
[Federal Register Volume 80, Number 228 (Friday, November 27, 2015)]
[Rules and Regulations]
[Pages 74569-74667]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-28160]



[[Page 74569]]

Vol. 80

Friday,

No. 228

November 27, 2015

Part IV





Department of Health and Human Services





-----------------------------------------------------------------------





 Food and Drug Administration





-----------------------------------------------------------------------





21 CFR Parts 1, 11, and 16





 Accreditation of Third-Party Certification Bodies To Conduct Food 
Safety Audits and To Issue Certifications; Final Rule

  Federal Register / Vol. 80 , No. 228 / Friday, November 27, 2015 / 
Rules and Regulations  

[[Page 74570]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Parts 1, 11, and 16

[Docket No. FDA-2011-N-0146]
RIN 0910-AG66


Accreditation of Third-Party Certification Bodies To Conduct Food 
Safety Audits and To Issue Certifications

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or we) is adopting 
regulations to provide for accreditation of third-party certification 
bodies to conduct food safety audits of foreign food entities, 
including registered foreign food facilities, and to issue food and 
facility certifications, under the FDA Food Safety Modernization Act 
(FSMA). These certifications will be required for participation in the 
voluntary qualified importer program (VQIP) established under the 
Federal Food, Drug, and Cosmetic Act (FD&C Act). In addition, when the 
Agency has determined that an imported food is subject to certification 
under FSMA, the Agency may require a certification under this rule as a 
condition for admitting the food into the United States. FDA also 
expects that these regulations will increase efficiency by reducing the 
number of redundant food safety audits.

DATES: This rule is effective January 26, 2016.

FOR FURTHER INFORMATION CONTACT: Charlotte A. Christin, Office of Foods 
and Veterinary Medicine, Food and Drug Administration, 10903 New 
Hampshire Ave., Silver Spring, MD 20993, 301-796-7526.

SUPPLEMENTARY INFORMATION: 

Table of Contents

Executive Summary
I. Introduction and Background
    A. FDA Food Safety Modernization Act
    B. Purpose of This Rulemaking
    C. The Proposed Rule
    D. Public Comments
II. Legal Authority
III. Comments on What Definitions Apply to This Subpart (Sec.  
1.600)
    A. Definitions, Generally
    B. Assessment
    C. Audit
    D. Audit Agent
    E. Consultative Audit
    F. Eligible Entity
    G. Facility
    H. Facility Certification and Food Certification
    I. Food
    J. Food Safety Audit
    K. Foreign Cooperative
    L. Regulatory Audit
    M. Self-Assessment
    N. Third-Party Auditor
IV. Comments on Who Is Subject to This Subpart (Sec.  1.601)
    A. Limiting the Scope of the Rule to Regulatory Audits and 
Certifications
    B. Exemption for Alcoholic Beverages
    C. USDA Regulated Products
V. Comments on Recognition of Accreditation Bodies Under This 
Subpart
    A. Who is eligible to seek recognition? (Sec.  1.610)
    B. What legal authority must an accreditation body have to 
qualify for recognition? (Sec.  1.611)
    C. What competency and capacity must an accreditation body have 
to qualify for recognition? (Sec.  1.612)
    D. What protections against conflicts of interest must an 
accreditation body have to qualify for recognition? (Sec.  1.613)
    E. What quality assurance procedures must an accreditation body 
have to qualify for recognition? (Sec.  1.614)
    F. What records procedures must an accreditation body have to 
qualify for recognition? (Sec.  1.615)
VI. Comments on Requirements for Accreditation Bodies That Have Been 
Recognized Under This Subpart
    A. How must a recognized accreditation body evaluate third-party 
certification bodies seeking accreditation? (Sec.  1.620)
    B. How must a recognized accreditation body monitor the 
performance of third-party certification bodies it accredited? 
(Sec.  1.621)
    C. How must a recognized accreditation body monitor its own 
performance? (Sec.  1.622)
    D. What reports and notifications must a recognized 
accreditation body submit to FDA? (Sec.  1.623)
    E. How must a recognized accreditation body protect against 
conflicts of interest? (Sec.  1.624)
    F. What records requirements must an accreditation body that has 
been recognized meet? (Sec.  1.625)
VII. Comments on Procedures for Recognition of Accreditation Bodies 
Under This Subpart
    A. How do I apply to FDA for recognition or renewal of 
recognition? (Sec.  1.630)
    B. How will FDA review my application for recognition or for 
renewal of recognition and what happens once FDA decides on my 
application? (Sec.  1.631)
    C. What is the duration of recognition? (Sec.  1.632)
    D. How will FDA monitor recognized accreditation bodies? (Sec.  
1.633)
    E. When will FDA revoke recognition? (Sec.  1.634)
    F. What if I want to voluntarily relinquish recognition or do 
not want to renew recognition? (Sec.  1.635)
    G. How do I request reinstatement of recognition? (Sec.  1.636)
VIII. Comments on Accreditation of Third-Party Certification Bodies 
Under This Subpart
    A. Who is eligible to seek accreditation? (Sec.  1.640)
    B. What legal authority must a third-party certification body 
have to qualify for accreditation? (Sec.  1.641)
    C. What competency and capacity must a third-party certification 
body have to qualify for accreditation? (Sec.  1.642)
    D. What protections against conflicts of interest must a third-
party certification body have to qualify for accreditation? (Sec.  
1.643)
    E. What quality assurance procedures must a third-party 
certification body have to qualify for accreditation? (Sec.  1.644)
    F. What records procedures must a third-party certification body 
have to qualify for accreditation? (Sec.  1.645)
IX. Comments on Requirements for Third-Party Certification Bodies 
That Have Been Accredited Under This Subpart
    A. How must an accredited third-party certification body ensure 
its audit agents are competent and objective? (Sec.  1.650)
    B. How must an accredited third-party certification body conduct 
a food safety audit of an eligible entity? (Sec.  1.651)
    C. What must an accredited third-party certification body 
include in food safety audit reports? (Sec.  1.652)
    D. What must an accredited third-party certification body do 
when issuing food or facility certifications? (Sec.  1.653)
    E. When must an accredited third-party certification body 
monitor an eligible entity that it has issued a food or facility 
certification? (Sec.  1.654)
    F. How must an accredited third-party certification body monitor 
its own performance? (Sec.  1.655)
    G. What reports and notifications must an accredited third-party 
certification body submit? (Sec.  1.656)
    H. How must an accredited third-party certification body protect 
against conflicts of interest? (Sec.  1.657)
    I. What records requirements must a third-party certification 
body that has been accredited meet? (Sec.  1.658)
X. Comments on Procedures for Accreditation of Third-Party 
Certification Bodies Under This Subpart
    A. Where do I apply for accreditation or renewal of 
accreditation by a recognized accreditation body and what happens 
once the recognized accreditation body decides on my application? 
(Sec.  1.660)
    B. What is the duration of accreditation by a recognized 
accreditation body? (Sec.  1.661)
    C. How will FDA monitor accredited third-party certification 
bodies? (Sec.  1.662)
    D. How do I request an FDA waiver or waiver extension for the 
13-month limit for audit agents conducting regulatory audits? (Sec.  
1.663)
    E. When would FDA withdraw accreditation? (Sec.  1.664)
    F. What if I want to voluntarily relinquish accreditation or do 
not want to renew accreditation? (Sec.  1.665)
    G. How do I request reaccreditation? (Sec.  1.666)

[[Page 74571]]

XI. Comments on Additional Procedures for Direct Accreditation of 
Third-Party Certification Bodies Under This Subpart
    A. How do I apply to FDA for direct accreditation or renewal of 
direct accreditation? (Sec.  1.670)
    B. How will FDA review my application for direct accreditation 
or renewal of direct accreditation and what happens once FDA decides 
on my application? (Sec.  1.671)
    C. What is the duration of direct accreditation? (Sec.  1.672)
XII. Comments on Requirements for Eligible Entities Under This 
Subpart
    A. How and when will FDA monitor eligible entities? (Sec.  
1.680)
    B. How frequently must eligible entities be recertified? (Sec.  
1.681)
XIII. Comments on General Requirements of This Subpart
    A. How will FDA make information about recognized accreditation 
bodies and accredited third-party certification bodies available to 
the public? (Sec.  1.690)
    B. How do I request reconsideration of a denial by FDA of an 
application or a waiver request? (Sec.  1.691)
    C. How do I request internal agency review of a denial of an 
application or waiver request upon reconsideration? (Sec.  1.692)
    D. How do I request a regulatory hearing on a revocation of 
recognition or withdrawal of accreditation? (Sec.  1.693)
    E. Are electronic records created under this subpart subject to 
the electronic records requirements of part 11? (Sec.  1.694)
    F. Are the records obtained by FDA under this subpart subject to 
public disclosure? (Sec.  1.695)
    G. May importers use reports of regulatory audits by accredited 
certification bodies for purposes of subpart L of this part? (Sec.  
1.698)
XIV. Editorial and Conforming Changes
XV. Executive Order 13175
XVI. Analysis of Economic Impact
XVII. Paperwork Reduction Act of 1995
XVIII. Analysis of Environmental Impact
XIX. Federalism
XX. References

Executive Summary

Purpose and Coverage of the Final Rule

    This rule is part of FDA's implementation of FSMA, which intends to 
better protect public health by, among other things, adopting a modern, 
preventive, and risk-based approach to food safety regulation. In this 
document, we establish a program for accreditation of third-party 
certification bodies \1\ to conduct food safety audits and issue 
certifications of foreign food facilities and foods for humans and 
animals for purposes of sections 801(q) and 806 of the FD&C Act. We are 
also codifying certain limited exemptions to mandatory import 
certification under 801(q) of the FD&C Act (21 U.S.C. 381).
---------------------------------------------------------------------------

    \1\ As explained more fully in Response 1, in response to 
comments and for clarity, this final rule uses the term ``third-
party certification body'' rather than either the term ``third-party 
auditor'' or the term, ``third party auditor/certification body'' 
(except that we will use the term ``third-party auditor'' in the 
definitions of ``accredited third-party certification body'' and 
``third-party certification body'' in 21 CFR 1.600(c) and in the 
preamble discussion of those definitions in section III.A).
---------------------------------------------------------------------------

    FSMA added section 808 to the FD&C Act (21 U.S.C. 384d), which 
directs FDA to establish a new program for accreditation of third-party 
certification bodies to conduct food safety audits and to certify that 
eligible foreign entities (including registered foreign food 
facilities) and food produced by such entities meet applicable FDA 
requirements for purposes of sections 801(q) and 806 of the FD&C Act. 
This rulemaking implements section 808 of the FD&C Act; we will 
recognize accreditation bodies to accredit third-party certification 
bodies, except for limited circumstances in which we may directly 
accredit third-party certification bodies.
    FSMA specifies two uses for the food and facility certifications 
issued by accredited third-party certification bodies under this 
program. First, facility certifications will be used by importers to 
establish eligibility for VQIP under section 806 of the FD&C Act (21 
U.S.C. 384b(a)). VQIP offers participating importers expedited review 
and entry of food that is part of VQIP. One condition of participation 
is importation of food from facilities audited and certified by third-
party certification bodies accredited under this subpart. FDA issued 
draft guidance on VQIP on June 5, 2015 (80 FR 32136); the draft 
guidance may be accessed at http://www.fda.gov/downloads/Food/GuidanceRegulation/GuidanceDocumentsRegulatoryInformation/UCM448558.pdf.
    Second, section 801(q) of the FD&C Act gives FDA the authority to 
make a risk-based determination to require, as a condition of 
admissibility, that a food imported or offered for import into the 
United States be accompanied by a certification or other assurance that 
the food meets the applicable requirements of the FD&C Act. The 
authority to mandate import certification for food, based on risk, is 
one of the tools we can use to help prevent potentially harmful food 
from reaching U.S. consumers. When FDA has determined that a food 
import is subject to such certification under section 801(q) of the 
FD&C Act, FDA will require, as a condition of entry, a certification 
issued either by an accredited third-party certification body under 
this rule or by an agency or representative of the government of the 
country from which the food at issue originated, as designated by FDA.
    In addition, facilities and importers may choose to use onsite 
audits conducted by third-party certification bodies accredited under 
the program set out in this rule in connection with meeting supplier 
verification requirements under FDA's final rules for Current Good 
Manufacturing Practice and Hazard Analysis and Risk-Based Preventive 
Controls for Human Food (final human preventive controls regulation) 
(80 FR55907, September 17, 2015); Current Good Manufacturing Practice 
and Hazard Analysis and Risk-Based Preventive Controls for Food for 
Animals (final animal preventive controls regulation) (80 FR 56169, 
September 17, 2015); and the Foreign Supplier Verification Programs 
(FSVP) for Importers of Food for Humans and Animals (published 
elsewhere in this edition of the Federal Register) (implementing 
sections 418 and 805 of the FD&C Act, respectively). Under those rules, 
in circumstances where an onsite audit is the appropriate supplier 
verification activity, such audit must be conducted by a ``qualified 
auditor.'' The definitions of ``qualified auditor'' in those rules make 
clear that an example of a potential qualified auditor includes, but is 
not limited to, an audit agent of a certification body that has been 
accredited in accordance with regulations in part 1, subpart M of this 
chapter (i.e., this rule implementing section 808 of the FD&C Act).

Summary of Major Provisions of the Final Rule

    This rule establishes the framework, procedures, and requirements 
for accreditation bodies and third-party certification bodies for 
purposes of section 808 of the FD&C Act. The rule sets requirements for 
the legal authority, competency, capacity, conflict of interest 
safeguards, quality assurance, and records procedures that 
accreditation bodies must demonstrate to be eligible for recognition. 
Accreditation bodies also must demonstrate capability to meet the FDA 
requirements that would apply upon recognition. Additionally, the rule 
establishes requirements for the legal authority, competency, capacity, 
conflict of interest safeguards, quality assurance, and records 
procedures that third-party certification bodies must demonstrate to be 
eligible for accreditation. Third-party certification bodies also must 
demonstrate capability to meet the applicable requirements of the rule 
that would apply upon accreditation.
    Pursuant to FSMA section 307 (21 U.S.C. 384d), the rule requires 
accredited third-party certification

[[Page 74572]]

bodies to perform unannounced facility audits, to notify FDA upon 
discovering a condition that could cause or contribute to a serious 
risk to the public health, and to submit to FDA reports of regulatory 
audits conducted for certification purposes. The rule includes 
stringent requirements to prevent conflicts of interest from 
influencing the decisions of recognized accreditation bodies and 
accredited third-party certification bodies. The rule does not, 
however, establish the audit criteria that accredited third-party 
certification bodies will use in examining eligible entities for 
compliance with the applicable food safety requirements of the FD&C Act 
and FDA regulations, because those criteria appear elsewhere in FDA 
regulations and the FD&C Act.

Costs and Benefits

    Costs of the Third-Party final rule include compliance costs of 
accreditation bodies and certification bodies that choose to 
participate in our third-party program, and user fees imposed by FDA on 
accreditation bodies and certification bodies for application review 
and monitoring of program participants.

  Table 1--Summary User Fee, Compliance, Undiscounted and Annualized Costs of the Third-Party (TP) Program per
                                                   Participant
----------------------------------------------------------------------------------------------------------------
                                                                    Audited by
                                                     ----------------------------------------
                                                         Certification
                   Eligible entity                       bodies (CBs)                                Total
                                                           currently      CBs not accredited
                                                       accredited under    under any program
                                                        other programs
----------------------------------------------------------------------------------------------------------------
                                                   SCENARIO 1
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities...................                  10                  65                  75
Cost of Compliance with Program Requirements (TP                    $694              $2,569  ..................
 Compliance Cost)...................................
Section 801(q) Compliance Cost......................              $6,940            $166,985            $173,925
Number of section 806 Entities......................                 145                 971               1,116
TP Compliance Cost..................................                $694              $2,569  ..................
Section 806 Compliance Cost.........................            $100,630          $2,494,499          $2,595,129
                                                     -----------------------------------------------------------
    Total TP Compliance Cost--Scenario 1............  ..................  ..................          $2,769,054
----------------------------------------------------------------------------------------------------------------
                                                   SCENARIO 2
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities...................                  10                  65                  75
TP Compliance Cost..................................                $322              $2,197  ..................
Section 801(q) Compliance Cost......................              $3,220            $142,805            $146,025
Number of Sec.   806 Entities.......................                 459               3,068               3,527
TP Compliance Cost..................................                $322              $2,197  ..................
Section 806 Compliance Cost.........................            $147,798          $6,740,396          $6,888,194
                                                     -----------------------------------------------------------
    Total TP Compliance Cost--Scenario 2............  ..................  ..................          $7,034,219
----------------------------------------------------------------------------------------------------------------
                                                   SCENARIO 3
----------------------------------------------------------------------------------------------------------------
Number of section 801(q) Entities...................                  10                  65                  75
TP Compliance Cost..................................                $227              $2,102  ..................
Section 801(q) Compliance Cost......................              $2,270            $136,630            $138,900
Number of section 806 Entities......................                 801               5,359               6,160
TP Compliance Cost..................................                $227              $2,102  ..................
Section 806 Compliance Cost.........................            $181,827         $11,264,618         $11,446,445
                                                     -----------------------------------------------------------
    Total TP Compliance Cost--Scenario 3............  ..................  ..................         $11,585,345
----------------------------------------------------------------------------------------------------------------

    The costs that accreditation bodies and certification bodies incur 
in complying with the regulation are necessarily less than the private 
benefits they accrue by becoming recognized or accredited, 
respectively. Through the third-party accreditation program more 
effective regulatory oversight is achieved. FDA will recoup resources 
in managing its third-party accreditation program through user fees 
that FDA intends to impose on participating accreditation bodies and 
third-party certification bodies.

I. Introduction and Background

A. FDA Food Safety Modernization Act

    FSMA (Pub. L. 111-353), signed into law by President Obama on 
January 4, 2011, is intended to allow FDA to better protect public 
health by helping to ensure the safety and security of the food supply. 
FSMA enables us to focus more on preventing food safety problems rather 
than relying primarily on reacting to problems after they occur. The 
law also provides new enforcement authorities to help achieve higher 
rates of compliance with risk-based, prevention-oriented safety 
standards and to better respond to and contain problems when they do 
occur. In addition, the law contains important new tools to better 
ensure the safety of imported foods and encourages partnerships with 
State, local, tribal, and territorial authorities and international 
collaborations with foreign regulatory counterparts. A top priority for 
FDA are those FSMA-required regulations that provide the framework for 
industry's implementation of preventive controls and enhance our 
ability to oversee their implementation for both domestic and imported 
food. To that end, we proposed the seven foundational rules listed in 
table 2 and

[[Page 74573]]

requested comments on all aspects of these proposed rules.

                    Table 2--Published Foundational Proposed Rules for Implementation of FSMA
----------------------------------------------------------------------------------------------------------------
                Title                        Abbreviation                          Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice    2013 proposed human      78 FR 3646, January 16, 2013.
 and Hazard Analysis and Risk-Based     preventive controls
 Preventive Controls for Human Food.    regulation.
Standards for the Growing,             2013 proposed produce    78 FR 3504, January 16, 2013.
 Harvesting, Packing, and Holding of    safety regulation.
 Produce for Human Consumption.
Current Good Manufacturing Practice    2013 proposed animal     78 FR 64736, October 29, 2013.
 and Hazard Analysis and Risk-Based     preventive controls
 Preventive Controls for Food for       regulation.
 Animals.
Foreign Supplier Verification          2013 proposed FSVP       78 FR 45730, July 29, 2013.
 Programs (FSVP) for Importers of       regulation.
 Food for Humans and Animals.
Accreditation of Third-Party Auditors/ 2013 proposed third-     78 FR 45782, July 29, 2013.
 Certification Bodies to Conduct Food   party certification
 Safety Audits and to Issue             regulation (also
 Certifications.                        referred to in this
                                        document as the
                                        proposed rule).
Focused Mitigation Strategies To       2013 proposed            78 FR 78014, December 24, 2013.
 Protect Food Against Intentional       intentional
 Adulteration.                          adulteration
                                        regulation.
Sanitary Transportation of Human and   2014 proposed sanitary   79 FR 7006, February 5, 2014.
 Animal Food.                           transportation
                                        regulation.
----------------------------------------------------------------------------------------------------------------

    We also issued a supplemental notice of proposed rulemaking for the 
rules listed in table 3 and requested comments on specific issues 
identified in each supplemental notice of proposed rulemaking.

 Table 3--Published Supplemental Notices of Proposed Rulemaking for the Foundational Rules for Implementation of
                                                      FSMA
----------------------------------------------------------------------------------------------------------------
                Title                        Abbreviation                          Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice    2014 supplemental human  79 FR 58524, September 29, 2014.
 and Hazard Analysis and Risk-Based     preventive controls
 Preventive Controls for Human Food.    notice.
Standards for the Growing,             2014 supplemental        79 FR 58434, September 29, 2014.
 Harvesting, Packing, and Holding of    produce safety notice.
 Produce for Human Consumption.
Current Good Manufacturing Practice    2014 supplemental        79 FR 58476, September 29, 2014.
 and Hazard Analysis and Risk-Based     animal preventive
 Preventive Controls for Food for       controls notice.
 Animals.
FSVP for Importers of Food for Humans  2014 supplemental FSVP   79 FR 58574, September 29, 2014.
 and Animals.                           notice.
----------------------------------------------------------------------------------------------------------------

    We finalized two of the foundational rulemakings listed in table 4 
in September 2015.

                     Table 4--Published Foundational Final Rules for Implementation of FSMA
----------------------------------------------------------------------------------------------------------------
                Title                        Abbreviation                          Publication
----------------------------------------------------------------------------------------------------------------
Current Good Manufacturing Practice    final human preventive   80 FR 55908, September 17, 2015.
 and Hazard Analysis and Risk-Based     controls regulation.
 Preventive Controls for Human Food.
Current Good Manufacturing Practice    final animal preventive  80 FR 56170, September 17, 2015.
 and Hazard Analysis and Risk-Based     controls regulation.
 Preventive Controls for Food for
 Animals.
----------------------------------------------------------------------------------------------------------------

    As FDA finalizes these seven foundational rulemakings, we are 
putting in place a modern, risk-based framework for food safety that is 
based on the most recent science, that focuses efforts where the 
hazards are reasonably likely to occur, and that is flexible and 
practical given our current knowledge of food safety practices. To 
achieve this, FDA has engaged in a significant amount of outreach to 
the stakeholder community to find the right balance between flexibility 
and accountability in these regulations.
    After FSMA was enacted in 2011, we have been involved in 
approximately 600 stakeholder engagements on FSMA and the proposed 
rules, including public meetings, webinars, listening sessions, farm 
tours, and extensive presentations and meetings with various 
stakeholder groups (Refs. 1, 2, 3). As a result of this stakeholder 
dialogue, FDA decided to issue the four supplemental notices of 
proposed rulemaking to share our current thinking on key issues and get 
additional stakeholder input on those issues. As we move forward into 
the next phase of FSMA implementation, we intend to continue this 
dialogue and collaboration with our stakeholders, through guidance, 
education, training, and assistance, to ensure that stakeholders 
understand and engage in their respective roles in food safety. FDA 
believes these seven foundational final rules, when implemented, will 
affect the paradigm shift toward prevention that was envisioned in FSMA 
and be a major step forward for food safety that will help protect 
consumers into the future.

[[Page 74574]]

B. Purpose of This Rulemaking

    FSMA added section 808 to the FD&C Act which directs FDA to 
establish a new voluntary program for accreditation of third-party 
certification bodies to conduct food safety audits and to issue food 
and facility certifications to eligible foreign entities (including 
registered foreign food facilities) that meet our applicable 
requirements for purposes of sections 801(q) and 806 of the FD&C Act. 
This rulemaking implements section 808 of the FD&C Act; we will 
recognize accreditation bodies to accredit third-party certification 
bodies, except for limited circumstances in which we may directly 
accredit third-party certification bodies.
    FSMA specifies two uses for the food and facility certifications 
issued by accredited third-party certification bodies under this 
program. First, facility certifications will be used by importers to 
establish eligibility for VQIP under section 806 of the FD&C Act. VQIP 
offers participating importers expedited review and importation for 
food from facilities audited and certified by third-party certification 
bodies accredited under this subpart. FDA issued draft guidance on VQIP 
on June 5, 2015 (80 FR 32136); the draft guidance may be accessed at 
http://www.fda.gov/downloads/Food/GuidanceRegulation/GuidanceDocumentsRegulatoryInformation/UCM448558.pdf.
    Second, section 801(q) of the FD&C Act gives FDA the authority to 
make a risk-based determination to require, as a condition of 
admissibility, that a food imported or offered for import into the 
United States be accompanied by a certification or other assurance that 
the food meets the applicable requirements of the FD&C Act. The 
authority to mandate import certification for food, based on risk, is 
one of the tools we can use to help prevent potentially harmful food 
from reaching U.S. consumers. When FDA has determined that a food 
import is subject to such certification under section 801(q) of the 
FD&C Act, FDA will require, as a condition of entry, a certification 
issued either by an accredited third-party certification body under 
this rule or by an agency or representative of the government of the 
country from which the food at issue originated, as designated by FDA.
    This final rule will help FDA ensure the competence and 
independence of third-party certification bodies who are accredited to 
conduct foreign food safety audits to examine compliance with the 
applicable food safety requirements of the FD&C Act and FDA 
regulations, among other things. The document also will help ensure the 
validity and reliability of certifications offered to FDA for purposes 
of VQIP eligibility under section 806 of the FD&C Act and admissibility 
of an imported food subject to an FDA risk determination under section 
801(q) of the FD&C Act.
    The third-party certification program is part of FSMA's paradigm 
shift toward a modern, preventive, and risk-based approach to food 
safety regulation and new programs to facilitate global trade in safe 
food. Specifically, FSMA requires FDA to issue new preventive controls 
and produce safety standards that apply to domestic and foreign 
processors and producers. In addition, FSMA directs FDA to issue an 
FSVP regulation requiring importers to implement FSVPs that provide 
adequate assurances that their foreign suppliers produce food that is 
in compliance with processes and procedures, including risk-based 
preventive controls, that provide the same level of public health 
protection as those required under section 418 (concerning hazard 
analysis and preventive controls) or 419 (concerning produce safety) of 
the FD&C Act, as appropriate, and that is in compliance with sections 
402 (concerning adulteration) and 403(w) (concerning misbranding 
regarding allergen labeling) of the FD&C Act. We emphasize that 
facilities and importers are not required to use third-party 
certification bodies accredited under this rule in meeting their 
supplier verification requirements under the final human or animal 
preventive controls or FSVP regulations. See section XIII.G.
    By contrast, the third-party certification program established 
under section 808 of the FD&C Act focuses on food safety audits to 
certify that eligible foreign entities and the food produced by such 
entities meet applicable FDA requirements for purposes of sections 
801(q) and 806 of the FD&C Act. Although importers must obtain facility 
certifications from accredited third-party certification bodies under 
this rule in order to be eligible for VQIP, we note that importers 
seeking to satisfy a requirement for certification as a condition of 
admissibility for an article of food under section 801(q) of the FD&C 
Act may offer a certification issued either by foreign governments 
designated by FDA to issue such certifications or by third-party 
certification bodies accredited under this rule.
    Through FSMA we are transforming our role in the global food safety 
system, by building ever stronger partnerships with our foreign 
regulatory counterparts and by exploring opportunities to leverage 
private food safety activities to benefit of our system of public food 
safety assurances. We value the role that private audits can play in 
enhancing food safety when done properly, and we share common purpose 
with the food industry in ensuring the rigor and objectivity of those 
audits.
    The final rule on accreditation of third-party certification bodies 
reflects the results of significant stakeholder engagement to help 
ensure that the rule achieves its public health goal, reflects industry 
best practices, and strikes the right balance between flexibility and 
accountability.

C. The Proposed Rule

    FDA published a proposed rule for ``Accreditation of Third-Party 
Auditors/Certification Bodies to Conduct Food Safety Audits and to 
Issue Certifications'' (the proposed rule) on July 29, 2013. The 
proposed rule included eligibility requirements for accreditation 
bodies to qualify for recognition and requirements that accreditation 
bodies choosing to participate in the FDA program must meet, once 
recognized. We also proposed eligibility requirements for third-party 
certification bodies to qualify for accreditation and requirements that 
third-party certification bodies choosing to participate in the FDA 
program must meet, once accredited. We intended the proposed 
requirements to ensure the competency and independence of the 
accreditation bodies and third-party certification bodies participating 
in the program.
    We also proposed procedures for recognition and accreditation, as 
well as requirements relating to monitoring and oversight of 
participating accreditation bodies and third-party certification 
bodies. These included procedures that we would follow when removing a 
third-party certification body or an accreditation body from the 
program. Further, we proposed requirements relating to auditing and 
certification of foreign eligible entities under the program, and for 
notifying us of conditions in an audited facility that could cause or 
contribute to a serious risk to the public health. In response to 
several requests, we extended the proposed rule comment period until 
January 27, 2014.

D. Public Comments

    We received over 150 comments from accreditation bodies, 
certification bodies, members of the food industry, industry 
associations, foreign governments, State governments, public health 
organizations, public advocacy

[[Page 74575]]

groups, individual consumers, consumer groups, and others. Some 
submissions included signatures and statements from multiple 
individuals. Taken as a whole, the comments address virtually every 
provision of the proposed rule. In the remainder of this document, we 
describe the comments that are within the scope of this rulemaking, 
respond to them, and explain any revisions we made from the proposed 
rule.
    A number of comments focus on the overarching issues of: (1) 
Alignment with voluntary consensus standards; (2) the use of private 
food safety schemes; (3) the relationship between the third-party 
certification program, foreign competent authorities, and FDA's 
international activities; and (4) the possible implications of the lack 
of qualified auditors on the third-party certification program. We 
address these comments generally below.
    We received several comments on the overarching issue of the use of 
voluntary international consensus standards issued by the International 
Organization for Standardization (ISO) and the International 
Electrotechnical Commission (IEC), including the following ISO/IEC 
standards: ISO/IEC 17000:2004 Conformity assessment--Vocabulary and 
general principles (ISO/IEC 17000:2004) (Ref. 4); ISO/IEC 17011:2004, 
Conformity assessment--General requirements for accreditation bodies 
accrediting conformity assessment bodies (ISO/IEC 17011:2004) (Ref. 5); 
ISO/IEC 17021:2011, Conformity assessment--Requirements for bodies 
providing audit and certification of management systems (ISO/IEC 
17021:2011) (Ref. 6); ISO/IEC 17065:2012, Conformity assessment--
Requirements for bodies certifying products, processes and services 
(ISO/IEC 17065:2012) (Ref. 7); and ISO/IEC 19011:2011, Guidelines for 
auditing management systems (ISO/IEC 19011:2011) (Ref. 8).
    Some comments support the approach to ISO/IEC standards that we 
used when developing the proposed rule; some comments state that the 
process for developing these standards makes them unbiased. Other 
comments suggest we should place greater reliance on ISO/IEC standards, 
including some comments asserting that we should incorporate ISO/IEC 
standards by reference into the final rule. These comments encourage us 
to follow the example of a proposed rule issued by the Environmental 
Protection Agency and entitled, ``Formaldehyde; Third-Party 
Certification Framework for the Formaldehyde Standards for Composite 
Wood Products'' (78 FR 34795, June 10, 2013), which proposed to 
incorporate by reference certain international standards. These 
comments assert that by placing greater reliance on ISO standards, we 
could allow ISO's broader oversight program to complement FDA's 
management of these bodies.
    Implementation of section 808 of the FD&C Act occurs against the 
backdrop of the broader Federal policies on consensus standards and 
conformity assessment under the National Technology Transfer and 
Advancement Act of 1995 (NTTAA) (Pub. L. 104-113). The NTTAA, together 
with the Office of Management and Budget (OMB) Circular A-119, revised 
February 10, 1998 (63 FR 8546, February 19, 1998), directs Federal 
Agencies to use voluntary consensus standards in lieu of government-
unique standards except where inconsistent with law or otherwise 
impractical. OMB Circular A-119 states that the use of voluntary 
standards, whenever practicable and appropriate, is intended to 
eliminate the cost to government of developing its own standards and 
decrease the cost of goods procured and the burden of complying with 
Agency regulation; provide incentives and opportunities to establish 
standards that serve national needs; encourage long-term growth for 
U.S. enterprises and promote efficiency and economic competition 
through harmonization of standards; and further the policy of reliance 
upon the private sector to supply government needs for goods and 
services.
    As directed by OMB in Circular A-119, the National Institute of 
Standards and Technology (NIST), in the Federal Register of August 10, 
2000 (65 FR 48894), issued policy guidance on Federal conformity 
assessment activities (defined as activities concerned with determining 
directly or indirectly that requirements for products, services, 
systems, and organizations are fulfilled) (15 CFR 287.2). The Federal 
conformity assessment guidance is codified at 15 CFR part 287 and 
applies to all Federal Agencies that set policy for, manage, operate, 
or use conformity assessment activities or results, domestically and 
internationally (except for activities conducted pursuant to treaties) 
and is intended to eliminate unnecessary duplication and complexity in 
conformity assessment requirements. (We note that OMB has announced it 
is currently revising Circular A-119, and NIST is revising the Federal 
conformity assessment guidance.)
    We agree with comments on the value of promoting international 
consistency and tapping into an existing framework of consensus 
standards that is familiar to industry, which may make it easier for 
accreditation bodies, third-party certification bodies, and eligible 
entities to comply with this rule. Therefore, we are revising the rule 
to allow for accreditation bodies and third-party certification bodies 
to use documentation of their conformance with ISO/IEC standards in 
meeting the program requirements under this rule, supplemented as 
necessary. We are not, however, incorporating these standards by 
reference into the rule as further discussed in our responses to 
comments in sections III. to XIII., except that we are not further 
responding to comments citing specific requirements of ISO/IEC Guide 
65:1996, Conformity assessment--Requirements for bodies providing audit 
and certification of management systems (ISO/IEC Guide 65:1996) (Ref. 
9) in sections III. to XIII., because that standard has been withdrawn 
and replaced by ISO/IEC 17065:2012 (Ref. 7) in September 2015. Comments 
referring to ISO/IEC 17020:2012, Conformity assessment--Requirements 
for the operation of various types of bodies performing inspection 
(ISO/IEC 17020:2012) (Ref. 10) are outside the scope of this 
rulemaking, because that standard relates to inspections and not the 
auditing and certification activities that will be performed under this 
rule. Therefore, we are not responding to comments citing to ISO/IEC 
17020:2012, Conformity assessment--Requirements for the operation of 
various types of bodies performing inspection (ISO/IEC 17020:2012) 
(Ref. 10) in sections III. to XIII.
    We also received several comments on the overarching issue of using 
private food safety schemes as audit criteria for regulatory audits 
conducted under the third-party certification program. Some comments 
suggest that FDA should rely on private food safety schemes, 
particularly those that have been benchmarked by the Global Food Safety 
Initiative (GFSI), as the audit criteria for regulatory audits of 
eligible entities under the third-party certification program. Other 
comments suggest that FDA should establish requirements for 
accreditation bodies and third-party certification bodies that are 
similar to those required by GFSI, such as GFSI requirements relating 
to accreditation under relevant ISO/IEC product certification or 
management system standards.
    By way of background, a group of international retailers 
established GFSI in 2000 with the goal of reducing the need for 
duplicative third-party audits by benchmarking private food safety 
schemes against a harmonized set of

[[Page 74576]]

criteria for food safety and management systems (see 78 FR 45782 at 
45788; July 29, 2013). Under current GFSI criteria, a food safety 
scheme must have a commitment with one or more accreditation bodies for 
certification bodies that operate in conformance with either the 
product certification standard, ISO/IEC Guide 65, or the management 
system standard, ISO/IEC 17021:2006 (supplemented by ISO/TS 22003). 
GFSI describes these standards as having similar requirements for how a 
certification body must operate--e.g., in addressing issues of 
preventing conflict of interest, managing customer information, 
properly qualifying personnel, auditor calibration, and many other 
aspects involved with the certification process. However, as GFSI noted 
in a 2011 White Paper (Ref. 11), there is a distinct difference between 
the two. ISO 17021/ISO 22003 is not product specific. ISO/IEC Guide 65, 
on the other hand, is concerned with verifying that particular products 
or services meet specified requirements. The type and scope of GFSI 
benchmarked scheme selected, determines the accreditation standard 
which applies. The majority of GFSI recognized schemes fall under ISO/
IEC Guide 65 accreditation requirements, whereas only two currently 
recognized schemes are management system schemes accredited to ISO 
17021/ISO 22003.
    Comments suggesting that we should rely on GFSI-benchmarked food 
safety schemes or other private food safety schemes as the criteria for 
certification under the third-party program are outside the scope of 
this rulemaking. This rule establishes the framework for the third-
party certification program, and not the food safety standards that 
accredited third-party certification bodies will use to determine an 
eligible entity's compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations. We are however 
responding to relevant comments that address audit quality and auditor 
competency, consistency, and capacity, including comments referencing 
GFSI's work in these areas.
    Other overarching comments ask how the FSMA third-party 
certification program relates to the roles of foreign competent 
authorities and to FDA's international activities. Some comments assert 
that competent authorities should be allowed to participate in the 
third-party certification program purely by administrative procedures 
without a formal review process. Other comments suggest that government 
agencies with both regulatory and trade promotion missions face 
inherent conflicts of interest.
    Some comments recommend that we should establish a different 
structure for accrediting third-party certification bodies that already 
have been approved by a foreign government accreditation body. Other 
comments suggest that FDA should reserve the role of accreditation body 
or third-party certification body for a national competent authority 
that requests it. The comments argue that the responsibility for 
monitoring the safety of food exports should remain with the national 
competent authorities in each country.
    Some comments ask whether a national competent authority has a role 
in auditing and certification activities occurring in the country, 
including in countries where an FDA foreign office is located. Other 
comments ask whether the competent authority may perform other 
activities in the third-party certification program, such as 
authentication of audit information before it is submitted to FDA. 
Still other comments suggest that FDA require accredited third-party 
certification bodies to review correspondence between an audited 
eligible entity and the competent authorities in the country where the 
eligible entity is located.
    Section 808 of the FD&C Act expressly provides for both public and 
private accredited third-party certification bodies. Public 
accreditation bodies and third-party certification bodies, as well as 
private accreditation bodies and third-party certification bodies that 
meet the eligibility requirements for recognition and accreditation 
under section 808 of the FD&C Act and this rule are equally eligible to 
participate in the third-party certification program. This includes 
government accreditation bodies and certification bodies in countries 
where FDA has a foreign office, as well as government agencies with the 
dual missions of food safety and trade promotion. We believe that both 
public and private third-party certification bodies and accreditation 
bodies are capable of exhibiting the competency, capacity, and 
impartiality necessary to meet the letter and spirit of the law and 
this regulation.
    By becoming an accredited third-party certification body or a 
recognized accreditation body, a competent authority for food safety or 
a foreign accreditation body would establish a role in the third-party 
certification program. Only if competent authorities are accredited 
under this rule, may they issue food and facility certifications under 
section 808 of the FD&C Act. (We note, however, that FDA may require 
certifications from competent authorities under section 801(q) of the 
FD&C Act for foods that FDA determines meet the criteria set forth in 
that section (see 801(q)(3)(A) of the FD&C Act), regardless of whether 
the competent authorities are accredited.) We acknowledge that the 
third-party certification program that is the subject of this rule is 
narrowly tailored and only a small piece of the much larger modernized, 
prevention-oriented food safety system we are establishing under FSMA. 
Broader FSMA activities are outside the scope of this rulemaking, as 
are matters covered by FDA's information sharing arrangements with 
foreign competent authorities.
    We received other comments on the overarching issue of how the 
third-party certification program fits into FDA's international 
activities. Some comments assert that, for countries with a systems 
recognition agreement with FDA, there should be no need for a (direct 
or indirect) role for FDA in monitoring accredited third-party 
certification bodies. Other comments encourage us to recognize their 
national food safety system as equivalent to that of the United States.
    The systems recognition initiative is a food safety regulatory 
cooperation program that allows FDA to take into account the role of 
food safety systems of exporting countries in our risk-based 
decisionmaking. We are using systems recognition as a tool to determine 
when we can rely on the implementation of science-based food safety 
programs by foreign regulatory authorities and take action based on 
information provided by such authorities.
    We note that a competent authority with whom FDA has a systems 
recognition agreement must apply for recognition to make accreditation 
decisions and apply for accreditation to issue certifications under 
section 808 of the FD&C Act. If the competent authority applies for 
recognition or direct accreditation by FDA (assuming that the statutory 
criteria have been met for FDA to begin direct accreditation), FDA's 
review will be informed by the data, experiences, and insights into the 
foreign system that FDA gained through the systems recognition review. 
Except as described above, systems recognition activities are outside 
the scope of this rulemaking, as are equivalency determinations.
    We also received several overarching comments noting that the lack 
of qualified food safety auditors is a problem in many countries. Some 
comments suggest that we may face similar problems with the 
availability of accredited third-party certification

[[Page 74577]]

bodies in our program. The comments assert that we should prioritize 
the review of applications from foreign countries with significant 
volumes of exports to the United States because of the cost and 
inconvenience to foreign suppliers and the likely trade disruption that 
would result if the only accredited third-party certification bodies 
were located in other countries. Some comments predict that rapid 
expansion in the field of food safety auditing may result in shortcuts 
in auditing. Other comments contend that because of the limited 
availability of qualified auditors we should adjust the timeframes for 
accredited third-party certification bodies to submit information to 
FDA under the regulations. The comments specifically request that we 
lengthen the 45-day timeframe for submitting regulatory audit reports.
    We acknowledge the concerns about cost, inconvenience, and 
disruption resulting from auditor capacity issues. We are encouraging 
broad program participation to minimize the likelihood that capacity 
issues might emerge, because certifications issued by accredited third-
party certification bodies under this program are intended to 
facilitate trade. The certifications are used in meeting the 
eligibility requirements of VQIP for expedited entry of food under 
section 806 of the FD&C Act and in satisfying a condition of 
admissibility for a food subject an FDA determination under section 
801(q) of the FD&C Act.
    Revisions have been made to this rule made in response to comments, 
such as allowing accreditation bodies and third-party certification 
bodies to use documentation of their conformance with ISO/IEC standards 
in support of their applications. We also are modifying our ``first in, 
first out'' approach to processing applications, as comments request, 
to allow for prioritizing specific applications and requests based on 
program needs. We are unable to accommodate the request to lengthen the 
timeframe for submission of regulatory audit reports to FDA, because 
the 45-day deadline for submission is established in section 
808(c)(3)(A) of the FD&C Act. Audit protocols and other requirements of 
the rule are designed to prevent audit agents (auditors) and third-
party certification bodies from taking shortcuts that would jeopardize 
audit results.
    Some comments addressed the Model Accreditation Standards that FDA 
is required to develop under section 808(b)(2) of the FD&C Act for use 
in qualifying third-party certification bodies for accreditation. Some 
of these comments suggest various criteria to be included in the model 
standards. Other comments suggest the proposed rule was ambiguous with 
respect to the form of, and manner by which, FDA will establish the 
Model Accreditation Standards.
    While the substance of the Model Accreditation Standards is outside 
the scope of this rulemaking, we note that on July 24, 2015, FDA 
published a draft guidance on Model Accreditation Standards. The draft 
guidance can be accessed at: http://www.fda.gov/Food/GuidanceRegulation/GuidancevDocumentsRegulatoryInformation/ucm455328.htm. Additionally, a notice was published in the Federal 
Register (80 FR 44137, July 24, 2015) of the availability of the draft 
guidance and of the opening of a docket for public comments on the 
document. As explained in the draft guidance, section 808(b)(2) of the 
FD&C Act requires FDA to develop Model Accreditation Standards that 
recognized accreditation bodies shall use to qualify third-party 
certification bodies for accreditation, and in so doing, to look to 
existing standards for certification bodies (as of the date of 
enactment of FSMA) to avoid unnecessary duplication of efforts and 
costs. The draft guidance contains FDA recommendations on third-party 
certification body qualifications, including recommendations based on 
relevant provisions in the proposed rule. This final rule will serve as 
a framework for the Model Accreditation Standards final guidance, which 
will include more detailed recommendations on third-party certification 
body qualifications.
    Some comments respond to our request for input on the question 
about the value of, and possible need for, FDA to establish a program 
for use of accredited third-party certification bodies to conduct 
domestic food safety audits (78 FR 45782 at 45823). We received 
comments on all sides, expressing various views. We are taking these 
comments under advisement at this time, as the focus of this final rule 
is on establishing and implementing the third-party certification 
program set forth in section 808 of the FD&C Act.
    Other comments addressed the substance of VQIP, import 
certification, laboratory accreditation, and provisions in the proposed 
FSVP rule and/or other FMSA rules that are outside the scope of this 
rulemaking; accordingly we will not be responding to those comments 
here. Other comments that fall outside the scope of this rulemaking, 
and to which we will therefore not be responding, include comments on 
the value of a universal, mandatory food safety system; comments 
advocating for policies promoting locally grown produce; comments 
addressing the information technology infrastructure needs of the 
third-party certification program; comments suggesting the value of 
student interns to the food safety system; and comments on factors 
beyond the use of third-party audits that FDA should consider in 
setting inspection priorities.
    We also received a few comments concerning the rulemaking process. 
Comments suggest that we devise a new process for regularly updating 
the rule; they state that FDA has cumbersome requirements for modifying 
rules. FDA's current rulemaking process is consistent with FDA's 
obligations under the Administrative Procedure Act (5 U.S.C. 551-559).

II. Legal Authority

    Section 307 of FSMA, Accreditation of Third-Party Auditors, amends 
the FD&C Act to create a new provision, section 808, under the same 
name. Section 808(b)(1)(A) of the FD&C Act requires us to establish a 
system, within 2 years of the enactment of FSMA, for the recognition of 
accreditation bodies that accredit third-party certification bodies to 
conduct food safety audits and to issue certifications for eligible 
foreign food entities and their products for purposes of sections 
801(q) and 806 of the FD&C Act.
    Section 808(c)(5)(C) of the FD&C Act directs us to issue 
implementing regulations for section 808 of the FD&C Act. The 
regulations must require audits to be unannounced and must contain 
protections against conflicts of interest between accredited third-
party certification bodies (and their audit agents) and the entities 
they audit or certify, including requirements on timing and public 
disclosure of fees and appropriate limits on financial affiliations (21 
U.S.C. 384d(c)(5)(C)(i), (ii), and (iii)).
    This final rule establishes regulations implementing section 808 of 
the FD&C Act. The authority for the requirements in this rule comes 
primarily from section 808 of the FD&C Act. However, FDA also derives 
authority for this final rule from other sections of the FD&C Act, 
including section 701(a) of the FD&C Act (21 U.S.C. 371(a)), which 
authorizes us to issue regulations for the efficient enforcement of the 
FD&C Act. The regulations in this final rule ensure the competency and 
independence of recognized accreditation bodies and of accredited 
third-party certification bodies, which will help ensure the validity 
and reliability of certifications and other information resulting from 
the food safety audits conducted by

[[Page 74578]]

accredited third-party certification bodies. These features of the 
final rule are essential to the operation of the third-party program. 
This rule also is consistent with section 404 of FSMA (21 U.S.C. 2252), 
which states that nothing in FSMA should be construed in a manner that 
is inconsistent with the agreement establishing the World Trade 
Organization or any other treaty or international agreement to which 
the United States is a party.
    This rule establishes requirements for accreditation bodies and 
third-party certification bodies seeking recognition and accreditation, 
respectively. These requirements will help ensure that any 
accreditation bodies that we recognize, and any certification bodies 
that are accredited, are capable of meeting all of the requirements of 
this program. This includes requirements, for example, for legal 
authority and competency and capacity. It also includes provisions for 
the direct accreditation of third-party certification bodies by FDA in 
accordance with section 808(b)(1)(A)(ii) of the FD&C Act. This rule 
also establishes requirements for accreditation bodies that have been 
recognized, and third-party certification bodies that have been 
accredited. This includes requirements designed to decrease the 
potential for conflicts of interest in accordance with section 
808(c)(5)(C)(ii) of the FD&C Act. Additionally, this rule establishes 
requirements for eligible entities that want to be certified under this 
program. This includes requirements for onsite audits by FDA for the 
purpose of monitoring in accordance with section 808(f)(3) of the FD&C 
Act. Finally, this rule establishes general requirements related to the 
operation of this program. These include requirements for requesting a 
regulatory hearing on revocation of recognition or withdrawal of 
accreditation.
    Some of the requirements under this final rule are also 
established, in part, under the authority in sections 806 and 801(q) of 
the FD&C Act. Section 806 of the FD&C Act describes a voluntary program 
to provide for the expedited review and importation of food offered for 
importation from certified facilities (VQIP). Section 801(q) of the 
FD&C Act gives FDA authority to require certifications for imported 
food in certain situations. This final rule does not set up the 
framework for participation in the program described under section 806 
of the FD&C Act, nor does it describe the circumstances under which FDA 
might require certification under section 801(q) of the FD&C Act. 
However, this rule does describe circumstances under which FDA might 
refuse to consider a certification issued under this program in 
determining the admissibility of an article of food for which the 
certification was offered under section 801(q) of the FD&C Act, or in 
determining eligibility for participation in VQIP under section 806 of 
the FD&C Act. Additionally, this rule creates limited exemptions from 
the certification requirements of section 801(q) of the FD&C Act for 
certain alcoholic beverages, including certain raw materials and 
ingredients that are used to manufacture/process alcoholic beverages. 
The exemptions are being promulgated consistent with section 116 of 
FSMA (21 U.S.C. 2206). Section 116(a) of FSMA states that, except as 
provided by certain listed sections in FSMA, nothing in FSMA, or the 
amendments made by FSMA, will be construed to apply to a facility that: 
(1) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et 
seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 
(26 U.S.C. 5001 et seq.) is required to obtain a permit or to register 
with the Secretary of the Treasury as a condition of doing business in 
the United States and (2) under section 415 of the FD&C Act (21 U.S.C. 
350d) is required to register as a facility because such facility is 
engaged in manufacturing, processing, packing, or holding one or more 
alcoholic beverages (with respect to the activities of such facility 
that relate to the manufacturing, processing, packing, or holding of 
alcoholic beverages). This rule also creates exemptions from the 
certification requirements of section 801(q) of the FD&C Act for 
products subject to the requirements of the U.S. Department of 
Agriculture (USDA) under the Federal Meat Inspection Act (FMIA) (21 
U.S.C. 601 et seq.), the Poultry Products Inspection Act (PPIA) (21 
U.S.C. 451 et seq.), or the Egg Products Inspection Act (EPIA) (21 
U.S.C. 1031 et seq.) at the time of importation. We conclude that this 
provision is consistent with section 403 of FSMA, entitled ``Rule of 
Construction,'' which states that nothing in FSMA shall be construed to 
alter or limit the jurisdiction of the Secretary of the Department of 
Agriculture.

III. Comments on What Definitions Apply to This Subpart (Sec.  1.600)

    We proposed to codify definitions of several terms used in the 
third-party certification regulations. We received several comments on 
this section. As discussed in the following paragraphs, we have revised 
many of the proposed definitions in response to comments as well as on 
our own initiative. Where we disagree with comments or decline a 
suggested revision, we offer an explanation in response. Some 
definitions were finalized as proposed.
    The definitions for terms used in the third-party certification 
regulations are codified in 21 CFR 1.600.

A. Definitions, Generally

    (Comment 1) Several comments encourage us to more closely align the 
definitions in Sec.  1.600 with international standards to promote 
consistency and common understanding of the rule. The comments explain 
that the terms and definitions used in section 808 of the FD&C Act and 
in the proposed rule convey a different meaning for accreditation 
bodies, certification bodies, and the standards community. To that end, 
some comments encourage us to avoid using the term ``third-party 
auditor'' synonymously with ``certification body,'' to be consistent 
with international standards, which use the term ``certification body'' 
(e.g., ISO/IEC 17065:2012 (Ref.7).
    Similarly, some comments indicate that, the language of the statute 
notwithstanding, it is not correct to use the term ``third-party 
auditor'' when describing the activities of a ``third-party 
certification body.'' The comments explain that auditors are 
individuals contracted or employed by certification bodies to conduct 
audits, and they urge us to clarify the rule by substituting 
``certification body'' for ``third-party auditor.''
    (Response 1) We agree that alignment with the terminology used in 
international standards is preferable, wherever possible. Congress 
recognized the value of international standards in accreditation and 
certification, having instructed us in section 808(b)(2) of the FD&C 
Act to look to existing standards in developing our model accreditation 
standards to avoid unnecessary duplication of efforts and costs. We 
believe it is particularly useful to rely on definitions and 
terminology from international consensus standards when possible where, 
as here, the rule is establishing a voluntary program with an 
international focus. In addition, we agree that, notwithstanding the 
use of the term ``third-party auditor'' in the statute, the use of the 
term ``third-party certification body'' instead of the term ``third-
party auditor'' provides some clarity for purposes of referring to 
bodies that employ or contract individuals to perform audits.
    Therefore, in response to the comments suggesting the term ``third-
party auditor'' is confusing and inconsistent with international 
standards, we are using the term ``third-party certification body'' in 
the

[[Page 74579]]

remainder of the preamble and in the codified of this final rule, 
except in the definitions of ``Accredited third-party certification 
body'' and ``Third-party certification body'' in Sec.  1.600(c) and in 
the preamble discussion of those definitions.
    On our own initiative, we are including the descriptor ``third-
party'' before ``certification body'' throughout this final rule. We 
did not use that descriptor in the proposed rule when referring to a 
third-party auditor/certification body once accredited. We are doing so 
now in order that the term accurately reflects that, under this 
subpart, only third-party certification bodies are eligible for 
accreditation. We are making corresponding changes to the term 
``accredited auditor/certification body;'' and in this final rule we 
will instead use the term, ``accredited third-party certification 
body.''
    Accordingly, we have revised the proposed definitions of 
``accreditation,'' ``accreditation body,'' ``accredited auditor/
certification body,'' ``audit,'' ``audit agent,'' ``certification 
body,'' ``direct accreditation,'' ``eligible entity,'' ``facility 
certification,'' ``food certification,'' ``recognized accreditation 
body,'' ``relinquishment,'' and ``self-assessment,'' to replace the 
term ``third-party auditor'' with the term ``third-party certification 
body,'' or ``third-party certification bodies,'' and to remove 
``auditor/'' from in the term ``third-party auditor/certification 
body'' or ``third-party auditors/certification bodies'' that was used 
in the proposed rule.
    On our own initiative, we added a sentence to the definition of 
``accredited third-party certification body'' in Sec.  1.600 of this 
final rule to explain that the term has the same meaning as 
``accredited third-party auditor'' as defined in section 808(a)(4) of 
the FD&C Act. Similarly, we added language to the definition of 
``third-party certification body'' in Sec.  1.600 of this final rule 
explaining that the term has the same meaning as ``third-party 
auditor'' as defined in section 808(a)(3) of the FD&C Act.
    (Comment 2) Some comments encourage us to make the definitions in 
this rule consistent with the definitions in other FSMA proposed rules, 
such as the 2013 proposed FSVP regulation, the 2013 proposed human 
preventive controls regulation, the 2013 proposed animal preventive 
controls regulation, and the 2012 proposed produce safety regulation, 
where feasible.
    (Response 2) We agree with the comments on the overarching goal of 
alignment across regulations and accepted suggested revisions, where 
feasible and appropriate. However, it is not always possible to develop 
uniform definitions due to the distinct statutory requirements and the 
framework of each program. In such cases where it was not feasible or 
appropriate, we declined the suggested revisions from comments. We 
discuss such comments and our responses under each relevant term.

B. Assessment

    We did not define ``assessment'' in the proposed rule.
    (Comment 3) Some comments recommend adding a definition of 
``assessment'' based on ISO/IEC 17011:2004 (Ref. 5), clause 3.7, which 
describes the process for evaluating certification bodies. The comments 
explain that defining such evaluations as ``audits,'' as we had 
proposed, is inconsistent with international standards. The comments 
suggest consulting with other ISO/IEC standards for relevant 
terminology.
    (Response 3) We agree that the term ``assessment'' should be used, 
in part, to refer to the activity undertaken to assess the competency 
and capacity of a third-party certification body under the rule. We 
reviewed ISO/IEC 17011:2004 (Ref. 5) (clause 3.7 and NOTE) and ISO/IEC 
17000:2004 (Ref. 4), ISO/IEC 17040:2005 Conformity assessment--General 
requirements for peer assessment of conformity assessment bodies and 
accreditation bodies (ISO/IEC 17040:2005) (Ref. 12), and an 
International Accreditation Forum (IAF) document entitled, ``IAF 
Endorsed Normative Documents'' (Ref. 13).
    After considering the comments and reviewing the referenced 
documents, we developed a definition of ``assessment'' that describes, 
with respect to accreditation bodies, the activity undertaken by FDA to 
evaluate the competency and capacity of the accreditation body under 
the applicable requirements of this rule. With respect to certification 
bodies, ``assessment'' describes the activity undertaken by a 
recognized accreditation body (or, in the case of direct accreditation, 
FDA) to evaluate the competency and capacity of a certification body 
under the applicable requirements of this rule. We also made 
corresponding changes to the definition of ``audit'' from proposed 
Sec.  1.600(c) by removing clauses (1) and (2).

C. Audit

    We proposed a definition of ``audit'' describing the examination of 
accreditation bodies, third-party certification bodies, and eligible 
entities. We proposed to define an audit of an accreditation body as an 
examination by FDA of the accreditation body's authority, 
qualifications, resources, policies, procedures, and performance, as 
well as of its capability to meet the requirements of the proposed 
rule. We proposed to define an audit of a third-party certification 
body as an examination by a recognized accreditation body (or, by FDA, 
for direct accreditation) of the third-party certification body's 
authority, qualifications, resources, policies, procedures, and 
performance, as well as of its capability to meet the requirements of 
the proposed rule. We proposed to define an audit of an eligible entity 
as an examination by an accredited third-party certification body of 
the eligible entity to assess the entity, its facility, system(s), and 
food using audit criteria for consultative or regulatory audits, and, 
for consultative audits, also including an assessment of compliance 
with applicable industry standards and practices.
    We received some comments on the proposed definition of ``audit,'' 
and the related definitions of ``consultative audit'' and ``regulatory 
audit.'' Comments specific to the definition of ``consultative audit'' 
are discussed in section III.E., and comments on the definition of 
``regulatory audit'' are discussed in section III.L. As described in 
Response 3, we also removed clauses (1) and (2) from the proposed 
definition of ``audit'' because those evaluations are ``assessments'' 
as the term is defined in Sec.  1.600(c).
    On our own initiative, we are revising the definition of ``audit'' 
to clarify that an audit conducted under this subpart is not an 
inspection under section 704 of the FD&C Act (21 U.S.C. 374).
    (Comment 4) Several comments encourage us to align our definition 
of audit with relevant international standards, and some comments 
request that we use the definition of ``audit'' from the Codex 
``Principles for Food Import and Export Inspection and Certification'' 
(CAC/GL 20-1995) (Ref. 14), which defines ``audit'' as a ``systematic 
and functionally independent examination to determine whether 
activities and related results comply with planned objectives.''
    (Response 4) We agree with the general principle of creating 
consistency with international standards and have revised the 
definition of ``audit'' in Sec.  1.600(c) accordingly. Rather than 
describing the determination of whether activities comply with 
``planned objectives'' that appears in the Codex definition of 
``audit'' (Ref. 14), we inserted a brief description of the objectives 
of consultative and regulatory audits from the definitions in section 
808(a)(5) and (7) of the FD&C Act (i.e.,

[[Page 74580]]

the examination of an eligible entity under this rule).
    (Comment 5) Some comments encourage us to remove the proposed 
definition of ``audit'' in Sec.  1.600(c) and substitute the FSVP 
definition of ``audit'' instead, to promote consistency and a common 
understanding of terminology.
    (Response 5) We disagree. We believe that it is more important for 
the definition in this rule to reflect international standards that are 
generally well known to the parties subject to this rule than it is for 
the definition to mirror the definition in FSVP, which has different 
applicability. FSVP applies to importers; this rule applies to 
accreditation bodies, third-party certification bodies, and eligible 
entities. Therefore, we are rejecting the suggestion to use the FSVP 
definition of ``audit'' as the definition of ``audit'' in Sec.  
1.600(c).
    (Comment 6) We received some comments on the definition of 
``audit'' regarding its relationship to the related definitions of 
``consultative audit'' and ``regulatory audit'' in Sec.  1.600(c). Some 
comments recommend that we revise the definition of ``audit'' to mean 
only regulatory audits, and not consultative audits, asserting that is 
how the word ``audit'' is used in the statute. These comments contend 
that the statute must be interpreted in light of the fact that section 
808 of the FD&C Act is directed to food and facility certifications, 
which are only accomplished through regulatory audits. Other comments 
ask us to clarify that the services of an accredited third-party 
certification body that fall short of the definition of an ``audit'' 
(e.g., informal consulting, continuous improvement programs, and 
limited purpose audits) under this rule, are not subject to the 
requirements of the rule.
    (Response 6) We decline the suggestion to interpret section 808 of 
the FD&C Act in a manner that would equate ``audit'' with ``regulatory 
audit.'' Section 808 of the FD&C Act defines two types of audits used 
under the program, consultative audits and regulatory audits, and 
contains requirements relating to each. (See, e.g., section 808(a)(5), 
(7), and (c)(3)(A) of the FD&C Act). In addition, section 808(c)(4)(B) 
of the FD&C Act expressly allows an accredited third-party 
certification body or an audit agent of such auditor to perform 
consultative and regulatory audits of eligible entities.
    To the extent that other comments suggest creating a list of 
exceptions from the definition of ``audit'' in the codified for this 
rule, we decline to do so. To the extent that these comments were 
seeking clarification of the definition of ``consultative audit'' in 
Sec.  1.600(c), and what types of activities might fall outside of that 
definition as well as outside of this program, please see the 
discussion in Response 9 in section III.E.
    (Comment 7) Some comments express confusion about the criteria that 
accredited third-party certification bodies will be using in conducting 
audits under subpart M and ask us to more clearly describe the 
``applicable requirements'' against which compliance will be evaluated. 
Some comments are concerned that eligible entities might be audited 
against requirements that do not apply to their operations. For 
example, some comments note that firms subject to the final animal 
preventive controls regulation should not be assessed for compliance 
with the allergen cross contamination requirements of the final human 
preventive controls regulation. Other comments ask us to clarify 
whether the ``applicable requirements'' are limited to requirements 
that appear in the FD&C Act or FDA regulations, or both.
    (Response 7) During regulatory and consultative audits, accredited 
third-party certification bodies will examine compliance with 
applicable food safety requirements of the FD&C Act and FDA regulations 
within the scope of the audit. In consultative audits, the third-party 
certification bodies also may be conducting an examination to determine 
conformance with applicable industry standards and practices.
    The applicable requirements that accredited third-party 
certification bodies and their audit agents will use relate to the food 
safety standards under the FD&C Act, such as the adulterated food 
provisions in section 402 of the FD&C Act and the provisions on the 
misbranding of food allergens in section 403(w) of the FD&C Act. The 
applicable requirements of the FD&C Act and FDA regulations would 
depend on the type of eligible entity being audited. To use the example 
given by one of the comments, an eligible entity that is subject to the 
requirements of the final animal preventive controls regulation, but 
not the final human preventive controls regulation, would not be 
subject to an audit examining its practices relating to cross-
contamination by food allergens under the final human preventive 
controls regulation because those are not ``applicable food safety 
requirements'' for such an entity.
    To help clarify this rule for eligible entities, third-party 
certification bodies, and accreditation bodies who may be interested in 
participating in the program and who may not yet be familiar with U.S. 
laws and regulations, we are using the phrase ``applicable food safety 
requirements of the FD&C Act and FDA regulations'' in place of the 
phrase ``applicable requirements'' in the definition of ``audit'' in 
Sec.  1.600(c) and elsewhere throughout the rule where we are 
discussing the requirements that will be used in auditing eligible 
entities.\2\
---------------------------------------------------------------------------

    \2\ Although we have elected to cite to both the FD&C Act and 
FDA regulations in this definition, we otherwise will follow the 
conventional practice of using the words ``applicable requirements'' 
to refer the applicable requirements of the FD&C Act and FDA 
regulations.
---------------------------------------------------------------------------

D. Audit Agent

    We proposed to define an ``audit agent'' as an individual who is an 
employee or other agent of an accredited third-party certification body 
who, although not individually accredited, is qualified to conduct food 
safety audits on behalf of an accredited third-party certification 
body. Under the proposed rule we also defined an audit agent to include 
a contractor of the accredited third-party certification body.
    (Comment 8) Some comments express concern about our proposal to 
allow a contractor of an accredited third-party certification body to 
serve as an audit agent, asserting that ``[w]ith each step that is 
further removed in this process, institutional control is lost 
exponentially.'' The comments point out that a subcontractor conducted 
the audit and gave a passing audit score to a cantaloupe farm and 
packing facility that used ``improper and unsafe processing equipment'' 
and subsequently was linked to a deadly outbreak caused by Listeria 
monocytogenes. Other comments mentioning the incident cite to an 
article in Bloomberg News explaining that auditors often outsource to 
independent contractors over whom they do not have direct management 
control (Ref. 15). Still other comments offer the cantaloupe outbreak 
as an example of why auditors must be competent and accountable for 
their activities.
    (Response 8) We understand that third-party certification bodies 
currently work with individual auditors under many different types of 
arrangements. We acknowledge concerns raised by comments about recent 
outbreaks at some domestic facilities that had received satisfactory 
scores in food safety audits. Further, we agree with the comments on 
the importance of an accredited third-party certification body 
exercising adequate control over an audit agent conducting audits on 
its

[[Page 74581]]

behalf. We believe that principle is equally true whether the audit 
agent is an employee or a contract auditor.
    International standards, such as ISO/IEC 17021:2011 (Ref. 6), 
specifically allow accredited third-party certification bodies to use 
contractors to perform audits if certain conditions are met. Among 
other conditions, contract auditors must meet the same level of 
qualifications (e.g., knowledge, skills, and experience) and the same 
requirements for impartiality and objectivity as do the auditors the 
third-party certification body employs. The third-party certification 
body must exercise adequate control and oversight over a contractor 
such that the third-party certification body accepts the result of the 
contractor's audit as its own.
    When we proposed to define ``audit agent'' to include a contractor, 
we were contemplating arrangements such as those described in ISO/IEC 
17021:2011 (Ref. 6) that involve a direct relationship between the 
accredited third-party certification body and its auditors. We are 
revising the definition of ``audit agent'' to clarify that we are 
excluding subcontractors and other types of outsourcing arrangements; 
we have concluded that such arrangements fail to provide the degree of 
control and oversight necessary for an accredited third-party 
certification body to ensure that its audit agents are competent and 
objective. An accredited third-party certification body exercises 
direct supervision over the activities of its employees, and has a 
direct relationship with a contractor; but the relationship between the 
third-party certification body and a subcontractor or other type of 
outsourced staff is attenuated--the third-party certification body may 
not even choose such persons and may not have any direct authority over 
them. We do not believe such diminished oversight is appropriate, given 
the important role of audit agents in this program.
    By revising the definition of ``audit agent'' we are not preventing 
an accredited third-party certification body from subcontracting for 
services in areas other than the conduct of audits. For example, an 
accredited third-party certification body may use subcontractors or 
other outsourcing arrangements to deliver annual training to its audit 
agents under Sec.  1.650 or may use subcontractors or other outsourcing 
arrangements to investigate and decide on appeals of adverse regulatory 
audit results under Sec.  1.651. However, we are limiting the role of 
``audit agent'' to employees and contractors of the accredited third-
party certification body.

E. Consultative Audit

    We proposed to define a ``consultative audit'' as an audit of an 
eligible entity: (1) To determine whether such entity is in compliance 
with applicable requirements of the FD&C Act and industry standards and 
practices and (2) the results of which are for internal purposes only 
and cannot be used to determine eligibility for a food or facility 
certification issued under this subpart or in meeting the requirements 
for an onsite audit of a foreign supplier under subpart L of this part.
    (Comment 9) We received several comments on the definition of 
``consultative audit.'' Many comments express concern that the 
definition of ``consultative audit'' is overly broad and that some of 
the requirements that would apply to consultative audits under the 
proposed rule might create a disincentive to using accredited third-
party certification bodies. Some comments urge FDA to remove all 
requirements associated with consultative audits from the rule. Other 
comments identify two requirements of particular concern: (1) Proposed 
Sec.  1.656, requiring an accredited third-party certification body 
conducting a consultative audit or regulatory audit under the rule to 
notify FDA immediately upon discovering a condition that could cause or 
contribute to a serious risk to public health (the notification 
requirement) and (2) proposed Sec.  1.652, requiring an accredited 
third-party certification body to provide FDA access to a consultative 
audit report when the criteria for records access under section 414 of 
the FD&C Act (21 U.S.C. 350c) are met (the records access requirement). 
The comments explain that many firms use certification bodies (and/or 
their consulting divisions) to help establish, maintain, and improve 
their food safety practices. For example, some firms use certification 
bodies (and/or their consulting divisions) to help in identifying root 
causes and remediating food safety problems. Comments also note that 
certification bodies (and/or their consulting divisions) provide 
informal counseling, perform preliminary evaluations, limited purpose 
audits, and activities in support of firms' continuous improvement 
programs.
    Comments express concern that if these types of activities are 
subject to notification, records access, and other requirements of the 
rule, firms located outside the United States might not use accredited 
third-party certification bodies, instead choosing unaccredited third-
party certification bodies to avoid the requirements of this rule. The 
comments assert that unaccredited third-party certification bodies are 
less likely to have qualified auditors and their independence and 
objectivity is less certain, than third-party certification bodies that 
have been evaluated and issued accreditation.
    Comments also argue that the definition of ``consultative audit,'' 
which states that the results of such an audit are ``for internal 
purposes only,'' is inconsistent with the requirements for notification 
and records access that would apply to consultative audits under the 
proposed rule. Other comments ask us to clarify that audits conducted 
for external purposes--for example, an audit for purposes of compliance 
with FSVP--do not satisfy the definition of a consultative audit 
because consultative audits are for internal purposes only.
    Some comments suggest that the proposed definition of 
``consultative audit,'' taken together with the proposed definitions of 
``food safety audit'' and ``regulatory audit,'' could preclude third-
party certification bodies from conducting any audits that are outside 
the scope of subpart M, once accredited. Based on that interpretation, 
the comments predict that few if any third-party certification bodies 
would want to participate in the program.
    Many of the comments that express concern about disincentives also 
suggest that Congress intended the third-party program to be much 
narrower than our proposed definition of ``consultative audit'' would 
suggest. These comments suggest that the FSMA third-party certification 
program was intended to be focused on regulatory audits and the 
issuance of certifications to be used for two limited purposes: i.e., 
in establishing an importer's eligibility for VQIP and in satisfying a 
condition of admissibility for a food subject to an FDA safety 
determination under section 801(q) of the FD&C Act. These comments 
argue further that Congress inserted the term ``consultative audit'' in 
the statute to be used only in reference to the conflicts of interest 
provisions in section 808(c)(4)(C) and (c)(5) of the FD&C Act; 
therefore, a broad interpretation of ``consultative audit'' is 
inconsistent with Congressional intent. The comments urge us to 
construe the term ``consultative audit'' as narrowly as possible.
    (Response 9) We recognize that food firms use accredited third-
party certification bodies (and their consulting divisions) in various

[[Page 74582]]

capacities that serve the ultimate goal of improving food safety. We do 
not want, nor do we believe Congress intended, for our third-party 
certification program to create disincentives for food firms seeking to 
use accredited third-party certification bodies for various purposes to 
improve food safety practices in their operations. Nevertheless, we 
decline the request to remove all requirements relating to consultative 
audits from this final rule. Section 808(c)(5)(C) of the FD&C Act 
directs us to issue implementing regulations for section 808 of the 
FD&C Act, which includes some specific provisions relating to 
consultative audits (e.g., section 808(c)(3)(A) and (C) on consultative 
audit reports and section 808 (c)(4)(C) of the FD&C Act on audit agents 
performing regulatory audits of eligible entities of which they 
performed consultative or regulatory audits within the preceding 13 
months). We have, however, revised the definition of ``consultative 
audit'' as explained below and have made other revisions to the rule to 
clarify the scope of such audits and help mitigate possible 
disincentives to conduct consultative audits, while fulfilling the 
letter and spirit of the law.
    With regard to the comments expressing concerns about an overly 
broad interpretation of ``consultative audit,'' we remind readers that 
the statute endows both regulatory and consultative audits with certain 
characteristics. For example, section 808(a)(6) of the FD&C Act 
indicates that an eligible entity must choose to be audited by an 
accredited third-party certification body, and section 808(c)(5)(C)(i) 
of the FD&C Act states that audits under this program must be 
unannounced. We understand these provisions to mean that, at the time 
the audit services are arranged, an eligible entity must specifically 
request from an accredited third-party certification body a food safety 
audit under this rule--that is the only way the accredited third-party 
certification body would know that the eligible entity is requesting an 
unannounced subpart M audit to determine compliance with the applicable 
food safety requirements of the FD&C Act and FDA regulations. Further, 
the eligible entity would need to specify whether it is seeking a 
regulatory or consultative audit. (In addition to determining whether 
the eligible entity is in compliance with the food safety requirements 
of the FD&C Act, consultative audits under section 808 of the FD&C Act 
also determine whether the eligible entity is in compliance with 
applicable industry standards and practices). Audits that fall outside 
the purview of this rule--for example, audits that are conducted by 
third-party certification bodies that are not accredited under this 
program, audits that determine compliance with standards other than the 
food safety requirements of the FD&C Act and FDA regulations (e.g., 
audits that determine compliance with private standards), audits that 
are announced, and audits conducted solely for the purposes of supplier 
verification under the final human or animal preventive controls 
regulations or the final FSVP regulations--are not covered by, or 
subject to, the requirements of this rule.
    It is impossible to describe or predict all of the audit scenarios 
that may occur. We emphasize that an accredited third-party 
certification body can continue to offer auditing and certification 
services that are outside the scope of this rule, such as on-site 
supplier verification audits under the final human or animal food 
preventive controls regulations or the final FSVP regulation. Such 
audits would not be subject to the requirements of this rule, including 
the reporting and notification requirements.
    In response to comments, we revised the proposed definition of 
``consultative audit'' to clarify that it is an audit conducted in 
preparation for a regulatory audit under the third-party certification 
program. A consultative audit would thus be a pre-examination or pre-
assessment type of activity imbued with certain characteristics. We 
further clarify the characteristics of a consultative audit, as well as 
of a regulatory audit (the results of which can form the basis for 
issuance of certification under the rule), in the definition of ``food 
safety audit'' discussed in section III.J.

F. Eligible Entity

    We proposed to define an ``eligible entity'' as a foreign entity 
that chooses to be subject to a food safety audit by an accredited 
third-party certification body. We further proposed that eligible 
entities include foreign facilities subject to the registration 
requirements in FDA regulations.
    (Comment 10) We received several comments on the definition of 
``eligible entity.'' Some comments request that we provide examples of 
specific types of entities that satisfy the definition. Some comments 
offer examples of ``eligible entities,'' including orchards or farms, 
packing houses, processing plants, and storage facilities. Other 
comments suggest we add ``and foreign farms'' to the end of the 
definition, to clarify that such entities are eligible to receive 
audits under subpart M. Some comments encourage us to adjust the 
definition of ``eligible entity'' to make it mandatory for foreign food 
facilities to undergo food safety audits by accredited third-party 
certification bodies.
    (Response 10) The proposed definition of ``eligible entity'' was 
based on the statutory definition, which includes facilities subject to 
the registration requirements in section 415 of the FD&C Act that 
choose to be audited under the program. At our own initiative we are 
revising the definition of ``eligible entity'' in the codified to more 
accurately track the statute, and we decline the suggestion to add 
specific examples, such as orchards or farms, that are not included in 
the statutory definition of ``eligible entity.'' However, as explained 
in Response 12 we are revising the definition of ``facility'' in Sec.  
1.600(c) to clarify that entities that grow, harvest, or raise animals 
for food for consumption in the United States are facilities that are 
eligible for auditing and certification under this subpart.
    We disagree with the comment suggesting that we should make audits 
under this program mandatory for all foreign food firms by modifying 
the definition of ``eligible entity.'' The statute clearly indicates 
that participation in this program is intended to be voluntary, and 
only entities that choose to be audited under the program are subject 
to its requirements (see section 808(a)(6) of the FD&C Act).
    (Comment 11) In the proposed rule, we specifically asked for 
comment on whether to allow for food or facility certification to be 
issued to a producer group, offering as an example the criteria for 
groups under the National Organic Program (NOP)--i.e., having multiple 
sites operating under a single management system and whose farms are 
``uniform in most ways.'' Several comments responded to this inquiry in 
relation to the definition of ``eligible entity.''
    Comments in support of certification of a group (e.g., a 
cooperative being audited as a single eligible entity) note that some 
producers are very small and might find it difficult on their own to 
obtain third-party certification, but taken as a group the task would 
likely be more manageable. Other comments note that treating multiples 
sites with a single management system as a single eligible entity could 
be particularly helpful in sectors or regions where there is a scarcity 
of accredited third-party certification bodies. Some comments argue in 
support of groups functioning as a single eligible entity as long as 
the central management system functions effectively, providing 
oversight to the

[[Page 74583]]

members. Comments also note that some multisite sampling protocols have 
been developed by international organizations, such as ISO.
    Other comments encourage us to ensure that cooperatives are subject 
to this rule, so that all the links in a foreign supply chain are 
appropriately inspected, and so that they are subject to any applicable 
regulations before their product is exported to the United States.
    Comments not in support of cooperatives being classified as 
eligible entities note that food safety practices and conditions are 
site-specific and can vary significantly even if the individual farms 
are located in the same geographic area (for example, due to soil 
composition, agricultural water runoff, or the manner in which the land 
was used in the past). They also note that organic production standards 
and scientifically-based food safety standards are not the same, so 
what works for the NOP may not be appropriate here
    Some comments encourage us to provide guidance on the acceptable 
parameters of a cooperative. Some comments encourage us to consider 
guidance available from other sources beyond the NOP, such as the 
International Federation of Organic Agriculture Movements.
    (Response 11) We decline to revise the definition of eligible 
entities to include a group. We acknowledge that some very small 
producers might be daunted by the prospect of working individually with 
an accredited third-party certification body, and there would be 
obvious economies in banding together with other very small producers 
to gain certification. We also acknowledge that some sets of producers 
do currently function as a unit under a centralized management system, 
and that group certification may make it easier for entities to access 
accredited third-party certification bodies in areas or regions where 
they may be scarce. Nevertheless, after reviewing the NOP, the 
International Federation of Organic Agricultural Movements, the Canada 
Organic Office Operation Manual, the USDA Agricultural Marketing 
Service pilot program on group certification, and other recommended 
sources, we conclude that it would not be appropriate to allow groups 
to be certified under this program. Group certification raises a myriad 
of complicated issues such as establishing who may act as a group, 
determining the requisites of a central management system, and 
delineating the minimum requirements for accredited third-party 
certification body audits of a group.
    With regard to the comments contending that certifications from 
individual eligible entities that might otherwise act as a group would 
create redundant and unnecessary paperwork for FDA, we will take that 
sort of information into account as we gain experience with the 
program. Finally, with regard to the comments encouraging us to define 
``eligible entity'' to include groups to ensure that all their members 
are examined for compliance with applicable food safety regulations 
before their food is exported to the United States, we note that this 
rule does not create audit obligations for all foreign suppliers or for 
all importers. The third-party certification program created by this 
rule is a voluntary program for eligible entities who wish to 
participate.

G. Facility

    We proposed to define ``facility'' as any structure, or structures 
of an eligible entity under one ownership at one general physical 
location, or, in the case of a mobile facility, traveling to multiple 
locations, which manufactures/processes, packs, or holds food for 
consumption in the United States. The definition went on to state that: 
(1) Transport vehicles are not facilities if they hold food only in the 
usual course of business as carriers; (2) a facility may consist of one 
or more contiguous structures, and a single building may house more 
than one distinct facility if the facilities are under separate 
ownership; (3) the private residence of an individual is not a 
facility; and (4) non-bottled water drinking water collection and 
distribution establishments and their structures are not facilities.
    On our own initiative, we are clarifying that facilities for the 
purposes of this subpart are not limited to facilities required to be 
registered under Subpart H.
    (Comment 12) Some comments encourage us to align the proposed 
definition of ``facility'' to the definition of ``facility'' in the 
human and animal preventive controls, produce safety, and FSVP 
regulations, to promote consistency and common understanding of the 
rules.
    (Response 12) As previously noted, we agree with the comments on 
the importance of consistency across regulations, where feasible and 
appropriate. We reviewed the definitions of ``facility'' in the final 
FSVP and final human preventive controls regulations, and found those 
definitions to be too narrow in light of the purpose of this rule to 
establish a voluntary program for certification of foods and facilities 
and the broad definition of ``eligible entity'' in section 808(a)(6) of 
the FD&C Act. Of our own initiative, in order to preserve the option 
for broad participation in the third-party program, we are expressly 
including in the definition of ``facility'' those entities that grow, 
harvest, or raise animals for food for consumption in the United 
States.

H. Facility Certification and Food Certification

    We proposed to define ``facility certification'' as an attestation, 
issued for purposes of section 806 of the FD&C Act by an accredited 
third-party certification body, after conducting a regulatory audit and 
any other activities necessary to establish that a facility meets the 
applicable requirements of the FD&C Act. We proposed to define ``food 
certification'' as an attestation, issued for purposes of section 
801(q) of the FD&C Act by an accredited third-party certification body, 
after conducting a regulatory audit and any other activities necessary 
to establish that a food meets the applicable requirements of the FD&C 
Act.
    (Comment 13) We received some comments on the definitions of 
``facility certification'' and ``food certification.'' Some of these 
comments raise group certification issues which we address above, in 
connection with the definition of ``foreign cooperative.'' Some 
comments state that ``food certification'' is improper terminology, 
because it implies a product certification model, whereas audits of 
eligible entities--particularly in the produce sector--generally assess 
processes and/or management systems.
    (Response 13) The term ``food certification'' appears in the 
statute and is specifically discussed in the statute as a type of 
certification that may be used in meeting a condition of admissibility 
under section 801(q) of the FD&C Act. Under section 808(c)(2)(C) of the 
FD&C Act, food certifications may only issue upon conduct of a 
regulatory audit. In light of the statutory language, we decline to 
revise the term ``food certification'' in response to the comments on 
this rule.
    We also note that section 801(q)(1) of the FD&C Act allows for FDA 
to accept ``a listing of certified facilities that manufacture, 
process, pack, or hold food, or other assurances deemed appropriate by 
FDA'' to satisfy the condition of admissibility. Of our own initiative, 
in light of this statutory language, we are clarifying in the 
definition of ``facility certification'' that

[[Page 74584]]

a facility certification may be issued for purposes of 801(q) of the 
FD&C Act.

I. Food

    In proposed Sec.  1.600(b), we stated unless otherwise defined in 
Sec.  1.600(c) of the proposed rule, definitions of terms in section 
201 of the FD&C Act would apply to terms used in this subpart. Section 
201 of the FD&C Act defines ``food'' as ``(1) articles used for food or 
drink for man or other animals, (2) chewing gum, and (3) articles used 
for components of any such article.'' Proposed Sec.  1.600(c) did not 
define the term ``food.''
    (Comment 14) Some comments request that we define ``food'' 
consistent with how it was defined in the FSVP proposed rule for 
consistency and to indicate that producers of food contact substances 
are eligible entities.
    (Response 14) The proposed definition of ``food'' under Sec.  1.600 
would include pesticides when they meet the definition of ``food'' 
under section 201 of the FD&C Act. By contrast, the FSVP rule's 
proposed definition of food explicitly does not include pesticides, as 
defined in 7 U.S.C. 136(u), consistent with the definition of ``food'' 
used in the rulemaking on the Prior Notice of Imported Food Under the 
Public Health Security and Bioterrorism Preparedness Act of 2002 (prior 
notice rule). FDA received comments during that rulemaking questioning 
the applicability of the rule to pesticides, so FDA clarified that 
``food'' for the purposes of that rule did not include pesticides.
    The final FSVP regulation, which is publishing elsewhere in this 
issue of the Federal Register, retains the exclusion of pesticides from 
the definition of ``food.''
    In response to comments suggesting revision of the definition of 
``food'' in this rule to be consistent with the final FSVP regulation, 
we considered the purposes that certifications serve under this program 
and the nature of comments we received on the third-party proposed 
rule, including general comments requesting alignment across the FSMA 
rules and comments specifically requesting that we use the FSVP 
definition of ``food.'' Certifications issued by accredited third-party 
certification bodies may be used in establishing an importer's 
eligibility to participate in VQIP and in satisfying a condition of 
admissibility for an imported food that we determine poses a safety 
risk under section 801(q) of the FD&C Act.
    While certifications may be useful in addressing pesticide 
contamination of food (e.g., pesticide levels in food that exceed 
established tolerances), we have not identified a need for 
certifications to address pesticides as articles of food, nor do we 
anticipate a role for food safety audits in pesticide manufacturing 
facilities. Accordingly, we are revising the final rule by adding to 
Sec.  1.600(c) a definition of ``food'' that excludes pesticides.
    We also agree with the comment that producers of food contact 
substances could be eligible entities under this rule and that food 
contact substances should be considered food for the purposes of this 
rule. Third-party food safety audits and certifications for food 
contact substances could potentially be useful given the possibility of 
migration of harmful food contact substances into food or contamination 
of food contact materials that directly contact food. Accordingly, we 
are revising the proposed definition of ``food'' to exclude pesticides 
and retain ``food contact substances'' in the definition of ``food'' in 
this final rule, consistent with the definition of ``food'' in the 
final FSVP regulation.

J. Food Safety Audit

    We proposed to define ``food safety audit'' as a regulatory audit 
or a consultative audit.
    (Comment 15) We received a few comments on the definition of ``food 
safety audit.'' Some comments request that we remove consultative 
audits from the definition of ``food safety audit,'' asserting that 
consultative audits should not be subject to the reporting and 
notification requirements associated with ``food safety audits.'' Other 
comments say we should replace the term ``food safety audit'' with 
``regulatory audit,'' as a matter of statutory construction and sound 
policy. Finally, some comments suggest that we delete the definition of 
``food safety audit'' altogether.
    (Response 15) We are retaining the definition of ``food safety 
audit'' as a useful definition to describe regulatory and consultative 
audits that fall under the requirements of this rule. As described in 
Response 9, we have revised the definition of ``consultative audit'' to 
clarify that it is an audit conducted in preparation for a regulatory 
audit under the third-party certification program. Although an audit 
meeting that definition would be subject to certain reporting and 
notification requirements, there are many types of audits/arrangements 
that would not fall within the definition of ``consultative audit'' or 
``regulatory audit,'' and would therefore not be subject to the 
requirements of this rule, including the reporting and notification 
requirements. Therefore, including consultative audits in the 
definition of ``food safety audit'' will not prevent eligible entities 
from using accredited third-party certification bodies for auditing 
arrangements that fall outside of the scope of this rule and do not 
trigger the requirements of this rule. To further address comments' 
concerns, we are modifying the definition of ``food safety audit'' to 
provide clarification regarding what types of audits/activities would 
fall outside of the scope of this rule. Specifically, we clarify that a 
food safety audit must be declared by an eligible entity at the time of 
audit planning and must be conducted on an unannounced basis consistent 
with sections 808(b)(6) and 808(c)(5)(C) of the FD&C Act.

K. Foreign Cooperative

    We proposed to define ``foreign cooperative'' as an entity that 
aggregates food from growers or processors that is intended for export 
to the United States.
    On our own initiative, we are replacing the phrase ``entity that 
aggregates'' with ``autonomous association of persons, identified as 
members, who are united through a jointly owned enterprise to 
aggregate'' for clarification purposes.
    (Comment 16) Some comments suggest that we add a definition for 
``consolidator.'' The comments contrast consolidators with cooperatives 
and argue that consolidators act essentially as brokers that purchase 
products from several sources and then export the total set to the 
United States. According to these comments, consolidators do not own or 
manage the individual sites and generally do not have control over or 
even knowledge of the processing procedures.
    (Response 16) We agree with the comment that an entity without a 
single management system that exercises control over the manner in 
which individual sites meet the applicable food safety requirements of 
the FD&C Act and FDA regulations would not be an eligible entity. 
However, we disagree that adding a definition of ``consolidator'' would 
be helpful because whether an entity is a ``consolidator'' has no 
bearing on the requirements of this rule.
    (Comment 17) Some comments point out that while the proposed rule 
indicates a foreign cooperative could be an accreditation body or a 
third-party certification body, in their countries the government is 
the accreditation body. Also, in some places the government authorizes 
certain parties to conduct audit activities and those parties are under 
the control and supervision of the

[[Page 74585]]

government. Accordingly, the comments suggest that we indicate in which 
countries and in which cases a foreign cooperative could be an 
accreditation body or a third-party certification body. Other comments 
recommend more detail on how cooperatives are defined, and how they 
would conform to FDA requirements for third-party certification bodies.
    (Response 17) We currently are not in a position to be able to 
determine which countries or which foreign cooperatives may be 
adequately qualified to become accredited under the third-party 
certification program. We note that section 808 of the FD&C Act 
expressly allows foreign cooperatives to serve as accredited third-
party certification bodies if they are adequately qualified and 
independent of the eligible entities they audit or certify under the 
third-party certification program. Therefore, we are not categorically 
excluding foreign cooperatives from the third-party certification 
program, nor are we making any categorical decisions on whether 
governmental accreditation bodies have conflicts that would preclude 
them from accrediting such foreign cooperatives under the program.

L. Regulatory Audit

    We proposed to define a ``regulatory audit'' as an audit of an 
eligible entity to determine whether such entity is in compliance with 
the provisions of the FD&C Act and the results of which are used in 
determining eligibility for food certification under section 801(q) of 
the FD&C Act or facility certification under section 806 of the FD&C 
Act, and may be used by an importer in meeting the requirements for an 
onsite audit of a foreign supplier under the FSVP program.
    (Comment 18) Some comments request that we clarify the definition 
of ``regulatory audit.''
    (Response 18) The comments requesting clarification failed to 
mention specific characteristics in the definition needing 
clarification and did not offer suggestions for clarification. 
Therefore, we decline to modify the definition based on these comments. 
However, on our own initiative we have revised the definition of 
``regulatory audit'' by removing the clause ``, and may be used by an 
importer in meeting the requirements for an onsite audit of a foreign 
supplier under subpart L of this part'' that does not appear in the 
statute. We did this in part to avoid confusion. We emphasize that an 
audit conducted for the purposes of FSVP would not need to be conducted 
by a third-party certification body under this subpart. See section 
XIII.G. Nor are facilities required to use third-party certification 
bodies accredited under this rule in meeting their supplier 
verification requirements under the final human or animal preventive 
controls regulations. On our own initiative, we are revising the 
definition of ``regulatory audit'' to clarify that the results of a 
regulatory audit may be used to determine eligibility for any 
certifications that may be used for purposes of section 801(q) or 
section 806 of the FD&C Act.

M. Self-Assessment

    We proposed to define ``self-assessment'' as a systematic 
assessment conducted by an accreditation body or by a third-party 
certification body to determine whether it meets the applicable 
requirements of this subpart.
    We received no adverse comments about our proposed definition. 
However, on our own initiative, we are revising the definition of 
``self-assessment'' to improve clarity and to specify what is required 
of a recognized accreditation body and an accredited third-party 
certification body when performing these evaluations.

N. Third-Party Auditor

    We proposed to define a ``third-party auditor'' as a foreign 
government, agency of a foreign government, foreign cooperative, or any 
other third-party that is eligible to be considered for accreditation 
to conduct food safety audits and to certify that eligible entities 
meet the applicable requirements of the FD&C Act. We further proposed 
that a third-party auditor may be a single individual or an 
organization and may use audit agents to conduct food safety audits. 
Finally, we proposed that ``third-party auditor'' has the same meaning 
as ``certification body'' as that term was defined in the proposed 
rule.
    (Comment 19) As described in Comment 1, we received several 
comments urging us to align our definitions and terminology with 
international standards. Some comments state that the term ``third-
party auditor,'' the language of the statute notwithstanding, is not 
correct terminology to use interchangeably with ``third-party 
certification body.''
    (Response 19) As discussed previously, we agree that it is 
beneficial to use terminology in this rule that is consistent with 
terminology used in international standards when feasible and 
appropriate. Therefore, we are deleting the definition of ``third-party 
auditor'' in the final rule and will use the term ``third-party 
certification body'' in this rule except that we will use the term 
``third-party auditor'' in the definitions of ``Accredited third-party 
certification body'' and ``Third-party certification body'' in Sec.  
1.600(c) and in the preamble discussion of those definitions in section 
III.A. We are clarifying in the definition of ``third-party 
certification body'' in Sec.  1.600(c) that the term has the same 
meaning as ``third-party auditor'' as defined in section 808(a)(3) of 
the FD&C Act.

IV. Comments on Who Is Subject to This Subpart (Sec.  1.601)

    We proposed in Sec.  1.601 that this rule would apply to those 
accreditation bodies, third-party certification bodies, and eligible 
entities that seek to participate in this voluntary third-party 
certification program. We proposed two limited exemptions from section 
801(q) of the FD&C Act: One related to alcoholic beverages from an 
eligible entity that is a facility that meets certain conditions, and 
another related to certain food constituting not more than 5 percent of 
the overall sales of a facility meeting the conditions of the first 
exemption.

A. Limiting the Scope of the Rule to Regulatory Audits and 
Certifications

    Under proposed Sec.  1.601(b), we proposed that subpart M would 
apply to third-party certification bodies seeking accreditation to 
conduct food safety audits and issue certifications for purposes of 
sections 801(q) and 806 of the FD&C Act.
    (Comment 20) Some comments suggest we modify the language in Sec.  
1.601(b) regarding third-party certification bodies seeking 
accreditation to clarify that requirements of the rule apply only to 
imported foods that are subject to a condition of admissibility under 
section 801(q) of the FD&C Act and imported foods offered by an 
importer seeking to establish eligibility to participate in VQIP. In 
this view, the requirements of the rule (e.g., the notification 
requirements) should not apply to audits other than regulatory audits 
that are conducted for certification purposes.
    (Response 20) We decline to make the suggested revisions to Sec.  
1.601(b) because Sec.  1.601(b)(2) already describes the two types of 
certifications that may be issued by accredited third-party 
certification bodies under the final rule and the types of audits that 
they would conduct under this program (i.e., food safety audits, which 
include both consultative and regulatory audits). Audits conducted by 
third-party certification bodies that are outside of the scope of this 
program, and eligible entities receiving audits outside of the scope of 
this program, would not be

[[Page 74586]]

subject to the requirements of this final rule. With respect to the 
suggestion that the final rule should apply only to regulatory audits, 
and therefore not to consultative audits, we note, as previously 
discussed, that section 808 of the FD&C Act specifically defines 
``consultative audit'' and contains requirements for the conduct of 
both regulatory and consultative audits (see, e.g., section 808(a)(5) 
and (c)(4)(B) of the FD&C Act). Therefore, this final rule establishes 
requirements for consultative audits that are consistent with the 
provisions on consultative audits in the statute.

B. Exemption for Alcoholic Beverages

    Under proposed Sec.  1.601(d), we proposed to exempt from the 
certification requirements under section 801(q) of the FD&C Act 
alcoholic beverages that are imported from an eligible entity that is a 
facility that meets the following two conditions:
     Under the Federal Alcohol Administration Act or chapter 51 
of subtitle E of the Internal Revenue Code of 1986, the facility is a 
foreign facility of a type that, if it were a domestic facility, would 
require obtaining a permit from, registering with, or obtaining 
approval of a notice or application from the Secretary of the Treasury 
as a condition of doing business in the United States; and
     Under section 415 of the Federal Food, Drug, and Cosmetic 
Act, the facility is required to register as a facility because it is 
engaged in manufacturing/processing one or more alcoholic beverages.
    We also proposed that the certification requirements under section 
801(q) of the FD&C Act would not apply to food other than alcoholic 
beverages that is imported from a facility described in Sec.  
1.601(d)(1) provided that such food:
    (i) Is in prepackaged form that prevents any direct human contact 
with such food; and
    (ii) Constitutes not more than 5 percent of the overall sales of 
the facility, as determined by the Secretary of the Treasury.
    We tentatively concluded that these provisions were consistent with 
the provisions on alcohol-related facilities in section 116 of FSMA.
    (Comment 21) Some comments support the proposed exemption of 
imported beverage alcohol products, but encourage us to clarify and 
amplify the exemption to cover the raw materials and ingredients (e.g., 
grapes, grains, hops, flavors) used to produce alcoholic beverages. The 
comments assert that the requested exemption would provide for 
consistency between domestic and foreign facilities and would be 
consistent with Congressional intent regarding section 116 of FSMA. The 
comments assert that the expanded exemption would be consistent with 
the regulations on preventive controls for human food. The comments 
urge us to consult their comments on the FSVP proposed rule.
    (Response 21) As requested, we consulted comments submitted on 
proposed Sec.  1.501(e) in the FSVP proposed rule, requesting an 
exemption from the FSVP requirements for the importation of the raw 
materials and ingredients (e.g., grapes, grains, hops, flavors) used to 
produce alcoholic beverages, and asserting that such an exemption would 
be consistent with Congressional intent regarding section 116 of FSMA.
    We considered the comments' request in light of the risk-based 
public health principles generally underlying FSMA and have concluded 
that Congress did not intend for FSMA's core requirements to apply to 
the manufacture/processing, packing, and holding of alcoholic 
beverages. Congress may have made such a conclusion in light of the 
potential antimicrobial function of the alcohol content in such 
beverages and the concurrent regulation of alcoholic beverage-related 
facilities by both FDA and the Alcohol and Tobacco Tax and Trade 
Bureau. In light of this context, we have concluded that section 116 of 
FSMA should be interpreted to mean that the manufacturing, processing, 
packing, or holding of alcoholic beverages at most alcohol-related 
facilities should not be subject to this rule.
    We believe the same rationale supports the comments' request. 
Accordingly, and consistent with the final FSVP regulation, we are 
expanding the exemption from certification under section 801(q) of the 
FD&C Act in Sec.  1.601(d) to cover raw materials or other ingredients 
that are used to manufacture/process, pack or hold alcoholic beverages 
by an importer required to be registered under section 415 of the FD&C 
Act, when such facilities are exempt from the preventive controls 
regulations under 21 CFR 117.5(i).
    Also in this final rule, we are replacing the term ``food other 
than alcoholic beverages,'' to describe the applicability of the 
exemption, with the term ``food that is not an alcoholic beverage.''

C. USDA Regulated Products

    (Comment 22) Some comments suggest we explicitly exempt products 
under USDA jurisdiction from the requirements of this rule.
    (Response 22) We agree that an exemption to 801(q) is appropriate 
with respect to meat, poultry, and egg products regulated by USDA at 
the time of importation. The final rule adds a new Sec.  1.601(d)(2) 
which states that any certification under 801(q) does not apply to 
meat, poultry, and egg products that at the time of importation are 
subject to the requirements of the USDA under FMIA (21 U.S.C. 601 et 
seq.), PPIA (21 U.S.C. 451 et seq.), or EPIA (21 U.S.C. 1031 et seq.). 
We conclude that this provision is consistent with section 403 of FSMA, 
entitled ``Rule of Construction,'' which states that nothing in FSMA 
shall be construed to alter or limit the jurisdiction of the Secretary 
of the Department of Agriculture. For many decades, USDA has exercised 
authority and responsibility over the import of such meat, poultry, and 
egg products, and has detailed regulations and procedures implementing 
this authority. In light of USDA's role with respect to the importation 
of these products, and also in light of section 403 of FSMA, we believe 
that Congress did not intend for an FDA determination under section 
801(q) of the FD&C Act to apply to meat, poultry, and egg products that 
at the time of importation are subject to USDA requirements under the 
MPIA, PPIA, and EPIA, respectively. We therefore conclude that final 
Sec.  1.601(d)(2) is consistent with Congress's intent in promulgating 
section 403 of FSMA.
    With respect to the third-party program, we note that the program 
establishes a voluntary system of certification by accredited third-
party certification bodies that food and facilities meet applicable 
requirements of the FD&C Act and FDA regulations. Certifications issued 
under this program will not be used to facilitate entry of meat, 
poultry, and egg products that are regulated by USDA at the time of 
importation, as defined above.

V. Comments on Recognition of Accreditation Bodies Under This Subpart

A. Who is eligible to seek recognition? (Sec.  1.610)

    Proposed Sec.  1.610 states that an accreditation body would be 
eligible for recognition if it could demonstrate that it meets the 
requirements related to legal authority, competency, capacity, 
conflicts of interest, quality assurance, and records in Sec. Sec.  
1.611 through 1.615. In our discussion of this section in the preamble 
of the proposed rule we stated our tentative conclusions that key

[[Page 74587]]

elements of ISO/IEC 17011:2004 (Ref. 5) would form a basis for our 
requirements, and that documented conformance to that standard would be 
relevant in demonstrating that an accreditation body is qualified for 
recognition.
    (Comment 23) Some comments recommend that we require accreditation 
bodies to be signatories to IAF multilateral recognition agreements 
(IAF-MLAs) (which requires signatories, among other things, to conform 
to ISO/IEC 17011:2004) as a condition of recognition, and some contend 
it should be the sole criterion. Comments in favor of including 
signatory status as a requirement note that the process of becoming a 
signatory involves a thorough peer-review process, which helps ensure 
quality outcomes (e.g., signatories have to demonstrate conformance to 
ISO/IEC 17011:2004 as part of the peer review process). Comments note 
other aspects of IAF-MLA signatory status that would be beneficial to 
the program, such as periodic reevaluation by peer signatories to 
ensure continued compliance. These comments argue that when a foreign 
government is the accreditation body, it may be difficult for FDA to 
regulate a peer agency, so reliance on IAF-MLA signatory status would 
be helpful, in part because it would give an independent organization 
(IAF) a role in managing the accreditation body.
    Some comments discourage us from requiring IAF-MLA signatory status 
as a condition of recognition. Some comments suggest that we consider 
signatory status as a factor in favor of recognition, noting many of 
the same advantages touted by proponents of requiring signatory status, 
but suggest that we not make IAF-MLA signatory status a condition of 
program participation.
    Other comments explain that it would be premature to make IAF 
signatory status the sole requirement. The comments note that at the 
time of these comments the IAF-MLA does not yet include subscopes for 
specific food safety standards or schemes. Still other comments 
recommend that FDA study the issues surrounding signatory status 
further before making it a requirement, pointing out that some 
countries may not have signatory IAF-MLA members representing them.
    Some comments cite to third-party food safety audit programs 
administered by other governments, noting those programs do not require 
IAF-MLA status as a condition for program participation. These comments 
argue that it is more important to require conformance to ISO/IEC 
17011:2004.
    (Response 23) The comments uniformly agree on the value of an 
accreditation body's conformance to ISO/IEC 17011:2004 in establishing 
its qualifications for recognition. As discussed in section I.D., we 
agree that an accreditation body may use its documented conformance to 
ISO/IEC 17011:2004 to support its eligibility for recognition under 
this rule, supplemented as necessary (for example, to demonstrate 
capability to meet FDA requirements for reporting and notification 
under Sec.  1.623, if recognized). We also agree that additional 
documentation relating to IAF-MLA signatory status may be useful in 
supporting an accreditation body's application for recognition under 
this program. However, we disagree with comments suggesting that we 
require IAF-MLA signatory status as the sole criterion or one of 
several criteria for recognition to accredit third-party certification 
bodies to conduct food safety audits and to certify that eligible 
entities meet the applicable food safety requirements of the FD&C Act 
and FDA regulations at this time. We currently lack (and the comments 
did not provide) adequate information to conclude that IAF-MLA 
signatory status should be the sole factual basis or one of several 
criteria for determining whether an accreditation body can fulfill the 
roles and responsibilities of a recognized accreditation body under 
this subpart. Further, we also want to allow accreditation bodies that 
are not signatories to participate in the program if they meet the 
statutory and regulatory criteria.
    (Comment 24) As explained in section I.D., several comments support 
FDA's reliance on ISO/IEC 17011:2004 (Ref. 5) in developing the 
proposed rule. Other comments suggest FDA should place greater reliance 
on ISO/IEC 17011:2004 (Ref. 5), including some comments recommending 
that we incorporate the standard by reference into the rule.
    (Response 24) We agree with comments on the value of promoting 
international consistency and tapping into an existing framework that 
is familiar to accreditation bodies, third-party certification bodies, 
and the food industry. Accordingly, in Sec.  1.610 we are adding new 
language to state that an accreditation body may use documentation of 
conformance with ISO/IEC 17011:2004 (Ref. 5), supplemented as 
necessary, to demonstrate that it is eligible for recognition. This new 
language may make it easier for accreditation bodies that already 
conform to ISO/IEC 17011:2004 (Ref. 5) to apply for the program. We are 
also making conforming changes to Sec. Sec.  1.622(d) and 1.623(b), 
1.640(a), and 1.655(e).
    We decline to incorporate ISO/IEC 17011:2004 (Ref. 5) by reference 
as the sole criterion or one of several criteria for recognition, 
because the standard contains some provisions that are inconsistent 
with section 808 of the FD&C Act or impractical for use in our program. 
For example, ISO/IEC 17011:2004 (Ref. 5), clause 4.3.7, allows an 
accreditation body to have ``related bodies'' that provide conformity 
assessment services (e.g., auditing and certification) in areas the 
accreditation body accredits. (A ``related body'' is linked to the 
accreditation body by common ownership or contractual arrangement, 
under clause 4.3.7 NOTE 1.) The only safeguards that a related body is 
expressly required to meet are as follows: (1) It must have different 
top management than the accreditation body's top management; (2) 
different personnel from those involved in the accreditation 
decisionmaking processes; (3) no possibility to influence the outcome 
of an assessment for accreditation; and (4) distinctly different names, 
logos, and symbols. While clause 4.3.7 of ISO/IEC 17011 (Ref. 5) speaks 
to issues of common management and control of the accreditation body 
and its related body, the standard does not expressly prohibit the 
accreditation body from accrediting its related body with which it 
shares common ownership or financial interests. For example, an 
accreditation body that provides financial support (directly or 
indirectly) to a related body could be viewed as lacking the 
impartiality necessary to make an objective decision about whether the 
related body it supports is appropriately qualified. The impartiality 
provisions in ISO/IEC 17011:2004 (Ref. 5) are impractical for our 
purposes because they fail to address the range of possible conflicts 
associated with shared financial interests and ownership between a 
recognized accreditation body and a ``related'' third-party 
certification body under this rule. To help ensure the credibility of 
our program, Sec.  1.624 requires a recognized accreditation body to 
implement a program to ensure that the accreditation body and its 
officers, employees, and other agents involved in accreditation 
activities do not own or have a financial interest in a third-party 
certification body seeking its accreditation. Accordingly, it would be 
inappropriate for us to rely on the conflict of interest safeguards 
contained in ISO/IEC

[[Page 74588]]

17011:2004 (Ref. 5), in the third-party certification program we are 
establishing.
    For the foregoing reasons, we decline the suggestion to incorporate 
ISO/IEC 17011:2004 (Ref. 5) by reference into this rule.
    (Comment 25) Several comments express concern about our proposal to 
allow both public and private accreditation bodies to seek recognition. 
Some comments discourage us from allowing private entities to be 
accreditation bodies because of the concern that allowing for private 
accreditation bodies may cause conflicts of interest. Similarly, some 
comments contend that accreditation bodies must uphold public 
confidence and perform their duties objectively, which is the purview 
of governmental entities.
    Other comments take a contrary view, suggesting that some 
government agencies have missions that may undermine the objectivity 
and independence required of a recognized accreditation body. Some 
comments encourage us to consider which government agency/ministry in a 
given country may be eligible for recognition, and to solicit input 
from stakeholders as to which agencies/ministries are best positioned 
to perform this function.
    Still other comments assert that private and government entities 
are sufficiently different such that we should establish different 
conflict of interest provisions and requirements for each.
    (Response 25) Comments on both sides of this issue express concern 
that any accreditation body we recognize must be independent and 
objective in the performance of its duties. We share that concern. 
However, none of the comments offered substantiation that would lead us 
to bar public or private accreditation bodies, as a class, from seeking 
recognition because of conflicts of interest inherent in the class.
    Section 808 of the FD&C Act defines an ``accreditation body'' as an 
authority that accredits third-party certification bodies and makes no 
distinction between public and private accreditation bodies. We have 
concluded that both public and private accreditation bodies are 
potentially capable of exhibiting the impartiality necessary for 
recognition under this rule. Therefore in light of the broad definition 
of ``accreditation body'' and to maximize the opportunities for 
qualified accreditation bodies to participate in the program, FDA does 
not consider it to be appropriate to limit the program to only certain 
types of accreditation bodies.
    With respect to the comments that suggest we apply different 
conflict of interest requirements to different types of accreditation 
bodies, none of these comments offered an adequate explanation to 
justify different requirements for public and private accreditation 
bodies. Again, we note that section 808 of the FD&C Act does not make 
distinctions for different types of accreditation bodies.
    (Comment 26) Some comments request that we provide additional 
explanation regarding how an accreditation body that does not have 
experience accrediting third-party certification bodies for food safety 
scopes would become eligible for recognition under this program.
    (Response 26) An accreditation body of the type described in the 
comments' hypothetical might face practical difficulties in providing 
adequate substantiation demonstrating that it meets the requirements 
described in Sec.  1.610. However, we will consider each application on 
its own merits and do not foreclose the possibility for such an 
accreditation body to make the showing necessary to be granted 
recognition under this rule.

B. What legal authority must an accreditation body have to qualify for 
recognition? (Sec.  1.611)

    We proposed to require an accreditation body seeking recognition to 
demonstrate that it has adequate legal authority (as a governmental 
entity or through contractual rights) to assess a third-party 
certification body for accreditation, including authority to review 
records and conduct performance assessments (e.g., authority to witness 
the performance of a statistically significant number of employees and 
other agents conducting assessments). We proposed to require that the 
accreditation body have adequate authority to remove or modify an 
accreditation status, once granted. We also proposed to require the 
accreditation body to demonstrate that it would be capable of 
exercising the legal authority necessary to meet the program 
requirements, if we granted recognition.
    On our own initiative, in Sec.  1.611(a)(2) we replaced, 
``personnel and other agents,'' with, ``audit agents, or the third-
party certification body in the case of a third-party certification 
body that is an individual'' for clarity and consistency with section 
808(a)(4) of the FD&C Act. We have also made corresponding changes 
throughout this subpart.
    (Comment 27) Some comments provide support for this provision, and 
others encourage us to ensure that a private accreditation body seeking 
recognition could have adequate legal authority to operate.
    (Response 27) We agree with the comment urging us to ensure that a 
private accreditation body could have the necessary authority to act as 
a recognized accreditation body under this rule. As noted previously, 
we see no inherent reason why private entities could not theoretically 
meet the eligibility requirements for accreditation bodies under this 
rule. Therefore, we are revising Sec.  1.611(a) and (b) to clarify that 
an accreditation body can be a legal entity with contractual rights. By 
the words ``legal entity,'' we mean that the accreditation body must be 
duly authorized to operate as an accreditation body by governmental 
authorities responsible for such authorizations in any country or 
countries in which the accreditation body seeks to perform 
accreditation of third-party certification bodies under this rule.
    (Comment 28) Some comments ask us to clarify what we mean by 
``statistically significant'' as used in Sec.  1.611(a)(2) and 
elsewhere in the proposed rule to provide adequate confidence in the 
results of an analysis of the sample. The comments encourage us to 
abandon the phrase ``statistically significant'' in favor of the 
language of ISO/IEC 17011:2004 (Ref. 5), which requires an 
accreditation body to witness the performance of a representative 
number of third-party certification body staff.
    (Response 28) We understand from the comments that a body of 
knowledge and experience has developed among accreditation bodies 
conforming to ISO/IEC 17011: 2004 (Ref. 5) on the meaning of 
``representative'' numbers of observations and that no similar body of 
knowledge or experience exists on the meaning of ``statistically 
significant'' numbers of observations in this context. Accordingly, we 
are revising Sec.  1.611 to require observations of a ``representative 
sample'' of audit agents and food safety audits. We are making similar 
revisions to other sections of the rule that require onsite 
observations.
    For purposes of an accreditation body's observations of a third-
party certification body under this rule, what constitutes a 
``representative sample'' will be decided on a case-by-case basis, 
depending on various factors. These factors include the scope of 
accreditation, whether the third-party certification body is an 
individual who will conduct audits and make certification decisions, or 
whether the third-party certification body uses agents to conduct 
audits and, if so, whether such agents are centrally managed, 
conducting similar types of

[[Page 74589]]

audits, under a single set of operating procedures or whether the 
agents are managed from various locations, perform different types of 
audits, or follow different procedures such that these various 
locations, activities, or practices must be observed to ensure that the 
sample is sufficiently representative. A representative sample also 
must provide adequate confidence in the results of an analysis of the 
sample.

C. What competency and capacity must an accreditation body have to 
qualify for recognition? (Sec.  1.612)

    We proposed to require an accreditation body seeking recognition to 
demonstrate that it has the resources required to adequately implement 
its accreditation program, including adequate numbers of qualified 
employees and other agents, adequate financial resources for its 
operations, and the capability to meet the resource demands of a 
recognized accreditation body, in the event the accreditation body is 
recognized.
    (Comment 29) We received some comments on this provision, which 
also support the proposed rule's requirement that accreditation bodies 
demonstrate their competence and capacity based on the requirements of 
ISO/IEC 17011:2004 (Ref. 5). However, these comments disagree with our 
statement in the preamble that liability coverage requirements should 
not apply to this rule. The comments argue that we should include a 
requirement for accreditation bodies to carry liability coverage, 
noting that it is one of the requirements in ISO/IEC 17011:2004 (Ref. 
5) and describing it as especially important because of the risks 
associated with food safety.
    (Response 29) We agree with the comments that liability insurance 
may be useful in demonstrating the adequacy of an accreditation body's 
resources, for example, under ISO/IEC 17011:2004 (Ref. 5); however, FDA 
lacks experience in evaluating the adequacy of liability coverage for 
accreditation activities and we do not believe it would be appropriate 
for FDA to make recognition decisions primarily on this basis. We 
believe an accreditation body can demonstrate that it is adequately 
resourced in a number of different ways, including providing 
documentation of liability coverage as part of the information 
submitted to help to demonstrate that accreditation body is adequately 
resourced.

D. What protections against conflict of interest must an accreditation 
body have to qualify for recognition? (Sec.  1.613)

    Proposed Sec.  1.613 requires accreditation bodies to demonstrate 
that they have written measures to protect against conflicts of 
interest with third-party certification bodies and the capability to 
meet the rule's other conflict of interest requirements.
    On our own initiative, we are clarifying that the scope of conflict 
of interest provisions in Sec.  1.613(a) is limited to individuals 
involved in accreditation, auditing, and certification activities and 
not, for example, employees involved in purely administrative 
functions, such as payroll, or in positions that support administrative 
functions, such as computer technicians. Therefore, Sec.  1.613(a) of 
this rule applies to interests between the officers, employees, and 
other agents of the accreditation body that are involved in 
accreditation activities and the officers, employees, and other agents 
of the third-party certification body involved in auditing and 
certification activities. We are making corresponding changes in the 
subsequent provisions for recognized accreditation bodies under Sec.  
1.624(a).
    (Comment 30) Some comments take issue with our decision not to 
include the requirements of clause 4.3.2 of ISO/IEC 17011:2004 (Ref. 
5), which requires the accreditation body to have documented and 
implemented a structure relating to conflicts of interest that provides 
for effective involvement by interested parties with balanced 
representation ensured.
    (Response 30) We decline to require that recognized accreditation 
bodies establish and implement a structure for involving interested 
parties in matters relating to the conflict of interest requirements 
for recognized accreditation bodies. It would be administratively 
burdensome for FDA to establish a mechanism for monitoring the 
activities of interested parties that the accreditation body elects to 
involve to comply with such requirements. In our third-party 
certification program, impartiality will be protected by the conflict 
of interest provisions for accreditation bodies in Sec.  1.624, the 
appeals provisions in Sec.  1.620(d), and FDA's oversight activities.

E. What quality assurance procedures must an accreditation body have to 
qualify for recognition? (Sec.  1.614)

    Proposed Sec.  1.614 requires accreditation bodies to implement a 
written quality assurance program and have the capability to meet the 
rule's other quality assurance requirements.
    (Comment 31) Some comments encourage FDA to more closely align 
Sec.  1.614 with established international standards on quality 
assurance programs. Some ask us to rely on the relevant provisions in 
ISO/IEC 17011:2004 (Ref. 5) in particular.
    (Response 31) We agree with the comments and as described in 
section I.D., we are revising Sec.  1.610 to allow accreditation bodies 
to use their demonstrated conformance to ISO/IEC 17011:2004 (Ref. 5), 
supplemented as necessary, in meeting the requirements for recognition.
    (Comment 32) Some comments ask us to clarify the language in Sec.  
1.614(a)(1) and (2) regarding food safety problems and corrective 
actions.
    (Response 32) We agree and have revised Sec.  1.614(a)(1) and (2) 
to clarify that an accreditation body must demonstrate that it has 
procedures to identify deficiencies and procedures to execute 
corrective actions for such deficiencies, using language that better 
aligns with international standards (see, e.g., clause 5.5 in ISO/IEC 
17011:2004 (Ref. 5)).

F. What records procedures must an accreditation body have to qualify 
for recognition? (Sec.  1.615)

    Proposed Sec.  1.615 would require accreditation bodies seeking 
recognition to demonstrate that they have developed and implemented 
adequate written procedures for establishing, controlling, and 
retaining records and to demonstrate the capability to meet the 
program's records, reporting, and notification requirements, if 
recognized.
    (Comment 33) Some comments voice general concerns about 
confidentiality. Others state their concern with how confidentiality of 
third-party certification body records would be preserved when third-
party certification bodies must share information with recognized 
accreditation bodies and FDA. Noting that such information can be 
sensitive in nature and sometimes includes confidential business 
information, these comments urge us to place certain limits--i.e., only 
information related to food safety would be collected during audits of 
third-party certification bodies and such information would be shared 
only with the recognized accreditation body and FDA. Some comments 
suggest FDA require strict protective measures for information handled 
by third-party certification bodies and accreditation bodies, because 
the release of an eligible entity's confidential business information 
could have detrimental

[[Page 74590]]

effects on U.S. businesses and their foreign suppliers. These comments 
suggest the use of confidentiality protections such as ``confidential 
disclosure agreements'' so that the audit climate remains conducive to 
robust scrutiny and open dialogue.
    Some comments also express concern with the proposed use of 
electronic records, because of the opportunity for sensitive electronic 
information to be compromised. Such comments recommend that the final 
rule include requirements for both third-party certification bodies and 
accreditation bodies to ensure that electronic records remain secure in 
transit and during storage.
    (Response 33) We decline the suggestions to require confidential 
disclosure agreements between recognized accreditation bodies and 
third-party certification bodies under our program and to establish 
data protection requirements for electronic records and communications 
of recognized accreditation bodies and accredited third-party 
certification bodies. We understand that many accreditation bodies and 
third-party certification bodies have contractual agreements regarding 
confidentiality and disclosure by those parties. We expect 
accreditation bodies that become recognized under our program may elect 
to establish contracts that incorporate language on information sharing 
with FDA for third-party certification bodies seeking accreditation 
under this program. For such accreditation bodies, how they choose to 
accomplish this--e.g., whether by establishing a separate 
confidentiality agreement or through revision of current contract 
language or creation of a new contract addendum--is a decision best 
made by the parties to those contracts. Accreditation bodies and third-
party certification bodies will have common interests in safeguarding 
the electronic records they store and transmit to each other; 
therefore, we have no reason to believe that any separate agreements 
will lack adequate protections for confidentiality of information, 
including information stored and shared among the parties 
electronically.
    This rule focuses on confidentiality and disclosure with respect to 
information shared with FDA. As explained in section XIII.F., FDA will 
protect the confidentiality of information accessed by or submitted to 
the Agency in accordance with Sec.  1.695 of this subpart. With respect 
to the storage of electronic records and electronic transmission of 
information by FDA, we note that we are working the FDA IT security 
professionals in establishing the electronic portal for the third-party 
certification program to apply adequate and appropriate controls to 
ensure the confidentiality and integrity of data submitted to FDA 
through the portal.
    (Comment 34) In the proposed rule preamble discussion of this 
section we stated that, ``[a]ccreditation bodies applying for 
recognition must demonstrate their capacity, if recognized, to grant us 
access to confidential information, including information contained in 
records, without prior written consent of the third-party certification 
body involved. Having access to records relating to accreditation 
activities (including confidential information) under this subpart is 
necessary to ensure the rigor, credibility, and independence of the 
program.'' Some comments take issue with this point, arguing that 
accreditation bodies would not be able to grant such access--they would 
only be able to grant access to confidential information with prior 
written consent. That is, the accreditation body would first need to 
make arrangements for FDA access to confidential records with the 
third-party certification bodies it accredits and the eligible entities 
certified by those third-party certification bodies. Comments that 
express doubt about private sector foreign accreditation bodies 
actually granting FDA access to confidential records contend that such 
access is particularly unlikely without the prior written consent of 
the third-party certification body whose records are sought.
    (Response 34) We agree with the comments that the contracts 
accreditation bodies currently use with their third-party certification 
body clients do not contemplate the program we are establishing. As 
comments suggest, we would expect that confidentiality provisions in 
standard contracts would need to be revised such that, in signing a 
contract for accreditation under the FDA program, the third-party 
certification body would be giving the accreditation body its prior 
consent to perform any reporting or notification necessary for the 
recognized accreditation body to fulfill its obligations under the 
rule. Indeed, we expect that accreditation bodies seeking recognition 
will demonstrate their ability to comply with the reporting and 
notification provisions of this rule by providing us examples of 
standard contract language that has been suitably revised as comments 
describe.

VI. Comments on Requirements for Recognized Accreditation Bodies Under 
This Subpart

A. How must a recognized accreditation body evaluate third-party 
certification bodies seeking accreditation? (Sec.  1.620)

    Proposed Sec.  1.620 would establish the criteria and procedures 
that a recognized accreditation body must use in assessing third-party 
certification bodies for accreditation. Paragraph (a) broadly addresses 
the different requirements for foreign governments and foreign 
cooperatives or other third parties. Paragraph (b) requires the 
accreditation body to require third-party certification bodies to 
satisfy the rule's reporting and notification requirements. Paragraph 
(c) requires the accreditation body to maintain certain records, such 
as those related to withdrawal or suspension of a third-party 
certification body. Paragraph (d) requires an accreditation body to 
have written procedures for handling appeals from third-party 
certification bodies, and requires certain minimal appeal procedures.
    On our own initiative, we are revising Sec.  1.620(a)(2) and (3) to 
apply to accredited third-party certification bodies that are comprised 
of a single individual, as applicable. We are also removing, ``and any 
requirements specified in FDA model accreditation standards regarding 
qualifications for accreditation, including legal authority, 
competency, capacity, conflicts of interest, quality assurance, and 
records'' to follow good guidance practice. We are making corresponding 
changes to Sec. Sec.  1.620(a)(1), 1.640(b), and 1.640(c). We are also 
revising Sec.  1.620(c) to specify that recognized accreditation bodies 
must also include the date of the action in their records relating to 
any denial of accreditation or the withdrawal, suspension, or reduction 
in scope of accreditation of a third-party certification body. In 
addition, we are revising Sec.  1.620(d) to clarify that the recognized 
accreditation body must notify any third-party certification body of an 
adverse decision associated with its accreditation under the subpart, 
including denial of accreditation or the withdrawal, suspension, or 
reduction in the scope of its accreditation.
    (Comment 35) In paragraph (a)(3) of this proposed section we stated 
that a recognized accreditation body must observe ``a statistically 
significant number of onsite audits'' conducted by the third-party 
certification body seeking accreditation. Some comments request 
clarification of what we meant by ``statistically significant,'' so 
that accreditation bodies would know what

[[Page 74591]]

would be an adequate number of audits to observe to provide adequate 
confidence in the results of an analysis of such observations. The 
comments suggest that we should explain the criteria for determining 
the number of witness audits to be conducted under proposed Sec.  1.620 
and ask whether site-specific issues such as geographic factors should 
be considered. Other comments encourage us to abandon the phrase 
``statistically significant'' in favor of the language of ISO/IEC 
17011:2004 (Ref. 5), which requires an accreditation body to witness 
the performance of a representative number of third-party certification 
body staff.
    (Response 35) We have removed the phrase ``statistically 
significant'' in Sec.  1.620(a)(3) and inserted the phrase 
``representative sample.'' We explain in Response 28 that comments 
presented compelling arguments that a significant body of knowledge and 
experience has developed around the meaning of a ``representative'' 
number of observations under ISO/IEC 17011:2004 (Ref. 5) to achieve an 
adequate level of confidence in the results. We have revised Sec.  
1.620(a)(3) accordingly. Site-specific issues may be relevant in 
determining the representative number of witness assessments to 
conduct, for example, where audit agents are located in remote offices 
or where food safety audits are managed by remote offices. The 
accrediting body, either a recognized accreditation body or FDA in the 
case of direct accreditation, will be best positioned to determine 
whether geographic issues are relevant for purposes of Sec.  
1.620(a)(3).
    (Comment 36) Some comments ask us to revise Sec.  1.620(d)(2) to 
clarify that the individuals used to hear appeals of adverse decisions 
by a recognized accreditation body could be individuals external to the 
accreditation body.
    (Response 36) We agree with the comments and have revised this 
provision to clarify that individuals used to hear appeals may be 
external to the accreditation body, as well as a similar provision 
applying to appeals by eligible entities of adverse decisions by an 
accredited third-party certification body. We have also revised this 
provision to use language similar to language that is used in Sec.  
16.42(b), which describes the characteristics of a presiding officer 
that may be used for FDA regulatory hearings.
    (Comment 37) In the preamble to the proposed rule we stated that we 
were not proposing to review the decisions of recognized accreditation 
bodies nor were we proposing to hear appeals from third-party 
certification bodies aggrieved by an accreditation body's decision(s). 
We sought comment on these matters. In response, some comments state 
their understanding that FDA would retain the authority to challenge a 
recognized accreditation body's decisions, because we have authority 
over the entire program.
    (Response 37) We agree with comments that our oversight extends to 
any accreditation body or third-party certification body participating 
in the program, including the authority to withdraw accreditation from 
a third-party certification body even if the accreditation was granted 
by a recognized accreditation body. However, FDA does not intend to 
serve as an appellate body for aggrieved third-party certification 
bodies, as this would be unworkable and unnecessary. Withdrawing the 
accreditation of a third-party certification body to remove it from our 
program is quite different than, for example, overturning an 
accreditation body's decision to deny accreditation to a third-party 
certification body in the first place. Our program is designed to 
ensure the competency and independence of accreditation bodies. As part 
of this program, FDA will be recognizing accreditation bodies to make 
accreditation decisions based on a determination that the accreditation 
body is qualified to do so. FDA involvement in accreditation decisions 
would defeat the purpose of the program. Additionally, FDA retains the 
authority to revoke the recognition of accreditation bodies for good 
cause under Sec.  1.634(a)(4) for failure to comply with this rule. For 
all of these reasons, FDA declines to codify a process to review 
appeals challenging recognized accreditation body decisions under this 
program.
    (Comment 38) Several comments encourage us to expand on the 
requirement to use ``independent'' person(s) to hear an appeal of an 
adverse accreditation body decision. Some comments suggest that we 
clarify that an independent person is one who was not involved in the 
decision that is the subject of the appeal. A few comments suggest we 
further require the accreditation body to use person(s) who are 
external to the organization.
    (Response 38) We agree with the suggestions to clarify Sec.  
1.620(d)(2) and are revising it to align with the impartiality 
provisions in 21 CFR part 16, which contains the regulations for 
regulatory hearings that we will generally apply under Sec.  1.693 to 
an appeal of a revocation or withdrawal. Under the part 16 regulations, 
the person presiding over the hearing must be free from bias or 
prejudice and must not have participated in the action that is the 
subject of the hearing or be subordinate to a person who participated 
in the action. We believe that the credibility of the third-party 
certification program will be enhanced by requiring recognized 
accreditation bodies to afford similar protections when considering 
appeals by certification bodies under this rule. While we decline the 
suggestion to require the use of external parties in deciding appeals, 
we note that a recognized accreditation body has flexibility to use an 
external party under Sec.  1.620(d)(2).

B. How must a recognized accreditation body monitor the performance of 
third-party certification bodies it accredited? (Sec.  1.621)

    We proposed to require a recognized accreditation body to conduct 
an annual evaluation of each of its accredited certification bodies 
that includes a review of the certification body's self-assessments, 
its regulatory audit reports, notifications to FDA, and any other 
information reasonably available. We requested comment on whether the 
information we proposed to require would provide a solid basis for an 
evaluation. We asked stakeholders whether we should include a 
requirement in Sec.  1.621 for onsite monitoring of accredited 
certification bodies and, if so, whether we should require the 
accreditation body to observe or visit the certification body's 
headquarters.
    (Comment 39) We received several comments on the annual assessment 
requirements of proposed Sec.  1.621. Some comments agree with the 
requirement for an annual assessment. Some comments mention a 
Government Accountability Office (GAO) report entitled, ``FDA Can 
Better Oversee Food Imports by Assessing and Leveraging Other 
Countries' Oversight Resources'' (GAO 12-933) and dated September 2012, 
which notes ongoing challenges with ensuring the competency of third 
parties to consistently apply standards and argues that annual 
assessments would improve certification body reliability and 
competency. Some of these comments state they would even support more 
frequent certification body evaluations.
    In contrast, some comments argue that annual assessments would be 
burdensome. Comments variously focus on the burden on accreditation 
bodies, certification bodies, and eligible entities. Some comments 
disapprove of the cumulative burden of all the assessments (e.g., self-
assessments and monitoring assessments) required

[[Page 74592]]

throughout the rule. Some comments suggest biennial assessments, and 
note that such a requirement would be consistent with ISO/IEC 
17011:2004 (Ref. 5). Still others argue that when the accreditation 
body or certification body is a government entity we should allow for 
flexibility around the timing of assessments.
    (Response 39) We agree with comments that express the view that 
annual assessments of certification bodies will help build confidence 
in the third-party certification program. Annual assessments will help 
accreditation bodies ensure certification bodies' continued compliance 
with the program requirements and quickly identify and address any 
deficiencies with a certification body before a situation escalates.
    We also acknowledge the concerns about the efforts needed to comply 
with the monitoring and self-assessment requirements of the rule. 
Section 1.621 is part of a set of proposed monitoring and self-
assessment requirements intended to work together in helping to ensure 
that the recognized accreditation bodies and accredited third-party 
certification bodies maintain compliance with the rule's requirements. 
The certification body self-assessment in Sec.  1.655 is intended to 
serve, in part, as information for use in the accreditation body 
monitoring in Sec.  1.621, the results of which we intend the 
accreditation body to use in its self-assessment under Sec.  1.622. We 
do not intend for the assessments to require duplicative efforts, with 
each section requiring a discrete set of activities with no opportunity 
to use the results of one set of activities when performing another. As 
explained in the preamble to the proposed rule, the accreditation body 
assessments of certification bodies will not only help ensure that the 
certification bodies continue to comply with our requirements, but also 
can help the accreditation body identify trends and any deficiencies in 
its own performance. The proposed monitoring and self-assessment 
activities are an essential part of the program's safety net.
    With respect to Sec.  1.621, in particular, we believe this section 
will be far less burdensome in practice than some of the comments 
anticipate, because of the convergence between the ISO/IEC standards 
and this rule. The activities required by Sec.  1.621 are similar in 
substance to surveillance activities under ISO/IEC 17011:2004 (Ref. 5), 
which includes review of audit reports, results of internal quality 
control, and management review records identified in clause 3.18 NOTE, 
and thus are likely to be activities many accreditation bodies already 
perform. In light of the foregoing, we have concluded that requiring 
accreditation bodies to perform annual evaluations of each 
certification body they accredit under the program is not unduly 
burdensome. We disagree with comments suggesting that monitoring should 
be more frequent than once a year, because requiring assessments to be 
performed and reported twice each year, for example, would result in a 
nearly continuous cycle of assessments and reports. Semiannual 
assessments are likely to produce limited data sets that would be less 
helpful for evaluation purposes than would larger data sets, such as 
compilations of 12 months of data, which allow for tracking and 
trending performance over time. Requiring assessments to be performed 
more frequently than once a year also risks creating significant 
disruption of the operations of accredited third-party certification 
bodies and eligible entities and might have the unintended effect of 
serving as a disincentive to participation in the program. For these 
reasons, we have determined that an annual monitoring requirement is 
appropriate to verify the overall effectiveness of the accredited 
third-party certification body's operations and performance in 
activities relevant to the third-party certification program and the 
validity of its certification decisions. Accordingly, we are not 
revising the annual certification body monitoring requirements we 
proposed in Sec.  1.621.
    (Comment 40) We received some comments on proposed Sec.  1.621(b) 
specifically, which would require an accreditation body to consider any 
other ``reasonably available'' information relevant to a determination 
of whether a certification body is in compliance with this rule. 
Comments encourage us to set limits around assessments conducted in the 
wake of an incident, noting that a problem involving one certification/
type of product should not involve review of all certifications/
products. These comments did not want an incident in one sector (e.g., 
human food) to unnecessarily jeopardize an accreditation in a separate 
sector (e.g., animal food). Some comments express concern that proposed 
Sec.  1.621(b) would require an accreditation body to review every 
certificate issued by a certification body if one of the eligible 
entities it certified was placed on FDA import alert.
    (Response 40) We decline the suggestions to narrow the scope of 
proposed Sec.  1.621(b) or to direct how recognized accreditation 
bodies should consider other ``reasonably available'' relevant 
information, because it will depend on the facts of a particular 
situation. In the wake of incidents, we expect the accreditation body 
to take appropriate steps to determine whether the certification body 
is in compliance with this subpart. Such steps may include a review of 
certifications for product areas other than the subject of the incident 
if the accreditation body deems it needed to assess the certification 
body's compliance. We reiterate, as we explained in the preamble to the 
proposed rule, we do not expect a recognized accreditation body launch 
investigations of each certification body it accredited absent cause, 
but we do expect the accreditation body to actively monitor public 
information about their certification bodies and not ignore public 
information about problems that might be associated with a 
certification body it accredited.
    (Comment 41) In response to our preamble questions about whether to 
require observations and certification body headquarters visits in 
Sec.  1.621, some comments state that observations are a useful tool 
and should be required. Similarly, some comments support a requirement 
for visiting the key location of the certification body. Some comments 
state that the accreditation body should visit any location of the 
accredited third-party certification body where the certification body 
manages its staff or agents conducting audits under this program, which 
the comments note may not be the certification body's headquarters. 
Other comments agree that onsite visits can be a useful tool, but 
encourage the use of remote assessments in certain circumstances (e.g., 
after the certification body has successfully completed a set number of 
accreditation cycles).
    Some comments suggest that we follow the requirements of relevant 
ISO/IEC standards in establishing requirements for observations and 
site visits under Sec.  1.621. Some comments express concern about the 
cumulative burden of the monitoring and self-assessments we proposed to 
require of accreditation bodies and certification bodies. A few 
comments express concern we might impose duplicative requirements for 
observations under Sec. Sec.  1.621 and 1.622(b). Some comments request 
guidance on how an eligible entity would be selected as a site for an 
observation.
    (Response 41) We agree with the comments that state that 
observations are useful and should be required as part of accredited 
third-party certification body monitoring. Likewise, we agree with the 
comments that state

[[Page 74593]]

a recognized accreditation body should visit any location of the 
certification body where the certification body manages its staff or 
agents conducting audits under this program, if different than the 
certification body's headquarters, to get a better understanding of how 
different locations operate. While we acknowledge that some 
accreditation bodies may be successfully using remote assessments in 
certain circumstances (e.g., after the certification body has 
successfully completed a set number of accreditation cycles), we 
decline the suggestion to allow for remote assessments in this 
rulemaking.
    In establishing requirements in Sec.  1.621 for observations and 
accredited third-party certification body visits, we considered 
comments' concerns that such requirements might be duplicative of the 
observation requirements in Sec.  1.622(b), might pose practical 
difficulties in arranging to observe audits, and might pose 
difficulties if a certification body had several ``key'' locations. We 
also considered comments' concerns about the cumulative burden of the 
monitoring and self-assessment requirements of the rule and the 
comments that urge us to align the requirements of Sec.  1.621 with the 
relevant international standards.
    Accordingly, in the final rule we are combining all of the 
paragraphs in proposed Sec.  1.621 into new Sec.  1.621(a), and we are 
adding a new paragraph (b) that requires the accreditation body to 
perform a representative sample of onsite observations of regulatory 
audits conducted by each accredited third-party certification body, as 
explained in Response 28, and visit the certification body's 
headquarters (or other certification body location if its audit agents 
are managed by the certification body at a location other than its 
headquarters). The observed audits and site visits must be performed by 
no later than 12 months after the certification body's initial 
accreditation and again every 2 years thereafter for the duration of 
its accreditation, including renewals. The requirements for the 
frequency of observed audits and site visits under Sec.  1.621(b) are 
similar to the intervals for surveillance onsite assessments in one of 
the options under clause 7.11.3 of ISO/IEC 17011:2004 (Ref. 5). We are 
also requiring the accreditation body to consider information from 
activities conducted under paragraph (b) in the annual performance 
report of the accredited third-party certification body.
    We also are making a corresponding revision to Sec.  1.622(b) to 
clarify that the accreditation body should consider the results of 
onsite observations and site visits conducted under Sec.  1.621(b) as 
part of its self-assessment under Sec.  1.622.

C. How must a recognized accreditation body monitor its own 
performance? (Sec.  1.622)

    Proposed Sec.  1.622 would require recognized accreditation bodies 
to conduct self-assessments on an annual basis, and as required under 
proposed Sec.  1.664(g) (following FDA withdrawal of accreditation of a 
certification body it accredited). Under the proposed rule, the 
accreditation body's self-assessment would include evaluating the 
performance of its officers, employees, or other agents; observing 
regulatory audits by a statistically significant number of 
certification bodies it accredited under this program, and creating a 
written report of results.
    (Comment 42) Some comments encourage a broader self-assessment. 
They contend that, in addition to requiring that accreditation bodies 
assess the consistency of their performance and their compliance with 
conflict of interest provisions, we should also require accreditation 
bodies to compare their performance against competitors, compare the 
certification bodies they accredit to other certification bodies, and 
look at industry best practices and benchmarks to set improvement 
objectives.
    (Response 42) The self-assessments are intended to help the 
accreditation body determine whether it is in compliance with the 
requirements of this rule. While the report elements suggested by 
comments might be useful for an accreditation body to consider, we do 
not believe those elements are necessary to a determination of 
compliance with the rule. Therefore, we decline to revise the rule in 
response to these comments.
    (Comment 43) Some comments question whether the requirements for 
accreditation body self-assessment would fit the government-to-
government model. Other comments suggest that the different nature of 
private operators and public administration warrant different 
requirements for each. The comments further contend that the workload 
associated with the program would be significant for any government 
agency; therefore, the time limits and frequencies of reporting should 
be more flexible in the case of government agencies.
    (Response 43) FDA uses self-assessment tools in various government-
to-government programs. As one comment notes, we require State 
governments to conduct annual self-assessments for their work under the 
Manufactured Food Regulatory Program Standards (MFRPS) and the Animal 
Feed Regulatory Program Standards. We also require a foreign government 
seeking a systems-recognition agreement with FDA to begin the process 
by completing the International Comparability Assessment Tool, which is 
a self-assessment tool that we developed based on the approach of the 
MFRPS self-assessment. Our experience in using self-assessment tools 
with foreign and State governments suggests to us that self-assessments 
would be feasible and appropriate in the context of this program as 
well.
    We decline the suggestion to afford more flexibility in deadlines 
for government agencies serving as recognized accreditation bodies than 
we afford to other recognized accreditation bodies. Section 808 of the 
FD&C Act makes no distinction between public and private accreditation 
bodies, and the proposed rule would place the same workload burden on 
private accreditation bodies as it would on public accreditation 
bodies. The comments fail to explain why the differences in nature of 
public and private accreditation bodies justify flexible deadlines for 
governmental accreditation bodies but not private accreditation bodies.
    (Comment 44) Some comments suggest that accreditation body self-
assessments under proposed Sec.  1.622 should be done in concert with 
its monitoring of certification bodies under proposed Sec.  1.621, 
because it would be more efficient and would reduce the burden on 
eligible entities that were observed during regulatory audits. Other 
comments question the need for accreditation body self-assessments to 
include requirements for observations, because they read our preamble 
discussion of proposed Sec.  1.621 as a signal that we would be 
requiring accreditation bodies to conduct annual onsite observations of 
each certification body under that provision.
    (Response 44) We agree that self-assessments under Sec.  1.622 can 
be done in concert with monitoring under Sec.  1.621. As described in 
Response 39, we do not intend the self-assessment and monitoring 
requirements of the rule to be duplicative. Having added requirements 
for observations and certification body site visits to certification 
body monitoring requirements in the final rule, we are revising Sec.  
1.622(b) to clarify that accreditation bodies may consider the results 
of any observations or visits conducted under Sec.  1.621(b) in its 
self-assessments.

[[Page 74594]]

    (Comment 45) Comments also suggest that international standards 
could provide guidance on improving the efficiency and effectiveness of 
an accreditation body's self-assessment. Some comments specifically 
suggest that FDA could rely on the internal audits and management 
reviews that are required under ISO/IEC 17011:2004 (Ref. 5) instead of 
requiring its own self-assessments.
    (Response 45) We agree that documentation of internal audits and 
management reviews required under ISO/IEC 17011:2004 (Ref. 5) could be 
useful to help demonstrate compliance with the requirement for self-
assessments under this program. We have revised Sec.  1.622(d) and made 
a conforming change to Sec.  1.623(b) to specifically allow a 
recognized accreditation body to use reports of internal audits and 
management reviews prepared for conformance with ISO/IEC 17011:2004 
(Ref. 5), supplemented as necessary, to demonstrate compliance with the 
accreditation body self-assessment requirements of Sec.  1.622.

D. What reports and notifications must a recognized accreditation body 
submit to FDA? (Sec.  1.623)

    Proposed Sec.  1.623 would require recognized accreditation bodies 
to submit to FDA reports of its self-assessments and annual re-
assessments of certification bodies within 45 days of completing the 
assessment. The proposed rule also would require notification to FDA of 
matters affecting recognition and accreditation status; notice of 
denials of accreditation and any significant change that would affect 
how the accreditation body complies with this rule would be required 
within 30 days, while immediate notification would be required for 
other matters (e.g., grant or withdrawing accreditation). Under the 
proposed rule the reports and notifications would have to be submitted 
electronically and in English.
    On our own initiative, we are revising Sec.  1.623(c)(1)(i) and 
(d)(1)(i) to require the recognized accreditation body to provide FDA 
the email address of any third-party certification body that was 
granted or denied accreditation (respectively) under our program. 
Having the email address will facilitate FDA's communications with such 
third-party certification bodies. We also are revising Sec.  
1.623(c)(1)(iv) on our own initiative to specify that a recognized 
accreditation body must also notify FDA of the expiration date of 
accreditation upon granting accreditation to a third-party 
certification body under this subpart.
    (Comment 46) Some comments ask whether FDA intends to provide 
feedback in response to self-assessment reports.
    (Response 46) While FDA will not be providing formal responses to 
the self-assessment reports, we will use the information in the reports 
in our oversight of the third-party certification program and will 
address any specific items of concern we identify in an accreditation 
body-self-assessment report directly with the accreditation body.
    (Comment 47) We received several comments related to our proposal 
to require all reports and notifications to be submitted in English. 
Some comments agree that both the notifications and the reports should 
be submitted in English. Some comments agree that notifications should 
be in English, but suggested that reports of self-assessments and re-
assessments of certification bodies could remain in their native 
language, and if FDA had any questions about such reports the 
accreditation body could furnish English translations.
    Some comments note the difficulty and others the expense for 
recognized accreditation bodies in countries that do not officially or 
routinely conduct business in English. Some comments request a longer 
period of time (e.g., up to 4 months) to submit documents that must be 
translated into English. Other comments note that if we require 
documents to be in English, and the translations are not done well, the 
documents may be difficult to understand.
    Some comments propose alternative solutions, including comments 
that suggest that FDA explore technical translation and recognition 
software, which in combination with standardized report/notification 
templates, might facilitate submission in languages other than English. 
Other comments suggest that if reports and notifications are submitted 
in languages other than English, the recognized accreditation body 
should be responsible for all translation costs.
    Some comments ask whether supporting documents that accompany 
reports also would have to be in English. Other comments inquire 
whether there is any flexibility in the language requirement for 
governmental accreditation bodies that do not maintain their records in 
English.
    (Response 47) We decline the suggestion to remove the requirement 
to submit reports and notifications in English. While allowing 
submissions in multiple languages might be helpful to some interested 
parties, the accreditation body reports and notifications required by 
Sec.  1.623 are essential to our oversight and management of the third-
party certification program and the programs that rely on 
certifications issued by accredited third-party certification bodies, 
and thus, must be in English in order for FDA to properly review and 
evaluate. Some comments ask to have up to 4 months to prepare an 
English translation of a submission under proposed Sec.  1.623. Such 
delays would be unworkable. For example, we cannot afford delays in 
translating an accreditation body's notification of withdrawal of 
accreditation, or an accreditation body's notification that a 
certification body has issued a food or facility certification without 
meeting the requirements of this rule. We are requiring immediate 
notification of these and other matters under Sec.  1.623(c) because of 
the implications for the program and possibly for our acceptance of 
certifications issued by the certification body. Unless the 
notification is submitted in English, our actions will be delayed until 
the information is translated. Although the annual certification body 
monitoring reports and the accreditation body self-assessments reports 
are not required to be submitted until 45 days after completion under 
Sec.  1.623(a) and (b)(i) (and 60 days following certification body 
withdrawal for self-assessment reports submitted under Sec.  
1.623(b)(ii)), we will use these reports to identify areas where FDA 
may need to promptly engage with an accreditation body or a 
certification body to address apparent misunderstandings or confusion 
about our program requirements. We plan to use these reports to 
identify emerging issues that need intervention. Therefore any 
additional time allotted for translation purposes would delay and 
possibly hinder our ability to use these reports for program evaluation 
and management.
    (Comment) 48) Some comments address the proposed timeframes for 
submitting reports and notifications, and suggest that instead of 
requiring reports within 45 days of completing the assessment/re-
assessment, we should require submission every 6 months or annually.
    (Response 48) We disagree with comments suggesting that we modify 
the timeframe for submission of reports of annual self-assessments and 
annual certification body monitoring reports from 45 days after 
completion to every 6 months or every year. We are concerned that the 
information could be outdated and our ability to use the

[[Page 74595]]

reports for early intervention would be significantly diminished.
    (Comment 49) Some comments contend that the volume of reports and 
notifications we proposed to require would be burdensome to FDA to 
review and maintain. They suggest that instead we require recognized 
accreditation bodies and their certification bodies to maintain reports 
of self-assessment/re-assessment, and provide prompt access to FDA upon 
request.
    (Response 49) We disagree. We are establishing an electronic portal 
for submission of applications, reports, notifications, and other 
information under this rule and an electronic repository of this 
information, which will allow us to access and use the information as 
needed. Therefore, we decline to revise Sec.  1.623 is response to 
these comments.
    (Comment 50) Some comments ask if all reports and notifications 
submitted to FDA will be subject to the Freedom of information Act 
(FOIA) or if these submissions will be considered confidential 
information with reasonable protections from disclosure. Other comments 
suggest the importance of striking the appropriate balance between 
disclosure and confidentiality and note the following statements in 
ISO/IEC 17021:2011 (Ref. 6), clause 4.1.3 and NOTE: ``Principles for 
inspiring confidence include: Impartiality, competence, responsibility, 
openness, confidentiality, and responsiveness to complaints . . . An 
appropriate balance between the principles of openness and 
confidentiality, including responsiveness to complaints, is necessary 
in order to demonstrate integrity and credibility to all users of 
certification.''
    (Response 51) We agree with comments suggesting the importance of 
striking the appropriate balance between providing transparency to the 
public and maintaining the confidentiality of any trade secrets and 
confidential commercial information included in the applications, 
reports, notifications, and other information submitted to FDA. We are 
guided in this effort by FOIA as well as laws that protect trade 
secrets and confidential commercial information from disclosure. In 
response to comments, we are adding new Sec.  1.695 on public 
disclosure, which is discussed in section XIII.F.
    (Comment 51) Some comments urge us to eliminate or reduce the 
proposed reporting requirements in proposed Sec.  1.623(a) and (b), for 
various reasons. Some of these comments suggest that we should only 
require regular submission of a report or other document that shows the 
third-party certification bodies are maintaining their accreditation. 
Other comments recommend that when a certification body is first 
accredited, it should submit translated accreditation documents within 
3 to 4 months of the accreditation body's decision. Then, as long as 
the accreditation is unchanged, it should not be necessary for the 
accreditation body to submit its--assessment reports under Sec.  
1.623(a).
    Some comments suggest it should not be necessary for accreditation 
bodies to submit their self-assessment reports under Sec.  1.623(b) if 
there is no significant change in their recognition. Other comments 
assert that signatories to IAF MLAs should not have to submit self-
assessment reports to FDA, because IAF monitors accreditation bodies 
for continued compliance with ISO/IEC 17011:2004 (Ref. 5).
    (Response 51) We disagree. As described in Response 47, the reports 
of annual certification body monitoring and accreditation body self-
assessments are essential to our oversight and management of the third-
party certification program and the programs that rely on 
certifications issued by accredited third-party certification bodies. 
We are not requiring accredited third-party certification bodies to 
submit their self-assessments to FDA (except for directly accredited 
third-party certification bodies); therefore, the reports that we 
receive of the recognized accreditation bodies' assessments of 
accredited third-party certification bodies are a fundamental piece of 
the monitoring system we are establishing, as are the self-assessment 
reports submitted by accreditation bodies we have recognized. Reducing 
or eliminating either of these reporting requirements would hinder our 
ability to properly oversee the program.
    (Comment 52) We received some requests for clarification regarding 
required content of the accreditation self-assessment reports and 
reports of certification body annual monitoring. Some comments request 
that FDA either suggest a format for the reports, provide an 
opportunity for accreditation bodies to propose a format, or at least 
indicate the minimum required elements.
    (Response 52) We believe we provided minimum requirements on the 
content of these reports in this rule and plan to provide additional 
information on the format and submission of these reports on our Web 
site.
    (Comment 53) Comments suggest that to be consistent with ISO/IEC 
17011:2004 (Ref. 5), a recognized accreditation body only would need to 
notify FDA of the approval, suspension, or withdrawal of accreditation 
of a third-party certification body, as well as any changes in its 
scope of the accreditation scope or reduction of authorization. The 
comments assert that the notification should not need to include such 
details as the address and name of third-party certification body 
employees under Sec.  1.624(c)(1).
    (Response 53) We agree that submission of the information described 
in the comment and required by clause 8 of ISO/IEC 17011:2004 (Ref. 5) 
is necessary for our program management and oversight. For example, it 
will help us verify the identity of any certification body before 
taking an action to affect its status in the program based on a 
notification submitted under Sec.  1.623. However, the notifications 
required under Sec.  1.623(c)(3) and (d) are also necessary for our 
program management and oversight. Under Sec.  1.623(c)(3), a recognized 
accreditation body would have to notify FDA if one of its accredited 
third-party certification bodies issued a food or facility 
certification without complying with the requirements of this rule. 
This notification will allow FDA to refuse to accept those improperly 
issued certifications and to coordinate with the accreditation body in 
determining appropriate next steps. Having information on a denial of 
accreditation under Sec.  1.623(d) will allow FDA to monitor 
accreditation activities across the program, including any repeat 
denials of a third-party certification body.
    With respect to providing the names of the audit agents of the 
accredited third-party certification body, we note that section 
808(b)(1)(B) of the FD&C Act requires a recognized accreditation body 
to submit to FDA a list of all third-party certification bodies it 
accredited under the program and the audit agents of such accredited 
certification bodies. The list of audit agents we proposed to require a 
recognized accreditation body to submit under Sec.  1.623(c)(1)(iii) is 
necessary for verification of compliance with the conflict of interest 
requirements by audit agents under section 808(c)(5)(A)(iii) and (B) of 
the FD&C Act and by proposed Sec.  1.657, among other things. With 
respect to the proposed requirement to provide the address and name of 
one or more of the officers of the accredited third-party certification 
body, this information will be helpful in communicating with the 
accredited third-party certification body.
    For the foregoing reasons, we decline the suggestion to eliminate 
the requirements for the recognized

[[Page 74596]]

accreditation body to provide FDA the name of one or more officers of 
the accredited third-party certification body under Sec.  
1.623(c)(1)(ii) and a list of audit agents of the accredited third-
party certification body under Sec.  1.623(c)(1)(iii).

E. How must a recognized accreditation body protect against conflicts 
of interest? (Sec.  1.624)

    Proposed Sec.  1.624 would require a recognized accreditation body 
to take certain steps to safeguard against conflicts of interest, 
including the requirement to implement a written conflict of interest 
program. The accreditation body would be prohibited from owning, having 
a financial interest in, or managing/controlling a certification body. 
Under the proposed rule, accreditation body employees would be unable 
to accept money, gifts or other items of value from the certification 
body, though we did exempt meals of de minimis value onsite where the 
assessment occurs. We also proposed to require that a recognized 
accreditation body maintain on its Web site a list of certification 
bodies it accredited under this program, the duration and scope of 
accreditation, and the date on which the certification bodies paid 
their fee or reimbursement associated accreditation. We sought comment 
on alternative approaches for public disclosure of payments.
    On our own initiative, we are adding new provision Sec.  1.624(b) 
to clarify when a recognized accreditation body can accept the payment 
of fees for its services so that the payment is not considered a 
conflict of interest for purposes of Sec.  1.624(a).
    (Comment 54) Some comments agree that a recognized accreditation 
body should be required to have a written program to protect against 
conflict of interest. Comments suggest that the written plans should 
include assurances of independence and safeguards to address any 
possibility of conflicts. Some comments state FDA should require 
accreditation bodies to make their conflict of interest policies 
public.
    (Response 54) We agree with comments about the importance of a 
recognized accreditation body having a written program to safeguard 
against conflicts of interest that meets the requirements of this rule. 
While a recognized accreditation body may choose to make its conflicts 
of interest program publicly available, we are not imposing that as a 
program requirement because we do not believe it is necessary to ensure 
that accreditation bodies safeguard against conflicts of interest.
    (Comment 55) We received several comments related to allowing 
certification bodies to provide onsite meals of de minimis value to 
accreditation body representatives conducting an audit. Several 
comments agree with the general concept of allowing meals of de minimis 
value. Some supporting comments state that allowing such meals would 
expedite the assessment, and could be necessary if the certification 
body is distant from meal service providers. With respect to the 
question of what constitutes ``de minimis'' value for these purposes, 
some comments endorse the idea of defining de minimis value in 
accordance with U.S. Government employee limits on accepting gifts or 
gratuities. Others simply encourage us to define it in some way that 
ensures consistency and clarity. Some comments state that we should not 
set a fixed amount for the de minimis value, because costs vary in 
different locations.
    Some comments disagree with the proposal to allow meals of de 
minimis value, and contend that the financial relationship between the 
accreditation body and the certification body should be strictly 
limited to the fee paid for the accreditation audit/services.
    (Response 55) We agree with the comments that suggest that allowing 
the certification body to provide meals of a de minimis value during an 
assessment and at the site where the assessment is being conducted 
might help facilitate the assessment, particularly for remote sites. We 
also agree with comments that state we should not set a fixed amount 
for the de minimis value because costs vary in different locations.
    We disagree with comments suggesting that by providing meals of a 
de minimis value, a certification body might influence the outcome of 
an accreditation body assessment, particularly if the only allowable 
meals are ones of minimal value that are provided during the course of 
an activity and with the purpose of facilitating timeliness and 
efficiency. FDA follows a similar approach for investigators conducting 
foreign inspections--that is, FDA investigators performing foreign 
inspections are allowed to accept lunches (of little cost) provided by 
the firm during the course of a foreign inspection. We also note that 
the U.S. government allows its employees to accept meals, within per 
diem limits, when on official business in a foreign country, as an 
exception to the prohibition on the acceptance of gifts or gratuities 
from outside sources (5 CFR 2635.204(i)(1)), though we believe the 
FDA's practices for foreign inspections serve as a better model because 
foreign inspections are more analogous to foreign assessments than are 
the range of activities that covered by the general requirements 
applicable to all U.S. government employees on official business in 
foreign countries. Accordingly, in light of the comments received and 
analogous FDA guidelines, we have concluded that it is reasonable and 
appropriate to limit the meal exception in Sec.  1.624(a)(3)(ii) to 
only lunches of de minimis value provided during the course of an 
assessment, on site at the premises where the assessment is being 
conducted, and only if necessary to facilitate the efficient conduct of 
the assessment. We believe these revisions help to address concerns 
regarding the threats to impartiality, while accommodating the 
practical considerations that apply to foreign assessments.
    We offer the following additional input to recognized accreditation 
bodies seeking guidance on the application of Sec.  1.624(a)(3)(ii). In 
considering whether a meal is allowable under this provision, we 
recommend that the assessor first consider whether accepting the lunch 
is necessary to facilitate the efficient conduct of the assessment. We 
recommend the assessor consider: (1) Whether the circumstances 
surrounding the travel would allow the assessor to pack a lunch to 
bring on site; (2) Whether the meal is being provided during the midday 
or early afternoon. A lunch provided in the midst of an assessment is 
different than a lunch or other meal provided at the completion of the 
audit; (3) Whether the site of the assessment is in close proximity to 
a retail food establishment, or is at a remote location far from a 
retail food establishment; (4) What is the estimated value (or cost) of 
the lunch in light of the costs associated with the area where the 
assessment is being conducted; and (5) other similar considerations.
    For assessors seeking additional guidance on determining what 
constitutes a ``de minimis'' amount for purposes of complying with 
Sec.  1.624(a)(3)(ii), we offer the following guidance that is based on 
the requirements applicable to U.S. government employees who accept 
certain meals while on official travel in foreign countries. Such 
employees must deduct from the per diem the value of that meal, 
calculated using a two-step process.
    First, the individual must determine the per diem applicable to the 
foreign area where the lunch was provided, as specified in the U.S. 
Department of State's Maximum Per Diem Allowances for Foreign Areas, 
Per Diem Supplement

[[Page 74597]]

Section 925 to the Standardized Regulations (GC,FA) available from the 
Superintendent of Documents, U.S. Government Printing Office, 
Washington, DC 20402, and available on the Department of State Web site 
at https://aoprals.state.gov/Web920/per_diem.asp. (Foreign per diem 
rates are established monthly by the Department of State's Office of 
Allowances as maximum U.S. dollar rates for reimbursement of U.S. 
Government civilians traveling on official business in foreign areas.)
    Second, the individual must determine the appropriate allocation 
for the meal within the daily per diem rate which is broken down into 
Lodging and M&IE (Meals & Incidental Expenses) that are reported 
separately in Appendix B of the Federal Travel Regulation and available 
on the Department of State's Web site at https://aoprals.state.gov/content.asp?content_id=114&menu_id=78.
    (Comment 56) Our proposal to require accreditation bodies to 
maintain a Web site listing of certification bodies, and information 
about each, drew several comments. Most comments agree with the Web 
site listing in principle. Some comments encourage us to require 
additional information in the Web site listing, such as requiring 
accreditation bodies to include in their Web site listing those 
certification bodies whose accreditations have been suspended or 
revoked. Some comments advise that the ``scope'' information required 
on the Web site should be specific (e.g., whether the accreditation is 
for human food, animal food, or for specific rules).
    Additionally, many comments address the proposed requirement to 
include fee information in the Web site listing. Some comments suggest 
that we require recognized accreditation bodies to specify what is 
included in the fee payment and what costs are reimbursable. We also 
received comments arguing that requiring payment schedules to be posted 
online is not sufficient to ensure that potential conflicts of interest 
will be identified; they suggested we require accreditation bodies to 
submit payment schedule information directly to FDA.
    Some comments disagree with the proposed requirement to require the 
Web site posting of payment schedules contending, among other things, 
that such information is proprietary. Some suggest that, instead, FDA 
should require accreditation bodies to keep records of payments which 
would be available to FDA if we have reason to examine them. Others 
suggest it would be sufficient for the financial payment information to 
be maintained such that FDA could review it during the recognition/
renewal process. Still other comments seek clarification as to whether 
we would be requiring, in addition to the date of payment, the dollar 
value of payment. These comments are not in favor of such a 
requirement; they state such payment details constitute sensitive 
information and argue that FDA should instead require the amount of 
payment to be in the records required under Sec.  1.625.
    (Response 56) We agree with comments that state that an 
accreditation body's Web site posting under Sec.  1.624(c), finalized 
as Sec.  1.624(d), must include specific information about the scope(s) 
of accreditation, for example by relevant part of 21 CFR or by a 
designation, such as ``part 123'' or ``Seafood HACCP'' (Hazard Analysis 
Critical Control Point). We also are revising final Sec.  1.624(d) to 
state that an accreditation body's Web site must identify a 
certification body whose accreditation was suspended, withdrawn, or 
reduced in scope, because we believe that this information would be 
important to eligible entities seeking information on accredited 
certification bodies. The suspension or withdrawal information must be 
maintained on the Web site for 4 years (the maximum duration of an 
accreditation under the rule) or until the suspension is lifted or the 
certification body is reaccredited by that accreditation body, 
whichever occurs first.
    In the interest of transparency, we are maintaining the requirement 
for accreditation bodies to post information on the timing of fee 
payments and direct reimbursements by certification bodies. This 
posting requirement is similar to the posting requirements that apply 
to certification bodies under Sec.  1.657(d) and will help build 
confidence in the impartiality of accreditation body accreditation 
decisions. We are not requiring posting of the amount of fees or 
reimbursement paid, because we do not think it is necessary to help 
build confidence in the impartiality of accreditation body 
accreditation decisions. We agree with the suggestion to specifically 
require fee payment records to be maintained and are revising Sec.  
1.625 accordingly.
    (Comment 57) Some comments contend that Sec.  1.624 is seriously 
flawed because it is inconsistent with ``the latest science on the 
issue'' and a 2009 Institute of Medicine (IOM) Report, ``Conflicts of 
Interest in Medical Research, Education, and Practice.'' They encourage 
FDA to evaluate the most recent scientific research on conflicts of 
interest and consult with leading academicians involved in such work. 
They contend that the fact of payment by the certification body to the 
accreditation body creates a conflict of interest that cannot be 
avoided so we should aim our regulation to minimize it. They recommend 
that we prohibit any financial relationship between the accreditation 
body and a certification body it audits for at least 1 year before 
accreditation was sought and 1 year after the last accreditation 
expires or was denied.
    (Response 57) While we agree with the comments' suggestion to 
remain vigilant in ensuring that our conflict of interest protections 
represent current best practices, we disagree with the assertion that 
Sec.  1.624 is seriously flawed and have concluded that the suggested 
revision would be infeasible and impractical. Third-party certification 
bodies currently accredited for food safety auditing by accreditation 
bodies that become recognized by FDA would have to apply to another 
recognized accreditation body to join our program if the comments' 
suggestion were adopted. This would create a disincentive to 
participation by experienced third-party certification bodies and would 
pose difficulties when the availability of recognized accreditation 
bodies is limited.
    In response to comments citing the 2009 IOM report on financial 
conflicts of interest between medical researchers and medical products 
companies, we note that it identified some conflict of interest issues 
that also are relevant to our third-party certification program, such 
as the need to disclose payments from industry and to place limits on 
meals and gifts. However, the differences between the context of 
medical research and practice and the context of our third-party 
certification program pose difficulties in identifying practical 
implications of the analysis for our purposes--i.e., the analysis of 
data suggesting that the acceptance of meals and gifts and other 
relationships may influence physicians to prescribe a company's 
medicines. Nor are the IOM recommendations readily adaptable to 
conflicts of interest in the third-party certification program. The 
``best practices'' we employ must be suitable for the third-party 
certification program and may differ from the state of the art best 
practices for conflict of interests in medical research. For example, 
the recommendations to place limits on the use of drug samples for 
patients who lack financial access to medications and to prohibit the 
claiming of authorship for ghost-written publications are not 
applicable to this program. For the foregoing reasons, we decline the

[[Page 74598]]

suggestion to prohibit any financial relationship, such as the payment 
of fees, between a recognized accreditation body and a certification 
body for at least 1 year before seeking accreditation and 1 year after 
the last accreditation expires or is denied.
    (Comment 58) Some comments reject the notion that there could be 
effective protections against conflict of interest. Such comments 
consider third-party food safety audits to possess inherent 
shortcomings and believe that FDA itself should conduct any food safety 
inspections required by FSMA.
    (Response 58) We disagree with the notion that it is not possible 
to effectively protect against conflicts of interest. Currently, 
accreditation bodies and certification bodies operate under a number of 
private schemes successfully, with reasonably effective protections 
against conflicts of interest. We note that the primary regulatory 
functions of the third-party certification program are to facilitate 
participation in VQIP and to provide certifications for the purposes of 
section 801(q) of the FD&C Act. At this time, we do not intend for 
private third-parties to conduct food safety inspections required by 
FSMA.

F. What records requirements must an accreditation body that has been 
recognized meet? (Sec.  1.625)

    Proposed Sec.  1.625 identifies specific types of documents a 
recognized accreditation body would be required to establish, control, 
and maintain to document compliance with applicable requirements 
(including applications for accreditation and for renewal; regulatory 
audit reports and supporting information from its accredited auditors/
certification bodies; reports and notifications required under proposed 
Sec.  1.623, along with any supporting information). The recognized 
accreditation body would be required to provide FDA access to such 
records. The rule also proposed to require records to be maintained 
electronically and in English for 5 years.
    In the proposed rule we acknowledged that the contracts between 
accreditation bodies and certification bodies frequently include 
confidentiality provisions that might otherwise prevent disclosure of 
certain records to FDA without prior approval of the certification 
body. We noted that any such contract provisions would need to be 
changed to allow the accreditation body to furnish FDA with the records 
identified in this section.
    On our own initiative, we are including fee payment records as 
another type of record that an accreditation body that has been 
recognized must maintain under Sec.  1.625(a)(8).
    (Comment 59) Several comments disagree with the proposed 
requirement for records to be maintained in English. Some comments, 
while noting their support for submission of reports and notifications 
in English under proposed Sec.  1.623, disagree with our proposal to 
require that records maintained by the accreditation body be kept in 
English as well. Some comments, noting the cost of translating all 
records, request that we allow records to be maintained in the language 
of the country. They propose we could require the accreditation body to 
provide the records in English upon our request within a reasonable 
time; some suggest a reasonable time might be a week, depending on the 
volume of records requested. Other comments argue that the food 
industry is global and in recognition of that fact FDA should accept 
records in other languages. Some comments suggest that we allow three 
or four additional widely-used languages.
    (Response 59) We agree with the recommendation to allow records 
held by the accreditation body to be maintained in a language other 
than English, coupled with a requirement that, upon FDA request, the 
accreditation body must provide an English translation of the records 
within a reasonable time.
    The records required by Sec.  1.625 are necessary to document the 
accreditation body's accreditation activities, and we expect to request 
access to the accreditation body's records as necessary to verify the 
accreditation body's continuing compliance with the requirements of 
this rule, such as when we are considering whether to renew its 
recognition. The accreditation body records also will be useful in 
helping to verify the compliance of certification bodies it accredited 
under the program. However, the records required by Sec.  1.625 are 
generally distinguishable from the reports and notifications that must 
be directly submitted to us under Sec.  1.623, which we are requiring 
to be submitted to FDA in English because the reports and notifications 
submitted directly to us are time sensitive in nature and essential to 
our management and oversight of the third-party certification program. 
For example, under Sec.  1.623(c) we are requiring immediate 
notification, in English, of an accreditation body's withdrawal of 
accreditation from a certification body. We cannot afford delays in 
translating this information, because of its implications for the 
program and possibly for our acceptance of certifications issued by the 
certification body. Unless the notification is submitted in English, 
our actions will be delayed until the information is translated.
    By contrast, the records required under Sec.  1.625 typically 
contain information that is less time sensitive; therefore, reasonable 
delays for translation purposes will not compromise our ability to 
manage or oversee the program. Accordingly, we are revising Sec.  1.625 
to allow other accreditation body records to be maintained and 
submitted to FDA in languages other than English, provided that an 
English language translation of such records is provided within a 
reasonable time thereafter. The circumstances surrounding each request 
will differ; therefore, we decline to set a specific (numerical) 
deadline for submission of the translation.
    (Comment 60) We received several comments expressing 
confidentiality concerns. Some comments note that documents that are 
part of an audit process may contain critical business information that 
warrants some level of proprietary protection.
    (Response 60) We acknowledge comments' concerns and note that we 
are including Sec.  1.695 on public disclosure in section XIII.F. The 
new section explains that records obtained by FDA under this subpart 
are subject to the disclosure requirements under 21 CFR part 20.
    (Comment 61) With regard to the proposed requirement that records 
must be maintained electronically, some comments discourage us from 
requiring compliance with 21 CFR part 11, which are regulations setting 
certain electronic records criteria. Comments contend that imposing 
part 11 requirements would be disproportionate to the need under this 
rule without an appreciable improvement in food safety and would create 
a tremendous and costly burden. They encourage FDA to explicitly 
exclude records under this rule from part 11. Comments propose that 
instead of imposing part 11 requirements, we require documentation of 
the chain of custody by requiring records to be signed and dated when 
created or modified.
    (Response 61) We acknowledge comments' concerns and note that we 
are establishing Sec.  1.694 on electronic records in section XIII.E. 
This new section will generally exempt records that are established or 
maintained to satisfy the requirements of this subpart from the 
requirements of part 11.
    (Comment 61) Some comments express concern that our proposed record 
keeping requirement was too broad; and others express concern about

[[Page 74599]]

how we might use our authority to request records. Some comments 
request clarification of our proposed requirement that accreditation 
bodies' records include any supporting information for the reports and 
notifications required under Sec.  1.623. Other comments suggest that 
our records requests should be narrower when the recognized 
accreditation body is a foreign government than a records request to a 
recognized, nonprofit accreditation body. Still other comments 
encourage us to clarify the circumstances under which FDA staff could 
request records and to include a method for an accreditation body to 
object to an FDA records request.
    (Response 62) The records we are requiring an accreditation body to 
maintain under Sec.  1.625 are necessary to document the accreditation 
body's accreditation activities and its compliance with the 
requirements of this rule. We expect to request access to the 
accreditation body's records in verifying an accreditation body's 
continuing compliance with the requirements of this rule. While the 
details of each records request will vary depending on its 
circumstances, we will tailor our records requests under Sec.  1.625 as 
narrowly as possible to reach program-related records and exclude 
records that are irrelevant or insignificant to this program. For 
example, the information an accreditation body reports under Sec.  
1.623 may prompt us to request the underlying record to supplement the 
report as needed. Or, when an accreditation body is requesting renewal 
of its recognition, we may request records to supplement information 
provided in the application.
    Therefore, we believe it is unnecessary to develop administrative 
procedures for accreditation body challenges to FDA records requests. 
We recommend accreditation bodies to fully consider the program 
requirements before deciding to pursue recognition under the voluntary 
third-party certification program.
    (Comment 63) We proposed that if FDA requests records 
electronically, the recognized accreditation body provide the requested 
records within 10 days. Some comments contend that 10 days is 
insufficient time, and instead request a period of 3 months.
    (Response 63) We believe that 10 days is ample time for 
accreditation bodies to electronically submit any requested records 
they are already required to maintain under this subpart. We note that 
we are revising the final rule to allow accreditation bodies to 
maintain and submit records in languages other than English, provided 
that they electronically submit an English translation within a 
reasonable time thereafter. By allowing records to be submitted in a 
language other than English, accreditation bodies should be able to 
provide requested records electronically within 10 days.

VII. Comments on Procedures for Recognition of Accreditation Bodies 
Under This Subpart

A. How do I apply to FDA for recognition or renewal of recognition? 
(Sec.  1.630)

    We proposed to establish procedures for accreditation bodies to 
follow when applying to FDA for recognition or for renewal of 
recognition. We proposed that the accreditation body must submit a 
signed application, accompanied by any supporting documents, 
electronically and in English, demonstrating that it meets the 
eligibility requirements in proposed Sec.  1.610. We also proposed to 
require an applicant to provide any translation or interpretation 
services we need to process the application.
    (Comment 64) Some comments assert that the proposed rule does not 
differentiate adequately between foreign governments and private 
entities that are serving as accreditation bodies and suggest that we 
provide a separate path for recognition of foreign government 
accreditation bodies that prioritizes their applications over those 
submitted by private accreditation bodies. The comments recommend that 
we draft additional rules to specifically cover recognition of foreign 
government accreditation bodies and/or direct accreditation of foreign 
government certification bodies.
    (Response 64) We disagree with the recommendation to create a 
bifurcated system for recognition, because the line between 
governmental and private accreditation bodies is not always clear. 
Private accreditation bodies comprise approximately one third of the 72 
accreditation bodies that accredit food safety certification bodies 
around the world, according to a report prepared by the Research 
Triangle Institute (RTI) (Ref. 16). In the report, RTI found that the 
distribution of accreditation bodies by private versus government 
agency is as follows: 24 private accreditation bodies, 38 governmental 
accreditation bodies, and 10 accreditation bodies with unknown private 
or government agency status. RTI found that the vast majority of the 
private accreditation bodies were non-profit entities. Many of the 
private accreditation bodies identified by RTI operate under government 
sanction or in quasi-governmental roles. For example, the American 
National Standards Institute (ANSI) is a private, non-profit 
accreditation body that serves as the official U.S. representative to 
ISO (Ref. 17); the United Kingdom Accreditation Services is appointed 
as the national accreditation body for the United Kingdom, though it is 
independent of the government (Ref. 18); and the Danish Accreditation 
and Metrology Fund is a self-described ``business fund'' that is 
appointed by the Danish Safety Technology Authority as the national 
accreditation body for Denmark (Ref. 19). Additionally, we note that 
section 808 of the FD&C Act makes no distinction in the requirements or 
process for recognizing public or private accreditation bodies. 
Furthermore, we do not believe it practical to engage in additional 
rulemaking for foreign government accreditation bodies and 
certification applications, as the comments suggest.
    (Comment 65) Some comments ask us to accept applications in other 
languages common to the major production areas exporting product to the 
United States. These comments assert that due to the global nature of 
produce supply chains allowing applications in other languages would 
encourage supply chain participation in third-party auditing programs 
as a tool to improve food safety. These comments suggest that we could 
develop a phased process where we only accept English applications 
initially, but increase flexibility to accept applications/renewal 
documents in other languages as the program builds up.
    (Response 65) We acknowledge that accepting applications for 
recognition in languages other than English might be beneficial to some 
interested parties. However, requiring applications for recognition to 
be submitted in English will help us make well-informed and timely 
decisions. Further, FDA does not have the resources to translate or 
review documentation in other languages and generally requires 
documents submitted in other languages to be translated to English. 
Therefore, we decline the suggestion to develop long-term plans for 
accepting applications for recognition in languages other than English.
    (Comment 66) Some comments ask what costs are associated with 
getting recognized as an accreditation body.
    (Response 66) Pursuant to section 808(c)(8) of the FD&C Act, we 
issued proposed regulations to establish a reimbursement (user fee) 
program to assess fees and require reimbursement for the work performed 
to establish and administer the third-party certification

[[Page 74600]]

program. The proposed rule provides details on how user fees would be 
computed (80 FR 43987, July 24, 2015).

B. How will FDA review my application for recognition or for renewal of 
recognition and what happens once FDA decides on my application? (Sec.  
1.631)

    We proposed to establish procedures for reviewing and deciding on 
applications for recognition and for renewal of recognition. We 
proposed to order the application queue on a first in, first out basis 
and to only place complete applications in the queue.
    On our own initiative, we are revising paragraph (a) to clarify 
that FDA will review submitted applications for completeness and will 
notify applicants of any identified deficiencies. We also are revising 
paragraph (b) to clarify that FDA's evaluation of any completed 
recognition or renewal application may include an onsite assessment of 
the accreditation body. In addition, we are redesignating proposed 
paragraph (e) as part of paragraph (b) for clarity.
    On our own initiative we are adding new paragraphs (e) through (h) 
to Sec.  1.631 to explain what happens when an accreditation body's 
renewal application is denied. We are adding provisions to clarify what 
the applicant must do, the manner in which FDA will notify accredited 
third-party certification bodies and the public of the denial, the 
effect of denial of an application for renewal of recognition on 
accredited third-party certification bodies, and the effect of denial 
of an application for renewal of recognition on food or facility 
certifications issued to eligible entities.
    (Comment 67) Some comments ask us to clarify how we will recognize 
an accreditation body. Some comments ask that we clearly and 
comprehensively lay out the conditions and requirements governing the 
application for recognition, to ensure transparency, certainty, and 
predictability of the procedures and criteria governing recognition. 
Some comments specifically recommend that we use the IAF/ILAC/
International Laboratory Accreditation Cooperation (ILAC) (A-series) 
documents as the foundation upon which to base our process for 
recognition of accreditation bodies.
    (Response 67) This rule establishes the framework for the third-
party certification program and generally describes procedures involved 
in the submission and processing of applications for recognition and 
will be supplemented by additional instructions. For example, we are 
developing an electronic portal that accreditation bodies will use in 
submitting their applications for recognition, and we will be issuing 
directions for using the portal. We also are developing internal 
operational procedures for recognition of accreditation bodies and will 
consult the IAF/ILAC (A-series) documents in considering the types of 
materials that may be useful to accreditation bodies and other 
stakeholders interested in learning more about our program.
    (Comment 68) Some comments express concern that we are limiting 
ourselves to a ``first in, first out'' review process that gives us no 
discretion to recognize foreign governments before we consider other 
applications from private accreditation bodies that apply. These 
comments recommend that we use guidance to industry or internal 
management documents, rather than this rule, to describe how we will 
establish the queue of applications for review.
    (Response 68) For the reasons described in Response 64, we decline 
the suggestion to prioritize applications submitted by government 
accreditation bodies over applications submitted by private 
accreditation bodies. However, we are modifying the first in, first out 
approach to application review in proposed Sec.  1.631(a) to allow FDA 
to prioritize an application for review based on program needs. We will 
consider the suggestion to use an internal management document to 
establish our procedures for reviewing applications for recognition as 
part of our operational planning.
    (Comment 69) We received several comments on the timeliness of 
application review and decisionmaking. Some comments assert that our 
application review process must be comprehensive but also expedient. 
Some comments ask that our communications with applicants be timely. 
Other comments ask us to establish review timeframes by which 
accreditation bodies and other interested parties may expect a response 
to applications, asserting this will foster enhanced confidence and 
transparency with the review process. Some comments suggest that we 
review and act upon an accurately completed recognition application 
within 90 days and a completed recognition renewal application within 
45 days.
    (Response 69) We agree with the comments suggesting that our 
application review must be comprehensive and as expedient as possible. 
We decline the suggestion to establish review timelines in this rule 
because we lack the experience and data that would allow us to 
reasonably estimate review timeframes. We also recognize that each 
review will differ depending on the circumstances, and we expect to 
become more efficient in application review as we gain experience in 
the program.
    (Comment 70) Some comments express concern about the length of time 
it will take us to recognize and notify an applicant of any 
deficiencies in the application. These comments also assert that 
requiring applicants with deficiencies to resubmit their applications 
and sending them to the bottom of the review list would make for 
significant delays in the recognition and renewal processes.
    (Response 70) FDA agrees that an application for recognition should 
be checked for completeness promptly after submission. The Agency 
intends to notify the submitter in a timely manner if the submission is 
not complete. FDA anticipates that this completeness determination 
could generally be made within 15 business days, because this is not a 
decision on the merits of the application. However, given the competing 
demands on Agency resources, including staff available to conduct 
review, the Agency declines to add a time restriction in the final rule 
for notifying an applicant of deficiencies that cause its application 
to be considered incomplete and thus not ready for processing.
    (Comment 71) Some comments assert that we should include a 
mechanism for stakeholders to provide feedback to the Agency concerning 
the capacity and functioning of accreditation bodies and auditors/
certification bodies because stakeholders have firsthand experience 
with such entities. These comments suggest that we modify Sec.  
1.631(b) to specify that FDA will also ``solicit and consider 
information provided by stakeholders, including importers and foreign 
suppliers subject to the accreditation body's jurisdiction, to assist 
in the recognition or renewal application review process.''
    (Response 71) To the extent the comments suggest that the Agency's 
review and decisionmaking process on recognition applications should 
include a solicitation of comments from the public we disagree, as this 
would create unnecessary delay in the recognition process. FDA believes 
that the information it gains through the application process will be 
sufficient to make a recognition determination, and that this process 
and subsequent monitoring by FDA ensures robust oversight of the 
program. Nevertheless, stakeholders are always free to share with FDA 
any information relevant to the Agency's food safety programs. We

[[Page 74601]]

note that information shared with FDA is subject to the information 
disclosure regulations in part 20, as stated in Sec.  1.695.
    (Comment 72) Some comments note that there are no circumstances or 
conditions in the proposed rule that allow for an accreditation body to 
question or object to an FDA action or request if they believe it is 
not reasonable or relevant to the recognition and performance of the 
accreditation body.
    (Response 72) We do not expect to make requests or actions of an 
accreditation body that are not relevant to the requirements of the 
third-party certification program. FDA's evaluation of accreditation 
bodies, as expressed in Sec. Sec.  1.631(b), 1.633(a), and 1.634(a), is 
premised on the accreditation body's compliance with the applicable 
requirements of this rule.
    We note that in this rulemaking, FDA has established a number of 
mechanisms to address challenges to FDA's decisions, including Sec.  
1.691 (for requests for reconsideration of the denial of an application 
for recognition, renewal, or reinstatement of recognition); Sec.  1.692 
(for internal Agency review of the denial of an accreditation body 
application upon reconsideration); and Sec.  1.693 (for regulatory 
hearings on revocation of recognition).
    We recommend accreditation bodies to fully consider the program 
requirements before deciding to pursue recognition under the voluntary 
third-party certification program.
    (Comment 73) Some comments ask that we provide training and 
education documents regarding the application process as quickly as 
possible to ensure that accreditation bodies are clear on the process 
and its requirements. These comments assert that training and education 
would minimize the need for second reviews due to inaccurate or 
incomplete applications.
    (Response 73) As indicated in Response 67, we are developing 
additional instructions for applications for recognition that will be 
useful to accreditation bodies interested in pursuing recognition.

C. What is the duration of recognition? (Sec.  1.632)

    We proposed to grant recognition to an accreditation body for up to 
5 years, though we will determine the length of recognition on a case-
by-case basis.
    (Comment 74) Some comments support our proposal to recognize 
accreditation bodies for a duration of up to 5 years, with shorter 
durations awarded early in the program for accreditation bodies with 
little experience in accrediting third-party certification bodies.
    (Response 74) We agree with comments suggesting that the duration 
of recognition may vary depending on a number of factors, including the 
accreditation body's history (or lack of history) in accrediting 
certification bodies. We believe the proposal allows FDA to consider 
such factors.
    (Comment 75) Some comments express concern that we are not 
proposing a fixed duration of recognition and ask us to establish a 
specific time limit of 5 years. These comments assert that having a 
standardized duration of recognition for all accreditation bodies is 
administratively more viable for FDA to plan its resource needs and 
would provide consistency across the industry. Additionally, these 
comments assert that 5 years is a reasonable duration given the other 
reporting and monitoring requirements built into the system.
    (Response 75) We acknowledge the advantages that certainty provides 
and, where appropriate, the Agency will grant recognition for the 
maximum duration of 5 years. However, as noted in our previous 
response, we also recognize it may be appropriate for the duration of 
recognition to vary depending on a number of factors. Where, for 
example, an accreditation body has little or no experience in 
accrediting food safety certification bodies, we may decide the initial 
grant of recognition should be less than 5 years.
    (Comment 76) Some comments suggest that the duration of recognition 
for an accreditation body should be 4 years to be consistent with the 
duration proposed for accreditation of certification bodies in Sec.  
1.661. Other comments request clarification about the difference in 
durations proposed for recognition of accreditation bodies and 
accreditation of certification bodies.
    (Response 76) We decline the suggestion to shorten the maximum 
duration of accreditation body recognition to 4 years and note that the 
comments suggesting it should be the same maximum duration as third-
party certification body accreditation offered no information that 
would provide an adequate basis for shortening recognition such that an 
accreditation body could be recognized for no longer than a 
certification body's accreditation. Further, as stated in the proposed 
rule, we noted that other government programs such as the Substance 
Abuse and Mental Health Services Administration program for accredited 
programs that use opioid agonist treatment medications approves 
accreditation bodies for up to 5 years (42 CFR 8.3). Under the FDA 
mammography program, we may approve accreditation bodies for terms up 
to 7 years (21 CFR 900.3(g)). As stated previously, FDA may establish a 
period of recognition of less than 5 years if appropriate for a 
particular applicant.
    (Comment 77) Some comments assert that accreditation bodies that 
maintain their IAF signatory status should not be limited to a 5-year 
duration.
    (Response 77) We decline the suggestion, noting that the comment 
lacks information demonstrating that a longer term of recognition is 
warranted for an accreditation body that is an IAF signatory.

D. How will FDA monitor recognized accreditation bodies? (Sec.  1.633)

    We proposed to establish the frequency and manner for formal 
evaluations of recognized accreditation bodies. Specifically, we 
proposed to evaluate each recognized accreditation body by at least 4 
years after the date of recognition of an accreditation body granted a 
5-year term of recognition and by no later than the mid-term point for 
an accreditation body granted a term of recognition of less than 5 
years. Proposed Sec.  1.633 also notes that FDA may conduct additional 
assessments of recognized accreditation bodies at any time.
    (Comment 78) While the comments generally support FDA performance 
assessments of recognized accreditation bodies, the comments express a 
wide range of views on how frequently such assessments should occur. 
Some comments support the proposed reevaluation frequency for 
recognized accreditation bodies. Some comments assert that we need to 
have a more suitable monitoring mechanism. Other comments suggest we 
incorporate a random, unannounced performance review for recognized 
accreditation bodies as a supplement to the proposed frequency. Some 
comments take a contrary view, asking us to clarify in the final rule 
the circumstances under which we may perform additional performance 
assessments of recognized accreditation bodies. These comments assert 
that FDA's ability to conduct additional audits, assessments, and 
investigations without the requirement to justify such actions creates 
the potential for a confrontational relationship and lack of trust. The 
comments question whether, without such clarification, any refusal by 
an accreditation body to grant FDA access or information would trigger 
revocation

[[Page 74602]]

of their recognition. Still other comments request clarification on the 
frequency of audits that will be conducted on accreditation bodies.
    (Response 78) Monitoring assessments of accreditation bodies are 
one of several tools we will use for program oversight. Section 
1.633(a) implements section 808(f) of the FD&C Act, which states that 
FDA must reevaluate a recognized accreditation body periodically, or at 
least once every 4 years, and take any other measures FDA deems 
necessary to ensure compliance. We anticipate that information gleaned 
from other monitoring tools, such as an accreditation body's self-
assessment, may prompt additional performance assessments in certain 
instances. Although we decline to specifically codify random, 
unannounced performance reviews as a supplement to the proposed 
frequency as suggested by the comment, we note that under Sec.  
1.633(a) FDA may conduct additional assessments of recognized 
accreditation bodies, including unannounced assessments, at any time as 
it deems appropriate. We need to retain flexibility to conduct 
additional audits, assessments and investigations to support the 
credibility of the program.
    With respect to the request to clarify whether any refusal to grant 
FDA access or information for a performance assessment would trigger 
revocation, under section Sec.  1.634(a), refusal to allow FDA to 
conduct an assessment to ensure the accreditation body's continued 
compliance with the requirements of this subpart is grounds for 
revocation.
    (Comment 79) Some comments assert that we should provide additional 
detail on our monitoring procedures under Sec.  1.633(b). Some comments 
express concern about the ambiguity of the term ``statistically 
significant'' as well as the scope of onsite assessments and onsite 
audits for performance evaluation purposes. These comments assert that 
we must provide clear guidance to industry as to what we expect would 
be involved in such onsite assessments and make this guidance available 
for public comment. Other comments specifically request that we outline 
the procedures under which we will conduct audits on accreditation 
bodies and third-party certification bodies and specify a timeframe for 
when we will issue the results of the audits. Still other comments 
assert that we must provide guidance on how an eligible entity might be 
selected for an audit/inspection that relates to an accreditation 
body's reassessment of a certification body.
    (Response 79) The objective of an assessment under Sec.  1.633 will 
be to determine an accreditation body's compliance with the 
requirements of this rule. When planning an assessment, we will 
establish the time period of activities covered by the assessment and 
may request records of an accreditation body under Sec.  1.625. We also 
will develop plans for any locations to be visited, which may include 
the accreditation body's headquarters and any other locations where 
employees and other agents who conduct activities under this program 
are managed.
    In conducting the assessment, we may review records, such as 
records relating to conflicts of interest and may interview officers, 
employees, and other agents of the accreditation body. We also may 
observe regulatory audits by certification bodies the accreditation 
body has accredited. For the reasons explained in Response 28, we have 
removed the phrase, ``statistically significant'' and revised the 
sentence to explain that we may observe a ``representative sample'' of 
certification body regulatory audits when conducting an assessment of 
its accreditation body. We will decide what constitutes a 
``representative sample'' for purposes of Sec.  1.633 on a case-by-case 
basis, based on factors such as how many certification bodies the 
accreditation body has accredited under the program, the scope of 
accreditation of the certification bodies accredited by the 
accreditation body, how many years the accreditation body has been in 
the program, how many prior assessments of the accreditation body we 
have performed, and the length of time since any prior assessments.
    (Comment 80) Some comments ask that we inform recognized 
accreditation bodies prior to doing onsite assessments of accredited 
certification bodies and eligible entities as part of our performance 
evaluations.
    (Response 80) In planning an assessment with onsite observations of 
certification bodies or an audit of certified eligible entities, we 
will consider whether to provide notice to the accreditation body and/
or invite the accreditation body to be present. In some circumstances 
we may determine that it would be necessary or appropriate to conduct 
the assessment or audit without notice to the accreditation body.
    (Comment 81) Some comments assert that to carry out performance 
evaluations for the purpose of monitoring recognized accreditation 
bodies, we must have an agreement directly with the certification 
bodies or request that recognized accreditation bodies include these 
requirements in their agreements with certification bodies they have 
accredited.
    (Response 81) We disagree that we must have an agreement directly 
in place with each accredited certification body for us to carry out 
performance evaluations, as Sec.  1.633(b) states that FDA may include 
onsite assessments of a representative sample of third-party 
certification bodies the recognized accreditation body accredited and 
onsite audits of a representative sample of eligible entities certified 
by such third-party certification bodies under this subpart. We 
recommend that third-party certification bodies fully consider the 
program requirements before deciding to pursue accreditation under this 
voluntary third-party certification program. We also encourage 
recognized accreditation bodies to include language in their standard 
contracts with third-party certification bodies they accredit under 
this program that acknowledges FDA's ability to conduct such 
evaluations.
    (Comment 82) Some comments ask who will cover the costs of audits 
on recognized accreditation bodies.
    (Response 82) As discussed in Response 66, we are proposing in a 
separate rulemaking (80 FR 43987) the costs of FDA monitoring of 
recognized accreditation bodies will be covered by user fees that we 
will establish by regulation.

E. When will FDA revoke recognition? (Sec.  1.634)

    Proposed Sec.  1.634 establishes the criteria and procedures for 
revocation of recognition of an accreditation body, including requests 
for records and notifications. It describes several circumstances that 
warrant revocation of recognition and describes the effects (if any) of 
revocation on accreditations and certifications occurring prior to the 
revocation.
    On our own initiative, we are revising Sec.  1.634(c)(2) to require 
the accreditation body to notify FDA of the name and contact 
information of the custodian who will maintain the records required by 
Sec.  1.625 instead of just providing us with a location to increase 
flexibility. We are making corresponding changes to Sec. Sec.  
1.635(a), 1.664(e)(2), and 1.665(a). We also are revising paragraphs 
(d) through (f) to clarify the manner of FDA's notice to affected 
third-party certification bodies and the public of the revocation, as 
well as the effect of such revocation on the accredited third-party 
certification bodies and certifications they issued prior to issuance 
of the revocation of recognition.
    (Comment 83) Some comments recommend that when an accreditation

[[Page 74603]]

body's recognition is revoked, the information on the Web site includes 
the cause or causes of the revocation.
    (Response 83) We agree and will include on the FDA Web site a brief 
description of the grounds whenever revoking the recognition of an 
accreditation body.
    (Comment 84) Some comments agree that providing the certification 
body 1 year to transition and become accredited with another 
accreditation body is a reasonable concept, but express concerns that 
in many countries a limited number of accreditation bodies may make 
meeting that timeframe difficult. They also note that although audited 
entities' certifications may remain in effect until its expiration, it 
may be difficult for them to maintain their certifications beyond that 
date due to lack of accreditation bodies, or there may be instances in 
which their certification is set to expire in weeks or months following 
the revocation. These comments note a similar concern about the impact 
of a lack of capacity on scheduling certification audits should the 
certification body have to be reaccredited within 1 year. Comments 
recommend that FDA address this issue by performing an assessment of 
accreditation capacity in key production regions around the world and 
using that information as a baseline to inform timeframes on re-
accreditation of third-party certification bodies. Other comments 
suggest that either FDA be required to renew the recognition of the 
recently revoked accreditation body or recognize a new accreditation 
body in time for any affected accredited certification body to comply, 
or FDA would be required to solicit applications for a new 
accreditation body after an accreditation body's recognition is 
revoked. Comments also recommend that certifications issued by a 
certification body accredited by the accreditation body whose 
recognition was revoked remain in effect for 1 year from the date of 
the revocation of the accreditation body in order to reduce the 
likelihood of a lapse in certification of eligible facilities.
    (Response 84) We acknowledge that revocation of the recognition of 
an accreditation body may present difficulties for the certification 
bodies accredited by the accreditation body (and for the eligible 
entities those certification bodies certified), particularly in 
countries that have a single national accrediting authority. In such 
circumstances, we intend to work with recognized accreditation bodies 
and the certification bodies to identify opportunities and challenges. 
We believe 1 year is sufficient time for a certification body to be 
reaccredited in such circumstances. The requirement for an eligible 
entity to become recertified after a certificate terminates by 
expiration is based on section 808(d) of the FD&C Act, which requires 
an eligible entity to apply for annual recertification. In light of the 
foregoing, we are declining the requests to extend the deadlines for 
reaccreditation and for recertification in the case of revocation of 
recognition of an accreditation body.
    (Comment 85) Some comments request FDA provide specific provisions 
to address potential questions that may arise if recognition of an 
accreditation body is revoked, with particular emphasis on the validity 
of certificates or other documentation already issued when revocation 
occurs.
    (Response 85) Section 1.634(d) specifically describes the impact of 
revocation of recognition of an accreditation body on the certification 
bodies that it accredited under this program, including that a 
certification body's accreditation will remain in effect if it provides 
a self-assessment to FDA within 60 days of issuance of the revocation 
and it is accredited by another recognized accreditation body or FDA no 
later than 1 year after the revocation or the original date of 
expiration of the accreditation, whichever comes first. Section 
1.634(e) explains that in the case of revocation of an accreditation 
body's recognition, a food or facility certification issued by a 
certification body accredited by the accreditation body prior to the 
revocation of its recognition will remain in effect until the 
certification terminates by expiration.
    (Comment 86) Some comments request that FDA clarify how individual 
holders of certifications would be made aware of the revocation of 
recognition. For example, they ask if FDA would contact certification 
holders directly or if the certification holder would be required to 
monitor the recognition status of the accreditation and certification 
bodies.
    (Response 86) We will provide notice on the FDA Web site when we 
revoke the recognition of an accreditation body. We also will notify 
certification bodies that have been accredited by the accreditation 
body that has had its recognition revoked through the electronic portal 
we are establishing. Because revocation of recognition will not affect 
the duration of previously issued certificates, we will not directly 
contact eligible entities to inform them of the revocation. If the 
revocation of recognition results in the withdrawal of accreditation of 
a certification body, FDA will provide notice of such withdrawal on our 
Web site as provided in Sec.  1.664(h).
    (Comment 87) Some comments recommend that FDA refer to the 
provisions in ISO/IEC 17011:2004 and ISO/IEC 17021:2011 to inform the 
provisions revocation of recognition in Sec.  1.634 and withdrawal of 
accreditation in Sec.  1.664 and to distinguish those actions from 
reduction in scope of recognition and accreditation and to establish 
the specific grounds and effects for those actions.
    (Response 87) Neither of the ISO/IEC standards cited in the 
comments relate to revocation of recognition of an accreditation body; 
however, we reviewed ISO/IEC 17011:2004 (Ref. 5) for terminology, 
procedures, and grounds that might have relevance for revocation of 
recognition in Sec.  1.634. We decline the suggestion to consider ISO/
IEC 17021:2012 (Ref. 6), which applies to certification bodies, for 
purposes of this analysis as it is inapplicable.
    Having reviewed ISO/IEC 17011:2004, we note that ISO/IEC 17011:2004 
(Ref. 5) gives an accreditation body the flexibility to establish its 
own procedures for suspension, withdrawal, or reduction of the scope of 
an accreditation as explained in clause 7.13.1 and NOTE. FDA's 
procedures for revocation of recognition are thus not inconsistent with 
the ISO standards in this respect. Regarding the grounds for withdrawal 
of accreditation, ISO/IEC 17011:2004 (Ref. 5), clause 7.13, provides 
that an accreditation body must make decisions to suspend and/or 
withdraw accreditation when an accredited conformity assessment body 
(i.e., third-party certification body) has persistently failed to meet 
the requirements of accreditation or to abide by the rules for 
accreditation. The standard for revocation of recognition under this 
program is established by section 808(b)(1)(C) of the FD&C Act, which 
requires FDA to ``promptly revoke the recognition of any accreditation 
body found not to be in compliance with the requirements of this 
section,'' which is the standard that is used in proposed Sec.  1.634. 
Therefore, we cannot incorporate this standard for withdrawal for 
purposes of this program.
    (Comment 88) Some comments suggest FDA revise Sec.  1.634(a)(3) and 
(4) to provide that FDA can make a decision to revoke recognition or 
withdraw accreditation only when it has objective evidence to 
demonstrate that the recognized accreditation body committed fraud or 
submitted material with significant false statements, demonstrated a 
significant bias or significant lack of objectivity when

[[Page 74604]]

conducting activities, or significantly failed to adequately support 
one or more decisions to grant accreditation.
    (Response 88) We disagree. Section 808(b)(1)(C) requires FDA to 
promptly revoke the recognition of any recognized accreditation body 
found not to be in compliance with section 808 of the FD&C Act, which 
establishes the third-party program. This program is a system of 
assurances that begins with the recognition of qualified accreditation 
bodies, which in turn accredit certification bodies to make judgments 
about the compliance of eligible entities and the food they produce 
with the applicable food safety requirements of the FD&C Act and FDA 
regulations. FDA's ability to have swift recourse when a recognized 
accreditation fails to comply with the requirements of the third-party 
program is essential. Limiting FDA's ability to revoke the recognition 
of accreditation bodies to instances of ``significant'' fraud, bias, or 
lack of competence as the comment suggests would render the program 
unreliable to provide the assurance of food safety intended by this 
section.

F. What if I want to voluntarily relinquish recognition or do not want 
to renew recognition? (Sec.  1.635)

    Proposed Sec.  1.635 describes the procedures that an accreditation 
body must follow when it intends to relinquish its recognition.
    FDA received comments in support of the proposed procedures for 
voluntary relinquishment of recognition. FDA received no adverse 
comments on this section. On our own initiative, we are revising the 
voluntary relinquishment provisions in Sec.  1.635 to also address 
situations where a recognized accreditation body decides it does not 
want to renew its recognition once it expires. In addition we are 
including procedures for the certification bodies to follow after their 
accreditation bodies' recognitions are relinquished or not renewed.

G. How do I request reinstatement of recognition? (Sec.  1.636)

    Proposed Sec.  1.636 describes the procedures that an accreditation 
body would have to follow when seeking reinstatement of its 
recognition.
    FDA received comments in support of the proposed procedures for 
reinstatement of recognition. FDA received no adverse comments on this 
section and is not making any substantive changes to this section in 
this final rule.

VIII. Comments on Accreditation of Third-Party Certification Bodies 
Under This Subpart

A. Who is eligible to seek accreditation? (Sec.  1.640)

    Proposed Sec.  1.640 states that a foreign government, agency of a 
foreign government, foreign cooperative, or other third-party would be 
eligible for accreditation from a recognized accreditation body (or, 
where direct accreditation is appropriate, FDA) to conduct food safety 
audits and issue food and facility certifications under the program. 
Proposed Sec.  1.640(b) is based on section 808(c)(1)(A) of the FD&C 
Act and would require a foreign government/agency seeking accreditation 
to demonstrate that its food safety programs, systems, and standards 
would meet the requirements of proposed Sec. Sec.  1.641 to 1.645, as 
specified in FDA's model standards on qualifications for accreditation, 
including legal authority, competency, capacity, conflicts of interest, 
quality assurance, and records. Proposed Sec.  1.640(c) is based on 
section 808(c)(1)(B) of the FD&C Act and would require a foreign 
cooperative or other third-party certification body seeking 
accreditation to demonstrate that the training and qualifications of 
its audit agents and the internal systems used by the certification 
body would meet the requirements of proposed Sec. Sec.  1.641 to 1.645, 
as specified in FDA's model standards on qualifications for 
accreditation, including legal authority, competency, capacity, 
conflicts of interest, quality assurance, and records.
    At our own initiative, we revised Sec.  1.640(c) to apply to 
accredited third-party certification bodies that are comprised of a 
single individual, as applicable.
    (Comment 89) Some comments suggest that FDA should require third-
party certification bodies conducting regulatory audits to be 
accredited to either: (1) ISO 17021:2011 (Ref. 6), with the 
complementary requirements of ISO/TS 22003:2007, Food safety management 
systems--Requirements for bodies providing audit and certification of 
food safety management systems (Ref. 20) or (2) ISO 17065:2012 (Ref. 
7), with conformance to ISO 17021:2011 (Ref. 6) and ISO 22000:2005, 
Food safety management systems--Requirements for any organization in 
the food chain (Ref. 21).
    Other comments suggest that ISO/IEC 17000:2004 (Ref. 4) and ISO/IEC 
17021:2011 (Ref. 6) provide a common framework for managing the 
effectiveness of third-party certification activities and recommend 
incorporating the standards by reference into the final rule. The 
comments assert that FDA's proposed rule, by failing to incorporate by 
reference the ISO standards, appears to unnecessarily establish a 
unique standard in contravention of the NTTAA and OMB Circular A-119 
(63 FR 8546) without adequate justification. The comments include 
recommended revisions to Sec.  1.640. Other comments note that ISO/IEC 
Guide 65:1996 (Ref. 9) will be phased out by September 2015; therefore, 
the wording in the final rule should be changed to reflect the 
successor standard, ISO/IEC 17065:2012 (Ref. 7). Some comments express 
concern about the additional costs to exporters from third-party audits 
and private interests over and above official systems.
    (Response 89) As explained in section I.D., we have revised the 
rule to allow a third-party certification body to offer documentation 
of conformance to ISO/IEC 17021:2011 (Ref. 6) or ISO/IEC 17065:2013 
(Ref. 7) in support of its application for accreditation, supplemented 
as necessary. However, we decline the suggestion to incorporate the 
standards by reference into this rule.
    ISO/IEC ISO 17021:2011 (Ref. 6) and ISO/IEC 17065:2012 (Ref. 7), 
the successor to ISO Guide 65:1996 (Ref. 9), contain requirements that 
are inconsistent with section 808 of the FD&C Act and impractical for 
our program. For example, ISO/IEC 17021:2011 (Ref. 6), clause 5.2.6, 
prohibits a certification body, including a governmental certification 
body, from providing internal audits to its certified clients. Under 
this same clause, a certification body that has provided internal 
auditing services to a client must wait for 2 years before conducting 
an audit for certification purposes. Clause 5.2.5 of the standard also 
prohibits the certification body from offering or providing any 
management systems consultancy (defined as participation in designing, 
implementing, or maintaining a management system). We note that ISO/IEC 
17065:2012 (Ref. 7), clause 4 contains similar requirements, e.g., in 
clauses 4.2.6 and 4.2.10 NOTE 1, as the requirements of clauses 5.2.5 
and 5.2.6 of ISO/IEC 17011:2004 (Ref. 5).
    The requirements of our third-party program are markedly different, 
because section 808 of the FD&C Act expressly allows an accredited 
third-party certification body to conduct both regulatory audits for 
certification purposes and consultative audits for internal purposes. 
Further, section 808(c)(4)(C) of the FD&C Act allows an accredited 
certification body to use the same audit agent in auditing the same

[[Page 74605]]

eligible entity, subject only to a limitation (that FDA may waive) on 
using the agent for a regulatory audit when the agent had conducted a 
consultative audit of the eligible entity in the preceding 13 months.
    As another example, we note that ISO/IEC 17021:2011, clauses 6.2.1 
to 6.2.3 (Ref. 6), require a certification body to establish an 
external committee for safeguarding impartiality that includes 
representation of key interests, such as audited firms. Clause 5.3.2 of 
the standard requires the certification body to demonstrate to the 
external committee that commercial, financial, or other pressures do 
not compromise its impartiality. Under clause 6.2.2(c), the committee 
has the right to take ``independent action'' if the top management of 
the certification body ``does not respect the advice of this 
committee.'' ISO/IEC 17065:2012 (Ref. 7), clause 5, contains similar 
requirements--e.g., clause 5.2.1 NOTE 1 (committee) and 5.2.3 (right to 
take independent action).
    It would be inappropriate and impractical for FDA to require an 
accredited third-party certification body to assemble a committee 
representing interests outside those of this program, and would be 
impractical for FDA to properly manage the program under such 
circumstances. We also are concerned about the disincentive these 
requirements of ISO/IEC 17011:2004 (Ref. 5) and ISO/IEC 17065:2012 
(Ref. 7) might create, for example, for foreign competent authorities 
who have their own processes for stakeholder engagement.
    Based on our review of the standard and explained in the examples 
provided above, we have determined that ISO/IEC 17011:2004 (Ref. 5) and 
ISO/IEC 17065:2012 (Ref. 7) are inconsistent with section 808 of the 
FD&C Act and impractical for purposes of this program and therefore 
deny the suggestion to incorporate by reference into this rule.
    With respect to the suggestion to incorporate ISO/IEC 17000:2004 
(Ref. 4) into this rule, we note that this standard uses terminology 
that is inconsistent with section 808 of the FD&C Act. We are concerned 
that incorporating the terms used in ISO/IEC 17000:2004 (Ref. 4) in 
this rule would create unnecessary confusion as to how the rule relates 
to the statute. For example, clause 7.5 of the standard uses the term 
``recognition'' for the ``acknowledgement of the validity of a 
conformity assessment result provided by another person or body,'' 
while recognition is used in section 808 of the FD&C Act when 
describing FDA's determination that an accreditation body meets the 
requirements of this rule.
    Based on our review of the standard and explained in the example 
provided above, we have determined that ISO/IEC 17000:2004 (Ref. 4) is 
inappropriate for incorporation by reference into this rule.
    Although we decline to incorporate the standards mentioned in the 
comments, we are revising Sec.  1.640 to allow a third-party 
certification body to offer documentation of its conformance to ISO/IEC 
17021:2011 (Ref. 6) or ISO/IEC 17065: 2013 (Ref. 7), supplemented as 
necessary, in support of its application for accreditation under the 
final rule. We conclude that this will serve to promote international 
consistency and allow third-party certification bodies to use a 
framework that is familiar to them when it can be used to meet the 
requirements of this rule.
    (Comment 90) Some comments suggest the rule should impose different 
requirements on foreign government certification bodies and on other 
third-party certification bodies (i.e., foreign cooperatives and other 
third-party certification bodies), because of the different nature of 
private operators and public administration.
    (Response 90) Under section 808(a)(3) of the FD&C Act third-party 
certification bodies include Foreign government certification bodies, 
foreign cooperatives, and other third-party certification bodies. 
Section 808 of the FD&C Act for the most part does not distinguish 
between public and private certification bodies and states that both 
are subject to the same model accreditation standards discussed in 
808(b)(2). The only difference in treatment of public and private 
certification bodies is set forth in section 808(c)(1) of the FD&C Act, 
describing what elements of oversight be assessed for accreditation. 
This difference is reflected in the eligibility criteria set forth in 
Sec.  1.640(b) and (c). In all other areas, we decline the suggestion 
to impose different requirements on foreign government certification 
bodies and other third-party certification bodies.
    (Comment 91) Some comments express skepticism about private 
auditing companies. Some comments note that foreign cooperatives have 
rarely if ever been engaged in true accredited third-party auditing/
certification activities and are thus unproven in that role.
    (Response 91) As stated above, section 808 of the FD&C Act 
expressly provides for both public and private accredited third-party 
certification bodies. FDA believes the system of oversight established 
under this rulemaking will be sufficient to ensure the reliability of 
private certification bodies that are able to participate in the 
program. Foreign cooperatives are specifically listed in section 808 of 
the FD&C Act as a third party that could be a certification body, and 
must meet the same rigorous criteria to qualify for accreditation.

B. What legal authority must a third-party certification body have to 
qualify for accreditation? (Sec.  1.641)

    Proposed Sec.  1.641 would require third-party certification bodies 
to demonstrate that they have adequate legal authority, which may 
include authority established by contract or as a government entity to 
evaluate eligible entities for compliance with the applicable 
requirements of the FD&C Act and FDA regulations.
    FDA received no adverse comments specific to this section. However, 
as discussed in Response 27, we have revised Sec.  1.641 to specify 
that a third-party certification body has to be a legal entity.

C. What competency and capacity must a third-party certification body 
have to qualify for accreditation? (Sec.  1.642)

    Proposed Sec.  1.642 would require a third-party certification body 
to demonstrate it has adequate resources to fully implement its 
auditing and certification program and the capacity to implement the 
requirements of this program, if accredited.
    (Comment 92) Some comments suggest that we require certification 
bodies to be bonded, to cover any Agency costs should the firm go 
bankrupt.
    (Response 92) We decline the suggestion to require certification 
bodies to be bonded to cover any Agency costs if a certification body 
goes bankrupt. This requirement is unnecessary because the program is 
designed to operate using user fees. Additionally, Sec.  1.642 of the 
final rule requires a third-party certification body to demonstrate 
that it has adequate resources to fully implement its auditing and 
certification program.
    (Comment 93) Some comments recommend that we clearly define the 
necessary competencies of certification body staff and auditors. Some 
comments suggest that we require auditors to have at least 1 year of 
work experience in testing and assessing the conditions for food safety 
of certain food manufacturer(s) and to have attended at least 20 audits 
for management systems using hazards analysis and critical control 
point requirements.

[[Page 74606]]

    (Response 93) Section 1.640 of this rule establishes the 
eligibility requirements for third-party certification bodies seeking 
to participate in the third-party certification program. Specific 
recommendations on qualifications such as the years and types of work 
experience in food safety and in conducting audits will be contained in 
FDA's Model Accreditation Standards final guidance, as explained in 
section I.D.
    (Comment 94) Some comments emphasize the importance of having 
certification bodies accredited to the specific areas in which they 
will be conducting audits and issuing certifications. The comment 
explains that accredited auditors/certification bodies auditing pet 
food facilities must be adequately qualified and knowledgeable in pet 
food requirements. The comments express concern that human food 
standards might be misapplied to a facility producing raw materials, 
ingredients or finished food for pet food (e.g., cross-contact for 
allergens, ingredients destined for further processing).
    (Response 94) A recognized accreditation body assessing a 
certification body for accreditation (or FDA under direct 
accreditation) must ensure that the certification body is qualified to 
conduct audits under the food safety requirements of the FD&C Act and 
FDA regulations that apply to the scope of accreditation sought. 
Therefore, a third-party certification body that is accredited to 
conduct audits under part 117 would not be accredited to perform audits 
under 21 CFR part 507, unless the accrediting body has assessed the 
certification body's qualifications and accredited it to perform audits 
under part 507 as well.

D. What protections against conflict interest must a third-party 
certification body have to qualify for accreditation? (Sec.  1.643)

    Proposed Sec.  1.643 would require third-party certification bodies 
to have established programs to safeguard against conflicts of interest 
that might compromise their objectivity and independence.
    On our own initiative, we are clarifying in Sec.  1.643(a) that the 
conflict of interest provisions of this section apply to officers, 
employees, and other agents that are involved in auditing and 
certification activities, as relevant. We are making corresponding 
changes in the subsequent provisions for accredited third-party 
certification bodies under Sec.  1.657(a) and (c).
    (Comment 95) Some comments recommend that FDA ensure that auditors 
are competent and accountable and that there are adequate protections 
against conflicts of interest, with maximum transparency related to 
auditors' activities. The comments support requirements for documented 
safeguards against conflicts of interest to help ensure that decisions 
are accurate and unbiased and that auditors are independent.
    (Response 95) We agree and are requiring third-party certification 
bodies seeking accreditation to demonstrate they have written conflict 
of interest measures and that they have the capacity to meet the 
requirements of the final rule, if accredited.

E. What quality assurance procedures must a third-party certification 
body have to qualify for accreditation? (Sec.  1.644)

    Proposed Sec.  1.644 would require a third-party certification body 
to have a written program for monitoring and assessing its performance, 
identifying deficiencies in its program or performance and quickly 
executing corrective actions.
    FDA received no adverse comments specific to this section. However, 
as discussed in Response 32, we revised Sec.  1.644(a) to clarify that 
a certification body must demonstrate that it has procedures to 
identify deficiencies and procedures to execute corrective actions for 
such deficiencies, which would better align with international 
standards (see, e.g., clause 5.5 in ISO/IEC 17011:2004 (Ref. 5)).

F. What records procedures must a third-party certification body have 
to qualify for accreditation? (Sec.  1.645)

    Proposed Sec.  1.645 would require a third-party certification body 
to have developed and implemented written procedures to establish, 
control, and retain the records. Such records are necessary to provide 
the recognized accreditation body (or FDA under direct accreditation) 
an adequate basis for assessing the certification body for 
accreditation under this program.
    We received no adverse comments specific to Sec.  1.645 and are 
making no substantive revisions to this section.

IX. Comments on Requirements for Third-Party Certification Bodies That 
Have Been Accredited Under This Subpart

A. How must an accredited third-party certification body ensure its 
audit agents are competent and objective? (Sec.  1.650)

    Proposed Sec.  1.650 would require an accredited third-party 
certification body that uses audit agents to ensure that each audit 
agent meets certain requirements for competency and objectivity under 
the final rule. Under paragraph (a), the audit agent would need to have 
knowledge and experience relevant to determining an eligible entity's 
compliance with the applicable food safety requirements of the FD&C Act 
and FDA regulations and, for consultative audits, conformance with 
industry standards and practices. The accredited certification body 
would have to determine the audit agent's competency to conduct food 
safety audits in part by observing a representative number of audits 
performed by the audit agent. The audit agent would have to complete 
annual food safety training under the accredited third-party 
certification body's training plan, comply with the conflict of 
interest requirements for audit agents, and agree to notify its 
certification body immediately upon discovering, during a food safety 
audit, any condition that could cause or contribute to a serious risk 
to the public health.
    Under proposed Sec.  1.650(b), the accredited third-party 
certification body would have to assign an audit agent qualified to 
conduct the food safety audit, based on the scope and purpose of the 
audit and the type of facility, its processes, and food. Proposed Sec.  
1.650(c) would prevent an accredited third-party certification body 
from using an audit agent to conduct a regulatory audit of an eligible 
entity if the agent had conducted a regulatory or consultative audit of 
the same eligible entity during the preceding 13 months, except FDA 
could waive the 13-month limitation for an accredited certification 
body that could demonstrate insufficient access to accredited third-
party certification bodies in the country or region where the eligible 
entity is located.
    Of our own initiative, we are revising Sec.  1.650(a) to apply to 
accredited third-party certification bodies that are comprised of a 
single individual, as applicable. Section 808(a)(3) of the FD&C Act 
specifically allows an accredited third-party certification body to be 
an individual, which would not fall within the definition of ``audit 
agent'' in the statute or this rule.

[[Page 74607]]

Therefore, as part of establishing eligibility under Sec.  1.640, an 
individual seeking accreditation must fulfill the requirements of Sec.  
1.650(a)(1) to become accredited under this rule and, once accredited, 
must comply with the annual food safety training requirements of Sec.  
1.650(a)(3). Pursuant to Sec.  1.650(a)(4), an accredited third-party 
certification body also must comply with the conflict of interest 
provisions applicable to audit agents under Sec.  1.657(a)(3).
    We note that a recognized accreditation body that is assessing an 
individual seeking accreditation under this program also must assess 
the individual's knowledge and experience under Sec.  1.650(a)(1) for 
the scope of accreditation requested and must consider the results of 
such assessment in determining the individual's eligibility for 
accreditation under Sec.  1.640. The onsite observations of an 
individual seeking accreditation that are performed under Sec.  
1.620(a)(3) must be sufficient to determine competency consistent with 
Sec.  1.650(a)(2).
    (Comment 96) Some comments strongly support the proposed 
requirements of Sec.  1.650, which would require an accredited 
certification body to ensure that the audit agents it uses have the 
knowledge and experience, within the scope of its accreditation, to 
examine facilities, processes, and foods for compliance with the FD&C 
Act and FDA regulations. The comments assert that audits are only as 
good as the education, training, and experience of the auditor. Other 
comments recommend that food safety audits under this rule should be 
performed by individuals that have training equivalent to FDA 
investigator training standards.
    (Response 96) We agree with comments emphasizing the importance of 
ensuring that audit agents an accredited third-party certification body 
uses to conduct audits under the program are appropriately qualified 
within the scope of the third-party certification body's accreditation. 
Proposed Sec.  1.650 would comprise the elements of a comprehensive 
assessment that an accredited third-party certification body would need 
to perform for each audit agent it would use to conduct a food safety 
audit under this rule. We further agree with comments suggesting that 
an auditor determined by a third-party certification body to be 
competent to conduct audits under private food safety schemes must 
nonetheless be assessed by the accredited third-party certification 
body for competency to conduct audits using the applicable food safety 
requirements of the FD&C Act and FDA regulations as the audit criteria. 
Therefore, under Sec.  1.650(a), an audit agent would need to 
demonstrate substantive knowledge of the applicable food safety 
requirements of the FD&C Act and FDA regulations relevant to the scope 
and purpose of the food safety audits the agent would conduct under the 
program. We do not agree to go so far as to require that all audit 
agents or individuals accredited as third-party certification bodies 
must have training equivalent to FDA investigator training standards, 
as we acknowledge that some investigator training would not be 
necessary to conduct audits under this program (e.g., evidence 
collection for enforcement purposes). Such a requirement would impose 
unnecessary costs and might serve as a disincentive to participation in 
the program.
    (Comment 97) Some comments specifically endorse proposed Sec.  
1.650(a)(2), which would require each audit agent to be observed 
conducting audits to examine compliance with the FD&C Act in a 
representative number of facilities and foods. Other comments recommend 
that an accredited third-party certification body should observe an 
audit agent before the agent begins to conduct food safety audits of a 
different type of food, followed by random, periodic spot audits to 
confirm that the audit agent is applying the audit criteria 
consistently. The comments interpret proposed Sec.  1.650(a)(2) to mean 
that the accredited third-party certification bodies would be required 
to ``continually witness'' each audit agent they use.
    (Response 97) We agree that observations of audit agents under 
proposed Sec.  1.650(a)(2) are essential in determining the competency 
of audit agents. We are revising proposed Sec.  1.650(a)(2) to require 
the observation of a representative ``sample'' of audits, instead of a 
representative ``number'' of audits, because the focus of this 
provision was not intended to be on the number of audits the audit 
agents would be expected to conducted. Rather, we intend for the 
accredited third-party certification body to observe a sample of audits 
that are representative of the range of audits the audit agent might be 
assigned.
    In determining what would constitute a ``representative sample'' 
for purposes of final Sec.  1.650(a)(2), the accredited third-party 
certification body should consider the various types of food facilities 
that might be audited and the range of FDA regulations that would apply 
to such facilities. An accredited third-party certification body would 
need to observe the audit agent conducting a number of audits across 
the range of facilities identified by the certification body, and the 
range of FDA regulations that would apply to those facilities, such 
that, taken together, the observed audits would be adequately 
representative of the facilities, processes, and foods the audit agent 
may be assigned to conduct. Generally, the more complex the regulations 
or the more complex the processes used by the facility, the greater the 
sample size should be, to help ensure the audit agent can apply the 
audit criteria consistently and reliably in various situations. The 
accredited third-party certification also should gather sufficient 
information to provide confidence in its determination of the audit 
agent's competency to conduct audits under this rule.
    Contrary to the interpretation suggested by some comments, proposed 
Sec.  1.650(a)(2) would not require an accredited third-party 
certification body to ``continually witness'' each of its audit agents. 
Such an approach is not practical, efficient, or necessary. However, we 
are clarifying in Sec.  1.650(a)(2) that before an audit agent is used 
to conduct food safety audits under this rule the audit agent must be 
observed by the accredited third-party certification body and found to 
be competent to conduct food safety audits relevant to the audits they 
will be assigned to perform under this program. Such observations also 
must be performed whenever an audit agent will be assigned to perform 
food safety audits to determine compliance with additional food safety 
requirements under the FD&C Act and FDA regulations beyond what the 
certification body has previously observed.
    Under this approach, once an accredited third-party certification 
body has determined an audit agent's competency and objectivity under 
Sec.  1.650, the audit agent can be assigned to conduct audits for 
which they are qualified under Sec.  1.650(a)(1) and (2), subject to 
requirements such as the annual training requirements in Sec.  
1.650(a)(3) and the accredited third-party certification body's self-
assessment under Sec.  1.655. Although we decline to require periodic 
observations of audit agents, once the accredited certification body 
has determined the competency of its audit agents under Sec.  
1.650(a)(2), we acknowledge the value of such observations in verifying 
audit agent competency and the rigor of the certification body's 
program for evaluating its audit agents.
    (Comment) 98) Some comments recommend that we include

[[Page 74608]]

requirements focusing on the performance of individual audit agents 
because, the comments assert, many audit complaints arise from 
individual auditor conduct and focusing on individual performance may 
help create more consistency in the process.
    (Response 98) We agree, and have received similar input from other 
stakeholders during our public meetings. The comments and other 
stakeholder input underscore the importance of the requirements for an 
accredited third-party certification body to observe a representative 
sample of audits conducted by each audit agent under Sec.  1.650(a)(2), 
to ensure that any audit agent it assigns to an audit is appropriately 
qualified under Sec.  1.650(b), and to assess the performance of its 
audit agents and the consistency of performance across all its audit 
agents as part of the certification body's self-assessment under Sec.  
1.655.
    (Comment 99) Some comments support the proposed requirement for 
annual food safety training under proposed Sec.  1.650(a)(3), noting 
the importance of ensuring that audit agents have up-to-date training 
in areas relevant to their audit activities. The comments also suggest 
that FDA should communicate to training institutions any general audit 
agent training needs FDA identifies through its program management and 
oversight. Other comments recommend that the annual training 
requirement should relate to relevant food safety provisions of the 
FD&C Act and FDA regulations.
    (Response 99) We agree and are revising Sec.  1.650(a)(3) to 
clarify that an audit agent, or an individual accredited as a third-
party certification body, must have annual food safety training that is 
relevant to activities conducted under this program. FDA works with a 
number of Alliances and other organizations to ensure training needs 
for regulatory requirements are met. For instance, having identified 
the need to train regulators and industry in the new FSMA preventive 
controls rules, FDA is working in collaboration with the Food Safety 
Preventive Controls Alliance (FSPCA) to develop training materials and 
establish training and technical assistance programs for the preventive 
controls rules. The Alliance includes members from FDA, state food 
protection agencies, the food industry, and academia and is funded by a 
grant to the Illinois Institute of Technology's Institute for Food 
Safety and Health. For more information about the FSPCA, see e.g., 
http://www.iit.edu/ifsh/alliance/.http://www.iit.edu/ifsh/alliance/.
    (Comment 100) Some comments suggest that in addition to the 
requirements of the proposed rule, we should require conformance to 
ISO/IEC 19011:2011 (Ref. 8) on auditor competency.
    (Response 100) FDA's recommendations on auditor competency, among 
other things, will be contained in FDA's Model Accreditation Standards. 
As noted in section I.D., comments that address matters covered by 
FDA's Model Accreditation Standards are outside the scope of this 
rulemaking.
    The issuance of the Model Accreditation Standards draft guidance 
was announced through publication of a notice of availability in the 
Federal Register of July 24, 2015. We plan to finalize the Model 
Accreditation Standards after receiving public comments on the draft 
guidance.
    (Comment 101) Some comments note that the audit agent's education, 
training, and experience must be specific to the industry or industries 
being audited. Some comments, for example, recommend that audit agents 
who examine eligible entities for compliance with food additive 
requirements should have industry experience with food additives and 
relevant knowledge, experience or training in auditing these types of 
facilities and processes.
    (Response 101) We agree that a certification body must consider an 
audit agent's competency whenever assigning the audit agent to a 
specific audit. Therefore, Sec.  1.650(b) requires the accredited 
third-party certification body to ensure that an audit agent it assigns 
to a specific audit is appropriately qualified, based on the audit 
scope and purpose, the specific type of facility, processes, and foods 
the audit agent would be required to examine, and the food safety 
requirements of the FD&C Act and FDA regulations that would apply.
    We note that an accredited third-party certification body that is 
an individual would be determined during the accreditation process to 
be appropriately qualified to conduct audits within the scope of its 
accreditation.
    (Comment 102) Some comments agree with proposed Sec.  1.650(c) and 
assert that it is needed to protect against conflicts of interest. Some 
comments assert that, under current practices, auditors in many 
countries frequently conduct consecutive audits at the same premises. 
Other comments suggest that the 13-month limit is unnecessary because 
adequate mechanisms already exist to manage conflicts of interest and 
objectivity in ISO/IEC standards. Still other comments express concern 
that the proposed limit of 13 months would be too short to avoid a 
conflict of interest. These comments contend a short interval between 
consultative audits and regulatory audits that are conducted by the 
same audit agent could create the appearance that the audit agent is 
auditing the results of the prior consultation. Other comments assert 
we should impose a 2-year limit, rather than a 13-month limit on audit 
agents conducting regulatory audits of the same eligible entity.
    (Response 102) We disagree with comments opposed to proposed Sec.  
1.650(c). Proposed Sec.  1.650(c) would implement the requirements of 
section 808(c)(4)(C) of the FD&C Act, which limits an accredited third-
party certification body's ability to use an audit agent to conduct a 
regulatory audit of an eligible entity if the agent conducted a 
consultative or regulatory audit for the same eligible entity in the 
preceding 13 months, unless FDA waives the limitation under criteria 
described in the statute. While we recognize this requirement may 
differ from some international standards, it balances the concern of an 
audit agent auditing their own prior results if the subsequent audit 
happens too soon with auditor capacity concerns through a waiver 
provision. Under proposed Sec.  1.663, FDA would issue waivers where we 
determine there is insufficient access to in the country or region 
where the eligible entity is located.
    We note that the proposed rule was unclear with respect to whether 
the showing of insufficient access to support a waiver was based on a 
lack of certification bodies or individual audit agents in a country or 
region, and have therefore clarified in the final rule that the showing 
of insufficient access necessary for FDA to grant a waiver request is 
based on lack of audit agents (or in cases where individuals are 
accredited as third-party certification bodies, those individuals). 
Although we are finalizing additional conflict of interest requirements 
in Sec.  1.657 of this rule, these provisions do not implement the 13-
month limit in section 808(c)(4) of the FD&C Act. Section Sec.  
1.650(c) complements the requirements in Sec.  1.657 to provide 
additional conflict of interest protections. Note that though this 
response uses the term ``audit agent'' this provision also applies to 
accredited third-party certification bodies that are individuals.
    (Comment 103) Several comments assert that proposed Sec.  1.650(c) 
and the waiver process FDA proposes to establish would be impractical. 
The comments note that there is currently a significant shortage of 
experienced food

[[Page 74609]]

safety auditors around the world. Describing it as a ``capacity'' 
issue, the comments suggest that implementation of the FSMA rules will 
further exacerbate the problem. Some comments suggest that proposed 
Sec.  1.650(c) would be impractical for small countries due to auditor 
capacity issues.
    (Response 103) We acknowledge the concerns about the possible 
shortage of skilled food safety auditors to meet current global demand 
and are aware of efforts by GFSI, the food industry, scheme owners, and 
third-party food safety certification bodies to address auditor 
capacity, as described in section I.D. We also understand that FSMA 
implementation is likely to create further demand for auditors. 
Nonetheless, as explained in Response 102, we are required by section 
808(c)(4)(C) of the FD&C Act to limit an accredited third-party 
certification body's ability to use an audit agent; we have clarified 
in the final rule that the showing of insufficient access necessary for 
FDA to grant a waiver request is based on lack of audit agents (or in 
cases where individuals are accredited as third-party certification 
bodies, those individuals).
    We disagree with comments suggesting that the waiver process we 
propose would be impractical. We are developing an IT portal that 
includes the capability for accepting electronic submissions of 
requests and electronic issuance of waivers, which will help facilitate 
the submission of waiver requests by accredited third-party 
certification bodies and FDA's processing of such requests.
    (Comment 104) Some comments contend that the proposal to require 
accredited third-party certification bodies to show insufficient 
accredited third-party certification body resources to obtain an FDA 
waiver of proposed Sec.  1.650(c) would be unnecessarily burdensome 
because the proposed conflict of interest requirements adequately 
protect against concerns about ``industry capture.'' Some comments 
recommend that FDA research global food safety auditor capacity and 
proactively issue waivers of proposed Sec.  1.650(c), absent waiver 
request(s). Still other comments suggest that eligible entities should 
be able to seek waivers of the 13-month limit on behalf of an 
accredited third-party certification body.
    (Response 104) Under section 808(c)(4)(C) of the FD&C Act, the 13-
month limit on audit agents conducting regulatory audits may be waived 
if FDA determines there is insufficient access to audit agents in a 
country or region. While acknowledging capacity concerns raised in 
comments, we decline the suggestion that FDA should gather information 
to support waivers absent a request for a waiver under section 
808(c)(4)(C)(ii) of the FD&C Act. We believe gathering such information 
would not be the best use of our limited resources, and that third-
party certification bodies would be better positioned to inform FDA of 
audit agent capacity issues in their country or region of operation. 
Moreover, the final rule clarifies that accredited third-party 
certification bodies must demonstrate that there is insufficient access 
to audit agents in the country or region where the eligible entity is 
located in order to obtain a waiver. Because the 13-month limit is on 
individual audit agents, and not third-party certification bodies, this 
limitation is likely to be less burdensome than anticipated by the 
comments.
    We decline the suggestion to allow eligible entities to request a 
waiver of proposed Sec.  1.650(c) on behalf of an accredited third-
party certification body, because we believe the accredited third-party 
certification body will be better suited to assess auditor capacity on 
a national or regional basis. Periodic rotation of audit agents is 
intended to help ensure that audits remain objective and do not become 
compromised by familiarity. The requirement to ensure an audit agent's 
objectivity is placed on the accredited third-party certification body, 
not an eligible entity, under proposed Sec.  1.650(a). Further, given 
that the accredited third-party certification body would ultimately 
need to agree to conduct an audit for an eligible entity, requiring the 
accredited third-party certification body to request the waiver would 
ensure that they are willing to accept the request for a food safety 
audit in the first place. In light of the foregoing, we have concluded 
that it is the accredited third-party certification body, not the 
eligible entity, who should seek a waiver of the 13-month limit in 
proposed Sec.  1.650(c).
    We disagree with comments suggesting waiver requests will be unduly 
burdensome or time-consuming for accredited third-party certification 
bodies. The IT portal we are developing for the third-party 
certification program includes the capability for accepting electronic 
submissions of requests and electronic issuance of waivers, which we 
believe will help minimize the administrative burden on certification 
bodies and FDA.

B. How must an accredited third-party certification body conduct a food 
safety audit of an eligible entity? (Sec.  1.651)

    Proposed Sec.  1.651 would establish requirements for planning and 
conducting consultative and regulatory audits in a manner that fulfills 
the purposes of section 808 of the FD&C Act. Under paragraph (a) on 
audit planning, the accredited third-party certification body would 
require the eligible entity to identify whether it was seeking a 
consultative or regulatory audit subject to the requirements of this 
subpart under the third-party certification program. The eligible 
entity would indicate the scope and purpose of the requested audit and, 
in the case of a regulatory audit, would indicate the type of 
certification sought. The accredited third-party certification body 
would also require the eligible entity to provide a 30-day operating 
schedule for the facility that would provide information relevant to 
scope and purpose of the audit. The accredited third-party 
certification body would then consider whether the requested audit is 
within the scope of its accreditation.
    Proposed Sec.  1.651(b) would require the accredited third-party 
certification body to ensure it would have adequate authority to 
conduct the requested audit, including authority to: (1) Conduct an 
unannounced audit; (2) access any area of the facility or any of its 
records relevant to the scope of the audit; (3) use an accredited 
laboratory in accordance with section 422 of the FD&C Act, (21 U.S.C. 
350k), where FDA requires sampling and analysis; (4) notify FDA 
immediately upon discovering, during a consultative or regulatory 
audit, a condition that could cause or contribute to a serious risk to 
the public health; (5) prepare audit reports that would contain certain 
elements and, for regulatory audits, that would be submitted to FDA; 
and (6) allow FDA and its recognized accreditation body to observe any 
food safety audit under the program.
    Proposed Sec.  1.651(c) would require an unannounced audit to be 
conducted in a manner consistent with its scope and purpose and would 
include records review as well as an onsite examination of the 
facility, process(es), and food to determine compliance with the 
applicable food safety requirements of the FD&C Act and FDA 
regulations, and for consultative audits, conformance with include 
industry standards and practices. Proposed Sec.  1.651(c) would require 
the audit agent to document observations and corrective actions and, 
where appropriate, would include

[[Page 74610]]

environmental or product sampling and analysis using validated 
methodologies and a laboratory accredited in accordance with the 
requirements of section 422 of the FD&C Act.
    At our own initiative, we are removing the requirement to use a 
laboratory consistent with section 422 of the FD&C Act and inserting a 
requirement in Sec.  1.651(b)(3) to use a laboratory accredited under 
ISO/IEC 17025:2005 or another laboratory accreditation standard that 
provides at least a similar level of assurance in the validity and 
reliability of sampling methodologies, analytical methodologies, and 
analytical results.
    On our own initiative, we are also revising Sec.  1.651(c)(1) to 
clarify that the audit must be focused on determining whether the 
facility, its process(es), and food are in compliance with the 
applicable food safety requirements of the FD&C Act and FDA 
regulations, and for consultative audits, also includes conformance 
with applicable industry standards and practices. Based on comments 
received on Sec.  1.653 and for the reasons described in Comment/
Response 112 in section IX.C., we are revising Sec.  1.651(c)(3) to 
clarify that an accredited third-party certification body (or its audit 
agent, where applicable) that identifies a deficiency requiring 
corrective action may verify the effectiveness of a corrective action 
once implemented by the eligible entity but must not recommend or 
provide input to the eligible entity in identifying, selecting, or 
implementing the corrective action.
    (Comment 105) Some comments suggest that we should incorporate ISO/
IEC 19011:2011 (Ref. 8), which contains guidelines on auditing 
management systems, by reference into the rule.
    (Response 105) We disagree, because ISO/IEC 19011:2011 (Ref. 8) is 
inconsistent with the requirements of section 808 of the FD&C Act and 
this rule. For example, ISO/IEC 19011:2011 (Ref. 8) is premised on 
announced audits that are scheduled with the client, as described in 
clauses 6.2.2, and 6.2.3 of the standard; however, section 
808(c)(5)(C)(i) of the FD&C Act requires audits conducted under this 
rule to be unannounced. As another example, clause 6.4.9 of ISO/IEC 
19011:2011 (Ref. 8) suggests that an audit team should attempt to 
resolve any ``diverging opinions'' between the team and the audited 
entity regarding the audit conclusions, such as the extent of 
conformity with audit criteria (clause 6.4.8), during the closing 
meeting. We acknowledge that differences of opinions regarding audit 
conclusions are likely to occur between eligible entities and 
accredited third-party certification bodies or audit agents. However, 
the credibility of our program rests in large part on the independence 
and objectivity of accredited third-party certification bodies and 
audit agents. This rule is intended to help ensure they are free from 
the influence of the eligible entities and any appearance that their 
judgment is compromised by eligible entities. Audit conclusions 
regarding an eligible entity's compliance with the applicable food 
safety requirements of the FD&C Act and FDA regulations are the purview 
of the accredited third-party certification body and any audit agents 
it uses. The appropriate mechanism for an eligible entity seeking to 
challenge adverse decisions would be the accredited third-party 
certification body's appeals process.
    For the foregoing reasons, we decline to incorporate ISO/IEC 
19011:2011 (Ref. 8) by reference into this rule.
    (Comment 106) Some comments assert the guidelines for management 
systems auditing in ISO/IEC 19011:2011 (Ref. 8) would provide a useful 
guide for audits conducted under the program. Other comments suggest 
the audit agents should be conducting food safety audits using a 
quality systems approach. Citing the production of food additives as an 
example, these comments note that while it would be preferable to 
conduct an audit while a food additive is being produced it is not 
always feasible. The comments suggest that as long as the audit focuses 
on quality systems it should not be necessary for production of the 
food additive to occur during the audit.
    (Response 106) As explained in Response 105, some elements of ISO/
IEC 19011:2011 (Ref. 8) are inconsistent with the requirements of 
section 808 of the FD&C Act and this rule, thereby limiting its 
applicability for food safety audits conducted under this rule. We 
agree, however, with the general principle that a ``systems'' approach 
to food safety audits with a correctly identified scope and purpose, 
using appropriate audit criteria, and properly executed by a competent 
audit agent (or individual accredited as third-party certification 
body), should be sufficient to cover the food within the audited 
system(s) of the facility, without requiring direct observation of each 
type of food produced. We note that it is essential that the scope of 
the audit covers the appropriate physical locations, activities, and 
processes that are part of the management system to be audited, and 
information collected during the audit must be relevant to the audit 
scope, purpose, and criteria, including information relating to 
interfaces between functions, activities, and processes of the food 
safety system.
    We use the term ``systems audits'' generally, acknowledging that 
``management systems'' audits, ``product certification'' audits, and 
``quality systems'' audits have specific meanings in some contexts, 
such as ISO/IEC standards, but may have different meanings in different 
contexts. To the extent that the comments referencing a ``quality 
systems'' approach are suggesting that food safety audits should be 
conducted using a ``systems auditing'' approach, we agree. Accordingly, 
we are revising Sec.  1.651(c)(1) to better align with the language of 
section 808 of the FD&C Act and this rule, as well as ``systems'' 
auditing principles.
    Our goal is to ensure the rigor of the food safety audits conducted 
under our program, which will be accomplished through compliance with 
the requirements of this rule. It is intended to help ensure that food 
safety audits are conducted by competent audit agents (or individuals 
accredited as a third-party certification bodies), in accordance with a 
properly defined audit scope and purpose, using the applicable audit 
criteria required by this rule. As such, any food safety audit 
conducted under the rule should provide the information necessary for 
the accredited third-party certification body to make a determination 
on compliance with the applicable food safety requirements of the FD&C 
Act and FDA regulations. Whether or not a particular audit does, in 
fact, provide such information, with an appropriate level of 
confidence, is dependent on a number of factors, among them:
    1. At the time that the food safety audit is procured, the eligible 
entity must declare the scope and purpose of the audit consistent with 
the requirements of this rule (and any additional criteria established 
in VQIP guidance for facility certifications for use in that program 
or, for certifications to be used for purposes of section 801(q) of the 
FD&C Act any additional criteria that may be established by FDA 
relating to the safety determination).
    2. The accredited third-party certification body must assign an 
audit agent that is competent to perform the audit (or, for an 
accredited third-party certification body that is an individual, such 
audit must be within the scope of accreditation).
    3. The audit agent (or individual accredited as a third-party 
certification body) must:
    a. Develop and successfully execute an audit plan that includes a 
records

[[Page 74611]]

review, which may be scheduled, and a subsequent onsite facility 
examination performed on an unannounced basis within a 30-day window of 
time according to the facility's operating schedule for the requested 
audit purpose and scope and using the appropriate audit criteria; and
    b. during the audit collect and verify information that is relevant 
to the audit purpose, scope, and criteria and that will form the basis 
for the audit findings and conclusions.
    We note that this rule establishes the requirements for the third-
party certification program but does not establish requirements 
relating to the use of these certifications for purposes of sections 
801(q) and 806 of the FD&C Act. To that end, we urge an eligible entity 
seeking a regulatory audit for certification to be used for VQIP 
purposes or for purposes of satisfying a requirement for certification 
under section 801(q) to ensure that the scope of the regulatory audit 
it procures, and any food and facility certifications that are issued 
as a result, will be sufficient to meet FDA requirements under sections 
801(q) and 806 of the FD&C Act.
    Under section 806 of the FD&C Act, FDA will require facility 
certifications issued by accredited third-party certification bodies 
under section 808 as a condition of an importer's eligibility for VQIP. 
We encourage eligible entities, importers, and accredited third-party 
certification bodies to consult the VQIP guidance, when finalized, to 
ensure the proper scope has been established for any regulatory audit 
conducted to obtain facility certification for VQIP purposes.
    Any requirement for certification to satisfy a condition of 
admissibility under section 801(q) of the FD&C Act would be based on an 
FDA safety determination relating to specific circumstances, as 
described in section 801(q)(2). An eligible entity seeking 
certification from an accredited third-party certification body to meet 
the admissibility requirements under section 801(q) of the FD&C Act 
must ensure the proper scope has been established for the regulatory 
audit it procures to address the circumstances behind the 801(q) 
determination.
    (Comment 107) Some comments assert that the audit requirements in 
proposed Sec.  1.651 are overly detailed and inflexible, contending 
that accreditation bodies have their own requirements for good auditing 
practices. The comments also suggest that proposed Sec.  1.651, would 
be problematic to implement and cite as an example the proposed 
requirement for unannounced audits, which the comments say would be 
inconsistent with the requirements associated with planned audits that 
apply in other programs.
    (Response 107) We understand that some of the requirements in 
proposed Sec.  1.651 differ from the audit protocols currently used in 
conducting many third-party audits of food facilities. The comments do 
not identify the good auditing practices they assert accreditation 
bodies already require certification bodies to use; however, we are not 
incorporating ISO/IEC 17021:2011, ISO/IEC 17065:2012, or ISO/IEC 
19011:2011 by reference into this rule for the reasons explained in 
section I.D. We are unable to identify a voluntary consensus standard 
that would encompass the audit practices required by section 808 of the 
FD&C Act (e.g., unannounced audits and notification of conditions that 
could cause or contribute to a serious risk to public health) as well 
as other practices the statute allows (e.g., audit agents conducting 
both consultative and regulatory audits). In the absence of existing 
standards that would adequately address the food safety audit 
requirements of section 808 of the FD&C Act, Sec.  1.651 offers 
accredited third-party certification bodies and audit agents the 
requirements needed to conduct food safety audits in the manner the 
statute contemplates and requires.
    The comment asserting that proposed Sec.  1.651, would be 
problematic to implement cited as an example the proposed requirement 
for unannounced audits in Sec.  1.651(c)(1). We acknowledge that most 
audits are scheduled, and a program involving unannounced audits will 
require changes in the current usual practices of accredited third-
party certification bodies and eligible entities. However, section 
808(c)(5)(C)(i) of the FD&C Act specifically requires audits performed 
under this rule to be unannounced. As described in Response 106, 
proposed Sec.  1.651(c)(1) was designed to provide flexibility to 
accredited third-party certification bodies and eligible entities, 
while fulfilling this statutory requirement. Without additional 
examples or other details in the comments to explain why the other 
audit protocols in proposedSec.  1.651(a) would be problematic to 
implement, we decline to revise Sec.  1.651(a)(2) to (4) in response to 
the comments.
    (Comment 108) In addition to comments described in section III.E. 
regarding the impracticality of unannounced audits, some comments 
contend that unannounced audits would be impractical and inefficient 
for any food safety audit (e.g., regulatory audits) conducted under 
this rule. Other comments express concern about implementing 
unannounced audits at farms that may be geographically isolated, while 
offering support for unannounced audits in principle.
    Other comments note that unannounced audits are conducted for 
operations participating in the Leafy Greens Marketing Agreements 
(LGMAs) in California and Arizona and in the California Cantaloupe 
Marketing Order (CCMO), asserting it is feasible to conduct audits of 
seasonal operations during harvest activities, observing practices and 
programs in the field and facility. Some comments suggest that 
unannounced audits provide a more realistic view of the entity's 
compliance status than planned audits do.
    Some comments endorse the approach of a planned records review 
prior to an unscheduled site audit occurring at any point during a 30-
day operating window. Other comments ask us to clarify in the final 
rule which parts of a food safety audit may be performed on a scheduled 
basis and which parts must be performed on an unannounced basis within 
a 30-day window.
    (Response 108) We decline to revise our approach to unannounced 
audits under Sec.  1.651, as section 808(c)(5)(C)(i) of the FD&C Act 
explicitly requires that audits be unannounced. We are, however, adding 
language to Sec.  1.651(c)(1) to clarify that the records review 
portion of a food safety audit may be scheduled with an eligible entity 
and, through revisions to Sec.  1.651(c)(2), are requiring the records 
review to occur before the onsite facility examination portion of the 
audit, consistent with the description in the preamble to the proposed 
rule (78 FR 45782 at 45811 to 45812). We are retaining the requirement 
in Sec.  1.651(c)(1) to conduct an unannounced audit through an 
unscheduled onsite facility examination at any time during the 30-day 
timeframe identified pursuant to Sec.  1.651(a)(1)(ii).
    As discussed in the preamble to the proposed rule (78 FR 45782 at 
45811), when developing the audit protocols to implement the statutory 
requirement for unannounced audits, we considered the British Retail 
Consortium (BRC) Global Standard for Food Safety (Ref. 22) unannounced 
audit option to help us ensure that our approach to unannounced audits 
would be practical and feasible to implement. The BRC unannounced audit 
option provides for a ``Good Manufacturing Practices-type audit'' to be 
unannounced, while a separate records review could occur during a 
planned visit. We have concluded that it is reasonable and appropriate 
to interpret the statutory

[[Page 74612]]

requirement for unannounced audits to allow a record review to be 
conducted during a planned visit to the eligible entity, provided that 
the onsite audit is conducted on an unannounced basis. In addition, as 
discussed previously, we have revised Sec.  1.651(c)(2) to require that 
the records review must precede the onsite examination to facilitate 
the facility visit.
    We agree with comments suggesting that unannounced audits are 
feasible and note, for example, that another GFSI-benchmarked scheme, 
the Safe Quality Food Code in July 2014 began implementing an 
unannounced audit component, wherein unannounced audits are mandatory 
for every third audit (Ref. 23). Additionally, while we appreciate the 
concern expressed by comments regarding the implementation of 
unannounced audits at farms that may be geographically isolated, we 
believe the examples cited by comments of unannounced audits of 
participants that are performed at least once each year under the LGMA 
and the CCMO are persuasive in demonstrating the feasibility of 
unannounced audits for primary production. Moreover, the requirements 
for audits specified in the statute and our experiences planning 
foreign inspections lead us to believe that the requirement for a 30-
day operating window will assist in preventing logistic problems 
associated with unannounced audits in geographically isolated areas. 
For the foregoing reasons, we have concluded that the unannounced audit 
protocol in Sec.  1.651(a)(1) is practical and efficient to implement, 
while meeting the requirements of section 808(c)(5)(C)(i) of the FD&C 
Act.
    (Comment 109) Some comments suggest that FDA increase the window of 
time between the records review, which informs the audit planning, and 
the unannounced site audit, which examines the facility, its 
process(es), and food for compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations. To maximize the 
element of surprise while ensuring the relevance of the records review 
to the conduct of the site audit, the comments suggest we should expand 
the timeframe to allow the audit agent to conduct the site audit any 
time during a 90-day period.
    (Response 109) Food safety audits conducted under this program, 
particularly regulatory audits for certification purposes, often are 
time sensitive in nature, because they are necessary for issuance of 
certifications that are used facilitate trade. Establishing a lengthy 
window of time during which an unannounced audit could occur could have 
significant implications, for example, where certification is used in 
satisfying a condition of admissibility for a food subject an FDA 
safety determination under section 801(q) of the FD&C Act. A lengthy 
window of time for an unannounced audit to be conducted also could 
hinder participation in the VQIP program under section 806 of the FD&C 
Act, which requires an importer to provide facility certification as a 
condition of participation. In light of the foregoing, we do not 
believe it would be reasonable to extend the length of time between 
records review and the site audit from 30 to 90 days.

C. What must an accredited third-party certification body include in 
food safety audit reports? (Sec.  1.652)

    Proposed Sec.  1.652 would implement section 808(c)(3)(A) of the 
FD&C Act, which authorizes FDA to establish the requirements for audit 
reports that an accredited third-party certification body would need to 
prepare as a condition of its accreditation. The statute specifies that 
such report of an audit must include: (1) The identity of the persons 
at the eligible entity responsible for compliance with food safety 
requirements; (2) the dates and scope of the audit; and (3) any other 
information FDA requires that relates to or may influence an assessment 
of compliance.
    Proposed Sec.  1.652(a) would specify the form of consultative 
audit reports, which would include: The name, address, and unique 
facility identifier (UFI) of the facility subject to audit; the name, 
address, and UFI of the eligible entity (if it differs from the 
facility); the contact information for the person(s) responsible for 
food safety compliance at the facility; the dates and scope of the 
consultative audit; and any deficiency(ies) observed during the audit 
that require corrective action(s) and the date on which such corrective 
action(s) were completed. Proposed Sec.  1.652(a) would require that a 
consultative audit report be prepared by no later than 45 days after 
completing the audit and would require preparing the report in English 
and maintaining it as a record under proposed Sec.  1.658.
    Proposed Sec.  1.652(b) would specify the form of regulatory audit 
reports, which would include: (1) The name, address, and UFI of the 
facility subject to audit; (2) the FDA food facility registration 
number (where applicable); (3) the name, address, and UFI of the 
eligible entity (if it differs from the facility); (4) the contact 
information for the person(s) responsible for food safety compliance at 
the facility; (5) the dates and scope of the regulatory audit; (6) the 
process(es) and food(s) observed during the audit; (7) whether sampling 
and laboratory analysis is used in the facility; (8) recent food 
recalls; (9) recent significant changes at the facility; and (10) any 
food or facility certifications recently issued to the entity. With 
respect to deficiencies and corrective actions, proposed Sec.  1.652(b) 
would require the accredited third-party certification body to include 
in the regulatory audit report any deficiency(ies) observed during the 
audit that meet FDA's Class I and Class II recall standards--i.e., the 
deficiency(ies) present(s) a reasonable probability that the use of or 
exposure to the violative product will cause serious adverse health 
consequences or death; or may cause temporary or medically reversible 
adverse health consequences or where the probability of serious adverse 
health consequences is remote, and the corrective action plan for any 
identified deficiency unless the corrective action was implemented 
immediately and verified onsite by the accredited third-party 
certification body. Proposed Sec.  1.652(b) also would require that a 
regulatory audit report be submitted to FDA electronically, in English, 
by no later than 45 days after completing the audit.
    Under proposed Sec.  1.652(c), an accredited third-party 
certification body would have to submit to FDA an audit report for any 
regulatory audit it conducts, regardless of whether the certification 
body issued a certification based on the results of the regulatory 
audit. Proposed Sec.  1.652(d) would require an accredited third-party 
certification body to implement written procedures for receiving and 
addressing challenges from eligible entities contesting adverse 
regulatory audit results and would require them to maintain records of 
such challenges under proposed Sec.  1.658.
    On our initiative, we revised paragraphs (a) and (b) of Sec.  1.652 
to clarify that an accredited third-party certification body must 
provide a copy of a consultative audit report or regulatory audit 
report (respectively) to the eligible entity. We also on our own 
initiative added a requirement for the accredited third-party 
certification body to include in the audit report the FDA Establishment 
Identifier (FEI) of the facility audited and the FEI of the eligible 
entity, if different than the FEI for the audited facility to help 
verify the identity of the facility and eligible entity based on 
information contained in FDA's database of FEIs. Further, we aligned 
the elements of the consultative audit report and regulatory audit 
report; for example, we redesignated proposed paragraph (a)(5) as 
(a)(6) and added a

[[Page 74613]]

new paragraph (a)(5) to require that the consultative audit report 
include the processes and foods observed during the consultative audit. 
Additionally, on our own initiative we revised Sec.  1.652(d) to 
clarify that an accredited third-party certification body must notify 
an eligible entity of a denial of certification.
    (Comment 110) Several comments raise concerns regarding the 
requirements that would apply to consultative audit reports under 
proposed Sec.  1.652(a). The comments assert that because consultative 
audits are specifically intended to be for internal purposes, FDA 
should delete proposed Sec.  1.652(a) and should not propose any 
requirements for consultative audit reports. Other comments suggest 
that we remove the proposed requirement to prepare a consultative audit 
report no later than 45 days after conducting the audit, asserting the 
deadline is infeasible. Still other comments suggested we should allow 
consultative audit reports to be prepared and maintained in languages 
other than English.
    Some comments interpret proposed Sec.  1.652(a) to require 
consultative audit reports to be submitted to FDA. Other comments urge 
us to emphasize to industry that proposed Sec.  1.652(a) would only 
require accredited third-party certification bodies to maintain 
consultative audit reports in their records and not submit them to FDA, 
and that FDA could only access consultative audit reports in 
circumstances meeting the serious adverse health conditions or death to 
humans or animals (SAHCODHA) standard for records access under section 
414 of the FD&C Act. Other comments note that the proposed rule was 
silent on the protection of proprietary information in audit reports.
    (Response 110) We disagree with comments suggesting that because 
consultative audits are for internal purposes only, FDA is precluded 
from imposing any requirements for consultative audit reports prepared 
by accredited third-party certification bodies under this rule. Section 
808(c)(3)(A) of the FD&C Act requires certain elements to be included 
in reports for all food safety audits. This includes both consultative 
audits and regulatory audits, which are the two types of audits 
described in section 808(c)(4)(B) of the FD&C Act. Section 808(c)(3)(A) 
sets a 45-day deadline for the preparation of all audit reports, 
including consultative audit reports, and sets a separate requirement 
that the audit reports for regulatory audits be submitted. Section 
808(c)(3)(A) of the FD&C Act also gives FDA discretion to designate the 
form and manner of audit reports and to require accredited third-party 
certification bodies to include in audit reports other information that 
relates to or may influence an assessment of compliance with the FD&C 
Act. In light of these statutory provisions, we decline the suggestions 
to delete proposed Sec.  1.652(a) or to remove the proposed 45-day 
deadline for preparation of a consultative audit report.
    We are, however, removing the proposed requirement in Sec.  
1.652(a) that consultative audit reports would need to be prepared and 
maintained in English in the accredited third-party certification 
body's records. As explained in Response 59, we are removing the 
proposed requirements for recognized accreditation bodies and 
accredited third-party certification bodies to create and maintain 
records that do not need to be submitted to FDA, outside of a specific 
request, under this rule in English.
    We disagree with comments suggesting that Sec.  1.652(a) should 
require accredited third-party certification bodies to submit 
consultative audit reports to FDA. We note that section 808(c)(3)(A) 
only requires the submission of regulatory audit reports. Because 
consultative audits are for internal purposes, we consider it 
appropriate to require the maintenance of these reports, but not the 
submission of the reports. Under section 808(c)(3)(C) of the FD&C Act, 
we could only access consultative audit reports in circumstances 
meeting the standard for records access under section 414 of the FD&C 
Act.
    With respect to protection of proprietary information in 
consultative audit reports submitted to or obtained by FDA, we note 
that the final rule includes new provision Sec.  1.695, which addresses 
disclosure and the protection of trade secrets and confidential 
commercial information under applicable law.
    (Comment 111) Some comments support our proposal to require that 
consultative audit reports under proposed Sec.  1.652(a)(2) and 
regulatory audit reports under proposed Sec.  1.652(b)(1)(i) and (b)(2) 
include UFIs for audited facilities and for eligible entities (where 
different from audited facilities). In the preamble to the proposed 
rule (78 FR 45782 at 45812), we solicited comment on whether a UFI 
should comprise a Data Universal Numbering System (DUNS[supreg]) number 
and Global Positioning System (GPS) coordinates for an audited facility 
and for the eligible entity (if different from the audited facility).
    Some comments support using DUNS[supreg] numbers in UFIs for 
eligible entities and audited facilities, asserting that approximately 
230 million establishments around the world have DUNS[supreg] numbers. 
The comments assert that DUNS[supreg] numbers are easy to obtain and 
free to the establishment. Comments also emphasize that the use of 
DUNS[supreg] numbers would be particularly helpful under the third-
party certification rule, because the numbers help to determine 
corporate ``families''--e.g., related establishments.
    Other comments oppose using DUNS[supreg] numbers as UFIs, 
contending that DUNS[supreg] numbers are not widely used outside the 
United States and frequently have errors. Some of these comments 
propose alternatives to DUNS[supreg] numbers, including: GPS 
coordinates, FDA's food facility registration numbers, or the U.S. 
Internal Revenue Service taxpayer identification numbers which comments 
suggest foreign companies can request from U.S. Customs and Border 
Protection.
    (Response 111) We received valuable input in response to our 
solicitation of comments on UFIs for audited facilities and eligible 
entities. Having a UFI for eligible entities (and audited facilities if 
different) would be useful to FDA in identifying an eligible entity 
that does not already have a numerical identifier in one of FDA's 
databases. For example, farms generally are not required to register 
with FDA under section 415 of the FD&C Act, so they would not have an 
FDA Food Facility Registration Number, unless they conduct activities 
for which such registration is required, and some eligible entities may 
not have been assigned an FDA Facility Establishment Identifier.
    We note that FDA currently is considering whether to require UFIs 
for regulated establishments, such as facilities as defined in 21 CFR 
1.227, and the types of numbering systems that might be used for UFIs. 
Under this final rule, an accredited third-party certification body 
will be required to include a UFI for an audited facility and for an 
eligible entity (if different from the audited facility) in a 
consultative audit report under Sec.  1.652(a)(1)(i) and (a)(2), and a 
regulatory audit report under Sec.  1.652(b)(1)(i) and (b)(2), if FDA 
designates a UFI system.
    (Comment 112) Some comments focus on proposed Sec.  1.652(a)(5), 
which would require a consultative audit report to include any 
deficiencies observed that require corrective action, the corrective 
action plan, and the date corrective

[[Page 74614]]

actions were completed. Some comments ask us to clarify what 
information about deficiencies should be included in consultative audit 
reports. The comments distinguish between FDA investigators who collect 
physical evidence during inspections and third-party certification 
bodies who typically observe process(es), review records, and cite 
nonconformity to standards--e.g., ``Canning retort time did not meet x 
temperature for y time of the scheduled process.'' Other comments ask 
FDA to clarify that the eligible entity, not the audit agent, would be 
responsible for corrective actions, including analyzing the cause of 
the nonconformity and developing corrective actions to address the 
nonconformity. These comments support the proposed requirement to 
require documentation and verification of corrective actions, whether 
through document review or onsite audits.
    (Response 112) As the comments suggest, third-party certification 
bodies commonly describe their audit findings in terms of conformity or 
nonconformity with audit criteria, such as a GFSI-benchmarked food 
safety scheme or the ISO/TS 22003:2013 series of food safety standards 
(Ref. 24). Under section 808 of the FD&C Act, accredited third-party 
certification bodies examine eligible entities and their foods for 
compliance with the applicable food safety requirements of the FD&C Act 
and FDA regulations and, for consultative audits, also assess 
conformity with applicable industry standards and practices.
    Under proposed Sec.  1.652(a)(5), a consultative audit report would 
identify any deficiencies observed by audit agent, which we intended 
would encompass any deficiency that relates to or may influence the 
accredited third-party certification body's determination of whether 
the eligible entity is in compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations. We were not proposing 
to require that consultative audit reports include information on an 
observation solely related to a nonconformity with industry standards 
or practices that FDA does not implement or enforce. An observation 
relating to both a nonconformity with an industry standard or practice 
and a deficiency that relates to or may influence a compliance 
determination would need to be included in the audit report as a 
deficiency under proposed Sec.  1.652(a)(5). In response to comments, 
we are revising Sec.  1.652(a)(5), renumbered as Sec.  1.652(a)(6), to 
clarify that a consultative audit report must include any deficiency 
that relates to or may influence a determination of compliance with the 
applicable food safety requirements of the FD&C Act and FDA regulations 
and information on the corrective action(s) to address such deficiency.
    We agree with comments distinguishing between the roles of eligible 
entities (who must identify and implement effective corrective actions) 
and accredited third-party certification bodies and their audit agents 
(who identify deficiencies and verify that effective corrective actions 
have been implemented). After identifying deficiencies that will 
require corrective action, accredited third-party certification bodies 
and their audit agents must maintain their impartiality by allowing 
eligible entities to select the appropriate corrective actions to 
employ. To recommend or suggest corrective actions to eligible entities 
during consultative or regulatory audits would undermine the 
objectivity of the third-party certification bodies or audit agents in 
performing their critical task of verifying the effectiveness of the 
corrective actions once implemented. To address this concern, we have 
elected to revise Sec.  1.651(c)(3) as described in section IX.B., 
because we believe this issue is better addressed as part of the 
protocols for audits conducted under subpart M.
    (Comment 113) Some comments assert that proposed Sec.  1.652(b) is 
unnecessary, because many of the elements of regulatory audit reports 
that we propose already are commonly included in audit reports. The 
comments contend that listing specific elements to be included in a 
regulatory audit report would be too prescriptive and would stifle 
creativity. Other comments suggest that proposed Sec.  1.652(b) is 
overly broad, and the comments object to the elements of the audit 
reports. Some comments assert that reporting of recent recalls is 
unnecessary because this is information already in FDA's possession. 
Still other comments note that documents that are routinely part of an 
audit process may contain critical business information. These comments 
suggest that FDA should consider a ``tiered'' approach, by requiring 
only summary reports on audit results to be submitted to FDA, not 
proprietary information.
    Other comments support proposed Sec.  1.652(b) and the data 
elements we proposed to require in regulatory audit reports. Some of 
these comments seek additional information on the form and manner of 
submitting this information to FDA. The comments also ask whether the 
regulatory audit reports will be publicly released.
    (Response 113) We disagree with comments suggesting that proposed 
Sec.  1.652(b) is unnecessary because the information we proposed to 
require in regulatory audit reports already is included in the audit 
reports prepared by third-party certification bodies. Although many of 
the elements required to be included in the reports under this rule are 
currently being included in audit reports prepared by third-party 
certification bodies, it is important that we require the elements 
included in this final rule because they are essential to the 
preparation of audit reports that are consistent with the purpose of 
this program.
    We disagree with the comments asserting that proposed Sec.  
1.652(b) is overly broad and the comments contending that the provision 
is overly prescriptive. Section 808(c)(3)(A) of the FD&C Act requires 
that audit reports include the dates and scope of the audit and the 
identity of the persons at the audited eligible entity responsible for 
compliance with food safety requirements. Section 808(c)(3)(A) of the 
FD&C Act also gives FDA discretion to require that audit reports 
include other information that relates to or may influence an 
assessment of compliance with the FD&C Act. Under proposed Sec.  
1.652(b), a regulatory audit report would include the elements required 
by the statute, as well as the following information: Identifying 
information for the eligible entity (and for the facility, if different 
from the eligible entity); the food(s) and process(es) observed; any 
deficiencies observed during the audit that relate to an FDA Class I or 
Class II recall situation; and the corrective action plan for such 
deficiencies. We also proposed to require the regulatory audit report 
to indicate whether any sampling and laboratory analysis is used in the 
facility and whether in the 2 years preceding the audit the entity: 
Issued a food safety-related recall; made significant changes in the 
facility, its process(es), or products; or was issued any food or 
facility certifications.
    As to the elements of the regulatory audit report in proposed Sec.  
1.652, we note that paragraphs (b)(1) and (2) provide identifying 
information for the eligible entity (and the facility audited, if 
different than the eligible entity) and paragraphs (b)(3) and (5) 
contain the elements required by section 808(c)(3)(A) of the FD&C Act. 
We agree with comments asserting that it is not be necessary to include 
information in regulatory audit reports that is already in FDA records; 
therefore, we are removing the proposed requirements in Sec.  
1.652(b)(9) and (11) to report information on food-safety related

[[Page 74615]]

recalls conducted by the eligible entity and food and facility 
certifications issued to the eligible entity in the 2 years preceding 
the audit. We are retaining the other elements of the regulatory audit 
report under proposed Sec.  1.652(b)(4), (6) to (8), and (10)--i.e., 
whether the facility uses sampling and laboratory analysis, whether the 
entity has made significant changes to the facility, its process(es), 
or products during the 2 years preceding the audit; the foods and 
process(es) that were observed, as well as any deficiencies related to 
a Class I or Class II recall situation and the corrective action plans 
for deficiencies--because they are related to or influential to a 
determination of compliance with the applicable food safety standards 
of the FD&C Act and FDA regulations.
    As discussed in Response 67, we intend to provide additional 
instructions relating to the form and manner of submitting information 
to FDA. We also acknowledge comments' concerns about the protection of 
proprietary information in regulatory audit reports submitted to FDA. 
Information submitted to FDA is subject to public disclosure and under 
part 20, and we are including new Sec.  1.695 on public disclosure in 
section XIII.F of this final rule.
    (Comment 114) Some comments contend that the submission of 
regulatory audit reports under proposed Sec.  1.652 would ``empower'' 
accredited third-party certification bodies as ``de facto'' regulatory 
authorities.
    (Response 114) We disagree. Nothing in section 808 of the FD&C Act 
or in the proposed rule would empower accredited third-party 
certification bodies to implement or enforce the FD&C Act or FDA 
regulations. Further, section 808(h) of the FD&C Act clearly states 
that audits performed under this section shall not be considered 
inspections under section 704 of the FD&C Act, which governs FDA 
inspections.
    (Comment 115) Some comments assert that regulatory audit reports 
should be submitted to FDA only when there are questions about product 
safety. Some comments suggest that proposed Sec.  1.652(b) could be 
onerous because it would require regulatory audit reports to be 
submitted to FDA in English by no later than 45 days after the audit 
was completed. The comments assert that a lack of auditor capacity in 
countries that export food to the United States could make it difficult 
for accredited third-party certification bodies to meet the 45-day 
deadline and suggest that FDA should consider adjusting the deadline 
for regulatory audit report submission in light of factors such as 
auditor capacity and the needs of seasonal producers. Other comments 
support the proposed 45-day deadline for audit report submission, 
noting that many audit reports currently take more than 45 days to 
complete, some taking nearly a year to be issued. Still other comments 
focus on the proposed requirement in Sec.  1.652(b) to submit 
regulatory audit reports in English, urging us to accept reports in 
various languages, including Spanish.
    (Response 115) Section 808(c)(3)(A) of the FD&C Act requires as a 
condition of accreditation that regulatory audit reports to be 
submitted to FDA within 45 days after conducting the audit. 
Accordingly, we decline the suggestion to limit the submission of 
regulatory audit reports to circumstances where there are questions 
about product safety. We also decline to extend the statutory 45-day 
deadline for submission of a regulatory audit report.
    We believe that allowing regulatory audit reports to be submitted 
in languages other than English, as some comments suggest, would create 
unnecessary obstacles to our program management and oversight. For 
example, we may review a regulatory audit report to assist us in 
deciding whether to accept a certification or to reject the 
certification after determining that is not valid or reliable. If we 
were to allow regulatory audit reports to be submitted in languages 
other than English, we might have to wait weeks for a translation. Such 
a delay would postpone our decision on whether to accept or refuse the 
certification and might have negative effects on the flow of trade.
    (Comment 116) Some comments oppose a proposal to use DUNS[supreg] 
numbers in UFIs for audited facilities and eligible entities that would 
be required to be submitted to FDA in regulatory audit reports under 
proposed Sec.  1.652(b)(1)(i) and (b)(2). The comments suggest that 
using DUNS [supreg] numbers in UFIs would create a monopoly for Dun and 
Bradstreet (D&B) and give D&B an unfair competitive advantage. The 
comments also express concern that establishments will face increased 
pressure to buy other D&B products. Other comments suggest that DUNS 
[supreg] numbers are not used outside the United States because, for 
example, DUNS[supreg] numbers require data such as street names, 
telephone numbers and other data points that small producers located 
outside the United States might not have. Instead, these comments 
suggest, FDA should use GPS latitude and longitude coordinates as UFIs.
    Some other comments express support for UFI requirements that would 
include the use of DUNS[supreg] numbers in UFIs for audited facilities 
and eligible entities. The comments assert that because DUNS[supreg] 
numbers are widely used, it would be reasonable for FDA to require 
DUNS[supreg] numbers to be used in UFIs under the third-party 
certification program.
    (Response 116) As explained in Response 111, FDA currently is 
considering whether to require regulated establishments to have UFIs 
and, if so, whether DUNS[supreg] numbers should be included in UFIs. As 
explained previously, under this final rule, an accredited third-party 
certification body will be required to include a UFI for an audited 
facility and for an eligible entity (if different from the audited 
facility) in a regulatory audit report under Sec.  1.652(b)(1)(i) and 
(b)(2), if FDA designates a UFI system.
    (Comment 117) Some comments agree with proposed Sec.  1.652(b)(4), 
which would require regulatory audit reports to include information on 
the process(es) and food(s) observed during the audit. Some comments 
request clarification of what process(es) and food(s) would need to be 
observed in a facility with several processes, and other comments ask 
what information FDA is seeking about the process(es) that were 
observed during a regulatory audit.
    (Response 117) As explained in Response 106, we do not believe that 
direct observation of each type of food produced under a management 
system is necessary when an audit covers the appropriate physical 
locations, activities, and processes that are part of the management 
system to be audited, and information collected during the audit must 
be relevant to the audit scope, purpose, and criteria, including 
information relating to interfaces between functions, activities, and 
processes of the management system. Therefore, information on the 
process(es) and food(s) observed by the audit agent (or accredited 
third-party certification body that is an individual) is useful in 
light of the scope of the audit and the management system(s) audited.
    (Comment 118) Some comments endorse proposed Sec.  1.652(b)(8), 
which would require the regulatory audit report to include information 
on whether sampling and analysis is used at the facility being audited. 
Of the comments that support proposed Sec.  1.652(b)(8), some would 
further require regulatory audit reports to include reporting of 
sampling and analytical results of sampling by the

[[Page 74616]]

eligible entity. Others suggest including analytical results relating 
to any deficiencies observed during an audit and the effectiveness of 
corrective actions taken to address the deficiency.
    (Response 118) We agree that it is useful for FDA to have 
information on whether an eligible entity uses sampling and analysis as 
a tool for verifying the effectiveness of its controls. Section 1.652 
does not require sampling or analysis on a routine basis; however, 
analytical reports must be included in regulatory audit reports if the 
certification body finds them to be relevant to the any elements of an 
audit report, such as a verification of corrective actions or in 
support of a decision not to certify. We note that sampling or 
analytical reports that are collected as part of a regulatory audit 
must be maintained as required under Sec.  1.658(a)(3).
    (Comment 119) Some comments support proposed Sec.  1.652(b)(9), 
which would require information on recent recalls to be included in 
regulatory audit reports. Other comments suggest that requiring recall 
information to be included in a regulatory audit report might lead to 
questions about the validity of a certification that the accredited 
third-party certification body might issue based on the results of its 
regulatory audit of the eligible entity. Some other comments suggest 
that requiring an accredited third-party certification body to include 
information on recent recalls in a regulatory audit report would be 
duplicative, because FDA should already have information on any recalls 
of regulated product exported to the United States, and recalls of 
product that was not exported to the United States would not be 
relevant to the regulatory audit report.
    (Response 119) We agree with comments suggesting that it would be 
duplicative to require accredited third-party certification bodies to 
include information on recent recalls in regulatory audit reports and 
are removing proposed Sec.  1.652(b)(9) in the final rule.
    (Comment 120) Some comments ask for clarification on proposed Sec.  
1.652(b)(11), which would require information on recent certifications 
to be included in regulatory audit reports. The comments ask whether a 
certification issued outside of the third-party certification program 
should be included in a regulatory audit report and if so, should the 
report identify the standards under which the certification was issued.
    (Response 120) Requiring information on certifications issued under 
the third-party certification program would be duplicative because 
certifications previously issued by the accredited third-party 
certification body under the program already would have been submitted 
to FDA. Further, we see no benefit to requiring the submission of 
information on certifications issued outside of this program. 
Accordingly, we are removing proposed Sec.  1.652(b)(11) from the final 
rule.
    (Comment 121) Some comments urge us to create a clear mechanism for 
eligible entities to appeal adverse audit results.
    (Response 121) Under proposed Sec.  1.652(d) an accredited third-
party certification body would have to implement written procedures for 
receiving, evaluating, and deciding on eligible entity challenges to 
adverse regulatory audit results. We believe this section provides a 
clear mechanism for eligible entities to be able to appeal adverse 
regulatory audit results. As explained in Response 36, we are 
clarifying that persons presiding over such appeals may be internal or 
external to the accredited third-party certification body.

D. What must an accredited third-party certification body do when 
issuing food or facility certifications? (Sec.  1.653)

    The proposed rule describes the activities that an accredited 
third-party certification body would have to perform when issuing food 
and facility certifications. Proposed Sec.  1.653 would require the 
certification body to have conducted a regulatory audit under proposed 
Sec.  1.651 and to conduct any other activities necessary to determine 
compliance under the applicable food safety requirements of the FD&C 
Act and FDA regulations.
    No certificate could be issued until the eligible entity took 
corrective actions to address any deficiencies reported under proposed 
Sec.  1.652(b)(6), and the corrective actions were verified by the 
accredited third-party certification body. The verification would need 
to occur onsite, unless the deficiency was a minor issue. A single 
audit could result in food and facility certifications or multiple food 
certifications only if the regulatory audit requirements were met as to 
each.
    Where a certification body uses audit agents, the certification 
body, not the audit agent, would make the determination whether to 
issue certification. However, the statute allows for individuals to be 
accredited as certification bodies; in that circumstance, the same 
individual would conduct the audit and also determine whether to issue 
certification.
    On our own initiative, we are revising Sec.  1.653(a)(3) to replace 
the phrase ``assessment made during'' with ``the data and other 
information'' to clarify what an accredited third-party certification 
body must consider when determining whether an eligible entity is in 
compliance with the applicable food safety requirements of the FD&C Act 
and FDA regulations.
    On our own initiative, we are making a number of revisions Sec.  
1.653(b). We are revising paragraph (b)(1) to clarify that the 
accredited third-party certification body may issue a food or facility 
certification under this subpart for a term of up to 12 months. 
Throughout paragraph (b)(2) we are specifying that the food or facility 
certification must contain information about regulatory audits. At our 
own initiative, we are revising Sec.  1.653(b)(2)(ii) and (iii) to 
require accredited third-party certification bodies to provide the FEI 
of the audited facility and the FEI of the eligible entity, if 
different from the audited facility, and we revised Sec.  1.653(b)(2) 
(iv) to require accredited third-party certification bodies to assign 
numbers to certifications they issue under the program. We are revising 
paragraph (b)(3) to clarify that FDA may refuse to accept any 
certification for purposes of section 801(q) or 806 of the FD&C Act if 
we determine that the certification is not valid or reliable. We are 
also adding new subparagraph (b)(3)(iii) to specify that if the 
certification was issued without reliable demonstration that the 
requirements of paragraph (a) were met, we may determine that the 
certification is not valid or reliable.
    (Comment 122) Some comments contend that proposed Sec.  1.653(a)(2) 
would require accredited third-party certification bodies to perform 
onsite verifications of corrective actions in situations where other 
methods of verification would be adequate. The comments assert that, by 
requiring onsite verification for any corrective action (other than an 
action taken to address recordkeeping deficiencies), the proposed rule 
would impose undue costs on eligible entities and would exacerbate 
issues of auditor capacity.
    The comments suggest that we allow for remote verification of 
corrective actions through photographs, live web-cam transmissions, and 
any other means that would provide evidence that corrective action has 
been taken and the eligible entity is in compliance with the FD&C Act. 
The comments suggest that FDA may, in its discretion, require onsite 
visits to confirm that corrective actions were taken in extraordinary 
situations where efforts short of onsite

[[Page 74617]]

observation would be insufficient to protect the public, such as in 
Class I recall situations. Some comments urge us to follow the 
requirements of ISO/IEC 17021:2011 (Ref. 6) for verification of 
corrective actions.
    (Response 122) We agree that onsite verification of corrective 
actions would not be necessary to address every deficiency identified 
in a regulatory audit report under proposed Sec.  1.652(b)(6). ISO/IEC 
17021:2011 (Ref. 6) (clauses 9.1.12-9.1.13) describes a range of 
activities--from document review to onsite verification to additional 
full audits--that a third-party certification body may use verifying 
the effectiveness of corrective actions. Remote verification may be 
appropriate where it would provide an adequate basis for the accredited 
third-party certification body to determine that the eligible entity 
had implemented effective corrective action(s) to address the 
identified deficiency or deficiencies. Accordingly, we are revising 
Sec.  1.653(a)(2) to expand the methods of verification an accredited 
third-party certification body may use to verify corrective actions for 
deficiencies identified in Sec.  1.652(b)(6), except that corrective 
actions in a facility that was the subject of a notification under 
Sec.  1.656(c) must be verified onsite.
    (Comment 123) Some comments urge FDA to establish qualifications 
for the individuals accredited third-party certification bodies would 
use to make certification decisions. The comments suggest that an 
accredited third-party certification body should use a panel of experts 
with appropriate industry or regulatory experience to make 
certification decisions on behalf of the body. Other comments urge FDA 
to identify the criteria an accredited third-party certification body 
should use in determining whether to issue certification under section 
808 of the FD&C Act.
    (Response 123) We agree with the comments suggesting that 
individuals involved in compliance determinations and certification 
decisions under section 808 of the FD&C Act must be appropriately 
qualified for those responsibilities. We agree that decisions on 
certification should be made by individuals other than audit agents who 
conducted the regulatory audits that would form the basis for the 
decisions on certification, except individuals accredited as third-
party certification bodies may perform regulatory audits and issue 
certifications based on the results of regulatory audits they 
performed. An assessment for accreditation of a third-party 
certification body under Sec.  1.642 would focus not only on its 
competency and capacity for auditing food facilities but also on its 
capacity to review audit results to determine compliance with 
applicable food safety requirements for purposes of certification. 
While an accredited third-party certification body may wish to use a 
panel of experts for certification decisions, it is not necessary under 
this rule.
    (Comment 124) Some comments suggest that certifications issued 
under section 808 of the FD&C Act should clearly delineate the scope of 
products and processes covered by the certification.
    (Response 124) Proposed Sec.  1.653(b)(2)(iv) and (vi) would 
require the certification to include both the scope of the audit and 
the scope of the food or facility certification. We believe the concern 
about the scope of products and processes covered by the food or 
facility certification is adequately addressed by the proposed rule, 
and we are retaining these provisions in the final rule.

E. When must an accredited third-party certification body monitor an 
eligible entity that it has issued a food or facility certification? 
(Sec.  1.654)

    Proposed Sec.  1.654 would require an accredited third-party 
certification body to conduct monitoring of an eligible entity if the 
certification body has reason to believe that an eligible entity to 
which it issued a certification may no longer be in compliance with the 
FD&C Act.
    (Comment 125) Comments endorsing proposed Sec.  1.654 suggest that 
FDA establish criteria for the ``reason to believe'' standard--that is, 
the circumstances FDA believes would trigger a requirement for an 
accredited third-party certification body to monitor an eligible 
entity. The comment further suggests that FDA should make these 
criteria available for public comment.
    (Response 125) FDA declines to codify specific criteria that would 
trigger the need for an accredited third-party certification body to 
conduct monitoring of an eligible entity to determine whether the 
entity is still in compliance with applicable requirements, as such 
criteria would be fact-specific and FDA cannot contemplate all 
situations that would require such monitoring. FDA envisions that the 
circumstances that might trigger monitoring under Sec.  1.654 are ones 
that may affect the eligible entity's capability to continue to comply 
with the applicable food safety requirements of the FD&C Act and FDA 
regulations, such as: (1) Significant changes to the audited facility, 
such as capital improvements; (2) major changes to the eligible 
entity's management system and processes; or (3) changes to the scope 
of operations, such as changes in manufacturing processes, that may 
affect the compliance status of an eligible entity.
    (Comment 126) Other comments urge FDA to require an accredited 
third-party certification body to notify an eligible entity immediately 
upon determining that monitoring of the eligible entity prior to 
recertification would be necessary.
    (Response 126) We decline the suggestion to require notification of 
an eligible entity prior to monitoring under Sec.  1.654, as we believe 
it is more appropriate for the accredited third-party certification 
body to decide based on the circumstances whether it should alert an 
eligible entity it has certified that monitoring is necessary or 
conduct unannounced monitoring activities. An accredited third-party 
certification body may choose to notify an eligible entity before 
conducting monitoring activities that are unrelated to the eligible 
entity's annual audit for recertification purposes, which must be 
conducted on an unannounced basis pursuant to Sec.  1.651(c)(1).

F. How must an accredited third-party certification body monitor its 
own performance? (Sec.  1.655)

    Proposed Sec.  1.655 would require an accredited third-party 
certification body to conduct self-assessments annually and in the case 
of revocation of the recognition of its accreditation body and prepare 
a report of the results of each self-assessment.
    On our own initiative, we are revising Sec.  1.655(a)(1) to clarify 
that as part of the self-assessment, an accredited third-party 
certification body must evaluate the performance of its audit agents in 
examining facilities, process(es), and food using the applicable food 
safety requirements of the FD&C Act and FDA regulations, which will 
conform with other changes being made to the final rule.
    (Comment 127) Some comments support the proposal to require 
accredited third-party certification bodies to conduct self-
assessments. Other comments recommend that FDA should be more explicit 
in the requirements for self-assessments.
    (Response 127) We decline the suggestion to be more explicit in the 
requirements for self-assessments, as the requirements in Sec.  1.655 
include sufficient details for conducting self-assessments. Comments 
did not provide adequate justification for adding

[[Page 74618]]

additional elements to the self-assessment.
    (Comment 128) Some comments request that accredited governmental 
certification bodies be allowed to conduct self-assessments at a 
frequency different than other accredited third-party certification 
bodies.
    (Response 128) We decline to create different timeframes for self-
assessments for governmental versus private certifications bodies. As 
explained in Response 39, Sec.  1.655 is part of a set of proposed 
monitoring and self-assessment requirements intended to work together 
in helping to ensure that the recognized accreditation bodies and 
accredited third-party certification bodies maintain compliance with 
the rule's requirements. The certification body self-assessment in 
Sec.  1.655 is intended to serve, in part, as information for use in 
the annual accreditation body monitoring in Sec.  1.621, the results of 
which we intend the accreditation body to use in its annual self-
assessment under Sec.  1.622. This system of assessments takes place on 
an annual basis and is an essential part of the program's safety net. 
Allowing different timeframes for assessments by different participants 
would undermine the credibility of the program and create undue 
administrative complexity. We believe this section will be far less 
burdensome in practice than some of the commenters may have 
anticipated. We note that to address general concerns about the burden 
of these requirements, similar to other sections of the final rule, FDA 
is adding a new Sec.  1.655(e) to allow an accredited third-party 
certification body to use documentation of its conformance to ISO/IEC 
17021:2011 or ISO/IEC 17065:2012, supplemented as necessary, to meet 
the requirements of this section.
    (Comment 129) Some comments assert that accredited third-party 
certification bodies should not be required to be prepare self-
assessment reports in English under proposed Sec.  1.655(d).
    (Response 129) In response to comments and consistent with 
revisions made elsewhere in the final rule, we are removing the English 
language requirement in Sec.  1.655(d) for self-assessment reports 
prepared by third-party certification bodies accredited by a recognized 
accreditation body. However, we are now including a requirement in 
Sec.  1.656(b) of submission in English for self-assessment reports 
prepared by third-party certification bodies directly accredited by FDA 
and self-assessments submitted to FDA as a result of an FDA request for 
cause or due to the termination of an accreditation body's recognition 
due to denial of renewal, revocation, or relinquishment/failure to 
renew under Sec.  1.631(f)(1)(i), 1.634(d)(1)(i), or 1.635(c)(1)(i), 
respectively.

G. What reports and notifications must an accredited third-party 
certification body submit? (Sec.  1.656)

    Proposed Sec.  1.656 would establish requirements for various 
reports and notifications that accredited third-party certification 
bodies would have to submit to FDA and, as appropriate, recognized 
accreditation bodies. Proposed Sec.  1.656(a) would establish the 
requirements for submission of regulatory audit reports, and proposed 
Sec.  1.656(b) would establish the requirements for submission of 
reports of accredited third-party certification body self-assessments.
    Proposed Sec.  1.656(c) would require an accredited third-party 
certification body to immediately notify us, in English, of a condition 
that could cause or contribute to a serious risk to the public health 
(notifiable condition) that the certification body (or its audit agent) 
discovered while conducting a regulatory or consultative audit of an 
eligible entity. In the preamble discussion of proposed Sec.  1.656(c) 
(78 FR 45782 at 45815), we solicited examples of conditions that might 
and might not meet the standard in section 808(c)(4)(A) of the FD&C Act 
for notifying FDA. We asked for input on whether the FDA Class I and 
Class II recall standards, taken together, might adequately address any 
condition covered by section 808(c)(4)(A) of the FD&C Act.
    Proposed Sec.  1.656(d) would require an accredited third-party 
certification body to immediately notify us electronically, in English, 
upon withdrawing or suspending the food or facility certification of an 
eligible entity. Proposed Sec.  1.656(e)(1) would require an accredited 
third-party certification body that notified FDA under proposed Sec.  
1.656(c) also to notify the eligible entity where the condition was 
discovered. Proposed Sec.  1.656(e)(2) would require the accredited 
third-party certification body to notify its accreditation body (or, in 
the case of direct accreditation, to us) electronically, in English, 
within 30 days after making any significant change that may affect its 
compliance with the requirements of Sec. Sec.  1.640 through 1.658.
    On our own initiative we are revising Sec.  1.656(c)(1) and (2) to 
clarify if a condition that could cause or contribute to a serious 
public risk to the public health is discovered, that in addition to the 
name of the eligible entity and/or facility, an accredited third-party 
certification body must also provide the physical address, unique 
facility identifier (if designated by FDA), and the registration number 
under subpart H of this part (where applicable).
    (Comment 130) Some comments support proposed Sec.  1.656(a), which 
would require submission of regulatory audit reports to FDA, but would 
not require reports of consultative audits to be submitted. Other 
comments interpret the proposed rule as requiring submission of 
consultative audit reports to FDA and the reporting of laboratory 
analytical results under section 422 of the FD&C Act.
    (Response 130) Under section 808(c)(3)(A) of the FD&C Act, an 
accredited third-party certification body or an audit agent of a third-
party certification body, where applicable, ``shall prepare, and, in 
the case of a regulatory audit, submit, the audit report for each audit 
conducted . . .'' Based on the statutory language, it is clear that 
Congress only desired reports of regulatory audits to be submitted to 
FDA. We also note that section 808(c)(3)(C) of the FD&C Act limits the 
ability for FDA to access the results of consultative audits to 
circumstances described in the records access standard of section 414 
of the FD&C Act. Some comments incorrectly interpreted the proposed 
rule to require the submission of the certification bodies' laboratory 
records and results. We are only requiring maintenance of such records 
and results under Sec.  1.658.
    (Comment 131) Some comments contend that we are interpreting the 
notification standard in section 808(c)(4)(A) of the FD&C Act too 
broadly, because the statute only requires accredited third-party 
certification bodies to notify FDA of notifiable conditions discovered 
during a regulatory audit. The comments assert that Congress did not 
intend us to require notification of conditions found during 
consultative audits, because those audits are for internal purposes; 
therefore, we should revise proposed Sec.  1.656(c) to remove the 
reference to a consultative audit. Other comments assert that 
notifications submitted for conditions found during a consultative 
audit could overwhelm FDA with data that could make it difficult to 
identify the most serious risks to public health. Still other comments 
support our proposal to require notification of conditions found during 
consultative and regulatory audits.
    Some comments describe a range of activities that generally may be 
referred to as consultative audits and suggest

[[Page 74619]]

that requiring notification to FDA of conditions found during these 
types of consultative audits may have unintended consequences. The 
comments note the important role of third-party audits (and 
consultative audits, in particular) in assisting the food industry 
identify and fix internal problems and drive continuous improvements. 
The comments suggest that requiring notification during consultative 
audits might create disincentives for firms who might otherwise use 
accredited third-party certification bodies to perform consultative 
audits and for third-party certification bodies who might otherwise be 
interested in participating in the program.
    (Response 131) We decline the suggestion to limit Sec.  1.656(c) to 
require notification only of conditions found during a regulatory 
audit, because section 808(c)(4)(A) and (B) of the FD&C Act require 
notification based on conditions found ``at any time during an audit'' 
and identifies ``audits'' as both consultative and regulatory audits.
    Although we decline to limit Sec.  1.656(c) as the comment suggests 
we believe that many of the concerns about notification during a 
consultative audit are mitigated by revisions that clarify the scope of 
the consultative audits that are, and are not, covered by the rule (see 
Sections III.E and III.J). Under the final rule, an accredited third-
party certification body would only be required to notify FDA of a 
condition that could cause or contribute to a serious risk to the 
public health if the condition was discovered during an audit that an 
eligible entity has specifically declared to be a regulatory audit for 
certification purposes or a consultative audit in preparation for a 
regulatory audit under this rule.
    (Comment 132) Several comments contend that ``serious risk to the 
public health'' has the same meaning as ``serious adverse health 
conditions or death to humans or animals'' (SAHCODHA) as that phrase is 
used throughout the FD&C Act. Specifically, the comments assert that 
FDA should only require accredited third-party certification bodies to 
notify FDA of conditions that pose a risk of SAHCODHA, as that standard 
is interpreted for purposes of the Reportable Food Registry (RFR) under 
section 417 of the FD&C Act (21 U.S.C. 350f).
    The comments reject our tentative conclusion that the range of 
conditions that require notification under section 808(c)(4)(A) of the 
FD&C Act is broader than SAHCODHA, because the statute describes 
notifiable conditions as ones that ``could'' cause or contribute to a 
serious risk to public health. In response to our request for input, 
the comments specifically reject an interpretation of ``serious risk to 
the public health'' that might include, for example, conditions that 
pose a risk of temporary or medically reversible adverse health 
consequences or where the probability of adverse health consequences is 
remote. Some comments suggest that accredited third-party certification 
bodies and audit agents would be more readily able to identify 
conditions that pose a SAHCODHA risk but would find it more difficult 
to identify other conditions that would need to be notified to FDA 
under proposed Sec.  1.656(c). Other comments support our tentative 
conclusion that a ``condition that could cause or contribute to a 
serious risk to the public health'' is broader than a condition 
relating to a SAHCODHA risk.
    (Response 132) We disagree with comments suggesting that the phrase 
``serious risk to public health'' in section 808(c)(4)(A) of the FD&C 
Act should be interpreted as a risk of SAHCODHA. We note that Congress 
chose to incorporate SAHCODHA in section 808(c)(6)(A) to describe 
outbreak situations that would lead to withdrawal of accreditation, but 
did not use SAHCODHA in describing the conditions that must be notified 
to FDA under section 808(c)(4)(A) of the FD&C Act. Additionally, 
Congress chose to incorporate SAHCODHA in other sections of FSMA, such 
as in provisions on suspension of registration in section 102(b) 
amending section 415 of the FD&C Act. In light of the foregoing, we 
believe that Congress intended for a ``serious risk to the public 
health'' to be distinct from a risk of SAHCODHA and, therefore, reject 
the suggestion that accredited third-party certification bodies would 
only need to notify FDA of conditions that pose a risk of SAHCODHA 
under proposed Sec.  1.656(c). We conclude that notifiable conditions 
include not only those that present a risk of SAHCODHA, but also other 
conditions that ``could cause or contribute to a serious risk to the 
public health.''
    Although it is difficult to predict the range of conditions or 
circumstances that accredited third-party certification bodies and 
audit agents might encounter, we offer some factors that may be useful 
in identifying whether a condition would need to be notified under 
Sec.  1.656(c), such as whether the condition relates to incoming 
ingredients that will be subject to control within the facility, or an 
area of the facility where pre-production materials are held; whether 
the condition relates to the post-processing environment or where 
finished product is held prior to distribution; and whether the 
condition relates to food, process(es), or areas of the facility 
associated with food that is destined for export to the United States, 
and not if it relates solely to food, process(es), or areas of the 
facility associated with food for consumption other than in the United 
States.
    (Comment 133) Some comments urge us to revise proposed Sec.  
1.656(c) to incorporate the limitations on reporting that apply to the 
RFR under section 417(d)(2) of the FD&C Act, such that notification 
would only be submitted if food adulterated as a result of the 
notifiable condition had left the control of the eligible entity. The 
comments assert it would be reasonable for FDA to interpret section 
808(c)(4)(A) of the FD&C Act such that an accredited third-party 
certification body would not need to alert FDA immediately upon 
discovering a notifiable condition if the eligible entity reworked 
adulterated product or destroyed it before the adulterated food was 
transferred to another person. Other comments suggest that proposed 
Sec.  1.656(c) is redundant because such conditions are subject to RFR 
reporting.
    (Response 133) We decline the suggestion to revise Sec.  1.656(c) 
to incorporate an exception similar to section 417(d) of the FD&C Act 
as there is no exception to the notification requirement in section 
808(c)(4) as there is in section 417(d). Further, we believe the 
notification requirement in section 808(c)(4) serves not only to inform 
FDA of potential risks to the public, but also enhances credibility of 
the program by giving FDA, accredited certification bodies, and 
recognized accreditation bodies information that may be relevant to our 
oversight of the food safety and third-party programs. We believe that 
given the statutory language and goals of the third-party certification 
program, it is appropriate for the notification requirement in this 
rule to have different requirements and exceptions than other 
notification provisions in the FD&C Act.
    As such, we also disagree with comments suggesting the obligation 
of a responsible party to submit a report to FDA through the RFR makes 
proposed Sec.  1.656(c) redundant. Among other things, RFR requirements 
only apply to facilities that are required to register with FDA under 
section 415 of the FD&C Act. An eligible entity that is a farm, for 
example, would not be subject to RFR requirements. Additionally, as 
discussed previously, the reporting

[[Page 74620]]

requirement under this rule contains no exception for circumstances 
when the food adulterated as a result of the notifiable condition has 
not left the control of the eligible entity. In light of the foregoing, 
we are retaining Sec.  1.656(c) without the revisions suggested by the 
comments.
    (Comment 134) Some comments urge us to revise proposed Sec.  
1.656(e)(1) to allow for concurrent notification of FDA and the 
eligible entity where the notifiable condition was discovered.
    (Response 134) We agree and are adding to Sec.  1.656(e)(1) a 
provision that allows, where feasible and reliable, for the accredited 
third-party certification body to contemporaneously notify its 
recognized accreditation body and/or the eligible entity when notifying 
FDA. We note that this provision does not affect the obligation for the 
accredited third-party certification body to notify FDA immediately of 
a notifiable condition under Sec.  1.656(c).

H. How must an accredited third-party certification body protect 
against conflicts of interest? (Sec.  1.657)

    Proposed Sec.  1.657 sets out the elements of a conflict of 
interest program that an accredited third-party certification body 
would be required to have. Proposed Sec.  1.657(a) would require the 
accredited third-party certification body to have a written program 
that covers the certification body itself and any of its officers, 
employees, or other agents (e.g., audit agents) conducting audits or 
certification activities under this program. Proposed Sec.  1.657(b) 
would address the requirement, in section 808(c)(5)(C) of the FD&C Act, 
to issue implementing regulations that include a structure to decrease 
the potential for conflicts of interest, including timing and public 
disclosure, for fees paid by eligible entities to accredited third-
party certification bodies. Proposed Sec.  1.657(c) would impute to an 
accredited third-party certification body's officer, employee, or other 
agent the financial interests of his or her spouse and minor children, 
if any. Proposed Sec.  1.657(d) would require an accredited third-party 
certification body to maintain on its Web site an up-to-date list of 
eligible entities to which it issued certifications under this subpart, 
the duration and scope of each such certifications, and the date on 
which the eligible entity paid any fee or reimbursement under proposed 
Sec.  1.657(c).
    On our own initiative, we are revising the accredited third-party 
certification body conflict of interest provisions in Sec.  1.657(a)(1) 
to clarify that the certification body, its officers, employees, and 
other agents involved in auditing and certification activities cannot 
own, operate, have a financial interest in, manage, or otherwise 
control an eligible entity to be certified. We also are redesignating 
proposed paragraphs (a)(2) to (4) as (a)(3) to (5) and adding a new 
paragraph (a)(2) to conform to section 808(c)(5)(A)(i) of the FD&C Act. 
Additionally, we are revising redesignated Sec.  1.657(a)(3) to add 
financial interests, management, or control to the proposed list of 
prohibited interests for audit agents.
    (Comment 135) Some comments support proposed Sec.  1.657, asserting 
that it strikes the right balance between ensuring rigorous protections 
against conflicts of interest and protection of trade secrets and 
confidential commercial information. Other comments oppose the third-
party certification program that is the subject of this rulemaking 
because private auditors are inherently conflicted and food safety 
inspections should be conducted only by FDA.
    Other comments suggest various additional conflict of interest 
restrictions that should be placed, such as requiring an individual 
audit agent or an individual accredited as a third-party certification 
body to divest of all interests in FDA-regulated food firms; 
prohibiting such individual from conducting a regulatory audit of an 
eligible entity where the individual previously conducted a 
consultative audit or where the individual was previously employed; and 
prohibiting the individual from accepting an offer of employment from 
an audited eligible entity for 1 year following an audit. Still other 
comments urge FDA to prohibit meals or beverages from being provided 
during an audit or to define the de minimis value of meals and 
beverages that may be provided onsite during an audit.
    (Response 135) We believe the accredited third-party certification 
program that Congress directed us to establish under section 808 of the 
FD&C Act will provide a valuable complement to FDA inspections and will 
allow us to leverage rigorous, independent third-party audits in 
helping to ensure the safety of the U.S. food supply. We disagree with 
comments contending that third-party certification programs are so 
inherently conflicted that such a program is not worthwhile.
    We believe the conflict of interest restrictions for accredited 
third-party certification bodies and for their audit agents that are 
established by section 808 of the FD&C Act for public and private 
third-party certification bodies, as implemented by this rule, provide 
the safeguards necessary for a credible third-party certification 
program. Accordingly, we decline suggestions to revise Sec.  1.657 to 
place additional conflict of interest limitations that would be 
impractical and unnecessary, such as requiring: (1) Requiring full 
divestment by audit agents of interests in any FDA-regulated food firm; 
(2) prohibiting an individual who conducted a consultative audit of an 
eligible entity from ever conducting a regulatory audit of the same 
eligible entity; (3) prohibiting an individual who audited an eligible 
entity from accepting an offer of employment from the eligible entity 
for 1 year following the audit; and (4) prohibiting an individual 
conducting an audit from accepting a beverage or a meal of de minimis 
value that is provided onsite during audit.
    We disagree with comments suggesting that by providing meals of a 
de minimis value, an eligible entity or facility might influence the 
outcome of an audit by an accredited third-party certification body, 
particularly if the only allowable meals are ones of minimal value that 
are provided during the course of an activity and with the purpose of 
facilitating timeliness and efficiency. As explained in Response 55, 
FDA follows a similar approach for investigators conducting foreign 
inspections--that is, FDA investigators performing foreign inspections 
are allowed to accept lunches (of little cost) provided by firms during 
the course of foreign inspections. We also note that the U.S. 
government allows its employees to accept meals, within per diem 
limits, when on official business in a foreign country, as an exception 
to the prohibition on the acceptance of gifts or gratuities from 
outside sources (5 CFR 2635.204(i)(1)), though we believe the FDA's 
practices for foreign inspections serve as a better model because 
foreign inspections are more analogous to foreign audits than are the 
range of activities that covered by the general requirements applicable 
to all U.S. government employees on official business in foreign 
countries. Accordingly, in light of the comments received and analogous 
FDA guidelines, we have concluded that it is reasonable and appropriate 
to limit the meal exception in Sec.  1.657(a)(4)(ii) to only lunches of 
de minimis value provided during the course of an audit, on site at the 
premises where the assessment is being conducted, and only if necessary 
to facilitate the efficient conduct of the audit. We believe these 
revisions help to address concerns regarding the threats to 
impartiality, while accommodating the practical considerations that 
apply to foreign audits.

[[Page 74621]]

    Consistent with our guidance to recognized accreditation bodies 
under Response 55, we offer the following additional input to 
accredited third-party bodies seeking guidance on the application of 
Sec.  1.657(a)(4)(ii). In considering whether a meal is allowable under 
this provision, we recommend first considering whether accepting the 
lunch is necessary to facilitate the efficient conduct of the audit. We 
recommend considering: (1) Whether the circumstances surrounding the 
travel would allow a lunch to be packed bring on site; (2) Whether the 
meal is being provided during the midday or early afternoon. A lunch 
provided in the midst of an audit is different than a lunch or other 
meal provided at the completion of the audit; (3) Whether the site of 
the audit is in close proximity to a retail food establishment, or is 
at a remote location far from a retail food establishment; (4) What is 
the estimated value (or cost) of the lunch in light of the costs 
associated with the area where the audit is being conducted; and (5) 
other similar considerations.
    For accredited third-party certification bodies or audit agents 
seeking additional guidance on determining what constitutes a ``de 
minimis'' amount for purposes of complying with Sec.  1.624(a)(3)(ii), 
we offer the following guidance that is based on the requirements 
applicable to U.S. government employees who accept certain meals while 
on official travel in foreign countries. Such employees must deduct 
from the per diem the value of that meal, calculated using a two-step 
process.
    First, the individual must determine the per diem applicable to the 
foreign area where the meal was provided, as specified in the U.S. 
Department of State's Maximum Per Diem Allowances for Foreign Areas, 
Per Diem Supplement Section 925 to the Standardized Regulations (GC,FA) 
available from the Superintendent of Documents, U.S. Government 
Printing Office, Washington, DC 20402, and available on the Department 
of State Web site at https://aoprals.state.gov/Web920/per_diem.asp. 
(Foreign per diem rates are established monthly by the Department of 
State's Office of Allowances as maximum U.S. dollar rates for 
reimbursement of U.S. Government civilians traveling on official 
business in foreign areas.)
    Second, the individual must determine the appropriate allocation 
for the meal within the daily per diem rate which is broken down into 
Lodging and M&IE that are reported separately in Appendix B of the 
Federal Travel Regulation and available on the Department of State's 
Web site at https://aoprals.state.gov/content.asp?content_id=114&menu_id=78.
    Accordingly, under Sec.  1.657(a)(4)(ii), an accredited third-party 
certification body that is an individual or an audit agent of an 
accredited third-party certification body who is conducting a food 
safety audit of an eligible entity may accept lunch provided during an 
audit and on the premises where the audit is conducted, if necessary to 
facilitate the efficient conduct of the audit.
    (Comment 136) Some comments raise concerns about possible conflicts 
of interests. Some comments urge us to attach additional controls to 
the accreditation of foreign cooperatives to prevent them from auditing 
and certifying their members' facilities and food. Other comments 
recommend we further consider the difficulties involved with foreign 
governments demonstrating impartiality of their processes in auditing 
and certifying facilities owned by the foreign government.
    (Response 136) We note that under proposed Sec.  1.657, foreign 
cooperatives accredited as third-party certification bodies would not 
be able to audit or certify their members' facilities or foods under 
the program, because of their shared financial interests.
    We decline the suggestion to develop special sets of controls for 
one or more types of third-party certification bodies eligible to be 
considered for accreditation under section 808 of the FD&C Act. We note 
that the conflict of interest requirements in section 808(c)(5) of the 
FD&C Act apply equally to the foreign governments, agencies of foreign 
governments, foreign cooperatives, and other third-parties. That is, a 
foreign government accreditation body that is recognized by FDA under 
this program may accredit government auditors (i.e., the competent 
authority for food safety) from the same nation, provided that the 
conflict of interest requirements in Sec.  1.657 are met. Consistent 
with the approach taken in the statute, we believe that this 
comprehensive, rigorous set of conflict of interest requirements make 
it unnecessary for us to create a different or special controls for 
certain types of certification bodies.
    (Comment 137) Some comments support the proposal to require 
accredited third-party certification bodies to maintain up-to-date 
lists of eligible entities to which food or facility certification were 
issued, together with the duration and scope of each such 
certification. The comments suggest that having this information 
readily available would be helpful to importers seeking to participate 
in VQIP and those seeking to import food that is subject to import 
certification under section 801(q) of the FD&C Act.
    Other comments suggest that requiring an accredited third-party 
certification body to maintain a list of certified eligible entities on 
its Web site, together with the dates each eligible entity paid 
certification fees, could create an unfair competition. The comments 
contend that the statute does not require disclosure of the date of 
payment of fees and seek clarification on the basis for disclosing the 
timing of fee payments. Other comments suggest that information on 
payment of fees should remain confidential between the accredited 
third-party certification body and the eligible entities it audited and 
suggest the information could be made available to FDA on request. 
Still other comments contend that FDA should only have access to 
information on fee payments by eligible entities upon a showing of 
cause.
    (Response 137) We agree with comments suggesting that Web site 
listings of eligible entities to which food or facility certification 
were issued will be helpful to importers. We disagree that such 
information would create unfair competition, and the comment did not 
provide an explanation as to why this would be the case. To the 
contrary, publicizing this information will increase transparency and 
accountability of the program. We are not proposing to require 
disclosure of the amount of fees paid by eligible entities, because we 
are concerned that publicizing the amounts of fee payments may lead to 
certification bodies using this information to gain a competitive 
advantage by offering audits at discount rates. However, we believe 
proposed Sec.  1.657(c) meets the requirement of section 
808(c)(5)(C)(ii) of the FD&C Act to provide information on the timing 
of fee payments and will help build confidence in the third-party 
certification program by providing assurances that payments are not 
related to the results of regulatory audits. We decline to adopt the 
alternative approach suggested by comments--i.e., such information 
should be disclosed to FDA only when needed to investigate problems if 
they occur, and publicly released only if disclosure would improve 
public health--as inadequate to satisfy the requirements of section 
808(c)(5)(C)(ii) of the FD&C Act. In light of the foregoing, we are 
retaining Sec.  1.657(c), redesignated as Sec.  1.657(d), as proposed.

[[Page 74622]]

I. What records requirements must a third-party certification body that 
has been accredited meet? (Sec.  1.658)

    Proposed Sec.  1.658 would require accredited third-party 
certification bodies to maintain the following documents and data 
electronically, in English, for 4 years, to document compliance with 
the rule: (1) Requests for regulatory audits; (2) audit reports and 
other documents resulting from a consultative or regulatory audit; (3) 
any notification of a condition under proposed Sec.  1.650(a)(5) or by 
the accredited third-party certification body to FDA under proposed 
Sec.  1.656(c); (4) any food or facility certification issued under 
this program; (5) any challenge to an adverse regulatory audit decision 
and its disposition; (6) any monitoring it conducted of a certified 
eligible entity; (7) the auditor's/certification body's self-
assessments and corrective actions; and (8) any significant change to 
the auditing and certification program that might affect compliance 
with this rule.
    On our own initiative, we are requiring under Sec.  1.658(a)(3) the 
maintenance of any laboratory testing records and results and 
documentation demonstrating that such laboratory is accredited in 
accordance with Sec.  1.651(b)(3).
    (Comment 138) Some comments recommend that we allow accredited 
third-party certification bodies to maintain their records in languages 
other than English, coupled with a requirement to provide an English 
language translation upon FDA request. Some comments suggest that we 
should allow for flexibility in the timeline for submission of 
translated records in the regulations, rather than establishing a 
specific deadline, because the circumstances of each records request 
will dictate what would be appropriate--e.g., where there is a recall 
involving a certified facility, then the timeframe for providing 
translations should be very stringent, but where records are requested 
for routine verification purposes, the accredited third-party 
certification body should have more time to comply. Other comments note 
that a minimum of 5 business days would be required for English 
language translations of records.
    (Response 138) We agree that records should not be required to be 
maintained in English, for the same reasons as we explained in Response 
64 (regarding the records of recognized accreditation bodies) and are 
revising Sec.  1.658 accordingly. We further agree with comments 
suggesting that we should have a flexible, rather than a fixed timeline 
for providing English language translations of requested records to FDA 
and are requiring translations to be provided within a reasonable time 
after an FDA request.
    (Comment 139) Some comments urge us ensure that Sec.  1.658 fully 
incorporates the limitation on access to reports and documents relating 
to consultative audits in section 808(c)(3)(C) of the FD&C Act.
    (Response 139) Section 808(c)(3)(C) of the FD&C Act states that 
reports or other documents resulting from a consultative audit are 
accessible to us only under circumstances that meet the requirements 
for records access under section 414 of the FD&C Act. Proposed Sec.  
1.658(a)(1) utilizes the language of section 808(c)(3)(C) of the FD&C 
Act in describing the types of records of consultative audits that an 
accredited third-party certification body must maintain, and proposed 
Sec.  1.658(b) states that those records must be made available to FDA 
in accordance with 21 CFR part 1, subpart J, which implements section 
414 of the FD&C Act. Therefore, the requirements in Sec.  1.658 do 
fully incorporate the limitation on access to reports and documents 
relating to consultative audits as specified in section 808(c)(3)(C) of 
the FD&C Act.
    (Comment 140) Some comments urge us to ensure that trade secrets 
and confidential commercial information contained in any records 
submitted to FDA would be adequately protected. The comments note that 
the proposed rule does not contain language on the protection of trade 
secrets, such as the language in 21 CFR parts 120 and 123 indicating 
that HACCP plans are trade secrets exempt from disclosure. Other 
comments suggest that FDA should consider examining accredited third-
party certification body records without taking custody of them. The 
comments further suggest that FDA should establish an administrative 
process for requesting records from accredited third-party 
certification bodies participating in the program.
    Some comments urge us to clarify that we will not be applying the 
records access and submission requirements of subpart M to audits that 
are not conducted under the rule or to records of the audited food 
facilities.
    (Response 140) We acknowledge concerns about protecting proprietary 
information and are adding Sec.  1.695 to address disclosure issues 
(see Section XIII.F).
    We decline the suggestion to review records of accredited third-
party certification bodies without taking custody of the records, 
because such an approach would be inconsistent with the records 
provisions in section 808(c)(3)(B) of the FD&C Act and would undermine 
the credibility of the program. We also decline the suggestion to 
establish separate administrative processes for handling records 
requests that might include, for example, procedures for challenges to 
records requests and appealing adverse decisions on records requests. 
Establishing and administering a process for FDA records requests would 
hinder our program oversight and would be overly burdensome. We note 
that in this rulemaking, FDA has established a number of mechanisms to 
address challenges to FDA's decisions, including Sec.  1.691 (for 
requests for reconsideration of the denial of an application of waiver 
request); Sec.  1.692 (for internal agency review of the denial of an 
application or waiver request upon reconsideration); and Sec.  1.693 
(for regulatory hearings on withdrawal of accreditation).
    We recommend third-party certification bodies to fully consider the 
program requirements before deciding to pursue recognition under the 
voluntary third-party certification program. Once accredited a 
certification body may voluntarily relinquish its accreditation under 
Sec.  1.665.
    We note that the records maintenance and access requirements of 
subpart M apply only to records relating to an accreditation of a 
third-party certification body under this rule and to the audits and 
certification activities conducted under this program. Records of 
audits or certifications issued by an accredited third-party 
certification body for any other purpose outside of the scope of the 
program under subpart M are not covered by Sec.  1.658. We also note 
that the rule does not affect the records maintenance and access 
requirements that apply to facilities under subpart J of this part.

X. Comments on Procedures for Accreditation of Third-Party 
Certification Bodies Under This Subpart

A. Where do I apply for accreditation or renewal of accreditation by a 
recognized accreditation body and what happens once the recognized 
accreditation body decides on my application? (Sec.  1.660)

    Proposed Sec.  1.660 states that auditors/certification bodies must 
apply directly to a recognized accreditation body for accreditation 
(except for circumstances meeting the requirements of Sec.  1.670 for 
direct accreditation).
    On our own initiative, we are adding new provisions (b) through (d) 
to Sec.  1.660 to explain what happens when a third-party certification 
body's renewal

[[Page 74623]]

application is denied. We are adding provisions to clarify what the 
applicant must do, the effect of denial of an application for renewal 
of accreditation on food or facility certifications issued to eligible 
entities, and how FDA will notify the public.
    (Comment 141) Some comments propose that we include a time limit 
for recognized accreditation bodies to issue an accreditation decision. 
They argue a time limit would set measurable standards for the process 
and would also help ensure an adequate supply of accredited auditors/
certification bodies. Comments suggest the timeframe be 90 days. Some 
comments suggest the timeframe could be stipulated in the Model 
Accreditation Standards.
    (Response 141) We acknowledge the interest in having timely 
accreditation decisions. However, the comments failed to provide an 
adequate basis to support a decision to impose a 90-day deadline for 
decisions on accreditation. No other information available to FDA 
provides an adequate basis for us to establish such a deadline, nor do 
we think it would be appropriate to do so at this time. We expect that 
the time required to perform various actions in the program will be 
longer in the early days of the program than it will when FDA, the 
accreditation bodies, and the third-party certification bodies gain 
experience with the program.
    We decline to revise these regulations to impose a deadline for 
accreditation decisions, but may consider addressing the issue of 
deadlines for accreditation decisions in guidance, if we later 
determine it would be appropriate. We are mindful that section 
808(c)(1)(C) of the FD&C Act requires revocation of recognition for 
failure to comply with the applicable requirements of the FD&C Act and 
FDA regulations. We would not want an accreditation body to take 
shortcuts in accreditation assessments to ensure that it could meet a 
regulatory deadline for its accreditation decisions out of concern for 
revocation for failure to comply with the deadline. The final rule 
reflects our view that the rigor of the accreditation assessment is 
essential in helping to ensure the credibility and success of the 
third-party certification program.
    (Comment 142) Some comments ask whether the processes for 
accreditation are the same for governmental and private bodies.
    (Response 142) Section 808(c)(1)(A) and (B) of the FD&C Act 
establishes different requirements for public certification bodies and 
for private certification bodies by specifying different criteria for 
the assessment of foreign governments/agencies than it does for foreign 
cooperatives and other private third-party certification bodies seeking 
accreditation. However, the statute makes no distinction between public 
and private certification bodies in procedural matters for 
accreditation. Therefore, we are establishing a single set of 
accreditation procedures in this rule that apply to both public and 
private third-party certification bodies.
    (Comment 143) Some comments ask how a third-party certification 
body could apply for accreditation under this program.
    (Response 143) Third-party certification bodies seeking to apply 
for accreditation under our program may wish to review Sec.  1.660 of 
this final rule, which describes the general procedures for applying 
for accreditation from a recognized accreditation body, as well as the 
eligibility requirements for certification bodies seeking accreditation 
in Sec. Sec.  1.640 through 1.645. We will post on the FDA Web site a 
list of all recognized accreditation bodies and will include a 
description of the scope of recognition of each.
    As provided in Sec.  1.670(a)(3), FDA will announce on our Web site 
if we determine that the conditions for direct accreditation by FDA in 
section 808(b)(1)(A)(ii) of the FD&C Act have been met. We will accept 
applications for direct accreditation or renewal of direct 
accreditation only if we determine that we have not identified and 
recognized an accreditation body to meet the requirements of section 
808 of the FD&C Act within 2 years after establishing the program. 
Unless and until FDA makes such a determination, third-party 
certification bodies must apply for accreditation from an accreditation 
body that FDA has recognized.
    (Comment 144) Some comments suggest that third-party certification 
bodies who receive an adverse decision on accreditation from a 
recognized accreditation body should have access to a competent, 
independent person outside the recognized accreditation body to whom 
they could appeal.
    Other comments contend that we have the authority to challenge the 
decisions of an accreditation body.
    (Response 144) As explained in Response 36, we are revising Sec.  
1.620(d)(2) to require a recognized accreditation body must use 
competent persons, who may be external to the accreditation body, for 
investigating and deciding on certification body challenges to an 
adverse accreditation body decision. Such competent persons must meet 
the following criteria: (1) Are free from bias or prejudice; (2) did 
not participate in the accreditation decision being appealed; and (3) 
are not subordinate to a person who participated in such accreditation 
decision. Although we are not requiring the accreditation body to use 
an external party for certification body appeals, we believe the 
enhanced requirements of Sec.  1.620(d)(2) will be adequate to ensure 
any person the accreditation body would select for investigating and 
deciding on appeals--whether internal or external--would be objective 
and independent.
    With respect to comments suggesting that we should exercise our 
authority over recognized accreditation bodies to challenge their 
accreditation decisions, we note that the enhanced requirements in 
Sec.  1.620(d) align with the impartiality provisions in part 16, which 
contains the regulations for FDA regulatory hearings that we will 
generally apply under Sec.  1.693 to an appeal of a revocation or 
withdrawal. We also note that FDA retains the authority to revoke the 
recognition of accreditation bodies for good cause under Sec.  
1.634(a)(4) for failure to comply with this rule. For these reasons, we 
decline to establish a process appealing recognized accreditation body 
decisions to FDA.

B. What is the duration of accreditation by a recognized accreditation 
body? (Sec.  1.661)

    Proposed Sec.  1.661 states that the accreditation of a third-party 
certification body may be granted for a period up to 4 years.
    (Comment 145) Most comments agree with our proposed maximum 4-year 
accreditation timeframe. In this regard, some comments state they are 
comfortable with this length of time as long as accreditation bodies 
annually review the accreditation. Some comments contend that instead 
of allowing accreditation to last ``up to 4 years,'' we should 
establish a definite duration period and it should be 5 years. These 
comments contend that would align the duration of accreditation with 
the duration of recognition. They also argue that having a definite 
duration period would be more viable administratively.
    (Response 145) We agree with the comments supporting our proposal 
to allow accreditation to be issued for a term of up to 4 years. The 
comments suggesting accreditation should be granted for 5 years offered 
no information that would provide an adequate basis for extending 
accreditation such that a third-party certification body could be 
accredited for as long as a recognized accreditation body. We note that 
the rigor and credibility of the program rests, in part,

[[Page 74624]]

on the extent of oversight of accredited third-party certification 
bodies. Through the renewal process, recognized accreditation bodies 
(and FDA, for directly accredited third-party certification bodies) 
look closely at all aspects of a certification body's and performance 
and have the opportunity to decide anew whether the certification body 
meets the eligibility requirements.
    With respect to comments suggesting that we establish a definite 
duration of accreditation that would apply to any third-party 
certification body accredited under the program, we acknowledge the 
advantages that certainty provides and, where appropriate, we expect 
that recognized accreditation bodies will issue accreditation for the 
maximum duration of 4 years. Where, for example, a certification body 
has little or no experience conducting audits assessing the safety of 
food, a recognized accreditation body (or FDA under direct 
accreditation) may decide the initial grant of accreditation should be 
less than 4 years. A recognized accreditation body (or FDA under direct 
accreditation) will make its own decision on whether to approve a 
third-party's application for accreditation and has the flexibility to 
issue accreditation for a duration it believes appropriate, up to a 4-
year maximum established by this rule.

C. How will FDA monitor accredited third-party certification bodies? 
(Sec.  1.662)

    We proposed in Sec.  1.662 to monitor directly accredited 
certification bodies annually; we proposed to evaluate certification 
bodies accredited by a recognized accreditation body by not later than 
3 years after the date of accreditation for a 4-year accreditation term 
or by no later than the mid-term point of a less-than-4-year 
accreditation term. We proposed to review a variety of records and 
information such as assessments by a recognized accreditation body, 
information regarding the auditor's/certification body's 
qualifications, and information obtained during onsite observations. We 
proposed to conduct our evaluation through onsite observations of 
performance during a food safety audit of an eligible entity or through 
document review.
    (Comment 146) Some comments advocate for more clarity on the 
frequency and methods by which we'll be providing oversight of 
accredited third-party certification bodies. Some comments question 
whether we have sufficient resources to conduct onsite observation at 
any specific frequency. They advise that we further explain how we are 
going to provide oversight and how compliance will be reported.
    (Response 146) Monitoring assessments of accredited third-party 
certification bodies are one of several tools we will use for program 
oversight. Section 1.662(a) implements section 808(f) of the FD&C Act, 
which states that FDA must evaluate an accredited third-party 
certification body periodically, or at least once every 4 years, and 
take any other measures FDA deems necessary to ensure compliance. We 
anticipate that information gleaned from other monitoring tools, such 
as the accreditation body's annual assessment of the certification 
body, will also aid in program oversight and may perform additional 
assessments of certification bodies in certain instances.
    The objective of an assessment under Sec.  1.662 will be to 
determine the accredited third-party certification body's compliance 
with the requirements of this rule. FDA may conduct an assessment 
through a site visit of the third-party certification body's 
headquarters, onsite observation of an accredited third-party body's 
performance during a food safety audit, document review, or a 
combination of these activities. We will develop plans for assessing 
accredited third-party certification bodies based on risk and informed 
by data and other information available to FDA regarding their programs 
and performance in our program. The starting point for each assessment 
will be document review, and any additional assessment activities 
(e.g., site visits or onsite observations) will be conducted where 
circumstances may warrant or for spot-checks of randomly selected 
third-party certification bodies. When planning an assessment, we will 
establish the time period of activities covered by the assessment. We 
may request records of the certification body under Sec.  1.658. We 
also may develop plans for any site visits or onsite observations, 
including locations to be visited. As part of the assessment, we may 
review records relating to conflicts of interest, and interview 
officers, employees, and audit agents, and other agents who participate 
in decisions on issuance of certification under this program. We are 
revising this section to explicitly state that FDA may visit the 
certification body's headquarters or other locations where audit agents 
are managed.
    (Comment 147) Some comments propose alternative schedules for FDA 
monitoring of accredited third-party certification bodies. Some 
comments propose that if we revise the final rule to establish a fixed, 
5-year duration for accreditation, we should monitor accredited third-
party certification bodies not later than 4 years after the date of 
accreditation. Other comments state that we should conduct our own 
assessments of certification bodies accredited by recognized 
accreditation bodies every 3 years. Still other comments ask who will 
cover the costs of such assessments.
    (Response 147) As explained in Response 145, we decline the 
suggestion to lengthen the maximum duration of accreditation from 4 
years to 5 years. We will use annual performance assessments by 
recognized accreditation bodies and information submitted to FDA as 
part of our ongoing monitoring of accredited third-party certification 
bodies. The FDA monitoring assessment under Sec.  1.662 will occur at 
least once every 4 years and may occur more frequently depending on 
circumstances, including available resources. We are proposing that 
costs for FDA monitoring will be included in the user fees that are 
assessed under section 808(c)(8) of the FD&C Act to recover FDA's costs 
in administering the program (80 FR 43987).
    (Comment 148) Some comments propose that FDA monitoring of 
accredited third-party certification bodies should periodically focus 
on compliance with food additive requirements.
    (Response 148) Our monitoring will be tailored to the scope of 
accreditation under which the accredited third-party certification body 
may conduct food safety audits under this program. We will prioritize 
our monitoring activities to ensure compliance with the requirements of 
section 808(f)(2) based on factors such as our risk-based program 
priorities.
    (Comment 149) Some comments suggest that, in addition to conducting 
onsite observations of accredited certification bodies when conducting 
a food safety audits, we could also do so when the recognized 
accreditation body assesses the auditor/certification body.
    (Response 149) We agree and will do so as appropriate and as 
circumstances allow.
    (Comment 150) Comments suggest that when FDA selects an accredited 
certification body for onsite observation, we should notify it 2 months 
in advance, to allow time to make the arrangements.
    (Response 150) At this time, we have no basis for determining that 
we would be able to provide 2 months' notice prior to each 
certification body onsite observation; therefore, we decline the 
suggestion. We note that we may begin working with an accredited third-
party

[[Page 74625]]

certification body well before we perform onsite observations, as 
feasible.

D. How do I request an FDA waiver or waiver extension for the 13-month 
limit for audit agents conducting regulatory audits? (Sec.  1.663)

    Proposed Sec.  1.663 would allow accredited third-party 
certification bodies to seek an FDA waiver of the limit on audit agents 
conducting regulatory audits of an eligible entity where they conducted 
a regulatory or consultative audit in the preceding 13 months. Under 
section 808(c)(4)(C)(ii) of the FD&C Act, we may waive the limit, which 
appears in Sec.  1.650(c), where there is insufficient access to 
accredited certification bodies in the country or region where an 
eligible entity is located.
    Of our own initiative, we are clarifying in the final rule that the 
showing of insufficient access is based on lack of audit agents (or in 
case where accredited third-party certification bodies are comprised of 
an individual, that individual), consistent with changes made to Sec.  
1.650 (see Section IX.A).
    (Comment 151) Some comments note that capacity issues are currently 
problematic, even in regions with highly developed third-party food 
safety auditing systems, and are likely to increase once the FSMA rules 
are implemented. Some comments contend that we should allow the request 
for the waiver to come from other affected parties in addition to 
accredited certification bodies. In particular, comments suggest we 
should allow the requests to come from a foreign supplier and/or the 
importer. Some comments estimate that, with the increased demand from 
FSMA for audit services, it will take time for capacity to expand 
sufficiently to satisfy the increased demand. Accordingly, they urge us 
to act expeditiously on waiver and waiver extension requests. Other 
comments express concern that FDA will be overwhelmed with waiver 
requests and urge FDA to develop a process for expedited issuance of 
waivers.
    (Response 151) We acknowledge the concerns and are aware capacity 
is an issue the food industry and certification bodies currently face. 
However, we decline the suggestion to allow importers and foreign 
suppliers to seek waivers on behalf of an accredited certification 
body, because we believe the certification body is better positioned to 
determine its own capacity than an importer or foreign supplier would 
be. Further, it would ultimately be the certification body's choice 
regarding whether to take on additional auditing work. If an accredited 
third-party certification body concluded it needed a waiver to be able 
to perform a particular audit, the certification body would be 
motivated to seek a waiver.
    We agree with the comments suggesting it will take time to build 
adequate food safety auditing capacity around the world and will be 
prepared to act on waiver requests as expeditiously as possible. It is 
difficult to estimate the amount of the time required to process waiver 
requests, because the program has not launched. We anticipate that we 
will be able to process most waiver requests within 15 business days, 
as permitted by resources and other program activities. In response to 
comments suggesting that we should prioritize certain types of waiver 
requests, we have modified the first-in, first-out rule of Sec.  
1.663(d) to allow specific waiver requests to be prioritized based on 
program needs.
    We also note that as we gain experience with the program and with 
information offered in support of waiver requests, we expect to be able 
to process waiver requests more quickly and may reevaluate whether FDA 
has adequate information to support issuance of a waiver for a 
particular country or region.

E. When would FDA withdraw accreditation? (Sec.  1.664)

    Proposed Sec.  1.664 would establish the conditions under which we 
could withdraw accreditation from a third-party certification body, 
regardless of whether it was directly accredited or accredited by a 
recognized accreditation body. This section would implement section 
808(c)(6)(A) of the FD&C Act, which requires us to withdraw 
accreditation in certain outbreak situations, whenever we find that an 
accredited third-party certification body is no longer meeting the 
requirements for accreditation, or following a refusal to allow U.S. 
officials to conduct audits and investigations to ensure compliance 
with these requirements. The statute directs us to withdraw 
accreditation if a food or facility certified by an accredited third-
party certification body under our program is linked to an outbreak of 
foodborne illness that has a reasonable probability of causing serious 
adverse health consequences or death in human or animals. There is an 
exception if we conduct an investigation of the material facts of the 
outbreak, review the steps and actions taken by the third-party 
certification body, and determine that the accredited third-party 
certification body satisfied the requirements for issuance of 
certification under this rule.
    Section 808(c)(6)(B) of the FD&C Act allows us to withdraw 
accreditation from an accredited third-party certification body whose 
accrediting body had its recognition revoked, if we determine there is 
good cause for withdrawal. This statutory provision is reflected in 
proposed Sec.  1.664(c), which also provides two examples of 
circumstances we believe provide good cause for withdrawal, including 
bias or lack of objectivity and performance calling into question the 
validity or reliability of its food safety audits and certifications.
    In proposed Sec.  1.664(d) we provide for records access when 
considering possible withdrawal of accreditation. In proposed Sec.  
1.664(e) we provide for notice of withdrawal of accreditation and 
describe the processes to challenge such withdrawal.
    Proposed Sec.  1.664(f) describes the effect of withdrawal on 
eligible entities. Proposed Sec.  1.664(g)(1) explains that FDA will 
notify the recognized accreditation body that accredited the third-
party certification body whose accreditation was withdrawn by FDA. 
Proposed Sec.  1.664(g)(2) explains that FDA may revoke recognition of 
an accreditation body whenever FDA determines there is good cause for 
revocation under proposed Sec.  1.634. Proposed Sec.  1.664(h) provides 
for public notice of withdrawal of accreditation on FDA's Web site.
    At our own initiative, we revised proposed Sec.  1.664(c) on 
discretionary withdrawal of accreditation to allow for partial 
withdrawal of accreditation. For example, if FDA reviews a self-
assessment submitted by an accredited third-party certification body 
following revocation of its accreditation body's recognition and 
determines the third-party certification body has failed to perform 
food safety audits consistent with this rule in some but not all areas 
for which it is accredited, FDA may partially withdraw the third-party 
certification body's accreditation as to those areas in which it has 
failed to comply with this rule.
    (Comment 152) Some comments contend that FDA's interpretation of 
the statutory mandatory withdrawal provisions in section 808(c)(6)(A) 
of the FD&C Act is overly strict. The comments focus specifically on 
mandatory withdrawal when an eligible entity that was issued 
certification by an accredited third-party certification body is linked 
to a foodborne illness outbreak that meets the SAHCODHA standard. The 
comments argue that one adverse event does not necessarily mean the

[[Page 74626]]

third-party certification body should lose its accreditation, 
emphasizing that a single certification body might conduct hundreds of 
audits in various regions of the world and in diverse product areas. 
The comments propose that we limit mandatory withdrawal following an 
SAHCODHA outbreak to the country, region, type of food product and 
process involved in the event.
    Some comments agree that, as described in proposed Sec.  1.664(f), 
certifications issued by a third-party certification body prior to 
withdrawal of its accreditation should remain in effect until they 
expire. Other comments assert that withdrawal of accreditation might 
result in unfairly revoking a significant number of certifications at 
tremendous cost, adversely affect other eligible entities that depend 
on the certification body and its certifications, and disrupt the 
marketplace. Still other comments request greater detail on the 
withdrawal procedures.
    (Response 152) We believe the concerns about mandatory withdrawal 
of accreditation in the outbreak situation described above or similar 
situations are satisfactorily in addressed in Sec.  1.664(b), codifying 
section 808(c)(6)(C) of the FD&C Act, which allows FDA to waive 
mandatory withdrawal if FDA investigates the material facts of the 
outbreak, reviews the steps and actions taken by the certification 
body, and determines that the certification body satisfied the criteria 
for issuance of certification under this subpart.
    Regarding the comments expressing concerns about the possible 
adverse effects of withdrawal of accreditation on certifications issued 
by the certification body to other eligible entities, we note that 
Sec.  1.664(f) states that certifications issued by an accredited 
third-party certification body prior to withdrawal of accreditation by 
FDA will remain in effect until they expire, except that FDA may refuse 
to consider a certification under sections 801(q) or 806 of the FD&C 
Act if FDA has reason to believe such certification is not valid or 
reliable.
    The comments seeking additional detail on our withdrawal procedures 
did not specify what areas of Sec.  1.664 required further explanation. 
We believe the procedures described in Sec.  1.664 offer sufficient 
detail for interested parties to understand the standards for 
withdrawal of accreditation by FDA and the processes involved.
    (Comment 153) Some comments suggest that a recognized accreditation 
body, not FDA, should withdraw accreditation from a certification body 
it accredited, except for certification bodies directly accredited by 
FDA. Other comments urge us to include a requirement, in Sec.  
1.634(a), for FDA to consult with the appropriate accreditation body 
before withdrawal of an accreditation it had issued. The comments argue 
that consultation would facilitate coordination with the recognized 
accreditation body and would complement Sec.  1.664(c), which addresses 
discretionary withdrawal of accreditation in the event we revoke our 
recognition of the accrediting accreditation body. Other comments 
recommend that we meet with the certification body's accrediting body 
when considering possible withdrawal of accreditation and that we allow 
for a formal appeal process.
    (Response 153) We disagree with the comment asserting that only 
accreditation bodies may withdraw accreditations of certification 
bodies they have accredited, as FDA is mandated under section 808(c)(6) 
of the FD&C Act to withdraw accreditation of a certification body under 
the conditions set forth in the section, subject to the waiver 
provision in 808(c)(6)(C). We note that a third-party certification 
body whose accreditation was withdrawn by FDA may appeal the action by 
requesting a regulatory hearing under Sec.  1.693. We further note that 
a recognized accreditation body has far broader authority to suspend, 
withdraw, reduce, or otherwise dispose of an accreditation it issued, 
than FDA does under section 808(c)(6) of the FD&C Act. Even in 
circumstances that meet the statutory criteria for withdrawal of 
accreditation, FDA believes it generally would not need to initiate 
withdrawal unless the recognized accreditation body failed to withdraw 
the certification body's accreditation in a timely manner.
    We agree that in some cases, consultation with a certification 
body's accrediting body before withdrawal could have advantages to FDA 
and the accreditation body, if circumstances allow. Decisions on 
whether to consult with the certification body's accrediting body prior 
to withdrawal will be made on a case-by-case basis. Consultation might 
not be appropriate if, for example, the facts that support withdrawal 
of the third-party certification body's accreditation also support 
revocation of the accreditation body's recognition.
    (Comment 154) Some comments ask how individual holders of food or 
facility certificates would be made aware of the withdrawal of 
accreditation of the third-party certification body that issued the 
certificate. Other comments recommended that FDA post on its Web site 
not only that fact that a certification body's accreditation has been 
withdrawn, but also the reason for the withdrawal.
    (Response 154) If we withdraw accreditation of any third-party 
certification body, whether accredited by a recognized accreditation 
body or by FDA through direct accreditation, we will post information 
regarding the withdrawal, including a description of the basis for the 
action, on the FDA Web site pursuant to Sec.  1.664(h). We do not 
intend to contact each eligible entity that was issued a certification 
by the third-party certification body because, as indicated in Response 
152, certifications issued to eligible entities prior to withdrawal of 
accreditation will remain in effect until they expire, except where FDA 
has reason to believe the certification is not valid or reliable and on 
that basis may refuse to consider the certification under sections 
801(q) or 806 of the FD&C Act.
    (Comment 155) Some comments recommend we use ISO\IEC 17011:2004 as 
the reference document for the requirements of this section.
    (Response 155) We decline the suggestion, because the grounds for 
withdrawal under section 808(c)(6) of the FD&C Act are much broader 
than those described in ISO/IEC 17011:2004 (Ref. 5). For example, under 
section 808(c)(6)(A)(i) and (C) of the FD&C Act FDA may withdraw 
accreditation of a certification body if a food or facility it 
certified under our program is linked to an outbreak of foodborne 
illness that has a reasonable probability of causing SAHCODHA, unless 
FDA determines the certification body satisfied the requirements for 
issuance of such certification. In such an outbreak situation, the 
statute contemplates that withdrawal of accreditation would occur after 
a single--albeit significant--failure by the certification body. By 
contrast ISO/IEC 17011:2004 allows for withdrawal of accreditation only 
when a certification body persistently fails to meet the requirements 
of accreditation or abide by the rules of accreditation.
    We note that by declining to revise Sec.  1.664 based on the 
comments, we are not suggesting that FDA will withdraw accreditation 
when the Agency identifies a single incident or mistake by a 
certification body, except where required by the statute. Any decision 
to withdraw accreditation will be based on the facts and circumstances 
of the situation and following due consideration by FDA.
    (Comment 156) Some comments state that in a case where FDA 
withdraws an accredited certification body, the accreditation body 
should make an investigation and analysis and submit the analysis 
result to FDA within 3

[[Page 74627]]

months after the analysis report has been established.
    (Response 156) We disagree. This rule does not require that the 
accreditation body make a full investigation and analysis and submit 
the analysis result to FDA within 3 months. Section 1.664(g) requires 
the accreditation body to perform a self-assessment and report the 
results of the self-assessment to FDA within 60 days. FDA may revoke 
the recognition of an accreditation body whenever FDA determines there 
is good cause for revocation of recognition under Sec.  1.634. These 
procedures will help ensure that accreditation bodies remain in 
compliance with the requirements of the third-party program.

F. What if I want to voluntarily relinquish accreditation or do not 
want to renew accreditation? (Sec.  1.665)

    Proposed Sec.  1.665 offers a mechanism for an accredited third-
party certification body to voluntarily relinquish its accreditation 
before it terminates by expiration.
    Although we received no adverse comments on this section, we 
received comments on other sections of the rule that led us to identify 
a gap in procedural requirements when an accredited certification body 
decides to allow its accreditation to expire without renewing it. At 
our own initiative, we are revising the voluntary relinquishment 
provisions in Sec.  1.665 to also address situations where a 
certification body decides it does not want to renew its accreditation 
once it expires.

G. How do I request reaccreditation? (Proposed Sec.  1.666)

    Proposed Sec.  1.666 describes the procedures a certification body 
must follow when seeking to be reaccredited after its accreditation was 
withdrawn by FDA or after voluntarily relinquishing its accreditation.
    FDA received no adverse comments on this section. On our own 
initiative we are revising paragraph (a)(2)(i) to conform to the 
changes in Sec.  1.634(d) to clarify that the third-party certification 
body has to become accredited by another accreditation body or by FDA 
through direct accreditation no later than 1 year after the withdrawal 
or accreditation, or the original date of expiration of the 
accreditation, whichever comes first.

XI. Comments on Additional Procedures for Direct Accreditation of 
Third-Party Certification Bodies Under This Subpart

A. How do I apply to FDA for direct accreditation or renewal of direct 
accreditation? (Sec.  1.670)

    Section 808(b)(1)(A)(ii) of the FD&C Act allows us to directly 
accredit third-party auditors/certification bodies if we have not 
identified and recognized an accreditation body to meet the 
requirements of section 808 within 2 years after establishing this 
program. We proposed circumstances and procedures that would apply for 
direct accreditation and renewal of direct accreditation.
    (Comment 157) Some comments assert that the statute anticipates a 
bifurcated system for direct accreditation of certification bodies, 
because the standards for review for accreditation of foreign 
governments are distinct from those of the private auditing entities 
under section 808(c)(1) of the FD&C Act. The comments ask that we draft 
additional rules to specifically cover direct accreditation of foreign 
governments, asserting that we should provide a separate path for 
direct accreditation of foreign governments that prioritizes their 
applications based on, among other things, the language in section 
808(c)(1) of the FD&C Act. Some comments ask whether the same 
eligibility requirements and procedures are required of both 
governmental and private bodies applying for direct accreditation.
    (Response 157) We disagree with the suggestion to create a 
bifurcated system. We acknowledge that section 808(c)(1) of the FD&C 
Act contains different requirements for foreign governments/agencies 
than it does for foreign cooperatives and other private third-party 
certification bodies seeking accreditation. However, we do not 
interpret this language as suggesting a preference for public 
certification bodies over private certification bodies.
    We believe sections 808(c)(1)(A) and (B) of the FD&C Act are 
tailored to reflect the objectives and scope of each type of 
assessment, which would vary because of the differences between public 
and private certification bodies. While governments typically are both 
auditors/inspectors and owners of food safety schemes, private 
certification bodies usually are not scheme owners, because of concerns 
about possible conflicts of interest associated with serving in dual 
roles. Therefore, a private certification body would not be assessed 
for its food safety program or standards; it would be assessed for the 
training and qualifications of its auditors and its internal management 
system. In light of the foregoing, we decline the suggestion to 
interpret sections 808(c)(1)(A) and (B) of the FD&C Act as supporting 
provisions for direct accreditation that would prioritize the 
applications of foreign governments/agencies over applications from 
private third-party certification bodies.
    (Comment 158) Some comments suggest that FDA should not serve as an 
accreditation body for third-party certification bodies because it 
would open the door for other countries with less capability to do the 
same. The comments contend that FDA and its foreign regulatory partners 
need to provide the oversight of the industry, but should not be 
accreditation bodies.
    (Response 158) We disagree. Section 808 of the FD&C Act 
contemplates that FDA can provide proper oversight of the program, 
while directly accrediting third-party certification bodies. We are 
unable to comment on what effects, if any, this would have on the 
actions of other countries. However, we emphasize that FDA will not 
perform direct accreditation unless the circumstances of section 
808(b)(1)(A)(ii) of the FD&C Act are met--that is, if FDA has not 
identified and recognized an accreditation body to meet the 
requirements of section 808 of the FD&C Act within 2 years after 
establishing this program.
    (Comment 159) Some comments ask that we wait for more than 2 years 
after the program is established to accept applications for direct 
accreditation, to allow enough time for accreditation bodies applying 
for recognition to satisfy all the necessary requirements. Other 
comments assert that we should not directly accredit certification 
bodies in a country if we have already recognized an accreditation body 
in that country. Some comments ask us to clarify when, under what 
conditions, and how we would choose to directly accredit a 
certification body.
    (Response 159) Under section 808(b)(1)(A)(ii) of the FD&C Act, 2 
years after establishing the program is the earliest date that FDA may 
begin to directly accredit third-party certification bodies. Further, 
we may only do so if we determine that we have not identified and 
recognized an accreditation body to meet the requirements of section 
808 of the FD&C Act 2 years after establishing the program. In the 
proposed rule, we provided examples of how we may make this 
determination, such identifying a type of expertise or geographic 
location for which a recognized accreditation body is

[[Page 74628]]

lacking, and stated that we will only accept applications for direct 
accreditation and renewal applications that are within the scope of the 
determination. FDA declines to limit itself to a time period longer 
than 2 years before it can consider direct accreditation as any 
decision to directly accredit will depend on the circumstances the 
needs of the program, as determined by FDA under Sec.  1.670(a).
    (Comment 160) Some comments express concern that we will not have 
the capacity to undertake the responsibility of directly accrediting 
certification bodies.
    (Response 160) Section 808(c)(8) of the FD&C Act requires FDA to 
create a user fee program to section 808 of the FD&C Act. FDA is in the 
process of establishing this program by rulemaking (80 FR 43987). For 
more information about the costs of this program, please see the 
regulatory analysis of this final rule.
    (Comment 161) Some comments ask if we will have a contract 
agreement with directly accredited certification bodies. These comments 
assert that if we do, the contract should specify that we have the 
capacity to access confidential information without prior written 
consent of the certification body. The contract should also specify 
that having access to records relating to accreditation activities 
under this subpart is necessary to ensure the rigor, credibility, and 
independence of the program.
    (Response 161) Under Sec.  1.671(d), FDA will list any conditions 
associated with the accreditation in the issuance and may establish an 
agreement with the certification body at that time. With respect to 
access to records, a third-party certification body that is directly 
accredited by FDA must comply with the records maintenance and access 
requirements of Sec.  1.658. Records obtained by FDA will be subject to 
the disclosure requirements of Sec.  1.695.

B. How will FDA review my application for direct accreditation or 
renewal of direct accreditation and what happens once FDA decides on my 
application? (Sec.  1.671)

    Proposed Sec.  1.671 describes a process for reviewing and deciding 
on applications for direct accreditation and renewal that is consistent 
with the procedures for reviewing and deciding on applications under 
other provisions in this rule.
    On our own initiative we are revising paragraph (a) to clarify that 
FDA will review submitted applications for completeness and notify 
applicants of any deficiencies. We also are adding new paragraphs (e) 
through (h) to Sec.  1.671 to explain what happens when a directly 
accredited certification body's renewal application is denied. We are 
adding provisions to clarify what the applicant must do, the effect of 
denial of an application for renewal of direct accreditation on food or 
facility certifications issued to eligible entities, and how FDA will 
notify the public.
    (Comment 162) Some comments express concern that we are limiting 
ourselves to a ``first in, first out'' review process that gives us no 
discretion to accredit foreign governments before we consider other 
applications from private third-party entities that apply.
    Some comments ask that we consider prioritizing approval of 
applications for direct accreditation on areas and regions where it is 
most needed to benefit our food safety mandates.
    Some comments assert that priority for review of applications for 
direct accreditation should be for countries without an accreditation 
body or in circumstances where it is not economically feasible for a 
national accreditation body to expand its scope to include a certain 
single certification body.
    (Response 162) As indicated Response 25, we intend to treat public 
and private certification bodies equally under this program, as both 
public and private certification bodies are capable of meeting the 
requirements of the program. Additionally, because we will only be 
accepting applications for direct accreditation in limited 
circumstances as discussed in Responses 158 and 159, all applications 
for direct accreditation will need to be able to demonstrate that there 
is a need for direct accreditation based on a determination made by FDA 
under Sec.  1.670(a)(1). We note that we have revised Sec.  1.671(a) to 
allow FDA to prioritize specific direct accreditation applications to 
meet the needs of the program.
    (Comment 163) Some comments assert that our application review 
process must be comprehensive but also expedient. Some comments ask 
that our communications with applicants be timely.
    Some comments express concern about the length of time it will take 
us to recognize and notify an applicant of any deficiencies in the 
application. These comments also assert that requiring applicants with 
deficiencies to resubmit their applications and sending it to the 
bottom of the review list would make for significant delays in the 
direct accreditation and renewal of direct accreditation application 
process.
    (Response 163) We understand the concern expressed by comments with 
regard to timeliness. Although we decline to set specific deadlines for 
this review, FDA anticipates that a completeness determination could 
generally be made within 15 business days, because this is not a 
decision on the merits of the application. Nonetheless, the time needed 
to identify deficiencies in any particular individual application will 
depend on a number of factors, including the quality of the submission, 
the availability of resources, and other competing priorities at the 
time the application is submitted. With respect to the concerns about 
requiring incomplete applications to be resubmitted and added to the 
bottom of the review list, we note that from our experience gained from 
the third-party certification pilot for aquacultured shrimp, extensive 
followup was needed with many of the applicants in order to gain 
sufficient information for a complete application. With this in mind, 
we are processing only complete applications so that we are not 
delaying others that have correctly prepared complete applications. 
Further, we are establishing an electronic portal for submission of 
applications, reports, notifications, and other information under this 
rule and an electronic repository of this information, which will allow 
us to communicate with applicants as needed.

C. What is the duration of direct accreditation? (Sec.  1.672)

    We proposed that direct accreditation of a third-party 
certification body may be granted for a period up to 4 years. We 
tentatively concluded that 4 years is an appropriate duration for an 
accreditation because we believe the rigor and credibility of this 
program rests, in part, on the oversight of accredited certification 
bodies to conduct audits and to certify eligible foreign entities. We 
requested comment on this tentative conclusion.
    (Comment 164) Some comments ask that we establish a specific fixed 
duration of 5 years for direct accreditation before renewal is 
required. These comments also ask that the duration for recognition of 
accreditation bodies and accreditation of third-party certifications 
bodies also be fixed at 5 years and assert that having a standardized 
accreditation term for all parties in the third-party program would be 
more administratively viable for us.
    (Response 164) For the reasons we explained in Response 145 we 
decline to establish a fixed duration of accreditation and also decline 
to establish a standard term of 5 years for

[[Page 74629]]

accreditation for all parties in the third-party program.

XII. Comments on Requirements for Eligible Entities Under This Subpart

A. How and when will FDA monitor eligible entities? (Sec.  1.680)

    Proposed Sec.  1.680 would allow FDA to conduct onsite audits of 
eligible entities that have received certification from an accredited 
certification body at any time, with or without the accredited third-
party certification body present. It also proposed that a food safety 
audit by an accredited certification body is not considered an 
inspection under section 704 of the FD&C Act. For clarification 
purposes at our own initiative, we are revising the second sentence of 
Sec.  1.680(a) to add, ``[w]here FDA determines necessary or 
appropriate,'' before ``the audit may be conducted with or without the 
accredited certification body or the recognized accreditation body 
(where applicable) present.''
    (Comment 165) Some comments address the timing of FDA's audits of 
eligible entities. Some comments encourage FDA to conduct audits of 
eligible entities regularly, particularly in the first years of the 
program, to ensure compliance with the program and to verify that 
certification is appropriate. Some comments encourage FDA to conduct 
random as well as targeted audits of eligible entities. For example, 
the comments suggest that if FDA withdraws the accreditation of a 
certification body, the Agency should conduct onsite audits of a sample 
of the eligible entities to which the withdrawn certification body 
issued certifications.
    (Response 165) We agree that robust government oversight of the 
third-party program will be vital to its success and periodic audits of 
eligible entities will be conducted consistent with our risk-based 
priorities and resources.
    (Comment 166) Some comments discuss the substance of FDA's audits 
of eligible entities. Some of these comments encourage FDA to ensure 
that eligible entities implement corrective actions when deficiencies 
are identified. Some comments recommend that company data on tests of 
both products and the environment be made available to FDA auditors, 
and argue that without access to such data, FDA auditors would not be 
able to perform a thorough audit. Comments also maintain that, during 
an audit, FDA should be able to access results of the eligible entity's 
testing of both products and the environment.
    (Response 166) We currently are developing internal operational 
procedures for the third-party certification program and will make 
these procedures public. As part of this process, we are developing 
protocols for FDA audits of eligible entities.
    (Comment 167) Some comments argue that unannounced audits of 
eligible entities by FDA that have been certified by an accredited 
third-party certification body would likely result in incomplete audits 
and urge the agency to consider contacting the eligible entity to 
schedule such audits. Comments state that scheduled audits would be 
more efficient and less burdensome for both eligible entities and FDA 
because eligible entities would have a better understanding of what is 
needed during the audit and which employees should be present.
    (Response 167) Section 808(c)(5)(C) of the FD&C Act directs FDA to 
promulgate regulations requiring that ``audits performed under this 
section be unannounced.'' Section 808(f)(3) of the FD&C Act allows FDA 
to, at any time, conduct an onsite audit of any eligible entity 
certified by an accredited third-party certification body to ensure 
compliance with the requirements of section 808. Given this statutory 
language, we are clarifying in Sec.  1.680 that an FDA audit conducted 
under this section will be conducted on an unannounced basis and may be 
preceded by a request for a 30-day operating schedule. We note that it 
may not be appropriate at all times to precede audits for a 30-day 
operating schedule, such as in the case of a for-cause audit.
    (Comment 168) Some comments state that when FDA has questions about 
eligible entities, it should notify the accreditation bodies and 
certification bodies to conduct a joint audit.
    (Response 168) It is unclear what the comment means by conducting a 
joint audit, but Sec.  1.680 would allow for the certification body and 
accreditation body to be present during the FDA audit when FDA 
determines it is necessary and appropriate.
    (Comment 169) Some comments argue that the monitoring of eligible 
entities should be conducted by the competent authority of the 
exporting country, particularly where a systems recognition agreement 
is in place or where there is a robust national food control system in 
place.
    (Response 169) We intend to coordinate as appropriate with our 
foreign regulatory counterparts; however, section 808(f)(3) of the FD&C 
Act specifically directs FDA to conduct onsite audits of eligible 
entities to ensure compliance with the requirements of section 808 of 
the FD&C Act. We believe onsite audits of certified eligible entities 
are an important component of the robust oversight essential to the 
success of the third-party program. Without the ability to conduct 
onsite audits of a certified eligible entity, FDA would not be able to 
directly ascertain whether the certification body and/or its 
accreditation body are in fact making accurate determinations of 
compliance with FDA requirements. Such oversight is necessary to 
maintain confidence in the certifications issued by accredited 
certification bodies under this program.
    (Comment 170) Some comments ask FDA to clarify why an onsite audit 
of an eligible entity is not considered an inspection under section 704 
of the FD&C Act, particularly since the purpose of the audit is to 
determine if the entity is in compliance with the FD&C Act and since an 
FDA inspection may be used to meet the verification requirements under 
the proposed FSVP regulation. Other comments endorse FDA's decision not 
to consider a food safety audit under this program an inspection under 
section 704 of the FD&C Act.
    (Response 170) Section 808(h)(1) of the FD&C Act explicitly states 
that audits under the third-party certification program ``shall not'' 
be considered inspections under section 704. The inspections done under 
section 704 of the FD&C Act, unlike audits conducted under section 
808(f)(3), are not conducted for the purpose of ensuring compliance 
with section 808 of the FD&C Act. The objective of an audit under Sec.  
1.680(a) extends beyond the eligible entity--through its audit of the 
eligible entity FDA is gathering information to use in its monitoring 
of the accredited certification body that audited the entity and the 
recognized accreditation body that accredited certification body that 
audited the eligible entity. We note that an audit under section 
808(f)(3) is not a ``food safety audit'' under this subpart. As noted 
previously, the audits conducted under section 808(f)(3) are done 
specifically to ensure compliance with section 808 of the FD&C Act. As 
discussed in section III.C., we are clarifying that an audit conducted 
under this subpart is not an inspection under section 704 under the 
FD&C Act. Accordingly, we are removing Sec.  1.680(b).

B. How frequently must eligible entities be recertified? (Sec.  1.681)

    Proposed Sec.  1.681 stated that an eligible entity seeking to 
maintain its facility certification must seek recertification prior to 
expiration of its certification. It also proposed that under

[[Page 74630]]

section 801(q)(4)(A) of the FD&C Act, FDA could require, at any time we 
deem appropriate, that an eligible entity renew a food certification.
    We received no comments on this proposed section. However, to 
clarify certain matters, we are amending this section on our own 
initiative. We are adding to first sentence the words, ``food or'' 
before ``facility certification'' because the maximum duration of 
certifications under section 808(d) of the FD&C Act applies to both 
food and facility certifications. Additionally, we are revising this 
section to state that FDA can require an eligible entity to apply for 
recertification of both food and facility certifications at any time 
that FDA deems appropriate.

XIII. Comments on General Requirements of This Subpart

A. How will FDA make information about recognized accreditation bodies 
and accredited third-party certification bodies available to the 
public? (Sec.  1.690)

    We proposed to post on our Web site a registry of recognized 
accreditation bodies and of accredited third-party certification 
bodies, including the name and contact information for each. The 
registry may provide information on certification bodies accredited by 
recognized accreditation bodies through links to the Web sites of such 
accreditation bodies. We requested comment on our proposed public 
registry.
    (Comment 171) Some comments support our proposal to place a 
registry of recognized accreditation bodies and accredited 
certification bodies on our Web site and to provide links to the Web 
sites of recognized accreditation bodies. Some comments assert that 
such a web-based resource where members of the industry and public 
could access standards associated with accreditation/certification and 
a list of accreditation and certification bodies is a meaningful 
demonstration of FDA oversight. Some comments ask that this list be 
updated regularly so that it stays accurate. These comments also ask 
that we provide appropriate indexing and filtering functions so that 
the registry is easily searchable and stakeholders can conveniently and 
reliably find and use this information.
    (Response 171) FDA agrees that the online registry will be a 
valuable tool. We intend for it to be updated regularly. We also intend 
for it to have indexing and filtering functions which will make 
searches more efficient and productive.
    (Comment 172) Some comments ask that we not include the name(s) of 
audit agent(s) on our Web site or otherwise publicly disclose such 
information could disrupt the marketplace for third-party certification 
services
    Some comments assert that access to detailed, specific, and 
sensitive information is not necessary to gain credibility with 
consumers. These comments refer us to industry models that provide 
detailed information on the requirements of their program and posts a 
list of members in good standing along with a list of companies who 
have been decertified is an example of credible, balanced information 
that is actionable by consumers (i.e., California Leafy Green Products 
Handler Marketing Agreement).
    (Response 172) To clarify, we do not intend to disclose the names 
of audit agents on our Web site. We will be providing the business name 
and business contact information for each recognized accreditation 
body. The business name and business contact information for each 
accredited third-party certification body may be listed on our Web site 
or may be provided by link to Web sites of their accreditation bodies. 
The Web site will contain program information as well and may be 
similar to the industry models recommended by some comments.
    (Comment 173) Some comments seek maximum transparency, asserting 
that we must also post on our Web site the audit reports, self-
assessments, and notifications prepared by the third-party 
certification bodies and submitted to FDA. The comments contend that 
making this information public would increase program transparency and 
help to ensure that imported products do not receive an unfair 
competitive advantage over products available domestically.
    Other comments suggest that we allow accreditation bodies and 
third-party certification bodies to submit redacted versions of these 
documents, where confidential information is blacked out, so that these 
documents can also be made publicly available without compromising 
confidential information. These comments assert that making public 
these reports, self-assessments, and notifications would improve self-
assessments, reduce the Agency's burden of responding to FOIA requests, 
and allow independent analysis to complement the Agency's evaluation. 
Thus, comments ask us to specify in Sec.  1.690 that we will also place 
on our Web site the reports and notifications submitted pursuant to 
Sec. Sec.  1.623 and 1.656 and that we will allow a recognized 
accreditation body and accredited auditors/certification body to submit 
a redacted version of the report or notification that is intended to be 
made publicly available.
    (Response 173) Generally, we do not intend to post redacted 
versions of reports on our Web site. Information submitted to the 
Agency, including reports and notifications submitted pursuant to 
Sec. Sec.  1.623 and 1.656, becomes an Agency record. We have added a 
new Sec.  1.695 to the final rule to clarify that records under this 
subpart are subject to part 20; part 20 provides protections for trade 
secrets and confidential commercial information (CCI) from public 
disclosure (see, e.g., Sec.  20.61).
    (Comment 173) Some comments ask us to take action to ensure that 
third-party certification bodies act with maximum transparency and to 
ensure adequate protections against conflicts of interest. Some 
comments ask that we post on our Web site information concerning the 
scope of the recognized accreditation body recognition and accredited 
certification body accreditation, duration of accreditation, payments 
made to those accreditation bodies and certification bodies, and 
whether accreditation has been withdrawn or suspended. Some comments 
assert that requiring recognized accreditation bodies and accredited 
certification bodies to make this information available on their own 
Web sites does not ensure that all potential conflicts of interest will 
be identified, and suggest that we require that this information be 
submitted directly to us as well.
    (Response 174) FDA agrees that it would be helpful to include on 
our Web site information concerning the scope of accreditation services 
that each recognized accreditation body is recognized for, and the 
scope of accreditation for each accredited certification body is 
accredited for. We also agree it would be useful and increase 
transparency to include the duration of recognition for each 
accreditation body, and the duration of accreditation for each 
certification body. Scope and duration information will make the site 
more practically useful and will increase transparency. Therefore, we 
intend to include this information on our Web site and we are revising 
Sec.  1.690 to reflect this. In addition, we are revising this section 
to state that FDA will post on its Web site a list of accreditation 
bodies for which it has denied renewal of recognition, for which FDA 
has revoked recognition, and that have relinquished their recognition 
or have allowed their recognition to expire. Further, FDA will place on 
its Web site a list of certification bodies whose renewal of 
accreditation has been denied, for which FDA has withdrawn 
accreditation, and that have

[[Page 74631]]

relinquished their accreditations or have allowed their accreditations 
to expire. Finally, FDA will place on its Web site determinations under 
Sec.  1.670(a)(1) and modifications of such determinations under Sec.  
1.670(a)(2). This additional information will help ensure maximum 
transparency under the program.
    With regard to information on dates of payment, we have determined 
there is little additional value to posting such information on the FDA 
Web site, and it would create an additional administrative burden; we 
do not believe the value exceeds the burden. In our view, conflict of 
interest and transparency concerns are sufficiently satisfied by making 
information on dates of payment publicly available online via the Web 
sites of recognized accreditation bodies (see Sec.  1.624(c)) and 
accredited certification bodies (see Sec.  1.657(d)).
    (Comment 175) Some comments request clarification concerning 
whether and what information we collect pursuant to this program will 
be made available to importers and the public. Some comments question 
the extent and format of the audit data that will be shared, and what 
might be held confidential. These comments assert that businesses have 
a need to protect proprietary information (e.g., sales lists, supplier 
lists, equipment designs and specific information about product 
attributes), and any sharing of such information might compromise their 
ability to carry out business functions or to maintain competitive 
advantage. Some comments inquire about the extent and formats of audit 
data we intend to make public, what might be held confidential, and 
whether we will take steps to protect information provided by 
certification bodies from FOIA requests.
    Some comments express concern about our ability to develop and 
maintain a dynamic system that will be able to collect, update, and 
present audit data to consumers, and assert that it is important for 
industry to gain a better understanding of what type of audit data we 
will require.
    Some comments suggest that we look to USDA's Food Safety and 
Inspection Service (FSIS) Public Health Information System for insight 
into how to develop a database system that seeks to define the boundary 
between increasing public access to data and addressing confidentiality 
concerns by companies. Some comments note that the FSIS program is the 
result of several years of effort to establish a mechanism for public 
access to data that can lead to research and analysis that improves 
public health while protecting the proprietary rights of the 
establishments.
    (Response 175) As discussed previously, newly added Sec.  1.695 
clarifies that records under this subpart are subject to part 20; part 
20 provides protections for trade secrets and confidential commercial 
information from public disclosure (see, e.g., Sec.  20.61).
    FDA will provide periodic updates on program activities through our 
Web site, and our disclosures will be consistent with our statutory 
obligations to protect trade secrets and CCI from disclosure. With 
regard to the expressed concern about FDA's ability to develop and 
maintain an adequate data system to collect, update, and present audit 
data to consumers, we are aware of the size and importance of this 
undertaking and are diligently pursuing an effective system. We 
appreciate the suggestion to review the FSIS database system and intend 
to do so.
    (Comment 176) Some comments encourage us to develop communication 
strategies to help consumers view the data in audit reports within the 
context of food production; specifically, to set proper program 
expectations and to provide proper context for consumers to understand 
what the data means. These comments assert that it is important to 
provide a frame of reference so that consumers have a basis for 
understanding what the audit data means and can then proceed to make 
informed decisions. The comments note that audits and certifications 
are not declarations or guarantees that products are safe, and that FDA 
and the industry need to feature this reality in communications 
strategies aimed to assist consumer groups and consumers in using any 
audit data that might be available for review.
    (Response 176) As noted above, we do intend to share updates on 
program activities with the public; we will work to properly 
contextualize the data in our communications about and presentation of 
the information. As noted in Response 173, FDA does not generally 
intend to make audit reports public.
    (Comment 177) Some comments assert that we must clearly describe 
how compliance with the program will be reported to the public.
    (Response 177) As noted above, we intend to provide periodic 
updates on program activities through our Web site. Where appropriate, 
these updates may include aggregated program data. Additional 
information about program updates will be shared as we implement this 
program. Further, as noted in response to Comment 86, FDA will post 
information on its Web site regarding accreditation bodies that have 
had their recognition revoked, accreditation bodies for which FDA fails 
to renew recognition, certification bodies that have had their 
accreditation withdrawn, and certification bodies whose renewal of 
accreditation has been denied.

B. How do I request reconsideration of a denial by FDA of an 
application or a waiver request? (Sec.  1.691)

    We proposed procedures for accreditation bodies and certification 
bodies to seek reconsideration of a denial of an application or a 
waiver request. We also proposed that after completing our review and 
evaluation of the request for reconsideration, we will notify the 
requestor, in writing, of our decision to grant or deny the application 
or waiver request upon reconsideration.
    On our own initiative, we are revising Sec.  1.691(c) to specify 
that a request for reconsideration or a waiver request must be 
submitted electronically. We are making corresponding changes to Sec.  
1.692(b).
    (Comment 178) Some comments suggest that we provide an opportunity 
for interested stakeholders, in addition to the accreditation body or 
third-party certification body seeking reconsideration, to provide 
information to us that will inform our decisionmaking on any 
reconsideration request.
    (Response 178) We decline to adopt comments' suggestion to allow 
for others beyond the accreditation body or third-party certification 
body seeking reconsideration to engage in this process. Our 
reconsideration of a denial is not a public process nor do we wish to 
make it one. Applications often contain confidential information not 
appropriate for public comment. We note that information shared with 
FDA is subject to the information disclosure regulations in part 20, as 
stated in Sec.  1.695.
    (Comment 179) Some comments ask us to specify that we will notify 
the requestor of our decision within 20 business days after receiving a 
request for reconsideration. These comments assert that the open-ended 
timeframe for our review of reconsideration request may place an undue 
burden on the party seeking reconsideration.
    (Response 179) FDA agrees that a request for reconsideration should 
be reviewed in a timely fashion. FDA would anticipate that this review 
will generally be made within 30 business days. However, given the 
conflicting demands on Agency resources at various times, the Agency 
declines to add this time restriction to Sec.  1.691.

[[Page 74632]]

C. How do I request internal agency review of a denial of an 
application or waiver request upon reconsideration? (Sec.  1.692)

    We proposed that the requestor who received a denial upon 
reconsideration under Sec.  1.691 may seek internal Agency review of 
such denial under 21 CFR 10.75(c)(1).
    (Comment 180) Some comments suggest that we provide an opportunity 
for interested stakeholders to provide information to us that will 
inform our decisionmaking on any such reconsideration request.
    (Response 180) As with the parallel suggestion in the context of a 
request for reconsideration, we decline to adopt comments' suggestion. 
The Agency's review of a denial is not a public process nor do we wish 
to make it one. As noted previously, applications often contain 
confidential information not appropriate for public comment. We note 
that information shared with FDA is subject to the information 
disclosure regulations in part 20, as stated in Sec.  1.695.

D. How do I request a regulatory hearing on a revocation of a 
recognition or withdrawal of accreditation? (Sec.  1.693)

    We proposed procedures that would be used for challenges to 
revocation of recognition or withdrawal of accreditation.
    On our own initiative, we revised Sec.  1.693(f) to include the 
standard for denial of a request for a regulatory hearing under 21 CFR 
16.26(a).
    (Comment 181) Some comments suggest that we provide an opportunity 
for interested stakeholders, in addition to the accreditation body or 
third-party certification body seeking a regulatory hearing, to provide 
information to us that will inform our decisionmaking during a 
regulatory hearing.
    (Response 181) Again, we decline to adopt comments' suggestion to 
allow for others beyond the accreditation body or third-party 
certification body seeking to challenge an FDA decision to engage in 
this process. For purposes of this final rule, we are not making the 
regulatory hearing a public process because issues pertaining to 
revocation and withdrawal generally contain confidential or sensitive 
information. We note that information shared with FDA is subject to the 
information disclosure regulations in part 20, as stated in Sec.  
1.695. We are amending proposed Sec.  1.693(g)(3), redesignated as 
Sec.  1.693(g)(2), to state that Sec.  16.60(a) (public process) is 
inapplicable to hearings under this rule.

E. Are electronic records created under this subpart subject to the 
electronic records requirements of part 11? (Sec.  1.694)

    We did not specify requirements for the retention of electronic 
records in the proposed rule. However, as discussed in relation to 
Sec.  1.625, we received several comments regarding the potential 
application of the requirements for electronic records in part 11 to 
records under this subpart; several comments ask that we not apply the 
part 11 requirements here.
    We agree that it would be unnecessarily burdensome to require that 
records under the third-party program comply with the requirements in 
part 11. Therefore, we are adding Sec.  1.694 to the final rule which 
states that records that are established or maintained to satisfy the 
requirements of this subpart and that meet the definition of electronic 
records in Sec.  11.3(b)(6) are exempt from the requirements of part 
11. We further specify that records that satisfy the requirements of 
this subpart, but those that also are required under other applicable 
statutory provisions or regulations, remain subject to part 11 to the 
extent that they are not separately exempted. Consistent with these 
provisions, we are making a conforming change in part 11 to specify in 
Sec.  11.1(m) that part 11 does not apply to records that meet the 
definition of electronic records in Sec.  11.3(b)(6) required to be 
established or maintained under this subpart, and that records that 
satisfy the requirements of this subpart, but that also are required 
under other statutory provisions or regulations, remain subject to part 
11 to the extent that they are not separately exempted.

F. Are the records required by this subpart subject to public 
disclosure? (Sec.  1.695)

    In the proposed rule, we did not specify requirements regarding the 
public disclosure of records created and retained under this subpart. 
However, as discussed previously in the preamble, several comments 
express concerns about whether notifications, records, and reports 
required by this rule would be protected from public disclosure. The 
comments state that notifications, records, and reports will often 
contain commercially sensitive information. Some comments ask that the 
regulations specify that such information under this program have the 
same level of protection from public disclosure under FOIA as juice and 
seafood HACCP records.
    Information submitted to the Agency, including reports and 
notifications submitted pursuant to Sec. Sec.  1.623 and 1.656, becomes 
an Agency record. We note we have added a new Sec.  1.695 to the final 
rule to clarify that records under this subpart are subject to part 20; 
part 20 provides protections for trade secrets and CCI from public 
disclosure (see, e.g., Sec.  20.61).

G. May importers use reports of regulatory audits by accredited 
certification bodies for purposes of subpart L of this part? (Sec.  
1.698)

    We proposed that an importer as defined in Sec.  1.500 of this part 
may use a regulatory audit of an eligible entity, documented in a 
regulatory audit report, in meeting the requirements for an onsite 
audit of a foreign supplier under subpart L of this part.
    (Comment 182) Some comments agree with FDA's proposal to allow 
importers to use regulatory audit reports of foreign suppliers, 
conducted for VQIP or import certification purposes, in meeting the 
verification requirements under the proposed FSVP program. These 
comments state that the use of regulatory audits by accredited third-
party certification bodies should not be required under FSVP. The 
comments assert that importers should be free to choose how best to 
meet the verification requirements. Some comments misunderstood 
proposed Sec.  1.698 to require the use of accredited third-party 
certification bodies for FSVP purposes.
    (Response 182) To clarify that the use of an accredited third-party 
certification body for FSVP purposes is not required by this rule, we 
are removing this provision. This rule establishes the framework and 
procedures for participation in the accredited third-party 
certification program for purposes of sections 808 of the FD&C Act and 
does not create substantive requirements for the FSVP program. However, 
regulatory audits may be used to meet supplier verification 
requirements under FDA's final preventive controls regulations and FSVP 
regulations if they comport with those requirements.

XIV. Editorial and Conforming Changes

    The revised regulatory text includes several changes that we have 
made to clarify requirements and to improve readability. The revised 
regulatory text also includes several conforming changes that we have 
made when a change to one provision affects other provisions. We 
summarize the principal editorial and conforming changes in table 5. We 
also made very minor editorial corrections, such as inserting a

[[Page 74633]]

missing end parenthesis symbol; those changes are not included in this 
chart.

                               Table 5--Principal Editorial and Conforming Changes
----------------------------------------------------------------------------------------------------------------
 Designation in the revised  regulatory
             text  (section)                               Revision                           Explanation
----------------------------------------------------------------------------------------------------------------
Throughout part 1, subpart M............  Where applicable, substituted the term      Conforming change.
                                           ``assessment'', or its derivations, for
                                           the terms ``audit'' or ``review'', or
                                           their derivations, when describing an FDA
                                           evaluation of an accreditation body and
                                           when describing an evaluation of a third-
                                           party certification body performed by a
                                           recognized accreditation body or by FDA.
Throughout part 1, subpart M............  Where applicable, substituted               Conforming change.
                                           ``evaluate'', or its derivations, for
                                           ``assess'' or ``determine'', or their
                                           derivations, when describing the nature
                                           of activities involved in an
                                           ``assessment'' (as defined in this rule)
                                           of an accreditation body or a third-party
                                           certification body.
Throughout part 1, subpart M............  Where applicable, substituted ``examine'',  Conforming change.
                                           or its derivations, for ``audit'',
                                           ``assess'', ``determine'', or
                                           ``evaluate'', or their derivations, when
                                           describing the nature of activities
                                           involved in an ``audit,'' as defined in
                                           this rule, of an eligible entity.
Throughout part 1, subpart M............  Where applicable, revised to refer to       Improve clarity.
                                           ``audit agent'' rather than ``agent''
                                           when describing individuals who conduct
                                           audits for accredited third-party
                                           certification bodies. Use ``agent(s) used
                                           to conduct audits'' rather than, ``audit
                                           agent(s)'' when referring to individuals
                                           who conduct audits for a third-party
                                           certification body prior to its
                                           accreditation under this program.
Throughout part 1, subpart M............  Revised to refer to ``competency'' rather   Improve clarity.
                                           than ``competence''.
Throughout part 1, subpart M............  Where appropriate, revised to refer to      Improve clarity.
                                           ``recognized accreditation bodies''
                                           rather than ``accreditation bodies''.
Throughout part 1, subpart M............  Where appropriate, revised to refer to      Improve clarity.
                                           ``accredited third-party certification
                                           bodies'' rather than ``third-party
                                           certification bodies''.
Throughout part 1, subpart M............  Where appropriate, rephrased ``[i]f FDA     Improve clarity.
                                           has reason to believe that a food
                                           certification issued for purposes of
                                           section 801(q) of the FD&C Act is not
                                           valid or reliable, FDA may refuse to
                                           consider the certification in determining
                                           the admissibility of the article of food
                                           for which the certification was
                                           offered.''
Throughout part 1, subpart M............  Replaced ``personnel'' with ``employees''.  Improve clarity.
Sec.   1.600(c).........................  Deleted ``, including the model             Conforming change.
                                           accreditation standards'' from the
                                           definition of ``accreditation''.
Sec.   1.600(c).........................  Revised the definition of ``accredited      Improve clarity.
                                           third party certification body'' to
                                           replace ``is authorized'' with ``is
                                           accredited''.
Sec.   1.600(c).........................  Revised the definition of ``eligible        Improve clarity.
                                           entity'' to replace ``subject to the
                                           registration requirements of'' with
                                           ``required to be registered under''.
Sec.   1.600(c).........................  Revised the definition of ``facility        Improve clarity.
                                           certification'' to replace ``establish
                                           that a facility meets'' with ``establish
                                           whether a facility complies with''.
Sec.   1.600(c).........................  Revised the definition of ``food            Improve clarity.
                                           certification'' to replace ``establish
                                           that a food meets'' with ``establish
                                           whether a food of an eligible entity
                                           complies with''.
Sec.   1.600(c).........................  Revised the definition of                   Improve clarity.
                                           ``relinquishment'' to state that
                                           relinquishment occurs prior to the
                                           expiration of recognition or
                                           accreditation for accreditation bodies
                                           and certification bodies, respectively.
Sec.   1.601(a).........................  Changed ``for conducting food safety        Improve clarity.
                                           audits and for issuing food and facility
                                           certifications to eligible entities'' to
                                           ``to conduct food safety audits and to
                                           issue food and facility certifications''.
Sec.   1.601(b)(2)......................  Changed ``Issuing food and facility         Improve clarity.
                                           certifications'' to ``Issuing
                                           certifications''.
                                          Changed ``or in meeting the eligibility
                                           requirements'' to ``or issuing a facility
                                           certification for meeting the eligibility
                                           requirements''.
Sec.   1.601(c).........................  Replaced ``except as provided in paragraph  Correction.
                                           (d) of this section'' with ``under this
                                           subpart''.
Sec.   1.601(d).........................  Redesignated paragraphs (1), (1)(i),        Editorial change.
                                           (1)(ii), (2), (2)(i), and (2)(ii) as
                                           paragraphs (1)(i), (1)(i)(A), (1)(i)(B),
                                           (1)(ii), (1)(ii)(A), and (1)(ii)(B).
Sec.   1.601(d)(1)(i)...................  Changed ``[t]he certification of food       Conforming change.
                                           under section 801(q)'' to ``[a]ny
                                           certification required under section
                                           801(q)''.
Sec.   1.601(d)(1)(ii)..................  Changed ``[c]ertification of food under     Conforming change.
                                           section 801(q)'' to ``Any certification
                                           required under section 801(q)''.
Sec.   1.601(d)(1)(ii)..................  Changed ``food other than alcoholic         Improve clarity.
                                           beverages that is from a facility'' to
                                           ``food that is not an alcoholic beverage
                                           that is received and distributed by a
                                           facility''.
Sec.   1.610............................  Section heading changed from ``[w]ho is     Improve clarity.
                                           eligible for recognition,'' to ``[w]ho is
                                           eligible to seek recognition;''
                                          Text changed from ``eligible for
                                           recognition'' to ``eligible to seek
                                           recognition.''.

[[Page 74634]]

 
Sec.   1.611(a).........................  Changed ``through'' to ``as a legal entity  Improve clarity.
                                           with''.
                                          Removed ``such'' from between ``perform''
                                           and ``assessments.''.
                                          Changed ``its capability to audit'' to
                                           ``its capability to conduct audits.''.
Sec.   1.611(a)(2)......................  Replaced ``personnel and other agents,''    Conforming change.
                                           with ``its agents, (or the third-party
                                           certification body in the case of a third-
                                           party certification body that is an
                                           individual, such individual)''.
Sec.  Sec.   1.611(b), 1.612(b),          In sentences referencing requirements for   Improve clarity.
 1.613(b), 1.614(b), 1.615(b),             recognized accreditation bodies or
 1.623(d)(2), 1.630(b), 1.631(b),          accredited third-party certification
 1.641(b), 1.642(b), and 1.645(b).         bodies, replaced specific references to
                                           other sections of this rule with ``the
                                           applicable [* * *] requirements of this
                                           subpart''.
Sec.   1.612(b).........................  Changed ``capability to meet the* * *'' to  Clarify that only the
                                           ``capability to meet the applicable''.      applicable assessment and
                                                                                       monitoring requirements
                                                                                       apply.
Sec.   1.615(a).........................  Added ``pertaining to this subpart''        Improve clarity.
                                           between ``legal obligations'' and ``and
                                           to provide''.
Sec.   1.615(b).........................  Replaced ``[i]s capable of meeting,'' with  Editorial change.
                                           ``The capability to meet''.
Sec.   1.620(a)(2)......................  Removed ``that aggregates the products of   Conforming change.
                                           growers or processor [sic],'' after
                                           ``foreign cooperative''.
Sec.   1.620(d).........................  Replaced ``including,'' with, ``and         Editorial change.
                                           include''.
Sec.   1.621............................  Last word of section heading changed from   Editorial change.
                                           ``accredits'' to ``accredited''.
Sec.   1.621(a).........................  At the end of the previously undesignated   Improve clarity.
                                           paragraph which is now paragraph (a),
                                           moved ``recognized accreditation body . .
                                           . with this subpart''.
Sec.   1.622(a).........................  Added ``compliance with this subpart,       Improve clarity.
                                           including'' at the end of the opening
                                           phrase.
Sec.   1.622(a)(1)......................  Replaced ``or other agents in activities    To clarify that the
                                           under this subpart and the degree of        relevant activities under
                                           consistency among such performances,''      this subpart are
                                           with ``or other agents involved in          accreditation activities.
                                           accreditation activities and the degree
                                           of consistency in conducting
                                           accreditation activities''.
Sec.   1.622(a)(2)......................  Added ``involved in accreditation           Conforming change.
                                           activities,'' between ``other agents,''
                                           and ``with the conflict of interest
                                           requirements''.
Sec.   1.622(c)(1)......................  Changed ``area(s) needing improvement,''    Improve clarity.
                                           to ``area(s) where deficiencies exist''.
Sec.   1.622(c)(2)......................  Changed ``implement effective correction    Improve clarity.
                                           action(s) to address those area(s)'' to
                                           ``implement corrective action(s) that
                                           effectively address those deficiencies''.
Sec.   1.622(c)(3)......................  Inserted ``any'' between ``records of,''    Improve clarity.
                                           and ``such corrective action(s)''.
Sec.   1.622(d).........................  Changed ``includes:'' to ``includes the     Conforming change.
                                           following elements.''.
Sec.   1.622(d)(2)......................  Added ``involved in accreditation           Conforming change.
                                           activities,'' between, ``other agents,''
                                           and ``complied with the conflict of
                                           interest requirements''.
Sec.   1.623(b).........................  Created subparagraphs by inserting,         Improve clarity.
                                           ``(i)'' before ``a report of the results
                                           of an annual self-assessment'' and
                                           ``(ii)'' before ``for a recognized
                                           accreditation body subject to Sec.
                                           1.664(g)((1);''
                                          Removed ``must submit'' from between
                                           ``Sec.   1.664(g)(1),'' and ``a report of
                                           such self-assessment;''.
                                          Changed ``to FDA within 2 months'' to ``to
                                           FDA within 60 days of the third party
                                           certification body's withdrawal.''.
Sec.   1.623(c)(1)......................  Added ``(including expanding the scope      Improve clarity.
                                           of),'' between ``[g]ranting,'' and
                                           ``accreditation''.
Sec.   1.623(d)(1)(iv)..................  Added ``scope and,'' between ``the'' and    Improve clarity.
                                           ``basis for such denial''.
Sec.   1.624(a).........................  Changed from ``other agents)'' to ``other   Conforming change.
                                           agents involved in accreditation
                                           activities)''.
Sec.   1.624(b) redesignated as Sec.      Rephrased ``[t]he financial interests of    Improve clarity.
 1.624(c).                                 the spouses and children younger than 18
                                           years of age of officers, personnel, and
                                           other agents of a recognized
                                           accreditation body will be considered the
                                           financial interests of such officers,
                                           personnel, and other agents of the
                                           accreditation body''.
Sec.   1.624(d).........................  Changed ``and date(s) on each the           Editorial change.
                                           accredited'' to ``and the date(s) on
                                           which the accredited''.
Sec.   1.625 title and paragraphs (a),    Changed from ``A recognized accreditation   To clarify that the duties
 (b), and (c).                             body,'' to ``An accreditation body that     with respect to records
                                           has been recognized''.                      as required under this
                                                                                       subpart adhere to any
                                                                                       accreditation body that
                                                                                       has been recognized,
                                                                                       including accreditation
                                                                                       bodies that are no longer
                                                                                       recognized.
Sec.   1.625(a)(2)......................  Added ``expand or'' after ``withdraw, or''  Improve clarity.
Sec.   1.630(c).........................  Changed from ``needed by FDA to process     Improve clarity.
                                           the application'' to ``needed by FDA
                                           during processing of the application''.

[[Page 74635]]

 
Sec.   1.630(d).........................  Changed from ``signed by the applicant or   Improve clarity.
                                           by any individual authorized'' to
                                           ``signed by an individual authorized''.
Sec.   1.631 heading....................  Changed heading from ``How will FDA review  Improve clarity.
                                           applications for recognition and renewal
                                           of recognition?'' to ``How will FDA
                                           review my application for recognition or
                                           renewal of recognition and what happens
                                           once FDA decides on my application?''
Sec.   1.631(a).........................  Added ``an accreditation body's'' after     Improve clarity.
                                           FDA will review, deleted ``a''.
Sec.   1.631(b).........................  Inserted ``regarding'' before ``whether     Editorial change.
                                           the application has been approved or
                                           denied.''
Sec.   1.631(c).........................  Changed to state that the FDA will notify   Improve clarity.
                                           an applicant that its recognition or
                                           renewal application has been approved
                                           through issuance of recognition that will
                                           list any limitations associated with the
                                           recognition.
Sec.   1.631(d).........................  Changed to state that the FDA will notify   Improve clarity.
                                           an applicant that its recognition or
                                           renewal application has been denied
                                           through issuance of a denial of
                                           recognition that will state the basis for
                                           such denial and provide the procedures
                                           for requesting reconsideration of the
                                           application under Sec.   1.691.
Sec.   1.632............................  Added ``from the date of recognition'' to   Improve clarity.
                                           the end of the sentence.
Sec.   1.633(a).........................  Removed ``periodically''..................  Improve clarity.
Sec.   1.633(a).........................  Rephrased ``date of accreditation for a 5-  Improve clarity.
                                           year term of recognition, or by no later
                                           than mid-term point for recognition
                                           granted for less than 5 years.''
Sec.   1.633(b).........................  Rephrased ``These may be conducted at any   Improve clarity.
                                           time, with or without the accreditation
                                           body or auditor/certification body
                                           present''.
Sec.   1.634(a).........................  Inserted ``found not to be in compliance    Improve clarity.
                                           with the requirements of this subpart,
                                           including'' after ``of an accreditation
                                           body''.
Sec.   1.634(a)(2)(ii)..................  Changed ``problem with the accreditation    Improve clarity.
                                           body'' to ``deficiency''.
Sec.   1.634(a)(2)(iii).................  Inserted ``to do so'' after ``[d]irected''  Improve clarity.
Sec.   1.634(c)(1)......................  Changed ``Upon revocation, FDA will notify  Improve clarity.
                                           that accreditation body, electronically,
                                           in English, stating * * *''.
Sec.   1.634(d)(1)......................  Removed ``electronically and in English''.  Improve clarity.
Sec.   1.634(d)(1)(i)...................  Rephrased from ``[n]o later than 2 months   Improve clarity.
                                           after the revocation'' to ``[n]o later
                                           than 60 days after the date of issuance
                                           of the revocation''.
Sec.   1.634(d)(1)(ii)..................  Added ``or the original date of the         Improve clarity.
                                           expiration of the accreditation,
                                           whichever comes first'' after
                                           ``revocation''.
                                          Changed from ``a recognized'' to,
                                           ``another recognized''.
Sec.   1.634(d)(2)......................  Added ``(c)'' after ``1.664''.............  Improve clarity.
Sec.   1.635 heading....................  Changed heading from ``How do I             Improve clarity.
                                           voluntarily relinquish recognition?'' to
                                           ``What if I want to voluntarily
                                           relinquish recognition or do not want to
                                           renew recognition?''
Sec.   1.636(a).........................  Removed ``or may be required to submit      Improve clarity.
                                           such application after a determination in
                                           a regulatory hearing under Sec.   1.693''.
Sec.   1.640 heading....................  Changed heading from, ``Who is eligible     Improve clarity.
                                           for accreditation?'' to, ``Who is
                                           eligible to seek accreditation?''
Sec.   1.641(a).........................  Changed ``or through contractual rights''   Conforming change.
                                           to ``or as a legal entity with
                                           contractual rights'' and added ``and
                                           conformance with applicable'' before
                                           ``industry standards and practices''.
Sec.   1.642(a)(1)......................  Changed ``industry standards and practices  Improve clarity.
                                           and to issue'' to ``conformance with
                                           applicable industry standards and
                                           practices and issuance of''.
Sec.   1.641(a)(2)......................  Changed ``of the eligible entity'' to ``of  Conforming change.
                                           an eligible entity''.
                                          Removed ``such as witnessing the
                                           performance of a statistically
                                           significant number of personnel and other
                                           agents conducting audits of food
                                           facilities.''.
Sec.   1.643(a).........................  Replaced ``certification body (and its      Improve clarity.
                                           officers, personnel, and other agents)
                                           and eligible entities (and their owners
                                           and operators) seeking assessment and
                                           certification from,''
Sec.   1.644(a)(1)......................  Rephrased ``[i]dentify areas in its         Improve clarity.
                                           auditing and certification program or
                                           performance that need improvement'' to
                                           ``[i]dentify deficiencies in its auditing
                                           and certification program or
                                           performance''.
Sec.   1.644(a)(2)......................  Rephrased from ``Quickly execute            Improve clarity.
                                           corrective actions when problems are
                                           found'' to ``[q]uickly execute corrective
                                           actions that effectively address any
                                           identified deficiencies''.
Sec.   1.650 heading....................  Changed heading from ``How must an          Improve clarity.
                                           accredited auditor/third-party
                                           certification body ensure its audit
                                           agents are competent and objective'', to
                                           ``How must an accredited third-party
                                           certification body ensure competency and
                                           objectivity?''

[[Page 74636]]

 
Sec.   1.650(a)(3)......................  Changed from ``[p]articipates in annual     Improve clarity.
                                           food safety under the accredited
                                           auditor's/certification body's training
                                           plan,'' to ``[c]ompletes annual food
                                           safety training that is relevant to
                                           activities conducted under this subpart''.
Throughout Sec.  Sec.   1.651 and 1.652.  Where appropriate, added ``eligible''       Improve clarity.
                                           before ``entity'' and ``food safety''
                                           before ``audit''.
Sec.   1.651(a)(1)(i)...................  Inserted ``subject to the requirements of   Improve clarity.
                                           this subpart'' after ``be conducted as a
                                           consultative or regulatory audit''.
Sec.   1.651(b)(1)......................  Changed from ``[c]onduct an unannounced     Conforming change.
                                           audit to verify whether the activities
                                           and results'' to ``[c]onduct an
                                           unannounced audit to determine whether
                                           the facility, process(es), and food''.
Sec.   1.651(b)(2)......................  Removed ``and, where appropriate, to issue  Improve clarity.
                                           food and facility certifications'' from
                                           end of phrase.
Sec.   1.651(b)(5)......................  Inserted ``audits conducted under this      Improve clarity.
                                           subpart as follows'' after ``[p]repare
                                           reports of''.
Sec.   1.651(b)(5)(i) (previously Sec.    Inserted ``For'' before ``consultative      Improve clarity.
 1.651(b)(5)).                             audits,''.
                                          Inserted ``maintain such records, subject
                                           to FDA access in accordance with section
                                           414 of the FD&C Act.''.
Sec.   1.651(b)(5)......................  Created (i) and (ii) to more easily         Improve clarity.
                                           distinguish between the different
                                           requirements for consultative and
                                           regulatory audits.
Sec.   1.651(b)(6)......................  Inserted ``under this subpart'' after       Improve clarity.
                                           ``food safety audit''.
Sec.   1.651(c)(2)......................  Changed ``to establish compliance with the  Improve clarity.
                                           FD&C Act'' to ``to determine compliance
                                           with the applicable food safety
                                           requirements of the FD&C Act and FDA
                                           regulations, and, for consultative
                                           audits, also includes conformance with
                                           applicable industry standards and
                                           practices''.
Sec.   1.651(c)(3)......................  Rephrased ``entity would be likely to       Improve clarity.
                                           remain in compliance with the applicable
                                           requirements of the FD&C Act for at least
                                           12 months following the audit, provided
                                           that the facility and its process(es) are
                                           properly maintained and implemented.''
Sec.   1.651(c)(4)......................  Removed ``assessment'' and added ``other    Improve clarity.
                                           data and information from the
                                           examination, including information on''.
                                          Removed ``of the accredited auditor/
                                           certification body.''.
Throughout Sec.  Sec.   1.652, 1.653....  Where appropriate, inserted,                Improve clarity.
                                           ``regulatory'' before, ``audit''.
Sec.   1.652(a).........................  Reformatted requirements in Sec.            Editorial change.
                                           1.652(a)(1) through (6) to more closely
                                           align with formatting of Sec.
                                           1.652(b)(1) through (6);.
                                          Inserted ``subject to FDA access in         Improve clarity.
                                           accordance with the requirements of
                                           section 414 of the FD&C Act.''
Sec.   1.652(b)(1)......................  Replaced ``audited facility'' with ``site   Improve clarity.
                                           or location where the regulatory audit
                                           was conducted''.
Sec.   1.652(b)(6)(i) and (ii)..........  Inserted ``to humans or animals'' after     Improve clarity.
                                           ``serious adverse health consequences or
                                           death''.
Sec.   1.652(b)(8)......................  Rephrased from ``is used in the facility''  Improve clarity.
                                           to ``is performed in or used by the
                                           facility''.
Sec.   1.653 heading....................  Changed heading from ``What must            Improve clarity.
                                           accredited auditor/certification body do
                                           when issuing food or facility
                                           certifications?'' to ``What must an
                                           accredited third-party certification body
                                           do when issuing food or facility
                                           certifications?''
Sec.   1.653(a)(1)......................  Changed ``(or an audit agent'' to ``(or,    Improve clarity.
                                           where applicable, an audit agent''.
                                          Changed ``to establish compliance'' to
                                           ``to determine compliance.''.
Sec.   1.653(a)(2)......................  Changed ``an observation'' to ``a           Improve clarity.
                                           deficiency''.
Sec.   1.654 heading....................  Rephrased language in heading from          Improve clarity.
                                           ``eligible entity with a food or facility
                                           certification'' to ``eligible entity that
                                           it has issued a food or facility
                                           certification''.
Sec.   1.654............................  Added ``with such requirements'' after      Improve clarity.
                                           ``compliance''.
                                          Changed ``if it determines the eligible
                                           entity is no longer'' to ``if it
                                           withdraws or suspends a food or facility
                                           certification because it determines that
                                           the entity is no longer.''.
Sec.   1.655(a).........................  Changed ``must annually, and as required    Improve clarity.
                                           under Sec.   1.631(f)(1)(i) or upon FDA
                                           request made for cause, conduct a self-
                                           assessment that includes evaluation of:''
Sec.  Sec.   1.655(a)(1), 1.655(a)(2),    Added ``involved in auditing and            Improve clarity.
 1.655(a)(3), 1.655(d)(2), 1.657(a),       certification activities,'' after ``other
 1.657(a)(1), 1.657(c).                    agents''.
Sec.  Sec.   1.655(a)(1), 1.655(a)(2)...  Removed ``under this subpart''............  Improve clarity.
Sec.   1.655(a)(5)......................  Inserted ``of'' between ``determination''   Editorial change.
                                           and ``whether''.
Sec.   1.655(c)(1)......................  Replaced ``area(s) needing improvement''    Improve clarity.
                                           with, ``deficiencies in complying with
                                           the requirements of this subpart''.

[[Page 74637]]

 
Sec.   1.655(c)(2)......................  Rephrased from ``effective corrective       Improve clarity.
                                           action(s) to address those area(s)'' to
                                           ``corrective action(s) that effectively
                                           address the identified deficiencies''.
Sec.   1.656(b).........................  Modified submission timeframe from 2        Conforming change.
                                           months to 60 days.
Sec.   1.656(c).........................  Rephrased ``when any of its audit agents    Improve clarity.
                                           or the accredited auditor/third-party
                                           certification body itself, discovers any
                                           condition found during a regulatory or
                                           consultative audit of an eligible entity,
                                           which''.
Sec.   1.657(a)(3) redesignated as Sec.   Added ``accredited third-party              Improve clarity.
  1.657(a)(4).                             certification body's'' after
                                           ``[p]rohibiting an''.
                                          Changed ``other agent of the accredited
                                           auditor/certification body from accepting
                                           any money, gift, gratuity, or item of
                                           value'' to ``other agent involving in
                                           auditing and certification activities
                                           from accepting any money, gift, gratuity,
                                           or other item of value.''.
Sec.   1.657(a)(4) redesignated as Sec.   Changed reference from ``(a)(3)'' to        Editorial change.
  1.657(a)(5).                             ``(a)(4)''.
Sec.   1.657(a)(4)(i) redesignated as     Changed from ``accreditation'' to,          Correction.
 Sec.   1.657(a)(5)(i).                    ``auditing and certification''.
Sec.   1.657(c).........................  Added ``accredited third-party              Improve clarity.
                                           certification body's'' before
                                           ``officers''.
                                          Changed ``other agents of an accredited
                                           auditor/certification body'' to ``other
                                           agents involving in auditing and
                                           certification activities.''.
Sec.   1.658 heading....................  Changed heading to ``What records           Improve clarity.
                                           requirements must an accredited auditor/
                                           certification body that has been
                                           accredited meet?''
Sec.   1.658(a).........................  Rephrased from ``certification body must    Improve clarity.
                                           maintain electronically for 4 years
                                           records'' to ``certification body that
                                           has been accredited must maintain
                                           electronically for 4 years records
                                           created during its period of
                                           accreditation''.
Sec.   1.658(a)(1)......................  Removed ``laboratory testing records and    Conforming change.
                                           results (as applicable).
Sec.  Sec.   1.658(a)(1), 1.658(a)(3)...  Rephrased from ``and corrective actions''   Improve clarity.
                                           to ``verification of any corrective
                                           action(s) taken''.
Sec.   1.658(a)(4)......................  Replaced ``under Sec.   1.650(a)(5) or by   Conforming change.
                                           the accredited auditor/certification body
                                           to FDA under Sec.   1.656(e)'' with ``in
                                           accordance with Sec.   1.650(a)(5)''.
Sec.   1.658(a)(5)-(a)(9) redesignated    Removed paragraph (a)(5)..................  Conforming change.
 as Sec.   1.658(a)(5)-(a)(8).
Sec.   1.658(a)(8) redesignated as Sec.   Rephrased from, ``taken as a result'' to    Improve clarity.
  1.658(a)(7).                             ``taken to address any deficiencies
                                           identified during a self-assessment''.
Sec.   1.658(a)(9) redesignated as Sec.   Changed ``the auditing or certification     Improve clarity.
  1.658(a)(8).                             program'' to ``its auditing or
                                           certification program''.
Sec.   1.658(b).........................  Changed from ``FDA in accordance with the   Correction.
                                           requirements of subpart J of this
                                           chapter'' to ``FDA in accordance with
                                           section 414 of the FD&C Act''.
Sec.   1.660 heading....................  Changed heading to ``Where do I apply for   Improve clarity.
                                           accreditation or renewal of accreditation
                                           by a recognized accreditation body and
                                           what happens once the recognized
                                           accreditation body decides on my
                                           application?''
Sec.   1.661............................  Added ``by a recognized accreditation       Improve clarity.
                                           body'' at end of header.
Sec.   1.662(a).........................  Rephrased ``comply with the requirements    Improve clarity.
                                           of Sec.  Sec.   1.640 to 1.658 and
                                           whether there are deficiencies in the
                                           performance of the accredited auditor/
                                           certification body that, if not
                                           corrected, would warrant withdrawal of
                                           its accreditation under this subpart.''
Sec.   1.662(b)(4)......................  Rephrased from ``regarding the accredited   Improve clarity.
                                           auditor's/certification body's authority,
                                           qualifications (including the expertise
                                           and training of its audit agents),
                                           conflict of interest program, internal
                                           quality assurance program, and monitoring
                                           by its accreditation body (or, in the
                                           case of direct accreditation, FDA);''
Sec.   1.663(d).........................  Rephrased from ``submission was             Improve clarity.
                                           completed'' to ``completed submission is
                                           received''.
Sec.   1.663(e).........................  Removed ``in writing'' and ``Such           Conforming change.
                                           notification may be made
                                           electronically.''
Sec.   1.663(f).........................  Replaced ``conditions'' with                Improve clarity.
                                           ``limitations''.
Sec.   1.663(f).........................  Replaced ``notification'' with ``issuance   Improve clarity.
                                           of the waiver'' and ``issuance of a
                                           denial of a waiver request'' as
                                           appropriate.
                                          Replaced ``conditions'' with
                                           ``limitations.''.
Sec.   1.664(a)(1)......................  Added ``or chemical or physical hazard''..  Correction.
Sec.   1.664(a)(2)......................  Changed ``meets the requirements'' to       Improve clarity.
                                           ``complies with the applicable
                                           requirements''.
Sec.   1.664(b)(2)......................  Replaced ``steps'' with ``relevant audit    Improve clarity.
                                           records''.
                                          Replaced ``to justify the food or facility
                                           certification'' with ``in support of its
                                           decision to certify''.
Sec.   1.664(c)(2)......................  Deleted ``food or facility''..............  For flexibility.

[[Page 74638]]

 
Sec.   1.664(e)(1)......................  Added ``of its accreditation through        Improve clarity.
                                           issuance of a withdrawal that will
                                           state''.
Sec.   1.664(e)(1)......................  Deleted, ``electronically, in English''...  Conforming change.
Sec.   1.664(e)(2)......................  Added ``issuance of the'' between ``date    Improve clarity.
                                           of'' and withdrawal''.
Sec.   1.664(g)(1)......................  Replaced ``bodies'' with ``body it          Improve clarity.
                                           accredited''.
                                          Added ``by FDA.''.........................
                                          Changed ``2 months'' to ``60 days.''......
                                          Removed ``electronically and in English.''
Sec.   1.664(g)(2)......................  Replaced ``such'' with ``an''.............  Editorial change.
Sec.   1.664(h).........................  Replaced ``and the status of recognition    Improve clarity.
                                           and food and facility certifications'' in
                                           the heading with ``accreditation''.
Sec.   1.664(h).........................  Replaced ``under this subpart'' with ``and  Improve clarity.
                                           provide a description of the basis for
                                           withdrawal''.
Sec.   1.665 heading....................  Changed heading from ``How do I             Improve clarity.
                                           voluntarily relinquish accreditation? to
                                           ``what if I want to voluntarily
                                           relinquish accreditation or do not want
                                           to renew?''
Sec.   1.665(a).........................  Changed ``2 months'' to ``60 days''.......  Improve clarity.
Sec.   1.665(b).........................  Added ``The accreditation body must         Clarification.
                                           establish and maintain records of such
                                           notification under Sec.   1.625(a).''
Sec.   1.666(a)(1)......................  Replaced ``requirements for                 Improve clarity.
                                           accreditation'' with ``applicable
                                           requirements of this subpart''.
Sec.   1.666(a)(2)(i)...................  Replaced ``a'' with ``another'' and         Editorial changes.
                                           ``not'' with ``no''.
Sec.   1.670(a)(3)......................  Added ``(a)(1) of this section, as          Correction.
                                           described in paragraph (a)(2)''.
Sec.   1.670(b)(1)......................  Revised to specify provision ``(a)(1)''...  Improve clarity.
Sec.   1.670(b)(2)......................  Added subsection title ``Submission''.....  Improve clarity.
Sec.   1.670(b)(3)......................  Added subsection title ``Signature''......  Improve clarity.
Sec.   1.671 heading....................  Changed title from ``How will FDA review    Improve clarity.
                                           applications for direct accreditation and
                                           for renewal of direct accreditation?'' to
                                           ``How will FDA review my application for
                                           direct accreditation or for renewal of
                                           direct accreditation and what happens
                                           once FDA decides on my application?''
Sec.   1.671(b).........................  Reorganized the provision: Moved original   Improve clarity.
                                           (f) under (b).
Sec.   1.671(c) previously (c) and (d)..  Redesignated as (c) to state that FDA will  Improve clarity.
                                           notify an applicant that its direct
                                           accreditation or renewal application has
                                           been approved through issuance of direct
                                           accreditation that will list any
                                           limitations associated with the
                                           accreditation.
Sec.   1.671(e).........................  Redesignated (e) to (d)...................  Improve clarity.
                                          Replaced ``denies'' with ``issues a
                                           denial''.
                                          Added ``for direct accreditation or for
                                           renewal of direct accreditation.''.
                                          Replaced ``notification'' with ``issuance
                                           of the denial of direct accreditation.''.
                                          Deleted ``address and''...................
Sec.   1.681............................  Combined (a) and (b)......................  Improve clarity.
                                          Replaced ``seek'' with ``apply for''......
Sec.   1.691(a) and (b).................  Replaced ``decision'' with ``the issuance   Improve clarity.
                                           of such denial''.
Sec.   1.691(c).........................  Replaced ``it describes'' with ``described  Editorial change.
                                           in the notice''.
Sec.   1.691(d).........................  Deleted ``in writing''....................  Improve clarity.
                                          Rephrased ``of its decision to grant the
                                           application or waiver request upon
                                           reconsideration, or its decision to deny
                                           the application or waiver request upon
                                           reconsideration.''.
Sec.   1.692(a).........................  Replaced ``FDA issued'' to ``of issuance    Editorial change.
                                           of''.
Sec.   1.692(d).........................  Deleted ``electronically''................  Improve clarity.
                                          Added phrases ``through issuance of an
                                           application or waiver request upon
                                           reconsideration'' and ``application or
                                           waiver request upon reconsideration
                                           through issuance of a denial of.''.
Sec.   1.692(e).........................  Replaced ``Affirmation'' with ``Issuance''  Improve clarity.
Sec.   1.693............................  Replaced ``FDA issued'' and ``written       For consistency and to
                                           notice'' with ``issuance of''.              improve clarity.
Sec.   1.693(a).........................  Rephrased ``the accreditation body or an    Improve clarity.
                                           individual authorized to act on its
                                           behalf'' to ``an individual authorized to
                                           act on the accreditation body's behalf''.
Sec.   1.693(b).........................  Rephrased ``the auditor/certification body  Improve clarity.
                                           or an individual authorized to act on its
                                           behalf'' to ``an individual authorized to
                                           act on the third-party certification
                                           body's behalf''.
----------------------------------------------------------------------------------------------------------------


[[Page 74639]]

XV. Executive Order 13175

    In accordance with Executive Order 13175, FDA has consulted with 
tribal government officials. A Tribal Summary Impact Statement has been 
prepared that includes a summary of Tribal officials' concerns and how 
FDA has addressed them (Ref. 26). Persons with access to the Internet 
may obtain the Tribal Summary Impact Statement at http://www.regulations.gov. Copies of the Tribal Summary Impact Statement also 
may be obtained by contacting the person listed under FOR FURTHER 
INFORMATION CONTACT.

XVI. Analysis of Economic Impact

    FDA has examined the impacts of the final rule under Executive 
Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5 
U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 
104-4). Executive Orders 12866 and 13563 direct Agencies to assess all 
costs and benefits of available regulatory alternatives and, when 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety, and other advantages; distributive impacts; and 
equity). The Agency believes that this final rule is a significant 
regulatory action under Executive Order 12866.
    The Regulatory Flexibility Act requires Agencies to analyze 
regulatory options that would minimize any significant impact of a rule 
on small entities. Because the Third-Party program will be used 
primarily on voluntary basis where private enterprises determine that 
the benefits of participating in our program outweighs their associated 
user fee and compliance costs, the Agency certifies that the final rule 
will not have a significant economic impact on a substantial number of 
small entities.
    Section 202(a) of the Unfunded Mandates Reform Act of 1995 requires 
that Agencies prepare a written statement, which includes an assessment 
of anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' The current threshold after adjustment 
for inflation is $144 million, using the most current (2014) Implicit 
Price Deflator for the Gross Domestic Product. FDA does not expect this 
final rule to result in any 1-year expenditure that would meet or 
exceed this amount. Annualized cost of the Third-Party final rule is 
estimated at approximately $2.8 to $11.6 million, depending on the 
scenario.

XVII. Paperwork Reduction Act of 1995

    This final rule contains information collection provisions that are 
subject to review by OMB under the Paperwork Reduction Act of 1995 (44 
U.S.C. 3501-3520). The title, description, and respondent description 
of the information collection provisions are shown in the following 
paragraphs with an estimate of the annual reporting and recordkeeping 
burdens. Included in the estimate is the time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing each 
collection of information.
    Title: Accreditation of Third-Party Certification Bodies to Conduct 
Food Safety Audits and Issue Certifications (Third-Party final rule)
    Description: FDA is amending its regulations to provide for 
accreditation of third-party certification bodies (CBs) to conduct food 
safety audits of eligible foreign food entities, including foreign food 
facilities, and to issue food and facility certifications, pursuant to 
the FDA Food Safety Modernization Act. Use of accredited third-party 
CBs and food and facility certifications will help us prevent 
potentially harmful food from reaching U.S. consumers and thereby 
improve the safety of the U.S. food supply. We also expect that these 
regulations will increase efficiency by reducing the number of 
redundant audits to assess compliance with applicable food safety 
requirements of the FD&C Act and FDA regulations.
    Description of respondents: The coverage of the Third-Party final 
rule includes eligible entities seeking audits, certification, and/or 
recertification by accredited CBs participating in our program, 
accreditation bodies (ABs) seeking to comply with the recognition 
requirements of the Third-Party final rule, and CBs seeking to comply 
with the accreditation requirements of the Third-Party final rule 
(including those accredited by recognized ABs and those directly-
accredited by FDA). An eligible entity is a foreign entity in the 
import supply chain of food for consumption in the United States that 
chooses to be subject to a food safety audit conducted by an accredited 
third-party certification body.
    Based on FDA Operational and Administration System for Import 
Support database information, we estimate that there are 200,692 
foreign food and feed exporters that offer their food and feed for 
import into the United States. These foreign food and feed exporters 
include 129,757 food and feed production facilities and 70,935 farms. A 
proportion of these foreign food and feed exporters may offer food 
subject to mandatory certification requirements under section 801(q) of 
the FD&C Act. In that case, the eligible entities must either comply 
with the Third-Party final rule in order to obtain certification from a 
CB accredited under the third-party program to continue exporting their 
food products into the United States, or a foreign government 
designated by FDA, or lose their access to U.S. markets. In the 
economic analysis of the Third-Party final rule, we assume that in any 
given year 75 foreign food and feed exporters will be subject to 
section 801(q) of the FD&C Act.
    In addition to the entities subject to Sec.  801(q), some food 
exporters will seek certificates to participate in VQIP under section 
806 of the FD&C Act. We consider three different scenarios for the 
participation rate of VQIP importers and their associated foreign 
suppliers in a 10-year period: (1) Constant number of VQIP importers in 
every year, (2) increasing participation over time, peaking at 20 
percent of all importers of perishable products by the fifth year, with 
stagnant growth in subsequent years, (3) increasing participation over 
time, peaking at 40 percent of all importers of perishable products by 
the 10th year of the program.
    The VQIP draft guidance document caps the acceptance of 
applications by importers for VQIP at 200 for the initial year of the 
program. Under Scenario 1, we consider 200 importers participating in 
each of first 10 years of VQIP (see table 6). Average number of foreign 
suppliers per importers is approximately 5.58; therefore, under 
Scenario 1, we expect that 200 importers and approximately 1,116 
foreign suppliers (200 importers x 5.58 foreign supplier per importer) 
will be participating in VQIP every year for a 10-year period (see 
tables 6 and 7).
    According to FDA's Office of Regulatory Affairs Reporting Analysis 
and Decision Support System database, the number of importers of 
perishable products is approximately 2,759. These importers would have 
an incentive to participate in VQIP in order to expedite entry of their 
perishable food products into the United States. Under Scenario 2, we 
consider 200 importers participating in the initial year of VQIP and 
increasing steadily until the fifth year of the program until 552 
importers (20 percent x 2,759 importers of perishable products) are 
participating in the program. For years 6 through 10, we consider 3 
percent increase in

[[Page 74640]]

participation of new importers in VQIP (see table 6). Multiplying the 
number of importers by the number of foreign suppliers per importers 
(5.58), we expect that the number of foreign supplies participating in 
VQIP, under Scenario 2, would increase from 1,116 to 3,527 in a 10-year 
period (see table 7).
    Under Scenario 3, we consider the number of importers will increase 
from 200 in the initial year of VQIP to 1,104 importers (40 percent x 
2,759 importers of perishable products) in the 10th year of the 
program. Tables 6 and 7 include the number of importers and their 
associated foreign suppliers for scenario 3. Table 9 includes total 
number of eligible entities in the Third-Party final rule based on the 
three considered scenarios in the 10th year of the program.
    The economic analysis of the Third-Party final rule estimates 
compliance costs under the assumption that expected efficiency gains, 
and foreign food suppliers' incentive to maintain continued importation 
of their food to the United States would lead all foreign suppliers 
subject to section 801(q) of the FD&C Act, and foreign suppliers who 
choose to use third-party food safety audits to satisfy requirements of 
FDA's VQIP, to become eligible entities and seek food safety audits 
under the Third-Party final rule.
    Considering the demand for food safety audits under the Third-Party 
program by foreign suppliers subject to section 801(q) of the FD&C Act 
and those wanting to participate in VQIP, we expect that some of the 
ABs and CBs operating globally will also have an incentive to 
participate and comply with the Third-Party final rule. Under the three 
different scenarios discussed above, we have estimated that 11 to 25 
ABs will accredit CBs that will conduct food safety audits of foreign 
eligible entities that offer food or feed for import to the United 
States. We also estimate that approximately 91 to 207 CBs will be 
accredited by the potential 11 to 25 AB applicants; these CBs will 
comply with the Third-Party final rule in order to participate in the 
program. In addition, we expect that one CB will apply and participate 
in the third-party program via direct accreditation by FDA under the 
Third-Party final rule (see table 9).

                                  Table 6--Potential Number of Importers Participating in VQIP in Its Initial 10 Years
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                          Year
                           Scenario                            -----------------------------------------------------------------------------------------
                                                                   1        2        3        4        5        6        7        8        9        10
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.............................................................      200      200      200      200      200      200      200      200      200      200
2.............................................................      200      288      376      464      552      562      579      596      614      632
3.............................................................      200      300      400      500      600      700      800      900    1,000    1,104
--------------------------------------------------------------------------------------------------------------------------------------------------------


               Table 7--Potential Number of Foreign Suppliers (Section 806 of the FD&C Act) Participating in VQIP in Its Initial 10 Years
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                          Year
                           Scenario                            -----------------------------------------------------------------------------------------
                                                                   1        2        3        4        5        6        7        8        9        10
--------------------------------------------------------------------------------------------------------------------------------------------------------
1.............................................................    1,116    1,116    1,116    1,116    1,116    1,116    1,116    1,116    1,116    1,116
2.............................................................    1,116    1,607    2,098    2,589    3,080    3,136    3,231    3,326    3,426    3,527
3.............................................................    1,116    1,674    2,232    2,790    3,348    3,906    4,464    5,022    5,580    6,160
--------------------------------------------------------------------------------------------------------------------------------------------------------


                          Table 8--Number of Respondents in the Third-Party Final Rule
----------------------------------------------------------------------------------------------------------------
                        Eligible entities                           Scenario 1      Scenario 2      Scenario 3
----------------------------------------------------------------------------------------------------------------
Section 801(q) of FD&C Act......................................              75              75              75
Section 806 of FD&C Act.........................................           1,116           3,527           6,160
                                                                 -----------------------------------------------
    Total eligible entities.....................................           1,191           3,602           6,235
----------------------------------------------------------------------------------------------------------------


                          Table 9--Number of Respondents to the Third-Party Final Rule
----------------------------------------------------------------------------------------------------------------
                                                                                 Number of ABs/CBs
                        Status of ABs/CBs                        -----------------------------------------------
                                                                    Scenario 1      Scenario 2      Scenario 3
----------------------------------------------------------------------------------------------------------------
ABs seeking recognition.........................................              11              17              25
CBs seeking accreditation by recognized ABs.....................              91             140             207
CBs seeking accreditation by FDA................................               1               1               1
                                                                 -----------------------------------------------
    Total CBs accredited........................................              92             141             208
----------------------------------------------------------------------------------------------------------------

    Information Collection Burden Estimate: We estimate the burden for 
this information collection as follows:
Recordkeeping Burden
    In summary, under Scenario 1, total one-time recordkeeping burden 
by 11 recognized ABs and 92 CBs accredited under the third-party 
program is estimated at 25,792 hours (see table 10). Total annual 
recordkeeping burden by 11 recognized ABs and 92 CBs accredited under 
the third-party

[[Page 74641]]

program is estimated at 2,673 hours (see table 13).
    Under Scenario 2, total one-time recordkeeping burden by 17 
recognized ABs and 141 CBs accredited under the third-party program is 
estimated at 41,640 hours (see table 11). Total annual recordkeeping 
burden by 17 recognized ABs and 141 CBs accredited under the third-
party program s is estimated at 4,553 hours (see table 14).
    Under Scenario 3, total one-time recordkeeping burden by 25 
recognized ABs and 208 CBs accredited under the third-party program is 
estimated at 58,570 hours (see table 12). Total annual recordkeeping 
burden by 25 recognized ABs and 208 CBs accredited under the third-
party program is estimated at 6,253 hours (see table 15).
    For the purpose of this analysis we assume that all ABs that apply 
for recognition in the program become recognized and all CBs that apply 
for accreditation are accredited.

                          Table 10--Scenario 1, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.615....................              11            1                 11               2              22
Sec.   1.645....................              92            1                 92               2             184
Sec.   1.624(d).................              11            1                 11             160           1,760
Sec.   1.657(d).................              92            1                 92             160          14,720
Contract modification...........              11            8.27              91               2             182
Sec.   1.651....................              92           48              4,416               2           8,832
Sec.   1.653(b)(2)..............              92            1                 92               1              92
                                 -------------------------------------------------------------------------------
    Total One-Time Recordkeeping  ..............  ..............  ..............  ..............          25,792
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.


                          Table 11--Scenario 2, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.615....................              17            1                 17               2              34
Sec.   1.645....................             141            1                141               2             282
Sec.   1.624(d).................              17            1                 17             160           2,720
Sec.   1.657(d).................             141            1                141             160          22,560
Contract modification...........              17            8.23             140               2             280
Sec.   1.651....................             141           55.4            7,811               2          15,623
Sec.   1.653(b)(2)..............             141            1                141               1             141
                                 -------------------------------------------------------------------------------
    Total One-Time Recordkeeping  ..............  ..............  ..............  ..............          41,640
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.


                          Table 12--Scenario 3, Estimated One-Time Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.615....................              25            1                 25               2              50
Sec.   1.645....................             208            1                208               2             416
Sec.   1.624(d).................              25            1                 25             160           4,000
Sec.   1.657(d).................             208            1                208             160          33,280
Contract modification...........              25            8.79             220               2             440
Sec.   1.651....................             208           48.5           10,088               2          20,176
Sec.   1.653(b)(2)..............             208            1                208               1             208
                                 -------------------------------------------------------------------------------
    Total One-Time Recordkeeping  ..............  ..............  ..............  ..............          58,570
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.


                           Table 13--Scenario 1, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.625....................              11          397              4,367           0.025           1,092
                                                                                    (15 minutes)
Sec.   1.624(c).................              11            1                 11               8              88

[[Page 74642]]

 
Sec.   1.657(d).................              92            1                 92               8             736
Sec.   1.652....................              92           48              4,416           0.083             367
                                                                                     (5 minutes)
Sec.   1.653(b)(2)..............              92           48              4,416           0.083             367
                                                                                     (5 minutes)
Sec.   1.656(c).................              92            0.25              23               1              23
                                 -------------------------------------------------------------------------------
    Total Annual Recordkeeping    ..............  ..............  ..............  ..............           2,673
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.


                           Table 14--Scenario 2, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.625....................              17          456              7,752            0.25           1,938
                                                                                    (15 minutes)
Sec.   1.624(c).................              17            1                 17               8             136
Sec.   1.657(d).................             141            1                141               8           1,128
Sec.   1.652....................             141           55.4            7,811           0.083             648
                                                                                     (5 minutes)
Sec.   1.653(b)(2)..............             141           55.4            7,811           0.083             648
                                                                                     (5 minutes)
Sec.   1.656(c).................             141            0.25              35               1              35
                                 -------------------------------------------------------------------------------
    Total Annual Recordkeeping    ..............  ..............  ..............  ..............           4,533
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.


                           Table 15--Scenario 3, Estimated Annual Recordkeeping Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.625....................              25          426             10,650            0.25           2,663
                                                                                    (15 minutes)
Sec.   1.624(c).................              25            1                 25               8             200
Sec.   1.657(d).................             208            1                208               8           1,664
Sec.   1.652....................             208           48.5           10,088           0.083             837
                                                                                     (5 minutes)
Sec.   1.653(b)(2)..............             208           48.5           10,088           0.083             837
                                                                                     (5 minutes)
Sec.   1.656(c).................             208            0                 52               1              52
                                 -------------------------------------------------------------------------------
    Total Annual Recordkeeping    ..............  ..............  ..............  ..............           6,253
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time recordkeeping burden.

    Sections 1.615 and 1.645 of the Third-Party final rule require that 
at the time an AB submits an application for recognition (under Sec.  
1.630 of the Third-Party final rule) or a CB submits an application for 
direct accreditation (under Sec.  1.660, or where applicable under 
Sec.  1.670), the AB or CB must demonstrate that it has implemented 
written procedures to adequately establish, control, and maintain 
records for the period of time necessary to meet its contractual and 
legal obligations pertaining to the third-party program. Currently, ABs 
maintain recordkeeping protocols relating to their operations; however, 
we expect that ABs will review their recordkeeping protocols and, if 
necessary, modify them to meet the requirements of Sec.  1.615 of the 
Third-Party final rule before submitting applications for recognition. 
We believe that the records requirements for ABs in Sec.  1.615 and CBs 
in Sec.  1.645 would constitute a new one-time burden for the 11 to 25 
ABs in each of the three considered scenario, and 92 to 208 CBs 
respectively. We expect that it would take no more than 2 hours for an 
AB or a CB to modify its recordkeeping protocol to comply with the 
written recordkeeping requirements described in Sec. Sec.  1.615 and 
1.645 of the Third-Party final rule (see tables 10 to 12). Therefore, 
under Scenario 1, we estimate that it would take 22 hours (2 hours/AB x 
11 ABs) for ABs to comply with Sec.  1.615 (34 hours under Scenario 2, 
and 50 hours under Scenario 3) (see tables 10 to 12). We estimate 184 
hours (2 hours/CB x 92 CBs) for CBs to comply with Sec.  1.645 of the 
Third-Party final rule

[[Page 74643]]

(282 hours under Scenario 2, and 416 hours under Scenario 3) (see 
tables 10 to 12).
    Section 1.625 of the Third-Party final rule requires that an AB 
that has been recognized maintain records documenting requests by CBs 
for accreditation from the AB (per Sec.  1.660), challenges to adverse 
accreditation decisions (Sec.  1.620(c)), monitoring activities of its 
accredited CBs (Sec.  1.621), self-assessments and corrective actions 
(Sec.  1.622), copies of regulatory audit reports submitted by its 
accredited CBs (Sec.  1.656), and copies of records of reports or 
notifications made to us, as required by Sec.  1.623. A recognized AB's 
requirements for reporting and notifications per Sec.  1.623 of the 
Third-Party final rule include submission of results of its annual 
performance assessment of each of its accredited CBs (Sec.  1.623(a)) 
and the results of its self-assessment (Sec.  1.623(b)) (see tables 20 
to 22). A recognized AB also must notify us immediately upon granting, 
withdrawing, suspending, reducing the scope of accreditation of a CB or 
upon its determination that a CB it accredited issued a food or 
facility certification in violation of subpart M, pursuant to Sec.  
1.623(c) of the Third-Party final rule. Additionally, a recognized AB 
must notify us within 30 days after making significant changes to its 
operations that would affect the manner in which it complies with the 
Third-Party final rule (Sec.  1.623(d)).
    Under current practice, ABs maintain records documenting requests 
by CBs for accreditation, monitoring activities of CBs they have 
accredited, and self-assessments and corrective actions. The records 
currently maintained by ABs are similar to those that would be required 
of a recognized AB under Sec.  1.623 of the Third-Party final rule. 
However, CBs do not currently send copies of audit reports of their 
clients (food facilities) to their ABs. Therefore, an AB's maintenance 
of records pertaining to regulatory audit reports submitted by CBs they 
have accredited is considered as a new recordkeeping burden for 
recognized ABs. We expect that it would take no more than 15 minutes 
(0.25 hour) for a recognized AB to file a regulatory audit report 
submitted by its accredited CBs. Under Scenario 1, we estimate the 
burden for 11 recognized ABs to maintain regulatory audit reports that 
were submitted to them by their accredited CBs. We estimate that 
following the implementation of the Third-Party final rule, under 
Scenario 1, each recognized AB will accredit approximately 8.27 CBs 
under the program (average of 10-year period) (8.23 CBs/AB under 
Scenario 2; 8.79 CBs/AB under Scenario 3). In addition, under Scenario 
1, we estimate that each CB accredited under the third-party program, 
on average, will conduct regulatory audits on approximately 48 eligible 
entities a year (average of 10-year period) (55.4 foreign suppliers per 
CB under Scenario 2; 48.5 foreign suppliers per CB under Scenario 3). 
Under Scenario 1, we expect that each recognized AB will receive, on 
average, 397 regulatory audit reports (48 regulatory audit reports/CB x 
8.27 CBs/AB) from its CBs annually resulting in a total of 4,367 
records per year (397 audit reports/AB x 11 ABs). Under Scenario 2, we 
expect that each recognized AB will receive, on average, 456 regulatory 
audit reports (55.4 regulatory audit reports/CB x 8.23 CBs/AB) from its 
CBs annually resulting in a total of 7,752 records per year (456 audit 
reports/AB x 17 ABs). Under Scenario 3, we expect that each recognized 
AB will receive, on average, 426 regulatory audit reports (48.5 
regulatory audit reports/CB x 8.79 CBs/AB) from its CBs annually 
resulting in a total of 10,650 records per year (426 audit reports/AB x 
25 ABs). Total annual burden of recordkeeping requirement for 
recognized AB under Sec.  1.625 of the Third-Party final rule is 
estimated at 1,092 hours (4,367 records x 0.25 hours/record) under 
Scenario 1 (1,938 hours under Scenario 2; 2,663 hours under Scenario 3) 
(see tables 13 to 15).
    Section 1.624(d) of the Third-Party final rule requires each 
recognized AB maintain on its Web site an up-to-date list of CBs it has 
accredited under the Third-Party final rule and for each CB identify 
the duration and scope of accreditation and date(s) on which the CB 
paid the AB any fee or reimbursement associated with such 
accreditation. Recognized ABs must also include information about 
changes in accreditation status of third-party certification bodies. 
Our review of AB Web sites found that none of the ABs reviewed publish 
all the information that is required by Sec.  1.620(d) of the Third-
Party final rule on their Web sites. We estimate that each AB, on 
average, would initially spend approximately 160 hours to update its 
Web page to conform with this section of the Third-Party final rule. 
Under Scenario 1, the one-time burden of conforming to Sec.  1.624(d) 
of the Third-Party final rule by 11 recognized ABs is estimated at 
approximately 1,760 hours (11 ABs x 160 hours/AB) (see table 10). Under 
Scenario 2, the one-time burden of conforming to Sec.  1.624(d) of the 
Third-Party final rule by 17 recognized ABs is estimated at 
approximately 2,720 hours (17 ABs x 160 hours/AB) (see table 11). Under 
Scenario 3, the one-time burden of conforming to Sec.  1.624(d) of the 
Third-Party final rule by 25 recognized ABs is estimated at 
approximately 4,000 hours (25 ABs x 160 hours/AB) (see table 12). In 
addition, we estimate that each recognized AB would spend 8 hours 
annually, following the initial year, to update information as required 
by Sec.  1.624(d) of the Third-Party final rule. Under Scenario 1, the 
annual hourly burden for 11 recognized ABs to update their Web pages to 
conform to disclosure of information requirement per Sec.  1.624(d) of 
the Third-Party final rule is estimated at 88 hours (8 hours/AB x 11 
ABs) (136 hours under Scenario 2; 200 hours under Scenario 3) (see 
tables 13 to 15).
    Similarly, Sec.  1.657(d) of the Third-Party final rule requires a 
CB accredited in compliance with the Third-Party final rule to maintain 
on its Web site an up-to-date list of eligible entities which it has 
issued certifications under this subpart. For each such eligible entity 
the Web site also must identify the duration and scope of the 
certification and date(s) on which the eligible entity paid the CB 
accredited under the third-party program any fee or reimbursement 
associated with such audit or certification. In the Third-Party final 
Regulatory Impact Analysis, we estimate that following the 
implementation of the Third-Party final rule and VQIP draft guidance, 
there will be approximately 91 CBs accredited by recognized ABs and 1 
directly-accredited CB under Scenario 1 (140 CBs and one directly-
accredited CB under Scenario 2; 207 CBs and 1 directly-accredited CB 
under Scenario 3). Under Scenario 1, the one-time recordkeeping burden 
of 92 CBs accredited under the third-party program to comply with Sec.  
1.657(d) of the Third-Party final rule is estimated at 14,720 hours 
(160 hours/CB x 92 CBs) (22,560 hours under Scenario 2; 33,280 hours 
under Scenario 3) (see tables 10 to 12). In addition, we estimate that 
each CB would spend 8 hours annually, following the initial year, to 
update information as required by Sec.  1.657(d) of the Third-Party 
final rule. Under Scenario 1, annual hourly burden for 92 CBs 
accredited under the third-party program to update their Web pages to 
conform to disclosure of information requirement per Sec.  1.657(d) of 
the Third-Party final rule is estimated at 736 hours (8 hours/CB x 92 
CBs) (1,128 hours under Scenario 2; 1,664 hours under Scenario 3) (see 
tables 13 to 15).
    There are certain provisions within the Third-Party final rule that 
may require ABs to modify their contracts

[[Page 74644]]

with their CBs in order to comply with the Third-Party final rule. 
Therefore, it is expected that recognized ABs will modify their 
contracts with their accredited CBs to be able to conduct activities 
such as conducting unannounced audits of their accredited CBs' 
facilities. Minor modifications or addenda to contracts with standard 
language provided by provisions in the Third-Party final rule would 
consist of no more than 1 hour by an AB executive and 1 hour by a legal 
counsel representing the AB. As we discussed, following the 
implementation of the Third-Party final rule, we expect that each 
recognized AB will accredit approximately 8.27 CBs (8.23 CBs/AB under 
Scenario 2; 8.79 CBs/AB under Scenario 3). Therefore, under Scenario 1, 
a total of 91 contracts (8.27 contracts/AB x 11 ABs) (140 contracts 
under Scenario 2; 220 contracts under Scenario 3) are expected to be 
modified to reflect changes in contractual obligations between each 
recognized AB and its accredited CBs under the Third-Party final rule 
(see tables 10 to 12). The one-time burden of initial modification of 
91 contracts between 11 recognized ABs and their respective accredited 
CBs is approximately 182 hours (91 contracts x 2 hours/contract) (280 
hours under Scenario 2; 440 hours under Scenario 3) (see tables 10 to 
12).
    Similarly, CBs accredited by recognized ABs would need to modify or 
create new contracts with their client eligible entities in order to 
gain access to any records and any area of the facility, its 
process(es), and food of the eligible entity relevant to the scope and 
purpose of audit being performed by the CB (Sec.  1.651). Considering 
that each of the expected 92 CBs accredited under the third-party 
program, under Scenario 1, will each have approximately 48 client 
eligible entities, we expect that approximately 4,416 contracts (48 
contracts/CB x 92 CBs) between CBs accredited under the third-party 
program and eligible entities will be modified (7,811 contracts 
scenario 2; 10,088 contracts under Scenario 3) (see tables 10 to 12). 
Under Scenario 1, the one-time burden of initial modification of 4,416 
contracts between 92 CBs accredited under the third-party program and 
their respective client eligible entities is approximately 8,832 hours 
(4,416 contracts x 2 hours/contract) (15,623 hours under Scenario 2; 
20,176 hours under Scenario 3) (see tables 10 to 12).
    Section 1.652 of the Third-Party final rule requires that CBs 
accredited under the third-party program include certain information in 
reports of food safety audits. We believe that some information such as 
the FDA food facility registration number (where applicable) of the 
facility subject to the audit are currently not included in food safety 
audits conducted by CBs accredited under other programs. Although this 
information may not be required as part of the Third-Party program, we 
have conservatively included the burden of providing such information 
in this analysis. We expect that it would take about 5 minutes (0.083 
hour), on average, by a CB accredited under the third-party program to 
include additional information, as required in Sec.  1.652, in reports 
of food safety audits. Therefore, at a minimum, under Scenario 1, each 
CB accredited under the third-party program must modify a regulatory 
audit report for each of its 48 eligible entities (55.4 eligible 
entities per CB in Scenario 2; 48.5 eligible entities per CB in 
Scenario 3) every year. Under Scenario 1, total annual records of 92 
CBs accredited under the third-party program modifying regulatory audit 
reports of their client eligible entities is estimated at 4,416 records 
(92 CBs x 48 eligible entities/CB x 1 record/eligible entity) (7,811 
records under Scenario 2; 10,088 records under Scenario 3). Annual 
recordkeeping burden of CBs accredited under the third-party program, 
per Sec.  1.652 of the Third-Party final rule, is estimated at 367 
hours (4,416 records x 0.083 hour/record) for Scenario 1 (648 hours for 
Scenario 2; 837 hours for Scenario 3) (see tables 13 to 15).
    Accredited third-party CBs will incur additional recordkeeping 
costs associated with modifying existing certification templates to 
meet the requirements of Sec.  1.653(b)(2). For example, we are 
requiring accredited CBs to provide a certification number that follows 
an FDA numeric designation. We have included the burden of providing 
such information in this analysis because we know that CBs currently do 
not use an FDA designation in numbering their certificates. To the 
extent that any of the elements in Sec.  1.653(b)(2) are already 
included in current certificates issued by some CBs, such as the 
date(s) and scope of the audit, the recordkeeping burden may be 
overestimated. We expect that it will take no more than 1 hour, on 
average, to change the design of certifications issued by CBs 
accredited under the third-party program. Under Scenario 1, we estimate 
a one-time recordkeeping burden of modifying the design of the 
certifications of 92 CBs accredited under the third-party program at 92 
hours (92 CBs x 1 hour/CB) (141 hours under Scenario 2; 208 hours under 
Scenario 3) (see tables 16 to 18).
    We expect that the burden to fill additional information on a 
certification that is issued is 5 minutes (0.083 hour). Therefore, 
under Scenario 1, the annual burden of Sec.  1.653(b)(2) is estimated 
at 367 hours (92 CBs x 1 certificate/entity x 48 entities/CB x 0.083 
hour/certificate) (see table 19). Under Scenario 2, the annual burden 
of Sec.  1.653(b)(2) is estimated at 648 hours (141 CBs x 1 
certificate/entity x 55.4 entities/CB x 0.083 hour/certificate) (see 
table 20). Finally, under Scenario 3, the annual burden of Sec.  
1.653(b)(2) is estimated at 837 hours (208 CBs x 1 certificate/entity x 
48.5 entities/CB x 0.083 hour/certificate) (see table 21).
    Section 1.656(c) of the Third-Party final rule requires that CBs 
accredited under the third-party program report to us any condition, 
found during a regulatory or consultative audit of an eligible entity, 
which could cause or contribute to a serious risk to the public health. 
We believe that these occurrences are rare and may occur once every 4 
years, or 0.25 times per year. Reporting serious hazard conditions 
would consist of the onsite audit agent of a CB accredited under the 
third-party program to document the event as a record and to 
immediately submit the record to us. Therefore, under Scenario 1, the 
annual number of records prepared by 92 CBs accredited under the third-
party program is estimated at 23 (0.25 records/CB x 92 CBs) (35 records 
under Scenario 2; 52 records under Scenario 3). It is expected that a 
CB accredited under the third-party program would take no more than 1 
hour to prepare such record (notification). Under Scenario 1, annual 
burden of preparation of records per Sec.  1.656(c) of the Third-Party 
final rule by 92 CBs accredited under the third-party program is 
estimated at 23 hours (23 records x 1 hour/record; see table 13) (35 
hours for Scenario 2, and 52 hours for Scenario 3; see tables 14 to 
15).
    We also acknowledge that an accreditation body seeking to challenge 
a denial of its application for recognition, renewal of recognition, or 
reinstatement of recognition will incur costs in compiling information 
to support its request for reconsideration under Sec.  1.691 or its 
request for internal Agency review under Sec.  1.692. A third-party 
certification body seeking to challenge a denial of its application for 
direct accreditation, renewal of direct accreditation, or 
reaccreditation as a directly accredited third-party certification body 
will incur costs in compiling information to support its

[[Page 74645]]

request for reconsideration under Sec.  1.691 or its request for 
internal Agency review under Sec.  1.692, as will any accredited third-
party certification body seeking to challenge a denial of its request 
for a waiver of the conflict of interest requirement of Sec.  1.650(b) 
or a waiver extension. We anticipate that most accreditation bodies and 
third-party certification bodies who seek to participate in our program 
will carefully consider the program requirements before applying to, or 
joining, the program or before submitting a waiver request. We 
anticipate the submission of challenges under Sec.  1.691 or Sec.  
1.692 to be an infrequent event, and one that most program participants 
will not encounter. Therefore, we are not calculating costs associated 
with the compiling of information to support a request for 
reconsideration under Sec.  1.691 or a request for internal agency 
review under Sec.  1.692 by an accreditation body seeking to challenge 
a denial of its application for recognition, renewal of recognition, or 
reinstatement of recognition; by an third-party certification body 
seeking to challenge a denial of its application for direct 
accreditation, renewal of direct accreditation, or reaccreditation as a 
directly accredited third-party certification body; or by an accredited 
third-party certification body seeking to challenge a denial of its 
request for a waiver of the conflict of interest requirement of Sec.  
1.650(b) or a waiver extension.
Reporting Burden
    In summary, under Scenario 1, total one-time reporting burden by 11 
recognized ABs and 92 CBs accredited under the third-party program is 
estimated at 960 hours (see table 16). Under Scenario 2, total one-time 
reporting burden by 17 recognized ABs and 141 CBs accredited under the 
third-party program is estimated at 1,440 hours (see table 17). Under 
Scenario 3, total one-time reporting burden by 25 recognized ABs and 
208 CBs accredited under the third-party program is estimated at 2,080 
hours (see table 18). Total annual reporting burden, under Scenarios 1 
to 3 is estimated between 3,466 and 7,919 hours (see tables 19 to 21).

                            Table 16--Scenario 1, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.630....................              11               1              11              80             880
Sec.   1.670(a-b)...............               1               1               1              80              80
                                 -------------------------------------------------------------------------------
    Total One-Time Reporting      ..............  ..............  ..............  ..............             960
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.


                            Table 17--Scenario 2, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.630....................              17               1              17              80           1,360
Sec.   1.670(a-b)...............               1               1               1              80              80
                                 -------------------------------------------------------------------------------
    Total One-Time Reporting      ..............  ..............  ..............  ..............           1,440
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.


                            Table 18--Scenario 3, Estimated One-Time Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.630....................              25               1              25              80           2,000
Sec.   1.670(a-b)...............               1               1               1              80              80
                                 -------------------------------------------------------------------------------
    Total One-Time Reporting      ..............  ..............  ..............  ..............           2,080
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with one-time reporting burden.


                             Table 19--Scenario 1, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.634....................              11            1                 11               8              88
Sec.   1.673....................               1            1                  1              10              10
Sec.   1.623(a).................              11            8.27              91            0.25              23
                                                                                    (15 minutes)
Sec.   1.623(b).................              11            1                 11            0.25               3
                                                                                    (15 minutes)

[[Page 74646]]

 
Sec.   1.653(b)(1)..............              92           48              4,416            0.25           1,104
                                                                                    (15 minutes)
Sec.   1.656(a) \1\.............              91           48              4,368            0.25           1,092
                                                                                    (15 minutes)
Sec.   1.656(a) \2\.............              91           48              4,368            0.25           1,092
                                                                                    (15 minutes)
Sec.   1.656(a) \3\.............               1           48                 48            0.25              12
                                                                                    (15 minutes)
Sec.   1.656(b) \4\.............              91            1                 91            0.25              23
                                                                                    (15 minutes)
Sec.   1.656(b) \5\.............               1            1                  1            0.25               1
                                                                                    (15 minutes)
Sec.   1.656(c).................              92            0.25              23            0.25               6
                                                                                    (15 minutes)
Sec.   1.656(e) \6\.............              92            0.25              23            0.25               6
                                                                                    (15 minutes)
Sec.   1.656(e) \7\.............              91            0.25              23            0.25               6
                                                                                    (15 minutes)
                                 -------------------------------------------------------------------------------
    Total Annual Reporting        ..............  ..............  ..............  ..............           3,446
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by accredited CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
  eligible entities.
\7\ Annual reporting of serious risk to public health by accredited CBs to their recognized ABs.


                             Table 20--Scenario 2, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                     Number of       Number of    Total one-time    burden per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.634....................              17            1                 17               8             136
Sec.   1.673....................               1            1                  1              10              10
Sec.   1.623(a).................              17            8.23             140            0.25              35
                                                                                    (15 minutes)
Sec.   1.623(b).................              17            1                 17            0.25               4
                                                                                    (15 minutes)
Sec.   1.653(b)(1)..............             141           55.4            7,811            0.25           1,953
                                                                                    (15 minutes)
Sec.   1.656(a) \1\.............             140           55.4            7,756            0.25           1,939
                                                                                    (15 minutes)
Sec.   1.656(a) \2\.............             140           55.4            7,756            0.25           1,939
                                                                                    (15 minutes)
Sec.   1.656(a) \3\.............               1           55.4               55            0.25              14
                                                                                    (15 minutes)
Sec.   1.656(b) \4\.............             140            1                140            0.25              35
                                                                                    (15 minutes)
Sec.   1.656(b) \5\.............               1            1                  1            0.25               1
                                                                                    (15 minutes)
Sec.   1.656(c).................             141            0.25              35            0.25               9
                                                                                    (15 minutes)
Sec.   1.656(e) \6\.............             141            0.25              35            0.25               9
                                                                                    (15 minutes)
Sec.   1.656(e) \7\.............             140            0.25              35            0.25               9
                                                                                    (15 minutes)
                                 -------------------------------------------------------------------------------
    Total Annual Reporting        ..............  ..............  ..............  ..............           6,093
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
  eligible entities.
\7\ Annual reporting of serious risk to public health by CBs to their recognized ABs.


[[Page 74647]]


                             Table 21--Scenario 3, Estimated Annual Reporting Burden
----------------------------------------------------------------------------------------------------------------
                                                                                  Average burden
                                     Number of       Number of    Total one-time        per
    21 CFR Part 1, subpart M       recordkeepers    records per       records      recordkeeping    Total hours
                                                   recordkeeper                     (in hours)
----------------------------------------------------------------------------------------------------------------
Sec.   1.634....................              25            1                 25               8             200
Sec.   1.673....................               1            1                  1              10              10
Sec.   1.623(a).................              25            8.79             220            0.25              55
                                                                                    (15 minutes)
Sec.   1.623(b).................              25            1                 25            0.25               6
                                                                                    (15 minutes)
Sec.   1.653(b)(1)..............             208           48.5           10,088            0.25           2,522
                                                                                    (15 minutes)
Sec.   1.656(a) \1\.............             207           48.5           10,040            0.25           2,510
                                                                                    (15 minutes)
Sec.   1.656(a) \2\.............             207           48.5           10,040            0.25           2,510
                                                                                    (15 minutes)
Sec.   1.656(a) \3\.............               1           55.4               55            0.25              14
                                                                                    (15 minutes)
Sec.   1.656(b) \4\.............             207            1                207            0.25              52
                                                                                    (15 minutes)
Sec.   1.656(b) \5\.............               1            1                  1            0.25               1
                                                                                    (15 minutes)
Sec.   1.656(c).................             208            0.25              52            0.25              13
                                                                                    (15 minutes)
Sec.   1.656(e) \6\.............             208            0.25              52            0.25              13
                                                                                    (15 minutes)
Sec.   1.656(e) \7\.............             207            0.25              52            0.25              13
                                                                                    (15 minutes)
                                 -------------------------------------------------------------------------------
    Total Annual Reporting        ..............  ..............  ..............  ..............           7,919
     Burden.....................
----------------------------------------------------------------------------------------------------------------
Note: There are no operations and maintenance costs associated with annual reporting burden.
\1\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to their accrediting ABs.
\2\ Annual reporting of regulatory audit reports by CBs accredited by recognized ABs to the FDA.
\3\ Annual reporting of regulatory audit reports by directly-accredited CBs to the FDA.
\4\ Annual reporting of self-assessment by CBs to their recognized ABs.
\5\ Annual reporting of self-assessment by directly-accredited CBs to the FDA.
\6\ Annual reporting of serious risk to public health by CBs accredited under the third-party program to
  eligible entities.
\7\ Annual reporting of serious risk to public health by CBs to their recognized ABs.

    Section 1.630 of the Third-Party final rule allows for any AB to 
apply for recognition. Under Scenario 1, we estimate that approximately 
11 ABs would apply for recognition. We estimate that it will take 80 
person-hours to compile all the relevant information and complete the 
application for recognition. The initial application for recognition is 
a one-time burden for each AB that applies. Under Scenario 1, the one-
time initial application burden for 11 ABs is estimated at 880 hours 
(11 applications x 80 hours/application) (see table 16). The one-time 
initial application burden for 17 ABs, under Scenario 2 (25 ABs under 
Scenario 3), is estimated at 1,360 hours (2,000 hours under Scenario 3) 
(see tables 17 and 18). The duration of recognition for a recognized AB 
will not exceed 5 years per Sec.  1.632 of the Third-Party final rule. 
Therefore, it is expected that each of the recognized ABs would apply 
to renew its recognition every 5 years per Sec.  1.634 of the Third-
Party final rule. We expect that applications for renewal of 
recognition will take significantly less time to prepare. We use 50 
percent of the amount of effort to prepare and submit an application 
for renewal of recognition. Therefore, it is expected that, on average, 
each recognized AB will spend 40 hours every 5 years (after the initial 
application) to complete and submit an application for renewal of its 
recognition, or approximately 8 hours per year (40 hours / 5 years) for 
each AB. Therefore, the annual burden of completing the renewal of 
recognition application by 11 ABs, under Scenario 1, is 88 hours (11 
applications x 8 hours/application) per year (136 hours per year for 17 
ABs under Scenario 2; 200 per hour for each of 25 ABs under Scenario 3) 
(see tables 19 to 21).
    Similarly, Sec.  1.670(a) and (b) of the Third-Party final rule 
allows for CBs to apply to us for direct accreditation, when the 
criteria for direct accreditation are met. We estimate that 
approximately one CB would apply for direct accreditation. It is 
expected that the application for direct accreditation would require 
the same amount of effort as does an AB's application for recognition. 
Hence, we estimate that the initial application for direct 
accreditation would take 80-person hours. The one-time initial 
application burden for 1 CB, for each scenario, is estimated at 80 
hours (1 application x 80 hours/application) (see tables 16 to 18). The 
duration of accreditation for a directly-accredited CB will not exceed 
4 years, per Sec.  1.671 of the Third-Party final rule. Therefore, it 
is expected that each of the expected directly-accredited CBs would 
apply to renew its accreditation every 4 years, per Sec.  1.673 of the 
Third-Party final rule. We expect that directly accredited CBs use 50 
percent amount of effort, or 40 person-hours, for their initial 
application for direct accreditation, yielding an average of 10 hours 
per year. Therefore, the annual burden of completing the application 
for renewal by 1 directly-accredited CB is 10 hours (1 application x 10 
hours/application) per year (see tables 19 to 21).
    For the purposes of the Third-Party final economic and PRA 
analyses, we have estimated costs assuming that, during the application 
process, affected entities will do their paperwork properly and 
completely the first time. If we assumed a less consistent outcome, one 
that would result in

[[Page 74648]]

recognition denials, the initial burden might increase.
    Section 1.623(a) of the Third-Party final rule requires that 
recognized ABs annually conduct comprehensive assessments of the 
performance of CBs they have accredited and submit the results of the 
assessments to us within 45 days of their completion. We expect that it 
would take no more than 15 minutes (0.25 hour) for a recognized AB to 
electronically submit the assessment of each its accredited CBs. 
Following the implementation of the Third-Party final rule and VQIP 
draft guidance, we expect, on average, each recognized AB would 
accredit approximately 8.27 CBs (8.23 CBs under Scenario 2; 8.79 under 
Scenario 3). Therefore, under Scenario 1, each recognized AB would 
submit, on average, approximately 91 copies of assessments of 
performance of their accredited CBs (8.27 assessments/AB x 11 ABs) (140 
assessments under Scenario 2; 220 under Scenario 3). Under Scenario 1, 
annual reporting of 91 assessments by 11 recognized ABs is estimated at 
23 hours (91 submission of assessments x 0.25 hour/submission) (35 
hours under Scenario 2; 55 hours under Scenario 3) (see tables 19 to 
21).
    Section 1.623(b) of the Third-Party final rule requires that 
recognized ABs annually conduct a self-assessment and submit the 
assessments within 45 days of their completion. We expect that it would 
take no more than 15 minutes for an AB to electronically submit a copy 
of its self-assessment. Under Scenario 1, annual reporting of 11 self-
assessments by 11 recognized ABs is estimated at 3 hours (11 submission 
of self-assessments x 0.25 hour/submission) (4 hours under Scenario 2; 
6 hours under Scenario 3) (see tables 10 to 21).
    Section 1.656(a) of the Third-Party final rule requires that a CB 
accredited under the third-party program must submit the regulatory 
audit reports it conducts to us and to the AB that granted its 
accreditation (where applicable) within 45 days after completing such 
audit. In the Third-Party final economic analysis, we estimate that 
following the implementation of the Third-Party final rule, there will 
be 11 recognized ABs that accredit 91 CBs (17 recognized ABs and 140 
accredited CBs under Scenario 2; 25 recognized ABs and 207 accredited 
CBs under Scenario 3), and we will directly accredit one CB. In 
addition, we estimated that each CB accredited under the third-party 
program, on average, conducts food safety audits and certifies 48 
eligible entities under Scenario 1 (55.4 eligible entities/CB under 
Scenario 2; 48.5 eligible entities/CB under Scenario 3). Therefore, 
under Scenario 1, CBs accredited by recognized ABs will annually submit 
4,368 regulatory audit reports (91 CBs x 48 reports/CB) to their 
accrediting ABs and 4,368 reports to us (see table 19). Similarly, 
under Scenarios 2 and 3, CBs accredited by recognized ABs will annually 
submit 7,756 and 10,040 regulatory audit reports to their accrediting 
ABs and the FDA, respectively (see tables 20 and 21). Under Scenario 1, 
the directly-accredited CB will annually submit 48 regulatory audit 
reports (1 CB x 48 reports/CB) (see table 19). The number of eligible 
entities per directly-accredited CB increases to 55.4 in Scenario 2. We 
assume that the number of eligible entities per directly-accredited CBs 
remains the same for Scenario 3. We expect that it would take no more 
than 15 minutes (0.25 hour) for a CB accredited under the third-party 
program to electronically submit a copy of the regulatory report it 
conducts to us and to its AB (where applicable).
    Under Scenario 1, annual reporting burden for CBs accredited by 
recognized ABs is estimated at 1,092 hours (4,368 reports x 0.25 hours/
report) for submitting copies of regulatory audit reports they have 
conducted to their accrediting ABs and 1,092 hours for submitting the 
same records to us (see table 19). Under Scenario 2, annual reporting 
burden for CBs accredited by recognized ABs is estimated at 1,939 hours 
(7,756 reports x 0.25 hours/report) for submitting copies of regulatory 
audit reports they have conducted to their accrediting ABs and 1,939 
hours for submitting the same records to us (see table 20). Similarly, 
under Scenario 3, annual reporting burden for CBs accredited by 
recognized ABs is estimated at 2,510 hours (10,040 reports x 0.25 
hours/report) for submitting copies of regulatory audit reports they 
have conducted to their accrediting ABs and 2,510 hours for submitting 
the same records to us (see table 21). Under Scenario 1, annual burden 
for submission of regulatory audit reports by directly-accredited CBs 
is estimated at 12 hours (48 reports x 0.25 hours/report) (14 hours for 
Scenarios 2 and 3) (see tables 19 to 21).
    Section 1.656(b) of the Third-Party final rule requires CBs 
accredited under the third-party program to submit reports of their 
annual self-assessments electronically to their ABs, or in the case of 
direct accreditation to us, within 45 days of the anniversary date of 
their accreditation under subpart M. We expect that it would take no 
more than 15 minutes (0.25 hour) for a CB accredited under the third-
party program to electronically send a copy of its annual self-
assessment to its AB or us (as applicable). Under Scenario 1, the 
annual burden for CBs accredited by recognized ABs is estimated at 23 
hours (91 self-assessments x 0.25 hour/self-assessment; see table 19) 
(35 hours under Scenario 2 and 52 hours under Scenario 3; see tables 20 
and 21). Annual burden for submission of self-assessments by one 
directly-accredited CB is estimated at 0.25 hour (1 self-assessment x 
0.25 hour/self-assessment; see tables 19 to 21) (rounded to 1 hour).
    As we discussed, Sec.  1.656(c) of the Third-Party final rule 
requires that a CB accredited under the third-party program report to 
us any condition, found during a regulatory or consultative audit of an 
eligible entity, which could cause or contribute to a serious risk to 
the public health. In the Recordkeeping Burden section above, we 
estimated that such events are expected to occur once every 4 years, or 
0.25 per year. We expect that it would take no more than 15 minutes 
(0.25 hour) for a CB accredited under the third-party program to 
electronically send a copy of its notification to us. Therefore, under 
Scenario 1, the total number of notifications sent to us on an annual 
basis per Sec.  1.656(c) of the Third-Party final rule is estimated at 
23 (92 CBs x 0.25 records/CB) (35 notifications under Scenario 2; 52 
notifications under Scenario 3). Under Scenario 1, annual burden for 
submitting a notification under Sec.  1.656(c) of the Third-Party final 
rule to us by CBs accredited under the third-party program is estimated 
at 6 hours (23 records x 0.25 hour/record) (9 hours under Scenario 2; 
13 hours under Scenario 3) (see tables 19 to 21).
    Following reporting under Sec.  1.656(c), a CB accredited under the 
third-party program is required under Sec.  1.656(e) of the Third-Party 
final rule to immediately notify the eligible entity and its 
accrediting AB of any conditions identified during the audit which 
triggered the reporting requirement per Sec.  1.656(c) of the Third-
Party final rule. Under Scenario 1, total number of notification sent 
to eligible entities by 141 CBs accredited under the third-party 
program is estimated at 23 (92 CBs x 0.25 records/CB) (35 notifications 
under Scenario 2; 52 notifications under Scenario 3) while the number 
of notifications sent to recognized ABs by their accredited CBs is 
estimated at 23 (91 CBs x 0.25 records/CB) (35 under Scenario 2; 52 
under Scenario 3). Under Scenario 1, annual burden of submitting a 
notification under Sec.  1.656(e) of the Third-Party final rule to 
affected eligible entities and ABs by accredited CBs is estimated at 6 
hours (9 hours under Scenario 2; 13 hours under Scenario 3) (see tables 
19 to 21).

[[Page 74649]]

XVIII. Analysis of Environmental Impact

    We have determined under 21 CFR 25.30(j) that this action is of a 
type that does not individually or cumulatively have a significant 
effect on the human environment. Therefore, neither an environmental 
assessment nor an environmental impact statement is required.

XIX. Federalism

    We have analyzed the final rule in accordance with the principles 
set forth in Executive Order 13132. We have determined that the rule 
does not contain policies that have substantial direct effects on the 
States, on the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Accordingly, we conclude that the rule 
does not contain policies that have federalism implications as defined 
in the Executive Order and, consequently, a federalism summary impact 
statement is not required.

XX. References

    The following references have been placed on display in the 
Division of Dockets Management (see ADDRESSES) and may be seen by 
interested persons between 9 a.m. and 4 p.m., Monday through Friday, 
and are available electronically at http://www.regulations.gov. We have 
verified the Web site addresses, but we are not responsible for any 
subsequent changes to Web sites after this document publishes in the 
Federal Register.

1. FDA, ``Transcript: FSMA Proposed Rules on Foreign Supplier 
Verification Programs and the Accreditation of Third-Party Auditors/
Certification Bodies, Public Meeting, Day One, September 19, 2013.'' 
Available in Docket No. FDA-2011-N-0143.
2. FDA, ``Transcript: FSMA Proposed Rules on Foreign Supplier 
Verification Programs and the Accreditation of Third-Party Auditors/
Certification Bodies, Public Meeting, Day Two, September 20, 2013.'' 
Available in Docket No. FDA-2011-N-0143.
3. FDA, ``FDA Office of Foods and Veterinary Medicine Memorandum to 
the Division of Dockets Management on FDA Records of Outreach 
Sessions,'' November 21, 2013. Available in Docket No. FDA-2011-N-
0920.
4. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC 17000:2004 Conformity 
Assessment--Vocabulary and General Principles.'' Copies are 
available from the International Organization for Standardization, 
1, rue de Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, 
or on the Internet at http://www.iso.org/iso/catalogue_detail.htm?csnumber=29316 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
5. International Organization for Standardization/International 
Electrotechnical Commission, ISO/IEC ``17011:2004 Conformity 
Assessment--General Requirements for Accreditation Bodies 
Accrediting Conformity Assessment Bodies.'' Copies are available 
from the International Organization for Standardization, 1, rue de 
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the 
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=29332 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
6. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC 17021:2011 Conformity 
Assessment--Requirements for Bodies Providing Audit and 
Certification of Management Systems.'' Copies are available from the 
International Organization for Standardization, 1, rue de Varembe, 
Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet 
at http://www.iso.org/iso/home/store/publication_item.htm?pid=PUB100353 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
7. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC 17065:2012 Conformity 
Assessment--Requirements for Bodies Certifying Products, Processes 
and Services.'' Copies are available from the International 
Organization for Standardization, 1, rue de Varembe, Case postale 
56, CH-1211 Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46568 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
8. International Organization for Standardization, ISO 19011:2011 
Guidelines for Auditing Management Systems.'' Copies are available 
from the International Organization for Standardization, 1, rue de 
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the 
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50675 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
9. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC Guide 65:1996 General 
Requirements for Bodies Operating Product Certification Systems.'' 
Copies are available from the International Organization for 
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 
20, Switzerland, or on the Internet at http://www.iso.org/iso/catalogue_detail.htm?csnumber=26796 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
10. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC 17020:2012 Conformity 
Assessment--Requirements for the Operation of Various Types of 
Bodies Performing Inspection.'' Copies are available from the 
International Organization for Standardization, 1, rue de Varembe, 
Case postale 56, CH-1211 Geneve 20, Switzerland, or on the Internet 
at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=52994 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
11. Global Food Safety Initiative, ``Enhancing Food Safety Through 
Third-Party Certification,'' March 2011.
12. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO/IEC 17040:2005 Conformity 
Assessment--General Requirements for Peer Assessment of Conformity 
Assessment Bodies and Accreditation Bodies.'' Copies are available 
from the International Organization for Standardization, 1, rue de 
Varembe, Case postale 56, CH-1211 Geneve 20, Switzerland, or on the 
Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=31815 or may be examined at the 
Division of Dockets Management (see ADDRESSES) (Ref. Docket No. FDA-
2011-N-0146 and/or RIN 0910-AG66).
13. International Accreditation Forum, ``IAF Endorsed Normative 
Documents, Issue 4 (IAF PR 4:2007),'' http://www.iaf.nu/upFiles/197878.IAF-PR4-2007_Endorsed_NormDocs_Issue_4_Pub.pdf. Accessed on 
October 26, 2015.
14. Codex Alimentarius Commission, ``Principles for Food Import and 
Export Inspection and Certification (CAC/GL 20-1995).'' http://www.codexalimentarius.org/input/download/standards/37/CXG_020e.pdf. 
Accessed on October 26, 2015.
15. Armour, S., Lippert, J., and Smith, M., ``Food Sickens Millions 
as Company-Paid Checks Find It Safe,'' Bloomberg Business, October 
11, 2012. http://www.bloomberg.com/news/articles/2012-10-11/food-sickens-millions-as-industry-paid-inspectors-find-it-safe. Accessed 
on October 26, 2015.
16. Zheng, Y., Muth, M.M., Kosa, K., ``Economic Analysis of Third-
Party Food

[[Page 74650]]

Safety Certification of Imported Food,'' RTI International, June 
2012.
17. American National Standards Institute, ``About ANSI,'' http://www.ansi.org/about_ansi/overview/overview.aspx?menuid=1. Accessed on 
May 6, 2015.
18. United Kingdom Accreditation Service, ``About UKAS,'' http://www.ukas.com/about/. Accessed on October 26, 2015.
19. Danish Accreditation Fund, ``DANAK Home'' http://english.danak.dk/. Accessed on May 4, 2015.
20. International Organization for Standards, ``ISO/TS 22003:2007 
Food Safety Management Systems--Requirements for Bodies Providing 
Audit and Certification of Food Safety Management Systems.'' Copies 
are available from the International Organization for 
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 
20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=39834 or may be 
examined at the Division of Dockets Management (see ADDRESSES) (Ref. 
Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
21. International Organization for Standardization/International 
Electrotechnical Commission, ``ISO 22000:2005 Food Safety Management 
Systems--Requirements for Any Organization in the Food Chain.'' 
Copies are available from the International Organization for 
Standardization, 1, rue de Varembe, Case postale 56, CH-1211 Geneve 
20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=35466 or may be 
examined at the Division of Dockets Management (see ADDRESSES) (Ref. 
Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
22. British Retail Consortium, ``Global Standard for Food Safety, 
Issue 6,'' 2012. Copies are available from the British Retail 
Consortium, Second Floor, 21 Dartmouth Street, London SW1H 9BP, or 
may be examined at the Division of Dockets Management (see 
ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
23. Safe Quality Food Institute, ``SQF Code, Edition 7.2: A HACCP-
Based Supplier Assurance Code for the Food Industry,'' July 2014. 
https://www.sqfi.com/wp-content/uploads/SQF-Code_Ed-7.2-July.pdf. 
Accessed on October 27, 2015.
24. International Organization for Standardization, ``ISO/TS 
22003:2013 Food Safety Management Systems--Requirements for Bodies 
Providing Audit and Certification of Food Safety Management 
Systems.'' Copies are available from the International Organization 
for Standardization, 1, rue de Varembe, Case postale 56, CH-1211 
Geneve 20, Switzerland, or on the Internet at http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=60605 or 
may be examined at the Division of Dockets Management (see 
ADDRESSES) (Ref. Docket No. FDA-2011-N-0146 and/or RIN 0910-AG66).
25. FDA, ``Tribal Summary Impact Statement: Final Rule on 
Accreditation of Third-Party Certification Bodies to Conduct Food 
Safety Audits and to Issue,'' Docket No. FDA-2011-N-0146.

List of Subjects

21 CFR Part 1

    Cosmetics, Drugs, Exports, Food labeling, Imports, Labeling, 
Reporting and recordkeeping requirements.

21 CFR Part 11

    Administrative practice and procedure, Computer technology, 
Reporting and recordkeeping requirements.

21 CFR Part 16

    Administrative practice and procedure.

    Therefore, under the Federal Food, Drug, and Cosmetic Act and under 
authority delegated to the Commissioner of Food and Drugs, 21 CFR parts 
1, 11, and 16 are amended as follows:

PART 1--GENERAL ENFORCEMENT REGULATIONS

0
1. The authority citation for 21 CFR part 1 is revised to read as 
follows:

    Authority: 15 U.S.C. 1333, 1453, 1454, 1455, 4402; 19 U.S.C. 
1490, 1491; 21 U.S.C. 321, 331, 332, 333, 334, 335a, 343, 350c, 
350d, 350j, 352, 355, 360b, 360ccc, 360ccc-1, 360ccc-2, 362, 371, 
374, 381, 382, 384a, 384b, 384d, 387, 387a, 387c, 393; 42 U.S.C. 
216, 241, 243, 262, 264, 271.


0
2. Add subpart M, consisting of Sec. Sec.  1.600 through 1.695, to read 
as follows:
Subpart M--Accreditation of Third-Party Certification Bodies To Conduct 
Food Safety Audits and To Issue Certifications
Sec.
1.600 What definitions apply to this subpart?
1.601 Who is subject to this subpart?

Recognition of Accreditation Bodies Under This Subpart

1.610 Who is eligible to seek recognition?
1.611 What legal authority must an accreditation body have to 
qualify for recognition?
1.612 What competency and capacity must an accreditation body have 
to qualify for recognition?
1.613 What protections against conflicts of interest must an 
accreditation body have to qualify for recognition?
1.614 What quality assurance procedures must an accreditation body 
have to qualify for recognition?
1.615 What records procedures must an accreditation body have to 
qualify for recognition?

Requirements for Accreditation Bodies That Have Been Recognized Under 
This Subpart

1.620 How must a recognized accreditation body evaluate third-party 
certification bodies seeking accreditation?
1.621 How must a recognized accreditation body monitor the 
performance of third-party certification bodies it accredited?
1.622 How must a recognized accreditation body monitor its own 
performance?
1.623 What reports and notifications must a recognized accreditation 
body submit to FDA?
1.624 How must a recognized accreditation body protect against 
conflicts of interest?
1.625 What records requirements must an accreditation body that has 
been recognized meet?

Procedures for Recognition of Accreditation Bodies Under This Subpart

1.630 How do I apply to FDA for recognition or renewal of 
recognition?
1.631 How will FDA review my application for recognition or renewal 
of recognition and what happens once FDA decides on my application?
1.632 What is the duration of recognition?
1.633 How will FDA monitor recognized accreditation bodies?
1.634 When will FDA revoke recognition?
1.635 What if I want to voluntarily relinquish recognition or do not 
want to renew recognition?
1.636 How do I request reinstatement of recognition?

Accreditation of Third-Party Certification Bodies Under This Subpart

1.640 Who is eligible to seek accreditation?
1.641 What legal authority must a third-party certification body 
have to qualify for accreditation?
1.642 What competency and capacity must a third-party certification 
body have to qualify for accreditation?
1.643 What protections against conflicts of interest must a third-
party certification body have to qualify for accreditation?
1.644 What quality assurance procedures must a third-party 
certification body have to qualify for accreditation?
1.645 What records procedures must a third-party certification body 
have to qualify for accreditation?

Requirements for Third-Party Certification Bodies That Have Been 
Accredited Under This Subpart

1.650 How must an accredited third-party certification body ensure 
its audit agents are competent and objective?
1.651 How must an accredited third-party certification body conduct 
a food safety audit of an eligible entity?
1.652 What must an accredited third-party certification body include 
in food safety audit reports?
1.653 What must an accredited third-party certification body do when 
issuing food or facility certifications?
1.654 When must an accredited third-party certification body monitor 
an eligible entity that it has issued a food or facility 
certification?
1.655 How must an accredited third-party certification body monitor 
its own performance?
1.656 What reports and notifications must an accredited third-party 
certification body submit?

[[Page 74651]]

1.657 How must an accredited third-party certification body protect 
against conflicts of interest?
1.658 What records requirements must a third-party certification 
body that has been accredited meet?

Procedures for Accreditation of Third-Party Certification Bodies Under 
This Subpart

1.660 Where do I apply for accreditation or renewal of accreditation 
by a recognized accreditation body and what happens once the 
recognized accreditation body decides on my application?
1.661 What is the duration of accreditation by a recognized 
accreditation body?
1.662 How will FDA monitor accredited third-party certification 
bodies?
1.663 How do I request an FDA waiver or waiver extension for the 13-
month limit for audit agents conducting regulatory audits?
1.664 When would FDA withdraw accreditation?
1.665 What if I want to voluntarily relinquish accreditation or do 
not want to renew accreditation?
1.666 How do I request reaccreditation?

Additional Procedures for Direct Accreditation of Third-Party 
Certification Bodies Under This Subpart

1.670 How do I apply to FDA for direct accreditation or renewal of 
direct accreditation?
1.671 How will FDA review my application for direct accreditation or 
renewal of direct accreditation and what happens once FDA decides on 
my application?
1.672 What is the duration of direct accreditation?

Requirements for Eligible Entities Under This Subpart

1.680 How and when will FDA monitor eligible entities?
1.681 How frequently must eligible entities be recertified?

General Requirements of This Subpart

1.690 How will FDA make information about recognized accreditation 
bodies and accredited third-party certification bodies available to 
the public?
1.691 How do I request reconsideration of a denial by FDA of an 
application or a waiver request?
1.692 How do I request internal agency review of a denial of an 
application or waiver request upon reconsideration?
1.693 How do I request a regulatory hearing on a revocation of 
recognition or withdrawal of accreditation?
1.694 Are electronic records created under this subpart subject to 
the electronic records requirements of part 11 of this chapter?
1.695 Are the records obtained by FDA under this subpart subject to 
public disclosure?

Subpart M--Accreditation of Third-Party Certification Bodies To 
Conduct Food Safety Audits and To Issue Certifications


Sec.  1.600  What definitions apply to this subpart?

    (a) The FD&C Act means the Federal Food, Drug, and Cosmetic Act.
    (b) Except as otherwise defined in paragraph (c) of this section, 
the definitions of terms in section 201 of the FD&C Act apply when the 
terms are used in this subpart.
    (c) In addition, for the purposes of this subpart:
    Accreditation means a determination by a recognized accreditation 
body (or, in the case of direct accreditation, by FDA) that a third-
party certification body meets the applicable requirements of this 
subpart.
    Accreditation body means an authority that performs accreditation 
of third-party certification bodies.
    Accredited third-party certification body means a third-party 
certification body that a recognized accreditation body (or, in the 
case of direct accreditation, FDA) has determined meets the applicable 
requirements of this subpart and is accredited to conduct food safety 
audits and to issue food or facility certifications to eligible 
entities. An accredited third-party certification body has the same 
meaning as accredited third-party auditor as defined in section 
808(a)(4) of the FD&C Act.
    Assessment means:
    (i) With respect to an accreditation body, an evaluation by FDA of 
the competency and capacity of the accreditation body under the 
applicable requirements of this subpart for the defined scope of 
recognition. An assessment of the competency and capacity of the 
accreditation body involves evaluating the competency and capacity of 
the operations of the accreditation body that are relevant to decisions 
on recognition and, if recognized, an evaluation of its performance and 
the validity of its accreditation decisions under the applicable 
requirements of this subpart.
    (ii) With respect to a third-party certification body, an 
evaluation by a recognized accreditation body (or, in the case of 
direct accreditation, FDA) of the competency and capacity of a third-
party certification body under the applicable requirements of this 
subpart for the defined scope of accreditation. An assessment of the 
competency and capacity of the third-party certification body involves 
evaluating the competency and capacity of the operations of the third-
party certification body that are relevant to decisions on 
accreditation and, if accredited, an evaluation of its performance and 
the validity of its audit results and certification decisions under the 
applicable requirements of this subpart.
    Audit means the systematic and functionally independent examination 
of an eligible entity under this subpart by an accredited third-party 
certification body or by FDA. An audit conducted under this subpart is 
not considered an inspection under section 704 of the FD&C Act.
    Audit agent means an individual who is an employee or other agent 
of an accredited third-party certification body who, although not 
individually accredited, is qualified to conduct food safety audits on 
behalf of an accredited third-party certification body. An audit agent 
includes a contractor of the accredited third-party certification body 
but excludes subcontractors or other agents under outsourcing 
arrangements for conducting food safety audits without direct control 
by the accredited third-party certification body.
    Consultative audit means an audit of an eligible entity:
    (i) To determine whether such entity is in compliance with the 
applicable food safety requirements of the FD&C Act, FDA regulations, 
and industry standards and practices;
    (ii) The results of which are for internal purposes only; and
    (iii) That is conducted in preparation for a regulatory audit; only 
the results of a regulatory audit may form the basis for issuance of a 
food or facility certification under this subpart.
    Direct accreditation means accreditation of a third-party 
certification body by FDA.
    Eligible entity means a foreign entity in the import supply chain 
of food for consumption in the United States that chooses to be subject 
to a food safety audit under this subpart conducted by an accredited 
third-party certification body. Eligible entities include foreign 
facilities required to be registered under subpart H of this part.
    Facility means any structure, or structures of an eligible entity 
under one ownership at one general physical location, or, in the case 
of a mobile facility, traveling to multiple locations, that 
manufactures/processes, packs, holds, grows, harvests, or raises 
animals for food for consumption in the United States. Transport 
vehicles are not facilities if they hold food only in the usual course 
of business as carriers. A facility may consist of one or more 
contiguous structures, and a single building may house more than one

[[Page 74652]]

distinct facility if the facilities are under separate ownership. The 
private residence of an individual is not a facility. Non-bottled water 
drinking water collection and distribution establishments and their 
structures are not facilities. Facilities for the purposes of this 
subpart are not limited to facilities required to be registered under 
subpart H of this part.
    Facility certification means an attestation, issued for purposes of 
section 801(q) or 806 of the FD&C Act by an accredited third-party 
certification body, after conducting a regulatory audit and any other 
activities necessary to establish whether a facility complies with the 
applicable food safety requirements of the FD&C Act and FDA 
regulations.
    Food has the meaning given in section 201(f) of the FD&C Act, 
except that food does not include pesticides (as defined in 7 U.S.C. 
136(u)).
    Food certification means an attestation, issued for purposes of 
section 801(q) of the FD&C Act by an accredited third-party 
certification body, after conducting a regulatory audit and any other 
activities necessary to establish whether a food of an eligible entity 
complies with the applicable food safety requirements of the FD&C Act 
and FDA regulations.
    Food safety audit means a regulatory audit or a consultative audit 
that is conducted to determine compliance with the applicable food 
safety requirements of the FD&C Act, FDA regulations, and for 
consultative audits, also includes conformance with industry standards 
and practices. An eligible entity must declare that an audit is to be 
conducted as a regulatory audit or consultative audit at the time of 
audit planning and the audit will be conducted on an unannounced basis 
under this subpart.
    Foreign cooperative means an autonomous association of persons, 
identified as members, who are united through a jointly owned 
enterprise to aggregate food from member growers or processors that is 
intended for export to the United States.
    Recognized accreditation body means an accreditation body that FDA 
has determined meets the applicable requirements of this subpart and is 
authorized to accredit third-party certification bodies under this 
subpart.
    Regulatory audit means an audit of an eligible entity:
    (i) To determine whether such entity is in compliance with the 
applicable food safety requirements of the FD&C Act and FDA 
regulations; and
    (ii) The results of which are used in determining eligibility for 
certification under section 801(q) or under section 806 of the FD&C 
Act.
    Relinquishment means:
    (i) With respect to an accreditation body, a decision to cede 
voluntarily its authority to accredit third-party certification bodies 
as a recognized accreditation body prior to expiration of its 
recognition under this subpart; and
    (ii) With respect to a third-party certification body, a decision 
to cede voluntarily its authority to conduct food safety audits and to 
issue food and facility certifications to eligible entities as an 
accredited third-party certification body prior to expiration of its 
accreditation under this subpart.
    Self-assessment means an evaluation conducted by a recognized 
accreditation body or by an accredited third-party certification body 
of its competency and capacity under the applicable requirements of 
this subpart for the defined scope of recognition or accreditation. For 
recognized accreditation bodies this involves evaluating the competency 
and capacity of the entire operations of the accreditation body and the 
validity of its accreditation decisions under the applicable 
requirements of this subpart. For accredited third-party certification 
bodies this involves evaluating the competency and capacity of the 
entire operations of the third-party certification body and the 
validity of its audit results under the applicable requirements of this 
subpart.
    Third-party certification body has the same meaning as third-party 
auditor as that term is defined in section 808(a)(3) of the FD&C Act 
and means a foreign government, agency of a foreign government, foreign 
cooperative, or any other third party that is eligible to be considered 
for accreditation to conduct food safety audits and to certify that 
eligible entities meet the applicable food safety requirements of the 
FD&C Act and FDA regulations. A third-party certification body may be a 
single individual or an organization. Once accredited, a third-party 
certification body may use audit agents to conduct food safety audits.


Sec.  1.601  Who is subject to this subpart?

    (a) Accreditation bodies. Any accreditation body seeking 
recognition from FDA to accredit third-party certification bodies to 
conduct food safety audits and to issue food and facility 
certifications under this subpart.
    (b) Third-party certification bodies. Any third-party certification 
body seeking accreditation from a recognized accreditation body or 
direct accreditation by FDA for:
    (1) Conducting food safety audits; and
    (2) Issuing certifications that may be used in satisfying a 
condition of admissibility of an article of food under section 801(q) 
of the FD&C Act; or issuing a facility certification for meeting the 
eligibility requirements for the Voluntary Qualified Importer Program 
under section 806 of the FD&C Act.
    (c) Eligible entities. Any eligible entity seeking a food safety 
audit or a food or facility certification from an accredited third-
party certification body under this subpart.
    (d) Limited exemptions from section 801(q) of the FD&C Act--(1) 
Alcoholic beverages. (i) Any certification required under section 
801(q) of the FD&C Act does not apply with respect to alcoholic 
beverages from an eligible entity that is a facility that meets the 
following two conditions:
    (A) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et 
seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 
(26 U.S.C. 5001 et seq.), the facility is a foreign facility of a type 
that, if it were a domestic facility, would require obtaining a permit 
from, registering with, or obtaining approval of a notice or 
application from the Secretary of the Treasury as a condition of doing 
business in the United States; and
    (B) Under section 415 of the FD&C Act, the facility is required to 
register as a facility because it is engaged in manufacturing/
processing one or more alcoholic beverages.
    (ii) Any certification required under section 801(q) of the FD&C 
Act does not apply with respect to food that is not an alcoholic 
beverage that is received and distributed by a facility described in 
paragraph (d)(1)(i) of this section, provided such food:
    (A) Is received and distributed in prepackaged form that prevents 
any direct human contact with such food; and
    (B) Constitutes not more than 5 percent of the overall sales of the 
facility, as determined by the Secretary of the Treasury.
    (iii) Any certification required under section 801(q) of the FD&C 
Act does not apply with respect to raw materials or other ingredients 
that are imported for use in alcoholic beverages provided that:
    (A) The imported raw materials or other ingredients are used in the 
manufacturing/processing, packing, or holding of alcoholic beverages;
    (B) Such manufacturing/processing, packing, or holding is performed 
by the importer;

[[Page 74653]]

    (C) The importer is required to register under section 415 of the 
Federal Food, Drug, and Cosmetic Act; and
    (D) The importer is exempt from the regulations in part 117 of this 
chapter in accordance with Sec.  117.5(i).
    (2) Certain meat, poultry, and egg products. Any certification 
required under section 801(q) of the FD&C Act does not apply with 
respect to:
    (i) Meat food products that at the time of importation are subject 
to the requirements of the United States Department of Agriculture 
(USDA) under the Federal Meat Inspection Act (21 U.S.C. 601 et seq.);
    (ii) Poultry products that at the time of importation are subject 
to the requirements of the USDA under the Poultry Products Inspection 
Act (21 U.S.C. 451 et seq.); and
    (iii) Egg products that at the time of importation are subject to 
the requirements of the USDA under the Egg Products Inspection Act (21 
U.S.C. 1031 et seq.).

Recognition of Accreditation Bodies Under This Subpart


Sec.  1.610  Who is eligible to seek recognition?

    An accreditation body is eligible to seek recognition by FDA if it 
can demonstrate that it meets the requirements of Sec. Sec.  1.611 
through 1.615. The accreditation body may use documentation of 
conformance with International Organization for Standardization/
International Electrotechnical Commission (ISO/IEC) 17011:2004, 
supplemented as necessary, in meeting the applicable requirements of 
this subpart.


Sec.  1.611  What legal authority must an accreditation body have to 
qualify for recognition?

    (a) An accreditation body seeking recognition must demonstrate that 
it has the authority (as a governmental entity or as a legal entity 
with contractual rights) to perform assessments of a third-party 
certification body as are necessary to determine its capability to 
conduct audits and certify food facilities and food, including 
authority to:
    (1) Review any relevant records;
    (2) Conduct onsite assessments of the performance of third-party 
certification bodies, such as by witnessing the performance of a 
representative sample of its agents (or, in the case of a third-party 
certification body that is an individual, such individual) conducting a 
representative sample of audits;
    (3) Perform any reassessments or surveillance necessary to monitor 
compliance of accredited third-party certification bodies; and
    (4) Suspend, withdraw, or reduce the scope of accreditation for 
failure to comply with the requirements of accreditation.
    (b) An accreditation body seeking recognition must demonstrate that 
it is capable of exerting the authority (as a governmental entity or as 
a legal entity with contractual rights) necessary to meet the 
applicable requirements of this subpart, if recognized.


Sec.  1.612  What competency and capacity must an accreditation body 
have to qualify for recognition?

    An accreditation body seeking recognition must demonstrate that it 
has:
    (a) The resources required to adequately implement its 
accreditation program, including:
    (1) Adequate numbers of employees and other agents with relevant 
knowledge, skills, and experience to effectively evaluate the 
qualifications of third-party certification bodies seeking 
accreditation and to effectively monitor the performance of accredited 
third-party certification bodies; and
    (2) Adequate financial resources for its operations; and
    (b) The capability to meet the applicable assessment and monitoring 
requirements, the reporting and notification requirements, and the 
procedures of this subpart, if recognized.


Sec.  1.613  What protections against conflicts of interest must an 
accreditation body have to qualify for recognition?

    An accreditation body must demonstrate that it has:
    (a) Implemented written measures to protect against conflicts of 
interest between the accreditation body (and its officers, employees, 
and other agents involved in accreditation activities) and any third-
party certification body (and its officers, employees, and other agents 
involved in auditing and certification activities) seeking 
accreditation from, or accredited by, such accreditation body; and
    (b) The capability to meet the applicable conflict of interest 
requirements of this subpart, if recognized.


Sec.  1.614  What quality assurance procedures must an accreditation 
body have to qualify for recognition?

    An accreditation body seeking recognition must demonstrate that it 
has:
    (a) Implemented a written program for monitoring and evaluating the 
performance of its officers, employees, and other agents and its 
accreditation program, including procedures to:
    (1) Identify areas in its accreditation program or performance 
where deficiencies exist; and
    (2) Quickly execute corrective actions that effectively address 
deficiencies when identified; and
    (b) The capability to meet the applicable quality assurance 
requirements of this subpart, if recognized.


Sec.  1.615  What records procedures must an accreditation body have to 
qualify for recognition?

    An accreditation body seeking recognition must demonstrate that it 
has:
    (a) Implemented written procedures to establish, control, and 
retain records (including documents and data) for the period of time 
necessary to meet its contractual and legal obligations pertaining to 
this subpart and to provide an adequate basis for evaluating its 
program and performance; and
    (b) The capability to meet the applicable reporting and 
notification requirements of this subpart, if recognized.

Requirements for Accreditation Bodies That Have Been Recognized Under 
This Subpart


Sec.  1.620  How must a recognized accreditation body evaluate third-
party certification bodies seeking accreditation?

    (a) Prior to accrediting a third-party certification body under 
this subpart, a recognized accreditation body must perform, at a 
minimum, the following:
    (1) In the case of a foreign government or an agency of a foreign 
government, such reviews and audits of the government's or agency's 
food safety programs, systems, and standards as are necessary to 
determine that it meets the eligibility requirements of Sec.  1.640(b).
    (2) In the case of a foreign cooperative or any other third-party 
seeking accreditation as a third-party certification body, such reviews 
and audits of the training and qualifications of agents conducting 
audits for such cooperative or other third party (or in the case of a 
third-party certification body that is an individual, such individual) 
and such reviews of internal systems and any other investigation of the 
cooperative or other third party necessary to determine that it meets 
the eligibility requirements of Sec.  1.640(c).
    (3) In conducting a review and audit under paragraph (a)(1) or (2) 
of this section, an observation of a representative sample of onsite 
audits examining compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations as conducted by the 
third-party

[[Page 74654]]

certification body or its agents (or, in the case of a third-party 
certification body that is an individual, such individual).
    (b) A recognized accreditation body must require a third-party 
certification body, as a condition of accreditation under this subpart, 
to comply with the reports and notification requirements of Sec. Sec.  
1.652 and 1.656 and to agree to submit to FDA, electronically and in 
English, any food or facility certifications it issues for purposes of 
sections 801(q) or 806 of the FD&C Act.
    (c) A recognized accreditation body must maintain records on any 
denial of accreditation (in whole or in part) and on any withdrawal, 
suspension, or reduction in scope of accreditation of a third-party 
certification body under this subpart. The records must include the 
name and contact information for the third-party certification body; 
the date of the action; the scope of accreditation denied, withdrawn, 
suspended, or reduced; and the basis for such action.
    (d) A recognized accreditation body must notify any third-party 
certification body of an adverse decision associated with its 
accreditation under this subpart, including denial of accreditation or 
the withdrawal, suspension, or reduction in the scope of its 
accreditation. The recognized accreditation body must establish and 
implement written procedures for receiving and addressing appeals from 
any third-party certification body challenging such an adverse decision 
and for investigating and deciding on appeals in a fair and meaningful 
manner. The appeals procedures must provide similar protections to 
those offered by FDA under Sec. Sec.  1.692 and 1.693, and include 
requirements to:
    (1) Make the appeals procedures publicly available;
    (2) Use competent persons, who may or may not be external to the 
recognized accreditation body, who are free from bias or prejudice and 
have not participated in the accreditation decision or be subordinate 
to a person who has participated in the accreditation decision to 
investigate and decide appeals;
    (3) Advise third-party certification bodies of the final decisions 
on their appeals; and
    (4) Maintain records under Sec.  1.625 of appeals, final decisions 
on appeals, and the bases for such decisions.


Sec.  1.621  How must a recognized accreditation body monitor the 
performance of third-party certification bodies it accredited?

    (a) A recognized accreditation body must annually conduct a 
comprehensive assessment of the performance of each third-party 
certification body it accredited under this subpart by reviewing the 
accredited third-party certification body's self-assessments (including 
information on compliance with the conflict of interest requirements of 
Sec. Sec.  1.643 and 1.657); its regulatory audit reports and 
notifications submitted to FDA under Sec.  1.656; and any other 
information reasonably available to the recognized accreditation body 
regarding the compliance history of eligible entities the accredited 
third-party certification body certified under this subpart; or that is 
otherwise relevant to a determination whether the accredited third-
party certification body is in compliance with this subpart.
    (b) No later than 1 year after the initial date of accreditation of 
the third-party certification body and every 2 years thereafter for 
duration of its accreditation under this subpart, a recognized 
accreditation body must conduct onsite observations of a representative 
sample of regulatory audits performed by the third-party certification 
body (or its audit agents) (or, in the case of a third-party 
certification body that is an individual, such individual) accredited 
under this subpart and must visit the accredited third-party 
certification body's headquarters (or other location that manages audit 
agents conducting food safety audits under this subpart, if different 
than its headquarters). The recognized accreditation body will consider 
the results of such observations and visits in the annual assessment of 
the accredited third-party certification body required by paragraph (a) 
of this section.


Sec.  1.622  How must a recognized accreditation body monitor its own 
performance?

    (a) A recognized accreditation body must annually, and as required 
under Sec.  1.664(g), conduct a self-assessment that includes 
evaluation of compliance with this subpart, including:
    (1) The performance of its officers, employees, or other agents 
involved in accreditation activities and the degree of consistency in 
conducting accreditation activities;
    (2) The compliance of the recognized accreditation body and its 
officers, employees, and other agents involved in accreditation 
activities, with the conflict of interest requirements of Sec.  1.624; 
and
    (3) If requested by FDA, any other aspects of its performance 
relevant to a determination whether the recognized accreditation body 
is in compliance with this subpart.
    (b) As a means to evaluate the recognized accreditation body's 
performance, the self-assessment must include onsite observation of 
regulatory audits of a representative sample of third-party 
certification bodies it accredited under this subpart. In meeting this 
requirement, the recognized accreditation body may use the results of 
onsite observations performed under Sec.  1.621(b).
    (c) Based on the evaluations conducted under paragraphs (a) and (b) 
of this section, the recognized accreditation body must:
    (1) Identify any area(s) where deficiencies exist;
    (2) Quickly implement corrective action(s) that effectively address 
those deficiencies; and
    (3) Establish and maintain records of any such corrective action(s) 
under Sec.  1.625.
    (d) The recognized accreditation body must prepare, and as required 
by Sec.  1.623(b) submit, a written report of the results of its self-
assessment that includes the following elements. Documentation of 
conformance to ISO/IEC 17011:2004 may be used, supplemented as 
necessary, in meeting the requirements of this paragraph.
    (1) A description of any corrective actions taken under paragraph 
(c) of this section;
    (2) A statement disclosing the extent to which the recognized 
accreditation body, and its officers, employees, and other agents 
involved in accreditation activities, complied with the conflict of 
interest requirements in Sec.  1.624; and
    (3) A statement attesting to the extent to which the recognized 
accreditation body complied with applicable requirements of this 
subpart.


Sec.  1.623  What reports and notifications must a recognized 
accreditation body submit to FDA?

    (a) Reporting results of assessments of accredited third-party 
certification body performance. A recognized accreditation body must 
submit to FDA electronically, in English, a report of the results of 
any assessment conducted under Sec.  1.621, no later than 45 days after 
completing such assessment. The report must include an up-to-date list 
of any audit agents used by the accredited third-party certification 
body to conduct food safety audits under this subpart.
    (b) Reporting results of recognized accreditation body self-
assessments. A recognized accreditation body must submit to FDA 
electronically, in English:
    (1) A report of the results of an annual self-assessment required 
under Sec.  1.622, no later than 45 days after completing such self-
assessment; and

[[Page 74655]]

    (2) For a recognized accreditation body subject to Sec.  
1.664(g)(1), a report of such self-assessment to FDA within 60 days of 
the third-party certification body's withdrawal. A recognized 
accreditation body may use a report prepared for conformance to ISO/IEC 
17011:2004, supplemented as necessary, in meeting the requirements this 
section.
    (c) Immediate notification to FDA. A recognized accreditation body 
must notify FDA electronically, in English, immediately upon:
    (1) Granting (including expanding the scope of) accreditation to a 
third-party certification body under this subpart, and include:
    (i) The name, address, telephone number, and email address of the 
accredited third-party certification body;
    (ii) The name of one or more officers of the accredited third-party 
certification body;
    (iii) A list of the accredited third-party certification body's 
audit agents; and
    (iv) The scope of accreditation, the date on which it was granted, 
and its expiration date.
    (2) Withdrawing, suspending, or reducing the scope of an 
accreditation under this subpart, and include:
    (i) The basis for such action; and
    (ii) Any additional changes to accreditation information previously 
submitted to FDA under paragraph (c)(1) of this section.
    (3) Determining that a third-party certification body it accredited 
failed to comply with Sec.  1.653 in issuing a food or facility 
certification under this subpart, and include:
    (i) The basis for such determination; and
    (ii) Any changes to accreditation information previously submitted 
to FDA under paragraph (c)(1) of this section.
    (d) Other notification to FDA. A recognized accreditation body must 
notify FDA electronically, in English, within 30 days after:
    (1) Denying accreditation (in whole or in part) under this subpart 
and include:
    (i) The name, address, telephone number, and email address of the 
third-party certification body;
    (ii) The name of one or more officers of the third-party 
certification body;
    (iii) The scope of accreditation requested; and
    (iv) The scope and basis for such denial.
    (2) Making any significant change that would affect the manner in 
which it complies with the applicable requirements of this subpart and 
include:
    (i) A description of the change; and
    (ii) An explanation for the purpose of the change.


Sec.  1.624  How must a recognized accreditation body protect against 
conflicts of interest?

    (a) A recognized accreditation body must implement a written 
program to protect against conflicts of interest between the recognized 
accreditation body (and its officers, employees, and other agents 
involved in accreditation activities) and any third-party certification 
body (and its officers, employees, and other agents involved in 
auditing and certification activities) seeking accreditation from, or 
accredited by, such recognized accreditation body, including the 
following:
    (1) Ensuring that the recognized accreditation body (and its 
officers, employees, or other agents involved in accreditation 
activities) does not own or have a financial interest in, manage, or 
otherwise control the third-party certification body (or any affiliate, 
parent, or subsidiary); and
    (2) Prohibiting officers, employees, or other agents involved in 
accreditation activities of the recognized accreditation body from 
accepting any money, gift, gratuity, or item of value from the third-
party certification body.
    (3) The items specified in paragraph (a)(2) of this section do not 
include:
    (i) Money representing payment of fees for accreditation services 
and reimbursement of direct costs associated with an onsite assessment 
of the third-party certification body; or
    (ii) Lunch of de minimis value provided during the course of an 
assessment and on the premises where the assessment is conducted, if 
necessary to facilitate the efficient conduct of the assessment.
    (b) A recognized accreditation body may accept the payment of fees 
for accreditation services and the reimbursement of direct costs 
associated with assessment of a certification body only after the date 
on which the report of such assessment was completed or the date of 
which the accreditation was issued, whichever comes later. Such payment 
is not considered a conflict of interest for purposes of paragraph (a) 
of this section.
    (c) The financial interests of the spouses and children younger 
than 18 years of age of a recognized accreditation body's officers, 
employees, and other agents involved in accreditation activities will 
be considered the financial interests of such officers, employees, and 
other agents involved in accreditation activities.
    (d) A recognized accreditation body must maintain on its Web site 
an up-to-date list of the third-party certification bodies it 
accredited under this subpart and must identify the duration and scope 
of each accreditation and the date(s) on which the accredited third-
party certification body paid any fee or reimbursement associated with 
such accreditation. If the accreditation of a certification body is 
suspended, withdrawn, or reduced in scope, this list must also include 
the date of suspension, withdrawal, or reduction in scope and maintain 
that information for the duration of accreditation or until the 
suspension is lifted, the certification body is reaccredited, or the 
scope of accreditation is reinstated, whichever comes first.


Sec.  1.625  What records requirements must an accreditation body that 
has been recognized meet?

    (a) An accreditation body that has been recognized must maintain 
electronically for 5 years records created while it is recognized 
(including documents and data) demonstrating its compliance with this 
subpart, including records relating to:
    (1) Applications for accreditation and renewal of accreditation 
under Sec.  1.660;
    (2) Decisions to grant, deny, suspend, withdraw, or expand or 
reduce the scope of an accreditation;
    (3) Challenges to adverse accreditation decisions under Sec.  
1.620(c);
    (4) Its monitoring of accredited third-party certification bodies 
under Sec.  1.621;
    (5) Self-assessments and corrective actions under Sec.  1.622;
    (6) Regulatory audit reports, including any supporting information, 
that an accredited third-party certification body may have submitted;
    (7) Any reports or notifications to FDA under Sec.  1.623, 
including any supporting information; and
    (8) Records of fee payments and reimbursement of direct costs.
    (b) An accreditation body that has been recognized must make 
records required by paragraph (a) of this section available for 
inspection and copying promptly upon written request of an authorized 
FDA officer or employee at the place of business of the accreditation 
body or at a reasonably accessible location. If the records required by 
paragraph (a) of this section are requested by FDA electronically, the 
records must be submitted to FDA electronically not later than 10 
business days after the date of the request. Additionally, if the 
requested records are maintained in a language other than

[[Page 74656]]

English, the accreditation body must electronically submit an English 
translation within a reasonable time.
    (c) An accreditation body that has been recognized must not prevent 
or interfere with FDA's access to its accredited third-party 
certification bodies and the accredited third-party certification body 
records required by Sec.  1.658.

Procedures for Recognition of Accreditation Bodies Under This Subpart


Sec.  1.630  How do I apply to FDA for recognition or renewal of 
recognition?

    (a) Applicant for recognition. An accreditation body seeking 
recognition must submit an application demonstrating that it meets the 
eligibility requirements in Sec.  1.610.
    (b) Applicant for renewal of recognition. An accreditation body 
seeking renewal of its accreditation must submit a renewal application 
demonstrating that it continues to meet the requirements of this 
subpart.
    (c) Submission. Recognition and renewal applications and any 
documents provided as part of the application process must be submitted 
electronically, in English. An applicant must provide any translation 
and interpretation services needed by FDA during the processing of the 
application, including during onsite assessments of the applicant by 
FDA.
    (d) Signature. Recognition and renewal applications must be signed 
in the manner designated by FDA, by an individual authorized to act on 
behalf of the applicant for purposes of seeking recognition or renewal 
of recognition.


Sec.  1.631  How will FDA review my application for recognition or 
renewal of recognition and what happens once FDA decides on my 
application?

    (a) Review of recognition or renewal application. FDA will examine 
an accreditation body's recognition or renewal application for 
completeness and notify the applicant of any deficiencies. FDA will 
review an accreditation body's recognition or renewal application on a 
first in, first out basis according to the date on which the completed 
application was submitted; however, FDA may prioritize the review of 
specific applications to meet the needs of the program.
    (b) Evaluation of recognition or renewal. FDA will evaluate any 
completed recognition or renewal application to determine whether the 
applicant meets the applicable requirements of this subpart. Such 
evaluation may include an onsite assessment of the accreditation body. 
FDA will notify the applicant, in writing, regarding whether the 
application has been approved or denied. FDA may make such notification 
electronically. If FDA does not reach a final decision on a renewal 
application before an accreditation body's recognition terminates by 
expiration, FDA may extend such recognition for a specified period of 
time or until the Agency reaches a final decision on the renewal 
application.
    (c) Issuance of recognition. FDA will notify an applicant that its 
recognition or renewal application has been approved through issuance 
of recognition that will list any limitations associated with the 
recognition.
    (d) Issuance of denial of recognition or renewal application. FDA 
will notify an applicant that its recognition or renewal application 
has been denied through issuance of a denial of recognition or denial 
of a renewal application that will state the basis for such denial and 
provide the procedures for requesting reconsideration of the 
application under Sec.  1.691.
    (e) Notice of records custodian after denial of an application for 
renewal of recognition. An applicant whose renewal application was 
denied must notify FDA electronically, in English, within 10 business 
days of the date of issuance of a denial of a renewal application, of 
the name and contact information of the custodian who will maintain the 
records required by Sec.  1.625(a) and make them available to FDA as 
required by Sec.  1.625(b). The contact information for the custodian 
must include, at a minimum, an email address and the physical address 
where the records required by Sec.  1.625(a) will be located.
    (f) Effect of denial of an application for renewal of recognition 
of an accreditation body on accredited third-party certification 
bodies. (1) FDA will issue a notice of the denial of a recognition 
renewal to any third-party certification bodies accredited by the 
accreditation body whose renewal application was denied. The third-
party certification body's accreditation will remain in effect so long 
as the third-party certification body:
    (i) No later than 60 days after FDA's issuance of the notice of the 
denial of recognition renewal, conducts a self-assessment under Sec.  
1.655 and reports the results of the self-assessment to FDA under Sec.  
1.656(b); and
    (ii) No later than 1 year after issuance of the notice of denial of 
recognition renewal or the original date of the expiration of the 
accreditation, whichever comes first, becomes accredited by another 
recognized accreditation body or by FDA through direct accreditation.
    (2) FDA may withdraw the accreditation of a third-party 
certification body whenever FDA determines there is good cause for 
withdrawal of accreditation under Sec.  1.664(c).
    (g) Effect of denial of an application for renewal of recognition 
of an accreditation body on food or facility certifications issued to 
eligible entities. A food or facility certification issued by a third-
party certification body accredited by a recognized accreditation body 
prior to issuance of a denial of the renewal application will remain in 
effect until the certification expires. If FDA has reason to believe 
that a certification issued for purposes of section 801(q) or 806 of 
the FD&C Act is not valid or reliable, FDA may refuse to consider the 
certification in determining the admissibility of the article of food 
for which the certification was offered or in determining the 
importer's eligibility for participation in the voluntary qualified 
importer program (VQIP).
    (h) Public notice of denial of an application for renewal of 
recognition of an accreditation body. FDA will provide notice on the 
Web site described in Sec.  1.690 of the date of issuance of a denial 
of a renewal application and will describe the basis for the denial.


Sec.  1.632  What is the duration of recognition?

    FDA may grant recognition of an accreditation body for a period not 
to exceed 5 years from the date of recognition.


Sec.  1.633  How will FDA monitor recognized accreditation bodies?

    (a) FDA will evaluate the performance of each recognized 
accreditation body to determine its compliance with the applicable 
requirements of this subpart. Such assessment must occur by at least 4 
years after the date of recognition for a 5-year recognition period, or 
by no later than the mid-term point for a recognition period of less 
than 5 years. FDA may conduct additional assessments of a recognized 
accreditation body at any time.
    (b) An FDA assessment of a recognized accreditation body may 
include onsite assessments of a representative sample of third-party 
certification bodies the recognized accreditation body accredited and 
onsite audits of a representative sample of eligible entities certified 
by such third-party certification bodies under this subpart. These may 
be conducted at any time and, as FDA determines necessary

[[Page 74657]]

or appropriate, may occur without the recognized accreditation body or, 
in the case of an audit of an eligible entity, the accredited third-
party certification body present.


Sec.  1.634  When will FDA revoke recognition?

    (a) Grounds for revocation of recognition. FDA will revoke the 
recognition of an accreditation body found not to be in compliance with 
the requirements of this subpart, including for any one or more of the 
following:
    (1) Refusal by the accreditation body to allow FDA to access 
records required by Sec.  1.625, or to conduct an assessment or 
investigation of the accreditation body or of a third-party 
certification body it accredited to ensure the accreditation body's 
continued compliance with the requirements of this subpart.
    (2) Failure to take timely and necessary corrective action when:
    (i) The accreditation of a third-party certification body it 
accredited is withdrawn by FDA under Sec.  1.664(a);
    (ii) A significant deficiency is identified through self-assessment 
under Sec.  1.622, monitoring under Sec.  1.621, or self-assessment by 
one or more of its accredited third-party certification bodies under 
Sec.  1.655; or
    (iii) Directed to do so by FDA to ensure compliance with this 
subpart.
    (3) A determination by FDA that the accreditation body has 
committed fraud or has submitted material false statements to the 
Agency.
    (4) A determination by FDA that there is otherwise good cause for 
revocation, including:
    (i) Demonstrated bias or lack of objectivity when conducting 
activities under this subpart; or
    (ii) Failure to adequately support one or more decisions to grant 
accreditation under this subpart.
    (b) Records request associated with revocation. To assist in 
determining whether revocation is warranted under paragraph (a) of this 
section, FDA may request records of the accreditation body required by 
Sec.  1.625 or the records, required by Sec.  1.658, of one or more of 
the third-party certification bodies it accredited under this subpart.
    (c) Issuance of revocation of recognition. (1) FDA will notify an 
accreditation body that its recognition has been revoked through 
issuance of a revocation that will state the grounds for revocation, 
the procedures for requesting a regulatory hearing under Sec.  1.693 on 
the revocation, and the procedures for requesting reinstatement of 
recognition under Sec.  1.636.
    (2) Within 10 business days of the date of issuance of the 
revocation, the accreditation body must notify FDA electronically, in 
English, of the name of the custodian who will maintain the records and 
make them available to FDA as required by Sec.  1.625. The contact 
information for the custodian must provide, at a minimum, an email 
address and the physical address where the records will be located.
    (d) Effect of revocation of recognition of an accreditation body on 
accredited third-party certification bodies. (1) FDA will issue a 
notice of the revocation of recognition to any accredited third-party 
certification body accredited by the accreditation body whose 
recognition was revoked. The third-party certification body's 
accreditation will remain in effect if the third-party certification 
body:
    (i) No later than 60 days after FDA's issuance of the notice of 
revocation, conducts a self-assessment under Sec.  1.655 and reports 
the results of the self-assessment to FDA under Sec.  1.656(b); and
    (ii) No later than 1 year after issuance of the notice of the 
revocation, or the original date of expiration of the accreditation, 
whichever comes first, becomes accredited by another recognized 
accreditation body or by FDA through direct accreditation.
    (2) FDA may withdraw the accreditation of a third-party 
certification body whenever FDA determines there is good cause for 
withdrawal of accreditation under Sec.  1.664(c).
    (e) Effect of revocation of recognition of an accreditation body on 
food or facility certifications issued to eligible entities. A food or 
facility certification issued by a third-party certification body 
accredited by a recognized accreditation body prior to issuance of the 
revocation of recognition will remain in effect until the certificate 
terminates by expiration. If FDA has reason to believe that a 
certification issued for purposes of section 801(q) or 806 of the FD&C 
Act is not valid or reliable, FDA may refuse to consider the 
certification in determining the admissibility of the article of food 
for which the certification was offered or in determining the 
importer's eligibility for participation in VQIP.
    (f) Public notice of revocation of recognition. FDA will provide 
notice on the Web site described in Sec.  1.690 of the issuance of the 
revocation of recognition of an accreditation body and will describe 
the basis for revocation.


Sec.  1.635  What if I want to voluntarily relinquish recognition or do 
not want to renew recognition?

    (a) Notice to FDA of intent to relinquish or not to renew 
recognition. A recognized accreditation body must notify FDA 
electronically, in English, at least 60 days before voluntarily 
relinquishing recognition or before allowing recognition to expire 
without seeking renewal. The recognized accreditation body must provide 
the name and contact information of the custodian who will maintain the 
records required under Sec.  1.625(a) after the date of relinquishment 
or the date recognition expires, as applicable, and make them available 
to FDA as required by Sec.  1.625(b). The contact information for the 
custodian must include, at a minimum, an email address and the physical 
address where the records required by Sec.  1.625(a) will be located.
    (b) Notice to accredited third-party certification bodies of intent 
to relinquish or not to renew recognition. No later than 15 business 
days after notifying FDA under paragraph (a) of this section, the 
recognized accreditation body must notify any currently accredited 
third-party certification body that it intends to relinquish 
recognition or to allow its recognition to expire, specifying the date 
on which relinquishment or expiration will occur. The recognized 
accreditation body must establish and maintain records of such 
notification under Sec.  1.625.
    (c)(1) Effect of voluntary relinquishment or expiration of 
recognition on third-party certification bodies. The accreditation of a 
third-party certification body issued prior to the relinquishment or 
expiration of its accreditation body's recognition will remain in 
effect, so long as the third-party certification body:
    (i) No later than 60 days after the date of relinquishment or the 
date of expiration of the recognition, conducts a self-assessment under 
Sec.  1.655 and reports the results of the self-assessment to FDA under 
Sec.  1.656(b); and
    (ii) No later than 1 year after the date of relinquishment or the 
date of expiration of recognition, or the original date of the 
expiration of the accreditation, whichever comes first, becomes 
accredited by another recognized accreditation body or by FDA through 
direct accreditation.
    (2) FDA may withdraw the accreditation of a third-party 
certification body whenever FDA determines there is good cause for 
withdrawal of accreditation under Sec.  1.664(c).

[[Page 74658]]

    (d) Effect of voluntary relinquishment or expiration of recognition 
of an accreditation body on food or facility certifications issued to 
eligible entities. A food or facility certification issued by a third-
party certification body accredited by a recognized accreditation body 
prior to relinquishment or expiration of its recognition will remain in 
effect until the certification expires. If FDA has reason to believe 
that a certification issued for purposes of section 801(q) or 806 of 
the FD&C Act is not valid or reliable, FDA may refuse to consider the 
certification in determining the admissibility of the article of food 
for which the certification was offered or in determining the 
importer's eligibility for participation in VQIP.
    (e) Public notice of voluntary relinquishment or expiration of 
recognition. FDA will provide notice on the Web site described in Sec.  
1.690 of the voluntary relinquishment or expiration of recognition of 
an accreditation body under this subpart.


Sec.  1.636  How do I request reinstatement of recognition?

    (a) Application following revocation. An accreditation body that 
has had its recognition revoked may seek reinstatement by submitting a 
new application for recognition under Sec.  1.630. The accreditation 
body must submit evidence that the grounds for revocation have been 
resolved, including evidence addressing the cause or conditions that 
were the basis for revocation and identifying measures that have been 
implemented to help ensure that such cause(s) or condition(s) are 
unlikely to recur.
    (b) Application following relinquishment. An accreditation body 
that previously relinquished its recognition under Sec.  1.635 may seek 
recognition by submitting a new application for recognition under Sec.  
1.630.

Accreditation of Third-Party Certification Bodies Under This Subpart


Sec.  1.640  Who is eligible to seek accreditation?

    (a) A foreign government, agency of a foreign government, foreign 
cooperative, or any other third party may seek accreditation from a 
recognized accreditation body (or, where direct accreditation is 
appropriate, FDA) to conduct food safety audits and to issue food and 
facility certifications to eligible entities under this subpart. An 
accredited third-party certification body may use documentation of 
conformance with ISO/IEC 17021: 2011 or ISO/IEC 17065: 2012, 
supplemented as necessary, in meeting the applicable requirements of 
this subpart.
    (b) A foreign government or an agency of a foreign government is 
eligible for accreditation if it can demonstrate that its food safety 
programs, systems, and standards meet the requirements of Sec. Sec.  
1.641 through 1.645.
    (c) A foreign cooperative or other third party is eligible for 
accreditation if it can demonstrate that the training and 
qualifications of its agents used to conduct audits (or, in the case of 
a third-party certification body that is an individual, such 
individual) and its internal systems and standards meet the 
requirements of Sec. Sec.  1.641 through 1.645.


Sec.  1.641  What legal authority must a third-party certification body 
have to qualify for accreditation?

    (a) A third-party certification body seeking accreditation from a 
recognized accreditation body or from FDA must demonstrate that it has 
the authority (as a governmental entity or as a legal entity with 
contractual rights) to perform such examinations of facilities, their 
process(es), and food(s) as are necessary to determine compliance with 
the applicable food safety requirements of the FD&C Act and FDA 
regulations, and conformance with applicable industry standards and 
practices and to issue certifications where appropriate based on a 
review of the findings of such examinations. This includes authority 
to:
    (1) Review any relevant records;
    (2) Conduct onsite audits of an eligible entity; and
    (3) Suspend or withdraw certification for failure to comply with 
applicable requirements.
    (b) A third-party certification body seeking accreditation must 
demonstrate that it is capable of exerting the authority (as a 
governmental entity or as legal entity with contractual rights) 
necessary to meet the applicable requirements of accreditation under 
this subpart if accredited.


Sec.  1.642  What competency and capacity must a third-party 
certification body have to qualify for accreditation?

    A third-party certification body seeking accreditation must 
demonstrate that it has:
    (a) The resources necessary to fully implement its certification 
program, including:
    (1) Adequate numbers of employees and other agents with relevant 
knowledge, skills, and experience to effectively examine for compliance 
with applicable FDA food safety requirements of the FD&C Act and FDA 
regulations, conformance with applicable industry standards and 
practices, and issuance of valid and reliable certifications; and
    (2) Adequate financial resources for its operations; and
    (b) The competency and capacity to meet the applicable requirements 
of this subpart, if accredited.


Sec.  1.643  What protections against conflicts of interest must a 
third-party certification body have to qualify for accreditation?

    A third-party certification body must demonstrate that it has:
    (a) Implemented written measures to protect against conflicts of 
interest between the third-party certification body (and its officers, 
employees, and other agents involved in auditing and certification 
activities) and clients seeking examinations or certification from, or 
audited or certified by, such third-party certification body; and
    (b) The capability to meet the conflict of interest requirements in 
Sec.  1.657, if accredited.


Sec.  1.644  What quality assurance procedures must a third-party 
certification body have to qualify for accreditation?

    A third-party certification body seeking accreditation must 
demonstrate that it has:
    (a) Implemented a written program for monitoring and evaluating the 
performance of its officers, employees, and other agents involved in 
auditing and certification activities, including procedures to:
    (1) Identify deficiencies in its auditing and certification program 
or performance; and
    (2) Quickly execute corrective actions that effectively address any 
identified deficiencies; and
    (b) The capability to meet the quality assurance requirements of 
Sec.  1.655, if accredited.


Sec.  1.645  What records procedures must a third-party certification 
body have to qualify for accreditation?

    A third-party certification body seeking accreditation must 
demonstrate that it:
    (a) Implemented written procedures to establish, control, and 
retain records (including documents and data) for a period of time 
necessary to meet its contractual and legal obligations and to provide 
an adequate basis for evaluating its program and performance; and
    (b) Is capable of meeting the reporting, notification, and records 
requirements of this subpart, if accredited.

[[Page 74659]]

Requirements for Third-Party Certification Bodies That Have Been 
Accredited Under This Subpart


Sec.  1.650  How must an accredited third-party certification body 
ensure its audit agents are competent and objective?

    (a) An accredited third-party certification body that uses audit 
agents to conduct food safety audits must ensure that each such audit 
agent meets the following requirements with respect to the scope of its 
accreditation under this subpart. If the accredited third-party 
certification body is an individual, that individual is also subject to 
the following requirements, as applicable:
    (1) Has relevant knowledge and experience that provides an adequate 
basis for the audit agent to evaluate compliance with applicable food 
safety requirements of the FD&C Act and FDA regulations and, for 
consultative audits, also includes conformance with applicable industry 
standards and practices;
    (2) Has been determined by the accredited third-party certification 
body, through observations of a representative sample of audits, to be 
competent to conduct food safety audits under this subpart relevant to 
the audits they will be assigned to perform;
    (3) Has completed annual food safety training that is relevant to 
activities conducted under this subpart;
    (4) Is in compliance with the conflict of interest requirements of 
Sec.  1.657 and has no other conflicts of interest with the eligible 
entity to be audited that might impair the audit agent's objectivity; 
and
    (5) Agrees to notify its accredited third-party certification body 
immediately upon discovering, during a food safety audit, any condition 
that could cause or contribute to a serious risk to the public health.
    (b) In assigning an audit agent to conduct a food safety audit at a 
particular eligible entity, an accredited third-party certification 
body must determine that the audit agent is qualified to conduct such 
audit under the criteria established in paragraph (a) of this section 
and based on the scope and purpose of the audit and the type of 
facility, its process(es), and food.
    (c) An accredited third-party certification body cannot use an 
audit agent to conduct a regulatory audit at an eligible entity if such 
audit agent conducted a consultative audit or regulatory audit for the 
same eligible entity in the preceding 13 months, except that such 
limitation may be waived if the accredited third-party certification 
body demonstrates to FDA, under Sec.  1.663, there is insufficient 
access to audit agents in the country or region where the eligible 
entity is located. If the accredited third-party certification body is 
an individual, that individual is also subject to such limitations.


Sec.  1.651  How must an accredited third-party certification body 
conduct a food safety audit of an eligible entity?

    (a) Audit planning. Before beginning to conduct a food safety audit 
under this subpart, an accredited third-party certification body must:
    (1) Require the eligible entity seeking a food safety audit to:
    (i) Identify the scope and purpose of the food safety audit, 
including the facility, process(es), or food to be audited; whether the 
food safety audit is to be conducted as a consultative or regulatory 
audit subject to the requirements of this subpart, and if a regulatory 
audit, the type(s) of certification(s) sought; and
    (ii) Provide a 30-day operating schedule for such facility that 
includes information relevant to the scope and purpose of the audit; 
and
    (2) Determine whether the requested audit is within its scope of 
accreditation.
    (b) Authority to audit. In arranging a food safety audit with an 
eligible entity under this subpart, an accredited third-party 
certification body must ensure it has authority, whether contractual or 
otherwise, to:
    (1) Conduct an unannounced audit to determine whether the facility, 
process(es), and food of the eligible entity (within the scope of the 
audit) comply with the applicable food safety requirements of the FD&C 
Act and FDA regulations and, for consultative audits, also includes 
conformance with applicable industry standards and practices;
    (2) Access any records and any area of the facility, process(es), 
and food of the eligible entity relevant to the scope and purpose of 
such audit;
    (3) When, for a regulatory audit, sampling and analysis is 
conducted, the accredited third-party certification body must use a 
laboratory that is accredited in accordance with:
    (i) ISO/IEC 17025:2005; or
    (ii) Another laboratory accreditation standard that provides at 
least a similar level of assurance in the validity and reliability of 
sampling methodologies, analytical methodologies, and analytical 
results.
    (4) Notify FDA immediately if, at any time during a food safety 
audit, the accredited third-party certification body (or its audit 
agent, where applicable) discovers a condition that could cause or 
contribute to a serious risk to the public health and provide 
information required by Sec.  1.656(c);
    (5) Prepare reports of audits conducted under this subpart as 
follows:
    (i) For consultative audits, prepare reports that contain the 
elements specified in Sec.  1.652(a) and maintain such records, subject 
to FDA access in accordance with section 414 of the FD&C Act; and
    (ii) For regulatory audits, prepare reports that contain the 
elements specified in Sec.  1.652(b) and submit them to FDA and to its 
recognized accreditation body (where applicable) under Sec.  1.656(a); 
and
    (6) Allow FDA and the recognized accreditation body that accredited 
such third-party certification body, if any, to observe any food safety 
audit conducted under this subpart for purposes of evaluating the 
accredited third-party certification body's performance under 
Sec. Sec.  1.621 and 1.662 or, where appropriate, the recognized 
accreditation body's performance under Sec. Sec.  1.622 and 1.633.
    (c) Audit protocols. An accredited third-party certification body 
(or its audit agent, where applicable) must conduct a food safety audit 
in a manner consistent with the identified scope and purpose of the 
audit and within the scope of its accreditation.
    (1) With the exception of records review, which may be scheduled, 
the audit must be conducted without announcement during the 30-day 
timeframe identified under paragraph (a)(1)(ii) of this section and 
must be focused on determining whether the facility, its process(es), 
and food are in compliance with applicable food safety requirements of 
the FD&C Act and FDA regulations, and, for consultative audits, also 
includes conformance with applicable industry standards and practices 
that are within the scope of the audit.
    (2) The audit must include records review prior to the onsite 
examination; an onsite examination of the facility, its process(es), 
and the food that results from such process(es); and where appropriate 
or when required by FDA, environmental or product sampling and 
analysis. When, for a regulatory audit, sampling and analysis is 
conducted, the accredited third-party certification body must use a 
laboratory that is accredited in accordance with paragraph (b)(3) of 
this section. The audit may include any other activities necessary to 
determine compliance with applicable food safety requirements of the 
FD&C Act and FDA regulations, and, for consultative audits, also 
includes conformance with

[[Page 74660]]

applicable industry standards and practices.
    (3) The audit must be sufficiently rigorous to allow the accredited 
third-party certification body to determine whether the eligible entity 
is in compliance with the applicable food safety requirements of the 
FD&C Act and FDA regulations, and for consultative audits, also 
includes conformance with applicable industry standards and practices, 
at the time of the audit; and for a regulatory audit, whether the 
eligible entity, given its food safety system and practices would be 
likely to remain in compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations for the duration of 
any certification issued under this subpart. An accredited third-party 
certification body (or its audit agent, where applicable) that 
identifies a deficiency requiring corrective action may verify the 
effectiveness of a corrective action once implemented by the eligible 
entity but must not recommend or provide input to the eligible entity 
in identifying, selecting, or implementing the corrective action.
    (4) Audit observations and other data and information from the 
examination, including information on corrective actions, must be 
documented and must be used to support the findings contained in the 
audit report required by Sec.  1.652 and maintained as a record under 
Sec.  1.658.


Sec.  1.652  What must an accredited third-party certification body 
include in food safety audit reports?

    (a) Consultative audits. An accredited third-party certification 
body must prepare a report of a consultative audit not later than 45 
days after completing such audit and must provide a copy of such report 
to the eligible entity and must maintain such report under Sec.  1.658, 
subject to FDA access in accordance with the requirements of section 
414 of the FD&C Act. A consultative audit report must include:
    (1) The identity of the site or location where the consultative 
audit was conducted, including:
    (i) The name, address and the FDA Establishment Identifier of the 
facility subject to the consultative audit and a unique facility 
identifier, if designated by FDA; and
    (ii) Where applicable, the FDA registration number assigned to the 
facility under subpart H of this part;
    (2) The identity of the eligible entity, if different from the 
facility, including the name, address, the FDA Establishment Identifier 
and unique facility identifier, if designated by FDA, and, where 
applicable, registration number under subpart H of this part;
    (3) The name(s) and telephone number(s) of the person(s) 
responsible for compliance with the applicable food safety requirements 
of the FD&C Act and FDA regulations
    (4) The dates and scope of the consultative audit;
    (5) The process(es) and food(s) observed during such consultative 
audit; and
    (6) Any deficiencies observed that relate to or may influence a 
determination of compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations that require 
corrective action, the corrective action plan, and the date on which 
such corrective actions were completed. Such consultative audit report 
must be maintained as a record under Sec.  1.658 and must be made 
available to FDA in accordance with section 414 of the FD&C Act.
    (b) Regulatory audits. An accredited third-party certification body 
must, no later than 45 days after completing a regulatory audit, 
prepare and submit electronically, in English, to FDA and to its 
recognized accreditation body (or, in the case of direct accreditation, 
only to FDA) and must provide to the eligible entity a report of such 
regulatory audit that includes the following information:
    (1) The identity of the site or location where the regulatory audit 
was conducted, including:
    (i) The name, address, and FDA Establishment Identifier of the 
facility subject to the regulatory audit and a unique facility 
identifier, if designated by FDA; and
    (ii) Where applicable, the FDA registration number assigned to the 
facility under subpart H of this part;
    (2) The identity of the eligible entity, if different from the 
facility, including the name, address, FDA Establishment Identifier, 
and unique facility identifier, if designated by FDA, and, where 
applicable, registration number under subpart H of this part;
    (3) The dates and scope of the regulatory audit;
    (4) The process(es) and food(s) observed during such regulatory 
audit;
    (5) The name(s) and telephone number(s) of the person(s) 
responsible for the facility's compliance with the applicable food 
safety requirements of the FD&C Act and FDA regulations;
    (6) Any deficiencies observed during the regulatory audit that 
present a reasonable probability that the use of or exposure to a 
violative product:
    (i) Will cause serious adverse health consequences or death to 
humans and animals; or
    (ii) May cause temporary or medically reversible adverse health 
consequences or where the probability of serious adverse health 
consequences or death to humans or animals is remote;
    (7) The corrective action plan for addressing each deficiency 
identified under paragraph (b)(6) of this section, unless corrective 
action was implemented immediately and verified onsite by the 
accredited third-party certification body (or its audit agent, where 
applicable);
    (8) Whether any sampling and laboratory analysis (e.g., under a 
microbiological sampling plan) is performed in or used by the facility; 
and
    (9) Whether the eligible entity has made significant changes to the 
facility, its process(es), or food products during the 2 years 
preceding the regulatory audit.
    (c) Submission of regulatory audit report. An accredited third-
party certification body must submit a completed regulatory audit 
report as required by paragraph (b) of this section, regardless of 
whether the certification body issued a food or facility certification 
to the eligible entity.
    (d) Notice and appeals of adverse regulatory audit results. An 
accredited third-party certification body must notify an eligible 
entity of a denial of certification and must establish and implement 
written procedures for receiving and addressing appeals from eligible 
entities challenging such adverse regulatory audit results and for 
investigating and deciding on appeals in a fair and meaningful manner. 
The appeals procedures must provide similar protections to those 
offered by FDA under Sec. Sec.  1.692 and 1.693, including requirements 
to:
    (1) Make the appeals procedures publicly available;
    (2) Use competent persons, who may or may not be external to the 
accredited third-party certification body, who are free from bias or 
prejudice and have not participated in the certification decision or be 
subordinate to a person who has participated in the certification 
decision, to investigate and decide appeals;
    (3) Advise the eligible entity of the final decision on its appeal; 
and
    (4) Maintain records under Sec.  1.658 of the appeal, the final 
decision, and the basis for such decision.


Sec.  1.653  What must an accredited third-party certification body do 
when issuing food or facility certifications?

    (a) Basis for issuance of a food or facility certification. (1) 
Prior to issuing a food or facility certification to an eligible 
entity, an accredited third-party

[[Page 74661]]

certification body (or, where applicable, an audit agent on its behalf) 
must complete a regulatory audit that meets the requirements of Sec.  
1.651 and any other activities that may be necessary to determine 
compliance with the applicable food safety requirements of the FD&C Act 
and FDA regulations.
    (2) If, as a result of an observation during a regulatory audit, an 
eligible entity must implement a corrective action plan to address a 
deficiency, an accredited third-party certification body may not issue 
a food or facility certification to such entity until after the 
accredited third-party certification body verifies that eligible entity 
has implemented the corrective action plan through methods that 
reliably verify the corrective action was taken and as a result the 
identified deficiency is unlikely to recur, except onsite verification 
is required for corrective actions required to address deficiencies 
that are the subject of a notification under Sec.  1.656(c).
    (3) An accredited third-party certification body must consider each 
observation and the data and other information from a regulatory audit 
and other activities conducted under Sec.  1.651 to determine whether 
the entity was in compliance with the applicable food safety 
requirements of the FD&C Act and FDA regulations at the time of the 
audit and whether the eligible entity, given its food safety system and 
practices, would be likely to remain in compliance for the duration of 
any certification issued under this subpart.
    (4) A single regulatory audit may result in issuance of one or more 
food or facility certifications under this subpart, provided that the 
requirements of issuance are met as to each such certification.
    (5) Where an accredited third-party certification body uses an 
audit agent to conduct a regulatory audit of an eligible entity under 
this subpart, the accredited third-party certification body (and not 
the audit agent) must make the determination whether to issue a food or 
facility certification based on the results of such regulatory audit.
    (b) Issuance of a food or facility certification and submission to 
FDA. (1) Any food or facility certification issued under this subpart 
must be submitted to FDA electronically and in English. The accredited 
third-party certification body may issue a food or facility 
certification under this subpart for a term of up to 12 months.
    (2) A food or facility certification must contain, at a minimum, 
the following elements:
    (i) The name and address of the accredited third-party 
certification body and the scope and date of its accreditation under 
this subpart;
    (ii) The name, address, FDA Establishment Identifier, and unique 
facility identifier, if designated by FDA, of the eligible entity to 
which the food or facility certification was issued;
    (iii) The name, address, FDA Establishment Identifier, and unique 
facility identifier, if designated by FDA, of the facility where the 
regulatory audit was conducted, if different than the eligible entity;
    (iv) The scope and date(s) of the regulatory audit and the 
certification number;
    (v) The name of the audit agent(s) (where applicable) conducting 
the regulatory audit; and
    (vi) The scope of the food or facility certification, date of 
issuance, and date of expiration.
    (3) FDA may refuse to accept any certification for purposes of 
section 801(q) or 806 of the FD&C Act, if FDA determines, that such 
food or facility certification is not valid or reliable because, for 
example:
    (i) The certification is offered in support of the admissibility of 
a food that was not within the scope of the certification;
    (ii) The certification was issued by an accredited third-party 
certification body acting outside the scope of its accreditation under 
this subpart; or
    (iii) The certification was issued without reliable demonstration 
that the requirements of paragraph (a) of this section were met.


Sec.  1.654  When must an accredited third-party certification body 
monitor an eligible entity that it has issued a food or facility 
certification?

    If an accredited third-party certification body has reason to 
believe that an eligible entity to which it issued a food or facility 
certification may no longer be in compliance with the applicable food 
safety requirements of the FD&C Act and FDA regulations, the accredited 
third-party certification body must conduct any monitoring (including 
an onsite audit) of such eligible entity necessary to determine whether 
the entity is in compliance with such requirements. The accredited 
third-party certification body must immediately notify FDA, under Sec.  
1.656(d), if it withdraws or suspends a food or facility certification 
because it determines that the entity is no longer in compliance with 
the applicable food safety requirements of the FD&C Act and FDA 
regulations. The accredited third-party certification body must 
maintain records of such monitoring under Sec.  1.658.


Sec.  1.655  How must an accredited third-party certification body 
monitor its own performance?

    (a) An accredited third-party certification body must annually, 
upon FDA request made for cause, or as required under Sec.  
1.631(f)(1)(i), Sec.  1.634(d)(1)(i), or Sec.  1.635(c)(1)(i), conduct 
a self-assessment that includes evaluation of compliance with this 
subpart, including:
    (1) The performance of its officers, employees, or other agents 
involved in auditing and certification activities, including the 
performance of audit agents in examining facilities, process(es), and 
food using the applicable food safety requirements of the FD&C Act and 
FDA regulations;
    (2) The degree of consistency among its officers, employees, or 
other agents involved in auditing and certification activities, 
including evaluating whether its audit agents interpreted audit 
protocols in a consistent manner;
    (3) The compliance of the accredited third-party certification body 
and its officers, employees, and other agents involved in auditing and 
certification activities, with the conflict of interest requirements of 
Sec.  1.657;
    (4) Actions taken in response to the results of any assessments 
conducted by FDA or, where applicable, the recognized accreditation 
body under Sec.  1.621; and
    (5) As requested by FDA, any other aspects of its performance 
relevant to a determination of whether the accredited third-party 
certification body is in compliance with this subpart.
    (b) As a means to assess its performance, the accredited third-
party certification body may evaluate the compliance of one or more of 
eligible entities to which a food or facility certification was issued 
under this subpart.
    (c) Based on the assessments and evaluations conducted under 
paragraphs (a) and (b) of this section, the accredited third-party 
certification body must:
    (1) Identify any deficiencies in complying with the requirements of 
this subpart;
    (2) Quickly implement corrective action(s) that effectively address 
the identified deficiencies; and
    (3) Under Sec.  1.658, establish and maintain records of such 
corrective action(s).
    (d) The accredited third-party certification body must prepare a 
written report of the results of its self-assessment that includes:
    (1) A description of any corrective action(s) taken under paragraph 
(c) of this section;

[[Page 74662]]

    (2) A statement disclosing the extent to which the accredited 
third-party certification body, and its officers, employees, and other 
agents involved in auditing and certification activities, complied with 
the conflict of interest requirements in Sec.  1.657; and
    (3) A statement attesting to the extent to which the accredited 
third-party certification body complied with the applicable 
requirements of this subpart.
    (e) An accredited third-party certification body may use a report, 
supplemented as necessary, on its conformance to ISO/IEC 17021: 2011 or 
ISO/IEC 17065: 2012 in meeting the requirements of this section.


Sec.  1.656  What reports and notifications must an accredited third-
party certification body submit?

    (a) Reporting results of regulatory audits. An accredited third-
party certification body must submit a regulatory audit report, as 
described in Sec.  1.652(b), electronically, in English, to FDA and to 
the recognized accreditation body that granted its accreditation (where 
applicable), no later than 45 days after completing such audit.
    (b) Reporting results of accredited third-party certification body 
self-assessments. An accredited third-party certification body must 
submit the report of its annual self-assessment required by Sec.  1.655 
electronically to its recognized accreditation body (or, in the case of 
direct accreditation, electronically and in English, to FDA), within 45 
days of the anniversary date of its accreditation under this subpart. 
For an accredited third-party certification body subject to an FDA 
request for cause, or Sec.  1.631(f)(1)(i), Sec.  1.634(d)(1)(i), or 
Sec.  1.635(c)(1)(i), the report of its self-assessment must be 
submitted to FDA electronically, in English, within 60 days of the FDA 
request, denial of renewal, revocation, or relinquishment of 
recognition of the accreditation body that granted its accreditation. 
Such report must include an up-to-date list of any audit agents it uses 
to conduct audits under this subpart.
    (c) Notification to FDA of a serious risk to public health. An 
accredited third-party certification body must immediately notify FDA 
electronically, in English, if during a regulatory or consultative 
audit, any of its audit agents or the accredited third-party 
certification body itself discovers a condition that could cause or 
contribute to a serious risk to the public health, providing the 
following information:
    (1) The name, physical address, and unique facility identifier, if 
designated by FDA, of the eligible entity subject to the audit, and, 
where applicable, the registration number under subpart H of this part;
    (2) The name, physical address, and unique facility identifier, if 
designated by FDA, of the facility where the condition was discovered 
(if different from that of the eligible entity) and, where applicable, 
the registration number assigned to the facility under subpart H of 
this part; and
    (3) The condition for which notification is submitted.
    (d) Immediate notification to FDA of withdrawal or suspension of a 
food or facility certification. An accredited third-party certification 
body must notify FDA electronically, in English, immediately upon 
withdrawing or suspending any food or facility certification of an 
eligible entity and the basis for such action.
    (e) Notification to its recognized accreditation body or an 
eligible entity. (1) After notifying FDA under paragraph (c) of this 
section, an accredited third-party certification body must immediately 
notify the eligible entity of such condition and must immediately 
thereafter notify the recognized accreditation body that granted its 
accreditation, except for third-party certification bodies directly 
accredited by FDA. Where feasible and reliable, the accredited third-
party certification body may contemporaneously notify its recognized 
accreditation body and/or the eligible entity when notifying FDA.
    (2) An accredited third-party certification body must notify its 
recognized accreditation body (or, in the case of direct accreditation, 
FDA) electronically, in English, within 30 days after making any 
significant change that would affect the manner in which it complies 
with the requirements of this subpart and must include with such 
notification the following information:
    (i) A description of the change; and
    (ii) An explanation for the purpose of the change.


Sec.  1.657  How must an accredited third-party certification body 
protect against conflicts of interest?

    (a) An accredited third-party certification body must implement a 
written program to protect against conflicts of interest between the 
accredited third-party certification body (and its officers, employees, 
and other agents involved in auditing and certification activities) and 
an eligible entity seeking a food safety audit or food or facility 
certification from, or audited or certified by, such accredited third-
party certification body, including the following:
    (1) Ensuring that the accredited third-party certification body and 
its officers, employees, or other agents involved in auditing and 
certification activities do not own, operate, have a financial interest 
in, manage, or otherwise control an eligible entity to be certified, or 
any affiliate, parent, or subsidiary of the entity;
    (2) Ensuring that the accredited third-party certification body 
and, its officers, employees, or other agents involved in auditing and 
certification activities are not owned, managed, or controlled by any 
person that owns or operates an eligible entity to be certified;
    (3) Ensuring that an audit agent of the accredited third-party 
certification body does not own, operate, have a financial interest in, 
manage, or otherwise control an eligible entity or any affiliate, 
parent, or subsidiary of the entity that is subject to a consultative 
or regulatory audit by the audit agent; and
    (4) Prohibiting an accredited third-party certification body's 
officer, employee, or other agent involved in auditing and 
certification activities from accepting any money, gift, gratuity, or 
other item of value from the eligible entity to be audited or certified 
under this subpart.
    (5) The items specified in paragraph (a)(4) of this section do not 
include:
    (i) Money representing payment of fees for auditing and 
certification services and reimbursement of direct costs associated 
with an onsite audit by the third-party certification body; or
    (ii) Lunch of de minimis value provided during the course of an 
audit and on the premises where the audit is conducted, if necessary to 
facilitate the efficient conduct of the audit.
    (b) An accredited third-party certification body may accept the 
payment of fees for auditing and certification services and the 
reimbursement of direct costs associated with an audit of an eligible 
entity only after the date on which the report of such audit was 
completed or the date a food or facility certification was issued, 
whichever is later. Such payment is not considered a conflict of 
interest for purposes of paragraph (a) of this section.
    (c) The financial interests of the spouses and children younger 
than 18 years of age of accredited third-party certification body's 
officers, employees, and other agents involved in auditing and 
certification activities will be considered the financial interests of 
such officers, employees, and other agents involved in auditing and 
certification activities.
    (d) An accredited third-party certification body must maintain on 
its Web site an up-to-date list of the eligible

[[Page 74663]]

entities to which it has issued food or facility certifications under 
this subpart. For each such eligible entity, the Web site also must 
identify the duration and scope of the food or facility certification 
and date(s) on which the eligible entity paid the accredited third-
party certification body any fee or reimbursement associated with such 
audit or certification.


Sec.  1.658  What records requirements must a third-party certification 
body that has been accredited meet?

    (a) A third-party certification body that has been accredited must 
maintain electronically for 4 years records created during its period 
of accreditation (including documents and data) that document 
compliance with this subpart, including:
    (1) Any audit report and other documents resulting from a 
consultative audit conducted under this subpart, including the audit 
agent's observations, correspondence with the eligible entity, 
verification of any corrective action(s) taken to address deficiencies 
identified during the audit;
    (2) Any request for a regulatory audit from an eligible entity;
    (3) Any audit report and other documents resulting from a 
regulatory audit conducted under this subpart, including the audit 
agent's observations, correspondence with the eligible entity, 
verification of any corrective action(s) taken to address deficiencies 
identified during the audit, and, when sampling and analysis is 
conducted, laboratory testing records and results from a laboratory 
that is accredited in accordance with Sec.  1.651(b)(3), and 
documentation demonstrating such laboratory is accredited in accordance 
with Sec.  1.651(b)(3);
    (4) Any notification submitted by an audit agent to the accredited 
third-party certification body in accordance with Sec.  1.650(a)(5);
    (5) Any challenge to an adverse regulatory audit decision and the 
disposition of the challenge;
    (6) Any monitoring it conducted of an eligible entity to which food 
or facility certification was issued;
    (7) Its self-assessments and corrective actions taken to address 
any deficiencies identified during a self-assessment; and
    (8) Significant changes to its auditing or certification program 
that might affect compliance with this subpart.
    (b) An accredited third-party certification body must make the 
records of a consultative audit required by paragraph (a)(1) of this 
section available to FDA in accordance with section 414 of the FD&C 
Act.
    (c) An accredited third-party certification body must make the 
records required by paragraphs (a)(2) through (8) of this section 
available for inspection and copying promptly upon written request of 
an authorized FDA officer or employee at the place of business of the 
accredited third-party certification body or at a reasonably accessible 
location. If such records are requested by FDA electronically, the 
records must be submitted electronically not later than 10 business 
days after the date of the request. Additionally, if the records are 
maintained in a language other than English, an accredited third-party 
certification body must electronically submit an English translation 
within a reasonable time.

Procedures for Accreditation of Third-Party Certification Bodies Under 
This Subpart


Sec.  1.660  Where do I apply for accreditation or renewal of 
accreditation by a recognized accreditation body and what happens once 
the recognized accreditation body decides on my application?

    (a) Submission of accreditation or renewal application to a 
recognized accreditation body. A third-party certification body seeking 
accreditation must submit its request for accreditation or renewal of 
accreditation by a recognized accreditation body identified on the Web 
site described in Sec.  1.690.
    (b) Notice of records custodian after denial of application for 
renewal of accreditation. An applicant whose renewal application was 
denied by a recognized accreditation body must notify FDA 
electronically, in English, within 10 business days of the date of 
issuance of a denial of accreditation or denial of the renewal 
application, of the name and contact information of the custodian who 
will maintain the records required by Sec.  1.658(a) and make them 
available to FDA as required by Sec.  1.658(b) and (c). The contact 
information for the custodian must include, at a minimum, an email 
address and the physical address where the records required by Sec.  
1.658(a) will be located.
    (c) Effect of denial of an application for renewal of accreditation 
on food or facility certifications issued to eligible entities. A food 
or facility certification issued by an accredited third-party 
certification body prior to issuance of the denial of its renewal 
application l will remain in effect until the certification expires. If 
FDA has reason to believe that a certification issued for purposes of 
section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may 
refuse to consider the certification in determining the admissibility 
of the article of food for which the certification was offered or in 
determining the importer's eligibility for participation in VQIP.
    (d) Public notice of denial of an application for renewal of 
accreditation. FDA will provide notice on the Web site described in 
Sec.  1.690 of the date of issuance of a denial of renewal of 
accreditation of a third-party certification body that had previous 
been accredited.


Sec.  1.661  What is the duration of accreditation by a recognized 
accreditation body?

    A recognized accreditation body may grant accreditation to a third-
party certification body under this subpart for a period not to exceed 
4 years.


Sec.  1.662  How will FDA monitor accredited third-party certification 
bodies?

    (a) FDA will periodically evaluate the performance of each 
accredited third-party certification body to determine whether the 
accredited third-party certification body continues to comply with the 
applicable requirements of this subpart and whether there are 
deficiencies in the performance of the accredited third-party 
certification body that, if not corrected, would warrant withdrawal of 
its accreditation under Sec.  1.664. FDA will evaluate each directly 
accredited third-party certification body annually. For a third-party 
certification body accredited by a recognized accreditation body, FDA 
will evaluate an accredited third-party certification body not later 
than 3 years after the date of accreditation for a 4-year term of 
accreditation, or by no later than the mid-term point for accreditation 
granted for less than 4 years. FDA may conduct additional performance 
assessments of an accredited third-party certification body at any 
time.
    (b) In evaluating the performance of an accredited third-party 
certification body under paragraph (a) of this section, FDA may review 
any one or more of the following:
    (1) Regulatory audit reports and food and facility certifications;
    (2) The accredited third-party certification body's self-
assessments under Sec.  1.655;
    (3) Reports of assessments by a recognized accreditation body under 
Sec.  1.621;
    (4) Documents and other information relevant to a determination of 
the accredited third-party certification body's compliance with the 
applicable requirements of this subpart; and
    (5) Information obtained by FDA, including during inspections, 
audits,

[[Page 74664]]

onsite observations, or investigations, of one or more eligible 
entities to which a food or facility certification was issued by such 
accredited third-party certification body.
    (c) FDA may conduct its evaluation of an accredited third-party 
certification body through a site visit to an accredited third-party 
certification body's headquarters (or other location that manages audit 
agents conducting food safety audits under this subpart, if different 
than its headquarters), through onsite observation of an accredited 
third party certification body's performance during a food safety audit 
of an eligible entity, or through document review.


Sec.  1.663  How do I request an FDA waiver or waiver extension for the 
13-month limit for audit agents conducting regulatory audits?

    (a) An accredited third-party certification body may submit a 
request to FDA to waive the requirements of Sec.  1.650(c) preventing 
an audit agent from conducting a regulatory audit of an eligible entity 
if the audit agent (or, in the case that the third-party certification 
body is an individual, the third-party certification body) has 
conducted a food safety audit of such entity during the previous 13 
months. The accredited third-party certification body seeking a waiver 
or waiver extension must demonstrate there is insufficient access to 
audit agents and any third-party certification bodies that are 
comprised of an individual in the country or region where the eligible 
entity is located.
    (b) Requests for a waiver or waiver extension and all documents 
provided in support of the request must be submitted to FDA 
electronically, in English. The requestor must provide such translation 
and interpretation services as are needed by FDA to process the 
request.
    (c) The request must be signed by the requestor or by any 
individual authorized to act on behalf of the requestor for purposes of 
seeking such waiver or waiver extension.
    (d) FDA will review requests for waivers and waiver extensions on a 
first in, first out basis according to the date on which the completed 
submission is received; however, FDA may prioritize the review of 
specific requests to meet the needs of the program. FDA will evaluate 
any completed waiver request to determine whether the criteria for 
waiver have been met.
    (e) FDA will notify the requestor whether the request for a waiver 
or waiver extension is approved or denied.
    (f) If FDA approves the request, issuance of the waiver will state 
the duration of the waiver and list any limitations associated with it. 
If FDA denies the request, the issuance of a denial of a waiver request 
will state the basis for denial and will provide the address and 
procedures for requesting reconsideration of the request under Sec.  
1.691.
    (g) Unless FDA notifies a requestor that its waiver request has 
been approved, an accredited third-party certification body must not 
use the audit agent to conduct a regulatory audit of such eligible 
entity until the 13-month limit in Sec.  1.650(c) has elapsed.


Sec.  1.664  When would FDA withdraw accreditation?

    (a) Mandatory withdrawal. FDA will withdraw accreditation from a 
third-party certification body:
    (1) Except as provided in paragraph (b) of this section, if the 
food or facility certified under this subpart is linked to an outbreak 
of foodborne illness or chemical or physical hazard that has a 
reasonable probability of causing serious adverse health consequences 
or death in humans or animals;
    (2) Following an evaluation and finding by FDA that the third-party 
certification body no longer complies with the applicable requirements 
of this subpart; or
    (3) Following its refusal to allow FDA to access records under 
Sec.  1.658 or to conduct an audit, assessment, or investigation 
necessary to ensure continued compliance with this subpart.
    (b) Exception. FDA may waive mandatory withdrawal under paragraph 
(a)(1) of this section, if FDA:
    (1) Conducts an investigation of the material facts related to the 
outbreak of human or animal illness;
    (2) Reviews the relevant audit records and the actions taken by the 
accredited third-party certification body in support of its decision to 
certify; and
    (3) Determines that the accredited third-party certification body 
satisfied the requirements for issuance of certification under this 
subpart.
    (c) Discretionary withdrawal. FDA may withdraw accreditation, in 
whole or in part, from a third-party certification body when such 
third-party certification body is accredited by an accreditation body 
for which recognition is revoked under Sec.  1.634, if FDA determines 
there is good cause for withdrawal, including:
    (1) Demonstrated bias or lack of objectivity when conducting 
activities under this subpart; or
    (2) Performance that calls into question the validity or 
reliability of its food safety audits or certifications.
    (d) Records access. FDA may request records of the accredited 
third-party certification body under Sec.  1.658 and, where applicable, 
may request records under Sec.  1.625 of an accreditation body that has 
been recognized under Sec.  1.625, when considering withdrawal under 
paragraph (a)(1), (a)(2), or (c) of this section.
    (e) Notice to the third-party certification body of withdrawal of 
accreditation. (1) FDA will notify a third-party certification body of 
the withdrawal of its accreditation through issuance of a withdrawal 
that will state the grounds for withdrawal, the procedures for 
requesting a regulatory hearing under Sec.  1.693 on the withdrawal, 
and the procedures for requesting reaccreditation under Sec.  1.666.
    (2) Within 10 business days of the date of issuance of the 
withdrawal, the third-party certification body must notify FDA 
electronically, in English, of the name of the custodian who will 
maintain the records required by Sec.  1.658, and provide contact 
information for the custodian, which will at least include an email 
address, and the street address where the records will be located.
    (f) Effect of withdrawal of accreditation on eligible entities. A 
food or facility certification issued by a third-party certification 
body prior to withdrawal will remain in effect until the certification 
terminates by expiration. If FDA has reason to believe that a 
certification issued for purposes of section 801(q) or 806 of the FD&C 
Act is not valid or reliable, FDA may refuse to consider the 
certification in determining the admissibility of the article of food 
for which the certification was offered or in determining the 
importer's eligibility for participation in VQIP.
    (g) Effect of withdrawal of accreditation on recognized 
accreditation bodies. (1) FDA will notify a recognized accreditation 
body if the accreditation of a third-party certification body it 
accredited is withdrawn by FDA. Such accreditation body's recognition 
will remain in effect if, no later than 60 days after withdrawal, the 
accreditation body conducts a self-assessment under Sec.  1.622 and 
reports the results of the self-assessment to FDA as required by Sec.  
1.623(b).
    (2) FDA may revoke the recognition of an accreditation body 
whenever FDA determines there is good cause for revocation of 
recognition under Sec.  1.634.
    (h) Public notice of withdrawal accreditation. FDA will provide 
notice on the Web site described in Sec.  1.690 of its withdrawal of 
accreditation of a third-party certification body and

[[Page 74665]]

provide a description of the basis for withdrawal.


Sec.  1.665  What if I want to voluntarily relinquish accreditation or 
do not want to renew accreditation?

    (a) Notice to FDA of intent to relinquish or not to renew 
accreditation. A third-party certification body must notify FDA 
electronically, in English, at least 60 days before voluntarily 
relinquishing accreditation or before allowing accreditation to expire 
without seeking renewal. The certification body must provide the name 
and contact information of the custodian who will maintain the records 
required under Sec.  1.658(a) after the date of relinquishment or the 
date accreditation expires, as applicable, and make them available to 
FDA as required by Sec.  1.658(b) and (c). The contact information for 
the custodian must include, at a minimum, an email address and the 
physical address where the records required by Sec.  1.658(a) will be 
located.
    (b) Notice to recognized accreditation body and eligible entities 
of intent to relinquish or not to renew accreditation. No later than 15 
business days after notifying FDA under paragraph (a) of this section, 
the certification body must notify its recognized accreditation body 
and any eligible entity with current certifications that it intends to 
relinquish accreditation or to allow its accreditation to expire, 
specifying the date on which relinquishment or expiration will occur. 
The recognized accreditation body must establish and maintain records 
of such notification under Sec.  1.625(a).
    (c) Effect of voluntary relinquishment or expiration of 
accreditation on food or facility certifications issued to eligible 
entities. A food or facility certification issued by a third-party 
certification body prior to relinquishment or expiration of its 
accreditation will remain in effect until the certification expires. If 
FDA has reason to believe that a certification issued for purposes of 
section 801(q) or 806 of the FD&C Act is not valid or reliable, FDA may 
refuse to consider the certification in determining the admissibility 
of the article of food for which the certification was offered or in 
determining the importer's eligibility for participation in VQIP.
    (d) Public notice of voluntary relinquishment or expiration of 
accreditation. FDA will provide notice on the Web site described in 
Sec.  1.690 of the voluntary relinquishment or expiration of 
accreditation of a certification body under this subpart.


Sec.  1.666  How do I request reaccreditation?

    (a) Application following withdrawal. FDA will reinstate the 
accreditation of a third-party certification body for which it has 
withdrawn accreditation:
    (1) If, in the case of direct accreditation, FDA determines, based 
on evidence presented by the third-party certification body, that the 
third-party certification body satisfies the applicable requirements of 
this subpart and adequate grounds for withdrawal no longer exist; or
    (2) In the case of a third-party certification body accredited by 
an accreditation body for which recognition has been revoked under 
Sec.  1.634:
    (i) If the third-party certification body becomes accredited by 
another recognized accreditation body or by FDA through direct 
accreditation no later than 1 year after withdrawal of accreditation, 
or the original date of the expiration of accreditation, whichever 
comes first; or
    (ii) Under such conditions as FDA may impose in withdrawing 
accreditation.
    (b) Application following voluntary relinquishment. A third-party 
certification body that previously relinquished its accreditation under 
Sec.  1.665 may seek accreditation by submitting a new application for 
accreditation under Sec.  1.660 or, where applicable, Sec.  1.670.

Additional Procedures for Direct Accreditation of Third-Party 
Certification Bodies Under This Subpart


Sec.  1.670  How do I apply to FDA for direct accreditation or renewal 
of direct accreditation?

    (a) Eligibility. (1) FDA will accept applications from third-party 
certification bodies for direct accreditation or renewal of direct 
accreditation only if FDA determines that it has not identified and 
recognized an accreditation body to meet the requirements of section 
808 of the FD&C Act within 2 years after establishing the accredited 
third-party audits and certification program. Such FDA determination 
may apply, as appropriate, to specific types of third-party 
certification bodies, types of expertise, or geographic location; or 
through identification by FDA of any requirements of section 808 of the 
FD&C Act not otherwise met by previously recognized accreditation 
bodies. FDA will only accept applications for direct accreditation and 
renewal applications that are within the scope of the determination.
    (2) FDA may revoke or modify a determination under paragraph (a)(1) 
of this section if FDA subsequently identifies and recognizes an 
accreditation body that affects such determination.
    (3) FDA will provide notice on the Web site described in Sec.  
1.690 of a determination under paragraph (a)(1) of this section and of 
a revocation or modification of the determination under paragraph 
(a)(1) of this section, as described in paragraph (a)(2) of this 
section.
    (b) Application for direct accreditation or renewal of direct 
accreditation. (1) A third-party certification body seeking direct 
accreditation or renewal of direct accreditation must submit an 
application to FDA, demonstrating that it is within the scope of the 
determination issued under paragraph (a)(1) of this section, and it 
meets the eligibility requirements of Sec.  1.640.
    (2) Applications and all documents provided as part of the 
application process must be submitted electronically, in English. An 
applicant must provide such translation and interpretation services as 
are needed by FDA to process the application, including during an 
onsite audit of the applicant.
    (3) The application must be signed in the manner designated by FDA 
by an individual authorized to act on behalf of the applicant for 
purposes of seeking or renewing direct accreditation.


Sec.  1.671  How will FDA review my application for direct 
accreditation or renewal of direct accreditation and what happens once 
FDA decides on my application?

    (a) Review of a direct accreditation or renewal application. FDA 
will examine a third-party certification body's direct accreditation or 
renewal application for completeness and notify the applicant of any 
deficiencies. FDA will review applications for direct accreditation and 
for renewal of direct accreditation on a first in, first out basis 
according to the date the completed submission is received; however, 
FDA may prioritize the review of specific applications to meet the 
needs of the program.
    (b) Evaluation of a direct accreditation or renewal application. 
FDA will evaluate any completed application to determine whether the 
applicant meets the requirements for direct accreditation under this 
subpart. If FDA does not reach a final decision on a renewal 
application before the expiration of the direct accreditation, FDA may 
extend the duration of such direct accreditation for a specified

[[Page 74666]]

period of time or until the Agency reaches a final decision on the 
renewal application.
    (c) Notice of approval or denial. FDA will notify the applicant 
that its direct accreditation or renewal application has been approved 
through issuance of or denied.
    (d) Issuance of direct accreditation. If an application has been 
approved, the issuance of the direct accreditation that will list any 
limitations associated with the accreditation.
    (e) Issuance of denial of direct accreditation. If FDA issues a 
denial of direct accreditation or denial of a renewal application, the 
issuance of the denial of direct accreditation will state the basis for 
such denial and provide the procedures for requesting reconsideration 
of the application under Sec.  1.691.
    (f) Notice of records custodian after denial of application for 
renewal of direct accreditation. An applicant whose renewal application 
was denied must notify FDA electronically, in English, within 10 
business days of the date of issuance of a denial of a renewal 
application, of the name and contact information of the custodian who 
will maintain the records required by Sec.  1.658(a) and make them 
available to FDA as required by Sec.  1.658(b) and (c). The contact 
information for the custodian must include, at a minimum, an email 
address and the physical address where the records required by Sec.  
1.658(b) will be located.
    (g) Effect of denial of renewal of direct accreditation on food or 
facility certifications issued to eligible entities. A food or facility 
certification issued by an accredited third-party certification body 
prior to issuance of the denial of its renewal application will remain 
in effect until the certification expires. If FDA has reason to believe 
that a certification issued for purposes of section 801(q) or 806 of 
the FD&C Act is not valid or reliable, FDA may refuse to consider the 
certification in determining the admissibility of the article of food 
for which the certification was offered or in determining the 
importer's eligibility for participation in VQIP.
    (h) Public notice of denial of renewal of direct accreditation. FDA 
will provide notice on the Web site described in Sec.  1.690 of the 
issuance of a denial of renewal application for direct accreditation 
under this subpart.


Sec.  1.672  What is the duration of direct accreditation?

    FDA will grant direct accreditation of a third-party certification 
body for a period not to exceed 4 years.

Requirements for Eligible Entities Under This Subpart


Sec.  1.680  How and when will FDA monitor eligible entities?

    FDA may, at any time, conduct an onsite audit of an eligible entity 
that has received food or facility certification from an accredited 
third-party certification body under this subpart. Where FDA determines 
necessary or appropriate, the unannounced audit may be conducted with 
or without the accredited third-party certification body or the 
recognized accreditation body (where applicable) present. An FDA audit 
conducted under this section will be conducted on an unannounced basis 
and may be preceded by a request for a 30-day operating schedule.


Sec.  1.681  How frequently must eligible entities be recertified?

    An eligible entity seeking recertification of a food or facility 
certification under this subpart must apply for recertification prior 
to the expiration of its certification. For certifications used in 
meeting the requirements of section 801(q) or 806 of the FD&C Act, FDA 
may require an eligible entity to apply for recertification at any time 
FDA determines appropriate under such section.

General Requirements of This Subpart


Sec.  1.690  How will FDA make information about recognized 
accreditation bodies and accredited third-party certification bodies 
available to the public?

    FDA will place on its Web site a registry of recognized 
accreditation bodies and accredited third-party certification bodies, 
including the name, contact information, and scope and duration of 
recognition or accreditation. The registry may provide information on 
third-party certification bodies accredited by recognized accreditation 
bodies through links to the Web sites of such recognized accreditation 
bodies. FDA will also place on its Web site a list of accreditation 
bodies for which it has denied renewal of recognition, for which FDA 
has revoked recognition, and that have relinquished their recognition 
or have allowed their recognition to expire. FDA will also place in its 
Web site a list of certification bodies whose renewal of accreditation 
has been denied, for which FDA has withdrawn accreditation, and that 
have relinquished their accreditations or have allowed their 
accreditations to expire. FDA will place on its Web site determinations 
under Sec.  1.670(a)(1) and modifications of such determinations under 
Sec.  1.670(a)(2).


Sec.  1.691  How do I request reconsideration of a denial by FDA of an 
application or a waiver request?

    (a) An accreditation body may seek reconsideration of the denial of 
an application for recognition, renewal of recognition, or 
reinstatement of recognition no later than 10 business days after the 
date of the issuance of such denial.
    (b) A third-party certification body may seek reconsideration of 
the denial of an application for direct accreditation, renewal of 
direct accreditation, reaccreditation of directly accredited third-
party certification body, a request for a waiver of the conflict of 
interest requirement in Sec.  1.650(b), or a waiver extension no later 
than 10 business days after the date of the issuance of such denial.
    (c) A request to reconsider an application or waiver request under 
paragraph (a) or (b) of this section must be signed by the requestor or 
by an individual authorized to act on its behalf in submitting the 
request for reconsideration. The request must be submitted 
electronically in English and must comply with the procedures described 
in the notice.
    (d) After completing its review and evaluation of the request for 
reconsideration, FDA will notify the requestor through the issuance of 
the recognition, direct accreditation, or waiver upon reconsideration 
or through the issuance of a denial of the application or waiver 
request under paragraph (a) or (b) of this section upon 
reconsideration.


Sec.  1.692  How do I request internal agency review of a denial of an 
application or waiver request upon reconsideration?

    (a) No later than 10 business days after the date of issuance of a 
denial of an application or waiver request upon reconsideration under 
Sec.  1.691, the requestor may seek internal agency review of such 
denial under Sec.  10.75(c)(1) of this chapter.
    (b) The request for internal agency review under paragraph (a) of 
this section must be signed by the requestor or by an individual 
authorized to act on its behalf in submitting the request for internal 
review. The request must be submitted electronically in English to the 
address specified in the denial upon reconsideration and must comply 
with procedures it describes.
    (c) Under Sec.  10.75(d) of this chapter, internal agency review of 
such denial must be based on the information in the administrative 
file, which will include any supporting information submitted under 
Sec.  1.691(c).

[[Page 74667]]

    (d) After completing the review and evaluation of the 
administrative file, FDA will notify the requestor of its decision to 
overturn the denial and grant the application or waiver request through 
issuance of an application or waiver request upon reconsideration or to 
affirm the denial of the application or waiver request upon 
reconsideration through issuance of a denial of an application or 
waiver request upon reconsideration.
    (e) Issuance by FDA of a denial of an application or waiver request 
upon reconsideration constitutes final agency action under 5 U.S.C. 
702.


Sec.  1.693  How do I request a regulatory hearing on a revocation of 
recognition or withdrawal of accreditation?

    (a) Request for hearing on revocation. No later than 10 business 
days after the date of issuance of a revocation of recognition of an 
accreditation body under Sec.  1.634, an individual authorized to act 
on the accreditation body's behalf may submit a request for a 
regulatory hearing on the revocation under part 16 of this chapter. The 
issuance of revocation issued under Sec.  1.634 will contain all of the 
elements required by Sec.  16.22 of this chapter and will thereby 
constitute the notice of an opportunity for hearing under part 16 of 
this chapter.
    (b) Request for hearing on withdrawal. No later than 10 business 
days after the date of issuance of a withdrawal of accreditation of a 
third-party certification body under Sec.  1.664, an individual 
authorized to act on the third-party certification body's behalf may 
submit a request for a regulatory hearing on the withdrawal under part 
16 of this chapter. The issuance of withdrawal under Sec.  1.664 will 
contain all of the elements required by Sec.  16.22 of this chapter and 
will thereby constitute the notice of opportunity of hearing under part 
16 of this chapter.
    (c) Submission of request for regulatory hearing. The request for a 
regulatory hearing under paragraph (a) or (b) of this section must be 
submitted with a written appeal that responds to the basis for the FDA 
decision, as described in the issuance of revocation or withdrawal, as 
appropriate, and includes any supporting information upon which the 
requestor is relying. The request, appeal, and supporting information 
must be submitted in English to the address specified in the notice and 
must comply with the procedures it describes.
    (d) Effect of submission of request on FDA decision. The submission 
of a request for a regulatory hearing under paragraph (a) or (b) of 
this section will not operate to delay or stay the effect of a decision 
by FDA to revoke recognition of an accreditation body or to withdraw 
accreditation of a third-party certification body unless FDA determines 
that a delay or a stay is in the public interest.
    (e) Presiding officer. The presiding officer for a regulatory 
hearing for a revocation or withdrawal under this subpart will be 
designated after a request for a regulatory hearing is submitted to 
FDA.
    (f) Denial of a request for regulatory hearing. The presiding 
officer may deny a request for regulatory hearing for a revocation or 
withdrawal under Sec.  16.26(a) of this chapter when no genuine or 
substantial issue of fact has been raised.
    (g) Conduct of regulatory hearing. (1) If the presiding officer 
grants a request for a regulatory hearing for a revocation or 
withdrawal, the hearing will be held within 10 business days after the 
date the request was filed or, if applicable, within a timeframe agreed 
upon in writing by requestor, the presiding officer, and FDA.
    (2) The presiding officer must conduct the regulatory hearing for 
revocation or withdrawal under part 16 of this chapter, except that, 
under Sec.  16.5(b) of this chapter, such procedures apply only to the 
extent that the procedures are supplementary and do not conflict with 
the procedures specified for regulatory hearings under this subpart. 
Accordingly, the following requirements of part 16 are inapplicable to 
regulatory hearings under this subpart: Sec.  16.22 (Initiation of a 
regulatory hearing); Sec.  16.24(e) (timing) and (f) (contents of 
notice); Sec.  16.40 (Commissioner); Sec.  16.60(a) (public process); 
Sec.  16.95(b) (administrative decision and record for decision); and 
Sec.  16.119 (Reconsideration and stay of action).
    (3) A decision by the presiding officer to affirm the revocation of 
recognition or the withdrawal of accreditation is considered a final 
agency action under 5 U.S.C. 702.


Sec.  1.694  Are electronic records created under this subpart subject 
to the electronic records requirements of part 11 of this chapter?

    Records that are established or maintained to satisfy the 
requirements of this subpart and that meet the definition of electronic 
records in Sec.  11.3(b)(6) of this chapter are exempt from the 
requirements of part 11 of this chapter. Records that satisfy the 
requirements of this subpart, but that also are required under other 
applicable statutory provisions or regulations, remain subject to part 
11 of this chapter.


Sec.  1.695  Are the records obtained by FDA under this subpart subject 
to public disclosure?

    Records obtained by FDA under this subpart are subject to the 
disclosure requirements under part 20 of this chapter.

PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

0
3. The authority citation for 21 CFR part 11 continues to read as 
follows:

    Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.

0
4. In Sec.  11.1, add paragraph (m) to read as follows:


Sec.  11.1  Scope.

* * * * *
    (m) This part does not apply to records required to be established 
or maintained by subpart M of part 1 of this chapter. Records that 
satisfy the requirements of subpart M of part 1 of this chapter, but 
that also are required under other applicable statutory provisions or 
regulations, remain subject to this part.

PART 16--REGULATORY HEARING BEFORE THE FOOD AND DRUG ADMINISTRATION

0
5. The authority citation for 21 CFR part 16 continues to read as 
follows:

    Authority: 15 U.S.C. 1451-1461; 21 U.S.C. 141-149, 321-394, 
467f, 679, 821, 1034; 28 U.S.C. 2112; 42 U.S.C. 201-262, 263b, 364.

0
6. In Sec.  16.1(b)(2), add the following entry in numerical order to 
read as follows:


Sec.  16.1  Scope.

* * * * *
    (b) * * *
    (2) * * *
    Sec. Sec.  1.634 and 1.664, relating to revocation of recognition 
of an accreditation body and withdrawal of accreditation of third-party 
certification bodies that conduct food safety audits of eligible 
entities in the food import supply chain and issue food and facility 
certifications.
* * * * *

    Dated: October 30, 2015.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2015-28160 Filed 11-13-15; 8:45 am]
 BILLING CODE 4164-01-P


