accreditation through issuance of a withdrawal
that will state the grounds for withdrawal, the procedures for
requesting a regulatory hearing under Sec. 1.693 on the withdrawal,
and the procedures for requesting reaccreditation under Sec. 1.666.
(2) Within 10 business days of the date of issuance of the
withdrawal, the third-party certification body must notify FDA
electronically, in English, of the name of the custodian who will
maintain the records required by Sec. 1.658, and provide contact
information for the custodian, which will at least include an email
address, and the street address where the records will be located.
(f) Effect of withdrawal of accreditation on eligible entities. A
food or facility certification issued by a third-party certification
body prior to withdrawal will remain in effect until the certification
terminates by expiration. If FDA has reason to believe that a
certification issued for purposes of section 801(q) or 806 of the FD&C
Act is not valid or reliable, FDA may refuse to consider the
certification in determining the admissibility of the article of food
for which the certification was offered or in determining the
importer's eligibility for participation in VQIP.
(g) Effect of withdrawal of accreditation on recognized
accreditation bodies. (1) FDA will notify a recognized accreditation
body if the accreditation of a third-party certification body it
accredited is withdrawn by FDA. Such accreditation body's recognition
will remain in effect if, no later than 60 days after withdrawal, the
accreditation body conducts a self-assessment under Sec. 1.622 and
reports the results of the self-assessment to FDA as required by Sec.
1.623(b).
(2) FDA may revoke the recognition of an accreditation body
whenever FDA determines there is good cause for revocation of
recognition under Sec. 1.634.
(h) Public notice of withdrawal accreditation. FDA will provide
notice on the Web site described in Sec. 1.690 of its withdrawal of
accreditation of a third-party certification body and
[[Page 74665]]
provide a description of the basis for withdrawal.
Sec. 1.665 What if I want to voluntarily relinquish accreditation or
do not want to renew accreditation?
(a) Notice to FDA of intent to relinquish or not to renew
accreditation. A third-party certification body must notify FDA
electronically, in English, at least 60 days before voluntarily
relinquishing accreditation or before allowing accreditation to expire
without seeking renewal. The certification body must provide the name
and contact information of the custodian who will maintain the records
required under Sec. 1.658(a) after the date of relinquishment or the
date accreditation expires, as applicable, and make them available to
FDA as required by Sec. 1.658(b) and (c). The contact information for
the custodian must include, at a minimum, an email address and the
physical address where the records required by Sec. 1.658(a) will be
located.
(b) Notice to recognized accreditation body and eligible entities
of intent to relinquish or not to renew accreditation. No later than 15
business days after notifying FDA under paragraph (a) of this section,
the certification body must notify its recognized accreditation body
and any eligible entity with current certifications that it intends to
relinquish accreditation or to allow its accreditation to expire,
specifying the date on which relinquishment or expiration will occur.
The recognized accreditation body must establish and maintain records
of such notification under Sec. 1.625(a).
(c) Effect of voluntary relinquishment or expiration of
accreditation on food or facility certifications issued to eligible
entities. A food or facility certification issued by a third-party
certification body prior to relinquishment or expiration of its
accreditation will remain in effect until the certification expires. If
FDA has reason to believe that a certification issued for purposes of
section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may
refuse to consider the certification in determining the admissibility
of the article of food for which the certification was offered or in
determining the importer's eligibility for participation in VQIP.
(d) Public notice of voluntary relinquishment or expiration of
accreditation. FDA will provide notice on the Web site described in
Sec. 1.690 of the voluntary relinquishment or expiration of
accreditation of a certification body under this subpart.
Sec. 1.666 How do I request reaccreditation?
(a) Application following withdrawal. FDA will reinstate the
accreditation of a third-party certification body for which it has
withdrawn accreditation:
(1) If, in the case of direct accreditation, FDA determines, based
on evidence presented by the third-party certification body, that the
third-party certification body satisfies the applicable requirements of
this subpart and adequate grounds for withdrawal no longer exist; or
(2) In the case of a third-party certification body accredited by
an accreditation body for which recognition has been revoked under
Sec. 1.634:
(i) If the third-party certification body becomes accredited by
another recognized accreditation body or by FDA through direct
accreditation no later than 1 year after withdrawal of accreditation,
or the original date of the expiration of accreditation, whichever
comes first; or
(ii) Under such conditions as FDA may impose in withdrawing
accreditation.
(b) Application following voluntary relinquishment. A third-party
certification body that previously relinquished its accreditation under
Sec. 1.665 may seek accreditation by submitting a new application for
accreditation under Sec. 1.660 or, where applicable, Sec. 1.670.
Additional Procedures for Direct Accreditation of Third-Party
Certification Bodies Under This Subpart
Sec. 1.670 How do I apply to FDA for direct accreditation or renewal
of direct accreditation?
(a) Eligibility. (1) FDA will accept applications from third-party
certification bodies for direct accreditation or renewal of direct
accreditation only if FDA determines that it has not identified and
recognized an accreditation body to meet the requirements of section
808 of the FD&C Act within 2 years after establishing the accredited
third-party audits and certification program. Such FDA determination
may apply, as appropriate, to specific types of third-party
certification bodies, types of expertise, or geographic location; or
through identification by FDA of any requirements of section 808 of the
FD&C Act not otherwise met by previously recognized accreditation
bodies. FDA will only accept applications for direct accreditation and
renewal applications that are within the scope of the determination.
(2) FDA may revoke or modify a determination under paragraph (a)(1)
of this section if FDA subsequently identifies and recognizes an
accreditation body that affects such determination.
(3) FDA will provide notice on the Web site described in Sec.
1.690 of a determination under paragraph (a)(1) of this section and of
a revocation or modification of the determination under paragraph
(a)(1) of this section, as described in paragraph (a)(2) of this
section.
(b) Application for direct accreditation or renewal of direct
accreditation. (1) A third-party certification body seeking direct
accreditation or renewal of direct accreditation must submit an
application to FDA, demonstrating that it is within the scope of the
determination issued under paragraph (a)(1) of this section, and it
meets the eligibility requirements of Sec. 1.640.
(2) Applications and all documents provided as part of the
application process must be submitted electronically, in English. An
applicant must provide such translation and interpretation services as
are needed by FDA to process the application, including during an
onsite audit of the applicant.
(3) The application must be signed in the manner designated by FDA
by an individual authorized to act on behalf of the applicant for
purposes of seeking or renewing direct accreditation.
Sec. 1.671 How will FDA review my application for direct
accreditation or renewal of direct accreditation and what happens once
FDA decides on my application?
(a) Review of a direct accreditation or renewal application. FDA
will examine a third-party certification body's direct accreditation or
renewal application for completeness and notify the applicant of any
deficiencies. FDA will review applications for direct accreditation and
for renewal of direct accreditation on a first in, first out basis
according to the date the completed submission is received; however,
FDA may prioritize the review of specific applications to meet the
needs of the program.
(b) Evaluation of a direct accreditation or renewal application.
FDA will evaluate any completed application to determine whether the
applicant meets the requirements for direct accreditation under this
subpart. If FDA does not reach a final decision on a renewal
application before the expiration of the direct accreditation, FDA may
extend the duration of such direct accreditation for a specified
[[Page 74666]]
period of time or until the Agency reaches a final decision on the
renewal application.
(c) Notice of approval or denial. FDA will notify the applicant
that its direct accreditation or renewal application has been approved
through issuance of or denied.
(d) Issuance of direct accreditation. If an application has been
approved, the issuance of the direct accreditation that will list any
limitations associated with the accreditation.
(e) Issuance of denial of direct accreditation. If FDA issues a
denial of direct accreditation or denial of a renewal application, the
issuance of the denial of direct accreditation will state the basis for
such denial and provide the procedures for requesting reconsideration
of the application under Sec. 1.691.
(f) Notice of records custodian after denial of application for
renewal of direct accreditation. An applicant whose renewal application
was denied must notify FDA electronically, in English, within 10
business days of the date of issuance of a denial of a renewal
application, of the name and contact information of the custodian who
will maintain the records required by Sec. 1.658(a) and make them
available to FDA as required by Sec. 1.658(b) and (c). The contact
information for the custodian must include, at a minimum, an email
address and the physical address where the records required by Sec.
1.658(b) will be located.
(g) Effect of denial of renewal of direct accreditation on food or
facility certifications issued to eligible entities. A food or facility
certification issued by an accredited third-party certification body
prior to issuance of the denial of its renewal application will remain
in effect until the certification expires. If FDA has reason to believe
that a certification issued for purposes of section 801(q) or 806 of
the FD&C Act is not valid or reliable, FDA may refuse to consider the
certification in determining the admissibility of the article of food
for which the certification was offered or in determining the
importer's eligibility for participation in VQIP.
(h) Public notice of denial of renewal of direct accreditation. FDA
will provide notice on the Web site described in Sec. 1.690 of the
issuance of a denial of renewal application for direct accreditation
under this subpart.
Sec. 1.672 What is the duration of direct accreditation?
FDA will grant direct accreditation of a third-party certification
body for a period not to exceed 4 years.
Requirements for Eligible Entities Under This Subpart
Sec. 1.680 How and when will FDA monitor eligible entities?
FDA may, at any time, conduct an onsite audit of an eligible entity
that has received food or facility certification from an accredited
third-party certification body under this subpart. Where FDA determines
necessary or appropriate, the unannounced audit may be conducted with
or without the accredited third-party certification body or the
recognized accreditation body (where applicable) present. An FDA audit
conducted under this section will be conducted on an unannounced basis
and may be preceded by a request for a 30-day operating schedule.
Sec. 1.681 How frequently must eligible entities be recertified?
An eligible entity seeking recertification of a food or facility
certification under this subpart must apply for recertification prior
to the expiration of its certification. For certifications used in
meeting the requirements of section 801(q) or 806 of the FD&C Act, FDA
may require an eligible entity to apply for recertification at any time
FDA determines appropriate under such section.
General Requirements of This Subpart
Sec. 1.690 How will FDA make information about recognized
accreditation bodies and accredited third-party certification bodies
available to the public?
FDA will place on its Web site a registry of recognized
accreditation bodies and accredited third-party certification bodies,
including the name, contact information, and scope and duration of
recognition or accreditation. The registry may provide information on
third-party certification bodies accredited by recognized accreditation
bodies through links to the Web sites of such recognized accreditation
bodies. FDA will also place on its Web site a list of accreditation
bodies for which it has denied renewal of recognition, for which FDA
has revoked recognition, and that have relinquished their recognition
or have allowed their recognition to expire. FDA will also place in its
Web site a list of certification bodies whose renewal of accreditation
has been denied, for which FDA has withdrawn accreditation, and that
have relinquished their accreditations or have allowed their
accreditations to expire. FDA will place on its Web site determinations
under Sec. 1.670(a)(1) and modifications of such determinations under
Sec. 1.670(a)(2).
Sec. 1.691 How do I request reconsideration of a denial by FDA of an
application or a waiver request?
(a) An accreditation body may seek reconsideration of the denial of
an application for recognition, renewal of recognition, or
reinstatement of recognition no later than 10 business days after the
date of the issuance of such denial.
(b) A third-party certification body may seek reconsideration of
the denial of an application for direct accreditation, renewal of
direct accreditation, reaccreditation of directly accredited third-
party certification body, a request for a waiver of the conflict of
interest requirement in Sec. 1.650(b), or a waiver extension no later
than 10 business days after the date of the issuance of such denial.
(c) A request to reconsider an application or waiver request under
paragraph (a) or (b) of this section must be signed by the requestor or
by an individual authorized to act on its behalf in submitting the
request for reconsideration. The request must be submitted
electronically in English and must comply with the procedures described
in the notice.
(d) After completing its review and evaluation of the request for
reconsideration, FDA will notify the requestor through the issuance of
the recognition, direct accreditation, or waiver upon reconsideration
or through the issuance of a denial of the application or waiver
request under paragraph (a) or (b) of this section upon
reconsideration.
Sec. 1.692 How do I request internal agency review of a denial of an
application or waiver request upon reconsideration?
(a) No later than 10 business days after the date of issuance of a
denial of an application or waiver request upon reconsideration under
Sec. 1.691, the requestor may seek internal agency review of such
denial under Sec. 10.75(c)(1) of this chapter.
(b) The request for internal agency review under paragraph (a) of
this section must be signed by the requestor or by an individual
authorized to act on its behalf in submitting the request for internal
review. The request must be submitted electronically in English to the
address specified in the denial upon reconsideration and must comply
with procedures it describes.
(c) Under Sec. 10.75(d) of this chapter, internal agency review of
such denial must be based on the information in the administrative
file, which will include any supporting information submitted under
Sec. 1.691(c).
[[Page 74667]]
(d) After completing the review and evaluation of the
administrative file, FDA will notify the requestor of its decision to
overturn the denial and grant the application or waiver request through
issuance of an application or waiver request upon reconsideration or to
affirm the denial of the application or waiver request upon
reconsideration through issuance of a denial of an application or
waiver request upon reconsideration.
(e) Issuance by FDA of a denial of an application or waiver request
upon reconsideration constitutes final agency action under 5 U.S.C.
702.
Sec. 1.693 How do I request a regulatory hearing on a revocation of
recognition or withdrawal of accreditation?
(a) Request for hearing on revocation. No later than 10 business
days after the date of issuance of a revocation of recognition of an
accreditation body under Sec. 1.634, an individual authorized to act
on the accreditation body's behalf may submit a request for a
regulatory hearing on the revocation under part 16 of this chapter. The
issuance of revocation issued under Sec. 1.634 will contain all of the
elements required by Sec. 16.22 of this chapter and will thereby
constitute the notice of an opportunity for hearing under part 16 of
this chapter.
(b) Request for hearing on withdrawal. No later than 10 business
days after the date of issuance of a withdrawal of accreditation of a
third-party certification body under Sec. 1.664, an individual
authorized to act on the third-party certification body's behalf may
submit a request for a regulatory hearing on the withdrawal under part
16 of this chapter. The issuance of withdrawal under Sec. 1.664 will
contain all of the elements required by Sec. 16.22 of this chapter and
will thereby constitute the notice of opportunity of hearing under part
16 of this chapter.
(c) Submission of request for regulatory hearing. The request for a
regulatory hearing under paragraph (a) or (b) of this section must be
submitted with a written appeal that responds to the basis for the FDA
decision, as described in the issuance of revocation or withdrawal, as
appropriate, and includes any supporting information upon which the
requestor is relying. The request, appeal, and supporting information
must be submitted in English to the address specified in the notice and
must comply with the procedures it describes.
(d) Effect of submission of request on FDA decision. The submission
of a request for a regulatory hearing under paragraph (a) or (b) of
this section will not operate to delay or stay the effect of a decision
by FDA to revoke recognition of an accreditation body or to withdraw
accreditation of a third-party certification body unless FDA determines
that a delay or a stay is in the public interest.
(e) Presiding officer. The presiding officer for a regulatory
hearing for a revocation or withdrawal under this subpart will be
designated after a request for a regulatory hearing is submitted to
FDA.
(f) Denial of a request for regulatory hearing. The presiding
officer may deny a request for regulatory hearing for a revocation or
withdrawal under Sec. 16.26(a) of this chapter when no genuine or
substantial issue of fact has been raised.
(g) Conduct of regulatory hearing. (1) If the presiding officer
grants a request for a regulatory hearing for a revocation or
withdrawal, the hearing will be held within 10 business days after the
date the request was filed or, if applicable, within a timeframe agreed
upon in writing by requestor, the presiding officer, and FDA.
(2) The presiding officer must conduct the regulatory hearing for
revocation or withdrawal under part 16 of this chapter, except that,
under Sec. 16.5(b) of this chapter, such procedures apply only to the
extent that the procedures are supplementary and do not conflict with
the procedures specified for regulatory hearings under this subpart.
Accordingly, the following requirements of part 16 are inapplicable to
regulatory hearings under this subpart: Sec. 16.22 (Initiation of a
regulatory hearing); Sec. 16.24(e) (timing) and (f) (contents of
notice); Sec. 16.40 (Commissioner); Sec. 16.60(a) (public process);
Sec. 16.95(b) (administrative decision and record for decision); and
Sec. 16.119 (Reconsideration and stay of action).
(3) A decision by the presiding officer to affirm the revocation of
recognition or the withdrawal of accreditation is considered a final
agency action under 5 U.S.C. 702.
Sec. 1.694 Are electronic records created under this subpart subject
to the electronic records requirements of part 11 of this chapter?
Records that are established or maintained to satisfy the
requirements of this subpart and that meet the definition of electronic
records in Sec. 11.3(b)(6) of this chapter are exempt from the
requirements of part 11 of this chapter. Records that satisfy the
requirements of this subpart, but that also are required under other
applicable statutory provisions or regulations, remain subject to part
11 of this chapter.
Sec. 1.695 Are the records obtained by FDA under this subpart subject
to public disclosure?
Records obtained by FDA under this subpart are subject to the
disclosure requirements under part 20 of this chapter.
PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
0
3. The authority citation for 21 CFR part 11 continues to read as
follows:
Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.
0
4. In Sec. 11.1, add paragraph (m) to read as follows:
Sec. 11.1 Scope.
* * * * *
(m) This part does not apply to records required to be established
or maintained by subpart M of part 1 of this chapter. Records that
satisfy the requirements of subpart M of part 1 of this chapter, but
that also are required under other applicable statutory provisions or
regulations, remain subject to this part.
PART 16--REGULATORY HEARING BEFORE THE FOOD AND DRUG ADMINISTRATION
0
5. The authority citation for 21 CFR part 16 continues to read as
follows:
Authority: 15 U.S.C. 1451-1461; 21 U.S.C. 141-149, 321-394,
467f, 679, 821, 1034; 28 U.S.C. 2112; 42 U.S.C. 201-262, 263b, 364.
0
6. In Sec. 16.1(b)(2), add the following entry in numerical order to
read as follows:
Sec. 16.1 Scope.
* * * * *
(b) * * *
(2) * * *
Sec. Sec. 1.634 and 1.664, relating to revocation of recognition
of an accreditation body and withdrawal of accreditation of third-party
certification bodies that conduct food safety audits of eligible
entities in the food import supply chain and issue food and facility
certifications.
* * * * *
Dated: October 30, 2015.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2015-28160 Filed 11-13-15; 8:45 am]
BILLING CODE 4164-01-P