Skip to Content

Rule

Accreditation of Third-Party Certification Bodies To Conduct Food Safety Audits and To Issue Certifications

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 74570

AGENCY:

Food and Drug Administration, HHS.

ACTION:

Final rule.

SUMMARY:

The Food and Drug Administration (FDA or we) is adopting regulations to provide for accreditation of third-party certification bodies to conduct food safety audits of foreign food entities, including registered foreign food facilities, and to issue food and facility certifications, under the FDA Food Safety Modernization Act (FSMA). These certifications will be required for participation in the voluntary qualified importer program (VQIP) established under the Federal Food, Drug, and Cosmetic Act (FD&C Act). In addition, when the Agency has determined that an imported food is subject to certification under FSMA, the Agency may require a certification under this rule as a condition for admitting the food into the United States. FDA also expects that these regulations will increase efficiency by reducing the number of redundant food safety audits.

DATES:

This rule is effective January 26, 2016.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Charlotte A. Christin, Office of Foods and Veterinary Medicine, Food and Drug Administration, 10903 New Hampshire Ave., Silver Spring, MD 20993, 301-796-7526.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Table of Contents

Executive Summary

I. Introduction and Background

A. FDA Food Safety Modernization Act

B. Purpose of This Rulemaking

C. The Proposed Rule

D. Public Comments

II. Legal Authority

III. Comments on What Definitions Apply to This Subpart (§ 1.600)

A. Definitions, Generally

B. Assessment

C. Audit

D. Audit Agent

E. Consultative Audit

F. Eligible Entity

G. Facility

H. Facility Certification and Food Certification

I. Food

J. Food Safety Audit

K. Foreign Cooperative

L. Regulatory Audit

M. Self-Assessment

N. Third-Party Auditor

IV. Comments on Who Is Subject to This Subpart (§ 1.601)

A. Limiting the Scope of the Rule to Regulatory Audits and Certifications

B. Exemption for Alcoholic Beverages

C. USDA Regulated Products

V. Comments on Recognition of Accreditation Bodies Under This Subpart

A. Who is eligible to seek recognition? (§ 1.610)

B. What legal authority must an accreditation body have to qualify for recognition? (§ 1.611)

C. What competency and capacity must an accreditation body have to qualify for recognition? (§ 1.612)

D. What protections against conflicts of interest must an accreditation body have to qualify for recognition? (§ 1.613)

E. What quality assurance procedures must an accreditation body have to qualify for recognition? (§ 1.614)

F. What records procedures must an accreditation body have to qualify for recognition? (§ 1.615)

VI. Comments on Requirements for Accreditation Bodies That Have Been Recognized Under This Subpart

A. How must a recognized accreditation body evaluate third-party certification bodies seeking accreditation? (§ 1.620)

B. How must a recognized accreditation body monitor the performance of third-party certification bodies it accredited? (§ 1.621)

C. How must a recognized accreditation body monitor its own performance? (§ 1.622)

D. What reports and notifications must a recognized accreditation body submit to FDA? (§ 1.623)

E. How must a recognized accreditation body protect against conflicts of interest? (§ 1.624)

F. What records requirements must an accreditation body that has been recognized meet? (§ 1.625)

VII. Comments on Procedures for Recognition of Accreditation Bodies Under This Subpart

A. How do I apply to FDA for recognition or renewal of recognition? (§ 1.630)

B. How will FDA review my application for recognition or for renewal of recognition and what happens once FDA decides on my application? (§ 1.631)

C. What is the duration of recognition? (§ 1.632)

D. How will FDA monitor recognized accreditation bodies? (§ 1.633)

E. When will FDA revoke recognition? (§ 1.634)

F. What if I want to voluntarily relinquish recognition or do not want to renew recognition? (§ 1.635)

G. How do I request reinstatement of recognition? (§ 1.636)

VIII. Comments on Accreditation of Third-Party Certification Bodies Under This Subpart

A. Who is eligible to seek accreditation? (§ 1.640)

B. What legal authority must a third-party certification body have to qualify for accreditation? (§ 1.641)

C. What competency and capacity must a third-party certification body have to qualify for accreditation? (§ 1.642)

D. What protections against conflicts of interest must a third-party certification body have to qualify for accreditation? (§ 1.643)

E. What quality assurance procedures must a third-party certification body have to qualify for accreditation? (§ 1.644)

F. What records procedures must a third-party certification body have to qualify for accreditation? (§ 1.645)

IX. Comments on Requirements for Third-Party Certification Bodies That Have Been Accredited Under This Subpart

A. How must an accredited third-party certification body ensure its audit agents are competent and objective? (§ 1.650)

B. How must an accredited third-party certification body conduct a food safety audit of an eligible entity? (§ 1.651)

C. What must an accredited third-party certification body include in food safety audit reports? (§ 1.652)

D. What must an accredited third-party certification body do when issuing food or facility certifications? (§ 1.653)

E. When must an accredited third-party certification body monitor an eligible entity that it has issued a food or facility certification? (§ 1.654)

F. How must an accredited third-party certification body monitor its own performance? (§ 1.655)

G. What reports and notifications must an accredited third-party certification body submit? (§ 1.656)

H. How must an accredited third-party certification body protect against conflicts of interest? (§ 1.657)

I. What records requirements must a third-party certification body that has been accredited meet? (§ 1.658)

X. Comments on Procedures for Accreditation of Third-Party Certification Bodies Under This Subpart

A. Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body and what happens once the recognized accreditation body decides on my application? (§ 1.660)

B. What is the duration of accreditation by a recognized accreditation body? (§ 1.661)

C. How will FDA monitor accredited third-party certification bodies? (§ 1.662)

D. How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? (§ 1.663)

E. When would FDA withdraw accreditation? (§ 1.664)

F. What if I want to voluntarily relinquish accreditation or do not want to renew accreditation? (§ 1.665)

G. How do I request reaccreditation? (§ 1.666)Start Printed Page 74571

XI. Comments on Additional Procedures for Direct Accreditation of Third-Party Certification Bodies Under This Subpart

A. How do I apply to FDA for direct accreditation or renewal of direct accreditation? (§ 1.670)

B. How will FDA review my application for direct accreditation or renewal of direct accreditation and what happens once FDA decides on my application? (§ 1.671)

C. What is the duration of direct accreditation? (§ 1.672)

XII. Comments on Requirements for Eligible Entities Under This Subpart

A. How and when will FDA monitor eligible entities? (§ 1.680)

B. How frequently must eligible entities be recertified? (§ 1.681)

XIII. Comments on General Requirements of This Subpart

A. How will FDA make information about recognized accreditation bodies and accredited third-party certification bodies available to the public? (§ 1.690)

B. How do I request reconsideration of a denial by FDA of an application or a waiver request? (§ 1.691)

C. How do I request internal agency review of a denial of an application or waiver request upon reconsideration? (§ 1.692)

D. How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation? (§ 1.693)

E. Are electronic records created under this subpart subject to the electronic records requirements of part 11? (§ 1.694)

F. Are the records obtained by FDA under this subpart subject to public disclosure? (§ 1.695)

G. May importers use reports of regulatory audits by accredited certification bodies for purposes of subpart L of this part? (§ 1.698)

XIV. Editorial and Conforming Changes

XV. Executive Order 13175

XVI. Analysis of Economic Impact

XVII. Paperwork Reduction Act of 1995

XVIII. Analysis of Environmental Impact

XIX. Federalism

XX. References

Executive Summary

Purpose and Coverage of the Final Rule

This rule is part of FDA's implementation of FSMA, which intends to better protect public health by, among other things, adopting a modern, preventive, and risk-based approach to food safety regulation. In this document, we establish a program for accreditation of third-party certification bodies [1] to conduct food safety audits and issue certifications of foreign food facilities and foods for humans and animals for purposes of sections 801(q) and 806 of the FD&C Act. We are also codifying certain limited exemptions to mandatory import certification under 801(q) of the FD&C Act (21 U.S.C. 381).

FSMA added section 808 to the FD&C Act (21 U.S.C. 384d), which directs FDA to establish a new program for accreditation of third-party certification bodies to conduct food safety audits and to certify that eligible foreign entities (including registered foreign food facilities) and food produced by such entities meet applicable FDA requirements for purposes of sections 801(q) and 806 of the FD&C Act. This rulemaking implements section 808 of the FD&C Act; we will recognize accreditation bodies to accredit third-party certification bodies, except for limited circumstances in which we may directly accredit third-party certification bodies.

FSMA specifies two uses for the food and facility certifications issued by accredited third-party certification bodies under this program. First, facility certifications will be used by importers to establish eligibility for VQIP under section 806 of the FD&C Act (21 U.S.C. 384b(a)). VQIP offers participating importers expedited review and entry of food that is part of VQIP. One condition of participation is importation of food from facilities audited and certified by third-party certification bodies accredited under this subpart. FDA issued draft guidance on VQIP on June 5, 2015 (80 FR 32136); the draft guidance may be accessed at http://www.fda.gov/​downloads/​Food/​GuidanceRegulation/​GuidanceDocumentsRegulatoryInformation/​UCM448558.pdf.

Second, section 801(q) of the FD&C Act gives FDA the authority to make a risk-based determination to require, as a condition of admissibility, that a food imported or offered for import into the United States be accompanied by a certification or other assurance that the food meets the applicable requirements of the FD&C Act. The authority to mandate import certification for food, based on risk, is one of the tools we can use to help prevent potentially harmful food from reaching U.S. consumers. When FDA has determined that a food import is subject to such certification under section 801(q) of the FD&C Act, FDA will require, as a condition of entry, a certification issued either by an accredited third-party certification body under this rule or by an agency or representative of the government of the country from which the food at issue originated, as designated by FDA.

In addition, facilities and importers may choose to use onsite audits conducted by third-party certification bodies accredited under the program set out in this rule in connection with meeting supplier verification requirements under FDA's final rules for Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food (final human preventive controls regulation) (80 FR55907, September 17, 2015); Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animals (final animal preventive controls regulation) (80 FR 56169, September 17, 2015); and the Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals (published elsewhere in this edition of the Federal Register) (implementing sections 418 and 805 of the FD&C Act, respectively). Under those rules, in circumstances where an onsite audit is the appropriate supplier verification activity, such audit must be conducted by a “qualified auditor.” The definitions of “qualified auditor” in those rules make clear that an example of a potential qualified auditor includes, but is not limited to, an audit agent of a certification body that has been accredited in accordance with regulations in part 1, subpart M of this chapter (i.e., this rule implementing section 808 of the FD&C Act).

Summary of Major Provisions of the Final Rule

This rule establishes the framework, procedures, and requirements for accreditation bodies and third-party certification bodies for purposes of section 808 of the FD&C Act. The rule sets requirements for the legal authority, competency, capacity, conflict of interest safeguards, quality assurance, and records procedures that accreditation bodies must demonstrate to be eligible for recognition. Accreditation bodies also must demonstrate capability to meet the FDA requirements that would apply upon recognition. Additionally, the rule establishes requirements for the legal authority, competency, capacity, conflict of interest safeguards, quality assurance, and records procedures that third-party certification bodies must demonstrate to be eligible for accreditation. Third-party certification bodies also must demonstrate capability to meet the applicable requirements of the rule that would apply upon accreditation.

Pursuant to FSMA section 307 (21 U.S.C. 384d), the rule requires accredited third-party certification Start Printed Page 74572bodies to perform unannounced facility audits, to notify FDA upon discovering a condition that could cause or contribute to a serious risk to the public health, and to submit to FDA reports of regulatory audits conducted for certification purposes. The rule includes stringent requirements to prevent conflicts of interest from influencing the decisions of recognized accreditation bodies and accredited third-party certification bodies. The rule does not, however, establish the audit criteria that accredited third-party certification bodies will use in examining eligible entities for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, because those criteria appear elsewhere in FDA regulations and the FD&C Act.

Costs and Benefits

Costs of the Third-Party final rule include compliance costs of accreditation bodies and certification bodies that choose to participate in our third-party program, and user fees imposed by FDA on accreditation bodies and certification bodies for application review and monitoring of program participants.

Table 1—Summary User Fee, Compliance, Undiscounted and Annualized Costs of the Third-Party (TP) Program per Participant

Eligible entityAudited byTotal
Certification bodies (CBs) currently accredited under other programsCBs not accredited under any program
SCENARIO 1
Number of section 801(q) Entities106575
Cost of Compliance with Program Requirements (TP Compliance Cost)$694$2,569
Section 801(q) Compliance Cost$6,940$166,985$173,925
Number of section 806 Entities1459711,116
TP Compliance Cost$694$2,569
Section 806 Compliance Cost$100,630$2,494,499$2,595,129
Total TP Compliance Cost—Scenario 1$2,769,054
SCENARIO 2
Number of section 801(q) Entities106575
TP Compliance Cost$322$2,197
Section 801(q) Compliance Cost$3,220$142,805$146,025
Number of § 806 Entities4593,0683,527
TP Compliance Cost$322$2,197
Section 806 Compliance Cost$147,798$6,740,396$6,888,194
Total TP Compliance Cost—Scenario 2$7,034,219
SCENARIO 3
Number of section 801(q) Entities106575
TP Compliance Cost$227$2,102
Section 801(q) Compliance Cost$2,270$136,630$138,900
Number of section 806 Entities8015,3596,160
TP Compliance Cost$227$2,102
Section 806 Compliance Cost$181,827$11,264,618$11,446,445
Total TP Compliance Cost—Scenario 3$11,585,345

The costs that accreditation bodies and certification bodies incur in complying with the regulation are necessarily less than the private benefits they accrue by becoming recognized or accredited, respectively. Through the third-party accreditation program more effective regulatory oversight is achieved. FDA will recoup resources in managing its third-party accreditation program through user fees that FDA intends to impose on participating accreditation bodies and third-party certification bodies.

I. Introduction and Background

A. FDA Food Safety Modernization Act

FSMA (Pub. L. 111-353), signed into law by President Obama on January 4, 2011, is intended to allow FDA to better protect public health by helping to ensure the safety and security of the food supply. FSMA enables us to focus more on preventing food safety problems rather than relying primarily on reacting to problems after they occur. The law also provides new enforcement authorities to help achieve higher rates of compliance with risk-based, prevention-oriented safety standards and to better respond to and contain problems when they do occur. In addition, the law contains important new tools to better ensure the safety of imported foods and encourages partnerships with State, local, tribal, and territorial authorities and international collaborations with foreign regulatory counterparts. A top priority for FDA are those FSMA-required regulations that provide the framework for industry's implementation of preventive controls and enhance our ability to oversee their implementation for both domestic and imported food. To that end, we proposed the seven foundational rules listed in table 2 and Start Printed Page 74573requested comments on all aspects of these proposed rules.

Table 2—Published Foundational Proposed Rules for Implementation of FSMA

TitleAbbreviationPublication
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food2013 proposed human preventive controls regulation78 FR 3646, January 16, 2013.
Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption2013 proposed produce safety regulation78 FR 3504, January 16, 2013.
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animals2013 proposed animal preventive controls regulation78 FR 64736, October 29, 2013.
Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals2013 proposed FSVP regulation78 FR 45730, July 29, 2013.
Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications2013 proposed third-party certification regulation (also referred to in this document as the proposed rule)78 FR 45782, July 29, 2013.
Focused Mitigation Strategies To Protect Food Against Intentional Adulteration2013 proposed intentional adulteration regulation78 FR 78014, December 24, 2013.
Sanitary Transportation of Human and Animal Food2014 proposed sanitary transportation regulation79 FR 7006, February 5, 2014.

We also issued a supplemental notice of proposed rulemaking for the rules listed in table 3 and requested comments on specific issues identified in each supplemental notice of proposed rulemaking.

Table 3—Published Supplemental Notices of Proposed Rulemaking for the Foundational Rules for Implementation of FSMA

TitleAbbreviationPublication
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food2014 supplemental human preventive controls notice79 FR 58524, September 29, 2014.
Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption2014 supplemental produce safety notice79 FR 58434, September 29, 2014.
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animals2014 supplemental animal preventive controls notice79 FR 58476, September 29, 2014.
FSVP for Importers of Food for Humans and Animals2014 supplemental FSVP notice79 FR 58574, September 29, 2014.

We finalized two of the foundational rulemakings listed in table 4 in September 2015.

Table 4—Published Foundational Final Rules for Implementation of FSMA

TitleAbbreviationPublication
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Foodfinal human preventive controls regulation80 FR 55908, September 17, 2015.
Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animalsfinal animal preventive controls regulation80 FR 56170, September 17, 2015.

As FDA finalizes these seven foundational rulemakings, we are putting in place a modern, risk-based framework for food safety that is based on the most recent science, that focuses efforts where the hazards are reasonably likely to occur, and that is flexible and practical given our current knowledge of food safety practices. To achieve this, FDA has engaged in a significant amount of outreach to the stakeholder community to find the right balance between flexibility and accountability in these regulations.

After FSMA was enacted in 2011, we have been involved in approximately 600 stakeholder engagements on FSMA and the proposed rules, including public meetings, webinars, listening sessions, farm tours, and extensive presentations and meetings with various stakeholder groups (Refs. 1, 2, 3). As a result of this stakeholder dialogue, FDA decided to issue the four supplemental notices of proposed rulemaking to share our current thinking on key issues and get additional stakeholder input on those issues. As we move forward into the next phase of FSMA implementation, we intend to continue this dialogue and collaboration with our stakeholders, through guidance, education, training, and assistance, to ensure that stakeholders understand and engage in their respective roles in food safety. FDA believes these seven foundational final rules, when implemented, will affect the paradigm shift toward prevention that was envisioned in FSMA and be a major step forward for food safety that will help protect consumers into the future.Start Printed Page 74574

B. Purpose of This Rulemaking

FSMA added section 808 to the FD&C Act which directs FDA to establish a new voluntary program for accreditation of third-party certification bodies to conduct food safety audits and to issue food and facility certifications to eligible foreign entities (including registered foreign food facilities) that meet our applicable requirements for purposes of sections 801(q) and 806 of the FD&C Act. This rulemaking implements section 808 of the FD&C Act; we will recognize accreditation bodies to accredit third-party certification bodies, except for limited circumstances in which we may directly accredit third-party certification bodies.

FSMA specifies two uses for the food and facility certifications issued by accredited third-party certification bodies under this program. First, facility certifications will be used by importers to establish eligibility for VQIP under section 806 of the FD&C Act. VQIP offers participating importers expedited review and importation for food from facilities audited and certified by third-party certification bodies accredited under this subpart. FDA issued draft guidance on VQIP on June 5, 2015 (80 FR 32136); the draft guidance may be accessed at http://www.fda.gov/​downloads/​Food/​GuidanceRegulation/​GuidanceDocumentsRegulatoryInformation/​UCM448558.pdf.

Second, section 801(q) of the FD&C Act gives FDA the authority to make a risk-based determination to require, as a condition of admissibility, that a food imported or offered for import into the United States be accompanied by a certification or other assurance that the food meets the applicable requirements of the FD&C Act. The authority to mandate import certification for food, based on risk, is one of the tools we can use to help prevent potentially harmful food from reaching U.S. consumers. When FDA has determined that a food import is subject to such certification under section 801(q) of the FD&C Act, FDA will require, as a condition of entry, a certification issued either by an accredited third-party certification body under this rule or by an agency or representative of the government of the country from which the food at issue originated, as designated by FDA.

This final rule will help FDA ensure the competence and independence of third-party certification bodies who are accredited to conduct foreign food safety audits to examine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, among other things. The document also will help ensure the validity and reliability of certifications offered to FDA for purposes of VQIP eligibility under section 806 of the FD&C Act and admissibility of an imported food subject to an FDA risk determination under section 801(q) of the FD&C Act.

The third-party certification program is part of FSMA's paradigm shift toward a modern, preventive, and risk-based approach to food safety regulation and new programs to facilitate global trade in safe food. Specifically, FSMA requires FDA to issue new preventive controls and produce safety standards that apply to domestic and foreign processors and producers. In addition, FSMA directs FDA to issue an FSVP regulation requiring importers to implement FSVPs that provide adequate assurances that their foreign suppliers produce food that is in compliance with processes and procedures, including risk-based preventive controls, that provide the same level of public health protection as those required under section 418 (concerning hazard analysis and preventive controls) or 419 (concerning produce safety) of the FD&C Act, as appropriate, and that is in compliance with sections 402 (concerning adulteration) and 403(w) (concerning misbranding regarding allergen labeling) of the FD&C Act. We emphasize that facilities and importers are not required to use third-party certification bodies accredited under this rule in meeting their supplier verification requirements under the final human or animal preventive controls or FSVP regulations. See section XIII.G.

By contrast, the third-party certification program established under section 808 of the FD&C Act focuses on food safety audits to certify that eligible foreign entities and the food produced by such entities meet applicable FDA requirements for purposes of sections 801(q) and 806 of the FD&C Act. Although importers must obtain facility certifications from accredited third-party certification bodies under this rule in order to be eligible for VQIP, we note that importers seeking to satisfy a requirement for certification as a condition of admissibility for an article of food under section 801(q) of the FD&C Act may offer a certification issued either by foreign governments designated by FDA to issue such certifications or by third-party certification bodies accredited under this rule.

Through FSMA we are transforming our role in the global food safety system, by building ever stronger partnerships with our foreign regulatory counterparts and by exploring opportunities to leverage private food safety activities to benefit of our system of public food safety assurances. We value the role that private audits can play in enhancing food safety when done properly, and we share common purpose with the food industry in ensuring the rigor and objectivity of those audits.

The final rule on accreditation of third-party certification bodies reflects the results of significant stakeholder engagement to help ensure that the rule achieves its public health goal, reflects industry best practices, and strikes the right balance between flexibility and accountability.

C. The Proposed Rule

FDA published a proposed rule for “Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications” (the proposed rule) on July 29, 2013. The proposed rule included eligibility requirements for accreditation bodies to qualify for recognition and requirements that accreditation bodies choosing to participate in the FDA program must meet, once recognized. We also proposed eligibility requirements for third-party certification bodies to qualify for accreditation and requirements that third-party certification bodies choosing to participate in the FDA program must meet, once accredited. We intended the proposed requirements to ensure the competency and independence of the accreditation bodies and third-party certification bodies participating in the program.

We also proposed procedures for recognition and accreditation, as well as requirements relating to monitoring and oversight of participating accreditation bodies and third-party certification bodies. These included procedures that we would follow when removing a third-party certification body or an accreditation body from the program. Further, we proposed requirements relating to auditing and certification of foreign eligible entities under the program, and for notifying us of conditions in an audited facility that could cause or contribute to a serious risk to the public health. In response to several requests, we extended the proposed rule comment period until January 27, 2014.

D. Public Comments

We received over 150 comments from accreditation bodies, certification bodies, members of the food industry, industry associations, foreign governments, State governments, public health organizations, public advocacy Start Printed Page 74575groups, individual consumers, consumer groups, and others. Some submissions included signatures and statements from multiple individuals. Taken as a whole, the comments address virtually every provision of the proposed rule. In the remainder of this document, we describe the comments that are within the scope of this rulemaking, respond to them, and explain any revisions we made from the proposed rule.

A number of comments focus on the overarching issues of: (1) Alignment with voluntary consensus standards; (2) the use of private food safety schemes; (3) the relationship between the third-party certification program, foreign competent authorities, and FDA's international activities; and (4) the possible implications of the lack of qualified auditors on the third-party certification program. We address these comments generally below.

We received several comments on the overarching issue of the use of voluntary international consensus standards issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), including the following ISO/IEC standards: ISO/IEC 17000:2004 Conformity assessment—Vocabulary and general principles (ISO/IEC 17000:2004) (Ref. 4); ISO/IEC 17011:2004, Conformity assessment—General requirements for accreditation bodies accrediting conformity assessment bodies (ISO/IEC 17011:2004) (Ref. 5); ISO/IEC 17021:2011, Conformity assessment—Requirements for bodies providing audit and certification of management systems (ISO/IEC 17021:2011) (Ref. 6); ISO/IEC 17065:2012, Conformity assessment—Requirements for bodies certifying products, processes and services (ISO/IEC 17065:2012) (Ref. 7); and ISO/IEC 19011:2011, Guidelines for auditing management systems (ISO/IEC 19011:2011) (Ref. 8).

Some comments support the approach to ISO/IEC standards that we used when developing the proposed rule; some comments state that the process for developing these standards makes them unbiased. Other comments suggest we should place greater reliance on ISO/IEC standards, including some comments asserting that we should incorporate ISO/IEC standards by reference into the final rule. These comments encourage us to follow the example of a proposed rule issued by the Environmental Protection Agency and entitled, “Formaldehyde; Third-Party Certification Framework for the Formaldehyde Standards for Composite Wood Products” (78 FR 34795, June 10, 2013), which proposed to incorporate by reference certain international standards. These comments assert that by placing greater reliance on ISO standards, we could allow ISO's broader oversight program to complement FDA's management of these bodies.

Implementation of section 808 of the FD&C Act occurs against the backdrop of the broader Federal policies on consensus standards and conformity assessment under the National Technology Transfer and Advancement Act of 1995 (NTTAA) (Pub. L. 104-113). The NTTAA, together with the Office of Management and Budget (OMB) Circular A-119, revised February 10, 1998 (63 FR 8546, February 19, 1998), directs Federal Agencies to use voluntary consensus standards in lieu of government-unique standards except where inconsistent with law or otherwise impractical. OMB CircularA-119 states that the use of voluntary standards, whenever practicable and appropriate, is intended to eliminate the cost to government of developing its own standards and decrease the cost of goods procured and the burden of complying with Agency regulation; provide incentives and opportunities to establish standards that serve national needs; encourage long-term growth for U.S. enterprises and promote efficiency and economic competition through harmonization of standards; and further the policy of reliance upon the private sector to supply government needs for goods and services.

As directed by OMB in CircularA-119, the National Institute of Standards and Technology (NIST), in the Federal Register of August 10, 2000 (65 FR 48894), issued policy guidance on Federal conformity assessment activities (defined as activities concerned with determining directly or indirectly that requirements for products, services, systems, and organizations are fulfilled) (15 CFR 287.2). The Federal conformity assessment guidance is codified at 15 CFR part 287 and applies to all Federal Agencies that set policy for, manage, operate, or use conformity assessment activities or results, domestically and internationally (except for activities conducted pursuant to treaties) and is intended to eliminate unnecessary duplication and complexity in conformity assessment requirements. (We note that OMB has announced it is currently revising Circular A-119, and NIST is revising the Federal conformity assessment guidance.)

We agree with comments on the value of promoting international consistency and tapping into an existing framework of consensus standards that is familiar to industry, which may make it easier for accreditation bodies, third-party certification bodies, and eligible entities to comply with this rule. Therefore, we are revising the rule to allow for accreditation bodies and third-party certification bodies to use documentation of their conformance with ISO/IEC standards in meeting the program requirements under this rule, supplemented as necessary. We are not, however, incorporating these standards by reference into the rule as further discussed in our responses to comments in sections III. to XIII., except that we are not further responding to comments citing specific requirements of ISO/IEC Guide 65:1996, Conformity assessment—Requirements for bodies providing audit and certification of management systems (ISO/IEC Guide 65:1996) (Ref. 9) in sections III. to XIII., because that standard has been withdrawn and replaced by ISO/IEC 17065:2012 (Ref. 7) in September 2015. Comments referring to ISO/IEC 17020:2012, Conformity assessment—Requirements for the operation of various types of bodies performing inspection (ISO/IEC 17020:2012) (Ref. 10) are outside the scope of this rulemaking, because that standard relates to inspections and not the auditing and certification activities that will be performed under this rule. Therefore, we are not responding to comments citing to ISO/IEC 17020:2012, Conformity assessment—Requirements for the operation of various types of bodies performing inspection (ISO/IEC 17020:2012) (Ref. 10) in sections III. to XIII.

We also received several comments on the overarching issue of using private food safety schemes as audit criteria for regulatory audits conducted under the third-party certification program. Some comments suggest that FDA should rely on private food safety schemes, particularly those that have been benchmarked by the Global Food Safety Initiative (GFSI), as the audit criteria for regulatory audits of eligible entities under the third-party certification program. Other comments suggest that FDA should establish requirements for accreditation bodies and third-party certification bodies that are similar to those required by GFSI, such as GFSI requirements relating to accreditation under relevant ISO/IEC product certification or management system standards.

By way of background, a group of international retailers established GFSI in 2000 with the goal of reducing the need for duplicative third-party audits by benchmarking private food safety schemes against a harmonized set of Start Printed Page 74576criteria for food safety and management systems (see 78 FR 45782 at 45788; July 29, 2013). Under current GFSI criteria, a food safety scheme must have a commitment with one or more accreditation bodies for certification bodies that operate in conformance with either the product certification standard, ISO/IEC Guide 65, or the management system standard, ISO/IEC 17021:2006 (supplemented by ISO/TS 22003). GFSI describes these standards as having similar requirements for how a certification body must operate—e.g., in addressing issues of preventing conflict of interest, managing customer information, properly qualifying personnel, auditor calibration, and many other aspects involved with the certification process. However, as GFSI noted in a 2011 White Paper (Ref. 11), there is a distinct difference between the two. ISO 17021/ISO 22003 is not product specific. ISO/IEC Guide 65, on the other hand, is concerned with verifying that particular products or services meet specified requirements. The type and scope of GFSI benchmarked scheme selected, determines the accreditation standard which applies. The majority of GFSI recognized schemes fall under ISO/IEC Guide 65 accreditation requirements, whereas only two currently recognized schemes are management system schemes accredited to ISO 17021/ISO 22003.

Comments suggesting that we should rely on GFSI-benchmarked food safety schemes or other private food safety schemes as the criteria for certification under the third-party program are outside the scope of this rulemaking. This rule establishes the framework for the third-party certification program, and not the food safety standards that accredited third-party certification bodies will use to determine an eligible entity's compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. We are however responding to relevant comments that address audit quality and auditor competency, consistency, and capacity, including comments referencing GFSI's work in these areas.

Other overarching comments ask how the FSMA third-party certification program relates to the roles of foreign competent authorities and to FDA's international activities. Some comments assert that competent authorities should be allowed to participate in the third-party certification program purely by administrative procedures without a formal review process. Other comments suggest that government agencies with both regulatory and trade promotion missions face inherent conflicts of interest.

Some comments recommend that we should establish a different structure for accrediting third-party certification bodies that already have been approved by a foreign government accreditation body. Other comments suggest that FDA should reserve the role of accreditation body or third-party certification body for a national competent authority that requests it. The comments argue that the responsibility for monitoring the safety of food exports should remain with the national competent authorities in each country.

Some comments ask whether a national competent authority has a role in auditing and certification activities occurring in the country, including in countries where an FDA foreign office is located. Other comments ask whether the competent authority may perform other activities in the third-party certification program, such as authentication of audit information before it is submitted to FDA. Still other comments suggest that FDA require accredited third-party certification bodies to review correspondence between an audited eligible entity and the competent authorities in the country where the eligible entity is located.

Section 808 of the FD&C Act expressly provides for both public and private accredited third-party certification bodies. Public accreditation bodies and third-party certification bodies, as well as private accreditation bodies and third-party certification bodies that meet the eligibility requirements for recognition and accreditation under section 808 of the FD&C Act and this rule are equally eligible to participate in the third-party certification program. This includes government accreditation bodies and certification bodies in countries where FDA has a foreign office, as well as government agencies with the dual missions of food safety and trade promotion. We believe that both public and private third-party certification bodies and accreditation bodies are capable of exhibiting the competency, capacity, and impartiality necessary to meet the letter and spirit of the law and this regulation.

By becoming an accredited third-party certification body or a recognized accreditation body, a competent authority for food safety or a foreign accreditation body would establish a role in the third-party certification program. Only if competent authorities are accredited under this rule, may they issue food and facility certifications under section 808 of the FD&C Act. (We note, however, that FDA may require certifications from competent authorities under section 801(q) of the FD&C Act for foods that FDA determines meet the criteria set forth in that section (see 801(q)(3)(A) of the FD&C Act), regardless of whether the competent authorities are accredited.) We acknowledge that the third-party certification program that is the subject of this rule is narrowly tailored and only a small piece of the much larger modernized, prevention-oriented food safety system we are establishing under FSMA. Broader FSMA activities are outside the scope of this rulemaking, as are matters covered by FDA's information sharing arrangements with foreign competent authorities.

We received other comments on the overarching issue of how the third-party certification program fits into FDA's international activities. Some comments assert that, for countries with a systems recognition agreement with FDA, there should be no need for a (direct or indirect) role for FDA in monitoring accredited third-party certification bodies. Other comments encourage us to recognize their national food safety system as equivalent to that of the United States.

The systems recognition initiative is a food safety regulatory cooperation program that allows FDA to take into account the role of food safety systems of exporting countries in our risk-based decisionmaking. We are using systems recognition as a tool to determine when we can rely on the implementation of science-based food safety programs by foreign regulatory authorities and take action based on information provided by such authorities.

We note that a competent authority with whom FDA has a systems recognition agreement must apply for recognition to make accreditation decisions and apply for accreditation to issue certifications under section 808 of the FD&C Act. If the competent authority applies for recognition or direct accreditation by FDA (assuming that the statutory criteria have been met for FDA to begin direct accreditation), FDA's review will be informed by the data, experiences, and insights into the foreign system that FDA gained through the systems recognition review. Except as described above, systems recognition activities are outside the scope of this rulemaking, as are equivalency determinations.

We also received several overarching comments noting that the lack of qualified food safety auditors is a problem in many countries. Some comments suggest that we may face similar problems with the availability of accredited third-party certification Start Printed Page 74577bodies in our program. The comments assert that we should prioritize the review of applications from foreign countries with significant volumes of exports to the United States because of the cost and inconvenience to foreign suppliers and the likely trade disruption that would result if the only accredited third-party certification bodies were located in other countries. Some comments predict that rapid expansion in the field of food safety auditing may result in shortcuts in auditing. Other comments contend that because of the limited availability of qualified auditors we should adjust the timeframes for accredited third-party certification bodies to submit information to FDA under the regulations. The comments specifically request that we lengthen the 45-day timeframe for submitting regulatory audit reports.

We acknowledge the concerns about cost, inconvenience, and disruption resulting from auditor capacity issues. We are encouraging broad program participation to minimize the likelihood that capacity issues might emerge, because certifications issued by accredited third-party certification bodies under this program are intended to facilitate trade. The certifications are used in meeting the eligibility requirements of VQIP for expedited entry of food under section 806 of the FD&C Act and in satisfying a condition of admissibility for a food subject an FDA determination under section 801(q) of the FD&C Act.

Revisions have been made to this rule made in response to comments, such as allowing accreditation bodies and third-party certification bodies to use documentation of their conformance with ISO/IEC standards in support of their applications. We also are modifying our “first in, first out” approach to processing applications, as comments request, to allow for prioritizing specific applications and requests based on program needs. We are unable to accommodate the request to lengthen the timeframe for submission of regulatory audit reports to FDA, because the 45-day deadline for submission is established in section 808(c)(3)(A) of the FD&C Act. Audit protocols and other requirements of the rule are designed to prevent audit agents (auditors) and third-party certification bodies from taking shortcuts that would jeopardize audit results.

Some comments addressed the Model Accreditation Standards that FDA is required to develop under section 808(b)(2) of the FD&C Act for use in qualifying third-party certification bodies for accreditation. Some of these comments suggest various criteria to be included in the model standards. Other comments suggest the proposed rule was ambiguous with respect to the form of, and manner by which, FDA will establish the Model Accreditation Standards.

While the substance of the Model Accreditation Standards is outside the scope of this rulemaking, we note that on July 24, 2015, FDA published a draft guidance on Model Accreditation Standards. The draft guidance can be accessed at: http://www.fda.gov/​Food/​GuidanceRegulation/​GuidancevDocumentsRegulatoryInformation/​ucm455328.htm. Additionally, a notice was published in the Federal Register (80 FR 44137, July 24, 2015) of the availability of the draft guidance and of the opening of a docket for public comments on the document. As explained in the draft guidance, section 808(b)(2) of the FD&C Act requires FDA to develop Model Accreditation Standards that recognized accreditation bodies shall use to qualify third-party certification bodies for accreditation, and in so doing, to look to existing standards for certification bodies (as of the date of enactment of FSMA) to avoid unnecessary duplication of efforts and costs. The draft guidance contains FDA recommendations on third-party certification body qualifications, including recommendations based on relevant provisions in the proposed rule. This final rule will serve as a framework for the Model Accreditation Standards final guidance, which will include more detailed recommendations on third-party certification body qualifications.

Some comments respond to our request for input on the question about the value of, and possible need for, FDA to establish a program for use of accredited third-party certification bodies to conduct domestic food safety audits (78 FR 45782 at 45823). We received comments on all sides, expressing various views. We are taking these comments under advisement at this time, as the focus of this final rule is on establishing and implementing the third-party certification program set forth in section 808 of the FD&C Act.

Other comments addressed the substance of VQIP, import certification, laboratory accreditation, and provisions in the proposed FSVP rule and/or other FMSA rules that are outside the scope of this rulemaking; accordingly we will not be responding to those comments here. Other comments that fall outside the scope of this rulemaking, and to which we will therefore not be responding, include comments on the value of a universal, mandatory food safety system; comments advocating for policies promoting locally grown produce; comments addressing the information technology infrastructure needs of the third-party certification program; comments suggesting the value of student interns to the food safety system; and comments on factors beyond the use of third-party audits that FDA should consider in setting inspection priorities.

We also received a few comments concerning the rulemaking process. Comments suggest that we devise a new process for regularly updating the rule; they state that FDA has cumbersome requirements for modifying rules. FDA's current rulemaking process is consistent with FDA's obligations under the Administrative Procedure Act (5 U.S.C. 551-559).

II. Legal Authority

Section 307 of FSMA, Accreditation of Third-Party Auditors, amends the FD&C Act to create a new provision, section 808, under the same name. Section 808(b)(1)(A) of the FD&C Act requires us to establish a system, within 2 years of the enactment of FSMA, for the recognition of accreditation bodies that accredit third-party certification bodies to conduct food safety audits and to issue certifications for eligible foreign food entities and their products for purposes of sections 801(q) and 806 of the FD&C Act.

Section 808(c)(5)(C) of the FD&C Act directs us to issue implementing regulations for section 808 of the FD&C Act. The regulations must require audits to be unannounced and must contain protections against conflicts of interest between accredited third-party certification bodies (and their audit agents) and the entities they audit or certify, including requirements on timing and public disclosure of fees and appropriate limits on financial affiliations (21 U.S.C. 384d(c)(5)(C)(i), (ii), and (iii)).

This final rule establishes regulations implementing section 808 of the FD&C Act. The authority for the requirements in this rule comes primarily from section 808 of the FD&C Act. However, FDA also derives authority for this final rule from other sections of the FD&C Act, including section 701(a) of the FD&C Act (21 U.S.C. 371(a)), which authorizes us to issue regulations for the efficient enforcement of the FD&C Act. The regulations in this final rule ensure the competency and independence of recognized accreditation bodies and of accredited third-party certification bodies, which will help ensure the validity and reliability of certifications and other information resulting from the food safety audits conducted by Start Printed Page 74578accredited third-party certification bodies. These features of the final rule are essential to the operation of the third-party program. This rule also is consistent with section 404 of FSMA (21 U.S.C. 2252), which states that nothing in FSMA should be construed in a manner that is inconsistent with the agreement establishing the World Trade Organization or any other treaty or international agreement to which the United States is a party.

This rule establishes requirements for accreditation bodies and third-party certification bodies seeking recognition and accreditation, respectively. These requirements will help ensure that any accreditation bodies that we recognize, and any certification bodies that are accredited, are capable of meeting all of the requirements of this program. This includes requirements, for example, for legal authority and competency and capacity. It also includes provisions for the direct accreditation of third-party certification bodies by FDA in accordance with section 808(b)(1)(A)(ii) of the FD&C Act. This rule also establishes requirements for accreditation bodies that have been recognized, and third-party certification bodies that have been accredited. This includes requirements designed to decrease the potential for conflicts of interest in accordance with section 808(c)(5)(C)(ii) of the FD&C Act. Additionally, this rule establishes requirements for eligible entities that want to be certified under this program. This includes requirements for onsite audits by FDA for the purpose of monitoring in accordance with section 808(f)(3) of the FD&C Act. Finally, this rule establishes general requirements related to the operation of this program. These include requirements for requesting a regulatory hearing on revocation of recognition or withdrawal of accreditation.

Some of the requirements under this final rule are also established, in part, under the authority in sections 806 and 801(q) of the FD&C Act. Section 806 of the FD&C Act describes a voluntary program to provide for the expedited review and importation of food offered for importation from certified facilities (VQIP). Section 801(q) of the FD&C Act gives FDA authority to require certifications for imported food in certain situations. This final rule does not set up the framework for participation in the program described under section 806 of the FD&C Act, nor does it describe the circumstances under which FDA might require certification under section 801(q) of the FD&C Act. However, this rule does describe circumstances under which FDA might refuse to consider a certification issued under this program in determining the admissibility of an article of food for which the certification was offered under section 801(q) of the FD&C Act, or in determining eligibility for participation in VQIP under section 806 of the FD&C Act. Additionally, this rule creates limited exemptions from the certification requirements of section 801(q) of the FD&C Act for certain alcoholic beverages, including certain raw materials and ingredients that are used to manufacture/process alcoholic beverages. The exemptions are being promulgated consistent with section 116 of FSMA (21 U.S.C. 2206). Section 116(a) of FSMA states that, except as provided by certain listed sections in FSMA, nothing in FSMA, or the amendments made by FSMA, will be construed to apply to a facility that: (1) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.) is required to obtain a permit or to register with the Secretary of the Treasury as a condition of doing business in the United States and (2) under section 415 of the FD&C Act (21 U.S.C. 350d) is required to register as a facility because such facility is engaged in manufacturing, processing, packing, or holding one or more alcoholic beverages (with respect to the activities of such facility that relate to the manufacturing, processing, packing, or holding of alcoholic beverages). This rule also creates exemptions from the certification requirements of section 801(q) of the FD&C Act for products subject to the requirements of the U.S. Department of Agriculture (USDA) under the Federal Meat Inspection Act (FMIA) (21 U.S.C. 601 et seq.), the Poultry Products Inspection Act (PPIA) (21 U.S.C. 451 et seq.), or the Egg Products Inspection Act (EPIA) (21 U.S.C. 1031 et seq.) at the time of importation. We conclude that this provision is consistent with section 403 of FSMA, entitled “Rule of Construction,” which states that nothing in FSMA shall be construed to alter or limit the jurisdiction of the Secretary of the Department of Agriculture.

III. Comments on What Definitions Apply to This Subpart (§ 1.600)

We proposed to codify definitions of several terms used in the third-party certification regulations. We received several comments on this section. As discussed in the following paragraphs, we have revised many of the proposed definitions in response to comments as well as on our own initiative. Where we disagree with comments or decline a suggested revision, we offer an explanation in response. Some definitions were finalized as proposed.

The definitions for terms used in the third-party certification regulations are codified in 21 CFR 1.600.

A. Definitions, Generally

(Comment 1) Several comments encourage us to more closely align the definitions in § 1.600 with international standards to promote consistency and common understanding of the rule. The comments explain that the terms and definitions used in section 808 of the FD&C Act and in the proposed rule convey a different meaning for accreditation bodies, certification bodies, and the standards community. To that end, some comments encourage us to avoid using the term “third-party auditor” synonymously with “certification body,” to be consistent with international standards, which use the term “certification body” (e.g., ISO/IEC 17065:2012 (Ref.7).

Similarly, some comments indicate that, the language of the statute notwithstanding, it is not correct to use the term “third-party auditor” when describing the activities of a “third-party certification body.” The comments explain that auditors are individuals contracted or employed by certification bodies to conduct audits, and they urge us to clarify the rule by substituting “certification body” for “third-party auditor.”

(Response 1) We agree that alignment with the terminology used in international standards is preferable, wherever possible. Congress recognized the value of international standards in accreditation and certification, having instructed us in section 808(b)(2) of the FD&C Act to look to existing standards in developing our model accreditation standards to avoid unnecessary duplication of efforts and costs. We believe it is particularly useful to rely on definitions and terminology from international consensus standards when possible where, as here, the rule is establishing a voluntary program with an international focus. In addition, we agree that, notwithstanding the use of the term “third-party auditor” in the statute, the use of the term “third-party certification body” instead of the term “third-party auditor” provides some clarity for purposes of referring to bodies that employ or contract individuals to perform audits.

Therefore, in response to the comments suggesting the term “third-party auditor” is confusing and inconsistent with international standards, we are using the term “third-party certification body” in the Start Printed Page 74579remainder of the preamble and in the codified of this final rule, except in the definitions of “Accredited third-party certification body” and “Third-party certification body” in § 1.600(c) and in the preamble discussion of those definitions.

On our own initiative, we are including the descriptor “third-party” before “certification body” throughout this final rule. We did not use that descriptor in the proposed rule when referring to a third-party auditor/certification body once accredited. We are doing so now in order that the term accurately reflects that, under this subpart, only third-party certification bodies are eligible for accreditation. We are making corresponding changes to the term “accredited auditor/certification body;” and in this final rule we will instead use the term, “accredited third-party certification body.”

Accordingly, we have revised the proposed definitions of “accreditation,” “accreditation body,” “accredited auditor/certification body,” “audit,” “audit agent,” “certification body,” “direct accreditation,” “eligible entity,” “facility certification,” “food certification,” “recognized accreditation body,” “relinquishment,” and “self-assessment,” to replace the term “third-party auditor” with the term “third-party certification body,” or “third-party certification bodies,” and to remove “auditor/” from in the term “third-party auditor/certification body” or “third-party auditors/certification bodies” that was used in the proposed rule.

On our own initiative, we added a sentence to the definition of “accredited third-party certification body” in § 1.600 of this final rule to explain that the term has the same meaning as “accredited third-party auditor” as defined in section 808(a)(4) of the FD&C Act. Similarly, we added language to the definition of “third-party certification body” in § 1.600 of this final rule explaining that the term has the same meaning as “third-party auditor” as defined in section 808(a)(3) of the FD&C Act.

(Comment 2) Some comments encourage us to make the definitions in this rule consistent with the definitions in other FSMA proposed rules, such as the 2013 proposed FSVP regulation, the 2013 proposed human preventive controls regulation, the 2013 proposed animal preventive controls regulation, and the 2012 proposed produce safety regulation, where feasible.

(Response 2) We agree with the comments on the overarching goal of alignment across regulations and accepted suggested revisions, where feasible and appropriate. However, it is not always possible to develop uniform definitions due to the distinct statutory requirements and the framework of each program. In such cases where it was not feasible or appropriate, we declined the suggested revisions from comments. We discuss such comments and our responses under each relevant term.

B. Assessment

We did not define “assessment” in the proposed rule.

(Comment 3) Some comments recommend adding a definition of “assessment” based on ISO/IEC 17011:2004 (Ref. 5), clause 3.7, which describes the process for evaluating certification bodies. The comments explain that defining such evaluations as “audits,” as we had proposed, is inconsistent with international standards. The comments suggest consulting with other ISO/IEC standards for relevant terminology.

(Response 3) We agree that the term “assessment” should be used, in part, to refer to the activity undertaken to assess the competency and capacity of a third-party certification body under the rule. We reviewed ISO/IEC 17011:2004 (Ref. 5) (clause 3.7 and NOTE) and ISO/IEC 17000:2004 (Ref. 4), ISO/IEC 17040:2005 Conformity assessment—General requirements for peer assessment of conformity assessment bodies and accreditation bodies (ISO/IEC 17040:2005) (Ref. 12), and an International Accreditation Forum (IAF) document entitled, “IAF Endorsed Normative Documents” (Ref. 13).

After considering the comments and reviewing the referenced documents, we developed a definition of “assessment” that describes, with respect to accreditation bodies, the activity undertaken by FDA to evaluate the competency and capacity of the accreditation body under the applicable requirements of this rule. With respect to certification bodies, “assessment” describes the activity undertaken by a recognized accreditation body (or, in the case of direct accreditation, FDA) to evaluate the competency and capacity of a certification body under the applicable requirements of this rule. We also made corresponding changes to the definition of “audit” from proposed § 1.600(c) by removing clauses (1) and (2).

C. Audit

We proposed a definition of “audit” describing the examination of accreditation bodies, third-party certification bodies, and eligible entities. We proposed to define an audit of an accreditation body as an examination by FDA of the accreditation body's authority, qualifications, resources, policies, procedures, and performance, as well as of its capability to meet the requirements of the proposed rule. We proposed to define an audit of a third-party certification body as an examination by a recognized accreditation body (or, by FDA, for direct accreditation) of the third-party certification body's authority, qualifications, resources, policies, procedures, and performance, as well as of its capability to meet the requirements of the proposed rule. We proposed to define an audit of an eligible entity as an examination by an accredited third-party certification body of the eligible entity to assess the entity, its facility, system(s), and food using audit criteria for consultative or regulatory audits, and, for consultative audits, also including an assessment of compliance with applicable industry standards and practices.

We received some comments on the proposed definition of “audit,” and the related definitions of “consultative audit” and “regulatory audit.” Comments specific to the definition of “consultative audit” are discussed in section III.E., and comments on the definition of “regulatory audit” are discussed in section III.L. As described in Response 3, we also removed clauses (1) and (2) from the proposed definition of “audit” because those evaluations are “assessments” as the term is defined in § 1.600(c).

On our own initiative, we are revising the definition of “audit” to clarify that an audit conducted under this subpart is not an inspection under section 704 of the FD&C Act (21 U.S.C. 374).

(Comment 4) Several comments encourage us to align our definition of audit with relevant international standards, and some comments request that we use the definition of “audit” from the Codex “Principles for Food Import and Export Inspection and Certification” (CAC/GL 20-1995) (Ref. 14), which defines “audit” as a “systematic and functionally independent examination to determine whether activities and related results comply with planned objectives.”

(Response 4) We agree with the general principle of creating consistency with international standards and have revised the definition of “audit” in § 1.600(c) accordingly. Rather than describing the determination of whether activities comply with “planned objectives” that appears in the Codex definition of “audit” (Ref. 14), we inserted a brief description of the objectives of consultative and regulatory audits from the definitions in section 808(a)(5) and (7) of the FD&C Act (i.e., Start Printed Page 74580the examination of an eligible entity under this rule).

(Comment 5) Some comments encourage us to remove the proposed definition of “audit” in § 1.600(c) and substitute the FSVP definition of “audit” instead, to promote consistency and a common understanding of terminology.

(Response 5) We disagree. We believe that it is more important for the definition in this rule to reflect international standards that are generally well known to the parties subject to this rule than it is for the definition to mirror the definition in FSVP, which has different applicability. FSVP applies to importers; this rule applies to accreditation bodies, third-party certification bodies, and eligible entities. Therefore, we are rejecting the suggestion to use the FSVP definition of “audit” as the definition of “audit” in § 1.600(c).

(Comment 6) We received some comments on the definition of “audit” regarding its relationship to the related definitions of “consultative audit” and “regulatory audit” in § 1.600(c). Some comments recommend that we revise the definition of “audit” to mean only regulatory audits, and not consultative audits, asserting that is how the word “audit” is used in the statute. These comments contend that the statute must be interpreted in light of the fact that section 808 of the FD&C Act is directed to food and facility certifications, which are only accomplished through regulatory audits. Other comments ask us to clarify that the services of an accredited third-party certification body that fall short of the definition of an “audit” (e.g., informal consulting, continuous improvement programs, and limited purpose audits) under this rule, are not subject to the requirements of the rule.

(Response 6) We decline the suggestion to interpret section 808 of the FD&C Act in a manner that would equate “audit” with “regulatory audit.” Section 808 of the FD&C Act defines two types of audits used under the program, consultative audits and regulatory audits, and contains requirements relating to each. (See, e.g., section 808(a)(5), (7), and (c)(3)(A) of the FD&C Act). In addition, section 808(c)(4)(B) of the FD&C Act expressly allows an accredited third-party certification body or an audit agent of such auditor to perform consultative and regulatory audits of eligible entities.

To the extent that other comments suggest creating a list of exceptions from the definition of “audit” in the codified for this rule, we decline to do so. To the extent that these comments were seeking clarification of the definition of “consultative audit” in § 1.600(c), and what types of activities might fall outside of that definition as well as outside of this program, please see the discussion in Response 9 in section III.E.

(Comment 7) Some comments express confusion about the criteria that accredited third-party certification bodies will be using in conducting audits under subpart M and ask us to more clearly describe the “applicable requirements” against which compliance will be evaluated. Some comments are concerned that eligible entities might be audited against requirements that do not apply to their operations. For example, some comments note that firms subject to the final animal preventive controls regulation should not be assessed for compliance with the allergen cross contamination requirements of the final human preventive controls regulation. Other comments ask us to clarify whether the “applicable requirements” are limited to requirements that appear in the FD&C Act or FDA regulations, or both.

(Response 7) During regulatory and consultative audits, accredited third-party certification bodies will examine compliance with applicable food safety requirements of the FD&C Act and FDA regulations within the scope of the audit. In consultative audits, the third-party certification bodies also may be conducting an examination to determine conformance with applicable industry standards and practices.

The applicable requirements that accredited third-party certification bodies and their audit agents will use relate to the food safety standards under the FD&C Act, such as the adulterated food provisions in section 402 of the FD&C Act and the provisions on the misbranding of food allergens in section 403(w) of the FD&C Act. The applicable requirements of the FD&C Act and FDA regulations would depend on the type of eligible entity being audited. To use the example given by one of the comments, an eligible entity that is subject to the requirements of the final animal preventive controls regulation, but not the final human preventive controls regulation, would not be subject to an audit examining its practices relating to cross-contamination by food allergens under the final human preventive controls regulation because those are not “applicable food safety requirements” for such an entity.

To help clarify this rule for eligible entities, third-party certification bodies, and accreditation bodies who may be interested in participating in the program and who may not yet be familiar with U.S. laws and regulations, we are using the phrase “applicable food safety requirements of the FD&C Act and FDA regulations” in place of the phrase “applicable requirements” in the definition of “audit” in § 1.600(c) and elsewhere throughout the rule where we are discussing the requirements that will be used in auditing eligible entities.[2]

D. Audit Agent

We proposed to define an “audit agent” as an individual who is an employee or other agent of an accredited third-party certification body who, although not individually accredited, is qualified to conduct food safety audits on behalf of an accredited third-party certification body. Under the proposed rule we also defined an audit agent to include a contractor of the accredited third-party certification body.

(Comment 8) Some comments express concern about our proposal to allow a contractor of an accredited third-party certification body to serve as an audit agent, asserting that “[w]ith each step that is further removed in this process, institutional control is lost exponentially.” The comments point out that a subcontractor conducted the audit and gave a passing audit score to a cantaloupe farm and packing facility that used “improper and unsafe processing equipment” and subsequently was linked to a deadly outbreak caused by Listeria monocytogenes. Other comments mentioning the incident cite to an article in Bloomberg News explaining that auditors often outsource to independent contractors over whom they do not have direct management control (Ref. 15). Still other comments offer the cantaloupe outbreak as an example of why auditors must be competent and accountable for their activities.

(Response 8) We understand that third-party certification bodies currently work with individual auditors under many different types of arrangements. We acknowledge concerns raised by comments about recent outbreaks at some domestic facilities that had received satisfactory scores in food safety audits. Further, we agree with the comments on the importance of an accredited third-party certification body exercising adequate control over an audit agent conducting audits on its Start Printed Page 74581behalf. We believe that principle is equally true whether the audit agent is an employee or a contract auditor.

International standards, such as ISO/IEC 17021:2011 (Ref. 6), specifically allow accredited third-party certification bodies to use contractors to perform audits if certain conditions are met. Among other conditions, contract auditors must meet the same level of qualifications (e.g., knowledge, skills, and experience) and the same requirements for impartiality and objectivity as do the auditors the third-party certification body employs. The third-party certification body must exercise adequate control and oversight over a contractor such that the third-party certification body accepts the result of the contractor's audit as its own.

When we proposed to define “audit agent” to include a contractor, we were contemplating arrangements such as those described in ISO/IEC 17021:2011 (Ref. 6) that involve a direct relationship between the accredited third-party certification body and its auditors. We are revising the definition of “audit agent” to clarify that we are excluding subcontractors and other types of outsourcing arrangements; we have concluded that such arrangements fail to provide the degree of control and oversight necessary for an accredited third-party certification body to ensure that its audit agents are competent and objective. An accredited third-party certification body exercises direct supervision over the activities of its employees, and has a direct relationship with a contractor; but the relationship between the third-party certification body and a subcontractor or other type of outsourced staff is attenuated—the third-party certification body may not even choose such persons and may not have any direct authority over them. We do not believe such diminished oversight is appropriate, given the important role of audit agents in this program.

By revising the definition of “audit agent” we are not preventing an accredited third-party certification body from subcontracting for services in areas other than the conduct of audits. For example, an accredited third-party certification body may use subcontractors or other outsourcing arrangements to deliver annual training to its audit agents under § 1.650 or may use subcontractors or other outsourcing arrangements to investigate and decide on appeals of adverse regulatory audit results under § 1.651. However, we are limiting the role of “audit agent” to employees and contractors of the accredited third-party certification body.

E. Consultative Audit

We proposed to define a “consultative audit” as an audit of an eligible entity: (1) To determine whether such entity is in compliance with applicable requirements of the FD&C Act and industry standards and practices and (2) the results of which are for internal purposes only and cannot be used to determine eligibility for a food or facility certification issued under this subpart or in meeting the requirements for an onsite audit of a foreign supplier under subpart L of this part.

(Comment 9) We received several comments on the definition of “consultative audit.” Many comments express concern that the definition of “consultative audit” is overly broad and that some of the requirements that would apply to consultative audits under the proposed rule might create a disincentive to using accredited third-party certification bodies. Some comments urge FDA to remove all requirements associated with consultative audits from the rule. Other comments identify two requirements of particular concern: (1) Proposed § 1.656, requiring an accredited third-party certification body conducting a consultative audit or regulatory audit under the rule to notify FDA immediately upon discovering a condition that could cause or contribute to a serious risk to public health (the notification requirement) and (2) proposed § 1.652, requiring an accredited third-party certification body to provide FDA access to a consultative audit report when the criteria for records access under section 414 of the FD&C Act (21 U.S.C. 350c) are met (the records access requirement). The comments explain that many firms use certification bodies (and/or their consulting divisions) to help establish, maintain, and improve their food safety practices. For example, some firms use certification bodies (and/or their consulting divisions) to help in identifying root causes and remediating food safety problems. Comments also note that certification bodies (and/or their consulting divisions) provide informal counseling, perform preliminary evaluations, limited purpose audits, and activities in support of firms' continuous improvement programs.

Comments express concern that if these types of activities are subject to notification, records access, and other requirements of the rule, firms located outside the United States might not use accredited third-party certification bodies, instead choosing unaccredited third-party certification bodies to avoid the requirements of this rule. The comments assert that unaccredited third-party certification bodies are less likely to have qualified auditors and their independence and objectivity is less certain, than third-party certification bodies that have been evaluated and issued accreditation.

Comments also argue that the definition of “consultative audit,” which states that the results of such an audit are “for internal purposes only,” is inconsistent with the requirements for notification and records access that would apply to consultative audits under the proposed rule. Other comments ask us to clarify that audits conducted for external purposes—for example, an audit for purposes of compliance with FSVP—do not satisfy the definition of a consultative audit because consultative audits are for internal purposes only.

Some comments suggest that the proposed definition of “consultative audit,” taken together with the proposed definitions of “food safety audit” and “regulatory audit,” could preclude third-party certification bodies from conducting any audits that are outside the scope of subpart M, once accredited. Based on that interpretation, the comments predict that few if any third-party certification bodies would want to participate in the program.

Many of the comments that express concern about disincentives also suggest that Congress intended the third-party program to be much narrower than our proposed definition of “consultative audit” would suggest. These comments suggest that the FSMA third-party certification program was intended to be focused on regulatory audits and the issuance of certifications to be used for two limited purposes: i.e., in establishing an importer's eligibility for VQIP and in satisfying a condition of admissibility for a food subject to an FDA safety determination under section 801(q) of the FD&C Act. These comments argue further that Congress inserted the term “consultative audit” in the statute to be used only in reference to the conflicts of interest provisions in section 808(c)(4)(C) and (c)(5) of the FD&C Act; therefore, a broad interpretation of “consultative audit” is inconsistent with Congressional intent. The comments urge us to construe the term “consultative audit” as narrowly as possible.

(Response 9) We recognize that food firms use accredited third-party certification bodies (and their consulting divisions) in various Start Printed Page 74582capacities that serve the ultimate goal of improving food safety. We do not want, nor do we believe Congress intended, for our third-party certification program to create disincentives for food firms seeking to use accredited third-party certification bodies for various purposes to improve food safety practices in their operations. Nevertheless, we decline the request to remove all requirements relating to consultative audits from this final rule. Section 808(c)(5)(C) of the FD&C Act directs us to issue implementing regulations for section 808 of the FD&C Act, which includes some specific provisions relating to consultative audits (e.g., section 808(c)(3)(A) and (C) on consultative audit reports and section 808 (c)(4)(C) of the FD&C Act on audit agents performing regulatory audits of eligible entities of which they performed consultative or regulatory audits within the preceding 13 months). We have, however, revised the definition of “consultative audit” as explained below and have made other revisions to the rule to clarify the scope of such audits and help mitigate possible disincentives to conduct consultative audits, while fulfilling the letter and spirit of the law.

With regard to the comments expressing concerns about an overly broad interpretation of “consultative audit,” we remind readers that the statute endows both regulatory and consultative audits with certain characteristics. For example, section 808(a)(6) of the FD&C Act indicates that an eligible entity must choose to be audited by an accredited third-party certification body, and section 808(c)(5)(C)(i) of the FD&C Act states that audits under this program must be unannounced. We understand these provisions to mean that, at the time the audit services are arranged, an eligible entity must specifically request from an accredited third-party certification body a food safety audit under this rule—that is the only way the accredited third-party certification body would know that the eligible entity is requesting an unannounced subpart M audit to determine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. Further, the eligible entity would need to specify whether it is seeking a regulatory or consultative audit. (In addition to determining whether the eligible entity is in compliance with the food safety requirements of the FD&C Act, consultative audits under section 808 of the FD&C Act also determine whether the eligible entity is in compliance with applicable industry standards and practices). Audits that fall outside the purview of this rule—for example, audits that are conducted by third-party certification bodies that are not accredited under this program, audits that determine compliance with standards other than the food safety requirements of the FD&C Act and FDA regulations (e.g., audits that determine compliance with private standards), audits that are announced, and audits conducted solely for the purposes of supplier verification under the final human or animal preventive controls regulations or the final FSVP regulations—are not covered by, or subject to, the requirements of this rule.

It is impossible to describe or predict all of the audit scenarios that may occur. We emphasize that an accredited third-party certification body can continue to offer auditing and certification services that are outside the scope of this rule, such as on-site supplier verification audits under the final human or animal food preventive controls regulations or the final FSVP regulation. Such audits would not be subject to the requirements of this rule, including the reporting and notification requirements.

In response to comments, we revised the proposed definition of “consultative audit” to clarify that it is an audit conducted in preparation for a regulatory audit under the third-party certification program. A consultative audit would thus be a pre-examination or pre-assessment type of activity imbued with certain characteristics. We further clarify the characteristics of a consultative audit, as well as of a regulatory audit (the results of which can form the basis for issuance of certification under the rule), in the definition of “food safety audit” discussed in section III.J.

F. Eligible Entity

We proposed to define an “eligible entity” as a foreign entity that chooses to be subject to a food safety audit by an accredited third-party certification body. We further proposed that eligible entities include foreign facilities subject to the registration requirements in FDA regulations.

(Comment 10) We received several comments on the definition of “eligible entity.” Some comments request that we provide examples of specific types of entities that satisfy the definition. Some comments offer examples of “eligible entities,” including orchards or farms, packing houses, processing plants, and storage facilities. Other comments suggest we add “and foreign farms” to the end of the definition, to clarify that such entities are eligible to receive audits under subpart M. Some comments encourage us to adjust the definition of “eligible entity” to make it mandatory for foreign food facilities to undergo food safety audits by accredited third-party certification bodies.

(Response 10) The proposed definition of “eligible entity” was based on the statutory definition, which includes facilities subject to the registration requirements in section 415 of the FD&C Act that choose to be audited under the program. At our own initiative we are revising the definition of “eligible entity” in the codified to more accurately track the statute, and we decline the suggestion to add specific examples, such as orchards or farms, that are not included in the statutory definition of “eligible entity.” However, as explained in Response 12 we are revising the definition of “facility” in § 1.600(c) to clarify that entities that grow, harvest, or raise animals for food for consumption in the United States are facilities that are eligible for auditing and certification under this subpart.

We disagree with the comment suggesting that we should make audits under this program mandatory for all foreign food firms by modifying the definition of “eligible entity.” The statute clearly indicates that participation in this program is intended to be voluntary, and only entities that choose to be audited under the program are subject to its requirements (see section 808(a)(6) of the FD&C Act).

(Comment 11) In the proposed rule, we specifically asked for comment on whether to allow for food or facility certification to be issued to a producer group, offering as an example the criteria for groups under the National Organic Program (NOP)—i.e., having multiple sites operating under a single management system and whose farms are “uniform in most ways.” Several comments responded to this inquiry in relation to the definition of “eligible entity.”

Comments in support of certification of a group (e.g., a cooperative being audited as a single eligible entity) note that some producers are very small and might find it difficult on their own to obtain third-party certification, but taken as a group the task would likely be more manageable. Other comments note that treating multiples sites with a single management system as a single eligible entity could be particularly helpful in sectors or regions where there is a scarcity of accredited third-party certification bodies. Some comments argue in support of groups functioning as a single eligible entity as long as the central management system functions effectively, providing oversight to the Start Printed Page 74583members. Comments also note that some multisite sampling protocols have been developed by international organizations, such as ISO.

Other comments encourage us to ensure that cooperatives are subject to this rule, so that all the links in a foreign supply chain are appropriately inspected, and so that they are subject to any applicable regulations before their product is exported to the United States.

Comments not in support of cooperatives being classified as eligible entities note that food safety practices and conditions are site-specific and can vary significantly even if the individual farms are located in the same geographic area (for example, due to soil composition, agricultural water runoff, or the manner in which the land was used in the past). They also note that organic production standards and scientifically-based food safety standards are not the same, so what works for the NOP may not be appropriate here

Some comments encourage us to provide guidance on the acceptable parameters of a cooperative. Some comments encourage us to consider guidance available from other sources beyond the NOP, such as the International Federation of Organic Agriculture Movements.

(Response 11) We decline to revise the definition of eligible entities to include a group. We acknowledge that some very small producers might be daunted by the prospect of working individually with an accredited third-party certification body, and there would be obvious economies in banding together with other very small producers to gain certification. We also acknowledge that some sets of producers do currently function as a unit under a centralized management system, and that group certification may make it easier for entities to access accredited third-party certification bodies in areas or regions where they may be scarce. Nevertheless, after reviewing the NOP, the International Federation of Organic Agricultural Movements, the Canada Organic Office Operation Manual, the USDA Agricultural Marketing Service pilot program on group certification, and other recommended sources, we conclude that it would not be appropriate to allow groups to be certified under this program. Group certification raises a myriad of complicated issues such as establishing who may act as a group, determining the requisites of a central management system, and delineating the minimum requirements for accredited third-party certification body audits of a group.

With regard to the comments contending that certifications from individual eligible entities that might otherwise act as a group would create redundant and unnecessary paperwork for FDA, we will take that sort of information into account as we gain experience with the program. Finally, with regard to the comments encouraging us to define “eligible entity” to include groups to ensure that all their members are examined for compliance with applicable food safety regulations before their food is exported to the United States, we note that this rule does not create audit obligations for all foreign suppliers or for all importers. The third-party certification program created by this rule is a voluntary program for eligible entities who wish to participate.

G. Facility

We proposed to define “facility” as any structure, or structures of an eligible entity under one ownership at one general physical location, or, in the case of a mobile facility, traveling to multiple locations, which manufactures/processes, packs, or holds food for consumption in the United States. The definition went on to state that: (1) Transport vehicles are not facilities if they hold food only in the usual course of business as carriers; (2) a facility may consist of one or more contiguous structures, and a single building may house more than one distinct facility if the facilities are under separate ownership; (3) the private residence of an individual is not a facility; and (4) non-bottled water drinking water collection and distribution establishments and their structures are not facilities.

On our own initiative, we are clarifying that facilities for the purposes of this subpart are not limited to facilities required to be registered under Subpart H.

(Comment 12) Some comments encourage us to align the proposed definition of “facility” to the definition of “facility” in the human and animal preventive controls, produce safety, and FSVP regulations, to promote consistency and common understanding of the rules.

(Response 12) As previously noted, we agree with the comments on the importance of consistency across regulations, where feasible and appropriate. We reviewed the definitions of “facility” in the final FSVP and final human preventive controls regulations, and found those definitions to be too narrow in light of the purpose of this rule to establish a voluntary program for certification of foods and facilities and the broad definition of “eligible entity” in section 808(a)(6) of the FD&C Act. Of our own initiative, in order to preserve the option for broad participation in the third-party program, we are expressly including in the definition of “facility” those entities that grow, harvest, or raise animals for food for consumption in the United States.

H. Facility Certification and Food Certification

We proposed to define “facility certification” as an attestation, issued for purposes of section 806 of the FD&C Act by an accredited third-party certification body, after conducting a regulatory audit and any other activities necessary to establish that a facility meets the applicable requirements of the FD&C Act. We proposed to define “food certification” as an attestation, issued for purposes of section 801(q) of the FD&C Act by an accredited third-party certification body, after conducting a regulatory audit and any other activities necessary to establish that a food meets the applicable requirements of the FD&C Act.

(Comment 13) We received some comments on the definitions of “facility certification” and “food certification.” Some of these comments raise group certification issues which we address above, in connection with the definition of “foreign cooperative.” Some comments state that “food certification” is improper terminology, because it implies a product certification model, whereas audits of eligible entities—particularly in the produce sector—generally assess processes and/or management systems.

(Response 13) The term “food certification” appears in the statute and is specifically discussed in the statute as a type of certification that may be used in meeting a condition of admissibility under section 801(q) of the FD&C Act. Under section 808(c)(2)(C) of the FD&C Act, food certifications may only issue upon conduct of a regulatory audit. In light of the statutory language, we decline to revise the term “food certification” in response to the comments on this rule.

We also note that section 801(q)(1) of the FD&C Act allows for FDA to accept “a listing of certified facilities that manufacture, process, pack, or hold food, or other assurances deemed appropriate by FDA” to satisfy the condition of admissibility. Of our own initiative, in light of this statutory language, we are clarifying in the definition of “facility certification” that Start Printed Page 74584a facility certification may be issued for purposes of 801(q) of the FD&C Act.

I. Food

In proposed § 1.600(b), we stated unless otherwise defined in § 1.600(c) of the proposed rule, definitions of terms in section 201 of the FD&C Act would apply to terms used in this subpart. Section 201 of the FD&C Act defines “food” as “(1) articles used for food or drink for man or other animals, (2) chewing gum, and (3) articles used for components of any such article.” Proposed § 1.600(c) did not define the term “food.”

(Comment 14) Some comments request that we define “food” consistent with how it was defined in the FSVP proposed rule for consistency and to indicate that producers of food contact substances are eligible entities.

(Response 14) The proposed definition of “food” under § 1.600 would include pesticides when they meet the definition of “food” under section 201 of the FD&C Act. By contrast, the FSVP rule's proposed definition of food explicitly does not include pesticides, as defined in 7 U.S.C. 136(u), consistent with the definition of “food” used in the rulemaking on the Prior Notice of Imported Food Under the Public Health Security and Bioterrorism Preparedness Act of 2002 (prior notice rule). FDA received comments during that rulemaking questioning the applicability of the rule to pesticides, so FDA clarified that “food” for the purposes of that rule did not include pesticides.

The final FSVP regulation, which is publishing elsewhere in this issue of the Federal Register, retains the exclusion of pesticides from the definition of “food.”

In response to comments suggesting revision of the definition of “food” in this rule to be consistent with the final FSVP regulation, we considered the purposes that certifications serve under this program and the nature of comments we received on the third-party proposed rule, including general comments requesting alignment across the FSMA rules and comments specifically requesting that we use the FSVP definition of “food.” Certifications issued by accredited third-party certification bodies may be used in establishing an importer's eligibility to participate in VQIP and in satisfying a condition of admissibility for an imported food that we determine poses a safety risk under section 801(q) of the FD&C Act.

While certifications may be useful in addressing pesticide contamination of food (e.g., pesticide levels in food that exceed established tolerances), we have not identified a need for certifications to address pesticides as articles of food, nor do we anticipate a role for food safety audits in pesticide manufacturing facilities. Accordingly, we are revising the final rule by adding to § 1.600(c) a definition of “food” that excludes pesticides.

We also agree with the comment that producers of food contact substances could be eligible entities under this rule and that food contact substances should be considered food for the purposes of this rule. Third-party food safety audits and certifications for food contact substances could potentially be useful given the possibility of migration of harmful food contact substances into food or contamination of food contact materials that directly contact food. Accordingly, we are revising the proposed definition of “food” to exclude pesticides and retain “food contact substances” in the definition of “food” in this final rule, consistent with the definition of “food” in the final FSVP regulation.

J. Food Safety Audit

We proposed to define “food safety audit” as a regulatory audit or a consultative audit.

(Comment 15) We received a few comments on the definition of “food safety audit.” Some comments request that we remove consultative audits from the definition of “food safety audit,” asserting that consultative audits should not be subject to the reporting and notification requirements associated with “food safety audits.” Other comments say we should replace the term “food safety audit” with “regulatory audit,” as a matter of statutory construction and sound policy. Finally, some comments suggest that we delete the definition of “food safety audit” altogether.

(Response 15) We are retaining the definition of “food safety audit” as a useful definition to describe regulatory and consultative audits that fall under the requirements of this rule. As described in Response 9, we have revised the definition of “consultative audit” to clarify that it is an audit conducted in preparation for a regulatory audit under the third-party certification program. Although an audit meeting that definition would be subject to certain reporting and notification requirements, there are many types of audits/arrangements that would not fall within the definition of “consultative audit” or “regulatory audit,” and would therefore not be subject to the requirements of this rule, including the reporting and notification requirements. Therefore, including consultative audits in the definition of “food safety audit” will not prevent eligible entities from using accredited third-party certification bodies for auditing arrangements that fall outside of the scope of this rule and do not trigger the requirements of this rule. To further address comments' concerns, we are modifying the definition of “food safety audit” to provide clarification regarding what types of audits/activities would fall outside of the scope of this rule. Specifically, we clarify that a food safety audit must be declared by an eligible entity at the time of audit planning and must be conducted on an unannounced basis consistent with sections 808(b)(6) and 808(c)(5)(C) of the FD&C Act.

K. Foreign Cooperative

We proposed to define “foreign cooperative” as an entity that aggregates food from growers or processors that is intended for export to the United States.

On our own initiative, we are replacing the phrase “entity that aggregates” with “autonomous association of persons, identified as members, who are united through a jointly owned enterprise to aggregate” for clarification purposes.

(Comment 16) Some comments suggest that we add a definition for “consolidator.” The comments contrast consolidators with cooperatives and argue that consolidators act essentially as brokers that purchase products from several sources and then export the total set to the United States. According to these comments, consolidators do not own or manage the individual sites and generally do not have control over or even knowledge of the processing procedures.

(Response 16) We agree with the comment that an entity without a single management system that exercises control over the manner in which individual sites meet the applicable food safety requirements of the FD&C Act and FDA regulations would not be an eligible entity. However, we disagree that adding a definition of “consolidator” would be helpful because whether an entity is a “consolidator” has no bearing on the requirements of this rule.

(Comment 17) Some comments point out that while the proposed rule indicates a foreign cooperative could be an accreditation body or a third-party certification body, in their countries the government is the accreditation body. Also, in some places the government authorizes certain parties to conduct audit activities and those parties are under the control and supervision of the Start Printed Page 74585government. Accordingly, the comments suggest that we indicate in which countries and in which cases a foreign cooperative could be an accreditation body or a third-party certification body. Other comments recommend more detail on how cooperatives are defined, and how they would conform to FDA requirements for third-party certification bodies.

(Response 17) We currently are not in a position to be able to determine which countries or which foreign cooperatives may be adequately qualified to become accredited under the third-party certification program. We note that section 808 of the FD&C Act expressly allows foreign cooperatives to serve as accredited third-party certification bodies if they are adequately qualified and independent of the eligible entities they audit or certify under the third-party certification program. Therefore, we are not categorically excluding foreign cooperatives from the third-party certification program, nor are we making any categorical decisions on whether governmental accreditation bodies have conflicts that would preclude them from accrediting such foreign cooperatives under the program.

L. Regulatory Audit

We proposed to define a “regulatory audit” as an audit of an eligible entity to determine whether such entity is in compliance with the provisions of the FD&C Act and the results of which are used in determining eligibility for food certification under section 801(q) of the FD&C Act or facility certification under section 806 of the FD&C Act, and may be used by an importer in meeting the requirements for an onsite audit of a foreign supplier under the FSVP program.

(Comment 18) Some comments request that we clarify the definition of “regulatory audit.”

(Response 18) The comments requesting clarification failed to mention specific characteristics in the definition needing clarification and did not offer suggestions for clarification. Therefore, we decline to modify the definition based on these comments. However, on our own initiative we have revised the definition of “regulatory audit” by removing the clause “, and may be used by an importer in meeting the requirements for an onsite audit of a foreign supplier under subpart L of this part” that does not appear in the statute. We did this in part to avoid confusion. We emphasize that an audit conducted for the purposes of FSVP would not need to be conducted by a third-party certification body under this subpart. See section XIII.G. Nor are facilities required to use third-party certification bodies accredited under this rule in meeting their supplier verification requirements under the final human or animal preventive controls regulations. On our own initiative, we are revising the definition of “regulatory audit” to clarify that the results of a regulatory audit may be used to determine eligibility for any certifications that may be used for purposes of section 801(q) or section 806 of the FD&C Act.

M. Self-Assessment

We proposed to define “self-assessment” as a systematic assessment conducted by an accreditation body or by a third-party certification body to determine whether it meets the applicable requirements of this subpart.

We received no adverse comments about our proposed definition. However, on our own initiative, we are revising the definition of “self-assessment” to improve clarity and to specify what is required of a recognized accreditation body and an accredited third-party certification body when performing these evaluations.

N. Third-Party Auditor

We proposed to define a “third-party auditor” as a foreign government, agency of a foreign government, foreign cooperative, or any other third-party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet the applicable requirements of the FD&C Act. We further proposed that a third-party auditor may be a single individual or an organization and may use audit agents to conduct food safety audits. Finally, we proposed that “third-party auditor” has the same meaning as “certification body” as that term was defined in the proposed rule.

(Comment 19) As described in Comment 1, we received several comments urging us to align our definitions and terminology with international standards. Some comments state that the term “third-party auditor,” the language of the statute notwithstanding, is not correct terminology to use interchangeably with “third-party certification body.”

(Response 19) As discussed previously, we agree that it is beneficial to use terminology in this rule that is consistent with terminology used in international standards when feasible and appropriate. Therefore, we are deleting the definition of “third-party auditor” in the final rule and will use the term “third-party certification body” in this rule except that we will use the term “third-party auditor” in the definitions of “Accredited third-party certification body” and “Third-party certification body” in § 1.600(c) and in the preamble discussion of those definitions in section III.A. We are clarifying in the definition of “third-party certification body” in § 1.600(c) that the term has the same meaning as “third-party auditor” as defined in section 808(a)(3) of the FD&C Act.

IV. Comments on Who Is Subject to This Subpart (§ 1.601)

We proposed in § 1.601 that this rule would apply to those accreditation bodies, third-party certification bodies, and eligible entities that seek to participate in this voluntary third-party certification program. We proposed two limited exemptions from section 801(q) of the FD&C Act: One related to alcoholic beverages from an eligible entity that is a facility that meets certain conditions, and another related to certain food constituting not more than 5 percent of the overall sales of a facility meeting the conditions of the first exemption.

A. Limiting the Scope of the Rule to Regulatory Audits and Certifications

Under proposed § 1.601(b), we proposed that subpart M would apply to third-party certification bodies seeking accreditation to conduct food safety audits and issue certifications for purposes of sections 801(q) and 806 of the FD&C Act.

(Comment 20) Some comments suggest we modify the language in § 1.601(b) regarding third-party certification bodies seeking accreditation to clarify that requirements of the rule apply only to imported foods that are subject to a condition of admissibility under section 801(q) of the FD&C Act and imported foods offered by an importer seeking to establish eligibility to participate in VQIP. In this view, the requirements of the rule (e.g., the notification requirements) should not apply to audits other than regulatory audits that are conducted for certification purposes.

(Response 20) We decline to make the suggested revisions to § 1.601(b) because § 1.601(b)(2) already describes the two types of certifications that may be issued by accredited third-party certification bodies under the final rule and the types of audits that they would conduct under this program (i.e., food safety audits, which include both consultative and regulatory audits). Audits conducted by third-party certification bodies that are outside of the scope of this program, and eligible entities receiving audits outside of the scope of this program, would not be Start Printed Page 74586subject to the requirements of this final rule. With respect to the suggestion that the final rule should apply only to regulatory audits, and therefore not to consultative audits, we note, as previously discussed, that section 808 of the FD&C Act specifically defines “consultative audit” and contains requirements for the conduct of both regulatory and consultative audits (see, e.g., section 808(a)(5) and (c)(4)(B) of the FD&C Act). Therefore, this final rule establishes requirements for consultative audits that are consistent with the provisions on consultative audits in the statute.

B. Exemption for Alcoholic Beverages

Under proposed § 1.601(d), we proposed to exempt from the certification requirements under section 801(q) of the FD&C Act alcoholic beverages that are imported from an eligible entity that is a facility that meets the following two conditions:

  • Under the Federal Alcohol Administration Act or chapter 51 of subtitle E of the Internal Revenue Code of 1986, the facility is a foreign facility of a type that, if it were a domestic facility, would require obtaining a permit from, registering with, or obtaining approval of a notice or application from the Secretary of the Treasury as a condition of doing business in the United States; and
  • Under section 415 of the Federal Food, Drug, and Cosmetic Act, the facility is required to register as a facility because it is engaged in manufacturing/processing one or more alcoholic beverages.

We also proposed that the certification requirements under section 801(q) of the FD&C Act would not apply to food other than alcoholic beverages that is imported from a facility described in § 1.601(d)(1) provided that such food:

(i) Is in prepackaged form that prevents any direct human contact with such food; and

(ii) Constitutes not more than 5 percent of the overall sales of the facility, as determined by the Secretary of the Treasury.

We tentatively concluded that these provisions were consistent with the provisions on alcohol-related facilities in section 116 of FSMA.

(Comment 21) Some comments support the proposed exemption of imported beverage alcohol products, but encourage us to clarify and amplify the exemption to cover the raw materials and ingredients (e.g., grapes, grains, hops, flavors) used to produce alcoholic beverages. The comments assert that the requested exemption would provide for consistency between domestic and foreign facilities and would be consistent with Congressional intent regarding section 116 of FSMA. The comments assert that the expanded exemption would be consistent with the regulations on preventive controls for human food. The comments urge us to consult their comments on the FSVP proposed rule.

(Response 21) As requested, we consulted comments submitted on proposed § 1.501(e) in the FSVP proposed rule, requesting an exemption from the FSVP requirements for the importation of the raw materials and ingredients (e.g., grapes, grains, hops, flavors) used to produce alcoholic beverages, and asserting that such an exemption would be consistent with Congressional intent regarding section 116 of FSMA.

We considered the comments' request in light of the risk-based public health principles generally underlying FSMA and have concluded that Congress did not intend for FSMA's core requirements to apply to the manufacture/processing, packing, and holding of alcoholic beverages. Congress may have made such a conclusion in light of the potential antimicrobial function of the alcohol content in such beverages and the concurrent regulation of alcoholic beverage-related facilities by both FDA and the Alcohol and Tobacco Tax and Trade Bureau. In light of this context, we have concluded that section 116 of FSMA should be interpreted to mean that the manufacturing, processing, packing, or holding of alcoholic beverages at most alcohol-related facilities should not be subject to this rule.

We believe the same rationale supports the comments' request. Accordingly, and consistent with the final FSVP regulation, we are expanding the exemption from certification under section 801(q) of the FD&C Act in § 1.601(d) to cover raw materials or other ingredients that are used to manufacture/process, pack or hold alcoholic beverages by an importer required to be registered under section 415 of the FD&C Act, when such facilities are exempt from the preventive controls regulations under 21 CFR 117.5(i).

Also in this final rule, we are replacing the term “food other than alcoholic beverages,” to describe the applicability of the exemption, with the term “food that is not an alcoholic beverage.”

C. USDA Regulated Products

(Comment 22) Some comments suggest we explicitly exempt products under USDA jurisdiction from the requirements of this rule.

(Response 22) We agree that an exemption to 801(q) is appropriate with respect to meat, poultry, and egg products regulated by USDA at the time of importation. The final rule adds a new § 1.601(d)(2) which states that any certification under 801(q) does not apply to meat, poultry, and egg products that at the time of importation are subject to the requirements of the USDA under FMIA (21 U.S.C. 601 et seq.), PPIA (21 U.S.C. 451 et seq.), or EPIA (21 U.S.C. 1031 et seq.). We conclude that this provision is consistent with section 403 of FSMA, entitled “Rule of Construction,” which states that nothing in FSMA shall be construed to alter or limit the jurisdiction of the Secretary of the Department of Agriculture. For many decades, USDA has exercised authority and responsibility over the import of such meat, poultry, and egg products, and has detailed regulations and procedures implementing this authority. In light of USDA's role with respect to the importation of these products, and also in light of section 403 of FSMA, we believe that Congress did not intend for an FDA determination under section 801(q) of the FD&C Act to apply to meat, poultry, and egg products that at the time of importation are subject to USDA requirements under the MPIA, PPIA, and EPIA, respectively. We therefore conclude that final § 1.601(d)(2) is consistent with Congress's intent in promulgating section 403 of FSMA.

With respect to the third-party program, we note that the program establishes a voluntary system of certification by accredited third-party certification bodies that food and facilities meet applicable requirements of the FD&C Act and FDA regulations. Certifications issued under this program will not be used to facilitate entry of meat, poultry, and egg products that are regulated by USDA at the time of importation, as defined above.

V. Comments on Recognition of Accreditation Bodies Under This Subpart

A. Who is eligible to seek recognition? (§ 1.610)

Proposed § 1.610 states that an accreditation body would be eligible for recognition if it could demonstrate that it meets the requirements related to legal authority, competency, capacity, conflicts of interest, quality assurance, and records in §§ 1.611 through 1.615. In our discussion of this section in the preamble of the proposed rule we stated our tentative conclusions that key Start Printed Page 74587elements of ISO/IEC 17011:2004 (Ref. 5) would form a basis for our requirements, and that documented conformance to that standard would be relevant in demonstrating that an accreditation body is qualified for recognition.

(Comment 23) Some comments recommend that we require accreditation bodies to be signatories to IAF multilateral recognition agreements (IAF-MLAs) (which requires signatories, among other things, to conform to ISO/IEC 17011:2004) as a condition of recognition, and some contend it should be the sole criterion. Comments in favor of including signatory status as a requirement note that the process of becoming a signatory involves a thorough peer-review process, which helps ensure quality outcomes (e.g., signatories have to demonstrate conformance to ISO/IEC 17011:2004 as part of the peer review process). Comments note other aspects of IAF-MLA signatory status that would be beneficial to the program, such as periodic reevaluation by peer signatories to ensure continued compliance. These comments argue that when a foreign government is the accreditation body, it may be difficult for FDA to regulate a peer agency, so reliance on IAF-MLA signatory status would be helpful, in part because it would give an independent organization (IAF) a role in managing the accreditation body.

Some comments discourage us from requiring IAF-MLA signatory status as a condition of recognition. Some comments suggest that we consider signatory status as a factor in favor of recognition, noting many of the same advantages touted by proponents of requiring signatory status, but suggest that we not make IAF-MLA signatory status a condition of program participation.

Other comments explain that it would be premature to make IAF signatory status the sole requirement. The comments note that at the time of these comments the IAF-MLA does not yet include subscopes for specific food safety standards or schemes. Still other comments recommend that FDA study the issues surrounding signatory status further before making it a requirement, pointing out that some countries may not have signatory IAF-MLA members representing them.

Some comments cite to third-party food safety audit programs administered by other governments, noting those programs do not require IAF-MLA status as a condition for program participation. These comments argue that it is more important to require conformance to ISO/IEC 17011:2004.

(Response 23) The comments uniformly agree on the value of an accreditation body's conformance to ISO/IEC 17011:2004 in establishing its qualifications for recognition. As discussed in section I.D., we agree that an accreditation body may use its documented conformance to ISO/IEC 17011:2004 to support its eligibility for recognition under this rule, supplemented as necessary (for example, to demonstrate capability to meet FDA requirements for reporting and notification under § 1.623, if recognized). We also agree that additional documentation relating to IAF-MLA signatory status may be useful in supporting an accreditation body's application for recognition under this program. However, we disagree with comments suggesting that we require IAF-MLA signatory status as the sole criterion or one of several criteria for recognition to accredit third-party certification bodies to conduct food safety audits and to certify that eligible entities meet the applicable food safety requirements of the FD&C Act and FDA regulations at this time. We currently lack (and the comments did not provide) adequate information to conclude that IAF-MLA signatory status should be the sole factual basis or one of several criteria for determining whether an accreditation body can fulfill the roles and responsibilities of a recognized accreditation body under this subpart. Further, we also want to allow accreditation bodies that are not signatories to participate in the program if they meet the statutory and regulatory criteria.

(Comment 24) As explained in section I.D., several comments support FDA's reliance on ISO/IEC 17011:2004 (Ref. 5) in developing the proposed rule. Other comments suggest FDA should place greater reliance on ISO/IEC 17011:2004 (Ref. 5), including some comments recommending that we incorporate the standard by reference into the rule.

(Response 24) We agree with comments on the value of promoting international consistency and tapping into an existing framework that is familiar to accreditation bodies, third-party certification bodies, and the food industry. Accordingly, in § 1.610 we are adding new language to state that an accreditation body may use documentation of conformance with ISO/IEC 17011:2004 (Ref. 5), supplemented as necessary, to demonstrate that it is eligible for recognition. This new language may make it easier for accreditation bodies that already conform to ISO/IEC 17011:2004 (Ref. 5) to apply for the program. We are also making conforming changes to §§ 1.622(d) and 1.623(b), 1.640(a), and 1.655(e).

We decline to incorporate ISO/IEC 17011:2004 (Ref. 5) by reference as the sole criterion or one of several criteria for recognition, because the standard contains some provisions that are inconsistent with section 808 of the FD&C Act or impractical for use in our program. For example, ISO/IEC 17011:2004 (Ref. 5), clause 4.3.7, allows an accreditation body to have “related bodies” that provide conformity assessment services (e.g., auditing and certification) in areas the accreditation body accredits. (A “related body” is linked to the accreditation body by common ownership or contractual arrangement, under clause 4.3.7 NOTE 1.) The only safeguards that a related body is expressly required to meet are as follows: (1) It must have different top management than the accreditation body's top management; (2) different personnel from those involved in the accreditation decisionmaking processes; (3) no possibility to influence the outcome of an assessment for accreditation; and (4) distinctly different names, logos, and symbols. While clause 4.3.7 of ISO/IEC 17011 (Ref. 5) speaks to issues of common management and control of the accreditation body and its related body, the standard does not expressly prohibit the accreditation body from accrediting its related body with which it shares common ownership or financial interests. For example, an accreditation body that provides financial support (directly or indirectly) to a related body could be viewed as lacking the impartiality necessary to make an objective decision about whether the related body it supports is appropriately qualified. The impartiality provisions in ISO/IEC 17011:2004 (Ref. 5) are impractical for our purposes because they fail to address the range of possible conflicts associated with shared financial interests and ownership between a recognized accreditation body and a “related” third-party certification body under this rule. To help ensure the credibility of our program, § 1.624 requires a recognized accreditation body to implement a program to ensure that the accreditation body and its officers, employees, and other agents involved in accreditation activities do not own or have a financial interest in a third-party certification body seeking its accreditation. Accordingly, it would be inappropriate for us to rely on the conflict of interest safeguards contained in ISO/IEC Start Printed Page 7458817011:2004 (Ref. 5), in the third-party certification program we are establishing.

For the foregoing reasons, we decline the suggestion to incorporate ISO/IEC 17011:2004 (Ref. 5) by reference into this rule.

(Comment 25) Several comments express concern about our proposal to allow both public and private accreditation bodies to seek recognition. Some comments discourage us from allowing private entities to be accreditation bodies because of the concern that allowing for private accreditation bodies may cause conflicts of interest. Similarly, some comments contend that accreditation bodies must uphold public confidence and perform their duties objectively, which is the purview of governmental entities.

Other comments take a contrary view, suggesting that some government agencies have missions that may undermine the objectivity and independence required of a recognized accreditation body. Some comments encourage us to consider which government agency/ministry in a given country may be eligible for recognition, and to solicit input from stakeholders as to which agencies/ministries are best positioned to perform this function.

Still other comments assert that private and government entities are sufficiently different such that we should establish different conflict of interest provisions and requirements for each.

(Response 25) Comments on both sides of this issue express concern that any accreditation body we recognize must be independent and objective in the performance of its duties. We share that concern. However, none of the comments offered substantiation that would lead us to bar public or private accreditation bodies, as a class, from seeking recognition because of conflicts of interest inherent in the class.

Section 808 of the FD&C Act defines an “accreditation body” as an authority that accredits third-party certification bodies and makes no distinction between public and private accreditation bodies. We have concluded that both public and private accreditation bodies are potentially capable of exhibiting the impartiality necessary for recognition under this rule. Therefore in light of the broad definition of “accreditation body” and to maximize the opportunities for qualified accreditation bodies to participate in the program, FDA does not consider it to be appropriate to limit the program to only certain types of accreditation bodies.

With respect to the comments that suggest we apply different conflict of interest requirements to different types of accreditation bodies, none of these comments offered an adequate explanation to justify different requirements for public and private accreditation bodies. Again, we note that section 808 of the FD&C Act does not make distinctions for different types of accreditation bodies.

(Comment 26) Some comments request that we provide additional explanation regarding how an accreditation body that does not have experience accrediting third-party certification bodies for food safety scopes would become eligible for recognition under this program.

(Response 26) An accreditation body of the type described in the comments' hypothetical might face practical difficulties in providing adequate substantiation demonstrating that it meets the requirements described in § 1.610. However, we will consider each application on its own merits and do not foreclose the possibility for such an accreditation body to make the showing necessary to be granted recognition under this rule.

B. What legal authority must an accreditation body have to qualify for recognition? (§ 1.611)

We proposed to require an accreditation body seeking recognition to demonstrate that it has adequate legal authority (as a governmental entity or through contractual rights) to assess a third-party certification body for accreditation, including authority to review records and conduct performance assessments (e.g., authority to witness the performance of a statistically significant number of employees and other agents conducting assessments). We proposed to require that the accreditation body have adequate authority to remove or modify an accreditation status, once granted. We also proposed to require the accreditation body to demonstrate that it would be capable of exercising the legal authority necessary to meet the program requirements, if we granted recognition.

On our own initiative, in § 1.611(a)(2) we replaced, “personnel and other agents,” with, “audit agents, or the third-party certification body in the case of a third-party certification body that is an individual” for clarity and consistency with section 808(a)(4) of the FD&C Act. We have also made corresponding changes throughout this subpart.

(Comment 27) Some comments provide support for this provision, and others encourage us to ensure that a private accreditation body seeking recognition could have adequate legal authority to operate.

(Response 27) We agree with the comment urging us to ensure that a private accreditation body could have the necessary authority to act as a recognized accreditation body under this rule. As noted previously, we see no inherent reason why private entities could not theoretically meet the eligibility requirements for accreditation bodies under this rule. Therefore, we are revising § 1.611(a) and (b) to clarify that an accreditation body can be a legal entity with contractual rights. By the words “legal entity,” we mean that the accreditation body must be duly authorized to operate as an accreditation body by governmental authorities responsible for such authorizations in any country or countries in which the accreditation body seeks to perform accreditation of third-party certification bodies under this rule.

(Comment 28) Some comments ask us to clarify what we mean by “statistically significant” as used in § 1.611(a)(2) and elsewhere in the proposed rule to provide adequate confidence in the results of an analysis of the sample. The comments encourage us to abandon the phrase “statistically significant” in favor of the language of ISO/IEC 17011:2004 (Ref. 5), which requires an accreditation body to witness the performance of a representative number of third-party certification body staff.

(Response 28) We understand from the comments that a body of knowledge and experience has developed among accreditation bodies conforming to ISO/IEC 17011: 2004 (Ref. 5) on the meaning of “representative” numbers of observations and that no similar body of knowledge or experience exists on the meaning of “statistically significant” numbers of observations in this context. Accordingly, we are revising § 1.611 to require observations of a “representative sample” of audit agents and food safety audits. We are making similar revisions to other sections of the rule that require onsite observations.

For purposes of an accreditation body's observations of a third-party certification body under this rule, what constitutes a “representative sample” will be decided on a case-by-case basis, depending on various factors. These factors include the scope of accreditation, whether the third-party certification body is an individual who will conduct audits and make certification decisions, or whether the third-party certification body uses agents to conduct audits and, if so, whether such agents are centrally managed, conducting similar types of Start Printed Page 74589audits, under a single set of operating procedures or whether the agents are managed from various locations, perform different types of audits, or follow different procedures such that these various locations, activities, or practices must be observed to ensure that the sample is sufficiently representative. A representative sample also must provide adequate confidence in the results of an analysis of the sample.

C. What competency and capacity must an accreditation body have to qualify for recognition? (§ 1.612)

We proposed to require an accreditation body seeking recognition to demonstrate that it has the resources required to adequately implement its accreditation program, including adequate numbers of qualified employees and other agents, adequate financial resources for its operations, and the capability to meet the resource demands of a recognized accreditation body, in the event the accreditation body is recognized.

(Comment 29) We received some comments on this provision, which also support the proposed rule's requirement that accreditation bodies demonstrate their competence and capacity based on the requirements of ISO/IEC 17011:2004 (Ref. 5). However, these comments disagree with our statement in the preamble that liability coverage requirements should not apply to this rule. The comments argue that we should include a requirement for accreditation bodies to carry liability coverage, noting that it is one of the requirements in ISO/IEC 17011:2004 (Ref. 5) and describing it as especially important because of the risks associated with food safety.

(Response 29) We agree with the comments that liability insurance may be useful in demonstrating the adequacy of an accreditation body's resources, for example, under ISO/IEC 17011:2004 (Ref. 5); however, FDA lacks experience in evaluating the adequacy of liability coverage for accreditation activities and we do not believe it would be appropriate for FDA to make recognition decisions primarily on this basis. We believe an accreditation body can demonstrate that it is adequately resourced in a number of different ways, including providing documentation of liability coverage as part of the information submitted to help to demonstrate that accreditation body is adequately resourced.

D. What protections against conflict of interest must an accreditation body have to qualify for recognition? (§ 1.613)

Proposed § 1.613 requires accreditation bodies to demonstrate that they have written measures to protect against conflicts of interest with third-party certification bodies and the capability to meet the rule's other conflict of interest requirements.

On our own initiative, we are clarifying that the scope of conflict of interest provisions in § 1.613(a) is limited to individuals involved in accreditation, auditing, and certification activities and not, for example, employees involved in purely administrative functions, such as payroll, or in positions that support administrative functions, such as computer technicians. Therefore, § 1.613(a) of this rule applies to interests between the officers, employees, and other agents of the accreditation body that are involved in accreditation activities and the officers, employees, and other agents of the third-party certification body involved in auditing and certification activities. We are making corresponding changes in the subsequent provisions for recognized accreditation bodies under § 1.624(a).

(Comment 30) Some comments take issue with our decision not to include the requirements of clause 4.3.2 of ISO/IEC 17011:2004 (Ref. 5), which requires the accreditation body to have documented and implemented a structure relating to conflicts of interest that provides for effective involvement by interested parties with balanced representation ensured.

(Response 30) We decline to require that recognized accreditation bodies establish and implement a structure for involving interested parties in matters relating to the conflict of interest requirements for recognized accreditation bodies. It would be administratively burdensome for FDA to establish a mechanism for monitoring the activities of interested parties that the accreditation body elects to involve to comply with such requirements. In our third-party certification program, impartiality will be protected by the conflict of interest provisions for accreditation bodies in § 1.624, the appeals provisions in § 1.620(d), and FDA's oversight activities.

E. What quality assurance procedures must an accreditation body have to qualify for recognition? (§ 1.614)

Proposed § 1.614 requires accreditation bodies to implement a written quality assurance program and have the capability to meet the rule's other quality assurance requirements.

(Comment 31) Some comments encourage FDA to more closely align § 1.614 with established international standards on quality assurance programs. Some ask us to rely on the relevant provisions in ISO/IEC 17011:2004 (Ref. 5) in particular.

(Response 31) We agree with the comments and as described in section I.D., we are revising § 1.610 to allow accreditation bodies to use their demonstrated conformance to ISO/IEC 17011:2004 (Ref. 5), supplemented as necessary, in meeting the requirements for recognition.

(Comment 32) Some comments ask us to clarify the language in § 1.614(a)(1) and (2) regarding food safety problems and corrective actions.

(Response 32) We agree and have revised § 1.614(a)(1) and (2) to clarify that an accreditation body must demonstrate that it has procedures to identify deficiencies and procedures to execute corrective actions for such deficiencies, using language that better aligns with international standards (see, e.g., clause 5.5 in ISO/IEC 17011:2004 (Ref. 5)).

F. What records procedures must an accreditation body have to qualify for recognition? (§ 1.615)

Proposed § 1.615 would require accreditation bodies seeking recognition to demonstrate that they have developed and implemented adequate written procedures for establishing, controlling, and retaining records and to demonstrate the capability to meet the program's records, reporting, and notification requirements, if recognized.

(Comment 33) Some comments voice general concerns about confidentiality. Others state their concern with how confidentiality of third-party certification body records would be preserved when third-party certification bodies must share information with recognized accreditation bodies and FDA. Noting that such information can be sensitive in nature and sometimes includes confidential business information, these comments urge us to place certain limits—i.e., only information related to food safety would be collected during audits of third-party certification bodies and such information would be shared only with the recognized accreditation body and FDA. Some comments suggest FDA require strict protective measures for information handled by third-party certification bodies and accreditation bodies, because the release of an eligible entity's confidential business information could have detrimental Start Printed Page 74590effects on U.S. businesses and their foreign suppliers. These comments suggest the use of confidentiality protections such as “confidential disclosure agreements” so that the audit climate remains conducive to robust scrutiny and open dialogue.

Some comments also express concern with the proposed use of electronic records, because of the opportunity for sensitive electronic information to be compromised. Such comments recommend that the final rule include requirements for both third-party certification bodies and accreditation bodies to ensure that electronic records remain secure in transit and during storage.

(Response 33) We decline the suggestions to require confidential disclosure agreements between recognized accreditation bodies and third-party certification bodies under our program and to establish data protection requirements for electronic records and communications of recognized accreditation bodies and accredited third-party certification bodies. We understand that many accreditation bodies and third-party certification bodies have contractual agreements regarding confidentiality and disclosure by those parties. We expect accreditation bodies that become recognized under our program may elect to establish contracts that incorporate language on information sharing with FDA for third-party certification bodies seeking accreditation under this program. For such accreditation bodies, how they choose to accomplish this—e.g., whether by establishing a separate confidentiality agreement or through revision of current contract language or creation of a new contract addendum—is a decision best made by the parties to those contracts. Accreditation bodies and third-party certification bodies will have common interests in safeguarding the electronic records they store and transmit to each other; therefore, we have no reason to believe that any separate agreements will lack adequate protections for confidentiality of information, including information stored and shared among the parties electronically.

This rule focuses on confidentiality and disclosure with respect to information shared with FDA. As explained in section XIII.F., FDA will protect the confidentiality of information accessed by or submitted to the Agency in accordance with § 1.695 of this subpart. With respect to the storage of electronic records and electronic transmission of information by FDA, we note that we are working the FDA IT security professionals in establishing the electronic portal for the third-party certification program to apply adequate and appropriate controls to ensure the confidentiality and integrity of data submitted to FDA through the portal.

(Comment 34) In the proposed rule preamble discussion of this section we stated that, “[a]ccreditation bodies applying for recognition must demonstrate their capacity, if recognized, to grant us access to confidential information, including information contained in records, without prior written consent of the third-party certification body involved. Having access to records relating to accreditation activities (including confidential information) under this subpart is necessary to ensure the rigor, credibility, and independence of the program.” Some comments take issue with this point, arguing that accreditation bodies would not be able to grant such access—they would only be able to grant access to confidential information with prior written consent. That is, the accreditation body would first need to make arrangements for FDA access to confidential records with the third-party certification bodies it accredits and the eligible entities certified by those third-party certification bodies. Comments that express doubt about private sector foreign accreditation bodies actually granting FDA access to confidential records contend that such access is particularly unlikely without the prior written consent of the third-party certification body whose records are sought.

(Response 34) We agree with the comments that the contracts accreditation bodies currently use with their third-party certification body clients do not contemplate the program we are establishing. As comments suggest, we would expect that confidentiality provisions in standard contracts would need to be revised such that, in signing a contract for accreditation under the FDA program, the third-party certification body would be giving the accreditation body its prior consent to perform any reporting or notification necessary for the recognized accreditation body to fulfill its obligations under the rule. Indeed, we expect that accreditation bodies seeking recognition will demonstrate their ability to comply with the reporting and notification provisions of this rule by providing us examples of standard contract language that has been suitably revised as comments describe.

VI. Comments on Requirements for Recognized Accreditation Bodies Under This Subpart

A. How must a recognized accreditation body evaluate third-party certification bodies seeking accreditation? (§ 1.620)

Proposed § 1.620 would establish the criteria and procedures that a recognized accreditation body must use in assessing third-party certification bodies for accreditation. Paragraph (a) broadly addresses the different requirements for foreign governments and foreign cooperatives or other third parties. Paragraph (b) requires the accreditation body to require third-party certification bodies to satisfy the rule's reporting and notification requirements. Paragraph (c) requires the accreditation body to maintain certain records, such as those related to withdrawal or suspension of a third-party certification body. Paragraph (d) requires an accreditation body to have written procedures for handling appeals from third-party certification bodies, and requires certain minimal appeal procedures.

On our own initiative, we are revising § 1.620(a)(2) and (3) to apply to accredited third-party certification bodies that are comprised of a single individual, as applicable. We are also removing, “and any requirements specified in FDA model accreditation standards regarding qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records” to follow good guidance practice. We are making corresponding changes to §§ 1.620(a)(1), 1.640(b), and 1.640(c). We are also revising § 1.620(c) to specify that recognized accreditation bodies must also include the date of the action in their records relating to any denial of accreditation or the withdrawal, suspension, or reduction in scope of accreditation of a third-party certification body. In addition, we are revising § 1.620(d) to clarify that the recognized accreditation body must notify any third-party certification body of an adverse decision associated with its accreditation under the subpart, including denial of accreditation or the withdrawal, suspension, or reduction in the scope of its accreditation.

(Comment 35) In paragraph (a)(3) of this proposed section we stated that a recognized accreditation body must observe “a statistically significant number of onsite audits” conducted by the third-party certification body seeking accreditation. Some comments request clarification of what we meant by “statistically significant,” so that accreditation bodies would know what Start Printed Page 74591would be an adequate number of audits to observe to provide adequate confidence in the results of an analysis of such observations. The comments suggest that we should explain the criteria for determining the number of witness audits to be conducted under proposed § 1.620 and ask whether site-specific issues such as geographic factors should be considered. Other comments encourage us to abandon the phrase “statistically significant” in favor of the language of ISO/IEC 17011:2004 (Ref. 5), which requires an accreditation body to witness the performance of a representative number of third-party certification body staff.

(Response 35) We have removed the phrase “statistically significant” in § 1.620(a)(3) and inserted the phrase “representative sample.” We explain in Response 28 that comments presented compelling arguments that a significant body of knowledge and experience has developed around the meaning of a “representative” number of observations under ISO/IEC 17011:2004 (Ref. 5) to achieve an adequate level of confidence in the results. We have revised § 1.620(a)(3) accordingly. Site-specific issues may be relevant in determining the representative number of witness assessments to conduct, for example, where audit agents are located in remote offices or where food safety audits are managed by remote offices. The accrediting body, either a recognized accreditation body or FDA in the case of direct accreditation, will be best positioned to determine whether geographic issues are relevant for purposes of § 1.620(a)(3).

(Comment 36) Some comments ask us to revise § 1.620(d)(2) to clarify that the individuals used to hear appeals of adverse decisions by a recognized accreditation body could be individuals external to the accreditation body.

(Response 36) We agree with the comments and have revised this provision to clarify that individuals used to hear appeals may be external to the accreditation body, as well as a similar provision applying to appeals by eligible entities of adverse decisions by an accredited third-party certification body. We have also revised this provision to use language similar to language that is used in § 16.42(b), which describes the characteristics of a presiding officer that may be used for FDA regulatory hearings.

(Comment 37) In the preamble to the proposed rule we stated that we were not proposing to review the decisions of recognized accreditation bodies nor were we proposing to hear appeals from third-party certification bodies aggrieved by an accreditation body's decision(s). We sought comment on these matters. In response, some comments state their understanding that FDA would retain the authority to challenge a recognized accreditation body's decisions, because we have authority over the entire program.

(Response 37) We agree with comments that our oversight extends to any accreditation body or third-party certification body participating in the program, including the authority to withdraw accreditation from a third-party certification body even if the accreditation was granted by a recognized accreditation body. However, FDA does not intend to serve as an appellate body for aggrieved third-party certification bodies, as this would be unworkable and unnecessary. Withdrawing the accreditation of a third-party certification body to remove it from our program is quite different than, for example, overturning an accreditation body's decision to deny accreditation to a third-party certification body in the first place. Our program is designed to ensure the competency and independence of accreditation bodies. As part of this program, FDA will be recognizing accreditation bodies to make accreditation decisions based on a determination that the accreditation body is qualified to do so. FDA involvement in accreditation decisions would defeat the purpose of the program. Additionally, FDA retains the authority to revoke the recognition of accreditation bodies for good cause under § 1.634(a)(4) for failure to comply with this rule. For all of these reasons, FDA declines to codify a process to review appeals challenging recognized accreditation body decisions under this program.

(Comment 38) Several comments encourage us to expand on the requirement to use “independent” person(s) to hear an appeal of an adverse accreditation body decision. Some comments suggest that we clarify that an independent person is one who was not involved in the decision that is the subject of the appeal. A few comments suggest we further require the accreditation body to use person(s) who are external to the organization.

(Response 38) We agree with the suggestions to clarify § 1.620(d)(2) and are revising it to align with the impartiality provisions in 21 CFR part 16, which contains the regulations for regulatory hearings that we will generally apply under § 1.693 to an appeal of a revocation or withdrawal. Under the part 16 regulations, the person presiding over the hearing must be free from bias or prejudice and must not have participated in the action that is the subject of the hearing or be subordinate to a person who participated in the action. We believe that the credibility of the third-party certification program will be enhanced by requiring recognized accreditation bodies to afford similar protections when considering appeals by certification bodies under this rule. While we decline the suggestion to require the use of external parties in deciding appeals, we note that a recognized accreditation body has flexibility to use an external party under § 1.620(d)(2).

B. How must a recognized accreditation body monitor the performance of third-party certification bodies it accredited? (§ 1.621)

We proposed to require a recognized accreditation body to conduct an annual evaluation of each of its accredited certification bodies that includes a review of the certification body's self-assessments, its regulatory audit reports, notifications to FDA, and any other information reasonably available. We requested comment on whether the information we proposed to require would provide a solid basis for an evaluation. We asked stakeholders whether we should include a requirement in § 1.621 for onsite monitoring of accredited certification bodies and, if so, whether we should require the accreditation body to observe or visit the certification body's headquarters.

(Comment 39) We received several comments on the annual assessment requirements of proposed § 1.621. Some comments agree with the requirement for an annual assessment. Some comments mention a Government Accountability Office (GAO) report entitled, “FDA Can Better Oversee Food Imports by Assessing and Leveraging Other Countries' Oversight Resources” (GAO 12-933) and dated September 2012, which notes ongoing challenges with ensuring the competency of third parties to consistently apply standards and argues that annual assessments would improve certification body reliability and competency. Some of these comments state they would even support more frequent certification body evaluations.

In contrast, some comments argue that annual assessments would be burdensome. Comments variously focus on the burden on accreditation bodies, certification bodies, and eligible entities. Some comments disapprove of the cumulative burden of all the assessments (e.g., self-assessments and monitoring assessments) required Start Printed Page 74592throughout the rule. Some comments suggest biennial assessments, and note that such a requirement would be consistent with ISO/IEC 17011:2004 (Ref. 5). Still others argue that when the accreditation body or certification body is a government entity we should allow for flexibility around the timing of assessments.

(Response 39) We agree with comments that express the view that annual assessments of certification bodies will help build confidence in the third-party certification program. Annual assessments will help accreditation bodies ensure certification bodies' continued compliance with the program requirements and quickly identify and address any deficiencies with a certification body before a situation escalates.

We also acknowledge the concerns about the efforts needed to comply with the monitoring and self-assessment requirements of the rule. Section 1.621 is part of a set of proposed monitoring and self-assessment requirements intended to work together in helping to ensure that the recognized accreditation bodies and accredited third-party certification bodies maintain compliance with the rule's requirements. The certification body self-assessment in § 1.655 is intended to serve, in part, as information for use in the accreditation body monitoring in § 1.621, the results of which we intend the accreditation body to use in its self-assessment under § 1.622. We do not intend for the assessments to require duplicative efforts, with each section requiring a discrete set of activities with no opportunity to use the results of one set of activities when performing another. As explained in the preamble to the proposed rule, the accreditation body assessments of certification bodies will not only help ensure that the certification bodies continue to comply with our requirements, but also can help the accreditation body identify trends and any deficiencies in its own performance. The proposed monitoring and self-assessment activities are an essential part of the program's safety net.

With respect to § 1.621, in particular, we believe this section will be far less burdensome in practice than some of the comments anticipate, because of the convergence between the ISO/IEC standards and this rule. The activities required by § 1.621 are similar in substance to surveillance activities under ISO/IEC 17011:2004 (Ref. 5), which includes review of audit reports, results of internal quality control, and management review records identified in clause 3.18 NOTE, and thus are likely to be activities many accreditation bodies already perform. In light of the foregoing, we have concluded that requiring accreditation bodies to perform annual evaluations of each certification body they accredit under the program is not unduly burdensome. We disagree with comments suggesting that monitoring should be more frequent than once a year, because requiring assessments to be performed and reported twice each year, for example, would result in a nearly continuous cycle of assessments and reports. Semiannual assessments are likely to produce limited data sets that would be less helpful for evaluation purposes than would larger data sets, such as compilations of 12 months of data, which allow for tracking and trending performance over time. Requiring assessments to be performed more frequently than once a year also risks creating significant disruption of the operations of accredited third-party certification bodies and eligible entities and might have the unintended effect of serving as a disincentive to participation in the program. For these reasons, we have determined that an annual monitoring requirement is appropriate to verify the overall effectiveness of the accredited third-party certification body's operations and performance in activities relevant to the third-party certification program and the validity of its certification decisions. Accordingly, we are not revising the annual certification body monitoring requirements we proposed in § 1.621.

(Comment 40) We received some comments on proposed § 1.621(b) specifically, which would require an accreditation body to consider any other “reasonably available” information relevant to a determination of whether a certification body is in compliance with this rule. Comments encourage us to set limits around assessments conducted in the wake of an incident, noting that a problem involving one certification/type of product should not involve review of all certifications/products. These comments did not want an incident in one sector (e.g., human food) to unnecessarily jeopardize an accreditation in a separate sector (e.g., animal food). Some comments express concern that proposed § 1.621(b) would require an accreditation body to review every certificate issued by a certification body if one of the eligible entities it certified was placed on FDA import alert.

(Response 40) We decline the suggestions to narrow the scope of proposed § 1.621(b) or to direct how recognized accreditation bodies should consider other “reasonably available” relevant information, because it will depend on the facts of a particular situation. In the wake of incidents, we expect the accreditation body to take appropriate steps to determine whether the certification body is in compliance with this subpart. Such steps may include a review of certifications for product areas other than the subject of the incident if the accreditation body deems it needed to assess the certification body's compliance. We reiterate, as we explained in the preamble to the proposed rule, we do not expect a recognized accreditation body launch investigations of each certification body it accredited absent cause, but we do expect the accreditation body to actively monitor public information about their certification bodies and not ignore public information about problems that might be associated with a certification body it accredited.

(Comment 41) In response to our preamble questions about whether to require observations and certification body headquarters visits in § 1.621, some comments state that observations are a useful tool and should be required. Similarly, some comments support a requirement for visiting the key location of the certification body. Some comments state that the accreditation body should visit any location of the accredited third-party certification body where the certification body manages its staff or agents conducting audits under this program, which the comments note may not be the certification body's headquarters. Other comments agree that onsite visits can be a useful tool, but encourage the use of remote assessments in certain circumstances (e.g., after the certification body has successfully completed a set number of accreditation cycles).

Some comments suggest that we follow the requirements of relevant ISO/IEC standards in establishing requirements for observations and site visits under § 1.621. Some comments express concern about the cumulative burden of the monitoring and self-assessments we proposed to require of accreditation bodies and certification bodies. A few comments express concern we might impose duplicative requirements for observations under §§ 1.621 and 1.622(b). Some comments request guidance on how an eligible entity would be selected as a site for an observation.

(Response 41) We agree with the comments that state that observations are useful and should be required as part of accredited third-party certification body monitoring. Likewise, we agree with the comments that state Start Printed Page 74593a recognized accreditation body should visit any location of the certification body where the certification body manages its staff or agents conducting audits under this program, if different than the certification body's headquarters, to get a better understanding of how different locations operate. While we acknowledge that some accreditation bodies may be successfully using remote assessments in certain circumstances (e.g., after the certification body has successfully completed a set number of accreditation cycles), we decline the suggestion to allow for remote assessments in this rulemaking.

In establishing requirements in § 1.621 for observations and accredited third-party certification body visits, we considered comments' concerns that such requirements might be duplicative of the observation requirements in § 1.622(b), might pose practical difficulties in arranging to observe audits, and might pose difficulties if a certification body had several “key” locations. We also considered comments' concerns about the cumulative burden of the monitoring and self-assessment requirements of the rule and the comments that urge us to align the requirements of § 1.621 with the relevant international standards.

Accordingly, in the final rule we are combining all of the paragraphs in proposed § 1.621 into new § 1.621(a), and we are adding a new paragraph (b) that requires the accreditation body to perform a representative sample of onsite observations of regulatory audits conducted by each accredited third-party certification body, as explained in Response 28, and visit the certification body's headquarters (or other certification body location if its audit agents are managed by the certification body at a location other than its headquarters). The observed audits and site visits must be performed by no later than 12 months after the certification body's initial accreditation and again every 2 years thereafter for the duration of its accreditation, including renewals. The requirements for the frequency of observed audits and site visits under § 1.621(b) are similar to the intervals for surveillance onsite assessments in one of the options under clause 7.11.3 of ISO/IEC 17011:2004 (Ref. 5). We are also requiring the accreditation body to consider information from activities conducted under paragraph (b) in the annual performance report of the accredited third-party certification body.

We also are making a corresponding revision to § 1.622(b) to clarify that the accreditation body should consider the results of onsite observations and site visits conducted under § 1.621(b) as part of its self-assessment under § 1.622.

C. How must a recognized accreditation body monitor its own performance? (§ 1.622)

Proposed § 1.622 would require recognized accreditation bodies to conduct self-assessments on an annual basis, and as required under proposed § 1.664(g) (following FDA withdrawal of accreditation of a certification body it accredited). Under the proposed rule, the accreditation body's self-assessment would include evaluating the performance of its officers, employees, or other agents; observing regulatory audits by a statistically significant number of certification bodies it accredited under this program, and creating a written report of results.

(Comment 42) Some comments encourage a broader self-assessment. They contend that, in addition to requiring that accreditation bodies assess the consistency of their performance and their compliance with conflict of interest provisions, we should also require accreditation bodies to compare their performance against competitors, compare the certification bodies they accredit to other certification bodies, and look at industry best practices and benchmarks to set improvement objectives.

(Response 42) The self-assessments are intended to help the accreditation body determine whether it is in compliance with the requirements of this rule. While the report elements suggested by comments might be useful for an accreditation body to consider, we do not believe those elements are necessary to a determination of compliance with the rule. Therefore, we decline to revise the rule in response to these comments.

(Comment 43) Some comments question whether the requirements for accreditation body self-assessment would fit the government-to-government model. Other comments suggest that the different nature of private operators and public administration warrant different requirements for each. The comments further contend that the workload associated with the program would be significant for any government agency; therefore, the time limits and frequencies of reporting should be more flexible in the case of government agencies.

(Response 43) FDA uses self-assessment tools in various government-to-government programs. As one comment notes, we require State governments to conduct annual self-assessments for their work under the Manufactured Food Regulatory Program Standards (MFRPS) and the Animal Feed Regulatory Program Standards. We also require a foreign government seeking a systems-recognition agreement with FDA to begin the process by completing the International Comparability Assessment Tool, which is a self-assessment tool that we developed based on the approach of the MFRPS self-assessment. Our experience in using self-assessment tools with foreign and State governments suggests to us that self-assessments would be feasible and appropriate in the context of this program as well.

We decline the suggestion to afford more flexibility in deadlines for government agencies serving as recognized accreditation bodies than we afford to other recognized accreditation bodies. Section 808 of the FD&C Act makes no distinction between public and private accreditation bodies, and the proposed rule would place the same workload burden on private accreditation bodies as it would on public accreditation bodies. The comments fail to explain why the differences in nature of public and private accreditation bodies justify flexible deadlines for governmental accreditation bodies but not private accreditation bodies.

(Comment 44) Some comments suggest that accreditation body self-assessments under proposed § 1.622 should be done in concert with its monitoring of certification bodies under proposed § 1.621, because it would be more efficient and would reduce the burden on eligible entities that were observed during regulatory audits. Other comments question the need for accreditation body self-assessments to include requirements for observations, because they read our preamble discussion of proposed § 1.621 as a signal that we would be requiring accreditation bodies to conduct annual onsite observations of each certification body under that provision.

(Response 44) We agree that self-assessments under § 1.622 can be done in concert with monitoring under § 1.621. As described in Response 39, we do not intend the self-assessment and monitoring requirements of the rule to be duplicative. Having added requirements for observations and certification body site visits to certification body monitoring requirements in the final rule, we are revising § 1.622(b) to clarify that accreditation bodies may consider the results of any observations or visits conducted under § 1.621(b) in its self-assessments.Start Printed Page 74594

(Comment 45) Comments also suggest that international standards could provide guidance on improving the efficiency and effectiveness of an accreditation body's self-assessment. Some comments specifically suggest that FDA could rely on the internal audits and management reviews that are required under ISO/IEC 17011:2004 (Ref. 5) instead of requiring its own self-assessments.

(Response 45) We agree that documentation of internal audits and management reviews required under ISO/IEC 17011:2004 (Ref. 5) could be useful to help demonstrate compliance with the requirement for self-assessments under this program. We have revised § 1.622(d) and made a conforming change to § 1.623(b) to specifically allow a recognized accreditation body to use reports of internal audits and management reviews prepared for conformance with ISO/IEC 17011:2004 (Ref. 5), supplemented as necessary, to demonstrate compliance with the accreditation body self-assessment requirements of § 1.622.

D. What reports and notifications must a recognized accreditation body submit to FDA? (§ 1.623)

Proposed § 1.623 would require recognized accreditation bodies to submit to FDA reports of its self-assessments and annual re-assessments of certification bodies within 45 days of completing the assessment. The proposed rule also would require notification to FDA of matters affecting recognition and accreditation status; notice of denials of accreditation and any significant change that would affect how the accreditation body complies with this rule would be required within 30 days, while immediate notification would be required for other matters (e.g., grant or withdrawing accreditation). Under the proposed rule the reports and notifications would have to be submitted electronically and in English.

On our own initiative, we are revising § 1.623(c)(1)(i) and (d)(1)(i) to require the recognized accreditation body to provide FDA the email address of any third-party certification body that was granted or denied accreditation (respectively) under our program. Having the email address will facilitate FDA's communications with such third-party certification bodies. We also are revising § 1.623(c)(1)(iv) on our own initiative to specify that a recognized accreditation body must also notify FDA of the expiration date of accreditation upon granting accreditation to a third-party certification body under this subpart.

(Comment 46) Some comments ask whether FDA intends to provide feedback in response to self-assessment reports.

(Response 46) While FDA will not be providing formal responses to the self-assessment reports, we will use the information in the reports in our oversight of the third-party certification program and will address any specific items of concern we identify in an accreditation body-self-assessment report directly with the accreditation body.

(Comment 47) We received several comments related to our proposal to require all reports and notifications to be submitted in English. Some comments agree that both the notifications and the reports should be submitted in English. Some comments agree that notifications should be in English, but suggested that reports of self-assessments and re-assessments of certification bodies could remain in their native language, and if FDA had any questions about such reports the accreditation body could furnish English translations.

Some comments note the difficulty and others the expense for recognized accreditation bodies in countries that do not officially or routinely conduct business in English. Some comments request a longer period of time (e.g., up to 4 months) to submit documents that must be translated into English. Other comments note that if we require documents to be in English, and the translations are not done well, the documents may be difficult to understand.

Some comments propose alternative solutions, including comments that suggest that FDA explore technical translation and recognition software, which in combination with standardized report/notification templates, might facilitate submission in languages other than English. Other comments suggest that if reports and notifications are submitted in languages other than English, the recognized accreditation body should be responsible for all translation costs.

Some comments ask whether supporting documents that accompany reports also would have to be in English. Other comments inquire whether there is any flexibility in the language requirement for governmental accreditation bodies that do not maintain their records in English.

(Response 47) We decline the suggestion to remove the requirement to submit reports and notifications in English. While allowing submissions in multiple languages might be helpful to some interested parties, the accreditation body reports and notifications required by § 1.623 are essential to our oversight and management of the third-party certification program and the programs that rely on certifications issued by accredited third-party certification bodies, and thus, must be in English in order for FDA to properly review and evaluate. Some comments ask to have up to 4 months to prepare an English translation of a submission under proposed § 1.623. Such delays would be unworkable. For example, we cannot afford delays in translating an accreditation body's notification of withdrawal of accreditation, or an accreditation body's notification that a certification body has issued a food or facility certification without meeting the requirements of this rule. We are requiring immediate notification of these and other matters under § 1.623(c) because of the implications for the program and possibly for our acceptance of certifications issued by the certification body. Unless the notification is submitted in English, our actions will be delayed until the information is translated. Although the annual certification body monitoring reports and the accreditation body self-assessments reports are not required to be submitted until 45 days after completion under § 1.623(a) and (b)(i) (and 60 days following certification body withdrawal for self-assessment reports submitted under § 1.623(b)(ii)), we will use these reports to identify areas where FDA may need to promptly engage with an accreditation body or a certification body to address apparent misunderstandings or confusion about our program requirements. We plan to use these reports to identify emerging issues that need intervention. Therefore any additional time allotted for translation purposes would delay and possibly hinder our ability to use these reports for program evaluation and management.

(Comment) 48) Some comments address the proposed timeframes for submitting reports and notifications, and suggest that instead of requiring reports within 45 days of completing the assessment/re-assessment, we should require submission every 6 months or annually.

(Response 48) We disagree with comments suggesting that we modify the timeframe for submission of reports of annual self-assessments and annual certification body monitoring reports from 45 days after completion to every 6 months or every year. We are concerned that the information could be outdated and our ability to use the Start Printed Page 74595reports for early intervention would be significantly diminished.

(Comment 49) Some comments contend that the volume of reports and notifications we proposed to require would be burdensome to FDA to review and maintain. They suggest that instead we require recognized accreditation bodies and their certification bodies to maintain reports of self-assessment/re-assessment, and provide prompt access to FDA upon request.

(Response 49) We disagree. We are establishing an electronic portal for submission of applications, reports, notifications, and other information under this rule and an electronic repository of this information, which will allow us to access and use the information as needed. Therefore, we decline to revise § 1.623 is response to these comments.

(Comment 50) Some comments ask if all reports and notifications submitted to FDA will be subject to the Freedom of information Act (FOIA) or if these submissions will be considered confidential information with reasonable protections from disclosure. Other comments suggest the importance of striking the appropriate balance between disclosure and confidentiality and note the following statements in ISO/IEC 17021:2011 (Ref. 6), clause 4.1.3 and NOTE: “Principles for inspiring confidence include: Impartiality, competence, responsibility, openness, confidentiality, and responsiveness to complaints . . . An appropriate balance between the principles of openness and confidentiality, including responsiveness to complaints, is necessary in order to demonstrate integrity and credibility to all users of certification.”

(Response 51) We agree with comments suggesting the importance of striking the appropriate balance between providing transparency to the public and maintaining the confidentiality of any trade secrets and confidential commercial information included in the applications, reports, notifications, and other information submitted to FDA. We are guided in this effort by FOIA as well as laws that protect trade secrets and confidential commercial information from disclosure. In response to comments, we are adding new § 1.695 on public disclosure, which is discussed in section XIII.F.

(Comment 51) Some comments urge us to eliminate or reduce the proposed reporting requirements in proposed § 1.623(a) and (b), for various reasons. Some of these comments suggest that we should only require regular submission of a report or other document that shows the third-party certification bodies are maintaining their accreditation. Other comments recommend that when a certification body is first accredited, it should submit translated accreditation documents within 3 to 4 months of the accreditation body's decision. Then, as long as the accreditation is unchanged, it should not be necessary for the accreditation body to submit its—assessment reports under § 1.623(a).

Some comments suggest it should not be necessary for accreditation bodies to submit their self-assessment reports under § 1.623(b) if there is no significant change in their recognition. Other comments assert that signatories to IAF MLAs should not have to submit self-assessment reports to FDA, because IAF monitors accreditation bodies for continued compliance with ISO/IEC 17011:2004 (Ref. 5).

(Response 51) We disagree. As described in Response 47, the reports of annual certification body monitoring and accreditation body self-assessments are essential to our oversight and management of the third-party certification program and the programs that rely on certifications issued by accredited third-party certification bodies. We are not requiring accredited third-party certification bodies to submit their self-assessments to FDA (except for directly accredited third-party certification bodies); therefore, the reports that we receive of the recognized accreditation bodies' assessments of accredited third-party certification bodies are a fundamental piece of the monitoring system we are establishing, as are the self-assessment reports submitted by accreditation bodies we have recognized. Reducing or eliminating either of these reporting requirements would hinder our ability to properly oversee the program.

(Comment 52) We received some requests for clarification regarding required content of the accreditation self-assessment reports and reports of certification body annual monitoring. Some comments request that FDA either suggest a format for the reports, provide an opportunity for accreditation bodies to propose a format, or at least indicate the minimum required elements.

(Response 52) We believe we provided minimum requirements on the content of these reports in this rule and plan to provide additional information on the format and submission of these reports on our Web site.

(Comment 53) Comments suggest that to be consistent with ISO/IEC 17011:2004 (Ref. 5), a recognized accreditation body only would need to notify FDA of the approval, suspension, or withdrawal of accreditation of a third-party certification body, as well as any changes in its scope of the accreditation scope or reduction of authorization. The comments assert that the notification should not need to include such details as the address and name of third-party certification body employees under § 1.624(c)(1).

(Response 53) We agree that submission of the information described in the comment and required by clause 8 of ISO/IEC 17011:2004 (Ref. 5) is necessary for our program management and oversight. For example, it will help us verify the identity of any certification body before taking an action to affect its status in the program based on a notification submitted under § 1.623. However, the notifications required under § 1.623(c)(3) and (d) are also necessary for our program management and oversight. Under § 1.623(c)(3), a recognized accreditation body would have to notify FDA if one of its accredited third-party certification bodies issued a food or facility certification without complying with the requirements of this rule. This notification will allow FDA to refuse to accept those improperly issued certifications and to coordinate with the accreditation body in determining appropriate next steps. Having information on a denial of accreditation under § 1.623(d) will allow FDA to monitor accreditation activities across the program, including any repeat denials of a third-party certification body.

With respect to providing the names of the audit agents of the accredited third-party certification body, we note that section 808(b)(1)(B) of the FD&C Act requires a recognized accreditation body to submit to FDA a list of all third-party certification bodies it accredited under the program and the audit agents of such accredited certification bodies. The list of audit agents we proposed to require a recognized accreditation body to submit under § 1.623(c)(1)(iii) is necessary for verification of compliance with the conflict of interest requirements by audit agents under section 808(c)(5)(A)(iii) and (B) of the FD&C Act and by proposed § 1.657, among other things. With respect to the proposed requirement to provide the address and name of one or more of the officers of the accredited third-party certification body, this information will be helpful in communicating with the accredited third-party certification body.

For the foregoing reasons, we decline the suggestion to eliminate the requirements for the recognized Start Printed Page 74596accreditation body to provide FDA the name of one or more officers of the accredited third-party certification body under § 1.623(c)(1)(ii) and a list of audit agents of the accredited third-party certification body under § 1.623(c)(1)(iii).

E. How must a recognized accreditation body protect against conflicts of interest? (§ 1.624)

Proposed § 1.624 would require a recognized accreditation body to take certain steps to safeguard against conflicts of interest, including the requirement to implement a written conflict of interest program. The accreditation body would be prohibited from owning, having a financial interest in, or managing/controlling a certification body. Under the proposed rule, accreditation body employees would be unable to accept money, gifts or other items of value from the certification body, though we did exempt meals of de minimis value onsite where the assessment occurs. We also proposed to require that a recognized accreditation body maintain on its Web site a list of certification bodies it accredited under this program, the duration and scope of accreditation, and the date on which the certification bodies paid their fee or reimbursement associated accreditation. We sought comment on alternative approaches for public disclosure of payments.

On our own initiative, we are adding new provision § 1.624(b) to clarify when a recognized accreditation body can accept the payment of fees for its services so that the payment is not considered a conflict of interest for purposes of § 1.624(a).

(Comment 54) Some comments agree that a recognized accreditation body should be required to have a written program to protect against conflict of interest. Comments suggest that the written plans should include assurances of independence and safeguards to address any possibility of conflicts. Some comments state FDA should require accreditation bodies to make their conflict of interest policies public.

(Response 54) We agree with comments about the importance of a recognized accreditation body having a written program to safeguard against conflicts of interest that meets the requirements of this rule. While a recognized accreditation body may choose to make its conflicts of interest program publicly available, we are not imposing that as a program requirement because we do not believe it is necessary to ensure that accreditation bodies safeguard against conflicts of interest.

(Comment 55) We received several comments related to allowing certification bodies to provide onsite meals of de minimis value to accreditation body representatives conducting an audit. Several comments agree with the general concept of allowing meals of de minimis value. Some supporting comments state that allowing such meals would expedite the assessment, and could be necessary if the certification body is distant from meal service providers. With respect to the question of what constitutes “de minimis” value for these purposes, some comments endorse the idea of defining de minimis value in accordance with U.S. Government employee limits on accepting gifts or gratuities. Others simply encourage us to define it in some way that ensures consistency and clarity. Some comments state that we should not set a fixed amount for the de minimis value, because costs vary in different locations.

Some comments disagree with the proposal to allow meals of de minimis value, and contend that the financial relationship between the accreditation body and the certification body should be strictly limited to the fee paid for the accreditation audit/services.

(Response 55) We agree with the comments that suggest that allowing the certification body to provide meals of a de minimis value during an assessment and at the site where the assessment is being conducted might help facilitate the assessment, particularly for remote sites. We also agree with comments that state we should not set a fixed amount for the de minimis value because costs vary in different locations.

We disagree with comments suggesting that by providing meals of a de minimis value, a certification body might influence the outcome of an accreditation body assessment, particularly if the only allowable meals are ones of minimal value that are provided during the course of an activity and with the purpose of facilitating timeliness and efficiency. FDA follows a similar approach for investigators conducting foreign inspections—that is, FDA investigators performing foreign inspections are allowed to accept lunches (of little cost) provided by the firm during the course of a foreign inspection. We also note that the U.S. government allows its employees to accept meals, within per diem limits, when on official business in a foreign country, as an exception to the prohibition on the acceptance of gifts or gratuities from outside sources (5 CFR 2635.204(i)(1)), though we believe the FDA's practices for foreign inspections serve as a better model because foreign inspections are more analogous to foreign assessments than are the range of activities that covered by the general requirements applicable to all U.S. government employees on official business in foreign countries. Accordingly, in light of the comments received and analogous FDA guidelines, we have concluded that it is reasonable and appropriate to limit the meal exception in § 1.624(a)(3)(ii) to only lunches of de minimis value provided during the course of an assessment, on site at the premises where the assessment is being conducted, and only if necessary to facilitate the efficient conduct of the assessment. We believe these revisions help to address concerns regarding the threats to impartiality, while accommodating the practical considerations that apply to foreign assessments.

We offer the following additional input to recognized accreditation bodies seeking guidance on the application of § 1.624(a)(3)(ii). In considering whether a meal is allowable under this provision, we recommend that the assessor first consider whether accepting the lunch is necessary to facilitate the efficient conduct of the assessment. We recommend the assessor consider: (1) Whether the circumstances surrounding the travel would allow the assessor to pack a lunch to bring on site; (2) Whether the meal is being provided during the midday or early afternoon. A lunch provided in the midst of an assessment is different than a lunch or other meal provided at the completion of the audit; (3) Whether the site of the assessment is in close proximity to a retail food establishment, or is at a remote location far from a retail food establishment; (4) What is the estimated value (or cost) of the lunch in light of the costs associated with the area where the assessment is being conducted; and (5) other similar considerations.

For assessors seeking additional guidance on determining what constitutes a “de minimis” amount for purposes of complying with § 1.624(a)(3)(ii), we offer the following guidance that is based on the requirements applicable to U.S. government employees who accept certain meals while on official travel in foreign countries. Such employees must deduct from the per diem the value of that meal, calculated using a two-step process.

First, the individual must determine the per diem applicable to the foreign area where the lunch was provided, as specified in the U.S. Department of State's Maximum Per Diem Allowances for Foreign Areas, Per Diem Supplement Start Printed Page 74597Section 925 to the Standardized Regulations (GC,FA) available from the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402, and available on the Department of State Web site at https://aoprals.state.gov/​Web920/​per_​diem.asp. (Foreign per diem rates are established monthly by the Department of State's Office of Allowances as maximum U.S. dollar rates for reimbursement of U.S. Government civilians traveling on official business in foreign areas.)

Second, the individual must determine the appropriate allocation for the meal within the daily per diem rate which is broken down into Lodging and M&IE (Meals & Incidental Expenses) that are reported separately in Appendix B of the Federal Travel Regulation and available on the Department of State's Web site at https://aoprals.state.gov/​content.asp?​content_​id=​114&​menu_​id=​78.

(Comment 56) Our proposal to require accreditation bodies to maintain a Web site listing of certification bodies, and information about each, drew several comments. Most comments agree with the Web site listing in principle. Some comments encourage us to require additional information in the Web site listing, such as requiring accreditation bodies to include in their Web site listing those certification bodies whose accreditations have been suspended or revoked. Some comments advise that the “scope” information required on the Web site should be specific (e.g., whether the accreditation is for human food, animal food, or for specific rules).

Additionally, many comments address the proposed requirement to include fee information in the Web site listing. Some comments suggest that we require recognized accreditation bodies to specify what is included in the fee payment and what costs are reimbursable. We also received comments arguing that requiring payment schedules to be posted online is not sufficient to ensure that potential conflicts of interest will be identified; they suggested we require accreditation bodies to submit payment schedule information directly to FDA.

Some comments disagree with the proposed requirement to require the Web site posting of payment schedules contending, among other things, that such information is proprietary. Some suggest that, instead, FDA should require accreditation bodies to keep records of payments which would be available to FDA if we have reason to examine them. Others suggest it would be sufficient for the financial payment information to be maintained such that FDA could review it during the recognition/renewal process. Still other comments seek clarification as to whether we would be requiring, in addition to the date of payment, the dollar value of payment. These comments are not in favor of such a requirement; they state such payment details constitute sensitive information and argue that FDA should instead require the amount of payment to be in the records required under § 1.625.

(Response 56) We agree with comments that state that an accreditation body's Web site posting under § 1.624(c), finalized as § 1.624(d), must include specific information about the scope(s) of accreditation, for example by relevant part of 21 CFR or by a designation, such as “part 123” or “Seafood HACCP” (Hazard Analysis Critical Control Point). We also are revising final § 1.624(d) to state that an accreditation body's Web site must identify a certification body whose accreditation was suspended, withdrawn, or reduced in scope, because we believe that this information would be important to eligible entities seeking information on accredited certification bodies. The suspension or withdrawal information must be maintained on the Web site for 4 years (the maximum duration of an accreditation under the rule) or until the suspension is lifted or the certification body is reaccredited by that accreditation body, whichever occurs first.

In the interest of transparency, we are maintaining the requirement for accreditation bodies to post information on the timing of fee payments and direct reimbursements by certification bodies. This posting requirement is similar to the posting requirements that apply to certification bodies under § 1.657(d) and will help build confidence in the impartiality of accreditation body accreditation decisions. We are not requiring posting of the amount of fees or reimbursement paid, because we do not think it is necessary to help build confidence in the impartiality of accreditation body accreditation decisions. We agree with the suggestion to specifically require fee payment records to be maintained and are revising § 1.625 accordingly.

(Comment 57) Some comments contend that § 1.624 is seriously flawed because it is inconsistent with “the latest science on the issue” and a 2009 Institute of Medicine (IOM) Report, “Conflicts of Interest in Medical Research, Education, and Practice.” They encourage FDA to evaluate the most recent scientific research on conflicts of interest and consult with leading academicians involved in such work. They contend that the fact of payment by the certification body to the accreditation body creates a conflict of interest that cannot be avoided so we should aim our regulation to minimize it. They recommend that we prohibit any financial relationship between the accreditation body and a certification body it audits for at least 1 year before accreditation was sought and 1 year after the last accreditation expires or was denied.

(Response 57) While we agree with the comments' suggestion to remain vigilant in ensuring that our conflict of interest protections represent current best practices, we disagree with the assertion that § 1.624 is seriously flawed and have concluded that the suggested revision would be infeasible and impractical. Third-party certification bodies currently accredited for food safety auditing by accreditation bodies that become recognized by FDA would have to apply to another recognized accreditation body to join our program if the comments' suggestion were adopted. This would create a disincentive to participation by experienced third-party certification bodies and would pose difficulties when the availability of recognized accreditation bodies is limited.

In response to comments citing the 2009 IOM report on financial conflicts of interest between medical researchers and medical products companies, we note that it identified some conflict of interest issues that also are relevant to our third-party certification program, such as the need to disclose payments from industry and to place limits on meals and gifts. However, the differences between the context of medical research and practice and the context of our third-party certification program pose difficulties in identifying practical implications of the analysis for our purposes—i.e., the analysis of data suggesting that the acceptance of meals and gifts and other relationships may influence physicians to prescribe a company's medicines. Nor are the IOM recommendations readily adaptable to conflicts of interest in the third-party certification program. The “best practices” we employ must be suitable for the third-party certification program and may differ from the state of the art best practices for conflict of interests in medical research. For example, the recommendations to place limits on the use of drug samples for patients who lack financial access to medications and to prohibit the claiming of authorship for ghost-written publications are not applicable to this program. For the foregoing reasons, we decline the Start Printed Page 74598suggestion to prohibit any financial relationship, such as the payment of fees, between a recognized accreditation body and a certification body for at least 1 year before seeking accreditation and 1 year after the last accreditation expires or is denied.

(Comment 58) Some comments reject the notion that there could be effective protections against conflict of interest. Such comments consider third-party food safety audits to possess inherent shortcomings and believe that FDA itself should conduct any food safety inspections required by FSMA.

(Response 58) We disagree with the notion that it is not possible to effectively protect against conflicts of interest. Currently, accreditation bodies and certification bodies operate under a number of private schemes successfully, with reasonably effective protections against conflicts of interest. We note that the primary regulatory functions of the third-party certification program are to facilitate participation in VQIP and to provide certifications for the purposes of section 801(q) of the FD&C Act. At this time, we do not intend for private third-parties to conduct food safety inspections required by FSMA.

F. What records requirements must an accreditation body that has been recognized meet? (§ 1.625)

Proposed § 1.625 identifies specific types of documents a recognized accreditation body would be required to establish, control, and maintain to document compliance with applicable requirements (including applications for accreditation and for renewal; regulatory audit reports and supporting information from its accredited auditors/certification bodies; reports and notifications required under proposed § 1.623, along with any supporting information). The recognized accreditation body would be required to provide FDA access to such records. The rule also proposed to require records to be maintained electronically and in English for 5 years.

In the proposed rule we acknowledged that the contracts between accreditation bodies and certification bodies frequently include confidentiality provisions that might otherwise prevent disclosure of certain records to FDA without prior approval of the certification body. We noted that any such contract provisions would need to be changed to allow the accreditation body to furnish FDA with the records identified in this section.

On our own initiative, we are including fee payment records as another type of record that an accreditation body that has been recognized must maintain under § 1.625(a)(8).

(Comment 59) Several comments disagree with the proposed requirement for records to be maintained in English. Some comments, while noting their support for submission of reports and notifications in English under proposed § 1.623, disagree with our proposal to require that records maintained by the accreditation body be kept in English as well. Some comments, noting the cost of translating all records, request that we allow records to be maintained in the language of the country. They propose we could require the accreditation body to provide the records in English upon our request within a reasonable time; some suggest a reasonable time might be a week, depending on the volume of records requested. Other comments argue that the food industry is global and in recognition of that fact FDA should accept records in other languages. Some comments suggest that we allow three or four additional widely-used languages.

(Response 59) We agree with the recommendation to allow records held by the accreditation body to be maintained in a language other than English, coupled with a requirement that, upon FDA request, the accreditation body must provide an English translation of the records within a reasonable time.

The records required by § 1.625 are necessary to document the accreditation body's accreditation activities, and we expect to request access to the accreditation body's records as necessary to verify the accreditation body's continuing compliance with the requirements of this rule, such as when we are considering whether to renew its recognition. The accreditation body records also will be useful in helping to verify the compliance of certification bodies it accredited under the program. However, the records required by § 1.625 are generally distinguishable from the reports and notifications that must be directly submitted to us under § 1.623, which we are requiring to be submitted to FDA in English because the reports and notifications submitted directly to us are time sensitive in nature and essential to our management and oversight of the third-party certification program. For example, under § 1.623(c) we are requiring immediate notification, in English, of an accreditation body's withdrawal of accreditation from a certification body. We cannot afford delays in translating this information, because of its implications for the program and possibly for our acceptance of certifications issued by the certification body. Unless the notification is submitted in English, our actions will be delayed until the information is translated.

By contrast, the records required under § 1.625 typically contain information that is less time sensitive; therefore, reasonable delays for translation purposes will not compromise our ability to manage or oversee the program. Accordingly, we are revising § 1.625 to allow other accreditation body records to be maintained and submitted to FDA in languages other than English, provided that an English language translation of such records is provided within a reasonable time thereafter. The circumstances surrounding each request will differ; therefore, we decline to set a specific (numerical) deadline for submission of the translation.

(Comment 60) We received several comments expressing confidentiality concerns. Some comments note that documents that are part of an audit process may contain critical business information that warrants some level of proprietary protection.

(Response 60) We acknowledge comments' concerns and note that we are including § 1.695 on public disclosure in section XIII.F. The new section explains that records obtained by FDA under this subpart are subject to the disclosure requirements under 21 CFR part 20.

(Comment 61) With regard to the proposed requirement that records must be maintained electronically, some comments discourage us from requiring compliance with 21 CFR part 11, which are regulations setting certain electronic records criteria. Comments contend that imposing part 11 requirements would be disproportionate to the need under this rule without an appreciable improvement in food safety and would create a tremendous and costly burden. They encourage FDA to explicitly exclude records under this rule from part 11. Comments propose that instead of imposing part 11 requirements, we require documentation of the chain of custody by requiring records to be signed and dated when created or modified.

(Response 61) We acknowledge comments' concerns and note that we are establishing § 1.694 on electronic records in section XIII.E. This new section will generally exempt records that are established or maintained to satisfy the requirements of this subpart from the requirements of part 11.

(Comment 61) Some comments express concern that our proposed record keeping requirement was too broad; and others express concern about Start Printed Page 74599how we might use our authority to request records. Some comments request clarification of our proposed requirement that accreditation bodies' records include any supporting information for the reports and notifications required under § 1.623. Other comments suggest that our records requests should be narrower when the recognized accreditation body is a foreign government than a records request to a recognized, nonprofit accreditation body. Still other comments encourage us to clarify the circumstances under which FDA staff could request records and to include a method for an accreditation body to object to an FDA records request.

(Response 62) The records we are requiring an accreditation body to maintain under § 1.625 are necessary to document the accreditation body's accreditation activities and its compliance with the requirements of this rule. We expect to request access to the accreditation body's records in verifying an accreditation body's continuing compliance with the requirements of this rule. While the details of each records request will vary depending on its circumstances, we will tailor our records requests under § 1.625 as narrowly as possible to reach program-related records and exclude records that are irrelevant or insignificant to this program. For example, the information an accreditation body reports under § 1.623 may prompt us to request the underlying record to supplement the report as needed. Or, when an accreditation body is requesting renewal of its recognition, we may request records to supplement information provided in the application.

Therefore, we believe it is unnecessary to develop administrative procedures for accreditation body challenges to FDA records requests. We recommend accreditation bodies to fully consider the program requirements before deciding to pursue recognition under the voluntary third-party certification program.

(Comment 63) We proposed that if FDA requests records electronically, the recognized accreditation body provide the requested records within 10 days. Some comments contend that 10 days is insufficient time, and instead request a period of 3 months.

(Response 63) We believe that 10 days is ample time for accreditation bodies to electronically submit any requested records they are already required to maintain under this subpart. We note that we are revising the final rule to allow accreditation bodies to maintain and submit records in languages other than English, provided that they electronically submit an English translation within a reasonable time thereafter. By allowing records to be submitted in a language other than English, accreditation bodies should be able to provide requested records electronically within 10 days.

VII. Comments on Procedures for Recognition of Accreditation Bodies Under This Subpart

A. How do I apply to FDA for recognition or renewal of recognition? (§ 1.630)

We proposed to establish procedures for accreditation bodies to follow when applying to FDA for recognition or for renewal of recognition. We proposed that the accreditation body must submit a signed application, accompanied by any supporting documents, electronically and in English, demonstrating that it meets the eligibility requirements in proposed § 1.610. We also proposed to require an applicant to provide any translation or interpretation services we need to process the application.

(Comment 64) Some comments assert that the proposed rule does not differentiate adequately between foreign governments and private entities that are serving as accreditation bodies and suggest that we provide a separate path for recognition of foreign government accreditation bodies that prioritizes their applications over those submitted by private accreditation bodies. The comments recommend that we draft additional rules to specifically cover recognition of foreign government accreditation bodies and/or direct accreditation of foreign government certification bodies.

(Response 64) We disagree with the recommendation to create a bifurcated system for recognition, because the line between governmental and private accreditation bodies is not always clear. Private accreditation bodies comprise approximately one third of the 72 accreditation bodies that accredit food safety certification bodies around the world, according to a report prepared by the Research Triangle Institute (RTI) (Ref. 16). In the report, RTI found that the distribution of accreditation bodies by private versus government agency is as follows: 24 private accreditation bodies, 38 governmental accreditation bodies, and 10 accreditation bodies with unknown private or government agency status. RTI found that the vast majority of the private accreditation bodies were non-profit entities. Many of the private accreditation bodies identified by RTI operate under government sanction or in quasi-governmental roles. For example, the American National Standards Institute (ANSI) is a private, non-profit accreditation body that serves as the official U.S. representative to ISO (Ref. 17); the United Kingdom Accreditation Services is appointed as the national accreditation body for the United Kingdom, though it is independent of the government (Ref. 18); and the Danish Accreditation and Metrology Fund is a self-described “business fund” that is appointed by the Danish Safety Technology Authority as the national accreditation body for Denmark (Ref. 19). Additionally, we note that section 808 of the FD&C Act makes no distinction in the requirements or process for recognizing public or private accreditation bodies. Furthermore, we do not believe it practical to engage in additional rulemaking for foreign government accreditation bodies and certification applications, as the comments suggest.

(Comment 65) Some comments ask us to accept applications in other languages common to the major production areas exporting product to the United States. These comments assert that due to the global nature of produce supply chains allowing applications in other languages would encourage supply chain participation in third-party auditing programs as a tool to improve food safety. These comments suggest that we could develop a phased process where we only accept English applications initially, but increase flexibility to accept applications/renewal documents in other languages as the program builds up.

(Response 65) We acknowledge that accepting applications for recognition in languages other than English might be beneficial to some interested parties. However, requiring applications for recognition to be submitted in English will help us make well-informed and timely decisions. Further, FDA does not have the resources to translate or review documentation in other languages and generally requires documents submitted in other languages to be translated to English. Therefore, we decline the suggestion to develop long-term plans for accepting applications for recognition in languages other than English.

(Comment 66) Some comments ask what costs are associated with getting recognized as an accreditation body.

(Response 66) Pursuant to section 808(c)(8) of the FD&C Act, we issued proposed regulations to establish a reimbursement (user fee) program to assess fees and require reimbursement for the work performed to establish and administer the third-party certification Start Printed Page 74600program. The proposed rule provides details on how user fees would be computed (80 FR 43987, July 24, 2015).

B. How will FDA review my application for recognition or for renewal of recognition and what happens once FDA decides on my application? (§ 1.631)

We proposed to establish procedures for reviewing and deciding on applications for recognition and for renewal of recognition. We proposed to order the application queue on a first in, first out basis and to only place complete applications in the queue.

On our own initiative, we are revising paragraph (a) to clarify that FDA will review submitted applications for completeness and will notify applicants of any identified deficiencies. We also are revising paragraph (b) to clarify that FDA's evaluation of any completed recognition or renewal application may include an onsite assessment of the accreditation body. In addition, we are redesignating proposed paragraph (e) as part of paragraph (b) for clarity.

On our own initiative we are adding new paragraphs (e) through (h) to § 1.631 to explain what happens when an accreditation body's renewal application is denied. We are adding provisions to clarify what the applicant must do, the manner in which FDA will notify accredited third-party certification bodies and the public of the denial, the effect of denial of an application for renewal of recognition on accredited third-party certification bodies, and the effect of denial of an application for renewal of recognition on food or facility certifications issued to eligible entities.

(Comment 67) Some comments ask us to clarify how we will recognize an accreditation body. Some comments ask that we clearly and comprehensively lay out the conditions and requirements governing the application for recognition, to ensure transparency, certainty, and predictability of the procedures and criteria governing recognition. Some comments specifically recommend that we use the IAF/ILAC/International Laboratory Accreditation Cooperation (ILAC) (A-series) documents as the foundation upon which to base our process for recognition of accreditation bodies.

(Response 67) This rule establishes the framework for the third-party certification program and generally describes procedures involved in the submission and processing of applications for recognition and will be supplemented by additional instructions. For example, we are developing an electronic portal that accreditation bodies will use in submitting their applications for recognition, and we will be issuing directions for using the portal. We also are developing internal operational procedures for recognition of accreditation bodies and will consult the IAF/ILAC (A-series) documents in considering the types of materials that may be useful to accreditation bodies and other stakeholders interested in learning more about our program.

(Comment 68) Some comments express concern that we are limiting ourselves to a “first in, first out” review process that gives us no discretion to recognize foreign governments before we consider other applications from private accreditation bodies that apply. These comments recommend that we use guidance to industry or internal management documents, rather than this rule, to describe how we will establish the queue of applications for review.

(Response 68) For the reasons described in Response 64, we decline the suggestion to prioritize applications submitted by government accreditation bodies over applications submitted by private accreditation bodies. However, we are modifying the first in, first out approach to application review in proposed § 1.631(a) to allow FDA to prioritize an application for review based on program needs. We will consider the suggestion to use an internal management document to establish our procedures for reviewing applications for recognition as part of our operational planning.

(Comment 69) We received several comments on the timeliness of application review and decisionmaking. Some comments assert that our application review process must be comprehensive but also expedient. Some comments ask that our communications with applicants be timely. Other comments ask us to establish review timeframes by which accreditation bodies and other interested parties may expect a response to applications, asserting this will foster enhanced confidence and transparency with the review process. Some comments suggest that we review and act upon an accurately completed recognition application within 90 days and a completed recognition renewal application within 45 days.

(Response 69) We agree with the comments suggesting that our application review must be comprehensive and as expedient as possible. We decline the suggestion to establish review timelines in this rule because we lack the experience and data that would allow us to reasonably estimate review timeframes. We also recognize that each review will differ depending on the circumstances, and we expect to become more efficient in application review as we gain experience in the program.

(Comment 70) Some comments express concern about the length of time it will take us to recognize and notify an applicant of any deficiencies in the application. These comments also assert that requiring applicants with deficiencies to resubmit their applications and sending them to the bottom of the review list would make for significant delays in the recognition and renewal processes.

(Response 70) FDA agrees that an application for recognition should be checked for completeness promptly after submission. The Agency intends to notify the submitter in a timely manner if the submission is not complete. FDA anticipates that this completeness determination could generally be made within 15 business days, because this is not a decision on the merits of the application. However, given the competing demands on Agency resources, including staff available to conduct review, the Agency declines to add a time restriction in the final rule for notifying an applicant of deficiencies that cause its application to be considered incomplete and thus not ready for processing.

(Comment 71) Some comments assert that we should include a mechanism for stakeholders to provide feedback to the Agency concerning the capacity and functioning of accreditation bodies and auditors/certification bodies because stakeholders have firsthand experience with such entities. These comments suggest that we modify § 1.631(b) to specify that FDA will also “solicit and consider information provided by stakeholders, including importers and foreign suppliers subject to the accreditation body's jurisdiction, to assist in the recognition or renewal application review process.”

(Response 71) To the extent the comments suggest that the Agency's review and decisionmaking process on recognition applications should include a solicitation of comments from the public we disagree, as this would create unnecessary delay in the recognition process. FDA believes that the information it gains through the application process will be sufficient to make a recognition determination, and that this process and subsequent monitoring by FDA ensures robust oversight of the program. Nevertheless, stakeholders are always free to share with FDA any information relevant to the Agency's food safety programs. We Start Printed Page 74601note that information shared with FDA is subject to the information disclosure regulations in part 20, as stated in § 1.695.

(Comment 72) Some comments note that there are no circumstances or conditions in the proposed rule that allow for an accreditation body to question or object to an FDA action or request if they believe it is not reasonable or relevant to the recognition and performance of the accreditation body.

(Response 72) We do not expect to make requests or actions of an accreditation body that are not relevant to the requirements of the third-party certification program. FDA's evaluation of accreditation bodies, as expressed in §§ 1.631(b), 1.633(a), and 1.634(a), is premised on the accreditation body's compliance with the applicable requirements of this rule.

We note that in this rulemaking, FDA has established a number of mechanisms to address challenges to FDA's decisions, including § 1.691 (for requests for reconsideration of the denial of an application for recognition, renewal, or reinstatement of recognition); § 1.692 (for internal Agency review of the denial of an accreditation body application upon reconsideration); and § 1.693 (for regulatory hearings on revocation of recognition).

We recommend accreditation bodies to fully consider the program requirements before deciding to pursue recognition under the voluntary third-party certification program.

(Comment 73) Some comments ask that we provide training and education documents regarding the application process as quickly as possible to ensure that accreditation bodies are clear on the process and its requirements. These comments assert that training and education would minimize the need for second reviews due to inaccurate or incomplete applications.

(Response 73) As indicated in Response 67, we are developing additional instructions for applications for recognition that will be useful to accreditation bodies interested in pursuing recognition.

C. What is the duration of recognition? (§ 1.632)

We proposed to grant recognition to an accreditation body for up to 5 years, though we will determine the length of recognition on a case-by-case basis.

(Comment 74) Some comments support our proposal to recognize accreditation bodies for a duration of up to 5 years, with shorter durations awarded early in the program for accreditation bodies with little experience in accrediting third-party certification bodies.

(Response 74) We agree with comments suggesting that the duration of recognition may vary depending on a number of factors, including the accreditation body's history (or lack of history) in accrediting certification bodies. We believe the proposal allows FDA to consider such factors.

(Comment 75) Some comments express concern that we are not proposing a fixed duration of recognition and ask us to establish a specific time limit of 5 years. These comments assert that having a standardized duration of recognition for all accreditation bodies is administratively more viable for FDA to plan its resource needs and would provide consistency across the industry. Additionally, these comments assert that 5 years is a reasonable duration given the other reporting and monitoring requirements built into the system.

(Response 75) We acknowledge the advantages that certainty provides and, where appropriate, the Agency will grant recognition for the maximum duration of 5 years. However, as noted in our previous response, we also recognize it may be appropriate for the duration of recognition to vary depending on a number of factors. Where, for example, an accreditation body has little or no experience in accrediting food safety certification bodies, we may decide the initial grant of recognition should be less than 5 years.

(Comment 76) Some comments suggest that the duration of recognition for an accreditation body should be 4 years to be consistent with the duration proposed for accreditation of certification bodies in § 1.661. Other comments request clarification about the difference in durations proposed for recognition of accreditation bodies and accreditation of certification bodies.

(Response 76) We decline the suggestion to shorten the maximum duration of accreditation body recognition to 4 years and note that the comments suggesting it should be the same maximum duration as third-party certification body accreditation offered no information that would provide an adequate basis for shortening recognition such that an accreditation body could be recognized for no longer than a certification body's accreditation. Further, as stated in the proposed rule, we noted that other government programs such as the Substance Abuse and Mental Health Services Administration program for accredited programs that use opioid agonist treatment medications approves accreditation bodies for up to 5 years (42 CFR 8.3). Under the FDA mammography program, we may approve accreditation bodies for terms up to 7 years (21 CFR 900.3(g)). As stated previously, FDA may establish a period of recognition of less than 5 years if appropriate for a particular applicant.

(Comment 77) Some comments assert that accreditation bodies that maintain their IAF signatory status should not be limited to a 5-year duration.

(Response 77) We decline the suggestion, noting that the comment lacks information demonstrating that a longer term of recognition is warranted for an accreditation body that is an IAF signatory.

D. How will FDA monitor recognized accreditation bodies? (§ 1.633)

We proposed to establish the frequency and manner for formal evaluations of recognized accreditation bodies. Specifically, we proposed to evaluate each recognized accreditation body by at least 4 years after the date of recognition of an accreditation body granted a 5-year term of recognition and by no later than the mid-term point for an accreditation body granted a term of recognition of less than 5 years. Proposed § 1.633 also notes that FDA may conduct additional assessments of recognized accreditation bodies at any time.

(Comment 78) While the comments generally support FDA performance assessments of recognized accreditation bodies, the comments express a wide range of views on how frequently such assessments should occur. Some comments support the proposed reevaluation frequency for recognized accreditation bodies. Some comments assert that we need to have a more suitable monitoring mechanism. Other comments suggest we incorporate a random, unannounced performance review for recognized accreditation bodies as a supplement to the proposed frequency. Some comments take a contrary view, asking us to clarify in the final rule the circumstances under which we may perform additional performance assessments of recognized accreditation bodies. These comments assert that FDA's ability to conduct additional audits, assessments, and investigations without the requirement to justify such actions creates the potential for a confrontational relationship and lack of trust. The comments question whether, without such clarification, any refusal by an accreditation body to grant FDA access or information would trigger revocation Start Printed Page 74602of their recognition. Still other comments request clarification on the frequency of audits that will be conducted on accreditation bodies.

(Response 78) Monitoring assessments of accreditation bodies are one of several tools we will use for program oversight. Section 1.633(a) implements section 808(f) of the FD&C Act, which states that FDA must reevaluate a recognized accreditation body periodically, or at least once every 4 years, and take any other measures FDA deems necessary to ensure compliance. We anticipate that information gleaned from other monitoring tools, such as an accreditation body's self-assessment, may prompt additional performance assessments in certain instances. Although we decline to specifically codify random, unannounced performance reviews as a supplement to the proposed frequency as suggested by the comment, we note that under § 1.633(a) FDA may conduct additional assessments of recognized accreditation bodies, including unannounced assessments, at any time as it deems appropriate. We need to retain flexibility to conduct additional audits, assessments and investigations to support the credibility of the program.

With respect to the request to clarify whether any refusal to grant FDA access or information for a performance assessment would trigger revocation, under section § 1.634(a), refusal to allow FDA to conduct an assessment to ensure the accreditation body's continued compliance with the requirements of this subpart is grounds for revocation.

(Comment 79) Some comments assert that we should provide additional detail on our monitoring procedures under § 1.633(b). Some comments express concern about the ambiguity of the term “statistically significant” as well as the scope of onsite assessments and onsite audits for performance evaluation purposes. These comments assert that we must provide clear guidance to industry as to what we expect would be involved in such onsite assessments and make this guidance available for public comment. Other comments specifically request that we outline the procedures under which we will conduct audits on accreditation bodies and third-party certification bodies and specify a timeframe for when we will issue the results of the audits. Still other comments assert that we must provide guidance on how an eligible entity might be selected for an audit/inspection that relates to an accreditation body's reassessment of a certification body.

(Response 79) The objective of an assessment under § 1.633 will be to determine an accreditation body's compliance with the requirements of this rule. When planning an assessment, we will establish the time period of activities covered by the assessment and may request records of an accreditation body under § 1.625. We also will develop plans for any locations to be visited, which may include the accreditation body's headquarters and any other locations where employees and other agents who conduct activities under this program are managed.

In conducting the assessment, we may review records, such as records relating to conflicts of interest and may interview officers, employees, and other agents of the accreditation body. We also may observe regulatory audits by certification bodies the accreditation body has accredited. For the reasons explained in Response 28, we have removed the phrase, “statistically significant” and revised the sentence to explain that we may observe a “representative sample” of certification body regulatory audits when conducting an assessment of its accreditation body. We will decide what constitutes a “representative sample” for purposes of § 1.633 on a case-by-case basis, based on factors such as how many certification bodies the accreditation body has accredited under the program, the scope of accreditation of the certification bodies accredited by the accreditation body, how many years the accreditation body has been in the program, how many prior assessments of the accreditation body we have performed, and the length of time since any prior assessments.

(Comment 80) Some comments ask that we inform recognized accreditation bodies prior to doing onsite assessments of accredited certification bodies and eligible entities as part of our performance evaluations.

(Response 80) In planning an assessment with onsite observations of certification bodies or an audit of certified eligible entities, we will consider whether to provide notice to the accreditation body and/or invite the accreditation body to be present. In some circumstances we may determine that it would be necessary or appropriate to conduct the assessment or audit without notice to the accreditation body.

(Comment 81) Some comments assert that to carry out performance evaluations for the purpose of monitoring recognized accreditation bodies, we must have an agreement directly with the certification bodies or request that recognized accreditation bodies include these requirements in their agreements with certification bodies they have accredited.

(Response 81) We disagree that we must have an agreement directly in place with each accredited certification body for us to carry out performance evaluations, as § 1.633(b) states that FDA may include onsite assessments of a representative sample of third-party certification bodies the recognized accreditation body accredited and onsite audits of a representative sample of eligible entities certified by such third-party certification bodies under this subpart. We recommend that third-party certification bodies fully consider the program requirements before deciding to pursue accreditation under this voluntary third-party certification program. We also encourage recognized accreditation bodies to include language in their standard contracts with third-party certification bodies they accredit under this program that acknowledges FDA's ability to conduct such evaluations.

(Comment 82) Some comments ask who will cover the costs of audits on recognized accreditation bodies.

(Response 82) As discussed in Response 66, we are proposing in a separate rulemaking (80 FR 43987) the costs of FDA monitoring of recognized accreditation bodies will be covered by user fees that we will establish by regulation.

E. When will FDA revoke recognition? (§ 1.634)

Proposed § 1.634 establishes the criteria and procedures for revocation of recognition of an accreditation body, including requests for records and notifications. It describes several circumstances that warrant revocation of recognition and describes the effects (if any) of revocation on accreditations and certifications occurring prior to the revocation.

On our own initiative, we are revising § 1.634(c)(2) to require the accreditation body to notify FDA of the name and contact information of the custodian who will maintain the records required by § 1.625 instead of just providing us with a location to increase flexibility. We are making corresponding changes to §§ 1.635(a), 1.664(e)(2), and 1.665(a). We also are revising paragraphs (d) through (f) to clarify the manner of FDA's notice to affected third-party certification bodies and the public of the revocation, as well as the effect of such revocation on the accredited third-party certification bodies and certifications they issued prior to issuance of the revocation of recognition.

(Comment 83) Some comments recommend that when an accreditation Start Printed Page 74603body's recognition is revoked, the information on the Web site includes the cause or causes of the revocation.

(Response 83) We agree and will include on the FDA Web site a brief description of the grounds whenever revoking the recognition of an accreditation body.

(Comment 84) Some comments agree that providing the certification body 1 year to transition and become accredited with another accreditation body is a reasonable concept, but express concerns that in many countries a limited number of accreditation bodies may make meeting that timeframe difficult. They also note that although audited entities' certifications may remain in effect until its expiration, it may be difficult for them to maintain their certifications beyond that date due to lack of accreditation bodies, or there may be instances in which their certification is set to expire in weeks or months following the revocation. These comments note a similar concern about the impact of a lack of capacity on scheduling certification audits should the certification body have to be reaccredited within 1 year. Comments recommend that FDA address this issue by performing an assessment of accreditation capacity in key production regions around the world and using that information as a baseline to inform timeframes on re-accreditation of third-party certification bodies. Other comments suggest that either FDA be required to renew the recognition of the recently revoked accreditation body or recognize a new accreditation body in time for any affected accredited certification body to comply, or FDA would be required to solicit applications for a new accreditation body after an accreditation body's recognition is revoked. Comments also recommend that certifications issued by a certification body accredited by the accreditation body whose recognition was revoked remain in effect for 1 year from the date of the revocation of the accreditation body in order to reduce the likelihood of a lapse in certification of eligible facilities.

(Response 84) We acknowledge that revocation of the recognition of an accreditation body may present difficulties for the certification bodies accredited by the accreditation body (and for the eligible entities those certification bodies certified), particularly in countries that have a single national accrediting authority. In such circumstances, we intend to work with recognized accreditation bodies and the certification bodies to identify opportunities and challenges. We believe 1 year is sufficient time for a certification body to be reaccredited in such circumstances. The requirement for an eligible entity to become recertified after a certificate terminates by expiration is based on section 808(d) of the FD&C Act, which requires an eligible entity to apply for annual recertification. In light of the foregoing, we are declining the requests to extend the deadlines for reaccreditation and for recertification in the case of revocation of recognition of an accreditation body.

(Comment 85) Some comments request FDA provide specific provisions to address potential questions that may arise if recognition of an accreditation body is revoked, with particular emphasis on the validity of certificates or other documentation already issued when revocation occurs.

(Response 85) Section 1.634(d) specifically describes the impact of revocation of recognition of an accreditation body on the certification bodies that it accredited under this program, including that a certification body's accreditation will remain in effect if it provides a self-assessment to FDA within 60 days of issuance of the revocation and it is accredited by another recognized accreditation body or FDA no later than 1 year after the revocation or the original date of expiration of the accreditation, whichever comes first. Section 1.634(e) explains that in the case of revocation of an accreditation body's recognition, a food or facility certification issued by a certification body accredited by the accreditation body prior to the revocation of its recognition will remain in effect until the certification terminates by expiration.

(Comment 86) Some comments request that FDA clarify how individual holders of certifications would be made aware of the revocation of recognition. For example, they ask if FDA would contact certification holders directly or if the certification holder would be required to monitor the recognition status of the accreditation and certification bodies.

(Response 86) We will provide notice on the FDA Web site when we revoke the recognition of an accreditation body. We also will notify certification bodies that have been accredited by the accreditation body that has had its recognition revoked through the electronic portal we are establishing. Because revocation of recognition will not affect the duration of previously issued certificates, we will not directly contact eligible entities to inform them of the revocation. If the revocation of recognition results in the withdrawal of accreditation of a certification body, FDA will provide notice of such withdrawal on our Web site as provided in § 1.664(h).

(Comment 87) Some comments recommend that FDA refer to the provisions in ISO/IEC 17011:2004 and ISO/IEC 17021:2011 to inform the provisions revocation of recognition in § 1.634 and withdrawal of accreditation in § 1.664 and to distinguish those actions from reduction in scope of recognition and accreditation and to establish the specific grounds and effects for those actions.

(Response 87) Neither of the ISO/IEC standards cited in the comments relate to revocation of recognition of an accreditation body; however, we reviewed ISO/IEC 17011:2004 (Ref. 5) for terminology, procedures, and grounds that might have relevance for revocation of recognition in § 1.634. We decline the suggestion to consider ISO/IEC 17021:2012 (Ref. 6), which applies to certification bodies, for purposes of this analysis as it is inapplicable.

Having reviewed ISO/IEC 17011:2004, we note that ISO/IEC 17011:2004 (Ref. 5) gives an accreditation body the flexibility to establish its own procedures for suspension, withdrawal, or reduction of the scope of an accreditation as explained in clause 7.13.1 and NOTE. FDA's procedures for revocation of recognition are thus not inconsistent with the ISO standards in this respect. Regarding the grounds for withdrawal of accreditation, ISO/IEC 17011:2004 (Ref. 5), clause 7.13, provides that an accreditation body must make decisions to suspend and/or withdraw accreditation when an accredited conformity assessment body (i.e., third-party certification body) has persistently failed to meet the requirements of accreditation or to abide by the rules for accreditation. The standard for revocation of recognition under this program is established by section 808(b)(1)(C) of the FD&C Act, which requires FDA to “promptly revoke the recognition of any accreditation body found not to be in compliance with the requirements of this section,” which is the standard that is used in proposed § 1.634. Therefore, we cannot incorporate this standard for withdrawal for purposes of this program.

(Comment 88) Some comments suggest FDA revise § 1.634(a)(3) and (4) to provide that FDA can make a decision to revoke recognition or withdraw accreditation only when it has objective evidence to demonstrate that the recognized accreditation body committed fraud or submitted material with significant false statements, demonstrated a significant bias or significant lack of objectivity when Start Printed Page 74604conducting activities, or significantly failed to adequately support one or more decisions to grant accreditation.

(Response 88) We disagree. Section 808(b)(1)(C) requires FDA to promptly revoke the recognition of any recognized accreditation body found not to be in compliance with section 808 of the FD&C Act, which establishes the third-party program. This program is a system of assurances that begins with the recognition of qualified accreditation bodies, which in turn accredit certification bodies to make judgments about the compliance of eligible entities and the food they produce with the applicable food safety requirements of the FD&C Act and FDA regulations. FDA's ability to have swift recourse when a recognized accreditation fails to comply with the requirements of the third-party program is essential. Limiting FDA's ability to revoke the recognition of accreditation bodies to instances of “significant” fraud, bias, or lack of competence as the comment suggests would render the program unreliable to provide the assurance of food safety intended by this section.

F. What if I want to voluntarily relinquish recognition or do not want to renew recognition? (§ 1.635)

Proposed § 1.635 describes the procedures that an accreditation body must follow when it intends to relinquish its recognition.

FDA received comments in support of the proposed procedures for voluntary relinquishment of recognition. FDA received no adverse comments on this section. On our own initiative, we are revising the voluntary relinquishment provisions in § 1.635 to also address situations where a recognized accreditation body decides it does not want to renew its recognition once it expires. In addition we are including procedures for the certification bodies to follow after their accreditation bodies' recognitions are relinquished or not renewed.

G. How do I request reinstatement of recognition? (§ 1.636)

Proposed § 1.636 describes the procedures that an accreditation body would have to follow when seeking reinstatement of its recognition.

FDA received comments in support of the proposed procedures for reinstatement of recognition. FDA received no adverse comments on this section and is not making any substantive changes to this section in this final rule.

VIII. Comments on Accreditation of Third-Party Certification Bodies Under This Subpart

A. Who is eligible to seek accreditation? (§ 1.640)

Proposed § 1.640 states that a foreign government, agency of a foreign government, foreign cooperative, or other third-party would be eligible for accreditation from a recognized accreditation body (or, where direct accreditation is appropriate, FDA) to conduct food safety audits and issue food and facility certifications under the program. Proposed § 1.640(b) is based on section 808(c)(1)(A) of the FD&C Act and would require a foreign government/agency seeking accreditation to demonstrate that its food safety programs, systems, and standards would meet the requirements of proposed §§ 1.641 to 1.645, as specified in FDA's model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records. Proposed § 1.640(c) is based on section 808(c)(1)(B) of the FD&C Act and would require a foreign cooperative or other third-party certification body seeking accreditation to demonstrate that the training and qualifications of its audit agents and the internal systems used by the certification body would meet the requirements of proposed §§ 1.641 to 1.645, as specified in FDA's model standards on qualifications for accreditation, including legal authority, competency, capacity, conflicts of interest, quality assurance, and records.

At our own initiative, we revised § 1.640(c) to apply to accredited third-party certification bodies that are comprised of a single individual, as applicable.

(Comment 89) Some comments suggest that FDA should require third-party certification bodies conducting regulatory audits to be accredited to either: (1) ISO 17021:2011 (Ref. 6), with the complementary requirements of ISO/TS 22003:2007, Food safety management systems—Requirements for bodies providing audit and certification of food safety management systems (Ref. 20) or (2) ISO 17065:2012 (Ref. 7), with conformance to ISO 17021:2011 (Ref. 6) and ISO 22000:2005, Food safety management systems—Requirements for any organization in the food chain (Ref. 21).

Other comments suggest that ISO/IEC 17000:2004 (Ref. 4) and ISO/IEC 17021:2011 (Ref. 6) provide a common framework for managing the effectiveness of third-party certification activities and recommend incorporating the standards by reference into the final rule. The comments assert that FDA's proposed rule, by failing to incorporate by reference the ISO standards, appears to unnecessarily establish a unique standard in contravention of the NTTAA and OMB Circular A-119 (63 FR 8546) without adequate justification. The comments include recommended revisions to § 1.640. Other comments note that ISO/IEC Guide 65:1996 (Ref. 9) will be phased out by September 2015; therefore, the wording in the final rule should be changed to reflect the successor standard, ISO/IEC 17065:2012 (Ref. 7). Some comments express concern about the additional costs to exporters from third-party audits and private interests over and above official systems.

(Response 89) As explained in section I.D., we have revised the rule to allow a third-party certification body to offer documentation of conformance to ISO/IEC 17021:2011 (Ref. 6) or ISO/IEC 17065:2013 (Ref. 7) in support of its application for accreditation, supplemented as necessary. However, we decline the suggestion to incorporate the standards by reference into this rule.

ISO/IEC ISO 17021:2011 (Ref. 6) and ISO/IEC 17065:2012 (Ref. 7), the successor to ISO Guide 65:1996 (Ref. 9), contain requirements that are inconsistent with section 808 of the FD&C Act and impractical for our program. For example, ISO/IEC 17021:2011 (Ref. 6), clause 5.2.6, prohibits a certification body, including a governmental certification body, from providing internal audits to its certified clients. Under this same clause, a certification body that has provided internal auditing services to a client must wait for 2 years before conducting an audit for certification purposes. Clause 5.2.5 of the standard also prohibits the certification body from offering or providing any management systems consultancy (defined as participation in designing, implementing, or maintaining a management system). We note that ISO/IEC 17065:2012 (Ref. 7), clause 4 contains similar requirements, e.g., in clauses 4.2.6 and 4.2.10 NOTE 1, as the requirements of clauses 5.2.5 and 5.2.6 of ISO/IEC 17011:2004 (Ref. 5).

The requirements of our third-party program are markedly different, because section 808 of the FD&C Act expressly allows an accredited third-party certification body to conduct both regulatory audits for certification purposes and consultative audits for internal purposes. Further, section 808(c)(4)(C) of the FD&C Act allows an accredited certification body to use the same audit agent in auditing the same Start Printed Page 74605eligible entity, subject only to a limitation (that FDA may waive) on using the agent for a regulatory audit when the agent had conducted a consultative audit of the eligible entity in the preceding 13 months.

As another example, we note that ISO/IEC 17021:2011, clauses 6.2.1 to 6.2.3 (Ref. 6), require a certification body to establish an external committee for safeguarding impartiality that includes representation of key interests, such as audited firms. Clause 5.3.2 of the standard requires the certification body to demonstrate to the external committee that commercial, financial, or other pressures do not compromise its impartiality. Under clause 6.2.2(c), the committee has the right to take “independent action” if the top management of the certification body “does not respect the advice of this committee.” ISO/IEC 17065:2012 (Ref. 7), clause 5, contains similar requirements—e.g., clause 5.2.1 NOTE 1 (committee) and 5.2.3 (right to take independent action).

It would be inappropriate and impractical for FDA to require an accredited third-party certification body to assemble a committee representing interests outside those of this program, and would be impractical for FDA to properly manage the program under such circumstances. We also are concerned about the disincentive these requirements of ISO/IEC 17011:2004 (Ref. 5) and ISO/IEC 17065:2012 (Ref. 7) might create, for example, for foreign competent authorities who have their own processes for stakeholder engagement.

Based on our review of the standard and explained in the examples provided above, we have determined that ISO/IEC 17011:2004 (Ref. 5) and ISO/IEC 17065:2012 (Ref. 7) are inconsistent with section 808 of the FD&C Act and impractical for purposes of this program and therefore deny the suggestion to incorporate by reference into this rule.

With respect to the suggestion to incorporate ISO/IEC 17000:2004 (Ref. 4) into this rule, we note that this standard uses terminology that is inconsistent with section 808 of the FD&C Act. We are concerned that incorporating the terms used in ISO/IEC 17000:2004 (Ref. 4) in this rule would create unnecessary confusion as to how the rule relates to the statute. For example, clause 7.5 of the standard uses the term “recognition” for the “acknowledgement of the validity of a conformity assessment result provided by another person or body,” while recognition is used in section 808 of the FD&C Act when describing FDA's determination that an accreditation body meets the requirements of this rule.

Based on our review of the standard and explained in the example provided above, we have determined that ISO/IEC 17000:2004 (Ref. 4) is inappropriate for incorporation by reference into this rule.

Although we decline to incorporate the standards mentioned in the comments, we are revising § 1.640 to allow a third-party certification body to offer documentation of its conformance to ISO/IEC 17021:2011 (Ref. 6) or ISO/IEC 17065: 2013 (Ref. 7), supplemented as necessary, in support of its application for accreditation under the final rule. We conclude that this will serve to promote international consistency and allow third-party certification bodies to use a framework that is familiar to them when it can be used to meet the requirements of this rule.

(Comment 90) Some comments suggest the rule should impose different requirements on foreign government certification bodies and on other third-party certification bodies (i.e., foreign cooperatives and other third-party certification bodies), because of the different nature of private operators and public administration.

(Response 90) Under section 808(a)(3) of the FD&C Act third-party certification bodies include Foreign government certification bodies, foreign cooperatives, and other third-party certification bodies. Section 808 of the FD&C Act for the most part does not distinguish between public and private certification bodies and states that both are subject to the same model accreditation standards discussed in 808(b)(2). The only difference in treatment of public and private certification bodies is set forth in section 808(c)(1) of the FD&C Act, describing what elements of oversight be assessed for accreditation. This difference is reflected in the eligibility criteria set forth in § 1.640(b) and (c). In all other areas, we decline the suggestion to impose different requirements on foreign government certification bodies and other third-party certification bodies.

(Comment 91) Some comments express skepticism about private auditing companies. Some comments note that foreign cooperatives have rarely if ever been engaged in true accredited third-party auditing/certification activities and are thus unproven in that role.

(Response 91) As stated above, section 808 of the FD&C Act expressly provides for both public and private accredited third-party certification bodies. FDA believes the system of oversight established under this rulemaking will be sufficient to ensure the reliability of private certification bodies that are able to participate in the program. Foreign cooperatives are specifically listed in section 808 of the FD&C Act as a third party that could be a certification body, and must meet the same rigorous criteria to qualify for accreditation.

B. What legal authority must a third-party certification body have to qualify for accreditation? (§ 1.641)

Proposed § 1.641 would require third-party certification bodies to demonstrate that they have adequate legal authority, which may include authority established by contract or as a government entity to evaluate eligible entities for compliance with the applicable requirements of the FD&C Act and FDA regulations.

FDA received no adverse comments specific to this section. However, as discussed in Response 27, we have revised § 1.641 to specify that a third-party certification body has to be a legal entity.

C. What competency and capacity must a third-party certification body have to qualify for accreditation? (§ 1.642)

Proposed § 1.642 would require a third-party certification body to demonstrate it has adequate resources to fully implement its auditing and certification program and the capacity to implement the requirements of this program, if accredited.

(Comment 92) Some comments suggest that we require certification bodies to be bonded, to cover any Agency costs should the firm go bankrupt.

(Response 92) We decline the suggestion to require certification bodies to be bonded to cover any Agency costs if a certification body goes bankrupt. This requirement is unnecessary because the program is designed to operate using user fees. Additionally, § 1.642 of the final rule requires a third-party certification body to demonstrate that it has adequate resources to fully implement its auditing and certification program.

(Comment 93) Some comments recommend that we clearly define the necessary competencies of certification body staff and auditors. Some comments suggest that we require auditors to have at least 1 year of work experience in testing and assessing the conditions for food safety of certain food manufacturer(s) and to have attended at least 20 audits for management systems using hazards analysis and critical control point requirements.Start Printed Page 74606

(Response 93) Section 1.640 of this rule establishes the eligibility requirements for third-party certification bodies seeking to participate in the third-party certification program. Specific recommendations on qualifications such as the years and types of work experience in food safety and in conducting audits will be contained in FDA's Model Accreditation Standards final guidance, as explained in section I.D.

(Comment 94) Some comments emphasize the importance of having certification bodies accredited to the specific areas in which they will be conducting audits and issuing certifications. The comment explains that accredited auditors/certification bodies auditing pet food facilities must be adequately qualified and knowledgeable in pet food requirements. The comments express concern that human food standards might be misapplied to a facility producing raw materials, ingredients or finished food for pet food (e.g., cross-contact for allergens, ingredients destined for further processing).

(Response 94) A recognized accreditation body assessing a certification body for accreditation (or FDA under direct accreditation) must ensure that the certification body is qualified to conduct audits under the food safety requirements of the FD&C Act and FDA regulations that apply to the scope of accreditation sought. Therefore, a third-party certification body that is accredited to conduct audits under part 117 would not be accredited to perform audits under 21 CFR part 507, unless the accrediting body has assessed the certification body's qualifications and accredited it to perform audits under part 507 as well.

D. What protections against conflict interest must a third-party certification body have to qualify for accreditation? (§ 1.643)

Proposed § 1.643 would require third-party certification bodies to have established programs to safeguard against conflicts of interest that might compromise their objectivity and independence.

On our own initiative, we are clarifying in § 1.643(a) that the conflict of interest provisions of this section apply to officers, employees, and other agents that are involved in auditing and certification activities, as relevant. We are making corresponding changes in the subsequent provisions for accredited third-party certification bodies under § 1.657(a) and (c).

(Comment 95) Some comments recommend that FDA ensure that auditors are competent and accountable and that there are adequate protections against conflicts of interest, with maximum transparency related to auditors' activities. The comments support requirements for documented safeguards against conflicts of interest to help ensure that decisions are accurate and unbiased and that auditors are independent.

(Response 95) We agree and are requiring third-party certification bodies seeking accreditation to demonstrate they have written conflict of interest measures and that they have the capacity to meet the requirements of the final rule, if accredited.

E. What quality assurance procedures must a third-party certification body have to qualify for accreditation? (§ 1.644)

Proposed § 1.644 would require a third-party certification body to have a written program for monitoring and assessing its performance, identifying deficiencies in its program or performance and quickly executing corrective actions.

FDA received no adverse comments specific to this section. However, as discussed in Response 32, we revised § 1.644(a) to clarify that a certification body must demonstrate that it has procedures to identify deficiencies and procedures to execute corrective actions for such deficiencies, which would better align with international standards (see, e.g., clause 5.5 in ISO/IEC 17011:2004 (Ref. 5)).

F. What records procedures must a third-party certification body have to qualify for accreditation? (§ 1.645)

Proposed § 1.645 would require a third-party certification body to have developed and implemented written procedures to establish, control, and retain the records. Such records are necessary to provide the recognized accreditation body (or FDA under direct accreditation) an adequate basis for assessing the certification body for accreditation under this program.

We received no adverse comments specific to § 1.645 and are making no substantive revisions to this section.

IX. Comments on Requirements for Third-Party Certification Bodies That Have Been Accredited Under This Subpart

A. How must an accredited third-party certification body ensure its audit agents are competent and objective? (§ 1.650)

Proposed § 1.650 would require an accredited third-party certification body that uses audit agents to ensure that each audit agent meets certain requirements for competency and objectivity under the final rule. Under paragraph (a), the audit agent would need to have knowledge and experience relevant to determining an eligible entity's compliance with the applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, conformance with industry standards and practices. The accredited certification body would have to determine the audit agent's competency to conduct food safety audits in part by observing a representative number of audits performed by the audit agent. The audit agent would have to complete annual food safety training under the accredited third-party certification body's training plan, comply with the conflict of interest requirements for audit agents, and agree to notify its certification body immediately upon discovering, during a food safety audit, any condition that could cause or contribute to a serious risk to the public health.

Under proposed § 1.650(b), the accredited third-party certification body would have to assign an audit agent qualified to conduct the food safety audit, based on the scope and purpose of the audit and the type of facility, its processes, and food. Proposed § 1.650(c) would prevent an accredited third-party certification body from using an audit agent to conduct a regulatory audit of an eligible entity if the agent had conducted a regulatory or consultative audit of the same eligible entity during the preceding 13 months, except FDA could waive the 13-month limitation for an accredited certification body that could demonstrate insufficient access to accredited third-party certification bodies in the country or region where the eligible entity is located.

Of our own initiative, we are revising § 1.650(a) to apply to accredited third-party certification bodies that are comprised of a single individual, as applicable. Section 808(a)(3) of the FD&C Act specifically allows an accredited third-party certification body to be an individual, which would not fall within the definition of “audit agent” in the statute or this rule. Start Printed Page 74607Therefore, as part of establishing eligibility under § 1.640, an individual seeking accreditation must fulfill the requirements of § 1.650(a)(1) to become accredited under this rule and, once accredited, must comply with the annual food safety training requirements of § 1.650(a)(3). Pursuant to § 1.650(a)(4), an accredited third-party certification body also must comply with the conflict of interest provisions applicable to audit agents under § 1.657(a)(3).

We note that a recognized accreditation body that is assessing an individual seeking accreditation under this program also must assess the individual's knowledge and experience under § 1.650(a)(1) for the scope of accreditation requested and must consider the results of such assessment in determining the individual's eligibility for accreditation under § 1.640. The onsite observations of an individual seeking accreditation that are performed under § 1.620(a)(3) must be sufficient to determine competency consistent with § 1.650(a)(2).

(Comment 96) Some comments strongly support the proposed requirements of § 1.650, which would require an accredited certification body to ensure that the audit agents it uses have the knowledge and experience, within the scope of its accreditation, to examine facilities, processes, and foods for compliance with the FD&C Act and FDA regulations. The comments assert that audits are only as good as the education, training, and experience of the auditor. Other comments recommend that food safety audits under this rule should be performed by individuals that have training equivalent to FDA investigator training standards.

(Response 96) We agree with comments emphasizing the importance of ensuring that audit agents an accredited third-party certification body uses to conduct audits under the program are appropriately qualified within the scope of the third-party certification body's accreditation. Proposed § 1.650 would comprise the elements of a comprehensive assessment that an accredited third-party certification body would need to perform for each audit agent it would use to conduct a food safety audit under this rule. We further agree with comments suggesting that an auditor determined by a third-party certification body to be competent to conduct audits under private food safety schemes must nonetheless be assessed by the accredited third-party certification body for competency to conduct audits using the applicable food safety requirements of the FD&C Act and FDA regulations as the audit criteria. Therefore, under § 1.650(a), an audit agent would need to demonstrate substantive knowledge of the applicable food safety requirements of the FD&C Act and FDA regulations relevant to the scope and purpose of the food safety audits the agent would conduct under the program. We do not agree to go so far as to require that all audit agents or individuals accredited as third-party certification bodies must have training equivalent to FDA investigator training standards, as we acknowledge that some investigator training would not be necessary to conduct audits under this program (e.g., evidence collection for enforcement purposes). Such a requirement would impose unnecessary costs and might serve as a disincentive to participation in the program.

(Comment 97) Some comments specifically endorse proposed § 1.650(a)(2), which would require each audit agent to be observed conducting audits to examine compliance with the FD&C Act in a representative number of facilities and foods. Other comments recommend that an accredited third-party certification body should observe an audit agent before the agent begins to conduct food safety audits of a different type of food, followed by random, periodic spot audits to confirm that the audit agent is applying the audit criteria consistently. The comments interpret proposed § 1.650(a)(2) to mean that the accredited third-party certification bodies would be required to “continually witness” each audit agent they use.

(Response 97) We agree that observations of audit agents under proposed § 1.650(a)(2) are essential in determining the competency of audit agents. We are revising proposed § 1.650(a)(2) to require the observation of a representative “sample” of audits, instead of a representative “number” of audits, because the focus of this provision was not intended to be on the number of audits the audit agents would be expected to conducted. Rather, we intend for the accredited third-party certification body to observe a sample of audits that are representative of the range of audits the audit agent might be assigned.

In determining what would constitute a “representative sample” for purposes of final § 1.650(a)(2), the accredited third-party certification body should consider the various types of food facilities that might be audited and the range of FDA regulations that would apply to such facilities. An accredited third-party certification body would need to observe the audit agent conducting a number of audits across the range of facilities identified by the certification body, and the range of FDA regulations that would apply to those facilities, such that, taken together, the observed audits would be adequately representative of the facilities, processes, and foods the audit agent may be assigned to conduct. Generally, the more complex the regulations or the more complex the processes used by the facility, the greater the sample size should be, to help ensure the audit agent can apply the audit criteria consistently and reliably in various situations. The accredited third-party certification also should gather sufficient information to provide confidence in its determination of the audit agent's competency to conduct audits under this rule.

Contrary to the interpretation suggested by some comments, proposed § 1.650(a)(2) would not require an accredited third-party certification body to “continually witness” each of its audit agents. Such an approach is not practical, efficient, or necessary. However, we are clarifying in § 1.650(a)(2) that before an audit agent is used to conduct food safety audits under this rule the audit agent must be observed by the accredited third-party certification body and found to be competent to conduct food safety audits relevant to the audits they will be assigned to perform under this program. Such observations also must be performed whenever an audit agent will be assigned to perform food safety audits to determine compliance with additional food safety requirements under the FD&C Act and FDA regulations beyond what the certification body has previously observed.

Under this approach, once an accredited third-party certification body has determined an audit agent's competency and objectivity under § 1.650, the audit agent can be assigned to conduct audits for which they are qualified under § 1.650(a)(1) and (2), subject to requirements such as the annual training requirements in § 1.650(a)(3) and the accredited third-party certification body's self-assessment under § 1.655. Although we decline to require periodic observations of audit agents, once the accredited certification body has determined the competency of its audit agents under § 1.650(a)(2), we acknowledge the value of such observations in verifying audit agent competency and the rigor of the certification body's program for evaluating its audit agents.

(Comment) 98) Some comments recommend that we include Start Printed Page 74608requirements focusing on the performance of individual audit agents because, the comments assert, many audit complaints arise from individual auditor conduct and focusing on individual performance may help create more consistency in the process.

(Response 98) We agree, and have received similar input from other stakeholders during our public meetings. The comments and other stakeholder input underscore the importance of the requirements for an accredited third-party certification body to observe a representative sample of audits conducted by each audit agent under § 1.650(a)(2), to ensure that any audit agent it assigns to an audit is appropriately qualified under § 1.650(b), and to assess the performance of its audit agents and the consistency of performance across all its audit agents as part of the certification body's self-assessment under § 1.655.

(Comment 99) Some comments support the proposed requirement for annual food safety training under proposed § 1.650(a)(3), noting the importance of ensuring that audit agents have up-to-date training in areas relevant to their audit activities. The comments also suggest that FDA should communicate to training institutions any general audit agent training needs FDA identifies through its program management and oversight. Other comments recommend that the annual training requirement should relate to relevant food safety provisions of the FD&C Act and FDA regulations.

(Response 99) We agree and are revising § 1.650(a)(3) to clarify that an audit agent, or an individual accredited as a third-party certification body, must have annual food safety training that is relevant to activities conducted under this program. FDA works with a number of Alliances and other organizations to ensure training needs for regulatory requirements are met. For instance, having identified the need to train regulators and industry in the new FSMA preventive controls rules, FDA is working in collaboration with the Food Safety Preventive Controls Alliance (FSPCA) to develop training materials and establish training and technical assistance programs for the preventive controls rules. The Alliance includes members from FDA, state food protection agencies, the food industry, and academia and is funded by a grant to the Illinois Institute of Technology's Institute for Food Safety and Health. For more information about the FSPCA, see e.g., http://www.iit.edu/​ifsh/​alliance/​.http://www.iit.edu/​ifsh/​alliance/​.

(Comment 100) Some comments suggest that in addition to the requirements of the proposed rule, we should require conformance to ISO/IEC 19011:2011 (Ref. 8) on auditor competency.

(Response 100) FDA's recommendations on auditor competency, among other things, will be contained in FDA's Model Accreditation Standards. As noted in section I.D., comments that address matters covered by FDA's Model Accreditation Standards are outside the scope of this rulemaking.

The issuance of the Model Accreditation Standards draft guidance was announced through publication of a notice of availability in the Federal Register of July 24, 2015. We plan to finalize the Model Accreditation Standards after receiving public comments on the draft guidance.

(Comment 101) Some comments note that the audit agent's education, training, and experience must be specific to the industry or industries being audited. Some comments, for example, recommend that audit agents who examine eligible entities for compliance with food additive requirements should have industry experience with food additives and relevant knowledge, experience or training in auditing these types of facilities and processes.

(Response 101) We agree that a certification body must consider an audit agent's competency whenever assigning the audit agent to a specific audit. Therefore, § 1.650(b) requires the accredited third-party certification body to ensure that an audit agent it assigns to a specific audit is appropriately qualified, based on the audit scope and purpose, the specific type of facility, processes, and foods the audit agent would be required to examine, and the food safety requirements of the FD&C Act and FDA regulations that would apply.

We note that an accredited third-party certification body that is an individual would be determined during the accreditation process to be appropriately qualified to conduct audits within the scope of its accreditation.

(Comment 102) Some comments agree with proposed § 1.650(c) and assert that it is needed to protect against conflicts of interest. Some comments assert that, under current practices, auditors in many countries frequently conduct consecutive audits at the same premises. Other comments suggest that the 13-month limit is unnecessary because adequate mechanisms already exist to manage conflicts of interest and objectivity in ISO/IEC standards. Still other comments express concern that the proposed limit of 13 months would be too short to avoid a conflict of interest. These comments contend a short interval between consultative audits and regulatory audits that are conducted by the same audit agent could create the appearance that the audit agent is auditing the results of the prior consultation. Other comments assert we should impose a 2-year limit, rather than a 13-month limit on audit agents conducting regulatory audits of the same eligible entity.

(Response 102) We disagree with comments opposed to proposed § 1.650(c). Proposed § 1.650(c) would implement the requirements of section 808(c)(4)(C) of the FD&C Act, which limits an accredited third-party certification body's ability to use an audit agent to conduct a regulatory audit of an eligible entity if the agent conducted a consultative or regulatory audit for the same eligible entity in the preceding 13 months, unless FDA waives the limitation under criteria described in the statute. While we recognize this requirement may differ from some international standards, it balances the concern of an audit agent auditing their own prior results if the subsequent audit happens too soon with auditor capacity concerns through a waiver provision. Under proposed § 1.663, FDA would issue waivers where we determine there is insufficient access to in the country or region where the eligible entity is located.

We note that the proposed rule was unclear with respect to whether the showing of insufficient access to support a waiver was based on a lack of certification bodies or individual audit agents in a country or region, and have therefore clarified in the final rule that the showing of insufficient access necessary for FDA to grant a waiver request is based on lack of audit agents (or in cases where individuals are accredited as third-party certification bodies, those individuals). Although we are finalizing additional conflict of interest requirements in § 1.657 of this rule, these provisions do not implement the 13-month limit in section 808(c)(4) of the FD&C Act. Section § 1.650(c) complements the requirements in § 1.657 to provide additional conflict of interest protections. Note that though this response uses the term “audit agent” this provision also applies to accredited third-party certification bodies that are individuals.

(Comment 103) Several comments assert that proposed § 1.650(c) and the waiver process FDA proposes to establish would be impractical. The comments note that there is currently a significant shortage of experienced food Start Printed Page 74609safety auditors around the world. Describing it as a “capacity” issue, the comments suggest that implementation of the FSMA rules will further exacerbate the problem. Some comments suggest that proposed § 1.650(c) would be impractical for small countries due to auditor capacity issues.

(Response 103) We acknowledge the concerns about the possible shortage of skilled food safety auditors to meet current global demand and are aware of efforts by GFSI, the food industry, scheme owners, and third-party food safety certification bodies to address auditor capacity, as described in section I.D. We also understand that FSMA implementation is likely to create further demand for auditors. Nonetheless, as explained in Response 102, we are required by section 808(c)(4)(C) of the FD&C Act to limit an accredited third-party certification body's ability to use an audit agent; we have clarified in the final rule that the showing of insufficient access necessary for FDA to grant a waiver request is based on lack of audit agents (or in cases where individuals are accredited as third-party certification bodies, those individuals).

We disagree with comments suggesting that the waiver process we propose would be impractical. We are developing an IT portal that includes the capability for accepting electronic submissions of requests and electronic issuance of waivers, which will help facilitate the submission of waiver requests by accredited third-party certification bodies and FDA's processing of such requests.

(Comment 104) Some comments contend that the proposal to require accredited third-party certification bodies to show insufficient accredited third-party certification body resources to obtain an FDA waiver of proposed § 1.650(c) would be unnecessarily burdensome because the proposed conflict of interest requirements adequately protect against concerns about “industry capture.” Some comments recommend that FDA research global food safety auditor capacity and proactively issue waivers of proposed § 1.650(c), absent waiver request(s). Still other comments suggest that eligible entities should be able to seek waivers of the 13-month limit on behalf of an accredited third-party certification body.

(Response 104) Under section 808(c)(4)(C) of the FD&C Act, the 13-month limit on audit agents conducting regulatory audits may be waived if FDA determines there is insufficient access to audit agents in a country or region. While acknowledging capacity concerns raised in comments, we decline the suggestion that FDA should gather information to support waivers absent a request for a waiver under section 808(c)(4)(C)(ii) of the FD&C Act. We believe gathering such information would not be the best use of our limited resources, and that third-party certification bodies would be better positioned to inform FDA of audit agent capacity issues in their country or region of operation. Moreover, the final rule clarifies that accredited third-party certification bodies must demonstrate that there is insufficient access to audit agents in the country or region where the eligible entity is located in order to obtain a waiver. Because the 13-month limit is on individual audit agents, and not third-party certification bodies, this limitation is likely to be less burdensome than anticipated by the comments.

We decline the suggestion to allow eligible entities to request a waiver of proposed § 1.650(c) on behalf of an accredited third-party certification body, because we believe the accredited third-party certification body will be better suited to assess auditor capacity on a national or regional basis. Periodic rotation of audit agents is intended to help ensure that audits remain objective and do not become compromised by familiarity. The requirement to ensure an audit agent's objectivity is placed on the accredited third-party certification body, not an eligible entity, under proposed § 1.650(a). Further, given that the accredited third-party certification body would ultimately need to agree to conduct an audit for an eligible entity, requiring the accredited third-party certification body to request the waiver would ensure that they are willing to accept the request for a food safety audit in the first place. In light of the foregoing, we have concluded that it is the accredited third-party certification body, not the eligible entity, who should seek a waiver of the 13-month limit in proposed § 1.650(c).

We disagree with comments suggesting waiver requests will be unduly burdensome or time-consuming for accredited third-party certification bodies. The IT portal we are developing for the third-party certification program includes the capability for accepting electronic submissions of requests and electronic issuance of waivers, which we believe will help minimize the administrative burden on certification bodies and FDA.

B. How must an accredited third-party certification body conduct a food safety audit of an eligible entity? (§ 1.651)

Proposed § 1.651 would establish requirements for planning and conducting consultative and regulatory audits in a manner that fulfills the purposes of section 808 of the FD&C Act. Under paragraph (a) on audit planning, the accredited third-party certification body would require the eligible entity to identify whether it was seeking a consultative or regulatory audit subject to the requirements of this subpart under the third-party certification program. The eligible entity would indicate the scope and purpose of the requested audit and, in the case of a regulatory audit, would indicate the type of certification sought. The accredited third-party certification body would also require the eligible entity to provide a 30-day operating schedule for the facility that would provide information relevant to scope and purpose of the audit. The accredited third-party certification body would then consider whether the requested audit is within the scope of its accreditation.

Proposed § 1.651(b) would require the accredited third-party certification body to ensure it would have adequate authority to conduct the requested audit, including authority to: (1) Conduct an unannounced audit; (2) access any area of the facility or any of its records relevant to the scope of the audit; (3) use an accredited laboratory in accordance with section 422 of the FD&C Act, (21 U.S.C. 350k), where FDA requires sampling and analysis; (4) notify FDA immediately upon discovering, during a consultative or regulatory audit, a condition that could cause or contribute to a serious risk to the public health; (5) prepare audit reports that would contain certain elements and, for regulatory audits, that would be submitted to FDA; and (6) allow FDA and its recognized accreditation body to observe any food safety audit under the program.

Proposed § 1.651(c) would require an unannounced audit to be conducted in a manner consistent with its scope and purpose and would include records review as well as an onsite examination of the facility, process(es), and food to determine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and for consultative audits, conformance with include industry standards and practices. Proposed § 1.651(c) would require the audit agent to document observations and corrective actions and, where appropriate, would include Start Printed Page 74610environmental or product sampling and analysis using validated methodologies and a laboratory accredited in accordance with the requirements of section 422 of the FD&C Act.

At our own initiative, we are removing the requirement to use a laboratory consistent with section 422 of the FD&C Act and inserting a requirement in § 1.651(b)(3) to use a laboratory accredited under ISO/IEC 17025:2005 or another laboratory accreditation standard that provides at least a similar level of assurance in the validity and reliability of sampling methodologies, analytical methodologies, and analytical results.

On our own initiative, we are also revising § 1.651(c)(1) to clarify that the audit must be focused on determining whether the facility, its process(es), and food are in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and for consultative audits, also includes conformance with applicable industry standards and practices. Based on comments received on § 1.653 and for the reasons described in Comment/Response 112 in section IX.C., we are revising § 1.651(c)(3) to clarify that an accredited third-party certification body (or its audit agent, where applicable) that identifies a deficiency requiring corrective action may verify the effectiveness of a corrective action once implemented by the eligible entity but must not recommend or provide input to the eligible entity in identifying, selecting, or implementing the corrective action.

(Comment 105) Some comments suggest that we should incorporate ISO/IEC 19011:2011 (Ref. 8), which contains guidelines on auditing management systems, by reference into the rule.

(Response 105) We disagree, because ISO/IEC 19011:2011 (Ref. 8) is inconsistent with the requirements of section 808 of the FD&C Act and this rule. For example, ISO/IEC 19011:2011 (Ref. 8) is premised on announced audits that are scheduled with the client, as described in clauses 6.2.2, and 6.2.3 of the standard; however, section 808(c)(5)(C)(i) of the FD&C Act requires audits conducted under this rule to be unannounced. As another example, clause 6.4.9 of ISO/IEC 19011:2011 (Ref. 8) suggests that an audit team should attempt to resolve any “diverging opinions” between the team and the audited entity regarding the audit conclusions, such as the extent of conformity with audit criteria (clause 6.4.8), during the closing meeting. We acknowledge that differences of opinions regarding audit conclusions are likely to occur between eligible entities and accredited third-party certification bodies or audit agents. However, the credibility of our program rests in large part on the independence and objectivity of accredited third-party certification bodies and audit agents. This rule is intended to help ensure they are free from the influence of the eligible entities and any appearance that their judgment is compromised by eligible entities. Audit conclusions regarding an eligible entity's compliance with the applicable food safety requirements of the FD&C Act and FDA regulations are the purview of the accredited third-party certification body and any audit agents it uses. The appropriate mechanism for an eligible entity seeking to challenge adverse decisions would be the accredited third-party certification body's appeals process.

For the foregoing reasons, we decline to incorporate ISO/IEC 19011:2011 (Ref. 8) by reference into this rule.

(Comment 106) Some comments assert the guidelines for management systems auditing in ISO/IEC 19011:2011 (Ref. 8) would provide a useful guide for audits conducted under the program. Other comments suggest the audit agents should be conducting food safety audits using a quality systems approach. Citing the production of food additives as an example, these comments note that while it would be preferable to conduct an audit while a food additive is being produced it is not always feasible. The comments suggest that as long as the audit focuses on quality systems it should not be necessary for production of the food additive to occur during the audit.

(Response 106) As explained in Response 105, some elements of ISO/IEC 19011:2011 (Ref. 8) are inconsistent with the requirements of section 808 of the FD&C Act and this rule, thereby limiting its applicability for food safety audits conducted under this rule. We agree, however, with the general principle that a “systems” approach to food safety audits with a correctly identified scope and purpose, using appropriate audit criteria, and properly executed by a competent audit agent (or individual accredited as third-party certification body), should be sufficient to cover the food within the audited system(s) of the facility, without requiring direct observation of each type of food produced. We note that it is essential that the scope of the audit covers the appropriate physical locations, activities, and processes that are part of the management system to be audited, and information collected during the audit must be relevant to the audit scope, purpose, and criteria, including information relating to interfaces between functions, activities, and processes of the food safety system.

We use the term “systems audits” generally, acknowledging that “management systems” audits, “product certification” audits, and “quality systems” audits have specific meanings in some contexts, such as ISO/IEC standards, but may have different meanings in different contexts. To the extent that the comments referencing a “quality systems” approach are suggesting that food safety audits should be conducted using a “systems auditing” approach, we agree. Accordingly, we are revising § 1.651(c)(1) to better align with the language of section 808 of the FD&C Act and this rule, as well as “systems” auditing principles.

Our goal is to ensure the rigor of the food safety audits conducted under our program, which will be accomplished through compliance with the requirements of this rule. It is intended to help ensure that food safety audits are conducted by competent audit agents (or individuals accredited as a third-party certification bodies), in accordance with a properly defined audit scope and purpose, using the applicable audit criteria required by this rule. As such, any food safety audit conducted under the rule should provide the information necessary for the accredited third-party certification body to make a determination on compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. Whether or not a particular audit does, in fact, provide such information, with an appropriate level of confidence, is dependent on a number of factors, among them:

1. At the time that the food safety audit is procured, the eligible entity must declare the scope and purpose of the audit consistent with the requirements of this rule (and any additional criteria established in VQIP guidance for facility certifications for use in that program or, for certifications to be used for purposes of section 801(q) of the FD&C Act any additional criteria that may be established by FDA relating to the safety determination).

2. The accredited third-party certification body must assign an audit agent that is competent to perform the audit (or, for an accredited third-party certification body that is an individual, such audit must be within the scope of accreditation).

3. The audit agent (or individual accredited as a third-party certification body) must:

a. Develop and successfully execute an audit plan that includes a records Start Printed Page 74611review, which may be scheduled, and a subsequent onsite facility examination performed on an unannounced basis within a 30-day window of time according to the facility's operating schedule for the requested audit purpose and scope and using the appropriate audit criteria; and

b. during the audit collect and verify information that is relevant to the audit purpose, scope, and criteria and that will form the basis for the audit findings and conclusions.

We note that this rule establishes the requirements for the third-party certification program but does not establish requirements relating to the use of these certifications for purposes of sections 801(q) and 806 of the FD&C Act. To that end, we urge an eligible entity seeking a regulatory audit for certification to be used for VQIP purposes or for purposes of satisfying a requirement for certification under section 801(q) to ensure that the scope of the regulatory audit it procures, and any food and facility certifications that are issued as a result, will be sufficient to meet FDA requirements under sections 801(q) and 806 of the FD&C Act.

Under section 806 of the FD&C Act, FDA will require facility certifications issued by accredited third-party certification bodies under section 808 as a condition of an importer's eligibility for VQIP. We encourage eligible entities, importers, and accredited third-party certification bodies to consult the VQIP guidance, when finalized, to ensure the proper scope has been established for any regulatory audit conducted to obtain facility certification for VQIP purposes.

Any requirement for certification to satisfy a condition of admissibility under section 801(q) of the FD&C Act would be based on an FDA safety determination relating to specific circumstances, as described in section 801(q)(2). An eligible entity seeking certification from an accredited third-party certification body to meet the admissibility requirements under section 801(q) of the FD&C Act must ensure the proper scope has been established for the regulatory audit it procures to address the circumstances behind the 801(q) determination.

(Comment 107) Some comments assert that the audit requirements in proposed § 1.651 are overly detailed and inflexible, contending that accreditation bodies have their own requirements for good auditing practices. The comments also suggest that proposed § 1.651, would be problematic to implement and cite as an example the proposed requirement for unannounced audits, which the comments say would be inconsistent with the requirements associated with planned audits that apply in other programs.

(Response 107) We understand that some of the requirements in proposed § 1.651 differ from the audit protocols currently used in conducting many third-party audits of food facilities. The comments do not identify the good auditing practices they assert accreditation bodies already require certification bodies to use; however, we are not incorporating ISO/IEC 17021:2011, ISO/IEC 17065:2012, or ISO/IEC 19011:2011 by reference into this rule for the reasons explained in section I.D. We are unable to identify a voluntary consensus standard that would encompass the audit practices required by section 808 of the FD&C Act (e.g., unannounced audits and notification of conditions that could cause or contribute to a serious risk to public health) as well as other practices the statute allows (e.g., audit agents conducting both consultative and regulatory audits). In the absence of existing standards that would adequately address the food safety audit requirements of section 808 of the FD&C Act, § 1.651 offers accredited third-party certification bodies and audit agents the requirements needed to conduct food safety audits in the manner the statute contemplates and requires.

The comment asserting that proposed § 1.651, would be problematic to implement cited as an example the proposed requirement for unannounced audits in § 1.651(c)(1). We acknowledge that most audits are scheduled, and a program involving unannounced audits will require changes in the current usual practices of accredited third-party certification bodies and eligible entities. However, section 808(c)(5)(C)(i) of the FD&C Act specifically requires audits performed under this rule to be unannounced. As described in Response 106, proposed § 1.651(c)(1) was designed to provide flexibility to accredited third-party certification bodies and eligible entities, while fulfilling this statutory requirement. Without additional examples or other details in the comments to explain why the other audit protocols in proposed§ 1.651(a) would be problematic to implement, we decline to revise § 1.651(a)(2) to (4) in response to the comments.

(Comment 108) In addition to comments described in section III.E. regarding the impracticality of unannounced audits, some comments contend that unannounced audits would be impractical and inefficient for any food safety audit (e.g., regulatory audits) conducted under this rule. Other comments express concern about implementing unannounced audits at farms that may be geographically isolated, while offering support for unannounced audits in principle.

Other comments note that unannounced audits are conducted for operations participating in the Leafy Greens Marketing Agreements (LGMAs) in California and Arizona and in the California Cantaloupe Marketing Order (CCMO), asserting it is feasible to conduct audits of seasonal operations during harvest activities, observing practices and programs in the field and facility. Some comments suggest that unannounced audits provide a more realistic view of the entity's compliance status than planned audits do.

Some comments endorse the approach of a planned records review prior to an unscheduled site audit occurring at any point during a 30-day operating window. Other comments ask us to clarify in the final rule which parts of a food safety audit may be performed on a scheduled basis and which parts must be performed on an unannounced basis within a 30-day window.

(Response 108) We decline to revise our approach to unannounced audits under § 1.651, as section 808(c)(5)(C)(i) of the FD&C Act explicitly requires that audits be unannounced. We are, however, adding language to § 1.651(c)(1) to clarify that the records review portion of a food safety audit may be scheduled with an eligible entity and, through revisions to § 1.651(c)(2), are requiring the records review to occur before the onsite facility examination portion of the audit, consistent with the description in the preamble to the proposed rule (78 FR 45782 at 45811 to 45812). We are retaining the requirement in § 1.651(c)(1) to conduct an unannounced audit through an unscheduled onsite facility examination at any time during the 30-day timeframe identified pursuant to § 1.651(a)(1)(ii).

As discussed in the preamble to the proposed rule (78 FR 45782 at 45811), when developing the audit protocols to implement the statutory requirement for unannounced audits, we considered the British Retail Consortium (BRC) Global Standard for Food Safety (Ref. 22) unannounced audit option to help us ensure that our approach to unannounced audits would be practical and feasible to implement. The BRC unannounced audit option provides for a “Good Manufacturing Practices-type audit” to be unannounced, while a separate records review could occur during a planned visit. We have concluded that it is reasonable and appropriate to interpret the statutory Start Printed Page 74612requirement for unannounced audits to allow a record review to be conducted during a planned visit to the eligible entity, provided that the onsite audit is conducted on an unannounced basis. In addition, as discussed previously, we have revised § 1.651(c)(2) to require that the records review must precede the onsite examination to facilitate the facility visit.

We agree with comments suggesting that unannounced audits are feasible and note, for example, that another GFSI-benchmarked scheme, the Safe Quality Food Code in July 2014 began implementing an unannounced audit component, wherein unannounced audits are mandatory for every third audit (Ref. 23). Additionally, while we appreciate the concern expressed by comments regarding the implementation of unannounced audits at farms that may be geographically isolated, we believe the examples cited by comments of unannounced audits of participants that are performed at least once each year under the LGMA and the CCMO are persuasive in demonstrating the feasibility of unannounced audits for primary production. Moreover, the requirements for audits specified in the statute and our experiences planning foreign inspections lead us to believe that the requirement for a 30-day operating window will assist in preventing logistic problems associated with unannounced audits in geographically isolated areas. For the foregoing reasons, we have concluded that the unannounced audit protocol in § 1.651(a)(1) is practical and efficient to implement, while meeting the requirements of section 808(c)(5)(C)(i) of the FD&C Act.

(Comment 109) Some comments suggest that FDA increase the window of time between the records review, which informs the audit planning, and the unannounced site audit, which examines the facility, its process(es), and food for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. To maximize the element of surprise while ensuring the relevance of the records review to the conduct of the site audit, the comments suggest we should expand the timeframe to allow the audit agent to conduct the site audit any time during a 90-day period.

(Response 109) Food safety audits conducted under this program, particularly regulatory audits for certification purposes, often are time sensitive in nature, because they are necessary for issuance of certifications that are used facilitate trade. Establishing a lengthy window of time during which an unannounced audit could occur could have significant implications, for example, where certification is used in satisfying a condition of admissibility for a food subject an FDA safety determination under section 801(q) of the FD&C Act. A lengthy window of time for an unannounced audit to be conducted also could hinder participation in the VQIP program under section 806 of the FD&C Act, which requires an importer to provide facility certification as a condition of participation. In light of the foregoing, we do not believe it would be reasonable to extend the length of time between records review and the site audit from 30 to 90 days.

C. What must an accredited third-party certification body include in food safety audit reports? (§ 1.652)

Proposed § 1.652 would implement section 808(c)(3)(A) of the FD&C Act, which authorizes FDA to establish the requirements for audit reports that an accredited third-party certification body would need to prepare as a condition of its accreditation. The statute specifies that such report of an audit must include: (1) The identity of the persons at the eligible entity responsible for compliance with food safety requirements; (2) the dates and scope of the audit; and (3) any other information FDA requires that relates to or may influence an assessment of compliance.

Proposed § 1.652(a) would specify the form of consultative audit reports, which would include: The name, address, and unique facility identifier (UFI) of the facility subject to audit; the name, address, and UFI of the eligible entity (if it differs from the facility); the contact information for the person(s) responsible for food safety compliance at the facility; the dates and scope of the consultative audit; and any deficiency(ies) observed during the audit that require corrective action(s) and the date on which such corrective action(s) were completed. Proposed § 1.652(a) would require that a consultative audit report be prepared by no later than 45 days after completing the audit and would require preparing the report in English and maintaining it as a record under proposed § 1.658.

Proposed § 1.652(b) would specify the form of regulatory audit reports, which would include: (1) The name, address, and UFI of the facility subject to audit; (2) the FDA food facility registration number (where applicable); (3) the name, address, and UFI of the eligible entity (if it differs from the facility); (4) the contact information for the person(s) responsible for food safety compliance at the facility; (5) the dates and scope of the regulatory audit; (6) the process(es) and food(s) observed during the audit; (7) whether sampling and laboratory analysis is used in the facility; (8) recent food recalls; (9) recent significant changes at the facility; and (10) any food or facility certifications recently issued to the entity. With respect to deficiencies and corrective actions, proposed § 1.652(b) would require the accredited third-party certification body to include in the regulatory audit report any deficiency(ies) observed during the audit that meet FDA's Class I and Class II recall standards—i.e., the deficiency(ies) present(s) a reasonable probability that the use of or exposure to the violative product will cause serious adverse health consequences or death; or may cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences is remote, and the corrective action plan for any identified deficiency unless the corrective action was implemented immediately and verified onsite by the accredited third-party certification body. Proposed § 1.652(b) also would require that a regulatory audit report be submitted to FDA electronically, in English, by no later than 45 days after completing the audit.

Under proposed § 1.652(c), an accredited third-party certification body would have to submit to FDA an audit report for any regulatory audit it conducts, regardless of whether the certification body issued a certification based on the results of the regulatory audit. Proposed § 1.652(d) would require an accredited third-party certification body to implement written procedures for receiving and addressing challenges from eligible entities contesting adverse regulatory audit results and would require them to maintain records of such challenges under proposed § 1.658.

On our initiative, we revised paragraphs (a) and (b) of § 1.652 to clarify that an accredited third-party certification body must provide a copy of a consultative audit report or regulatory audit report (respectively) to the eligible entity. We also on our own initiative added a requirement for the accredited third-party certification body to include in the audit report the FDA Establishment Identifier (FEI) of the facility audited and the FEI of the eligible entity, if different than the FEI for the audited facility to help verify the identity of the facility and eligible entity based on information contained in FDA's database of FEIs. Further, we aligned the elements of the consultative audit report and regulatory audit report; for example, we redesignated proposed paragraph (a)(5) as (a)(6) and added a Start Printed Page 74613new paragraph (a)(5) to require that the consultative audit report include the processes and foods observed during the consultative audit. Additionally, on our own initiative we revised § 1.652(d) to clarify that an accredited third-party certification body must notify an eligible entity of a denial of certification.

(Comment 110) Several comments raise concerns regarding the requirements that would apply to consultative audit reports under proposed § 1.652(a). The comments assert that because consultative audits are specifically intended to be for internal purposes, FDA should delete proposed § 1.652(a) and should not propose any requirements for consultative audit reports. Other comments suggest that we remove the proposed requirement to prepare a consultative audit report no later than 45 days after conducting the audit, asserting the deadline is infeasible. Still other comments suggested we should allow consultative audit reports to be prepared and maintained in languages other than English.

Some comments interpret proposed § 1.652(a) to require consultative audit reports to be submitted to FDA. Other comments urge us to emphasize to industry that proposed § 1.652(a) would only require accredited third-party certification bodies to maintain consultative audit reports in their records and not submit them to FDA, and that FDA could only access consultative audit reports in circumstances meeting the serious adverse health conditions or death to humans or animals (SAHCODHA) standard for records access under section 414 of the FD&C Act. Other comments note that the proposed rule was silent on the protection of proprietary information in audit reports.

(Response 110) We disagree with comments suggesting that because consultative audits are for internal purposes only, FDA is precluded from imposing any requirements for consultative audit reports prepared by accredited third-party certification bodies under this rule. Section 808(c)(3)(A) of the FD&C Act requires certain elements to be included in reports for all food safety audits. This includes both consultative audits and regulatory audits, which are the two types of audits described in section 808(c)(4)(B) of the FD&C Act. Section 808(c)(3)(A) sets a 45-day deadline for the preparation of all audit reports, including consultative audit reports, and sets a separate requirement that the audit reports for regulatory audits be submitted. Section 808(c)(3)(A) of the FD&C Act also gives FDA discretion to designate the form and manner of audit reports and to require accredited third-party certification bodies to include in audit reports other information that relates to or may influence an assessment of compliance with the FD&C Act. In light of these statutory provisions, we decline the suggestions to delete proposed § 1.652(a) or to remove the proposed 45-day deadline for preparation of a consultative audit report.

We are, however, removing the proposed requirement in § 1.652(a) that consultative audit reports would need to be prepared and maintained in English in the accredited third-party certification body's records. As explained in Response 59, we are removing the proposed requirements for recognized accreditation bodies and accredited third-party certification bodies to create and maintain records that do not need to be submitted to FDA, outside of a specific request, under this rule in English.

We disagree with comments suggesting that § 1.652(a) should require accredited third-party certification bodies to submit consultative audit reports to FDA. We note that section 808(c)(3)(A) only requires the submission of regulatory audit reports. Because consultative audits are for internal purposes, we consider it appropriate to require the maintenance of these reports, but not the submission of the reports. Under section 808(c)(3)(C) of the FD&C Act, we could only access consultative audit reports in circumstances meeting the standard for records access under section 414 of the FD&C Act.

With respect to protection of proprietary information in consultative audit reports submitted to or obtained by FDA, we note that the final rule includes new provision § 1.695, which addresses disclosure and the protection of trade secrets and confidential commercial information under applicable law.

(Comment 111) Some comments support our proposal to require that consultative audit reports under proposed § 1.652(a)(2) and regulatory audit reports under proposed § 1.652(b)(1)(i) and (b)(2) include UFIs for audited facilities and for eligible entities (where different from audited facilities). In the preamble to the proposed rule (78 FR 45782 at 45812), we solicited comment on whether a UFI should comprise a Data Universal Numbering System (DUNS®) number and Global Positioning System (GPS) coordinates for an audited facility and for the eligible entity (if different from the audited facility).

Some comments support using DUNS® numbers in UFIs for eligible entities and audited facilities, asserting that approximately 230 million establishments around the world have DUNS® numbers. The comments assert that DUNS® numbers are easy to obtain and free to the establishment. Comments also emphasize that the use of DUNS® numbers would be particularly helpful under the third-party certification rule, because the numbers help to determine corporate “families”—e.g., related establishments.

Other comments oppose using DUNS® numbers as UFIs, contending that DUNS® numbers are not widely used outside the United States and frequently have errors. Some of these comments propose alternatives to DUNS® numbers, including: GPS coordinates, FDA's food facility registration numbers, or the U.S. Internal Revenue Service taxpayer identification numbers which comments suggest foreign companies can request from U.S. Customs and Border Protection.

(Response 111) We received valuable input in response to our solicitation of comments on UFIs for audited facilities and eligible entities. Having a UFI for eligible entities (and audited facilities if different) would be useful to FDA in identifying an eligible entity that does not already have a numerical identifier in one of FDA's databases. For example, farms generally are not required to register with FDA under section 415 of the FD&C Act, so they would not have an FDA Food Facility Registration Number, unless they conduct activities for which such registration is required, and some eligible entities may not have been assigned an FDA Facility Establishment Identifier.

We note that FDA currently is considering whether to require UFIs for regulated establishments, such as facilities as defined in 21 CFR 1.227, and the types of numbering systems that might be used for UFIs. Under this final rule, an accredited third-party certification body will be required to include a UFI for an audited facility and for an eligible entity (if different from the audited facility) in a consultative audit report under § 1.652(a)(1)(i) and (a)(2), and a regulatory audit report under § 1.652(b)(1)(i) and (b)(2), if FDA designates a UFI system.

(Comment 112) Some comments focus on proposed § 1.652(a)(5), which would require a consultative audit report to include any deficiencies observed that require corrective action, the corrective action plan, and the date corrective Start Printed Page 74614actions were completed. Some comments ask us to clarify what information about deficiencies should be included in consultative audit reports. The comments distinguish between FDA investigators who collect physical evidence during inspections and third-party certification bodies who typically observe process(es), review records, and cite nonconformity to standards—e.g., “Canning retort time did not meet x temperature for y time of the scheduled process.” Other comments ask FDA to clarify that the eligible entity, not the audit agent, would be responsible for corrective actions, including analyzing the cause of the nonconformity and developing corrective actions to address the nonconformity. These comments support the proposed requirement to require documentation and verification of corrective actions, whether through document review or onsite audits.

(Response 112) As the comments suggest, third-party certification bodies commonly describe their audit findings in terms of conformity or nonconformity with audit criteria, such as a GFSI-benchmarked food safety scheme or the ISO/TS 22003:2013 series of food safety standards (Ref. 24). Under section 808 of the FD&C Act, accredited third-party certification bodies examine eligible entities and their foods for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also assess conformity with applicable industry standards and practices.

Under proposed § 1.652(a)(5), a consultative audit report would identify any deficiencies observed by audit agent, which we intended would encompass any deficiency that relates to or may influence the accredited third-party certification body's determination of whether the eligible entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. We were not proposing to require that consultative audit reports include information on an observation solely related to a nonconformity with industry standards or practices that FDA does not implement or enforce. An observation relating to both a nonconformity with an industry standard or practice and a deficiency that relates to or may influence a compliance determination would need to be included in the audit report as a deficiency under proposed § 1.652(a)(5). In response to comments, we are revising § 1.652(a)(5), renumbered as § 1.652(a)(6), to clarify that a consultative audit report must include any deficiency that relates to or may influence a determination of compliance with the applicable food safety requirements of the FD&C Act and FDA regulations and information on the corrective action(s) to address such deficiency.

We agree with comments distinguishing between the roles of eligible entities (who must identify and implement effective corrective actions) and accredited third-party certification bodies and their audit agents (who identify deficiencies and verify that effective corrective actions have been implemented). After identifying deficiencies that will require corrective action, accredited third-party certification bodies and their audit agents must maintain their impartiality by allowing eligible entities to select the appropriate corrective actions to employ. To recommend or suggest corrective actions to eligible entities during consultative or regulatory audits would undermine the objectivity of the third-party certification bodies or audit agents in performing their critical task of verifying the effectiveness of the corrective actions once implemented. To address this concern, we have elected to revise § 1.651(c)(3) as described in section IX.B., because we believe this issue is better addressed as part of the protocols for audits conducted under subpart M.

(Comment 113) Some comments assert that proposed § 1.652(b) is unnecessary, because many of the elements of regulatory audit reports that we propose already are commonly included in audit reports. The comments contend that listing specific elements to be included in a regulatory audit report would be too prescriptive and would stifle creativity. Other comments suggest that proposed § 1.652(b) is overly broad, and the comments object to the elements of the audit reports. Some comments assert that reporting of recent recalls is unnecessary because this is information already in FDA's possession. Still other comments note that documents that are routinely part of an audit process may contain critical business information. These comments suggest that FDA should consider a “tiered” approach, by requiring only summary reports on audit results to be submitted to FDA, not proprietary information.

Other comments support proposed § 1.652(b) and the data elements we proposed to require in regulatory audit reports. Some of these comments seek additional information on the form and manner of submitting this information to FDA. The comments also ask whether the regulatory audit reports will be publicly released.

(Response 113) We disagree with comments suggesting that proposed § 1.652(b) is unnecessary because the information we proposed to require in regulatory audit reports already is included in the audit reports prepared by third-party certification bodies. Although many of the elements required to be included in the reports under this rule are currently being included in audit reports prepared by third-party certification bodies, it is important that we require the elements included in this final rule because they are essential to the preparation of audit reports that are consistent with the purpose of this program.

We disagree with the comments asserting that proposed § 1.652(b) is overly broad and the comments contending that the provision is overly prescriptive. Section 808(c)(3)(A) of the FD&C Act requires that audit reports include the dates and scope of the audit and the identity of the persons at the audited eligible entity responsible for compliance with food safety requirements. Section 808(c)(3)(A) of the FD&C Act also gives FDA discretion to require that audit reports include other information that relates to or may influence an assessment of compliance with the FD&C Act. Under proposed § 1.652(b), a regulatory audit report would include the elements required by the statute, as well as the following information: Identifying information for the eligible entity (and for the facility, if different from the eligible entity); the food(s) and process(es) observed; any deficiencies observed during the audit that relate to an FDA Class I or Class II recall situation; and the corrective action plan for such deficiencies. We also proposed to require the regulatory audit report to indicate whether any sampling and laboratory analysis is used in the facility and whether in the 2 years preceding the audit the entity: Issued a food safety-related recall; made significant changes in the facility, its process(es), or products; or was issued any food or facility certifications.

As to the elements of the regulatory audit report in proposed § 1.652, we note that paragraphs (b)(1) and (2) provide identifying information for the eligible entity (and the facility audited, if different than the eligible entity) and paragraphs (b)(3) and (5) contain the elements required by section 808(c)(3)(A) of the FD&C Act. We agree with comments asserting that it is not be necessary to include information in regulatory audit reports that is already in FDA records; therefore, we are removing the proposed requirements in § 1.652(b)(9) and (11) to report information on food-safety related Start Printed Page 74615recalls conducted by the eligible entity and food and facility certifications issued to the eligible entity in the 2 years preceding the audit. We are retaining the other elements of the regulatory audit report under proposed § 1.652(b)(4), (6) to (8), and (10)—i.e., whether the facility uses sampling and laboratory analysis, whether the entity has made significant changes to the facility, its process(es), or products during the 2 years preceding the audit; the foods and process(es) that were observed, as well as any deficiencies related to a Class I or Class II recall situation and the corrective action plans for deficiencies—because they are related to or influential to a determination of compliance with the applicable food safety standards of the FD&C Act and FDA regulations.

As discussed in Response 67, we intend to provide additional instructions relating to the form and manner of submitting information to FDA. We also acknowledge comments' concerns about the protection of proprietary information in regulatory audit reports submitted to FDA. Information submitted to FDA is subject to public disclosure and under part 20, and we are including new § 1.695 on public disclosure in section XIII.F of this final rule.

(Comment 114) Some comments contend that the submission of regulatory audit reports under proposed § 1.652 would “empower” accredited third-party certification bodies as “de facto” regulatory authorities.

(Response 114) We disagree. Nothing in section 808 of the FD&C Act or in the proposed rule would empower accredited third-party certification bodies to implement or enforce the FD&C Act or FDA regulations. Further, section 808(h) of the FD&C Act clearly states that audits performed under this section shall not be considered inspections under section 704 of the FD&C Act, which governs FDA inspections.

(Comment 115) Some comments assert that regulatory audit reports should be submitted to FDA only when there are questions about product safety. Some comments suggest that proposed § 1.652(b) could be onerous because it would require regulatory audit reports to be submitted to FDA in English by no later than 45 days after the audit was completed. The comments assert that a lack of auditor capacity in countries that export food to the United States could make it difficult for accredited third-party certification bodies to meet the 45-day deadline and suggest that FDA should consider adjusting the deadline for regulatory audit report submission in light of factors such as auditor capacity and the needs of seasonal producers. Other comments support the proposed 45-day deadline for audit report submission, noting that many audit reports currently take more than 45 days to complete, some taking nearly a year to be issued. Still other comments focus on the proposed requirement in § 1.652(b) to submit regulatory audit reports in English, urging us to accept reports in various languages, including Spanish.

(Response 115) Section 808(c)(3)(A) of the FD&C Act requires as a condition of accreditation that regulatory audit reports to be submitted to FDA within 45 days after conducting the audit. Accordingly, we decline the suggestion to limit the submission of regulatory audit reports to circumstances where there are questions about product safety. We also decline to extend the statutory 45-day deadline for submission of a regulatory audit report.

We believe that allowing regulatory audit reports to be submitted in languages other than English, as some comments suggest, would create unnecessary obstacles to our program management and oversight. For example, we may review a regulatory audit report to assist us in deciding whether to accept a certification or to reject the certification after determining that is not valid or reliable. If we were to allow regulatory audit reports to be submitted in languages other than English, we might have to wait weeks for a translation. Such a delay would postpone our decision on whether to accept or refuse the certification and might have negative effects on the flow of trade.

(Comment 116) Some comments oppose a proposal to use DUNS® numbers in UFIs for audited facilities and eligible entities that would be required to be submitted to FDA in regulatory audit reports under proposed § 1.652(b)(1)(i) and (b)(2). The comments suggest that using DUNS ® numbers in UFIs would create a monopoly for Dun and Bradstreet (D&B) and give D&B an unfair competitive advantage. The comments also express concern that establishments will face increased pressure to buy other D&B products. Other comments suggest that DUNS ® numbers are not used outside the United States because, for example, DUNS® numbers require data such as street names, telephone numbers and other data points that small producers located outside the United States might not have. Instead, these comments suggest, FDA should use GPS latitude and longitude coordinates as UFIs.

Some other comments express support for UFI requirements that would include the use of DUNS® numbers in UFIs for audited facilities and eligible entities. The comments assert that because DUNS® numbers are widely used, it would be reasonable for FDA to require DUNS® numbers to be used in UFIs under the third-party certification program.

(Response 116) As explained in Response 111, FDA currently is considering whether to require regulated establishments to have UFIs and, if so, whether DUNS® numbers should be included in UFIs. As explained previously, under this final rule, an accredited third-party certification body will be required to include a UFI for an audited facility and for an eligible entity (if different from the audited facility) in a regulatory audit report under § 1.652(b)(1)(i) and (b)(2), if FDA designates a UFI system.

(Comment 117) Some comments agree with proposed § 1.652(b)(4), which would require regulatory audit reports to include information on the process(es) and food(s) observed during the audit. Some comments request clarification of what process(es) and food(s) would need to be observed in a facility with several processes, and other comments ask what information FDA is seeking about the process(es) that were observed during a regulatory audit.

(Response 117) As explained in Response 106, we do not believe that direct observation of each type of food produced under a management system is necessary when an audit covers the appropriate physical locations, activities, and processes that are part of the management system to be audited, and information collected during the audit must be relevant to the audit scope, purpose, and criteria, including information relating to interfaces between functions, activities, and processes of the management system. Therefore, information on the process(es) and food(s) observed by the audit agent (or accredited third-party certification body that is an individual) is useful in light of the scope of the audit and the management system(s) audited.

(Comment 118) Some comments endorse proposed § 1.652(b)(8), which would require the regulatory audit report to include information on whether sampling and analysis is used at the facility being audited. Of the comments that support proposed § 1.652(b)(8), some would further require regulatory audit reports to include reporting of sampling and analytical results of sampling by the Start Printed Page 74616eligible entity. Others suggest including analytical results relating to any deficiencies observed during an audit and the effectiveness of corrective actions taken to address the deficiency.

(Response 118) We agree that it is useful for FDA to have information on whether an eligible entity uses sampling and analysis as a tool for verifying the effectiveness of its controls. Section 1.652 does not require sampling or analysis on a routine basis; however, analytical reports must be included in regulatory audit reports if the certification body finds them to be relevant to the any elements of an audit report, such as a verification of corrective actions or in support of a decision not to certify. We note that sampling or analytical reports that are collected as part of a regulatory audit must be maintained as required under § 1.658(a)(3).

(Comment 119) Some comments support proposed § 1.652(b)(9), which would require information on recent recalls to be included in regulatory audit reports. Other comments suggest that requiring recall information to be included in a regulatory audit report might lead to questions about the validity of a certification that the accredited third-party certification body might issue based on the results of its regulatory audit of the eligible entity. Some other comments suggest that requiring an accredited third-party certification body to include information on recent recalls in a regulatory audit report would be duplicative, because FDA should already have information on any recalls of regulated product exported to the United States, and recalls of product that was not exported to the United States would not be relevant to the regulatory audit report.

(Response 119) We agree with comments suggesting that it would be duplicative to require accredited third-party certification bodies to include information on recent recalls in regulatory audit reports and are removing proposed § 1.652(b)(9) in the final rule.

(Comment 120) Some comments ask for clarification on proposed § 1.652(b)(11), which would require information on recent certifications to be included in regulatory audit reports. The comments ask whether a certification issued outside of the third-party certification program should be included in a regulatory audit report and if so, should the report identify the standards under which the certification was issued.

(Response 120) Requiring information on certifications issued under the third-party certification program would be duplicative because certifications previously issued by the accredited third-party certification body under the program already would have been submitted to FDA. Further, we see no benefit to requiring the submission of information on certifications issued outside of this program. Accordingly, we are removing proposed § 1.652(b)(11) from the final rule.

(Comment 121) Some comments urge us to create a clear mechanism for eligible entities to appeal adverse audit results.

(Response 121) Under proposed § 1.652(d) an accredited third-party certification body would have to implement written procedures for receiving, evaluating, and deciding on eligible entity challenges to adverse regulatory audit results. We believe this section provides a clear mechanism for eligible entities to be able to appeal adverse regulatory audit results. As explained in Response 36, we are clarifying that persons presiding over such appeals may be internal or external to the accredited third-party certification body.

D. What must an accredited third-party certification body do when issuing food or facility certifications? (§ 1.653)

The proposed rule describes the activities that an accredited third-party certification body would have to perform when issuing food and facility certifications. Proposed § 1.653 would require the certification body to have conducted a regulatory audit under proposed § 1.651 and to conduct any other activities necessary to determine compliance under the applicable food safety requirements of the FD&C Act and FDA regulations.

No certificate could be issued until the eligible entity took corrective actions to address any deficiencies reported under proposed § 1.652(b)(6), and the corrective actions were verified by the accredited third-party certification body. The verification would need to occur onsite, unless the deficiency was a minor issue. A single audit could result in food and facility certifications or multiple food certifications only if the regulatory audit requirements were met as to each.

Where a certification body uses audit agents, the certification body, not the audit agent, would make the determination whether to issue certification. However, the statute allows for individuals to be accredited as certification bodies; in that circumstance, the same individual would conduct the audit and also determine whether to issue certification.

On our own initiative, we are revising § 1.653(a)(3) to replace the phrase “assessment made during” with “the data and other information” to clarify what an accredited third-party certification body must consider when determining whether an eligible entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations.

On our own initiative, we are making a number of revisions § 1.653(b). We are revising paragraph (b)(1) to clarify that the accredited third-party certification body may issue a food or facility certification under this subpart for a term of up to 12 months. Throughout paragraph (b)(2) we are specifying that the food or facility certification must contain information about regulatory audits. At our own initiative, we are revising § 1.653(b)(2)(ii) and (iii) to require accredited third-party certification bodies to provide the FEI of the audited facility and the FEI of the eligible entity, if different from the audited facility, and we revised § 1.653(b)(2) (iv) to require accredited third-party certification bodies to assign numbers to certifications they issue under the program. We are revising paragraph (b)(3) to clarify that FDA may refuse to accept any certification for purposes of section 801(q) or 806 of the FD&C Act if we determine that the certification is not valid or reliable. We are also adding new subparagraph (b)(3)(iii) to specify that if the certification was issued without reliable demonstration that the requirements of paragraph (a) were met, we may determine that the certification is not valid or reliable.

(Comment 122) Some comments contend that proposed § 1.653(a)(2) would require accredited third-party certification bodies to perform onsite verifications of corrective actions in situations where other methods of verification would be adequate. The comments assert that, by requiring onsite verification for any corrective action (other than an action taken to address recordkeeping deficiencies), the proposed rule would impose undue costs on eligible entities and would exacerbate issues of auditor capacity.

The comments suggest that we allow for remote verification of corrective actions through photographs, live web-cam transmissions, and any other means that would provide evidence that corrective action has been taken and the eligible entity is in compliance with the FD&C Act. The comments suggest that FDA may, in its discretion, require onsite visits to confirm that corrective actions were taken in extraordinary situations where efforts short of onsite Start Printed Page 74617observation would be insufficient to protect the public, such as in Class I recall situations. Some comments urge us to follow the requirements of ISO/IEC 17021:2011 (Ref. 6) for verification of corrective actions.

(Response 122) We agree that onsite verification of corrective actions would not be necessary to address every deficiency identified in a regulatory audit report under proposed § 1.652(b)(6). ISO/IEC 17021:2011 (Ref. 6) (clauses 9.1.12-9.1.13) describes a range of activities—from document review to onsite verification to additional full audits—that a third-party certification body may use verifying the effectiveness of corrective actions. Remote verification may be appropriate where it would provide an adequate basis for the accredited third-party certification body to determine that the eligible entity had implemented effective corrective action(s) to address the identified deficiency or deficiencies. Accordingly, we are revising § 1.653(a)(2) to expand the methods of verification an accredited third-party certification body may use to verify corrective actions for deficiencies identified in § 1.652(b)(6), except that corrective actions in a facility that was the subject of a notification under § 1.656(c) must be verified onsite.

(Comment 123) Some comments urge FDA to establish qualifications for the individuals accredited third-party certification bodies would use to make certification decisions. The comments suggest that an accredited third-party certification body should use a panel of experts with appropriate industry or regulatory experience to make certification decisions on behalf of the body. Other comments urge FDA to identify the criteria an accredited third-party certification body should use in determining whether to issue certification under section 808 of the FD&C Act.

(Response 123) We agree with the comments suggesting that individuals involved in compliance determinations and certification decisions under section 808 of the FD&C Act must be appropriately qualified for those responsibilities. We agree that decisions on certification should be made by individuals other than audit agents who conducted the regulatory audits that would form the basis for the decisions on certification, except individuals accredited as third-party certification bodies may perform regulatory audits and issue certifications based on the results of regulatory audits they performed. An assessment for accreditation of a third-party certification body under § 1.642 would focus not only on its competency and capacity for auditing food facilities but also on its capacity to review audit results to determine compliance with applicable food safety requirements for purposes of certification. While an accredited third-party certification body may wish to use a panel of experts for certification decisions, it is not necessary under this rule.

(Comment 124) Some comments suggest that certifications issued under section 808 of the FD&C Act should clearly delineate the scope of products and processes covered by the certification.

(Response 124) Proposed § 1.653(b)(2)(iv) and (vi) would require the certification to include both the scope of the audit and the scope of the food or facility certification. We believe the concern about the scope of products and processes covered by the food or facility certification is adequately addressed by the proposed rule, and we are retaining these provisions in the final rule.

E. When must an accredited third-party certification body monitor an eligible entity that it has issued a food or facility certification? (§ 1.654)

Proposed § 1.654 would require an accredited third-party certification body to conduct monitoring of an eligible entity if the certification body has reason to believe that an eligible entity to which it issued a certification may no longer be in compliance with the FD&C Act.

(Comment 125) Comments endorsing proposed § 1.654 suggest that FDA establish criteria for the “reason to believe” standard—that is, the circumstances FDA believes would trigger a requirement for an accredited third-party certification body to monitor an eligible entity. The comment further suggests that FDA should make these criteria available for public comment.

(Response 125) FDA declines to codify specific criteria that would trigger the need for an accredited third-party certification body to conduct monitoring of an eligible entity to determine whether the entity is still in compliance with applicable requirements, as such criteria would be fact-specific and FDA cannot contemplate all situations that would require such monitoring. FDA envisions that the circumstances that might trigger monitoring under § 1.654 are ones that may affect the eligible entity's capability to continue to comply with the applicable food safety requirements of the FD&C Act and FDA regulations, such as: (1) Significant changes to the audited facility, such as capital improvements; (2) major changes to the eligible entity's management system and processes; or (3) changes to the scope of operations, such as changes in manufacturing processes, that may affect the compliance status of an eligible entity.

(Comment 126) Other comments urge FDA to require an accredited third-party certification body to notify an eligible entity immediately upon determining that monitoring of the eligible entity prior to recertification would be necessary.

(Response 126) We decline the suggestion to require notification of an eligible entity prior to monitoring under § 1.654, as we believe it is more appropriate for the accredited third-party certification body to decide based on the circumstances whether it should alert an eligible entity it has certified that monitoring is necessary or conduct unannounced monitoring activities. An accredited third-party certification body may choose to notify an eligible entity before conducting monitoring activities that are unrelated to the eligible entity's annual audit for recertification purposes, which must be conducted on an unannounced basis pursuant to § 1.651(c)(1).

F. How must an accredited third-party certification body monitor its own performance? (§ 1.655)

Proposed § 1.655 would require an accredited third-party certification body to conduct self-assessments annually and in the case of revocation of the recognition of its accreditation body and prepare a report of the results of each self-assessment.

On our own initiative, we are revising § 1.655(a)(1) to clarify that as part of the self-assessment, an accredited third-party certification body must evaluate the performance of its audit agents in examining facilities, process(es), and food using the applicable food safety requirements of the FD&C Act and FDA regulations, which will conform with other changes being made to the final rule.

(Comment 127) Some comments support the proposal to require accredited third-party certification bodies to conduct self-assessments. Other comments recommend that FDA should be more explicit in the requirements for self-assessments.

(Response 127) We decline the suggestion to be more explicit in the requirements for self-assessments, as the requirements in § 1.655 include sufficient details for conducting self-assessments. Comments did not provide adequate justification for adding Start Printed Page 74618additional elements to the self-assessment.

(Comment 128) Some comments request that accredited governmental certification bodies be allowed to conduct self-assessments at a frequency different than other accredited third-party certification bodies.

(Response 128) We decline to create different timeframes for self-assessments for governmental versus private certifications bodies. As explained in Response 39, § 1.655 is part of a set of proposed monitoring and self-assessment requirements intended to work together in helping to ensure that the recognized accreditation bodies and accredited third-party certification bodies maintain compliance with the rule's requirements. The certification body self-assessment in § 1.655 is intended to serve, in part, as information for use in the annual accreditation body monitoring in § 1.621, the results of which we intend the accreditation body to use in its annual self-assessment under § 1.622. This system of assessments takes place on an annual basis and is an essential part of the program's safety net. Allowing different timeframes for assessments by different participants would undermine the credibility of the program and create undue administrative complexity. We believe this section will be far less burdensome in practice than some of the commenters may have anticipated. We note that to address general concerns about the burden of these requirements, similar to other sections of the final rule, FDA is adding a new § 1.655(e) to allow an accredited third-party certification body to use documentation of its conformance to ISO/IEC 17021:2011 or ISO/IEC 17065:2012, supplemented as necessary, to meet the requirements of this section.

(Comment 129) Some comments assert that accredited third-party certification bodies should not be required to be prepare self-assessment reports in English under proposed § 1.655(d).

(Response 129) In response to comments and consistent with revisions made elsewhere in the final rule, we are removing the English language requirement in § 1.655(d) for self-assessment reports prepared by third-party certification bodies accredited by a recognized accreditation body. However, we are now including a requirement in § 1.656(b) of submission in English for self-assessment reports prepared by third-party certification bodies directly accredited by FDA and self-assessments submitted to FDA as a result of an FDA request for cause or due to the termination of an accreditation body's recognition due to denial of renewal, revocation, or relinquishment/failure to renew under § 1.631(f)(1)(i), 1.634(d)(1)(i), or 1.635(c)(1)(i), respectively.

G. What reports and notifications must an accredited third-party certification body submit? (§ 1.656)

Proposed § 1.656 would establish requirements for various reports and notifications that accredited third-party certification bodies would have to submit to FDA and, as appropriate, recognized accreditation bodies. Proposed § 1.656(a) would establish the requirements for submission of regulatory audit reports, and proposed § 1.656(b) would establish the requirements for submission of reports of accredited third-party certification body self-assessments.

Proposed § 1.656(c) would require an accredited third-party certification body to immediately notify us, in English, of a condition that could cause or contribute to a serious risk to the public health (notifiable condition) that the certification body (or its audit agent) discovered while conducting a regulatory or consultative audit of an eligible entity. In the preamble discussion of proposed § 1.656(c) (78 FR 45782 at 45815), we solicited examples of conditions that might and might not meet the standard in section 808(c)(4)(A) of the FD&C Act for notifying FDA. We asked for input on whether the FDA Class I and Class II recall standards, taken together, might adequately address any condition covered by section 808(c)(4)(A) of the FD&C Act.

Proposed § 1.656(d) would require an accredited third-party certification body to immediately notify us electronically, in English, upon withdrawing or suspending the food or facility certification of an eligible entity. Proposed § 1.656(e)(1) would require an accredited third-party certification body that notified FDA under proposed § 1.656(c) also to notify the eligible entity where the condition was discovered. Proposed § 1.656(e)(2) would require the accredited third-party certification body to notify its accreditation body (or, in the case of direct accreditation, to us) electronically, in English, within 30 days after making any significant change that may affect its compliance with the requirements of §§ 1.640 through 1.658.

On our own initiative we are revising § 1.656(c)(1) and (2) to clarify if a condition that could cause or contribute to a serious public risk to the public health is discovered, that in addition to the name of the eligible entity and/or facility, an accredited third-party certification body must also provide the physical address, unique facility identifier (if designated by FDA), and the registration number under subpart H of this part (where applicable).

(Comment 130) Some comments support proposed § 1.656(a), which would require submission of regulatory audit reports to FDA, but would not require reports of consultative audits to be submitted. Other comments interpret the proposed rule as requiring submission of consultative audit reports to FDA and the reporting of laboratory analytical results under section 422 of the FD&C Act.

(Response 130) Under section 808(c)(3)(A) of the FD&C Act, an accredited third-party certification body or an audit agent of a third-party certification body, where applicable, “shall prepare, and, in the case of a regulatory audit, submit, the audit report for each audit conducted . . .” Based on the statutory language, it is clear that Congress only desired reports of regulatory audits to be submitted to FDA. We also note that section 808(c)(3)(C) of the FD&C Act limits the ability for FDA to access the results of consultative audits to circumstances described in the records access standard of section 414 of the FD&C Act. Some comments incorrectly interpreted the proposed rule to require the submission of the certification bodies' laboratory records and results. We are only requiring maintenance of such records and results under § 1.658.

(Comment 131) Some comments contend that we are interpreting the notification standard in section 808(c)(4)(A) of the FD&C Act too broadly, because the statute only requires accredited third-party certification bodies to notify FDA of notifiable conditions discovered during a regulatory audit. The comments assert that Congress did not intend us to require notification of conditions found during consultative audits, because those audits are for internal purposes; therefore, we should revise proposed § 1.656(c) to remove the reference to a consultative audit. Other comments assert that notifications submitted for conditions found during a consultative audit could overwhelm FDA with data that could make it difficult to identify the most serious risks to public health. Still other comments support our proposal to require notification of conditions found during consultative and regulatory audits.

Some comments describe a range of activities that generally may be referred to as consultative audits and suggest Start Printed Page 74619that requiring notification to FDA of conditions found during these types of consultative audits may have unintended consequences. The comments note the important role of third-party audits (and consultative audits, in particular) in assisting the food industry identify and fix internal problems and drive continuous improvements. The comments suggest that requiring notification during consultative audits might create disincentives for firms who might otherwise use accredited third-party certification bodies to perform consultative audits and for third-party certification bodies who might otherwise be interested in participating in the program.

(Response 131) We decline the suggestion to limit § 1.656(c) to require notification only of conditions found during a regulatory audit, because section 808(c)(4)(A) and (B) of the FD&C Act require notification based on conditions found “at any time during an audit” and identifies “audits” as both consultative and regulatory audits.

Although we decline to limit § 1.656(c) as the comment suggests we believe that many of the concerns about notification during a consultative audit are mitigated by revisions that clarify the scope of the consultative audits that are, and are not, covered by the rule (see Sections III.E and III.J). Under the final rule, an accredited third-party certification body would only be required to notify FDA of a condition that could cause or contribute to a serious risk to the public health if the condition was discovered during an audit that an eligible entity has specifically declared to be a regulatory audit for certification purposes or a consultative audit in preparation for a regulatory audit under this rule.

(Comment 132) Several comments contend that “serious risk to the public health” has the same meaning as “serious adverse health conditions or death to humans or animals” (SAHCODHA) as that phrase is used throughout the FD&C Act. Specifically, the comments assert that FDA should only require accredited third-party certification bodies to notify FDA of conditions that pose a risk of SAHCODHA, as that standard is interpreted for purposes of the Reportable Food Registry (RFR) under section 417 of the FD&C Act (21 U.S.C. 350f).

The comments reject our tentative conclusion that the range of conditions that require notification under section 808(c)(4)(A) of the FD&C Act is broader than SAHCODHA, because the statute describes notifiable conditions as ones that “could” cause or contribute to a serious risk to public health. In response to our request for input, the comments specifically reject an interpretation of “serious risk to the public health” that might include, for example, conditions that pose a risk of temporary or medically reversible adverse health consequences or where the probability of adverse health consequences is remote. Some comments suggest that accredited third-party certification bodies and audit agents would be more readily able to identify conditions that pose a SAHCODHA risk but would find it more difficult to identify other conditions that would need to be notified to FDA under proposed § 1.656(c). Other comments support our tentative conclusion that a “condition that could cause or contribute to a serious risk to the public health” is broader than a condition relating to a SAHCODHA risk.

(Response 132) We disagree with comments suggesting that the phrase “serious risk to public health” in section 808(c)(4)(A) of the FD&C Act should be interpreted as a risk of SAHCODHA. We note that Congress chose to incorporate SAHCODHA in section 808(c)(6)(A) to describe outbreak situations that would lead to withdrawal of accreditation, but did not use SAHCODHA in describing the conditions that must be notified to FDA under section 808(c)(4)(A) of the FD&C Act. Additionally, Congress chose to incorporate SAHCODHA in other sections of FSMA, such as in provisions on suspension of registration in section 102(b) amending section 415 of the FD&C Act. In light of the foregoing, we believe that Congress intended for a “serious risk to the public health” to be distinct from a risk of SAHCODHA and, therefore, reject the suggestion that accredited third-party certification bodies would only need to notify FDA of conditions that pose a risk of SAHCODHA under proposed § 1.656(c). We conclude that notifiable conditions include not only those that present a risk of SAHCODHA, but also other conditions that “could cause or contribute to a serious risk to the public health.”

Although it is difficult to predict the range of conditions or circumstances that accredited third-party certification bodies and audit agents might encounter, we offer some factors that may be useful in identifying whether a condition would need to be notified under § 1.656(c), such as whether the condition relates to incoming ingredients that will be subject to control within the facility, or an area of the facility where pre-production materials are held; whether the condition relates to the post-processing environment or where finished product is held prior to distribution; and whether the condition relates to food, process(es), or areas of the facility associated with food that is destined for export to the United States, and not if it relates solely to food, process(es), or areas of the facility associated with food for consumption other than in the United States.

(Comment 133) Some comments urge us to revise proposed § 1.656(c) to incorporate the limitations on reporting that apply to the RFR under section 417(d)(2) of the FD&C Act, such that notification would only be submitted if food adulterated as a result of the notifiable condition had left the control of the eligible entity. The comments assert it would be reasonable for FDA to interpret section 808(c)(4)(A) of the FD&C Act such that an accredited third-party certification body would not need to alert FDA immediately upon discovering a notifiable condition if the eligible entity reworked adulterated product or destroyed it before the adulterated food was transferred to another person. Other comments suggest that proposed § 1.656(c) is redundant because such conditions are subject to RFR reporting.

(Response 133) We decline the suggestion to revise § 1.656(c) to incorporate an exception similar to section 417(d) of the FD&C Act as there is no exception to the notification requirement in section 808(c)(4) as there is in section 417(d). Further, we believe the notification requirement in section 808(c)(4) serves not only to inform FDA of potential risks to the public, but also enhances credibility of the program by giving FDA, accredited certification bodies, and recognized accreditation bodies information that may be relevant to our oversight of the food safety and third-party programs. We believe that given the statutory language and goals of the third-party certification program, it is appropriate for the notification requirement in this rule to have different requirements and exceptions than other notification provisions in the FD&C Act.

As such, we also disagree with comments suggesting the obligation of a responsible party to submit a report to FDA through the RFR makes proposed § 1.656(c) redundant. Among other things, RFR requirements only apply to facilities that are required to register with FDA under section 415 of the FD&C Act. An eligible entity that is a farm, for example, would not be subject to RFR requirements. Additionally, as discussed previously, the reporting Start Printed Page 74620requirement under this rule contains no exception for circumstances when the food adulterated as a result of the notifiable condition has not left the control of the eligible entity. In light of the foregoing, we are retaining § 1.656(c) without the revisions suggested by the comments.

(Comment 134) Some comments urge us to revise proposed § 1.656(e)(1) to allow for concurrent notification of FDA and the eligible entity where the notifiable condition was discovered.

(Response 134) We agree and are adding to § 1.656(e)(1) a provision that allows, where feasible and reliable, for the accredited third-party certification body to contemporaneously notify its recognized accreditation body and/or the eligible entity when notifying FDA. We note that this provision does not affect the obligation for the accredited third-party certification body to notify FDA immediately of a notifiable condition under § 1.656(c).

H. How must an accredited third-party certification body protect against conflicts of interest? (§ 1.657)

Proposed § 1.657 sets out the elements of a conflict of interest program that an accredited third-party certification body would be required to have. Proposed § 1.657(a) would require the accredited third-party certification body to have a written program that covers the certification body itself and any of its officers, employees, or other agents (e.g., audit agents) conducting audits or certification activities under this program. Proposed § 1.657(b) would address the requirement, in section 808(c)(5)(C) of the FD&C Act, to issue implementing regulations that include a structure to decrease the potential for conflicts of interest, including timing and public disclosure, for fees paid by eligible entities to accredited third-party certification bodies. Proposed § 1.657(c) would impute to an accredited third-party certification body's officer, employee, or other agent the financial interests of his or her spouse and minor children, if any. Proposed § 1.657(d) would require an accredited third-party certification body to maintain on its Web site an up-to-date list of eligible entities to which it issued certifications under this subpart, the duration and scope of each such certifications, and the date on which the eligible entity paid any fee or reimbursement under proposed § 1.657(c).

On our own initiative, we are revising the accredited third-party certification body conflict of interest provisions in § 1.657(a)(1) to clarify that the certification body, its officers, employees, and other agents involved in auditing and certification activities cannot own, operate, have a financial interest in, manage, or otherwise control an eligible entity to be certified. We also are redesignating proposed paragraphs (a)(2) to (4) as (a)(3) to (5) and adding a new paragraph (a)(2) to conform to section 808(c)(5)(A)(i) of the FD&C Act. Additionally, we are revising redesignated § 1.657(a)(3) to add financial interests, management, or control to the proposed list of prohibited interests for audit agents.

(Comment 135) Some comments support proposed § 1.657, asserting that it strikes the right balance between ensuring rigorous protections against conflicts of interest and protection of trade secrets and confidential commercial information. Other comments oppose the third-party certification program that is the subject of this rulemaking because private auditors are inherently conflicted and food safety inspections should be conducted only by FDA.

Other comments suggest various additional conflict of interest restrictions that should be placed, such as requiring an individual audit agent or an individual accredited as a third-party certification body to divest of all interests in FDA-regulated food firms; prohibiting such individual from conducting a regulatory audit of an eligible entity where the individual previously conducted a consultative audit or where the individual was previously employed; and prohibiting the individual from accepting an offer of employment from an audited eligible entity for 1 year following an audit. Still other comments urge FDA to prohibit meals or beverages from being provided during an audit or to define the de minimis value of meals and beverages that may be provided onsite during an audit.

(Response 135) We believe the accredited third-party certification program that Congress directed us to establish under section 808 of the FD&C Act will provide a valuable complement to FDA inspections and will allow us to leverage rigorous, independent third-party audits in helping to ensure the safety of the U.S. food supply. We disagree with comments contending that third-party certification programs are so inherently conflicted that such a program is not worthwhile.

We believe the conflict of interest restrictions for accredited third-party certification bodies and for their audit agents that are established by section 808 of the FD&C Act for public and private third-party certification bodies, as implemented by this rule, provide the safeguards necessary for a credible third-party certification program. Accordingly, we decline suggestions to revise § 1.657 to place additional conflict of interest limitations that would be impractical and unnecessary, such as requiring: (1) Requiring full divestment by audit agents of interests in any FDA-regulated food firm; (2) prohibiting an individual who conducted a consultative audit of an eligible entity from ever conducting a regulatory audit of the same eligible entity; (3) prohibiting an individual who audited an eligible entity from accepting an offer of employment from the eligible entity for 1 year following the audit; and (4) prohibiting an individual conducting an audit from accepting a beverage or a meal of de minimis value that is provided onsite during audit.

We disagree with comments suggesting that by providing meals of a de minimis value, an eligible entity or facility might influence the outcome of an audit by an accredited third-party certification body, particularly if the only allowable meals are ones of minimal value that are provided during the course of an activity and with the purpose of facilitating timeliness and efficiency. As explained in Response 55, FDA follows a similar approach for investigators conducting foreign inspections—that is, FDA investigators performing foreign inspections are allowed to accept lunches (of little cost) provided by firms during the course of foreign inspections. We also note that the U.S. government allows its employees to accept meals, within per diem limits, when on official business in a foreign country, as an exception to the prohibition on the acceptance of gifts or gratuities from outside sources (5 CFR 2635.204(i)(1)), though we believe the FDA's practices for foreign inspections serve as a better model because foreign inspections are more analogous to foreign audits than are the range of activities that covered by the general requirements applicable to all U.S. government employees on official business in foreign countries. Accordingly, in light of the comments received and analogous FDA guidelines, we have concluded that it is reasonable and appropriate to limit the meal exception in § 1.657(a)(4)(ii) to only lunches of de minimis value provided during the course of an audit, on site at the premises where the assessment is being conducted, and only if necessary to facilitate the efficient conduct of the audit. We believe these revisions help to address concerns regarding the threats to impartiality, while accommodating the practical considerations that apply to foreign audits.Start Printed Page 74621

Consistent with our guidance to recognized accreditation bodies under Response 55, we offer the following additional input to accredited third-party bodies seeking guidance on the application of § 1.657(a)(4)(ii). In considering whether a meal is allowable under this provision, we recommend first considering whether accepting the lunch is necessary to facilitate the efficient conduct of the audit. We recommend considering: (1) Whether the circumstances surrounding the travel would allow a lunch to be packed bring on site; (2) Whether the meal is being provided during the midday or early afternoon. A lunch provided in the midst of an audit is different than a lunch or other meal provided at the completion of the audit; (3) Whether the site of the audit is in close proximity to a retail food establishment, or is at a remote location far from a retail food establishment; (4) What is the estimated value (or cost) of the lunch in light of the costs associated with the area where the audit is being conducted; and (5) other similar considerations.

For accredited third-party certification bodies or audit agents seeking additional guidance on determining what constitutes a “de minimis” amount for purposes of complying with § 1.624(a)(3)(ii), we offer the following guidance that is based on the requirements applicable to U.S. government employees who accept certain meals while on official travel in foreign countries. Such employees must deduct from the per diem the value of that meal, calculated using a two-step process.

First, the individual must determine the per diem applicable to the foreign area where the meal was provided, as specified in the U.S. Department of State's Maximum Per Diem Allowances for Foreign Areas, Per Diem Supplement Section 925 to the Standardized Regulations (GC,FA) available from the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402, and available on the Department of State Web site at https://aoprals.state.gov/​Web920/​per_​diem.asp. (Foreign per diem rates are established monthly by the Department of State's Office of Allowances as maximum U.S. dollar rates for reimbursement of U.S. Government civilians traveling on official business in foreign areas.)

Second, the individual must determine the appropriate allocation for the meal within the daily per diem rate which is broken down into Lodging and M&IE that are reported separately in Appendix B of the Federal Travel Regulation and available on the Department of State's Web site at https://aoprals.state.gov/​content.asp?​content_​id=​114&​menu_​id=​78.

Accordingly, under § 1.657(a)(4)(ii), an accredited third-party certification body that is an individual or an audit agent of an accredited third-party certification body who is conducting a food safety audit of an eligible entity may accept lunch provided during an audit and on the premises where the audit is conducted, if necessary to facilitate the efficient conduct of the audit.

(Comment 136) Some comments raise concerns about possible conflicts of interests. Some comments urge us to attach additional controls to the accreditation of foreign cooperatives to prevent them from auditing and certifying their members' facilities and food. Other comments recommend we further consider the difficulties involved with foreign governments demonstrating impartiality of their processes in auditing and certifying facilities owned by the foreign government.

(Response 136) We note that under proposed § 1.657, foreign cooperatives accredited as third-party certification bodies would not be able to audit or certify their members' facilities or foods under the program, because of their shared financial interests.

We decline the suggestion to develop special sets of controls for one or more types of third-party certification bodies eligible to be considered for accreditation under section 808 of the FD&C Act. We note that the conflict of interest requirements in section 808(c)(5) of the FD&C Act apply equally to the foreign governments, agencies of foreign governments, foreign cooperatives, and other third-parties. That is, a foreign government accreditation body that is recognized by FDA under this program may accredit government auditors (i.e., the competent authority for food safety) from the same nation, provided that the conflict of interest requirements in § 1.657 are met. Consistent with the approach taken in the statute, we believe that this comprehensive, rigorous set of conflict of interest requirements make it unnecessary for us to create a different or special controls for certain types of certification bodies.

(Comment 137) Some comments support the proposal to require accredited third-party certification bodies to maintain up-to-date lists of eligible entities to which food or facility certification were issued, together with the duration and scope of each such certification. The comments suggest that having this information readily available would be helpful to importers seeking to participate in VQIP and those seeking to import food that is subject to import certification under section 801(q) of the FD&C Act.

Other comments suggest that requiring an accredited third-party certification body to maintain a list of certified eligible entities on its Web site, together with the dates each eligible entity paid certification fees, could create an unfair competition. The comments contend that the statute does not require disclosure of the date of payment of fees and seek clarification on the basis for disclosing the timing of fee payments. Other comments suggest that information on payment of fees should remain confidential between the accredited third-party certification body and the eligible entities it audited and suggest the information could be made available to FDA on request. Still other comments contend that FDA should only have access to information on fee payments by eligible entities upon a showing of cause.

(Response 137) We agree with comments suggesting that Web site listings of eligible entities to which food or facility certification were issued will be helpful to importers. We disagree that such information would create unfair competition, and the comment did not provide an explanation as to why this would be the case. To the contrary, publicizing this information will increase transparency and accountability of the program. We are not proposing to require disclosure of the amount of fees paid by eligible entities, because we are concerned that publicizing the amounts of fee payments may lead to certification bodies using this information to gain a competitive advantage by offering audits at discount rates. However, we believe proposed § 1.657(c) meets the requirement of section 808(c)(5)(C)(ii) of the FD&C Act to provide information on the timing of fee payments and will help build confidence in the third-party certification program by providing assurances that payments are not related to the results of regulatory audits. We decline to adopt the alternative approach suggested by comments—i.e., such information should be disclosed to FDA only when needed to investigate problems if they occur, and publicly released only if disclosure would improve public health—as inadequate to satisfy the requirements of section 808(c)(5)(C)(ii) of the FD&C Act. In light of the foregoing, we are retaining § 1.657(c), redesignated as § 1.657(d), as proposed.Start Printed Page 74622

I. What records requirements must a third-party certification body that has been accredited meet? (§ 1.658)

Proposed § 1.658 would require accredited third-party certification bodies to maintain the following documents and data electronically, in English, for 4 years, to document compliance with the rule: (1) Requests for regulatory audits; (2) audit reports and other documents resulting from a consultative or regulatory audit; (3) any notification of a condition under proposed § 1.650(a)(5) or by the accredited third-party certification body to FDA under proposed § 1.656(c); (4) any food or facility certification issued under this program; (5) any challenge to an adverse regulatory audit decision and its disposition; (6) any monitoring it conducted of a certified eligible entity; (7) the auditor's/certification body's self-assessments and corrective actions; and (8) any significant change to the auditing and certification program that might affect compliance with this rule.

On our own initiative, we are requiring under § 1.658(a)(3) the maintenance of any laboratory testing records and results and documentation demonstrating that such laboratory is accredited in accordance with § 1.651(b)(3).

(Comment 138) Some comments recommend that we allow accredited third-party certification bodies to maintain their records in languages other than English, coupled with a requirement to provide an English language translation upon FDA request. Some comments suggest that we should allow for flexibility in the timeline for submission of translated records in the regulations, rather than establishing a specific deadline, because the circumstances of each records request will dictate what would be appropriate—e.g., where there is a recall involving a certified facility, then the timeframe for providing translations should be very stringent, but where records are requested for routine verification purposes, the accredited third-party certification body should have more time to comply. Other comments note that a minimum of 5 business days would be required for English language translations of records.

(Response 138) We agree that records should not be required to be maintained in English, for the same reasons as we explained in Response 64 (regarding the records of recognized accreditation bodies) and are revising § 1.658 accordingly. We further agree with comments suggesting that we should have a flexible, rather than a fixed timeline for providing English language translations of requested records to FDA and are requiring translations to be provided within a reasonable time after an FDA request.

(Comment 139) Some comments urge us ensure that § 1.658 fully incorporates the limitation on access to reports and documents relating to consultative audits in section 808(c)(3)(C) of the FD&C Act.

(Response 139) Section 808(c)(3)(C) of the FD&C Act states that reports or other documents resulting from a consultative audit are accessible to us only under circumstances that meet the requirements for records access under section 414 of the FD&C Act. Proposed § 1.658(a)(1) utilizes the language of section 808(c)(3)(C) of the FD&C Act in describing the types of records of consultative audits that an accredited third-party certification body must maintain, and proposed § 1.658(b) states that those records must be made available to FDA in accordance with 21 CFR part 1, subpart J, which implements section 414 of the FD&C Act. Therefore, the requirements in § 1.658 do fully incorporate the limitation on access to reports and documents relating to consultative audits as specified in section 808(c)(3)(C) of the FD&C Act.

(Comment 140) Some comments urge us to ensure that trade secrets and confidential commercial information contained in any records submitted to FDA would be adequately protected. The comments note that the proposed rule does not contain language on the protection of trade secrets, such as the language in 21 CFR parts 120 and 123 indicating that HACCP plans are trade secrets exempt from disclosure. Other comments suggest that FDA should consider examining accredited third-party certification body records without taking custody of them. The comments further suggest that FDA should establish an administrative process for requesting records from accredited third-party certification bodies participating in the program.

Some comments urge us to clarify that we will not be applying the records access and submission requirements of subpart M to audits that are not conducted under the rule or to records of the audited food facilities.

(Response 140) We acknowledge concerns about protecting proprietary information and are adding § 1.695 to address disclosure issues (see Section XIII.F).

We decline the suggestion to review records of accredited third-party certification bodies without taking custody of the records, because such an approach would be inconsistent with the records provisions in section 808(c)(3)(B) of the FD&C Act and would undermine the credibility of the program. We also decline the suggestion to establish separate administrative processes for handling records requests that might include, for example, procedures for challenges to records requests and appealing adverse decisions on records requests. Establishing and administering a process for FDA records requests would hinder our program oversight and would be overly burdensome. We note that in this rulemaking, FDA has established a number of mechanisms to address challenges to FDA's decisions, including § 1.691 (for requests for reconsideration of the denial of an application of waiver request); § 1.692 (for internal agency review of the denial of an application or waiver request upon reconsideration); and § 1.693 (for regulatory hearings on withdrawal of accreditation).

We recommend third-party certification bodies to fully consider the program requirements before deciding to pursue recognition under the voluntary third-party certification program. Once accredited a certification body may voluntarily relinquish its accreditation under § 1.665.

We note that the records maintenance and access requirements of subpart M apply only to records relating to an accreditation of a third-party certification body under this rule and to the audits and certification activities conducted under this program. Records of audits or certifications issued by an accredited third-party certification body for any other purpose outside of the scope of the program under subpart M are not covered by § 1.658. We also note that the rule does not affect the records maintenance and access requirements that apply to facilities under subpart J of this part.

X. Comments on Procedures for Accreditation of Third-Party Certification Bodies Under This Subpart

A. Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body and what happens once the recognized accreditation body decides on my application? (§ 1.660)

Proposed § 1.660 states that auditors/certification bodies must apply directly to a recognized accreditation body for accreditation (except for circumstances meeting the requirements of § 1.670 for direct accreditation).

On our own initiative, we are adding new provisions (b) through (d) to § 1.660 to explain what happens when a third-party certification body's renewal Start Printed Page 74623application is denied. We are adding provisions to clarify what the applicant must do, the effect of denial of an application for renewal of accreditation on food or facility certifications issued to eligible entities, and how FDA will notify the public.

(Comment 141) Some comments propose that we include a time limit for recognized accreditation bodies to issue an accreditation decision. They argue a time limit would set measurable standards for the process and would also help ensure an adequate supply of accredited auditors/certification bodies. Comments suggest the timeframe be 90 days. Some comments suggest the timeframe could be stipulated in the Model Accreditation Standards.

(Response 141) We acknowledge the interest in having timely accreditation decisions. However, the comments failed to provide an adequate basis to support a decision to impose a 90-day deadline for decisions on accreditation. No other information available to FDA provides an adequate basis for us to establish such a deadline, nor do we think it would be appropriate to do so at this time. We expect that the time required to perform various actions in the program will be longer in the early days of the program than it will when FDA, the accreditation bodies, and the third-party certification bodies gain experience with the program.

We decline to revise these regulations to impose a deadline for accreditation decisions, but may consider addressing the issue of deadlines for accreditation decisions in guidance, if we later determine it would be appropriate. We are mindful that section 808(c)(1)(C) of the FD&C Act requires revocation of recognition for failure to comply with the applicable requirements of the FD&C Act and FDA regulations. We would not want an accreditation body to take shortcuts in accreditation assessments to ensure that it could meet a regulatory deadline for its accreditation decisions out of concern for revocation for failure to comply with the deadline. The final rule reflects our view that the rigor of the accreditation assessment is essential in helping to ensure the credibility and success of the third-party certification program.

(Comment 142) Some comments ask whether the processes for accreditation are the same for governmental and private bodies.

(Response 142) Section 808(c)(1)(A) and (B) of the FD&C Act establishes different requirements for public certification bodies and for private certification bodies by specifying different criteria for the assessment of foreign governments/agencies than it does for foreign cooperatives and other private third-party certification bodies seeking accreditation. However, the statute makes no distinction between public and private certification bodies in procedural matters for accreditation. Therefore, we are establishing a single set of accreditation procedures in this rule that apply to both public and private third-party certification bodies.

(Comment 143) Some comments ask how a third-party certification body could apply for accreditation under this program.

(Response 143) Third-party certification bodies seeking to apply for accreditation under our program may wish to review § 1.660 of this final rule, which describes the general procedures for applying for accreditation from a recognized accreditation body, as well as the eligibility requirements for certification bodies seeking accreditation in §§ 1.640 through 1.645. We will post on the FDA Web site a list of all recognized accreditation bodies and will include a description of the scope of recognition of each.

As provided in § 1.670(a)(3), FDA will announce on our Web site if we determine that the conditions for direct accreditation by FDA in section 808(b)(1)(A)(ii) of the FD&C Act have been met. We will accept applications for direct accreditation or renewal of direct accreditation only if we determine that we have not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act within 2 years after establishing the program. Unless and until FDA makes such a determination, third-party certification bodies must apply for accreditation from an accreditation body that FDA has recognized.

(Comment 144) Some comments suggest that third-party certification bodies who receive an adverse decision on accreditation from a recognized accreditation body should have access to a competent, independent person outside the recognized accreditation body to whom they could appeal.

Other comments contend that we have the authority to challenge the decisions of an accreditation body.

(Response 144) As explained in Response 36, we are revising § 1.620(d)(2) to require a recognized accreditation body must use competent persons, who may be external to the accreditation body, for investigating and deciding on certification body challenges to an adverse accreditation body decision. Such competent persons must meet the following criteria: (1) Are free from bias or prejudice; (2) did not participate in the accreditation decision being appealed; and (3) are not subordinate to a person who participated in such accreditation decision. Although we are not requiring the accreditation body to use an external party for certification body appeals, we believe the enhanced requirements of § 1.620(d)(2) will be adequate to ensure any person the accreditation body would select for investigating and deciding on appeals—whether internal or external—would be objective and independent.

With respect to comments suggesting that we should exercise our authority over recognized accreditation bodies to challenge their accreditation decisions, we note that the enhanced requirements in § 1.620(d) align with the impartiality provisions in part 16, which contains the regulations for FDA regulatory hearings that we will generally apply under § 1.693 to an appeal of a revocation or withdrawal. We also note that FDA retains the authority to revoke the recognition of accreditation bodies for good cause under § 1.634(a)(4) for failure to comply with this rule. For these reasons, we decline to establish a process appealing recognized accreditation body decisions to FDA.

B. What is the duration of accreditation by a recognized accreditation body? (§ 1.661)

Proposed § 1.661 states that the accreditation of a third-party certification body may be granted for a period up to 4 years.

(Comment 145) Most comments agree with our proposed maximum 4-year accreditation timeframe. In this regard, some comments state they are comfortable with this length of time as long as accreditation bodies annually review the accreditation. Some comments contend that instead of allowing accreditation to last “up to 4 years,” we should establish a definite duration period and it should be 5 years. These comments contend that would align the duration of accreditation with the duration of recognition. They also argue that having a definite duration period would be more viable administratively.

(Response 145) We agree with the comments supporting our proposal to allow accreditation to be issued for a term of up to 4 years. The comments suggesting accreditation should be granted for 5 years offered no information that would provide an adequate basis for extending accreditation such that a third-party certification body could be accredited for as long as a recognized accreditation body. We note that the rigor and credibility of the program rests, in part, Start Printed Page 74624on the extent of oversight of accredited third-party certification bodies. Through the renewal process, recognized accreditation bodies (and FDA, for directly accredited third-party certification bodies) look closely at all aspects of a certification body's and performance and have the opportunity to decide anew whether the certification body meets the eligibility requirements.

With respect to comments suggesting that we establish a definite duration of accreditation that would apply to any third-party certification body accredited under the program, we acknowledge the advantages that certainty provides and, where appropriate, we expect that recognized accreditation bodies will issue accreditation for the maximum duration of 4 years. Where, for example, a certification body has little or no experience conducting audits assessing the safety of food, a recognized accreditation body (or FDA under direct accreditation) may decide the initial grant of accreditation should be less than 4 years. A recognized accreditation body (or FDA under direct accreditation) will make its own decision on whether to approve a third-party's application for accreditation and has the flexibility to issue accreditation for a duration it believes appropriate, up to a 4-year maximum established by this rule.

C. How will FDA monitor accredited third-party certification bodies? (§ 1.662)

We proposed in § 1.662 to monitor directly accredited certification bodies annually; we proposed to evaluate certification bodies accredited by a recognized accreditation body by not later than 3 years after the date of accreditation for a 4-year accreditation term or by no later than the mid-term point of a less-than-4-year accreditation term. We proposed to review a variety of records and information such as assessments by a recognized accreditation body, information regarding the auditor's/certification body's qualifications, and information obtained during onsite observations. We proposed to conduct our evaluation through onsite observations of performance during a food safety audit of an eligible entity or through document review.

(Comment 146) Some comments advocate for more clarity on the frequency and methods by which we'll be providing oversight of accredited third-party certification bodies. Some comments question whether we have sufficient resources to conduct onsite observation at any specific frequency. They advise that we further explain how we are going to provide oversight and how compliance will be reported.

(Response 146) Monitoring assessments of accredited third-party certification bodies are one of several tools we will use for program oversight. Section 1.662(a) implements section 808(f) of the FD&C Act, which states that FDA must evaluate an accredited third-party certification body periodically, or at least once every 4 years, and take any other measures FDA deems necessary to ensure compliance. We anticipate that information gleaned from other monitoring tools, such as the accreditation body's annual assessment of the certification body, will also aid in program oversight and may perform additional assessments of certification bodies in certain instances.

The objective of an assessment under § 1.662 will be to determine the accredited third-party certification body's compliance with the requirements of this rule. FDA may conduct an assessment through a site visit of the third-party certification body's headquarters, onsite observation of an accredited third-party body's performance during a food safety audit, document review, or a combination of these activities. We will develop plans for assessing accredited third-party certification bodies based on risk and informed by data and other information available to FDA regarding their programs and performance in our program. The starting point for each assessment will be document review, and any additional assessment activities (e.g., site visits or onsite observations) will be conducted where circumstances may warrant or for spot-checks of randomly selected third-party certification bodies. When planning an assessment, we will establish the time period of activities covered by the assessment. We may request records of the certification body under § 1.658. We also may develop plans for any site visits or onsite observations, including locations to be visited. As part of the assessment, we may review records relating to conflicts of interest, and interview officers, employees, and audit agents, and other agents who participate in decisions on issuance of certification under this program. We are revising this section to explicitly state that FDA may visit the certification body's headquarters or other locations where audit agents are managed.

(Comment 147) Some comments propose alternative schedules for FDA monitoring of accredited third-party certification bodies. Some comments propose that if we revise the final rule to establish a fixed, 5-year duration for accreditation, we should monitor accredited third-party certification bodies not later than 4 years after the date of accreditation. Other comments state that we should conduct our own assessments of certification bodies accredited by recognized accreditation bodies every 3 years. Still other comments ask who will cover the costs of such assessments.

(Response 147) As explained in Response 145, we decline the suggestion to lengthen the maximum duration of accreditation from 4 years to 5 years. We will use annual performance assessments by recognized accreditation bodies and information submitted to FDA as part of our ongoing monitoring of accredited third-party certification bodies. The FDA monitoring assessment under § 1.662 will occur at least once every 4 years and may occur more frequently depending on circumstances, including available resources. We are proposing that costs for FDA monitoring will be included in the user fees that are assessed under section 808(c)(8) of the FD&C Act to recover FDA's costs in administering the program (80 FR 43987).

(Comment 148) Some comments propose that FDA monitoring of accredited third-party certification bodies should periodically focus on compliance with food additive requirements.

(Response 148) Our monitoring will be tailored to the scope of accreditation under which the accredited third-party certification body may conduct food safety audits under this program. We will prioritize our monitoring activities to ensure compliance with the requirements of section 808(f)(2) based on factors such as our risk-based program priorities.

(Comment 149) Some comments suggest that, in addition to conducting onsite observations of accredited certification bodies when conducting a food safety audits, we could also do so when the recognized accreditation body assesses the auditor/certification body.

(Response 149) We agree and will do so as appropriate and as circumstances allow.

(Comment 150) Comments suggest that when FDA selects an accredited certification body for onsite observation, we should notify it 2 months in advance, to allow time to make the arrangements.

(Response 150) At this time, we have no basis for determining that we would be able to provide 2 months' notice prior to each certification body onsite observation; therefore, we decline the suggestion. We note that we may begin working with an accredited third-party Start Printed Page 74625certification body well before we perform onsite observations, as feasible.

D. How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits? (§ 1.663)

Proposed § 1.663 would allow accredited third-party certification bodies to seek an FDA waiver of the limit on audit agents conducting regulatory audits of an eligible entity where they conducted a regulatory or consultative audit in the preceding 13 months. Under section 808(c)(4)(C)(ii) of the FD&C Act, we may waive the limit, which appears in § 1.650(c), where there is insufficient access to accredited certification bodies in the country or region where an eligible entity is located.

Of our own initiative, we are clarifying in the final rule that the showing of insufficient access is based on lack of audit agents (or in case where accredited third-party certification bodies are comprised of an individual, that individual), consistent with changes made to § 1.650 (see Section IX.A).

(Comment 151) Some comments note that capacity issues are currently problematic, even in regions with highly developed third-party food safety auditing systems, and are likely to increase once the FSMA rules are implemented. Some comments contend that we should allow the request for the waiver to come from other affected parties in addition to accredited certification bodies. In particular, comments suggest we should allow the requests to come from a foreign supplier and/or the importer. Some comments estimate that, with the increased demand from FSMA for audit services, it will take time for capacity to expand sufficiently to satisfy the increased demand. Accordingly, they urge us to act expeditiously on waiver and waiver extension requests. Other comments express concern that FDA will be overwhelmed with waiver requests and urge FDA to develop a process for expedited issuance of waivers.

(Response 151) We acknowledge the concerns and are aware capacity is an issue the food industry and certification bodies currently face. However, we decline the suggestion to allow importers and foreign suppliers to seek waivers on behalf of an accredited certification body, because we believe the certification body is better positioned to determine its own capacity than an importer or foreign supplier would be. Further, it would ultimately be the certification body's choice regarding whether to take on additional auditing work. If an accredited third-party certification body concluded it needed a waiver to be able to perform a particular audit, the certification body would be motivated to seek a waiver.

We agree with the comments suggesting it will take time to build adequate food safety auditing capacity around the world and will be prepared to act on waiver requests as expeditiously as possible. It is difficult to estimate the amount of the time required to process waiver requests, because the program has not launched. We anticipate that we will be able to process most waiver requests within 15 business days, as permitted by resources and other program activities. In response to comments suggesting that we should prioritize certain types of waiver requests, we have modified the first-in, first-out rule of § 1.663(d) to allow specific waiver requests to be prioritized based on program needs.

We also note that as we gain experience with the program and with information offered in support of waiver requests, we expect to be able to process waiver requests more quickly and may reevaluate whether FDA has adequate information to support issuance of a waiver for a particular country or region.

E. When would FDA withdraw accreditation? (§ 1.664)

Proposed § 1.664 would establish the conditions under which we could withdraw accreditation from a third-party certification body, regardless of whether it was directly accredited or accredited by a recognized accreditation body. This section would implement section 808(c)(6)(A) of the FD&C Act, which requires us to withdraw accreditation in certain outbreak situations, whenever we find that an accredited third-party certification body is no longer meeting the requirements for accreditation, or following a refusal to allow U.S. officials to conduct audits and investigations to ensure compliance with these requirements. The statute directs us to withdraw accreditation if a food or facility certified by an accredited third-party certification body under our program is linked to an outbreak of foodborne illness that has a reasonable probability of causing serious adverse health consequences or death in human or animals. There is an exception if we conduct an investigation of the material facts of the outbreak, review the steps and actions taken by the third-party certification body, and determine that the accredited third-party certification body satisfied the requirements for issuance of certification under this rule.

Section 808(c)(6)(B) of the FD&C Act allows us to withdraw accreditation from an accredited third-party certification body whose accrediting body had its recognition revoked, if we determine there is good cause for withdrawal. This statutory provision is reflected in proposed § 1.664(c), which also provides two examples of circumstances we believe provide good cause for withdrawal, including bias or lack of objectivity and performance calling into question the validity or reliability of its food safety audits and certifications.

In proposed § 1.664(d) we provide for records access when considering possible withdrawal of accreditation. In proposed § 1.664(e) we provide for notice of withdrawal of accreditation and describe the processes to challenge such withdrawal.

Proposed § 1.664(f) describes the effect of withdrawal on eligible entities. Proposed § 1.664(g)(1) explains that FDA will notify the recognized accreditation body that accredited the third-party certification body whose accreditation was withdrawn by FDA. Proposed § 1.664(g)(2) explains that FDA may revoke recognition of an accreditation body whenever FDA determines there is good cause for revocation under proposed § 1.634. Proposed § 1.664(h) provides for public notice of withdrawal of accreditation on FDA's Web site.

At our own initiative, we revised proposed § 1.664(c) on discretionary withdrawal of accreditation to allow for partial withdrawal of accreditation. For example, if FDA reviews a self-assessment submitted by an accredited third-party certification body following revocation of its accreditation body's recognition and determines the third-party certification body has failed to perform food safety audits consistent with this rule in some but not all areas for which it is accredited, FDA may partially withdraw the third-party certification body's accreditation as to those areas in which it has failed to comply with this rule.

(Comment 152) Some comments contend that FDA's interpretation of the statutory mandatory withdrawal provisions in section 808(c)(6)(A) of the FD&C Act is overly strict. The comments focus specifically on mandatory withdrawal when an eligible entity that was issued certification by an accredited third-party certification body is linked to a foodborne illness outbreak that meets the SAHCODHA standard. The comments argue that one adverse event does not necessarily mean the Start Printed Page 74626third-party certification body should lose its accreditation, emphasizing that a single certification body might conduct hundreds of audits in various regions of the world and in diverse product areas. The comments propose that we limit mandatory withdrawal following an SAHCODHA outbreak to the country, region, type of food product and process involved in the event.

Some comments agree that, as described in proposed § 1.664(f), certifications issued by a third-party certification body prior to withdrawal of its accreditation should remain in effect until they expire. Other comments assert that withdrawal of accreditation might result in unfairly revoking a significant number of certifications at tremendous cost, adversely affect other eligible entities that depend on the certification body and its certifications, and disrupt the marketplace. Still other comments request greater detail on the withdrawal procedures.

(Response 152) We believe the concerns about mandatory withdrawal of accreditation in the outbreak situation described above or similar situations are satisfactorily in addressed in § 1.664(b), codifying section 808(c)(6)(C) of the FD&C Act, which allows FDA to waive mandatory withdrawal if FDA investigates the material facts of the outbreak, reviews the steps and actions taken by the certification body, and determines that the certification body satisfied the criteria for issuance of certification under this subpart.

Regarding the comments expressing concerns about the possible adverse effects of withdrawal of accreditation on certifications issued by the certification body to other eligible entities, we note that § 1.664(f) states that certifications issued by an accredited third-party certification body prior to withdrawal of accreditation by FDA will remain in effect until they expire, except that FDA may refuse to consider a certification under sections 801(q) or 806 of the FD&C Act if FDA has reason to believe such certification is not valid or reliable.

The comments seeking additional detail on our withdrawal procedures did not specify what areas of § 1.664 required further explanation. We believe the procedures described in § 1.664 offer sufficient detail for interested parties to understand the standards for withdrawal of accreditation by FDA and the processes involved.

(Comment 153) Some comments suggest that a recognized accreditation body, not FDA, should withdraw accreditation from a certification body it accredited, except for certification bodies directly accredited by FDA. Other comments urge us to include a requirement, in § 1.634(a), for FDA to consult with the appropriate accreditation body before withdrawal of an accreditation it had issued. The comments argue that consultation would facilitate coordination with the recognized accreditation body and would complement § 1.664(c), which addresses discretionary withdrawal of accreditation in the event we revoke our recognition of the accrediting accreditation body. Other comments recommend that we meet with the certification body's accrediting body when considering possible withdrawal of accreditation and that we allow for a formal appeal process.

(Response 153) We disagree with the comment asserting that only accreditation bodies may withdraw accreditations of certification bodies they have accredited, as FDA is mandated under section 808(c)(6) of the FD&C Act to withdraw accreditation of a certification body under the conditions set forth in the section, subject to the waiver provision in 808(c)(6)(C). We note that a third-party certification body whose accreditation was withdrawn by FDA may appeal the action by requesting a regulatory hearing under § 1.693. We further note that a recognized accreditation body has far broader authority to suspend, withdraw, reduce, or otherwise dispose of an accreditation it issued, than FDA does under section 808(c)(6) of the FD&C Act. Even in circumstances that meet the statutory criteria for withdrawal of accreditation, FDA believes it generally would not need to initiate withdrawal unless the recognized accreditation body failed to withdraw the certification body's accreditation in a timely manner.

We agree that in some cases, consultation with a certification body's accrediting body before withdrawal could have advantages to FDA and the accreditation body, if circumstances allow. Decisions on whether to consult with the certification body's accrediting body prior to withdrawal will be made on a case-by-case basis. Consultation might not be appropriate if, for example, the facts that support withdrawal of the third-party certification body's accreditation also support revocation of the accreditation body's recognition.

(Comment 154) Some comments ask how individual holders of food or facility certificates would be made aware of the withdrawal of accreditation of the third-party certification body that issued the certificate. Other comments recommended that FDA post on its Web site not only that fact that a certification body's accreditation has been withdrawn, but also the reason for the withdrawal.

(Response 154) If we withdraw accreditation of any third-party certification body, whether accredited by a recognized accreditation body or by FDA through direct accreditation, we will post information regarding the withdrawal, including a description of the basis for the action, on the FDA Web site pursuant to § 1.664(h). We do not intend to contact each eligible entity that was issued a certification by the third-party certification body because, as indicated in Response 152, certifications issued to eligible entities prior to withdrawal of accreditation will remain in effect until they expire, except where FDA has reason to believe the certification is not valid or reliable and on that basis may refuse to consider the certification under sections 801(q) or 806 of the FD&C Act.

(Comment 155) Some comments recommend we use ISO\IEC 17011:2004 as the reference document for the requirements of this section.

(Response 155) We decline the suggestion, because the grounds for withdrawal under section 808(c)(6) of the FD&C Act are much broader than those described in ISO/IEC 17011:2004 (Ref. 5). For example, under section 808(c)(6)(A)(i) and (C) of the FD&C Act FDA may withdraw accreditation of a certification body if a food or facility it certified under our program is linked to an outbreak of foodborne illness that has a reasonable probability of causing SAHCODHA, unless FDA determines the certification body satisfied the requirements for issuance of such certification. In such an outbreak situation, the statute contemplates that withdrawal of accreditation would occur after a single—albeit significant—failure by the certification body. By contrast ISO/IEC 17011:2004 allows for withdrawal of accreditation only when a certification body persistently fails to meet the requirements of accreditation or abide by the rules of accreditation.

We note that by declining to revise § 1.664 based on the comments, we are not suggesting that FDA will withdraw accreditation when the Agency identifies a single incident or mistake by a certification body, except where required by the statute. Any decision to withdraw accreditation will be based on the facts and circumstances of the situation and following due consideration by FDA.

(Comment 156) Some comments state that in a case where FDA withdraws an accredited certification body, the accreditation body should make an investigation and analysis and submit the analysis result to FDA within 3 Start Printed Page 74627months after the analysis report has been established.

(Response 156) We disagree. This rule does not require that the accreditation body make a full investigation and analysis and submit the analysis result to FDA within 3 months. Section 1.664(g) requires the accreditation body to perform a self-assessment and report the results of the self-assessment to FDA within 60 days. FDA may revoke the recognition of an accreditation body whenever FDA determines there is good cause for revocation of recognition under § 1.634. These procedures will help ensure that accreditation bodies remain in compliance with the requirements of the third-party program.

F. What if I want to voluntarily relinquish accreditation or do not want to renew accreditation? (§ 1.665)

Proposed § 1.665 offers a mechanism for an accredited third-party certification body to voluntarily relinquish its accreditation before it terminates by expiration.

Although we received no adverse comments on this section, we received comments on other sections of the rule that led us to identify a gap in procedural requirements when an accredited certification body decides to allow its accreditation to expire without renewing it. At our own initiative, we are revising the voluntary relinquishment provisions in § 1.665 to also address situations where a certification body decides it does not want to renew its accreditation once it expires.

G. How do I request reaccreditation? (Proposed § 1.666)

Proposed § 1.666 describes the procedures a certification body must follow when seeking to be reaccredited after its accreditation was withdrawn by FDA or after voluntarily relinquishing its accreditation.

FDA received no adverse comments on this section. On our own initiative we are revising paragraph (a)(2)(i) to conform to the changes in § 1.634(d) to clarify that the third-party certification body has to become accredited by another accreditation body or by FDA through direct accreditation no later than 1 year after the withdrawal or accreditation, or the original date of expiration of the accreditation, whichever comes first.

XI. Comments on Additional Procedures for Direct Accreditation of Third-Party Certification Bodies Under This Subpart

A. How do I apply to FDA for direct accreditation or renewal of direct accreditation? (§ 1.670)

Section 808(b)(1)(A)(ii) of the FD&C Act allows us to directly accredit third-party auditors/certification bodies if we have not identified and recognized an accreditation body to meet the requirements of section 808 within 2 years after establishing this program. We proposed circumstances and procedures that would apply for direct accreditation and renewal of direct accreditation.

(Comment 157) Some comments assert that the statute anticipates a bifurcated system for direct accreditation of certification bodies, because the standards for review for accreditation of foreign governments are distinct from those of the private auditing entities under section 808(c)(1) of the FD&C Act. The comments ask that we draft additional rules to specifically cover direct accreditation of foreign governments, asserting that we should provide a separate path for direct accreditation of foreign governments that prioritizes their applications based on, among other things, the language in section 808(c)(1) of the FD&C Act. Some comments ask whether the same eligibility requirements and procedures are required of both governmental and private bodies applying for direct accreditation.

(Response 157) We disagree with the suggestion to create a bifurcated system. We acknowledge that section 808(c)(1) of the FD&C Act contains different requirements for foreign governments/agencies than it does for foreign cooperatives and other private third-party certification bodies seeking accreditation. However, we do not interpret this language as suggesting a preference for public certification bodies over private certification bodies.

We believe sections 808(c)(1)(A) and (B) of the FD&C Act are tailored to reflect the objectives and scope of each type of assessment, which would vary because of the differences between public and private certification bodies. While governments typically are both auditors/inspectors and owners of food safety schemes, private certification bodies usually are not scheme owners, because of concerns about possible conflicts of interest associated with serving in dual roles. Therefore, a private certification body would not be assessed for its food safety program or standards; it would be assessed for the training and qualifications of its auditors and its internal management system. In light of the foregoing, we decline the suggestion to interpret sections 808(c)(1)(A) and (B) of the FD&C Act as supporting provisions for direct accreditation that would prioritize the applications of foreign governments/agencies over applications from private third-party certification bodies.

(Comment 158) Some comments suggest that FDA should not serve as an accreditation body for third-party certification bodies because it would open the door for other countries with less capability to do the same. The comments contend that FDA and its foreign regulatory partners need to provide the oversight of the industry, but should not be accreditation bodies.

(Response 158) We disagree. Section 808 of the FD&C Act contemplates that FDA can provide proper oversight of the program, while directly accrediting third-party certification bodies. We are unable to comment on what effects, if any, this would have on the actions of other countries. However, we emphasize that FDA will not perform direct accreditation unless the circumstances of section 808(b)(1)(A)(ii) of the FD&C Act are met—that is, if FDA has not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act within 2 years after establishing this program.

(Comment 159) Some comments ask that we wait for more than 2 years after the program is established to accept applications for direct accreditation, to allow enough time for accreditation bodies applying for recognition to satisfy all the necessary requirements. Other comments assert that we should not directly accredit certification bodies in a country if we have already recognized an accreditation body in that country. Some comments ask us to clarify when, under what conditions, and how we would choose to directly accredit a certification body.

(Response 159) Under section 808(b)(1)(A)(ii) of the FD&C Act, 2 years after establishing the program is the earliest date that FDA may begin to directly accredit third-party certification bodies. Further, we may only do so if we determine that we have not identified and recognized an accreditation body to meet the requirements of section 808 of the FD&C Act 2 years after establishing the program. In the proposed rule, we provided examples of how we may make this determination, such identifying a type of expertise or geographic location for which a recognized accreditation body is Start Printed Page 74628lacking, and stated that we will only accept applications for direct accreditation and renewal applications that are within the scope of the determination. FDA declines to limit itself to a time period longer than 2 years before it can consider direct accreditation as any decision to directly accredit will depend on the circumstances the needs of the program, as determined by FDA under § 1.670(a).

(Comment 160) Some comments express concern that we will not have the capacity to undertake the responsibility of directly accrediting certification bodies.

(Response 160) Section 808(c)(8) of the FD&C Act requires FDA to create a user fee program to section 808 of the FD&C Act. FDA is in the process of establishing this program by rulemaking (80 FR 43987). For more information about the costs of this program, please see the regulatory analysis of this final rule.

(Comment 161) Some comments ask if we will have a contract agreement with directly accredited certification bodies. These comments assert that if we do, the contract should specify that we have the capacity to access confidential information without prior written consent of the certification body. The contract should also specify that having access to records relating to accreditation activities under this subpart is necessary to ensure the rigor, credibility, and independence of the program.

(Response 161) Under § 1.671(d), FDA will list any conditions associated with the accreditation in the issuance and may establish an agreement with the certification body at that time. With respect to access to records, a third-party certification body that is directly accredited by FDA must comply with the records maintenance and access requirements of § 1.658. Records obtained by FDA will be subject to the disclosure requirements of § 1.695.

B. How will FDA review my application for direct accreditation or renewal of direct accreditation and what happens once FDA decides on my application? (§ 1.671)

Proposed § 1.671 describes a process for reviewing and deciding on applications for direct accreditation and renewal that is consistent with the procedures for reviewing and deciding on applications under other provisions in this rule.

On our own initiative we are revising paragraph (a) to clarify that FDA will review submitted applications for completeness and notify applicants of any deficiencies. We also are adding new paragraphs (e) through (h) to § 1.671 to explain what happens when a directly accredited certification body's renewal application is denied. We are adding provisions to clarify what the applicant must do, the effect of denial of an application for renewal of direct accreditation on food or facility certifications issued to eligible entities, and how FDA will notify the public.

(Comment 162) Some comments express concern that we are limiting ourselves to a “first in, first out” review process that gives us no discretion to accredit foreign governments before we consider other applications from private third-party entities that apply.

Some comments ask that we consider prioritizing approval of applications for direct accreditation on areas and regions where it is most needed to benefit our food safety mandates.

Some comments assert that priority for review of applications for direct accreditation should be for countries without an accreditation body or in circumstances where it is not economically feasible for a national accreditation body to expand its scope to include a certain single certification body.

(Response 162) As indicated Response 25, we intend to treat public and private certification bodies equally under this program, as both public and private certification bodies are capable of meeting the requirements of the program. Additionally, because we will only be accepting applications for direct accreditation in limited circumstances as discussed in Responses 158 and 159, all applications for direct accreditation will need to be able to demonstrate that there is a need for direct accreditation based on a determination made by FDA under § 1.670(a)(1). We note that we have revised § 1.671(a) to allow FDA to prioritize specific direct accreditation applications to meet the needs of the program.

(Comment 163) Some comments assert that our application review process must be comprehensive but also expedient. Some comments ask that our communications with applicants be timely.

Some comments express concern about the length of time it will take us to recognize and notify an applicant of any deficiencies in the application. These comments also assert that requiring applicants with deficiencies to resubmit their applications and sending it to the bottom of the review list would make for significant delays in the direct accreditation and renewal of direct accreditation application process.

(Response 163) We understand the concern expressed by comments with regard to timeliness. Although we decline to set specific deadlines for this review, FDA anticipates that a completeness determination could generally be made within 15 business days, because this is not a decision on the merits of the application. Nonetheless, the time needed to identify deficiencies in any particular individual application will depend on a number of factors, including the quality of the submission, the availability of resources, and other competing priorities at the time the application is submitted. With respect to the concerns about requiring incomplete applications to be resubmitted and added to the bottom of the review list, we note that from our experience gained from the third-party certification pilot for aquacultured shrimp, extensive followup was needed with many of the applicants in order to gain sufficient information for a complete application. With this in mind, we are processing only complete applications so that we are not delaying others that have correctly prepared complete applications. Further, we are establishing an electronic portal for submission of applications, reports, notifications, and other information under this rule and an electronic repository of this information, which will allow us to communicate with applicants as needed.

C. What is the duration of direct accreditation? (§ 1.672)

We proposed that direct accreditation of a third-party certification body may be granted for a period up to 4 years. We tentatively concluded that 4 years is an appropriate duration for an accreditation because we believe the rigor and credibility of this program rests, in part, on the oversight of accredited certification bodies to conduct audits and to certify eligible foreign entities. We requested comment on this tentative conclusion.

(Comment 164) Some comments ask that we establish a specific fixed duration of 5 years for direct accreditation before renewal is required. These comments also ask that the duration for recognition of accreditation bodies and accreditation of third-party certifications bodies also be fixed at 5 years and assert that having a standardized accreditation term for all parties in the third-party program would be more administratively viable for us.

(Response 164) For the reasons we explained in Response 145 we decline to establish a fixed duration of accreditation and also decline to establish a standard term of 5 years for Start Printed Page 74629accreditation for all parties in the third-party program.

XII. Comments on Requirements for Eligible Entities Under This Subpart

A. How and when will FDA monitor eligible entities? (§ 1.680)

Proposed § 1.680 would allow FDA to conduct onsite audits of eligible entities that have received certification from an accredited certification body at any time, with or without the accredited third-party certification body present. It also proposed that a food safety audit by an accredited certification body is not considered an inspection under section 704 of the FD&C Act. For clarification purposes at our own initiative, we are revising the second sentence of § 1.680(a) to add, “[w]here FDA determines necessary or appropriate,” before “the audit may be conducted with or without the accredited certification body or the recognized accreditation body (where applicable) present.”

(Comment 165) Some comments address the timing of FDA's audits of eligible entities. Some comments encourage FDA to conduct audits of eligible entities regularly, particularly in the first years of the program, to ensure compliance with the program and to verify that certification is appropriate. Some comments encourage FDA to conduct random as well as targeted audits of eligible entities. For example, the comments suggest that if FDA withdraws the accreditation of a certification body, the Agency should conduct onsite audits of a sample of the eligible entities to which the withdrawn certification body issued certifications.

(Response 165) We agree that robust government oversight of the third-party program will be vital to its success and periodic audits of eligible entities will be conducted consistent with our risk-based priorities and resources.

(Comment 166) Some comments discuss the substance of FDA's audits of eligible entities. Some of these comments encourage FDA to ensure that eligible entities implement corrective actions when deficiencies are identified. Some comments recommend that company data on tests of both products and the environment be made available to FDA auditors, and argue that without access to such data, FDA auditors would not be able to perform a thorough audit. Comments also maintain that, during an audit, FDA should be able to access results of the eligible entity's testing of both products and the environment.

(Response 166) We currently are developing internal operational procedures for the third-party certification program and will make these procedures public. As part of this process, we are developing protocols for FDA audits of eligible entities.

(Comment 167) Some comments argue that unannounced audits of eligible entities by FDA that have been certified by an accredited third-party certification body would likely result in incomplete audits and urge the agency to consider contacting the eligible entity to schedule such audits. Comments state that scheduled audits would be more efficient and less burdensome for both eligible entities and FDA because eligible entities would have a better understanding of what is needed during the audit and which employees should be present.

(Response 167) Section 808(c)(5)(C) of the FD&C Act directs FDA to promulgate regulations requiring that “audits performed under this section be unannounced.” Section 808(f)(3) of the FD&C Act allows FDA to, at any time, conduct an onsite audit of any eligible entity certified by an accredited third-party certification body to ensure compliance with the requirements of section 808. Given this statutory language, we are clarifying in § 1.680 that an FDA audit conducted under this section will be conducted on an unannounced basis and may be preceded by a request for a 30-day operating schedule. We note that it may not be appropriate at all times to precede audits for a 30-day operating schedule, such as in the case of a for-cause audit.

(Comment 168) Some comments state that when FDA has questions about eligible entities, it should notify the accreditation bodies and certification bodies to conduct a joint audit.

(Response 168) It is unclear what the comment means by conducting a joint audit, but § 1.680 would allow for the certification body and accreditation body to be present during the FDA audit when FDA determines it is necessary and appropriate.

(Comment 169) Some comments argue that the monitoring of eligible entities should be conducted by the competent authority of the exporting country, particularly where a systems recognition agreement is in place or where there is a robust national food control system in place.

(Response 169) We intend to coordinate as appropriate with our foreign regulatory counterparts; however, section 808(f)(3) of the FD&C Act specifically directs FDA to conduct onsite audits of eligible entities to ensure compliance with the requirements of section 808 of the FD&C Act. We believe onsite audits of certified eligible entities are an important component of the robust oversight essential to the success of the third-party program. Without the ability to conduct onsite audits of a certified eligible entity, FDA would not be able to directly ascertain whether the certification body and/or its accreditation body are in fact making accurate determinations of compliance with FDA requirements. Such oversight is necessary to maintain confidence in the certifications issued by accredited certification bodies under this program.

(Comment 170) Some comments ask FDA to clarify why an onsite audit of an eligible entity is not considered an inspection under section 704 of the FD&C Act, particularly since the purpose of the audit is to determine if the entity is in compliance with the FD&C Act and since an FDA inspection may be used to meet the verification requirements under the proposed FSVP regulation. Other comments endorse FDA's decision not to consider a food safety audit under this program an inspection under section 704 of the FD&C Act.

(Response 170) Section 808(h)(1) of the FD&C Act explicitly states that audits under the third-party certification program “shall not” be considered inspections under section 704. The inspections done under section 704 of the FD&C Act, unlike audits conducted under section 808(f)(3), are not conducted for the purpose of ensuring compliance with section 808 of the FD&C Act. The objective of an audit under § 1.680(a) extends beyond the eligible entity—through its audit of the eligible entity FDA is gathering information to use in its monitoring of the accredited certification body that audited the entity and the recognized accreditation body that accredited certification body that audited the eligible entity. We note that an audit under section 808(f)(3) is not a “food safety audit” under this subpart. As noted previously, the audits conducted under section 808(f)(3) are done specifically to ensure compliance with section 808 of the FD&C Act. As discussed in section III.C., we are clarifying that an audit conducted under this subpart is not an inspection under section 704 under the FD&C Act. Accordingly, we are removing § 1.680(b).

B. How frequently must eligible entities be recertified? (§ 1.681)

Proposed § 1.681 stated that an eligible entity seeking to maintain its facility certification must seek recertification prior to expiration of its certification. It also proposed that under Start Printed Page 74630section 801(q)(4)(A) of the FD&C Act, FDA could require, at any time we deem appropriate, that an eligible entity renew a food certification.

We received no comments on this proposed section. However, to clarify certain matters, we are amending this section on our own initiative. We are adding to first sentence the words, “food or” before “facility certification” because the maximum duration of certifications under section 808(d) of the FD&C Act applies to both food and facility certifications. Additionally, we are revising this section to state that FDA can require an eligible entity to apply for recertification of both food and facility certifications at any time that FDA deems appropriate.

XIII. Comments on General Requirements of This Subpart

A. How will FDA make information about recognized accreditation bodies and accredited third-party certification bodies available to the public? (§ 1.690)

We proposed to post on our Web site a registry of recognized accreditation bodies and of accredited third-party certification bodies, including the name and contact information for each. The registry may provide information on certification bodies accredited by recognized accreditation bodies through links to the Web sites of such accreditation bodies. We requested comment on our proposed public registry.

(Comment 171) Some comments support our proposal to place a registry of recognized accreditation bodies and accredited certification bodies on our Web site and to provide links to the Web sites of recognized accreditation bodies. Some comments assert that such a web-based resource where members of the industry and public could access standards associated with accreditation/certification and a list of accreditation and certification bodies is a meaningful demonstration of FDA oversight. Some comments ask that this list be updated regularly so that it stays accurate. These comments also ask that we provide appropriate indexing and filtering functions so that the registry is easily searchable and stakeholders can conveniently and reliably find and use this information.

(Response 171) FDA agrees that the online registry will be a valuable tool. We intend for it to be updated regularly. We also intend for it to have indexing and filtering functions which will make searches more efficient and productive.

(Comment 172) Some comments ask that we not include the name(s) of audit agent(s) on our Web site or otherwise publicly disclose such information could disrupt the marketplace for third-party certification services

Some comments assert that access to detailed, specific, and sensitive information is not necessary to gain credibility with consumers. These comments refer us to industry models that provide detailed information on the requirements of their program and posts a list of members in good standing along with a list of companies who have been decertified is an example of credible, balanced information that is actionable by consumers (i.e., California Leafy Green Products Handler Marketing Agreement).

(Response 172) To clarify, we do not intend to disclose the names of audit agents on our Web site. We will be providing the business name and business contact information for each recognized accreditation body. The business name and business contact information for each accredited third-party certification body may be listed on our Web site or may be provided by link to Web sites of their accreditation bodies. The Web site will contain program information as well and may be similar to the industry models recommended by some comments.

(Comment 173) Some comments seek maximum transparency, asserting that we must also post on our Web site the audit reports, self-assessments, and notifications prepared by the third-party certification bodies and submitted to FDA. The comments contend that making this information public would increase program transparency and help to ensure that imported products do not receive an unfair competitive advantage over products available domestically.

Other comments suggest that we allow accreditation bodies and third-party certification bodies to submit redacted versions of these documents, where confidential information is blacked out, so that these documents can also be made publicly available without compromising confidential information. These comments assert that making public these reports, self-assessments, and notifications would improve self-assessments, reduce the Agency's burden of responding to FOIA requests, and allow independent analysis to complement the Agency's evaluation. Thus, comments ask us to specify in § 1.690 that we will also place on our Web site the reports and notifications submitted pursuant to §§ 1.623 and 1.656 and that we will allow a recognized accreditation body and accredited auditors/certification body to submit a redacted version of the report or notification that is intended to be made publicly available.

(Response 173) Generally, we do not intend to post redacted versions of reports on our Web site. Information submitted to the Agency, including reports and notifications submitted pursuant to §§ 1.623 and 1.656, becomes an Agency record. We have added a new § 1.695 to the final rule to clarify that records under this subpart are subject to part 20; part 20 provides protections for trade secrets and confidential commercial information (CCI) from public disclosure (see, e.g., § 20.61).

(Comment 173) Some comments ask us to take action to ensure that third-party certification bodies act with maximum transparency and to ensure adequate protections against conflicts of interest. Some comments ask that we post on our Web site information concerning the scope of the recognized accreditation body recognition and accredited certification body accreditation, duration of accreditation, payments made to those accreditation bodies and certification bodies, and whether accreditation has been withdrawn or suspended. Some comments assert that requiring recognized accreditation bodies and accredited certification bodies to make this information available on their own Web sites does not ensure that all potential conflicts of interest will be identified, and suggest that we require that this information be submitted directly to us as well.

(Response 174) FDA agrees that it would be helpful to include on our Web site information concerning the scope of accreditation services that each recognized accreditation body is recognized for, and the scope of accreditation for each accredited certification body is accredited for. We also agree it would be useful and increase transparency to include the duration of recognition for each accreditation body, and the duration of accreditation for each certification body. Scope and duration information will make the site more practically useful and will increase transparency. Therefore, we intend to include this information on our Web site and we are revising § 1.690 to reflect this. In addition, we are revising this section to state that FDA will post on its Web site a list of accreditation bodies for which it has denied renewal of recognition, for which FDA has revoked recognition, and that have relinquished their recognition or have allowed their recognition to expire. Further, FDA will place on its Web site a list of certification bodies whose renewal of accreditation has been denied, for which FDA has withdrawn accreditation, and that have Start Printed Page 74631relinquished their accreditations or have allowed their accreditations to expire. Finally, FDA will place on its Web site determinations under § 1.670(a)(1) and modifications of such determinations under § 1.670(a)(2). This additional information will help ensure maximum transparency under the program.

With regard to information on dates of payment, we have determined there is little additional value to posting such information on the FDA Web site, and it would create an additional administrative burden; we do not believe the value exceeds the burden. In our view, conflict of interest and transparency concerns are sufficiently satisfied by making information on dates of payment publicly available online via the Web sites of recognized accreditation bodies (see § 1.624(c)) and accredited certification bodies (see § 1.657(d)).

(Comment 175) Some comments request clarification concerning whether and what information we collect pursuant to this program will be made available to importers and the public. Some comments question the extent and format of the audit data that will be shared, and what might be held confidential. These comments assert that businesses have a need to protect proprietary information (e.g., sales lists, supplier lists, equipment designs and specific information about product attributes), and any sharing of such information might compromise their ability to carry out business functions or to maintain competitive advantage. Some comments inquire about the extent and formats of audit data we intend to make public, what might be held confidential, and whether we will take steps to protect information provided by certification bodies from FOIA requests.

Some comments express concern about our ability to develop and maintain a dynamic system that will be able to collect, update, and present audit data to consumers, and assert that it is important for industry to gain a better understanding of what type of audit data we will require.

Some comments suggest that we look to USDA's Food Safety and Inspection Service (FSIS) Public Health Information System for insight into how to develop a database system that seeks to define the boundary between increasing public access to data and addressing confidentiality concerns by companies. Some comments note that the FSIS program is the result of several years of effort to establish a mechanism for public access to data that can lead to research and analysis that improves public health while protecting the proprietary rights of the establishments.

(Response 175) As discussed previously, newly added § 1.695 clarifies that records under this subpart are subject to part 20; part 20 provides protections for trade secrets and confidential commercial information from public disclosure (see, e.g., § 20.61).

FDA will provide periodic updates on program activities through our Web site, and our disclosures will be consistent with our statutory obligations to protect trade secrets and CCI from disclosure. With regard to the expressed concern about FDA's ability to develop and maintain an adequate data system to collect, update, and present audit data to consumers, we are aware of the size and importance of this undertaking and are diligently pursuing an effective system. We appreciate the suggestion to review the FSIS database system and intend to do so.

(Comment 176) Some comments encourage us to develop communication strategies to help consumers view the data in audit reports within the context of food production; specifically, to set proper program expectations and to provide proper context for consumers to understand what the data means. These comments assert that it is important to provide a frame of reference so that consumers have a basis for understanding what the audit data means and can then proceed to make informed decisions. The comments note that audits and certifications are not declarations or guarantees that products are safe, and that FDA and the industry need to feature this reality in communications strategies aimed to assist consumer groups and consumers in using any audit data that might be available for review.

(Response 176) As noted above, we do intend to share updates on program activities with the public; we will work to properly contextualize the data in our communications about and presentation of the information. As noted in Response 173, FDA does not generally intend to make audit reports public.

(Comment 177) Some comments assert that we must clearly describe how compliance with the program will be reported to the public.

(Response 177) As noted above, we intend to provide periodic updates on program activities through our Web site. Where appropriate, these updates may include aggregated program data. Additional information about program updates will be shared as we implement this program. Further, as noted in response to Comment 86, FDA will post information on its Web site regarding accreditation bodies that have had their recognition revoked, accreditation bodies for which FDA fails to renew recognition, certification bodies that have had their accreditation withdrawn, and certification bodies whose renewal of accreditation has been denied.

B. How do I request reconsideration of a denial by FDA of an application or a waiver request? (§ 1.691)

We proposed procedures for accreditation bodies and certification bodies to seek reconsideration of a denial of an application or a waiver request. We also proposed that after completing our review and evaluation of the request for reconsideration, we will notify the requestor, in writing, of our decision to grant or deny the application or waiver request upon reconsideration.

On our own initiative, we are revising § 1.691(c) to specify that a request for reconsideration or a waiver request must be submitted electronically. We are making corresponding changes to § 1.692(b).

(Comment 178) Some comments suggest that we provide an opportunity for interested stakeholders, in addition to the accreditation body or third-party certification body seeking reconsideration, to provide information to us that will inform our decisionmaking on any reconsideration request.

(Response 178) We decline to adopt comments' suggestion to allow for others beyond the accreditation body or third-party certification body seeking reconsideration to engage in this process. Our reconsideration of a denial is not a public process nor do we wish to make it one. Applications often contain confidential information not appropriate for public comment. We note that information shared with FDA is subject to the information disclosure regulations in part 20, as stated in § 1.695.

(Comment 179) Some comments ask us to specify that we will notify the requestor of our decision within 20 business days after receiving a request for reconsideration. These comments assert that the open-ended timeframe for our review of reconsideration request may place an undue burden on the party seeking reconsideration.

(Response 179) FDA agrees that a request for reconsideration should be reviewed in a timely fashion. FDA would anticipate that this review will generally be made within 30 business days. However, given the conflicting demands on Agency resources at various times, the Agency declines to add this time restriction to § 1.691.Start Printed Page 74632

C. How do I request internal agency review of a denial of an application or waiver request upon reconsideration? (§ 1.692)

We proposed that the requestor who received a denial upon reconsideration under § 1.691 may seek internal Agency review of such denial under 21 CFR 10.75(c)(1).

(Comment 180) Some comments suggest that we provide an opportunity for interested stakeholders to provide information to us that will inform our decisionmaking on any such reconsideration request.

(Response 180) As with the parallel suggestion in the context of a request for reconsideration, we decline to adopt comments' suggestion. The Agency's review of a denial is not a public process nor do we wish to make it one. As noted previously, applications often contain confidential information not appropriate for public comment. We note that information shared with FDA is subject to the information disclosure regulations in part 20, as stated in § 1.695.

D. How do I request a regulatory hearing on a revocation of a recognition or withdrawal of accreditation? (§ 1.693)

We proposed procedures that would be used for challenges to revocation of recognition or withdrawal of accreditation.

On our own initiative, we revised § 1.693(f) to include the standard for denial of a request for a regulatory hearing under 21 CFR 16.26(a).

(Comment 181) Some comments suggest that we provide an opportunity for interested stakeholders, in addition to the accreditation body or third-party certification body seeking a regulatory hearing, to provide information to us that will inform our decisionmaking during a regulatory hearing.

(Response 181) Again, we decline to adopt comments' suggestion to allow for others beyond the accreditation body or third-party certification body seeking to challenge an FDA decision to engage in this process. For purposes of this final rule, we are not making the regulatory hearing a public process because issues pertaining to revocation and withdrawal generally contain confidential or sensitive information. We note that information shared with FDA is subject to the information disclosure regulations in part 20, as stated in § 1.695. We are amending proposed § 1.693(g)(3), redesignated as § 1.693(g)(2), to state that § 16.60(a) (public process) is inapplicable to hearings under this rule.

E. Are electronic records created under this subpart subject to the electronic records requirements of part 11? (§ 1.694)

We did not specify requirements for the retention of electronic records in the proposed rule. However, as discussed in relation to § 1.625, we received several comments regarding the potential application of the requirements for electronic records in part 11 to records under this subpart; several comments ask that we not apply the part 11 requirements here.

We agree that it would be unnecessarily burdensome to require that records under the third-party program comply with the requirements in part 11. Therefore, we are adding § 1.694 to the final rule which states that records that are established or maintained to satisfy the requirements of this subpart and that meet the definition of electronic records in § 11.3(b)(6) are exempt from the requirements of part 11. We further specify that records that satisfy the requirements of this subpart, but those that also are required under other applicable statutory provisions or regulations, remain subject to part 11 to the extent that they are not separately exempted. Consistent with these provisions, we are making a conforming change in part 11 to specify in § 11.1(m) that part 11 does not apply to records that meet the definition of electronic records in § 11.3(b)(6) required to be established or maintained under this subpart, and that records that satisfy the requirements of this subpart, but that also are required under other statutory provisions or regulations, remain subject to part 11 to the extent that they are not separately exempted.

F. Are the records required by this subpart subject to public disclosure? (§ 1.695)

In the proposed rule, we did not specify requirements regarding the public disclosure of records created and retained under this subpart. However, as discussed previously in the preamble, several comments express concerns about whether notifications, records, and reports required by this rule would be protected from public disclosure. The comments state that notifications, records, and reports will often contain commercially sensitive information. Some comments ask that the regulations specify that such information under this program have the same level of protection from public disclosure under FOIA as juice and seafood HACCP records.

Information submitted to the Agency, including reports and notifications submitted pursuant to §§ 1.623 and 1.656, becomes an Agency record. We note we have added a new § 1.695 to the final rule to clarify that records under this subpart are subject to part 20; part 20 provides protections for trade secrets and CCI from public disclosure (see, e.g., § 20.61).

G. May importers use reports of regulatory audits by accredited certification bodies for purposes of subpart L of this part? (§ 1.698)

We proposed that an importer as defined in § 1.500 of this part may use a regulatory audit of an eligible entity, documented in a regulatory audit report, in meeting the requirements for an onsite audit of a foreign supplier under subpart L of this part.

(Comment 182) Some comments agree with FDA's proposal to allow importers to use regulatory audit reports of foreign suppliers, conducted for VQIP or import certification purposes, in meeting the verification requirements under the proposed FSVP program. These comments state that the use of regulatory audits by accredited third-party certification bodies should not be required under FSVP. The comments assert that importers should be free to choose how best to meet the verification requirements. Some comments misunderstood proposed § 1.698 to require the use of accredited third-party certification bodies for FSVP purposes.

(Response 182) To clarify that the use of an accredited third-party certification body for FSVP purposes is not required by this rule, we are removing this provision. This rule establishes the framework and procedures for participation in the accredited third-party certification program for purposes of sections 808 of the FD&C Act and does not create substantive requirements for the FSVP program. However, regulatory audits may be used to meet supplier verification requirements under FDA's final preventive controls regulations and FSVP regulations if they comport with those requirements.

XIV. Editorial and Conforming Changes

The revised regulatory text includes several changes that we have made to clarify requirements and to improve readability. The revised regulatory text also includes several conforming changes that we have made when a change to one provision affects other provisions. We summarize the principal editorial and conforming changes in table 5. We also made very minor editorial corrections, such as inserting a Start Printed Page 74633missing end parenthesis symbol; those changes are not included in this chart.

Table 5—Principal Editorial and Conforming Changes

Designation in the revised regulatory text (section)RevisionExplanation
Throughout part 1, subpart MWhere applicable, substituted the term “assessment”, or its derivations, for the terms “audit” or “review”, or their derivations, when describing an FDA evaluation of an accreditation body and when describing an evaluation of a third-party certification body performed by a recognized accreditation body or by FDAConforming change.
Throughout part 1, subpart MWhere applicable, substituted “evaluate”, or its derivations, for “assess” or “determine”, or their derivations, when describing the nature of activities involved in an “assessment” (as defined in this rule) of an accreditation body or a third-party certification bodyConforming change.
Throughout part 1, subpart MWhere applicable, substituted “examine”, or its derivations, for “audit”, “assess”, “determine”, or “evaluate”, or their derivations, when describing the nature of activities involved in an “audit,” as defined in this rule, of an eligible entityConforming change.
Throughout part 1, subpart MWhere applicable, revised to refer to “audit agent” rather than “agent” when describing individuals who conduct audits for accredited third-party certification bodies. Use “agent(s) used to conduct audits” rather than, “audit agent(s)” when referring to individuals who conduct audits for a third-party certification body prior to its accreditation under this programImprove clarity.
Throughout part 1, subpart MRevised to refer to “competency” rather than “competence”Improve clarity.
Throughout part 1, subpart MWhere appropriate, revised to refer to “recognized accreditation bodies” rather than “accreditation bodies”Improve clarity.
Throughout part 1, subpart MWhere appropriate, revised to refer to “accredited third-party certification bodies” rather than “third-party certification bodies”Improve clarity.
Throughout part 1, subpart MWhere appropriate, rephrased “[i]f FDA has reason to believe that a food certification issued for purposes of section 801(q) of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered.”Improve clarity.
Throughout part 1, subpart MReplaced “personnel” with “employees”Improve clarity.
§ 1.600(c)Deleted “, including the model accreditation standards” from the definition of “accreditation”Conforming change.
§ 1.600(c)Revised the definition of “accredited third party certification body” to replace “is authorized” with “is accredited”Improve clarity.
§ 1.600(c)Revised the definition of “eligible entity” to replace “subject to the registration requirements of” with “required to be registered under”Improve clarity.
§ 1.600(c)Revised the definition of “facility certification” to replace “establish that a facility meets” with “establish whether a facility complies with”Improve clarity.
§ 1.600(c)Revised the definition of “food certification” to replace “establish that a food meets” with “establish whether a food of an eligible entity complies with”Improve clarity.
§ 1.600(c)Revised the definition of “relinquishment” to state that relinquishment occurs prior to the expiration of recognition or accreditation for accreditation bodies and certification bodies, respectivelyImprove clarity.
§ 1.601(a)Changed “for conducting food safety audits and for issuing food and facility certifications to eligible entities” to “to conduct food safety audits and to issue food and facility certifications”Improve clarity.
§ 1.601(b)(2)Changed “Issuing food and facility certifications” to “Issuing certifications” Changed “or in meeting the eligibility requirements” to “or issuing a facility certification for meeting the eligibility requirements”Improve clarity.
§ 1.601(c)Replaced “except as provided in paragraph (d) of this section” with “under this subpart”Correction.
§ 1.601(d)Redesignated paragraphs (1), (1)(i), (1)(ii), (2), (2)(i), and (2)(ii) as paragraphs (1)(i), (1)(i)(A), (1)(i)(B), (1)(ii), (1)(ii)(A), and (1)(ii)(B)Editorial change.
§ 1.601(d)(1)(i)Changed “[t]he certification of food under section 801(q)” to “[a]ny certification required under section 801(q)”Conforming change.
§ 1.601(d)(1)(ii)Changed “[c]ertification of food under section 801(q)” to “Any certification required under section 801(q)”Conforming change.
§ 1.601(d)(1)(ii)Changed “food other than alcoholic beverages that is from a facility” to “food that is not an alcoholic beverage that is received and distributed by a facility”Improve clarity.
§ 1.610Section heading changed from “[w]ho is eligible for recognition,” to “[w]ho is eligible to seek recognition;” Text changed from “eligible for recognition” to “eligible to seek recognition.”Improve clarity.
Start Printed Page 74634
§ 1.611(a)Changed “through” to “as a legal entity with” Removed “such” from between “perform” and “assessments.” Changed “its capability to audit” to “its capability to conduct audits.”Improve clarity.
§ 1.611(a)(2)Replaced “personnel and other agents,” with “its agents, (or the third-party certification body in the case of a third-party certification body that is an individual, such individual)”Conforming change.
§§ 1.611(b), 1.612(b), 1.613(b), 1.614(b), 1.615(b), 1.623(d)(2), 1.630(b), 1.631(b), 1.641(b), 1.642(b), and 1.645(b)In sentences referencing requirements for recognized accreditation bodies or accredited third-party certification bodies, replaced specific references to other sections of this rule with “the applicable [* * *] requirements of this subpart”Improve clarity.
§ 1.612(b)Changed “capability to meet the* * *” to “capability to meet the applicable”Clarify that only the applicable assessment and monitoring requirements apply.
§ 1.615(a)Added “pertaining to this subpart” between “legal obligations” and “and to provide”Improve clarity.
§ 1.615(b)Replaced “[i]s capable of meeting,” with “The capability to meet”Editorial change.
§ 1.620(a)(2)Removed “that aggregates the products of growers or processor [sic],” after “foreign cooperative”Conforming change.
§ 1.620(d)Replaced “including,” with, “and include”Editorial change.
§ 1.621Last word of section heading changed from “accredits” to “accredited”Editorial change.
§ 1.621(a)At the end of the previously undesignated paragraph which is now paragraph (a), moved “recognized accreditation body . . . with this subpart”Improve clarity.
§ 1.622(a)Added “compliance with this subpart, including” at the end of the opening phraseImprove clarity.
§ 1.622(a)(1)Replaced “or other agents in activities under this subpart and the degree of consistency among such performances,” with “or other agents involved in accreditation activities and the degree of consistency in conducting accreditation activities”To clarify that the relevant activities under this subpart are accreditation activities.
§ 1.622(a)(2)Added “involved in accreditation activities,” between “other agents,” and “with the conflict of interest requirements”Conforming change.
§ 1.622(c)(1)Changed “area(s) needing improvement,” to “area(s) where deficiencies exist”Improve clarity.
§ 1.622(c)(2)Changed “implement effective correction action(s) to address those area(s)” to “implement corrective action(s) that effectively address those deficiencies”Improve clarity.
§ 1.622(c)(3)Inserted “any” between “records of,” and “such corrective action(s)”Improve clarity.
§ 1.622(d)Changed “includes:” to “includes the following elements.”Conforming change.
§ 1.622(d)(2)Added “involved in accreditation activities,” between, “other agents,” and “complied with the conflict of interest requirements”Conforming change.
§ 1.623(b)Created subparagraphs by inserting, “(i)” before “a report of the results of an annual self-assessment” and “(ii)” before “for a recognized accreditation body subject to § 1.664(g)((1);” Removed “must submit” from between “§ 1.664(g)(1),” and “a report of such self-assessment;” Changed “to FDA within 2 months” to “to FDA within 60 days of the third party certification body's withdrawal.”Improve clarity.
§ 1.623(c)(1)Added “(including expanding the scope of),” between “[g]ranting,” and “accreditation”Improve clarity.
§ 1.623(d)(1)(iv)Added “scope and,” between “the” and “basis for such denial”Improve clarity.
§ 1.624(a)Changed from “other agents)” to “other agents involved in accreditation activities)”Conforming change.
§ 1.624(b) redesignated as § 1.624(c)Rephrased “[t]he financial interests of the spouses and children younger than 18 years of age of officers, personnel, and other agents of a recognized accreditation body will be considered the financial interests of such officers, personnel, and other agents of the accreditation body”Improve clarity.
§ 1.624(d)Changed “and date(s) on each the accredited” to “and the date(s) on which the accredited”Editorial change.
§ 1.625 title and paragraphs (a), (b), and (c)Changed from “A recognized accreditation body,” to “An accreditation body that has been recognized”To clarify that the duties with respect to records as required under this subpart adhere to any accreditation body that has been recognized, including accreditation bodies that are no longer recognized.
§ 1.625(a)(2)Added “expand or” after “withdraw, or”Improve clarity.
§ 1.630(c)Changed from “needed by FDA to process the application” to “needed by FDA during processing of the application”Improve clarity.
Start Printed Page 74635
§ 1.630(d)Changed from “signed by the applicant or by any individual authorized” to “signed by an individual authorized”Improve clarity.
§ 1.631 headingChanged heading from “How will FDA review applications for recognition and renewal of recognition?” to “How will FDA review my application for recognition or renewal of recognition and what happens once FDA decides on my application?”Improve clarity.
§ 1.631(a)Added “an accreditation body's” after FDA will review, deleted “a”Improve clarity.
§ 1.631(b)Inserted “regarding” before “whether the application has been approved or denied.”Editorial change.
§ 1.631(c)Changed to state that the FDA will notify an applicant that its recognition or renewal application has been approved through issuance of recognition that will list any limitations associated with the recognitionImprove clarity.
§ 1.631(d)Changed to state that the FDA will notify an applicant that its recognition or renewal application has been denied through issuance of a denial of recognition that will state the basis for such denial and provide the procedures for requesting reconsideration of the application under § 1.691Improve clarity.
§ 1.632Added “from the date of recognition” to the end of the sentenceImprove clarity.
§ 1.633(a)Removed “periodically”Improve clarity.
§ 1.633(a)Rephrased “date of accreditation for a 5-year term of recognition, or by no later than mid-term point for recognition granted for less than 5 years.”Improve clarity.
§ 1.633(b)Rephrased “These may be conducted at any time, with or without the accreditation body or auditor/certification body present”Improve clarity.
§ 1.634(a)Inserted “found not to be in compliance with the requirements of this subpart, including” after “of an accreditation body”Improve clarity.
§ 1.634(a)(2)(ii)Changed “problem with the accreditation body” to “deficiency”Improve clarity.
§ 1.634(a)(2)(iii)Inserted “to do so” after “[d]irected”Improve clarity.
§ 1.634(c)(1)Changed “Upon revocation, FDA will notify that accreditation body, electronically, in English, stating * * *”Improve clarity.
§ 1.634(d)(1)Removed “electronically and in English”Improve clarity.
§ 1.634(d)(1)(i)Rephrased from “[n]o later than 2 months after the revocation” to “[n]o later than 60 days after the date of issuance of the revocation”Improve clarity.
§ 1.634(d)(1)(ii)Added “or the original date of the expiration of the accreditation, whichever comes first” after “revocation” Changed from “a recognized” to, “another recognized”Improve clarity.
§ 1.634(d)(2)Added “(c)” after “1.664”Improve clarity.
§ 1.635 headingChanged heading from “How do I voluntarily relinquish recognition?” to “What if I want to voluntarily relinquish recognition or do not want to renew recognition?”Improve clarity.
§ 1.636(a)Removed “or may be required to submit such application after a determination in a regulatory hearing under § 1.693”Improve clarity.
§ 1.640 headingChanged heading from, “Who is eligible for accreditation?” to, “Who is eligible to seek accreditation?”Improve clarity.
§ 1.641(a)Changed “or through contractual rights” to “or as a legal entity with contractual rights” and added “and conformance with applicable” before “industry standards and practices”Conforming change.
§ 1.642(a)(1)Changed “industry standards and practices and to issue” to “conformance with applicable industry standards and practices and issuance of”Improve clarity.
§ 1.641(a)(2)Changed “of the eligible entity” to “of an eligible entity” Removed “such as witnessing the performance of a statistically significant number of personnel and other agents conducting audits of food facilities.”Conforming change.
§ 1.643(a)Replaced “certification body (and its officers, personnel, and other agents) and eligible entities (and their owners and operators) seeking assessment and certification from,”Improve clarity.
§ 1.644(a)(1)Rephrased “[i]dentify areas in its auditing and certification program or performance that need improvement” to “[i]dentify deficiencies in its auditing and certification program or performance”Improve clarity.
§ 1.644(a)(2)Rephrased from “Quickly execute corrective actions when problems are found” to “[q]uickly execute corrective actions that effectively address any identified deficiencies”Improve clarity.
§ 1.650 headingChanged heading from “How must an accredited auditor/third-party certification body ensure its audit agents are competent and objective”, to “How must an accredited third-party certification body ensure competency and objectivity?”Improve clarity.
Start Printed Page 74636
§ 1.650(a)(3)Changed from “[p]articipates in annual food safety under the accredited auditor's/certification body's training plan,” to “[c]ompletes annual food safety training that is relevant to activities conducted under this subpart”Improve clarity.
Throughout §§ 1.651 and 1.652Where appropriate, added “eligible” before “entity” and “food safety” before “audit”Improve clarity.
§ 1.651(a)(1)(i)Inserted “subject to the requirements of this subpart” after “be conducted as a consultative or regulatory audit”Improve clarity.
§ 1.651(b)(1)Changed from “[c]onduct an unannounced audit to verify whether the activities and results” to “[c]onduct an unannounced audit to determine whether the facility, process(es), and food”Conforming change.
§ 1.651(b)(2)Removed “and, where appropriate, to issue food and facility certifications” from end of phraseImprove clarity.
§ 1.651(b)(5)Inserted “audits conducted under this subpart as follows” after “[p]repare reports of”Improve clarity.
§ 1.651(b)(5)(i) (previously § 1.651(b)(5))Inserted “For” before “consultative audits,” Inserted “maintain such records, subject to FDA access in accordance with section 414 of the FD&C Act.”Improve clarity.
§ 1.651(b)(5)Created (i) and (ii) to more easily distinguish between the different requirements for consultative and regulatory auditsImprove clarity.
§ 1.651(b)(6)Inserted “under this subpart” after “food safety audit”Improve clarity.
§ 1.651(c)(2)Changed “to establish compliance with the FD&C Act” to “to determine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices”Improve clarity.
§ 1.651(c)(3)Rephrased “entity would be likely to remain in compliance with the applicable requirements of the FD&C Act for at least 12 months following the audit, provided that the facility and its process(es) are properly maintained and implemented.”Improve clarity.
§ 1.651(c)(4)Removed “assessment” and added “other data and information from the examination, including information on” Removed “of the accredited auditor/certification body.”Improve clarity.
Throughout §§ 1.652, 1.653Where appropriate, inserted, “regulatory” before, “audit”Improve clarity.
§ 1.652(a)Reformatted requirements in § 1.652(a)(1) through (6) to more closely align with formatting of § 1.652(b)(1) through (6);Editorial change.
Inserted “subject to FDA access in accordance with the requirements of section 414 of the FD&C Act.”Improve clarity.
§ 1.652(b)(1)Replaced “audited facility” with “site or location where the regulatory audit was conducted”Improve clarity.
§ 1.652(b)(6)(i) and (ii)Inserted “to humans or animals” after “serious adverse health consequences or death”Improve clarity.
§ 1.652(b)(8)Rephrased from “is used in the facility” to “is performed in or used by the facility”Improve clarity.
§ 1.653 headingChanged heading from “What must accredited auditor/certification body do when issuing food or facility certifications?” to “What must an accredited third-party certification body do when issuing food or facility certifications?”Improve clarity.
§ 1.653(a)(1)Changed “(or an audit agent” to “(or, where applicable, an audit agent” Changed “to establish compliance” to “to determine compliance.”Improve clarity.
§ 1.653(a)(2)Changed “an observation” to “a deficiency”Improve clarity.
§ 1.654 headingRephrased language in heading from “eligible entity with a food or facility certification” to “eligible entity that it has issued a food or facility certification”Improve clarity.
§ 1.654Added “with such requirements” after “compliance” Changed “if it determines the eligible entity is no longer” to “if it withdraws or suspends a food or facility certification because it determines that the entity is no longer.”Improve clarity.
§ 1.655(a)Changed “must annually, and as required under § 1.631(f)(1)(i) or upon FDA request made for cause, conduct a self-assessment that includes evaluation of:”Improve clarity.
§§ 1.655(a)(1), 1.655(a)(2), 1.655(a)(3), 1.655(d)(2), 1.657(a), 1.657(a)(1), 1.657(c)Added “involved in auditing and certification activities,” after “other agents”Improve clarity.
§§ 1.655(a)(1), 1.655(a)(2)Removed “under this subpart”Improve clarity.
§ 1.655(a)(5)Inserted “of” between “determination” and “whether”Editorial change.
§ 1.655(c)(1)Replaced “area(s) needing improvement” with, “deficiencies in complying with the requirements of this subpart”Improve clarity.
Start Printed Page 74637
§ 1.655(c)(2)Rephrased from “effective corrective action(s) to address those area(s)” to “corrective action(s) that effectively address the identified deficiencies”Improve clarity.
§ 1.656(b)Modified submission timeframe from 2 months to 60 daysConforming change.
§ 1.656(c)Rephrased “when any of its audit agents or the accredited auditor/third-party certification body itself, discovers any condition found during a regulatory or consultative audit of an eligible entity, which”Improve clarity.
§ 1.657(a)(3) redesignated as § 1.657(a)(4)Added “accredited third-party certification body's” after “[p]rohibiting an” Changed “other agent of the accredited auditor/certification body from accepting any money, gift, gratuity, or item of value” to “other agent involving in auditing and certification activities from accepting any money, gift, gratuity, or other item of value.”Improve clarity.
§ 1.657(a)(4) redesignated as § 1.657(a)(5)Changed reference from “(a)(3)” to “(a)(4)”Editorial change.
§ 1.657(a)(4)(i) redesignated as § 1.657(a)(5)(i)Changed from “accreditation” to, “auditing and certification”Correction.
§ 1.657(c)Added “accredited third-party certification body's” before “officers” Changed “other agents of an accredited auditor/certification body” to “other agents involving in auditing and certification activities.”Improve clarity.
§ 1.658 headingChanged heading to “What records requirements must an accredited auditor/certification body that has been accredited meet?”Improve clarity.
§ 1.658(a)Rephrased from “certification body must maintain electronically for 4 years records” to “certification body that has been accredited must maintain electronically for 4 years records created during its period of accreditation”Improve clarity.
§ 1.658(a)(1)Removed “laboratory testing records and results (as applicable)Conforming change.
§§ 1.658(a)(1), 1.658(a)(3)Rephrased from “and corrective actions” to “verification of any corrective action(s) taken”Improve clarity.
§ 1.658(a)(4)Replaced “under § 1.650(a)(5) or by the accredited auditor/certification body to FDA under § 1.656(e)” with “in accordance with § 1.650(a)(5)”Conforming change.
§ 1.658(a)(5)-(a)(9) redesignated as § 1.658(a)(5)-(a)(8)Removed paragraph (a)(5)Conforming change.
§ 1.658(a)(8) redesignated as § 1.658(a)(7)Rephrased from, “taken as a result” to “taken to address any deficiencies identified during a self-assessment”Improve clarity.
§ 1.658(a)(9) redesignated as § 1.658(a)(8)Changed “the auditing or certification program” to “its auditing or certification program”Improve clarity.
§ 1.658(b)Changed from “FDA in accordance with the requirements of subpart J of this chapter” to “FDA in accordance with section 414 of the FD&C Act”Correction.
§ 1.660 headingChanged heading to “Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body and what happens once the recognized accreditation body decides on my application?”Improve clarity.
§ 1.661Added “by a recognized accreditation body” at end of headerImprove clarity.
§ 1.662(a)Rephrased “comply with the requirements of §§ 1.640 to 1.658 and whether there are deficiencies in the performance of the accredited auditor/certification body that, if not corrected, would warrant withdrawal of its accreditation under this subpart.”Improve clarity.
§ 1.662(b)(4)Rephrased from “regarding the accredited auditor's/certification body's authority, qualifications (including the expertise and training of its audit agents), conflict of interest program, internal quality assurance program, and monitoring by its accreditation body (or, in the case of direct accreditation, FDA);”Improve clarity.
§ 1.663(d)Rephrased from “submission was completed” to “completed submission is received”Improve clarity.
§ 1.663(e)Removed “in writing” and “Such notification may be made electronically.”Conforming change.
§ 1.663(f)Replaced “conditions” with “limitations”Improve clarity.
§ 1.663(f)Replaced “notification” with “issuance of the waiver” and “issuance of a denial of a waiver request” as appropriate. Replaced “conditions” with “limitations.”Improve clarity.
§ 1.664(a)(1)Added “or chemical or physical hazard”Correction.
§ 1.664(a)(2)Changed “meets the requirements” to “complies with the applicable requirements”Improve clarity.
§ 1.664(b)(2)Replaced “steps” with “relevant audit records” Replaced “to justify the food or facility certification” with “in support of its decision to certify”Improve clarity.
§ 1.664(c)(2)Deleted “food or facility”For flexibility.
Start Printed Page 74638
§ 1.664(e)(1)Added “of its accreditation through issuance of a withdrawal that will state”Improve clarity.
§ 1.664(e)(1)Deleted, “electronically, in English”Conforming change.
§ 1.664(e)(2)Added “issuance of the” between “date of” and withdrawal”Improve clarity.
§ 1.664(g)(1)Replaced “bodies” with “body it accredited” Added “by FDA.” Changed “2 months” to “60 days.” Removed “electronically and in English.”Improve clarity.
§ 1.664(g)(2)Replaced “such” with “an”Editorial change.
§ 1.664(h)Replaced “and the status of recognition and food and facility certifications” in the heading with “accreditation”Improve clarity.
§ 1.664(h)Replaced “under this subpart” with “and provide a description of the basis for withdrawal”Improve clarity.
§ 1.665 headingChanged heading from “How do I voluntarily relinquish accreditation? to “what if I want to voluntarily relinquish accreditation or do not want to renew?”Improve clarity.
§ 1.665(a)Changed “2 months” to “60 days”Improve clarity.
§ 1.665(b)Added “The accreditation body must establish and maintain records of such notification under § 1.625(a).”Clarification.
§ 1.666(a)(1)Replaced “requirements for accreditation” with “applicable requirements of this subpart”Improve clarity.
§ 1.666(a)(2)(i)Replaced “a” with “another” and “not” with “no”Editorial changes.
§ 1.670(a)(3)Added “(a)(1) of this section, as described in paragraph (a)(2)”Correction.
§ 1.670(b)(1)Revised to specify provision “(a)(1)”Improve clarity.
§ 1.670(b)(2)Added subsection title “Submission”Improve clarity.
§ 1.670(b)(3)Added subsection title “Signature”Improve clarity.
§ 1.671 headingChanged title from “How will FDA review applications for direct accreditation and for renewal of direct accreditation?” to “How will FDA review my application for direct accreditation or for renewal of direct accreditation and what happens once FDA decides on my application?”Improve clarity.
§ 1.671(b)Reorganized the provision: Moved original (f) under (b)Improve clarity.
§ 1.671(c) previously (c) and (d)Redesignated as (c) to state that FDA will notify an applicant that its direct accreditation or renewal application has been approved through issuance of direct accreditation that will list any limitations associated with the accreditationImprove clarity.
§ 1.671(e)Redesignated (e) to (d) Replaced “denies” with “issues a denial” Added “for direct accreditation or for renewal of direct accreditation.” Replaced “notification” with “issuance of the denial of direct accreditation.” Deleted “address and”Improve clarity.
§ 1.681Combined (a) and (b) Replaced “seek” with “apply for”Improve clarity.
§ 1.691(a) and (b)Replaced “decision” with “the issuance of such denial”Improve clarity.
§ 1.691(c)Replaced “it describes” with “described in the notice”Editorial change.
§ 1.691(d)Deleted “in writing” Rephrased “of its decision to grant the application or waiver request upon reconsideration, or its decision to deny the application or waiver request upon reconsideration.”Improve clarity.
§ 1.692(a)Replaced “FDA issued” to “of issuance of”Editorial change.
§ 1.692(d)Deleted “electronically” Added phrases “through issuance of an application or waiver request upon reconsideration” and “application or waiver request upon reconsideration through issuance of a denial of.”Improve clarity.
§ 1.692(e)Replaced “Affirmation” with “Issuance”Improve clarity.
§ 1.693Replaced “FDA issued” and “written notice” with “issuance of”For consistency and to improve clarity.
§ 1.693(a)Rephrased “the accreditation body or an individual authorized to act on its behalf” to “an individual authorized to act on the accreditation body's behalf”Improve clarity.
§ 1.693(b)Rephrased “the auditor/certification body or an individual authorized to act on its behalf” to “an individual authorized to act on the third-party certification body's behalf”Improve clarity.
Start Printed Page 74639

XV. Executive Order 13175

In accordance with Executive Order 13175, FDA has consulted with tribal government officials. A Tribal Summary Impact Statement has been prepared that includes a summary of Tribal officials' concerns and how FDA has addressed them (Ref. 26). Persons with access to the Internet may obtain the Tribal Summary Impact Statement at http://www.regulations.gov. Copies of the Tribal Summary Impact Statement also may be obtained by contacting the person listed under FOR FURTHER INFORMATION CONTACT.

XVI. Analysis of Economic Impact

FDA has examined the impacts of the final rule under Executive Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5 U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4). Executive Orders 12866 and 13563 direct Agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). The Agency believes that this final rule is a significant regulatory action under Executive Order 12866.

The Regulatory Flexibility Act requires Agencies to analyze regulatory options that would minimize any significant impact of a rule on small entities. Because the Third-Party program will be used primarily on voluntary basis where private enterprises determine that the benefits of participating in our program outweighs their associated user fee and compliance costs, the Agency certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires that Agencies prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing “any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.” The current threshold after adjustment for inflation is $144 million, using the most current (2014) Implicit Price Deflator for the Gross Domestic Product. FDA does not expect this final rule to result in any 1-year expenditure that would meet or exceed this amount. Annualized cost of the Third-Party final rule is estimated at approximately $2.8 to $11.6 million, depending on the scenario.

XVII. Paperwork Reduction Act of 1995

This final rule contains information collection provisions that are subject to review by OMB under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-3520). The title, description, and respondent description of the information collection provisions are shown in the following paragraphs with an estimate of the annual reporting and recordkeeping burdens. Included in the estimate is the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing each collection of information.

Title: Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and Issue Certifications (Third-Party final rule)

Description: FDA is amending its regulations to provide for accreditation of third-party certification bodies (CBs) to conduct food safety audits of eligible foreign food entities, including foreign food facilities, and to issue food and facility certifications, pursuant to the FDA Food Safety Modernization Act. Use of accredited third-party CBs and food and facility certifications will help us prevent potentially harmful food from reaching U.S. consumers and thereby improve the safety of the U.S. food supply. We also expect that these regulations will increase efficiency by reducing the number of redundant audits to assess compliance with applicable food safety requirements of the FD&C Act and FDA regulations.

Description of respondents: The coverage of the Third-Party final rule includes eligible entities seeking audits, certification, and/or recertification by accredited CBs participating in our program, accreditation bodies (ABs) seeking to comply with the recognition requirements of the Third-Party final rule, and CBs seeking to comply with the accreditation requirements of the Third-Party final rule (including those accredited by recognized ABs and those directly-accredited by FDA). An eligible entity is a foreign entity in the import supply chain of food for consumption in the United States that chooses to be subject to a food safety audit conducted by an accredited third-party certification body.

Based on FDA Operational and Administration System for Import Support database information, we estimate that there are 200,692 foreign food and feed exporters that offer their food and feed for import into the United States. These foreign food and feed exporters include 129,757 food and feed production facilities and 70,935 farms. A proportion of these foreign food and feed exporters may offer food subject to mandatory certification requirements under section 801(q) of the FD&C Act. In that case, the eligible entities must either comply with the Third-Party final rule in order to obtain certification from a CB accredited under the third-party program to continue exporting their food products into the United States, or a foreign government designated by FDA, or lose their access to U.S. markets. In the economic analysis of the Third-Party final rule, we assume that in any given year 75 foreign food and feed exporters will be subject to section 801(q) of the FD&C Act.

In addition to the entities subject to § 801(q), some food exporters will seek certificates to participate in VQIP under section 806 of the FD&C Act. We consider three different scenarios for the participation rate of VQIP importers and their associated foreign suppliers in a 10-year period: (1) Constant number of VQIP importers in every year, (2) increasing participation over time, peaking at 20 percent of all importers of perishable products by the fifth year, with stagnant growth in subsequent years, (3) increasing participation over time, peaking at 40 percent of all importers of perishable products by the 10th year of the program.

The VQIP draft guidance document caps the acceptance of applications by importers for VQIP at 200 for the initial year of the program. Under Scenario 1, we consider 200 importers participating in each of first 10 years of VQIP (see table 6). Average number of foreign suppliers per importers is approximately 5.58; therefore, under Scenario 1, we expect that 200 importers and approximately 1,116 foreign suppliers (200 importers × 5.58 foreign supplier per importer) will be participating in VQIP every year for a 10-year period (see tables 6 and 7).

According to FDA's Office of Regulatory Affairs Reporting Analysis and Decision Support System database, the number of importers of perishable products is approximately 2,759. These importers would have an incentive to participate in VQIP in order to expedite entry of their perishable food products into the United States. Under Scenario 2, we consider 200 importers participating in the initial year of VQIP and increasing steadily until the fifth year of the program until 552 importers (20 percent × 2,759 importers of perishable products) are participating in the program. For years 6 through 10, we consider 3 percent increase in Start Printed Page 74640participation of new importers in VQIP (see table 6). Multiplying the number of importers by the number of foreign suppliers per importers (5.58), we expect that the number of foreign supplies participating in VQIP, under Scenario 2, would increase from 1,116 to 3,527 in a 10-year period (see table 7).

Under Scenario 3, we consider the number of importers will increase from 200 in the initial year of VQIP to 1,104 importers (40 percent × 2,759 importers of perishable products) in the 10th year of the program. Tables 6 and 7 include the number of importers and their associated foreign suppliers for scenario 3. Table 9 includes total number of eligible entities in the Third-Party final rule based on the three considered scenarios in the 10th year of the program.

The economic analysis of the Third-Party final rule estimates compliance costs under the assumption that expected efficiency gains, and foreign food suppliers' incentive to maintain continued importation of their food to the United States would lead all foreign suppliers subject to section 801(q) of the FD&C Act, and foreign suppliers who choose to use third-party food safety audits to satisfy requirements of FDA's VQIP, to become eligible entities and seek food safety audits under the Third-Party final rule.

Considering the demand for food safety audits under the Third-Party program by foreign suppliers subject to section 801(q) of the FD&C Act and those wanting to participate in VQIP, we expect that some of the ABs and CBs operating globally will also have an incentive to participate and comply with the Third-Party final rule. Under the three different scenarios discussed above, we have estimated that 11 to 25 ABs will accredit CBs that will conduct food safety audits of foreign eligible entities that offer food or feed for import to the United States. We also estimate that approximately 91 to 207 CBs will be accredited by the potential 11 to 25 AB applicants; these CBs will comply with the Third-Party final rule in order to participate in the program. In addition, we expect that one CB will apply and participate in the third-party program via direct accreditation by FDA under the Third-Party final rule (see table 9).

Table 6—Potential Number of Importers Participating in VQIP in Its Initial 10 Years

ScenarioYear
12345678910
1200200200200200200200200200200
2200288376464552562579596614632
32003004005006007008009001,0001,104

Table 7—Potential Number of Foreign Suppliers (Section 806 of the FD&C Act) Participating in VQIP in Its Initial 10 Years

ScenarioYear
12345678910
11,1161,1161,1161,1161,1161,1161,1161,1161,1161,116
21,1161,6072,0982,5893,0803,1363,2313,3263,4263,527
31,1161,6742,2322,7903,3483,9064,4645,0225,5806,160

Table 8—Number of Respondents in the Third-Party Final Rule

Eligible entitiesScenario 1Scenario 2Scenario 3
Section 801(q) of FD&C Act757575
Section 806 of FD&C Act1,1163,5276,160
Total eligible entities1,1913,6026,235

Table 9—Number of Respondents to the Third-Party Final Rule

Status of ABs/CBsNumber of ABs/CBs
Scenario 1Scenario 2Scenario 3
ABs seeking recognition111725
CBs seeking accreditation by recognized ABs91140207
CBs seeking accreditation by FDA111
Total CBs accredited92141208

Information Collection Burden Estimate: We estimate the burden for this information collection as follows:

Recordkeeping Burden

In summary, under Scenario 1, total one-time recordkeeping burden by 11 recognized ABs and 92 CBs accredited under the third-party program is estimated at 25,792 hours (see table 10). Total annual recordkeeping burden by 11 recognized ABs and 92 CBs accredited under the third-party Start Printed Page 74641program is estimated at 2,673 hours (see table 13).

Under Scenario 2, total one-time recordkeeping burden by 17 recognized ABs and 141 CBs accredited under the third-party program is estimated at 41,640 hours (see table 11). Total annual recordkeeping burden by 17 recognized ABs and 141 CBs accredited under the third-party program s is estimated at 4,553 hours (see table 14).

Under Scenario 3, total one-time recordkeeping burden by 25 recognized ABs and 208 CBs accredited under the third-party program is estimated at 58,570 hours (see table 12). Total annual recordkeeping burden by 25 recognized ABs and 208 CBs accredited under the third-party program is estimated at 6,253 hours (see table 15).

For the purpose of this analysis we assume that all ABs that apply for recognition in the program become recognized and all CBs that apply for accreditation are accredited.

Table 10—Scenario 1, Estimated One-Time Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.61511111222
§ 1.645921922184
§ 1.624(d)111111601,760
§ 1.657(d)9219216014,720
Contract modification118.27912182
§ 1.65192484,41628,832
§ 1.653(b)(2)92192192
Total One-Time Recordkeeping Burden25,792
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Table 11—Scenario 2, Estimated One-Time Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.61517117234
§ 1.64514111412282
§ 1.624(d)171171602,720
§ 1.657(d)141114116022,560
Contract modification178.231402280
§ 1.65114155.47,811215,623
§ 1.653(b)(2)14111411141
Total One-Time Recordkeeping Burden41,640
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Table 12—Scenario 3, Estimated One-Time Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.61525125250
§ 1.64520812082416
§ 1.624(d)251251604,000
§ 1.657(d)208120816033,280
Contract modification258.792202440
§ 1.65120848.510,088220,176
§ 1.653(b)(2)20812081208
Total One-Time Recordkeeping Burden58,570
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Table 13—Scenario 1, Estimated Annual Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.625113974,3670.025 (15 minutes)1,092
§ 1.624(c)11111888
Start Printed Page 74642
§ 1.657(d)921928736
§ 1.65292484,4160.083 (5 minutes)367
§ 1.653(b)(2)92484,4160.083 (5 minutes)367
§ 1.656(c)920.2523123
Total Annual Recordkeeping Burden2,673
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Table 14—Scenario 2, Estimated Annual Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.625174567,7520.25 (15 minutes)1,938
§ 1.624(c)171178136
§ 1.657(d)141114181,128
§ 1.65214155.47,8110.083 (5 minutes)648
§ 1.653(b)(2)14155.47,8110.083 (5 minutes)648
§ 1.656(c)1410.2535135
Total Annual Recordkeeping Burden4,533
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Table 15—Scenario 3, Estimated Annual Recordkeeping Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.6252542610,6500.25 (15 minutes)2,663
§ 1.624(c)251258200
§ 1.657(d)208120881,664
§ 1.65220848.510,0880.083 (5 minutes)837
§ 1.653(b)(2)20848.510,0880.083 (5 minutes)837
§ 1.656(c)208052152
Total Annual Recordkeeping Burden6,253
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

Sections 1.615 and 1.645 of the Third-Party final rule require that at the time an AB submits an application for recognition (under § 1.630 of the Third-Party final rule) or a CB submits an application for direct accreditation (under § 1.660, or where applicable under § 1.670), the AB or CB must demonstrate that it has implemented written procedures to adequately establish, control, and maintain records for the period of time necessary to meet its contractual and legal obligations pertaining to the third-party program. Currently, ABs maintain recordkeeping protocols relating to their operations; however, we expect that ABs will review their recordkeeping protocols and, if necessary, modify them to meet the requirements of § 1.615 of the Third-Party final rule before submitting applications for recognition. We believe that the records requirements for ABs in § 1.615 and CBs in § 1.645 would constitute a new one-time burden for the 11 to 25 ABs in each of the three considered scenario, and 92 to 208 CBs respectively. We expect that it would take no more than 2 hours for an AB or a CB to modify its recordkeeping protocol to comply with the written recordkeeping requirements described in §§ 1.615 and 1.645 of the Third-Party final rule (see tables 10 to 12). Therefore, under Scenario 1, we estimate that it would take 22 hours (2 hours/AB × 11 ABs) for ABs to comply with § 1.615 (34 hours under Scenario 2, and 50 hours under Scenario 3) (see tables 10 to 12). We estimate 184 hours (2 hours/CB × 92 CBs) for CBs to comply with § 1.645 of the Third-Party final rule Start Printed Page 74643(282 hours under Scenario 2, and 416 hours under Scenario 3) (see tables 10 to 12).

Section 1.625 of the Third-Party final rule requires that an AB that has been recognized maintain records documenting requests by CBs for accreditation from the AB (per § 1.660), challenges to adverse accreditation decisions (§ 1.620(c)), monitoring activities of its accredited CBs (§ 1.621), self-assessments and corrective actions (§ 1.622), copies of regulatory audit reports submitted by its accredited CBs (§ 1.656), and copies of records of reports or notifications made to us, as required by § 1.623. A recognized AB's requirements for reporting and notifications per § 1.623 of the Third-Party final rule include submission of results of its annual performance assessment of each of its accredited CBs (§ 1.623(a)) and the results of its self-assessment (§ 1.623(b)) (see tables 20 to 22). A recognized AB also must notify us immediately upon granting, withdrawing, suspending, reducing the scope of accreditation of a CB or upon its determination that a CB it accredited issued a food or facility certification in violation of subpart M, pursuant to § 1.623(c) of the Third-Party final rule. Additionally, a recognized AB must notify us within 30 days after making significant changes to its operations that would affect the manner in which it complies with the Third-Party final rule (§ 1.623(d)).

Under current practice, ABs maintain records documenting requests by CBs for accreditation, monitoring activities of CBs they have accredited, and self-assessments and corrective actions. The records currently maintained by ABs are similar to those that would be required of a recognized AB under § 1.623 of the Third-Party final rule. However, CBs do not currently send copies of audit reports of their clients (food facilities) to their ABs. Therefore, an AB's maintenance of records pertaining to regulatory audit reports submitted by CBs they have accredited is considered as a new recordkeeping burden for recognized ABs. We expect that it would take no more than 15 minutes (0.25 hour) for a recognized AB to file a regulatory audit report submitted by its accredited CBs. Under Scenario 1, we estimate the burden for 11 recognized ABs to maintain regulatory audit reports that were submitted to them by their accredited CBs. We estimate that following the implementation of the Third-Party final rule, under Scenario 1, each recognized AB will accredit approximately 8.27 CBs under the program (average of 10-year period) (8.23 CBs/AB under Scenario 2; 8.79 CBs/AB under Scenario 3). In addition, under Scenario 1, we estimate that each CB accredited under the third-party program, on average, will conduct regulatory audits on approximately 48 eligible entities a year (average of 10-year period) (55.4 foreign suppliers per CB under Scenario 2; 48.5 foreign suppliers per CB under Scenario 3). Under Scenario 1, we expect that each recognized AB will receive, on average, 397 regulatory audit reports (48 regulatory audit reports/CB × 8.27 CBs/AB) from its CBs annually resulting in a total of 4,367 records per year (397 audit reports/AB × 11 ABs). Under Scenario 2, we expect that each recognized AB will receive, on average, 456 regulatory audit reports (55.4 regulatory audit reports/CB × 8.23 CBs/AB) from its CBs annually resulting in a total of 7,752 records per year (456 audit reports/AB × 17 ABs). Under Scenario 3, we expect that each recognized AB will receive, on average, 426 regulatory audit reports (48.5 regulatory audit reports/CB × 8.79 CBs/AB) from its CBs annually resulting in a total of 10,650 records per year (426 audit reports/AB × 25 ABs). Total annual burden of recordkeeping requirement for recognized AB under § 1.625 of the Third-Party final rule is estimated at 1,092 hours (4,367 records × 0.25 hours/record) under Scenario 1 (1,938 hours under Scenario 2; 2,663 hours under Scenario 3) (see tables 13 to 15).

Section 1.624(d) of the Third-Party final rule requires each recognized AB maintain on its Web site an up-to-date list of CBs it has accredited under the Third-Party final rule and for each CB identify the duration and scope of accreditation and date(s) on which the CB paid the AB any fee or reimbursement associated with such accreditation. Recognized ABs must also include information about changes in accreditation status of third-party certification bodies. Our review of AB Web sites found that none of the ABs reviewed publish all the information that is required by § 1.620(d) of the Third-Party final rule on their Web sites. We estimate that each AB, on average, would initially spend approximately 160 hours to update its Web page to conform with this section of the Third-Party final rule. Under Scenario 1, the one-time burden of conforming to § 1.624(d) of the Third-Party final rule by 11 recognized ABs is estimated at approximately 1,760 hours (11 ABs × 160 hours/AB) (see table 10). Under Scenario 2, the one-time burden of conforming to § 1.624(d) of the Third-Party final rule by 17 recognized ABs is estimated at approximately 2,720 hours (17 ABs × 160 hours/AB) (see table 11). Under Scenario 3, the one-time burden of conforming to § 1.624(d) of the Third-Party final rule by 25 recognized ABs is estimated at approximately 4,000 hours (25 ABs × 160 hours/AB) (see table 12). In addition, we estimate that each recognized AB would spend 8 hours annually, following the initial year, to update information as required by § 1.624(d) of the Third-Party final rule. Under Scenario 1, the annual hourly burden for 11 recognized ABs to update their Web pages to conform to disclosure of information requirement per § 1.624(d) of the Third-Party final rule is estimated at 88 hours (8 hours/AB × 11 ABs) (136 hours under Scenario 2; 200 hours under Scenario 3) (see tables 13 to 15).

Similarly, § 1.657(d) of the Third-Party final rule requires a CB accredited in compliance with the Third-Party final rule to maintain on its Web site an up-to-date list of eligible entities which it has issued certifications under this subpart. For each such eligible entity the Web site also must identify the duration and scope of the certification and date(s) on which the eligible entity paid the CB accredited under the third-party program any fee or reimbursement associated with such audit or certification. In the Third-Party final Regulatory Impact Analysis, we estimate that following the implementation of the Third-Party final rule and VQIP draft guidance, there will be approximately 91 CBs accredited by recognized ABs and 1 directly-accredited CB under Scenario 1 (140 CBs and one directly-accredited CB under Scenario 2; 207 CBs and 1 directly-accredited CB under Scenario 3). Under Scenario 1, the one-time recordkeeping burden of 92 CBs accredited under the third-party program to comply with § 1.657(d) of the Third-Party final rule is estimated at 14,720 hours (160 hours/CB × 92 CBs) (22,560 hours under Scenario 2; 33,280 hours under Scenario 3) (see tables 10 to 12). In addition, we estimate that each CB would spend 8 hours annually, following the initial year, to update information as required by § 1.657(d) of the Third-Party final rule. Under Scenario 1, annual hourly burden for 92 CBs accredited under the third-party program to update their Web pages to conform to disclosure of information requirement per § 1.657(d) of the Third-Party final rule is estimated at 736 hours (8 hours/CB × 92 CBs) (1,128 hours under Scenario 2; 1,664 hours under Scenario 3) (see tables 13 to 15).

There are certain provisions within the Third-Party final rule that may require ABs to modify their contracts Start Printed Page 74644with their CBs in order to comply with the Third-Party final rule. Therefore, it is expected that recognized ABs will modify their contracts with their accredited CBs to be able to conduct activities such as conducting unannounced audits of their accredited CBs' facilities. Minor modifications or addenda to contracts with standard language provided by provisions in the Third-Party final rule would consist of no more than 1 hour by an AB executive and 1 hour by a legal counsel representing the AB. As we discussed, following the implementation of the Third-Party final rule, we expect that each recognized AB will accredit approximately 8.27 CBs (8.23 CBs/AB under Scenario 2; 8.79 CBs/AB under Scenario 3). Therefore, under Scenario 1, a total of 91 contracts (8.27 contracts/AB × 11 ABs) (140 contracts under Scenario 2; 220 contracts under Scenario 3) are expected to be modified to reflect changes in contractual obligations between each recognized AB and its accredited CBs under the Third-Party final rule (see tables 10 to 12). The one-time burden of initial modification of 91 contracts between 11 recognized ABs and their respective accredited CBs is approximately 182 hours (91 contracts × 2 hours/contract) (280 hours under Scenario 2; 440 hours under Scenario 3) (see tables 10 to 12).

Similarly, CBs accredited by recognized ABs would need to modify or create new contracts with their client eligible entities in order to gain access to any records and any area of the facility, its process(es), and food of the eligible entity relevant to the scope and purpose of audit being performed by the CB (§ 1.651). Considering that each of the expected 92 CBs accredited under the third-party program, under Scenario 1, will each have approximately 48 client eligible entities, we expect that approximately 4,416 contracts (48 contracts/CB × 92 CBs) between CBs accredited under the third-party program and eligible entities will be modified (7,811 contracts scenario 2; 10,088 contracts under Scenario 3) (see tables 10 to 12). Under Scenario 1, the one-time burden of initial modification of 4,416 contracts between 92 CBs accredited under the third-party program and their respective client eligible entities is approximately 8,832 hours (4,416 contracts × 2 hours/contract) (15,623 hours under Scenario 2; 20,176 hours under Scenario 3) (see tables 10 to 12).

Section 1.652 of the Third-Party final rule requires that CBs accredited under the third-party program include certain information in reports of food safety audits. We believe that some information such as the FDA food facility registration number (where applicable) of the facility subject to the audit are currently not included in food safety audits conducted by CBs accredited under other programs. Although this information may not be required as part of the Third-Party program, we have conservatively included the burden of providing such information in this analysis. We expect that it would take about 5 minutes (0.083 hour), on average, by a CB accredited under the third-party program to include additional information, as required in § 1.652, in reports of food safety audits. Therefore, at a minimum, under Scenario 1, each CB accredited under the third-party program must modify a regulatory audit report for each of its 48 eligible entities (55.4 eligible entities per CB in Scenario 2; 48.5 eligible entities per CB in Scenario 3) every year. Under Scenario 1, total annual records of 92 CBs accredited under the third-party program modifying regulatory audit reports of their client eligible entities is estimated at 4,416 records (92 CBs × 48 eligible entities/CB × 1 record/eligible entity) (7,811 records under Scenario 2; 10,088 records under Scenario 3). Annual recordkeeping burden of CBs accredited under the third-party program, per § 1.652 of the Third-Party final rule, is estimated at 367 hours (4,416 records × 0.083 hour/record) for Scenario 1 (648 hours for Scenario 2; 837 hours for Scenario 3) (see tables 13 to 15).

Accredited third-party CBs will incur additional recordkeeping costs associated with modifying existing certification templates to meet the requirements of § 1.653(b)(2). For example, we are requiring accredited CBs to provide a certification number that follows an FDA numeric designation. We have included the burden of providing such information in this analysis because we know that CBs currently do not use an FDA designation in numbering their certificates. To the extent that any of the elements in § 1.653(b)(2) are already included in current certificates issued by some CBs, such as the date(s) and scope of the audit, the recordkeeping burden may be overestimated. We expect that it will take no more than 1 hour, on average, to change the design of certifications issued by CBs accredited under the third-party program. Under Scenario 1, we estimate a one-time recordkeeping burden of modifying the design of the certifications of 92 CBs accredited under the third-party program at 92 hours (92 CBs × 1 hour/CB) (141 hours under Scenario 2; 208 hours under Scenario 3) (see tables 16 to 18).

We expect that the burden to fill additional information on a certification that is issued is 5 minutes (0.083 hour). Therefore, under Scenario 1, the annual burden of § 1.653(b)(2) is estimated at 367 hours (92 CBs × 1 certificate/entity × 48 entities/CB × 0.083 hour/certificate) (see table 19). Under Scenario 2, the annual burden of § 1.653(b)(2) is estimated at 648 hours (141 CBs × 1 certificate/entity × 55.4 entities/CB × 0.083 hour/certificate) (see table 20). Finally, under Scenario 3, the annual burden of § 1.653(b)(2) is estimated at 837 hours (208 CBs × 1 certificate/entity × 48.5 entities/CB × 0.083 hour/certificate) (see table 21).

Section 1.656(c) of the Third-Party final rule requires that CBs accredited under the third-party program report to us any condition, found during a regulatory or consultative audit of an eligible entity, which could cause or contribute to a serious risk to the public health. We believe that these occurrences are rare and may occur once every 4 years, or 0.25 times per year. Reporting serious hazard conditions would consist of the onsite audit agent of a CB accredited under the third-party program to document the event as a record and to immediately submit the record to us. Therefore, under Scenario 1, the annual number of records prepared by 92 CBs accredited under the third-party program is estimated at 23 (0.25 records/CB × 92 CBs) (35 records under Scenario 2; 52 records under Scenario 3). It is expected that a CB accredited under the third-party program would take no more than 1 hour to prepare such record (notification). Under Scenario 1, annual burden of preparation of records per § 1.656(c) of the Third-Party final rule by 92 CBs accredited under the third-party program is estimated at 23 hours (23 records × 1 hour/record; see table 13) (35 hours for Scenario 2, and 52 hours for Scenario 3; see tables 14 to 15).

We also acknowledge that an accreditation body seeking to challenge a denial of its application for recognition, renewal of recognition, or reinstatement of recognition will incur costs in compiling information to support its request for reconsideration under § 1.691 or its request for internal Agency review under § 1.692. A third-party certification body seeking to challenge a denial of its application for direct accreditation, renewal of direct accreditation, or reaccreditation as a directly accredited third-party certification body will incur costs in compiling information to support its Start Printed Page 74645request for reconsideration under § 1.691 or its request for internal Agency review under § 1.692, as will any accredited third-party certification body seeking to challenge a denial of its request for a waiver of the conflict of interest requirement of § 1.650(b) or a waiver extension. We anticipate that most accreditation bodies and third-party certification bodies who seek to participate in our program will carefully consider the program requirements before applying to, or joining, the program or before submitting a waiver request. We anticipate the submission of challenges under § 1.691 or § 1.692 to be an infrequent event, and one that most program participants will not encounter. Therefore, we are not calculating costs associated with the compiling of information to support a request for reconsideration under § 1.691 or a request for internal agency review under § 1.692 by an accreditation body seeking to challenge a denial of its application for recognition, renewal of recognition, or reinstatement of recognition; by an third-party certification body seeking to challenge a denial of its application for direct accreditation, renewal of direct accreditation, or reaccreditation as a directly accredited third-party certification body; or by an accredited third-party certification body seeking to challenge a denial of its request for a waiver of the conflict of interest requirement of § 1.650(b) or a waiver extension.

Reporting Burden

In summary, under Scenario 1, total one-time reporting burden by 11 recognized ABs and 92 CBs accredited under the third-party program is estimated at 960 hours (see table 16). Under Scenario 2, total one-time reporting burden by 17 recognized ABs and 141 CBs accredited under the third-party program is estimated at 1,440 hours (see table 17). Under Scenario 3, total one-time reporting burden by 25 recognized ABs and 208 CBs accredited under the third-party program is estimated at 2,080 hours (see table 18). Total annual reporting burden, under Scenarios 1 to 3 is estimated between 3,466 and 7,919 hours (see tables 19 to 21).

Table 16—Scenario 1, Estimated One-Time Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.6301111180880
§ 1.670(a-b)1118080
Total One-Time Reporting Burden960
Note: There are no operations and maintenance costs associated with one-time reporting burden.

Table 17—Scenario 2, Estimated One-Time Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.63017117801,360
§ 1.670(a-b)1118080
Total One-Time Reporting Burden1,440
Note: There are no operations and maintenance costs associated with one-time reporting burden.

Table 18—Scenario 3, Estimated One-Time Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.63025125802,000
§ 1.670(a-b)1118080
Total One-Time Reporting Burden2,080
Note: There are no operations and maintenance costs associated with one-time reporting burden.

Table 19—Scenario 1, Estimated Annual Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.63411111888
§ 1.6731111010
§ 1.623(a)118.27910.25 (15 minutes)23
§ 1.623(b)111110.25 (15 minutes)3
Start Printed Page 74646
§ 1.653(b)(1)92484,4160.25 (15 minutes)1,104
§ 1.656(a) 191484,3680.25 (15 minutes)1,092
§ 1.656(a) 291484,3680.25 (15 minutes)1,092
§ 1.656(a) 3148480.25 (15 minutes)12
§ 1.656(b) 4911910.25 (15 minutes)23
§ 1.656(b) 51110.25 (15 minutes)1
§ 1.656(c)920.25230.25 (15 minutes)6
§ 1.656(e) 6920.25230.25 (15 minutes)6
§ 1.656(e) 7910.25230.25 (15 minutes)6
Total Annual Reporting Burden3,446
Note: There are no operations and maintenance costs associated with annual reporting burden.
1 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
2 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
3 Annual reporting of regulatory audit reports by directly accredited CBs to the FDA.
4 Annual reporting of self-assessment by accredited CBs to their recognized ABs.
5 Annual reporting of self-assessment by directly-accredited CBs to the FDA.
6 Annual reporting of serious risk to public health by CBs accredited under the third-party program to eligible entities.
7 Annual reporting of serious risk to public health by accredited CBs to their recognized ABs.

Table 20—Scenario 2, Estimated Annual Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.634171178136
§ 1.6731111010
§ 1.623(a)178.231400.25 (15 minutes)35
§ 1.623(b)171170.25 (15 minutes)4
§ 1.653(b)(1)14155.47,8110.25 (15 minutes)1,953
§ 1.656(a) 114055.47,7560.25 (15 minutes)1,939
§ 1.656(a) 214055.47,7560.25 (15 minutes)1,939
§ 1.656(a) 3155.4550.25 (15 minutes)14
§ 1.656(b) 414011400.25 (15 minutes)35
§ 1.656(b) 51110.25 (15 minutes)1
§ 1.656(c)1410.25350.25 (15 minutes)9
§ 1.656(e) 61410.25350.25 (15 minutes)9
§ 1.656(e) 71400.25350.25 (15 minutes)9
Total Annual Reporting Burden6,093
Note: There are no operations and maintenance costs associated with annual reporting burden.
1 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
2 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
3 Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
4 Annual reporting of self-assessment by CBs to their recognized ABs.
5 Annual reporting of self-assessment by directly-accredited CBs to the FDA.
6 Annual reporting of serious risk to public health by CBs accredited under the third-party program to eligible entities.
7 Annual reporting of serious risk to public health by CBs to their recognized ABs.
Start Printed Page 74647

Table 21—Scenario 3, Estimated Annual Reporting Burden

21 CFR Part 1, subpart MNumber of recordkeepersNumber of records per recordkeeperTotal one-time recordsAverage burden per recordkeeping (in hours)Total hours
§ 1.634251258200
§ 1.6731111010
§ 1.623(a)258.792200.25 (15 minutes)55
§ 1.623(b)251250.25 (15 minutes)6
§ 1.653(b)(1)20848.510,0880.25 (15 minutes)2,522
§ 1.656(a) 120748.510,0400.25 (15 minutes)2,510
§ 1.656(a) 220748.510,0400.25 (15 minutes)2,510
§ 1.656(a) 3155.4550.25 (15 minutes)14
§ 1.656(b) 420712070.25 (15 minutes)52
§ 1.656(b) 51110.25 (15 minutes)1
§ 1.656(c)2080.25520.25 (15 minutes)13
§ 1.656(e) 62080.25520.25 (15 minutes)13
§ 1.656(e) 72070.25520.25 (15 minutes)13
Total Annual Reporting Burden7,919
Note: There are no operations and maintenance costs associated with annual reporting burden.
1 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
2 Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
3 Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
4 Annual reporting of self-assessment by CBs to their recognized ABs.
5 Annual reporting of self-assessment by directly-accredited CBs to the FDA.
6 Annual reporting of serious risk to public health by CBs accredited under the third-party program to eligible entities.
7 Annual reporting of serious risk to public health by CBs to their recognized ABs.

Section 1.630 of the Third-Party final rule allows for any AB to apply for recognition. Under Scenario 1, we estimate that approximately 11 ABs would apply for recognition. We estimate that it will take 80 person-hours to compile all the relevant information and complete the application for recognition. The initial application for recognition is a one-time burden for each AB that applies. Under Scenario 1, the one-time initial application burden for 11 ABs is estimated at 880 hours (11 applications × 80 hours/application) (see table 16). The one-time initial application burden for 17 ABs, under Scenario 2 (25 ABs under Scenario 3), is estimated at 1,360 hours (2,000 hours under Scenario 3) (see tables 17 and 18). The duration of recognition for a recognized AB will not exceed 5 years per § 1.632 of the Third-Party final rule. Therefore, it is expected that each of the recognized ABs would apply to renew its recognition every 5 years per § 1.634 of the Third-Party final rule. We expect that applications for renewal of recognition will take significantly less time to prepare. We use 50 percent of the amount of effort to prepare and submit an application for renewal of recognition. Therefore, it is expected that, on average, each recognized AB will spend 40 hours every 5 years (after the initial application) to complete and submit an application for renewal of its recognition, or approximately 8 hours per year (40 hours ÷ 5 years) for each AB. Therefore, the annual burden of completing the renewal of recognition application by 11 ABs, under Scenario 1, is 88 hours (11 applications × 8 hours/application) per year (136 hours per year for 17 ABs under Scenario 2; 200 per hour for each of 25 ABs under Scenario 3) (see tables 19 to 21).

Similarly, § 1.670(a) and (b) of the Third-Party final rule allows for CBs to apply to us for direct accreditation, when the criteria for direct accreditation are met. We estimate that approximately one CB would apply for direct accreditation. It is expected that the application for direct accreditation would require the same amount of effort as does an AB's application for recognition. Hence, we estimate that the initial application for direct accreditation would take 80-person hours. The one-time initial application burden for 1 CB, for each scenario, is estimated at 80 hours (1 application × 80 hours/application) (see tables 16 to 18). The duration of accreditation for a directly-accredited CB will not exceed 4 years, per § 1.671 of the Third-Party final rule. Therefore, it is expected that each of the expected directly-accredited CBs would apply to renew its accreditation every 4 years, per § 1.673 of the Third-Party final rule. We expect that directly accredited CBs use 50 percent amount of effort, or 40 person-hours, for their initial application for direct accreditation, yielding an average of 10 hours per year. Therefore, the annual burden of completing the application for renewal by 1 directly-accredited CB is 10 hours (1 application × 10 hours/application) per year (see tables 19 to 21).

For the purposes of the Third-Party final economic and PRA analyses, we have estimated costs assuming that, during the application process, affected entities will do their paperwork properly and completely the first time. If we assumed a less consistent outcome, one that would result in Start Printed Page 74648recognition denials, the initial burden might increase.

Section 1.623(a) of the Third-Party final rule requires that recognized ABs annually conduct comprehensive assessments of the performance of CBs they have accredited and submit the results of the assessments to us within 45 days of their completion. We expect that it would take no more than 15 minutes (0.25 hour) for a recognized AB to electronically submit the assessment of each its accredited CBs. Following the implementation of the Third-Party final rule and VQIP draft guidance, we expect, on average, each recognized AB would accredit approximately 8.27 CBs (8.23 CBs under Scenario 2; 8.79 under Scenario 3). Therefore, under Scenario 1, each recognized AB would submit, on average, approximately 91 copies of assessments of performance of their accredited CBs (8.27 assessments/AB × 11 ABs) (140 assessments under Scenario 2; 220 under Scenario 3). Under Scenario 1, annual reporting of 91 assessments by 11 recognized ABs is estimated at 23 hours (91 submission of assessments × 0.25 hour/submission) (35 hours under Scenario 2; 55 hours under Scenario 3) (see tables 19 to 21).

Section 1.623(b) of the Third-Party final rule requires that recognized ABs annually conduct a self-assessment and submit the assessments within 45 days of their completion. We expect that it would take no more than 15 minutes for an AB to electronically submit a copy of its self-assessment. Under Scenario 1, annual reporting of 11 self-assessments by 11 recognized ABs is estimated at 3 hours (11 submission of self-assessments × 0.25 hour/submission) (4 hours under Scenario 2; 6 hours under Scenario 3) (see tables 10 to 21).

Section 1.656(a) of the Third-Party final rule requires that a CB accredited under the third-party program must submit the regulatory audit reports it conducts to us and to the AB that granted its accreditation (where applicable) within 45 days after completing such audit. In the Third-Party final economic analysis, we estimate that following the implementation of the Third-Party final rule, there will be 11 recognized ABs that accredit 91 CBs (17 recognized ABs and 140 accredited CBs under Scenario 2; 25 recognized ABs and 207 accredited CBs under Scenario 3), and we will directly accredit one CB. In addition, we estimated that each CB accredited under the third-party program, on average, conducts food safety audits and certifies 48 eligible entities under Scenario 1 (55.4 eligible entities/CB under Scenario 2; 48.5 eligible entities/CB under Scenario 3). Therefore, under Scenario 1, CBs accredited by recognized ABs will annually submit 4,368 regulatory audit reports (91 CBs × 48 reports/CB) to their accrediting ABs and 4,368 reports to us (see table 19). Similarly, under Scenarios 2 and 3, CBs accredited by recognized ABs will annually submit 7,756 and 10,040 regulatory audit reports to their accrediting ABs and the FDA, respectively (see tables 20 and 21). Under Scenario 1, the directly-accredited CB will annually submit 48 regulatory audit reports (1 CB × 48 reports/CB) (see table 19). The number of eligible entities per directly-accredited CB increases to 55.4 in Scenario 2. We assume that the number of eligible entities per directly-accredited CBs remains the same for Scenario 3. We expect that it would take no more than 15 minutes (0.25 hour) for a CB accredited under the third-party program to electronically submit a copy of the regulatory report it conducts to us and to its AB (where applicable).

Under Scenario 1, annual reporting burden for CBs accredited by recognized ABs is estimated at 1,092 hours (4,368 reports × 0.25 hours/report) for submitting copies of regulatory audit reports they have conducted to their accrediting ABs and 1,092 hours for submitting the same records to us (see table 19). Under Scenario 2, annual reporting burden for CBs accredited by recognized ABs is estimated at 1,939 hours (7,756 reports × 0.25 hours/report) for submitting copies of regulatory audit reports they have conducted to their accrediting ABs and 1,939 hours for submitting the same records to us (see table 20). Similarly, under Scenario 3, annual reporting burden for CBs accredited by recognized ABs is estimated at 2,510 hours (10,040 reports × 0.25 hours/report) for submitting copies of regulatory audit reports they have conducted to their accrediting ABs and 2,510 hours for submitting the same records to us (see table 21). Under Scenario 1, annual burden for submission of regulatory audit reports by directly-accredited CBs is estimated at 12 hours (48 reports × 0.25 hours/report) (14 hours for Scenarios 2 and 3) (see tables 19 to 21).

Section 1.656(b) of the Third-Party final rule requires CBs accredited under the third-party program to submit reports of their annual self-assessments electronically to their ABs, or in the case of direct accreditation to us, within 45 days of the anniversary date of their accreditation under subpart M. We expect that it would take no more than 15 minutes (0.25 hour) for a CB accredited under the third-party program to electronically send a copy of its annual self-assessment to its AB or us (as applicable). Under Scenario 1, the annual burden for CBs accredited by recognized ABs is estimated at 23 hours (91 self-assessments × 0.25 hour/self-assessment; see table 19) (35 hours under Scenario 2 and 52 hours under Scenario 3; see tables 20 and 21). Annual burden for submission of self-assessments by one directly-accredited CB is estimated at 0.25 hour (1 self-assessment × 0.25 hour/self-assessment; see tables 19 to 21) (rounded to 1 hour).

As we discussed, § 1.656(c) of the Third-Party final rule requires that a CB accredited under the third-party program report to us any condition, found during a regulatory or consultative audit of an eligible entity, which could cause or contribute to a serious risk to the public health. In the Recordkeeping Burden section above, we estimated that such events are expected to occur once every 4 years, or 0.25 per year. We expect that it would take no more than 15 minutes (0.25 hour) for a CB accredited under the third-party program to electronically send a copy of its notification to us. Therefore, under Scenario 1, the total number of notifications sent to us on an annual basis per § 1.656(c) of the Third-Party final rule is estimated at 23 (92 CBs × 0.25 records/CB) (35 notifications under Scenario 2; 52 notifications under Scenario 3). Under Scenario 1, annual burden for submitting a notification under § 1.656(c) of the Third-Party final rule to us by CBs accredited under the third-party program is estimated at 6 hours (23 records × 0.25 hour/record) (9 hours under Scenario 2; 13 hours under Scenario 3) (see tables 19 to 21).

Following reporting under § 1.656(c), a CB accredited under the third-party program is required under § 1.656(e) of the Third-Party final rule to immediately notify the eligible entity and its accrediting AB of any conditions identified during the audit which triggered the reporting requirement per § 1.656(c) of the Third-Party final rule. Under Scenario 1, total number of notification sent to eligible entities by 141 CBs accredited under the third-party program is estimated at 23 (92 CBs × 0.25 records/CB) (35 notifications under Scenario 2; 52 notifications under Scenario 3) while the number of notifications sent to recognized ABs by their accredited CBs is estimated at 23 (91 CBs × 0.25 records/CB) (35 under Scenario 2; 52 under Scenario 3). Under Scenario 1, annual burden of submitting a notification under § 1.656(e) of the Third-Party final rule to affected eligible entities and ABs by accredited CBs is estimated at 6 hours (9 hours under Scenario 2; 13 hours under Scenario 3) (see tables 19 to 21).Start Printed Page 74649

XVIII. Analysis of Environmental Impact

We have determined under 21 CFR 25.30(j) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

XIX. Federalism

We have analyzed the final rule in accordance with the principles set forth in Executive Order 13132. We have determined that the rule does not contain policies that have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. Accordingly, we conclude that the rule does not contain policies that have federalism implications as defined in the Executive Order and, consequently, a federalism summary impact statement is not required.

XX. References

The following references have been placed on display in the Division of Dockets Management (see ADDRESSES) and may be seen by interested persons between 9 a.m. and 4 p.m., Monday through Friday, and are available electronically at http://www.regulations.gov. We have verified the Web site addresses, but we are not responsible for any subsequent changes to Web sites after this document publishes in the Federal Register.

1. FDA, “Transcript: FSMA Proposed Rules on Foreign Supplier Verification Programs and the Accreditation of Third-Party Auditors/Certification Bodies, Public Meeting, Day One, September 19, 2013.” Available in Docket No. FDA-2011-N-0143.

2. FDA, “Transcript: FSMA Proposed Rules on Foreign Supplier Verification Programs and the Accreditation of Third-Party Auditors/Certification Bodies, Public Meeting, Day Two, September 20, 2013.” Available in Docket No. FDA-2011-N-0143.

3. FDA, “FDA Office of Foods and Veterinary Medicine Memorandum to the Division of Dockets Management on FDA Records of Outreach Sessions,” November 21, 2013. Available in Docket No. FDA-2011-N-0920.

4. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC 17000:2004 Conformity Assessment—Vocabulary and General Principles.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​catalogue_​detail.htm?​csnumber=​29316 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

5. International Organization for Standardization/International Electrotechnical Commission, ISO/IEC “17011:2004 Conformity Assessment—General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​29332 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

6. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC 17021:2011 Conformity Assessment—Requirements for Bodies Providing Audit and Certification of Management Systems.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​publication_​item.htm?​pid=​PUB100353 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

7. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC 17065:2012 Conformity Assessment—Requirements for Bodies Certifying Products, Processes and Services.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​46568 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

8. International Organization for Standardization, ISO 19011:2011 Guidelines for Auditing Management Systems.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​50675 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

9. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC Guide 65:1996 General Requirements for Bodies Operating Product Certification Systems.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​catalogue_​detail.htm?​csnumber=​26796 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

10. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC 17020:2012 Conformity Assessment—Requirements for the Operation of Various Types of Bodies Performing Inspection.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​52994 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

11. Global Food Safety Initiative, “Enhancing Food Safety Through Third-Party Certification,” March 2011.

12. International Organization for Standardization/International Electrotechnical Commission, “ISO/IEC 17040:2005 Conformity Assessment—General Requirements for Peer Assessment of Conformity Assessment Bodies and Accreditation Bodies.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​31815 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

13. International Accreditation Forum, “IAF Endorsed Normative Documents, Issue 4 (IAF PR 4:2007),” http://www.iaf.nu/​upFiles/​197878.IAF-PR4-2007_​Endorsed_​NormDocs_​Issue_​4_​Pub.pdf. Accessed on October 26, 2015.

14. Codex Alimentarius Commission, “Principles for Food Import and Export Inspection and Certification (CAC/GL 20-1995).” http://www.codexalimentarius.org/​input/​download/​standards/​37/​CXG_​020e.pdf. Accessed on October 26, 2015.

15. Armour, S., Lippert, J., and Smith, M., “Food Sickens Millions as Company-Paid Checks Find It Safe,” Bloomberg Business, October 11, 2012. http://www.bloomberg.com/​news/​articles/​2012-10-11/​food-sickens-millions-as-industry-paid-inspectors-find-it-safe. Accessed on October 26, 2015.

16. Zheng, Y., Muth, M.M., Kosa, K., “Economic Analysis of Third-Party Food Start Printed Page 74650Safety Certification of Imported Food,” RTI International, June 2012.

17. American National Standards Institute, “About ANSI,” http://www.ansi.org/​about_​ansi/​overview/​overview.aspx?​menuid=​1. Accessed on May 6, 2015.

18. United Kingdom Accreditation Service, “About UKAS,” http://www.ukas.com/​about/​. Accessed on October 26, 2015.

19. Danish Accreditation Fund, “DANAK Home” http://english.danak.dk/​. Accessed on May 4, 2015.

20. International Organization for Standards, “ISO/TS 22003:2007 Food Safety Management Systems—Requirements for Bodies Providing Audit and Certification of Food Safety Management Systems.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​39834 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

21. International Organization for Standardization/International Electrotechnical Commission, “ISO 22000:2005 Food Safety Management Systems—Requirements for Any Organization in the Food Chain.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​35466 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

22. British Retail Consortium, “Global Standard for Food Safety, Issue 6,” 2012. Copies are available from the British Retail Consortium, Second Floor, 21 Dartmouth Street, London SW1H 9BP, or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

23. Safe Quality Food Institute, “SQF Code, Edition 7.2: A HACCP-Based Supplier Assurance Code for the Food Industry,” July 2014. https://www.sqfi.com/​wp-content/​uploads/​SQF-Code_​Ed-7.2-July.pdf. Accessed on October 27, 2015.

24. International Organization for Standardization, “ISO/TS 22003:2013 Food Safety Management Systems—Requirements for Bodies Providing Audit and Certification of Food Safety Management Systems.” Copies are available from the International Organization for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/​iso/​home/​store/​catalogue_​tc/​catalogue_​detail.htm?​csnumber=​60605 or may be examined at the Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).

25. FDA, “Tribal Summary Impact Statement: Final Rule on Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and to Issue,” Docket No. FDA-2011-N-0146.

Start List of Subjects

List of Subjects

21 CFR Part 1

  • Cosmetics
  • Drugs
  • Exports
  • Food labeling
  • Imports
  • Labeling
  • Reporting and recordkeeping requirements

21 CFR Part 11

  • Administrative practice and procedure
  • Computer technology
  • Reporting and recordkeeping requirements

21 CFR Part 16

  • Administrative practice and procedure
End List of Subjects

Therefore, under the Federal Food, Drug, and Cosmetic Act and under authority delegated to the Commissioner of Food and Drugs, 21 CFR parts 1, 11, and 16 are amended as follows:

Start Part

PART 1—GENERAL ENFORCEMENT REGULATIONS

End Part Start Amendment Part

1. The authority citation for 21 CFR part 1 is revised to read as follows:

End Amendment Part Start Authority

Authority: 15 U.S.C. 1333, 1453, 1454, 1455, 4402; 19 U.S.C. 1490, 1491; 21 U.S.C. 321, 331, 332, 333, 334, 335a, 343, 350c, 350d, 350j, 352, 355, 360b, 360ccc, 360ccc-1, 360ccc-2, 362, 371, 374, 381, 382, 384a, 384b, 384d, 387, 387a, 387c, 393; 42 U.S.C. 216, 241, 243, 262, 264, 271.

End Authority Start Amendment Part

2. Add subpart M, consisting of §§ 1.600 through 1.695, to read as follows:

End Amendment Part
Subpart M—Accreditation of Third-Party Certification Bodies To Conduct Food Safety Audits and To Issue Certifications
1.600
What definitions apply to this subpart?
1.601
Who is subject to this subpart?
Recognition of Accreditation Bodies Under This Subpart
1.610
Who is eligible to seek recognition?
1.611
What legal authority must an accreditation body have to qualify for recognition?
1.612
What competency and capacity must an accreditation body have to qualify for recognition?
1.613
What protections against conflicts of interest must an accreditation body have to qualify for recognition?
1.614
What quality assurance procedures must an accreditation body have to qualify for recognition?
1.615
What records procedures must an accreditation body have to qualify for recognition?
Requirements for Accreditation Bodies That Have Been Recognized Under This Subpart
1.620
How must a recognized accreditation body evaluate third-party certification bodies seeking accreditation?
1.621
How must a recognized accreditation body monitor the performance of third-party certification bodies it accredited?
1.622
How must a recognized accreditation body monitor its own performance?
1.623
What reports and notifications must a recognized accreditation body submit to FDA?
1.624
How must a recognized accreditation body protect against conflicts of interest?
1.625
What records requirements must an accreditation body that has been recognized meet?
Procedures for Recognition of Accreditation Bodies Under This Subpart
1.630
How do I apply to FDA for recognition or renewal of recognition?
1.631
How will FDA review my application for recognition or renewal of recognition and what happens once FDA decides on my application?
1.632
What is the duration of recognition?
1.633
How will FDA monitor recognized accreditation bodies?
1.634
When will FDA revoke recognition?
1.635
What if I want to voluntarily relinquish recognition or do not want to renew recognition?
1.636
How do I request reinstatement of recognition?
Accreditation of Third-Party Certification Bodies Under This Subpart
1.640
Who is eligible to seek accreditation?
1.641
What legal authority must a third-party certification body have to qualify for accreditation?
1.642
What competency and capacity must a third-party certification body have to qualify for accreditation?
1.643
What protections against conflicts of interest must a third-party certification body have to qualify for accreditation?
1.644
What quality assurance procedures must a third-party certification body have to qualify for accreditation?
1.645
What records procedures must a third-party certification body have to qualify for accreditation?
Requirements for Third-Party Certification Bodies That Have Been Accredited Under This Subpart
1.650
How must an accredited third-party certification body ensure its audit agents are competent and objective?
1.651
How must an accredited third-party certification body conduct a food safety audit of an eligible entity?
1.652
What must an accredited third-party certification body include in food safety audit reports?
1.653
What must an accredited third-party certification body do when issuing food or facility certifications?
1.654
When must an accredited third-party certification body monitor an eligible entity that it has issued a food or facility certification?
1.655
How must an accredited third-party certification body monitor its own performance?
1.656
What reports and notifications must an accredited third-party certification body submit?Start Printed Page 74651
1.657
How must an accredited third-party certification body protect against conflicts of interest?
1.658
What records requirements must a third-party certification body that has been accredited meet?
Procedures for Accreditation of Third-Party Certification Bodies Under This Subpart
1.660
Where do I apply for accreditation or renewal of accreditation by a recognized accreditation body and what happens once the recognized accreditation body decides on my application?
1.661
What is the duration of accreditation by a recognized accreditation body?
1.662
How will FDA monitor accredited third-party certification bodies?
1.663
How do I request an FDA waiver or waiver extension for the 13-month limit for audit agents conducting regulatory audits?
1.664
When would FDA withdraw accreditation?
1.665
What if I want to voluntarily relinquish accreditation or do not want to renew accreditation?
1.666
How do I request reaccreditation?
Additional Procedures for Direct Accreditation of Third-Party Certification Bodies Under This Subpart
1.670
How do I apply to FDA for direct accreditation or renewal of direct accreditation?
1.671
How will FDA review my application for direct accreditation or renewal of direct accreditation and what happens once FDA decides on my application?
1.672
What is the duration of direct accreditation?
Requirements for Eligible Entities Under This Subpart
1.680
How and when will FDA monitor eligible entities?
1.681
How frequently must eligible entities be recertified?
General Requirements of This Subpart
1.690
How will FDA make information about recognized accreditation bodies and accredited third-party certification bodies available to the public?
1.691
How do I request reconsideration of a denial by FDA of an application or a waiver request?
1.692
How do I request internal agency review of a denial of an application or waiver request upon reconsideration?
1.693
How do I request a regulatory hearing on a revocation of recognition or withdrawal of accreditation?
1.694
Are electronic records created under this subpart subject to the electronic records requirements of part 11 of this chapter?
1.695
Are the records obtained by FDA under this subpart subject to public disclosure?

Subpart M—Accreditation of Third-Party Certification Bodies To Conduct Food Safety Audits and To Issue Certifications

What definitions apply to this subpart?

(a) The FD&C Act means the Federal Food, Drug, and Cosmetic Act.

(b) Except as otherwise defined in paragraph (c) of this section, the definitions of terms in section 201 of the FD&C Act apply when the terms are used in this subpart.

(c) In addition, for the purposes of this subpart:

Accreditation means a determination by a recognized accreditation body (or, in the case of direct accreditation, by FDA) that a third-party certification body meets the applicable requirements of this subpart.

Accreditation body means an authority that performs accreditation of third-party certification bodies.

Accredited third-party certification body means a third-party certification body that a recognized accreditation body (or, in the case of direct accreditation, FDA) has determined meets the applicable requirements of this subpart and is accredited to conduct food safety audits and to issue food or facility certifications to eligible entities. An accredited third-party certification body has the same meaning as accredited third-party auditor as defined in section 808(a)(4) of the FD&C Act.

Assessment means:

(i) With respect to an accreditation body, an evaluation by FDA of the competency and capacity of the accreditation body under the applicable requirements of this subpart for the defined scope of recognition. An assessment of the competency and capacity of the accreditation body involves evaluating the competency and capacity of the operations of the accreditation body that are relevant to decisions on recognition and, if recognized, an evaluation of its performance and the validity of its accreditation decisions under the applicable requirements of this subpart.

(ii) With respect to a third-party certification body, an evaluation by a recognized accreditation body (or, in the case of direct accreditation, FDA) of the competency and capacity of a third-party certification body under the applicable requirements of this subpart for the defined scope of accreditation. An assessment of the competency and capacity of the third-party certification body involves evaluating the competency and capacity of the operations of the third-party certification body that are relevant to decisions on accreditation and, if accredited, an evaluation of its performance and the validity of its audit results and certification decisions under the applicable requirements of this subpart.

Audit means the systematic and functionally independent examination of an eligible entity under this subpart by an accredited third-party certification body or by FDA. An audit conducted under this subpart is not considered an inspection under section 704 of the FD&C Act.

Audit agent means an individual who is an employee or other agent of an accredited third-party certification body who, although not individually accredited, is qualified to conduct food safety audits on behalf of an accredited third-party certification body. An audit agent includes a contractor of the accredited third-party certification body but excludes subcontractors or other agents under outsourcing arrangements for conducting food safety audits without direct control by the accredited third-party certification body.

Consultative audit means an audit of an eligible entity:

(i) To determine whether such entity is in compliance with the applicable food safety requirements of the FD&C Act, FDA regulations, and industry standards and practices;

(ii) The results of which are for internal purposes only; and

(iii) That is conducted in preparation for a regulatory audit; only the results of a regulatory audit may form the basis for issuance of a food or facility certification under this subpart.

Direct accreditation means accreditation of a third-party certification body by FDA.

Eligible entity means a foreign entity in the import supply chain of food for consumption in the United States that chooses to be subject to a food safety audit under this subpart conducted by an accredited third-party certification body. Eligible entities include foreign facilities required to be registered under subpart H of this part.

Facility means any structure, or structures of an eligible entity under one ownership at one general physical location, or, in the case of a mobile facility, traveling to multiple locations, that manufactures/processes, packs, holds, grows, harvests, or raises animals for food for consumption in the United States. Transport vehicles are not facilities if they hold food only in the usual course of business as carriers. A facility may consist of one or more contiguous structures, and a single building may house more than one Start Printed Page 74652distinct facility if the facilities are under separate ownership. The private residence of an individual is not a facility. Non-bottled water drinking water collection and distribution establishments and their structures are not facilities. Facilities for the purposes of this subpart are not limited to facilities required to be registered under subpart H of this part.

Facility certification means an attestation, issued for purposes of section 801(q) or 806 of the FD&C Act by an accredited third-party certification body, after conducting a regulatory audit and any other activities necessary to establish whether a facility complies with the applicable food safety requirements of the FD&C Act and FDA regulations.

Food has the meaning given in section 201(f) of the FD&C Act, except that food does not include pesticides (as defined in 7 U.S.C. 136(u)).

Food certification means an attestation, issued for purposes of section 801(q) of the FD&C Act by an accredited third-party certification body, after conducting a regulatory audit and any other activities necessary to establish whether a food of an eligible entity complies with the applicable food safety requirements of the FD&C Act and FDA regulations.

Food safety audit means a regulatory audit or a consultative audit that is conducted to determine compliance with the applicable food safety requirements of the FD&C Act, FDA regulations, and for consultative audits, also includes conformance with industry standards and practices. An eligible entity must declare that an audit is to be conducted as a regulatory audit or consultative audit at the time of audit planning and the audit will be conducted on an unannounced basis under this subpart.

Foreign cooperative means an autonomous association of persons, identified as members, who are united through a jointly owned enterprise to aggregate food from member growers or processors that is intended for export to the United States.

Recognized accreditation body means an accreditation body that FDA has determined meets the applicable requirements of this subpart and is authorized to accredit third-party certification bodies under this subpart.

Regulatory audit means an audit of an eligible entity:

(i) To determine whether such entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations; and

(ii) The results of which are used in determining eligibility for certification under section 801(q) or under section 806 of the FD&C Act.

Relinquishment means:

(i) With respect to an accreditation body, a decision to cede voluntarily its authority to accredit third-party certification bodies as a recognized accreditation body prior to expiration of its recognition under this subpart; and

(ii) With respect to a third-party certification body, a decision to cede voluntarily its authority to conduct food safety audits and to issue food and facility certifications to eligible entities as an accredited third-party certification body prior to expiration of its accreditation under this subpart.

Self-assessment means an evaluation conducted by a recognized accreditation body or by an accredited third-party certification body of its competency and capacity under the applicable requirements of this subpart for the defined scope of recognition or accreditation. For recognized accreditation bodies this involves evaluating the competency and capacity of the entire operations of the accreditation body and the validity of its accreditation decisions under the applicable requirements of this subpart. For accredited third-party certification bodies this involves evaluating the competency and capacity of the entire operations of the third-party certification body and the validity of its audit results under the applicable requirements of this subpart.

Third-party certification body has the same meaning as third-party auditor as that term is defined in section 808(a)(3) of the FD&C Act and means a foreign government, agency of a foreign government, foreign cooperative, or any other third party that is eligible to be considered for accreditation to conduct food safety audits and to certify that eligible entities meet the applicable food safety requirements of the FD&C Act and FDA regulations. A third-party certification body may be a single individual or an organization. Once accredited, a third-party certification body may use audit agents to conduct food safety audits.

Who is subject to this subpart?

(a) Accreditation bodies. Any accreditation body seeking recognition from FDA to accredit third-party certification bodies to conduct food safety audits and to issue food and facility certifications under this subpart.

(b) Third-party certification bodies. Any third-party certification body seeking accreditation from a recognized accreditation body or direct accreditation by FDA for:

(1) Conducting food safety audits; and

(2) Issuing certifications that may be used in satisfying a condition of admissibility of an article of food under section 801(q) of the FD&C Act; or issuing a facility certification for meeting the eligibility requirements for the Voluntary Qualified Importer Program under section 806 of the FD&C Act.

(c) Eligible entities. Any eligible entity seeking a food safety audit or a food or facility certification from an accredited third-party certification body under this subpart.

(d) Limited exemptions from section 801(q) of the FD&C Act—(1) Alcoholic beverages. (i) Any certification required under section 801(q) of the FD&C Act does not apply with respect to alcoholic beverages from an eligible entity that is a facility that meets the following two conditions:

(A) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.), the facility is a foreign facility of a type that, if it were a domestic facility, would require obtaining a permit from, registering with, or obtaining approval of a notice or application from the Secretary of the Treasury as a condition of doing business in the United States; and

(B) Under section 415 of the FD&C Act, the facility is required to register as a facility because it is engaged in manufacturing/processing one or more alcoholic beverages.

(ii) Any certification required under section 801(q) of the FD&C Act does not apply with respect to food that is not an alcoholic beverage that is received and distributed by a facility described in paragraph (d)(1)(i) of this section, provided such food:

(A) Is received and distributed in prepackaged form that prevents any direct human contact with such food; and

(B) Constitutes not more than 5 percent of the overall sales of the facility, as determined by the Secretary of the Treasury.

(iii) Any certification required under section 801(q) of the FD&C Act does not apply with respect to raw materials or other ingredients that are imported for use in alcoholic beverages provided that:

(A) The imported raw materials or other ingredients are used in the manufacturing/processing, packing, or holding of alcoholic beverages;

(B) Such manufacturing/processing, packing, or holding is performed by the importer;Start Printed Page 74653

(C) The importer is required to register under section 415 of the Federal Food, Drug, and Cosmetic Act; and

(D) The importer is exempt from the regulations in part 117 of this chapter in accordance with § 117.5(i).

(2) Certain meat, poultry, and egg products. Any certification required under section 801(q) of the FD&C Act does not apply with respect to:

(i) Meat food products that at the time of importation are subject to the requirements of the United States Department of Agriculture (USDA) under the Federal Meat Inspection Act (21 U.S.C. 601 et seq.);

(ii) Poultry products that at the time of importation are subject to the requirements of the USDA under the Poultry Products Inspection Act (21 U.S.C. 451 et seq.); and

(iii) Egg products that at the time of importation are subject to the requirements of the USDA under the Egg Products Inspection Act (21 U.S.C. 1031 et seq.).

Recognition of Accreditation Bodies Under This Subpart

Who is eligible to seek recognition?

An accreditation body is eligible to seek recognition by FDA if it can demonstrate that it meets the requirements of §§ 1.611 through 1.615. The accreditation body may use documentation of conformance with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17011:2004, supplemented as necessary, in meeting the applicable requirements of this subpart.

What legal authority must an accreditation body have to qualify for recognition?

(a) An accreditation body seeking recognition must demonstrate that it has the authority (as a governmental entity or as a legal entity with contractual rights) to perform assessments of a third-party certification body as are necessary to determine its capability to conduct audits and certify food facilities and food, including authority to:

(1) Review any relevant records;

(2) Conduct onsite assessments of the performance of third-party certification bodies, such as by witnessing the performance of a representative sample of its agents (or, in the case of a third-party certification body that is an individual, such individual) conducting a representative sample of audits;

(3) Perform any reassessments or surveillance necessary to monitor compliance of accredited third-party certification bodies; and

(4) Suspend, withdraw, or reduce the scope of accreditation for failure to comply with the requirements of accreditation.

(b) An accreditation body seeking recognition must demonstrate that it is capable of exerting the authority (as a governmental entity or as a legal entity with contractual rights) necessary to meet the applicable requirements of this subpart, if recognized.

What competency and capacity must an accreditation body have to qualify for recognition?

An accreditation body seeking recognition must demonstrate that it has:

(a) The resources required to adequately implement its accreditation program, including:

(1) Adequate numbers of employees and other agents with relevant knowledge, skills, and experience to effectively evaluate the qualifications of third-party certification bodies seeking accreditation and to effectively monitor the performance of accredited third-party certification bodies; and

(2) Adequate financial resources for its operations; and

(b) The capability to meet the applicable assessment and monitoring requirements, the reporting and notification requirements, and the procedures of this subpart, if recognized.

What protections against conflicts of interest must an accreditation body have to qualify for recognition?

An accreditation body must demonstrate that it has:

(a) Implemented written measures to protect against conflicts of interest between the accreditation body (and its officers, employees, and other agents involved in accreditation activities) and any third-party certification body (and its officers, employees, and other agents involved in auditing and certification activities) seeking accreditation from, or accredited by, such accreditation body; and

(b) The capability to meet the applicable conflict of interest requirements of this subpart, if recognized.

What quality assurance procedures must an accreditation body have to qualify for recognition?

An accreditation body seeking recognition must demonstrate that it has:

(a) Implemented a written program for monitoring and evaluating the performance of its officers, employees, and other agents and its accreditation program, including procedures to:

(1) Identify areas in its accreditation program or performance where deficiencies exist; and

(2) Quickly execute corrective actions that effectively address deficiencies when identified; and

(b) The capability to meet the applicable quality assurance requirements of this subpart, if recognized.

What records procedures must an accreditation body have to qualify for recognition?

An accreditation body seeking recognition must demonstrate that it has:

(a) Implemented written procedures to establish, control, and retain records (including documents and data) for the period of time necessary to meet its contractual and legal obligations pertaining to this subpart and to provide an adequate basis for evaluating its program and performance; and

(b) The capability to meet the applicable reporting and notification requirements of this subpart, if recognized.

Requirements for Accreditation Bodies That Have Been Recognized Under This Subpart

How must a recognized accreditation body evaluate third-party certification bodies seeking accreditation?

(a) Prior to accrediting a third-party certification body under this subpart, a recognized accreditation body must perform, at a minimum, the following:

(1) In the case of a foreign government or an agency of a foreign government, such reviews and audits of the government's or agency's food safety programs, systems, and standards as are necessary to determine that it meets the eligibility requirements of § 1.640(b).

(2) In the case of a foreign cooperative or any other third-party seeking accreditation as a third-party certification body, such reviews and audits of the training and qualifications of agents conducting audits for such cooperative or other third party (or in the case of a third-party certification body that is an individual, such individual) and such reviews of internal systems and any other investigation of the cooperative or other third party necessary to determine that it meets the eligibility requirements of § 1.640(c).

(3) In conducting a review and audit under paragraph (a)(1) or (2) of this section, an observation of a representative sample of onsite audits examining compliance with the applicable food safety requirements of the FD&C Act and FDA regulations as conducted by the third-party Start Printed Page 74654certification body or its agents (or, in the case of a third-party certification body that is an individual, such individual).

(b) A recognized accreditation body must require a third-party certification body, as a condition of accreditation under this subpart, to comply with the reports and notification requirements of §§ 1.652 and 1.656 and to agree to submit to FDA, electronically and in English, any food or facility certifications it issues for purposes of sections 801(q) or 806 of the FD&C Act.

(c) A recognized accreditation body must maintain records on any denial of accreditation (in whole or in part) and on any withdrawal, suspension, or reduction in scope of accreditation of a third-party certification body under this subpart. The records must include the name and contact information for the third-party certification body; the date of the action; the scope of accreditation denied, withdrawn, suspended, or reduced; and the basis for such action.

(d) A recognized accreditation body must notify any third-party certification body of an adverse decision associated with its accreditation under this subpart, including denial of accreditation or the withdrawal, suspension, or reduction in the scope of its accreditation. The recognized accreditation body must establish and implement written procedures for receiving and addressing appeals from any third-party certification body challenging such an adverse decision and for investigating and deciding on appeals in a fair and meaningful manner. The appeals procedures must provide similar protections to those offered by FDA under §§ 1.692 and 1.693, and include requirements to:

(1) Make the appeals procedures publicly available;

(2) Use competent persons, who may or may not be external to the recognized accreditation body, who are free from bias or prejudice and have not participated in the accreditation decision or be subordinate to a person who has participated in the accreditation decision to investigate and decide appeals;

(3) Advise third-party certification bodies of the final decisions on their appeals; and

(4) Maintain records under § 1.625 of appeals, final decisions on appeals, and the bases for such decisions.

How must a recognized accreditation body monitor the performance of third-party certification bodies it accredited?

(a) A recognized accreditation body must annually conduct a comprehensive assessment of the performance of each third-party certification body it accredited under this subpart by reviewing the accredited third-party certification body's self-assessments (including information on compliance with the conflict of interest requirements of §§ 1.643 and 1.657); its regulatory audit reports and notifications submitted to FDA under § 1.656; and any other information reasonably available to the recognized accreditation body regarding the compliance history of eligible entities the accredited third-party certification body certified under this subpart; or that is otherwise relevant to a determination whether the accredited third-party certification body is in compliance with this subpart.

(b) No later than 1 year after the initial date of accreditation of the third-party certification body and every 2 years thereafter for duration of its accreditation under this subpart, a recognized accreditation body must conduct onsite observations of a representative sample of regulatory audits performed by the third-party certification body (or its audit agents) (or, in the case of a third-party certification body that is an individual, such individual) accredited under this subpart and must visit the accredited third-party certification body's headquarters (or other location that manages audit agents conducting food safety audits under this subpart, if different than its headquarters). The recognized accreditation body will consider the results of such observations and visits in the annual assessment of the accredited third-party certification body required by paragraph (a) of this section.

How must a recognized accreditation body monitor its own performance?

(a) A recognized accreditation body must annually, and as required under § 1.664(g), conduct a self-assessment that includes evaluation of compliance with this subpart, including:

(1) The performance of its officers, employees, or other agents involved in accreditation activities and the degree of consistency in conducting accreditation activities;

(2) The compliance of the recognized accreditation body and its officers, employees, and other agents involved in accreditation activities, with the conflict of interest requirements of § 1.624; and

(3) If requested by FDA, any other aspects of its performance relevant to a determination whether the recognized accreditation body is in compliance with this subpart.

(b) As a means to evaluate the recognized accreditation body's performance, the self-assessment must include onsite observation of regulatory audits of a representative sample of third-party certification bodies it accredited under this subpart. In meeting this requirement, the recognized accreditation body may use the results of onsite observations performed under § 1.621(b).

(c) Based on the evaluations conducted under paragraphs (a) and (b) of this section, the recognized accreditation body must:

(1) Identify any area(s) where deficiencies exist;

(2) Quickly implement corrective action(s) that effectively address those deficiencies; and

(3) Establish and maintain records of any such corrective action(s) under § 1.625.

(d) The recognized accreditation body must prepare, and as required by § 1.623(b) submit, a written report of the results of its self-assessment that includes the following elements. Documentation of conformance to ISO/IEC 17011:2004 may be used, supplemented as necessary, in meeting the requirements of this paragraph.

(1) A description of any corrective actions taken under paragraph (c) of this section;

(2) A statement disclosing the extent to which the recognized accreditation body, and its officers, employees, and other agents involved in accreditation activities, complied with the conflict of interest requirements in § 1.624; and

(3) A statement attesting to the extent to which the recognized accreditation body complied with applicable requirements of this subpart.

What reports and notifications must a recognized accreditation body submit to FDA?

(a) Reporting results of assessments of accredited third-party certification body performance. A recognized accreditation body must submit to FDA electronically, in English, a report of the results of any assessment conducted under § 1.621, no later than 45 days after completing such assessment. The report must include an up-to-date list of any audit agents used by the accredited third-party certification body to conduct food safety audits under this subpart.

(b) Reporting results of recognized accreditation body self-assessments. A recognized accreditation body must submit to FDA electronically, in English:

(1) A report of the results of an annual self-assessment required under § 1.622, no later than 45 days after completing such self-assessment; andStart Printed Page 74655

(2) For a recognized accreditation body subject to § 1.664(g)(1), a report of such self-assessment to FDA within 60 days of the third-party certification body's withdrawal. A recognized accreditation body may use a report prepared for conformance to ISO/IEC 17011:2004, supplemented as necessary, in meeting the requirements this section.

(c) Immediate notification to FDA. A recognized accreditation body must notify FDA electronically, in English, immediately upon:

(1) Granting (including expanding the scope of) accreditation to a third-party certification body under this subpart, and include:

(i) The name, address, telephone number, and email address of the accredited third-party certification body;

(ii) The name of one or more officers of the accredited third-party certification body;

(iii) A list of the accredited third-party certification body's audit agents; and

(iv) The scope of accreditation, the date on which it was granted, and its expiration date.

(2) Withdrawing, suspending, or reducing the scope of an accreditation under this subpart, and include:

(i) The basis for such action; and

(ii) Any additional changes to accreditation information previously submitted to FDA under paragraph (c)(1) of this section.

(3) Determining that a third-party certification body it accredited failed to comply with § 1.653 in issuing a food or facility certification under this subpart, and include:

(i) The basis for such determination; and

(ii) Any changes to accreditation information previously submitted to FDA under paragraph (c)(1) of this section.

(d) Other notification to FDA. A recognized accreditation body must notify FDA electronically, in English, within 30 days after:

(1) Denying accreditation (in whole or in part) under this subpart and include:

(i) The name, address, telephone number, and email address of the third-party certification body;

(ii) The name of one or more officers of the third-party certification body;

(iii) The scope of accreditation requested; and

(iv) The scope and basis for such denial.

(2) Making any significant change that would affect the manner in which it complies with the applicable requirements of this subpart and include:

(i) A description of the change; and

(ii) An explanation for the purpose of the change.

How must a recognized accreditation body protect against conflicts of interest?

(a) A recognized accreditation body must implement a written program to protect against conflicts of interest between the recognized accreditation body (and its officers, employees, and other agents involved in accreditation activities) and any third-party certification body (and its officers, employees, and other agents involved in auditing and certification activities) seeking accreditation from, or accredited by, such recognized accreditation body, including the following:

(1) Ensuring that the recognized accreditation body (and its officers, employees, or other agents involved in accreditation activities) does not own or have a financial interest in, manage, or otherwise control the third-party certification body (or any affiliate, parent, or subsidiary); and

(2) Prohibiting officers, employees, or other agents involved in accreditation activities of the recognized accreditation body from accepting any money, gift, gratuity, or item of value from the third-party certification body.

(3) The items specified in paragraph (a)(2) of this section do not include:

(i) Money representing payment of fees for accreditation services and reimbursement of direct costs associated with an onsite assessment of the third-party certification body; or

(ii) Lunch of de minimis value provided during the course of an assessment and on the premises where the assessment is conducted, if necessary to facilitate the efficient conduct of the assessment.

(b) A recognized accreditation body may accept the payment of fees for accreditation services and the reimbursement of direct costs associated with assessment of a certification body only after the date on which the report of such assessment was completed or the date of which the accreditation was issued, whichever comes later. Such payment is not considered a conflict of interest for purposes of paragraph (a) of this section.

(c) The financial interests of the spouses and children younger than 18 years of age of a recognized accreditation body's officers, employees, and other agents involved in accreditation activities will be considered the financial interests of such officers, employees, and other agents involved in accreditation activities.

(d) A recognized accreditation body must maintain on its Web site an up-to-date list of the third-party certification bodies it accredited under this subpart and must identify the duration and scope of each accreditation and the date(s) on which the accredited third-party certification body paid any fee or reimbursement associated with such accreditation. If the accreditation of a certification body is suspended, withdrawn, or reduced in scope, this list must also include the date of suspension, withdrawal, or reduction in scope and maintain that information for the duration of accreditation or until the suspension is lifted, the certification body is reaccredited, or the scope of accreditation is reinstated, whichever comes first.

What records requirements must an accreditation body that has been recognized meet?

(a) An accreditation body that has been recognized must maintain electronically for 5 years records created while it is recognized (including documents and data) demonstrating its compliance with this subpart, including records relating to:

(1) Applications for accreditation and renewal of accreditation under § 1.660;

(2) Decisions to grant, deny, suspend, withdraw, or expand or reduce the scope of an accreditation;

(3) Challenges to adverse accreditation decisions under § 1.620(c);

(4) Its monitoring of accredited third-party certification bodies under § 1.621;

(5) Self-assessments and corrective actions under § 1.622;

(6) Regulatory audit reports, including any supporting information, that an accredited third-party certification body may have submitted;

(7) Any reports or notifications to FDA under § 1.623, including any supporting information; and

(8) Records of fee payments and reimbursement of direct costs.

(b) An accreditation body that has been recognized must make records required by paragraph (a) of this section available for inspection and copying promptly upon written request of an authorized FDA officer or employee at the place of business of the accreditation body or at a reasonably accessible location. If the records required by paragraph (a) of this section are requested by FDA electronically, the records must be submitted to FDA electronically not later than 10 business days after the date of the request. Additionally, if the requested records are maintained in a language other than Start Printed Page 74656English, the accreditation body must electronically submit an English translation within a reasonable time.

(c) An accreditation body that has been recognized must not prevent or interfere with FDA's access to its accredited third-party certification bodies and the accredited third-party certification body records required by § 1.658.

Procedures for Recognition of Accreditation Bodies Under This Subpart

How do I apply to FDA for recognition or renewal of recognition?

(a) Applicant for recognition. An accreditation body seeking recognition must submit an application demonstrating that it meets the eligibility requirements in § 1.610.

(b) Applicant for renewal of recognition. An accreditation body seeking renewal of its accreditation must submit a renewal application demonstrating that it continues to meet the requirements of this subpart.

(c) Submission. Recognition and renewal applications and any documents provided as part of the application process must be submitted electronically, in English. An applicant must provide any translation and interpretation services needed by FDA during the processing of the application, including during onsite assessments of the applicant by FDA.

(d) Signature. Recognition and renewal applications must be signed in the manner designated by FDA, by an individual authorized to act on behalf of the applicant for purposes of seeking recognition or renewal of recognition.

How will FDA review my application for recognition or renewal of recognition and what happens once FDA decides on my application?

(a) Review of recognition or renewal application. FDA will examine an accreditation body's recognition or renewal application for completeness and notify the applicant of any deficiencies. FDA will review an accreditation body's recognition or renewal application on a first in, first out basis according to the date on which the completed application was submitted; however, FDA may prioritize the review of specific applications to meet the needs of the program.

(b) Evaluation of recognition or renewal. FDA will evaluate any completed recognition or renewal application to determine whether the applicant meets the applicable requirements of this subpart. Such evaluation may include an onsite assessment of the accreditation body. FDA will notify the applicant, in writing, regarding whether the application has been approved or denied. FDA may make such notification electronically. If FDA does not reach a final decision on a renewal application before an accreditation body's recognition terminates by expiration, FDA may extend such recognition for a specified period of time or until the Agency reaches a final decision on the renewal application.

(c) Issuance of recognition. FDA will notify an applicant that its recognition or renewal application has been approved through issuance of recognition that will list any limitations associated with the recognition.

(d) Issuance of denial of recognition or renewal application. FDA will notify an applicant that its recognition or renewal application has been denied through issuance of a denial of recognition or denial of a renewal application that will state the basis for such denial and provide the procedures for requesting reconsideration of the application under § 1.691.

(e) Notice of records custodian after denial of an application for renewal of recognition. An applicant whose renewal application was denied must notify FDA electronically, in English, within 10 business days of the date of issuance of a denial of a renewal application, of the name and contact information of the custodian who will maintain the records required by § 1.625(a) and make them available to FDA as required by § 1.625(b). The contact information for the custodian must include, at a minimum, an email address and the physical address where the records required by § 1.625(a) will be located.

(f) Effect of denial of an application for renewal of recognition of an accreditation body on accredited third-party certification bodies. (1) FDA will issue a notice of the denial of a recognition renewal to any third-party certification bodies accredited by the accreditation body whose renewal application was denied. The third-party certification body's accreditation will remain in effect so long as the third-party certification body:

(i) No later than 60 days after FDA's issuance of the notice of the denial of recognition renewal, conducts a self-assessment under § 1.655 and reports the results of the self-assessment to FDA under § 1.656(b); and

(ii) No later than 1 year after issuance of the notice of denial of recognition renewal or the original date of the expiration of the accreditation, whichever comes first, becomes accredited by another recognized accreditation body or by FDA through direct accreditation.

(2) FDA may withdraw the accreditation of a third-party certification body whenever FDA determines there is good cause for withdrawal of accreditation under § 1.664(c).

(g) Effect of denial of an application for renewal of recognition of an accreditation body on food or facility certifications issued to eligible entities. A food or facility certification issued by a third-party certification body accredited by a recognized accreditation body prior to issuance of a denial of the renewal application will remain in effect until the certification expires. If FDA has reason to believe that a certification issued for purposes of section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered or in determining the importer's eligibility for participation in the voluntary qualified importer program (VQIP).

(h) Public notice of denial of an application for renewal of recognition of an accreditation body. FDA will provide notice on the Web site described in § 1.690 of the date of issuance of a denial of a renewal application and will describe the basis for the denial.

What is the duration of recognition?

FDA may grant recognition of an accreditation body for a period not to exceed 5 years from the date of recognition.

How will FDA monitor recognized accreditation bodies?

(a) FDA will evaluate the performance of each recognized accreditation body to determine its compliance with the applicable requirements of this subpart. Such assessment must occur by at least 4 years after the date of recognition for a 5-year recognition period, or by no later than the mid-term point for a recognition period of less than 5 years. FDA may conduct additional assessments of a recognized accreditation body at any time.

(b) An FDA assessment of a recognized accreditation body may include onsite assessments of a representative sample of third-party certification bodies the recognized accreditation body accredited and onsite audits of a representative sample of eligible entities certified by such third-party certification bodies under this subpart. These may be conducted at any time and, as FDA determines necessary Start Printed Page 74657or appropriate, may occur without the recognized accreditation body or, in the case of an audit of an eligible entity, the accredited third-party certification body present.

When will FDA revoke recognition?

(a) Grounds for revocation of recognition. FDA will revoke the recognition of an accreditation body found not to be in compliance with the requirements of this subpart, including for any one or more of the following:

(1) Refusal by the accreditation body to allow FDA to access records required by § 1.625, or to conduct an assessment or investigation of the accreditation body or of a third-party certification body it accredited to ensure the accreditation body's continued compliance with the requirements of this subpart.

(2) Failure to take timely and necessary corrective action when:

(i) The accreditation of a third-party certification body it accredited is withdrawn by FDA under § 1.664(a);

(ii) A significant deficiency is identified through self-assessment under § 1.622, monitoring under § 1.621, or self-assessment by one or more of its accredited third-party certification bodies under § 1.655; or

(iii) Directed to do so by FDA to ensure compliance with this subpart.

(3) A determination by FDA that the accreditation body has committed fraud or has submitted material false statements to the Agency.

(4) A determination by FDA that there is otherwise good cause for revocation, including:

(i) Demonstrated bias or lack of objectivity when conducting activities under this subpart; or

(ii) Failure to adequately support one or more decisions to grant accreditation under this subpart.

(b) Records request associated with revocation. To assist in determining whether revocation is warranted under paragraph (a) of this section, FDA may request records of the accreditation body required by § 1.625 or the records, required by § 1.658, of one or more of the third-party certification bodies it accredited under this subpart.

(c) Issuance of revocation of recognition. (1) FDA will notify an accreditation body that its recognition has been revoked through issuance of a revocation that will state the grounds for revocation, the procedures for requesting a regulatory hearing under § 1.693 on the revocation, and the procedures for requesting reinstatement of recognition under § 1.636.

(2) Within 10 business days of the date of issuance of the revocation, the accreditation body must notify FDA electronically, in English, of the name of the custodian who will maintain the records and make them available to FDA as required by § 1.625. The contact information for the custodian must provide, at a minimum, an email address and the physical address where the records will be located.

(d) Effect of revocation of recognition of an accreditation body on accredited third-party certification bodies. (1) FDA will issue a notice of the revocation of recognition to any accredited third-party certification body accredited by the accreditation body whose recognition was revoked. The third-party certification body's accreditation will remain in effect if the third-party certification body:

(i) No later than 60 days after FDA's issuance of the notice of revocation, conducts a self-assessment under § 1.655 and reports the results of the self-assessment to FDA under § 1.656(b); and

(ii) No later than 1 year after issuance of the notice of the revocation, or the original date of expiration of the accreditation, whichever comes first, becomes accredited by another recognized accreditation body or by FDA through direct accreditation.

(2) FDA may withdraw the accreditation of a third-party certification body whenever FDA determines there is good cause for withdrawal of accreditation under § 1.664(c).

(e) Effect of revocation of recognition of an accreditation body on food or facility certifications issued to eligible entities. A food or facility certification issued by a third-party certification body accredited by a recognized accreditation body prior to issuance of the revocation of recognition will remain in effect until the certificate terminates by expiration. If FDA has reason to believe that a certification issued for purposes of section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered or in determining the importer's eligibility for participation in VQIP.

(f) Public notice of revocation of recognition. FDA will provide notice on the Web site described in § 1.690 of the issuance of the revocation of recognition of an accreditation body and will describe the basis for revocation.

What if I want to voluntarily relinquish recognition or do not want to renew recognition?

(a) Notice to FDA of intent to relinquish or not to renew recognition. A recognized accreditation body must notify FDA electronically, in English, at least 60 days before voluntarily relinquishing recognition or before allowing recognition to expire without seeking renewal. The recognized accreditation body must provide the name and contact information of the custodian who will maintain the records required under § 1.625(a) after the date of relinquishment or the date recognition expires, as applicable, and make them available to FDA as required by § 1.625(b). The contact information for the custodian must include, at a minimum, an email address and the physical address where the records required by § 1.625(a) will be located.

(b) Notice to accredited third-party certification bodies of intent to relinquish or not to renew recognition. No later than 15 business days after notifying FDA under paragraph (a) of this section, the recognized accreditation body must notify any currently accredited third-party certification body that it intends to relinquish recognition or to allow its recognition to expire, specifying the date on which relinquishment or expiration will occur. The recognized accreditation body must establish and maintain records of such notification under § 1.625.

(c)(1) Effect of voluntary relinquishment or expiration of recognition on third-party certification bodies. The accreditation of a third-party certification body issued prior to the relinquishment or expiration of its accreditation body's recognition will remain in effect, so long as the third-party certification body:

(i) No later than 60 days after the date of relinquishment or the date of expiration of the recognition, conducts a self-assessment under § 1.655 and reports the results of the self-assessment to FDA under § 1.656(b); and

(ii) No later than 1 year after the date of relinquishment or the date of expiration of recognition, or the original date of the expiration of the accreditation, whichever comes first, becomes accredited by another recognized accreditation body or by FDA through direct accreditation.

(2) FDA may withdraw the accreditation of a third-party certification body whenever FDA determines there is good cause for withdrawal of accreditation under § 1.664(c).Start Printed Page 74658

(d) Effect of voluntary relinquishment or expiration of recognition of an accreditation body on food or facility certifications issued to eligible entities. A food or facility certification issued by a third-party certification body accredited by a recognized accreditation body prior to relinquishment or expiration of its recognition will remain in effect until the certification expires. If FDA has reason to believe that a certification issued for purposes of section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may refuse to consider the certification in determining the admissibility of the article of food for which the certification was offered or in determining the importer's eligibility for participation in VQIP.

(e) Public notice of voluntary relinquishment or expiration of recognition. FDA will provide notice on the Web site described in § 1.690 of the voluntary relinquishment or expiration of recognition of an accreditation body under this subpart.

How do I request reinstatement of recognition?

(a) Application following revocation. An accreditation body that has had its recognition revoked may seek reinstatement by submitting a new application for recognition under § 1.630. The accreditation body must submit evidence that the grounds for revocation have been resolved, including evidence addressing the cause or conditions that were the basis for revocation and identifying measures that have been implemented to help ensure that such cause(s) or condition(s) are unlikely to recur.

(b) Application following relinquishment. An accreditation body that previously relinquished its recognition under § 1.635 may seek recognition by submitting a new application for recognition under § 1.630.

Accreditation of Third-Party Certification Bodies Under This Subpart

Who is eligible to seek accreditation?

(a) A foreign government, agency of a foreign government, foreign cooperative, or any other third party may seek accreditation from a recognized accreditation body (or, where direct accreditation is appropriate, FDA) to conduct food safety audits and to issue food and facility certifications to eligible entities under this subpart. An accredited third-party certification body may use documentation of conformance with ISO/IEC 17021: 2011 or ISO/IEC 17065: 2012, supplemented as necessary, in meeting the applicable requirements of this subpart.

(b) A foreign government or an agency of a foreign government is eligible for accreditation if it can demonstrate that its food safety programs, systems, and standards meet the requirements of §§ 1.641 through 1.645.

(c) A foreign cooperative or other third party is eligible for accreditation if it can demonstrate that the training and qualifications of its agents used to conduct audits (or, in the case of a third-party certification body that is an individual, such individual) and its internal systems and standards meet the requirements of §§ 1.641 through 1.645.

What legal authority must a third-party certification body have to qualify for accreditation?

(a) A third-party certification body seeking accreditation from a recognized accreditation body or from FDA must demonstrate that it has the authority (as a governmental entity or as a legal entity with contractual rights) to perform such examinations of facilities, their process(es), and food(s) as are necessary to determine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and conformance with applicable industry standards and practices and to issue certifications where appropriate based on a review of the findings of such examinations. This includes authority to:

(1) Review any relevant records;

(2) Conduct onsite audits of an eligible entity; and

(3) Suspend or withdraw certification for failure to comply with applicable requirements.

(b) A third-party certification body seeking accreditation must demonstrate that it is capable of exerting the authority (as a governmental entity or as legal entity with contractual rights) necessary to meet the applicable requirements of accreditation under this subpart if accredited.

What competency and capacity must a third-party certification body have to qualify for accreditation?

A third-party certification body seeking accreditation must demonstrate that it has:

(a) The resources necessary to fully implement its certification program, including:

(1) Adequate numbers of employees and other agents with relevant knowledge, skills, and experience to effectively examine for compliance with applicable FDA food safety requirements of the FD&C Act and FDA regulations, conformance with applicable industry standards and practices, and issuance of valid and reliable certifications; and

(2) Adequate financial resources for its operations; and

(b) The competency and capacity to meet the applicable requirements of this subpart, if accredited.

What protections against conflicts of interest must a third-party certification body have to qualify for accreditation?

A third-party certification body must demonstrate that it has:

(a) Implemented written measures to protect against conflicts of interest between the third-party certification body (and its officers, employees, and other agents involved in auditing and certification activities) and clients seeking examinations or certification from, or audited or certified by, such third-party certification body; and

(b) The capability to meet the conflict of interest requirements in § 1.657, if accredited.

What quality assurance procedures must a third-party certification body have to qualify for accreditation?

A third-party certification body seeking accreditation must demonstrate that it has:

(a) Implemented a written program for monitoring and evaluating the performance of its officers, employees, and other agents involved in auditing and certification activities, including procedures to:

(1) Identify deficiencies in its auditing and certification program or performance; and

(2) Quickly execute corrective actions that effectively address any identified deficiencies; and

(b) The capability to meet the quality assurance requirements of § 1.655, if accredited.

What records procedures must a third-party certification body have to qualify for accreditation?

A third-party certification body seeking accreditation must demonstrate that it:

(a) Implemented written procedures to establish, control, and retain records (including documents and data) for a period of time necessary to meet its contractual and legal obligations and to provide an adequate basis for evaluating its program and performance; and

(b) Is capable of meeting the reporting, notification, and records requirements of this subpart, if accredited.Start Printed Page 74659

Requirements for Third-Party Certification Bodies That Have Been Accredited Under This Subpart

How must an accredited third-party certification body ensure its audit agents are competent and objective?

(a) An accredited third-party certification body that uses audit agents to conduct food safety audits must ensure that each such audit agent meets the following requirements with respect to the scope of its accreditation under this subpart. If the accredited third-party certification body is an individual, that individual is also subject to the following requirements, as applicable:

(1) Has relevant knowledge and experience that provides an adequate basis for the audit agent to evaluate compliance with applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also includes conformance with applicable industry standards and practices;

(2) Has been determined by the accredited third-party certification body, through observations of a representative sample of audits, to be competent to conduct food safety audits under this subpart relevant to the audits they will be assigned to perform;

(3) Has completed annual food safety training that is relevant to activities conducted under this subpart;

(4) Is in compliance with the conflict of interest requirements of § 1.657 and has no other conflicts of interest with the eligible entity to be audited that might impair the audit agent's objectivity; and

(5) Agrees to notify its accredited third-party certification body immediately upon discovering, during a food safety audit, any condition that could cause or contribute to a serious risk to the public health.

(b) In assigning an audit agent to conduct a food safety audit at a particular eligible entity, an accredited third-party certification body must determine that the audit agent is qualified to conduct such audit under the criteria established in paragraph (a) of this section and based on the scope and purpose of the audit and the type of facility, its process(es), and food.

(c) An accredited third-party certification body cannot use an audit agent to conduct a regulatory audit at an eligible entity if such audit agent conducted a consultative audit or regulatory audit for the same eligible entity in the preceding 13 months, except that such limitation may be waived if the accredited third-party certification body demonstrates to FDA, under § 1.663, there is insufficient access to audit agents in the country or region where the eligible entity is located. If the accredited third-party certification body is an individual, that individual is also subject to such limitations.

How must an accredited third-party certification body conduct a food safety audit of an eligible entity?

(a) Audit planning. Before beginning to conduct a food safety audit under this subpart, an accredited third-party certification body must:

(1) Require the eligible entity seeking a food safety audit to:

(i) Identify the scope and purpose of the food safety audit, including the facility, process(es), or food to be audited; whether the food safety audit is to be conducted as a consultative or regulatory audit subject to the requirements of this subpart, and if a regulatory audit, the type(s) of certification(s) sought; and

(ii) Provide a 30-day operating schedule for such facility that includes information relevant to the scope and purpose of the audit; and

(2) Determine whether the requested audit is within its scope of accreditation.

(b) Authority to audit. In arranging a food safety audit with an eligible entity under this subpart, an accredited third-party certification body must ensure it has authority, whether contractual or otherwise, to:

(1) Conduct an unannounced audit to determine whether the facility, process(es), and food of the eligible entity (within the scope of the audit) comply with the applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also includes conformance with applicable industry standards and practices;

(2) Access any records and any area of the facility, process(es), and food of the eligible entity relevant to the scope and purpose of such audit;

(3) When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with:

(i) ISO/IEC 17025:2005; or

(ii) Another laboratory accreditation standard that provides at least a similar level of assurance in the validity and reliability of sampling methodologies, analytical methodologies, and analytical results.

(4) Notify FDA immediately if, at any time during a food safety audit, the accredited third-party certification body (or its audit agent, where applicable) discovers a condition that could cause or contribute to a serious risk to the public health and provide information required by § 1.656(c);

(5) Prepare reports of audits conducted under this subpart as follows:

(i) For consultative audits, prepare reports that contain the elements specified in § 1.652(a) and maintain such records, subject to FDA access in accordance with section 414 of the FD&C Act; and

(ii) For regulatory audits, prepare reports that contain the elements specified in § 1.652(b) and submit them to FDA and to its recognized accreditation body (where applicable) under § 1.656(a); and

(6) Allow FDA and the recognized accreditation body that accredited such third-party certification body, if any, to observe any food safety audit conducted under this subpart for purposes of evaluating the accredited third-party certification body's performance under §§ 1.621 and 1.662 or, where appropriate, the recognized accreditation body's performance under §§ 1.622 and 1.633.

(c) Audit protocols. An accredited third-party certification body (or its audit agent, where applicable) must conduct a food safety audit in a manner consistent with the identified scope and purpose of the audit and within the scope of its accreditation.

(1) With the exception of records review, which may be scheduled, the audit must be conducted without announcement during the 30-day timeframe identified under paragraph (a)(1)(ii) of this section and must be focused on determining whether the facility, its process(es), and food are in compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices that are within the scope of the audit.

(2) The audit must include records review prior to the onsite examination; an onsite examination of the facility, its process(es), and the food that results from such process(es); and where appropriate or when required by FDA, environmental or product sampling and analysis. When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with paragraph (b)(3) of this section. The audit may include any other activities necessary to determine compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with Start Printed Page 74660applicable industry standards and practices.

(3) The audit must be sufficiently rigorous to allow the accredited third-party certification body to determine whether the eligible entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and for consultative audits, also includes conformance with applicable industry standards and practices, at the time of the audit; and for a regulatory audit, whether the eligible entity, given its food safety system and practices would be likely to remain in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations for the duration of any certification issued under this subpart. An accredited third-party certification body (or its audit agent, where applicable) that identifies a deficiency requiring corrective action may verify the effectiveness of a corrective action once implemented by the eligible entity but must not recommend or provide input to the eligible entity in identifying, selecting, or implementing the corrective action.

(4) Audit observations and other data and information from the examination, including information on corrective actions, must be documented and must be used to support the findings contained in the audit report required by § 1.652 and maintained as a record under § 1.658.

What must an accredited third-party certification body include in food safety audit reports?

(a) Consultative audits. An accredited third-party certification body must prepare a report of a consultative audit not later than 45 days after completing such audit and must provide a copy of such report to the eligible entity and must maintain such report under § 1.658, subject to FDA access in accordance with the requirements of section 414 of the FD&C Act. A consultative audit report must include:

(1) The identity of the site or location where the consultative audit was conducted, including:

(i) The name, address and the FDA Establishment Identifier of the facility subject to the consultative audit and a unique facility identifier, if designated by FDA; and

(ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part;

(2) The identity of the eligible entity, if different from the facility, including the name, address, the FDA Establishment Identifier and unique facility identifier, if designated by FDA, and, where applicable, registration number under subpart H of this part;

(3) The name(s) and telephone number(s) of the person(s) responsible for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations

(4) The dates and scope of the consultative audit;

(5) The process(es) and food(s) observed during such consultative audit; and

(6) Any deficiencies observed that relate to or may influence a determination of compliance with the applicable food safety requirements of the FD&C Act and FDA regulations that require corrective action, the corrective action plan, and the date on which such corrective actions were completed. Such consultative audit report must be maintained as a record under § 1.658 and must be made available to FDA in accordance with section 414 of the FD&C Act.

(b) Regulatory audits. An accredited third-party certification body must, no later than 45 days after completing a regulatory audit, prepare and submit electronically, in English, to FDA and to its recognized accreditation body (or, in the case of direct accreditation, only to FDA) and must provide to the eligible entity a report of such regulatory audit that includes the following information:

(1) The identity of the site or location where the regulatory audit was conducted, including:

(i) The name, address, and FDA Establishment Identifier of the facility subject to the regulatory audit and a unique facility identifier, if designated by FDA; and

(ii) Where