Search
Keyword
Search in sections (Example, from 802)
OR
Volume
Find
Product Classification
Reg. Number
Title 21: Food and Drugs
Requirements for Third-Party Certification Bodies That Have Been Accredited Under This Subpart
§ 1.650 How must an accredited third-party certification body ensure its audit agents are competent and objective?

(a) An accredited third-party certification body that uses audit agents to conduct food safety audits must ensure that each such audit agent meets the following requirements with respect to the scope of its accreditation under this subpart. If the accredited third-party certification body is an individual, that individual is also subject to the following requirements, as applicable:

(1) Has relevant knowledge and experience that provides an adequate basis for the audit agent to evaluate compliance with applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also includes conformance with applicable industry standards and practices;

(2) Has been determined by the accredited third-party certification body, through observations of a representative sample of audits, to be competent to conduct food safety audits under this subpart relevant to the audits they will be assigned to perform;

(3) Has completed annual food safety training that is relevant to activities conducted under this subpart;

(4) Is in compliance with the conflict of interest requirements of § 1.657 and has no other conflicts of interest with the eligible entity to be audited that might impair the audit agent's objectivity; and

(5) Agrees to notify its accredited third-party certification body immediately upon discovering, during a food safety audit, any condition that could cause or contribute to a serious risk to the public health.

(b) In assigning an audit agent to conduct a food safety audit at a particular eligible entity, an accredited third-party certification body must determine that the audit agent is qualified to conduct such audit under the criteria established in paragraph (a) of this section and based on the scope and purpose of the audit and the type of facility, its process(es), and food.

(c) An accredited third-party certification body cannot use an audit agent to conduct a regulatory audit at an eligible entity if such audit agent conducted a consultative audit or regulatory audit for the same eligible entity in the preceding 13 months, except that such limitation may be waived if the accredited third-party certification body demonstrates to FDA, under § 1.663, there is insufficient access to audit agents in the country or region where the eligible entity is located. If the accredited third-party certification body is an individual, that individual is also subject to such limitations.

§ 1.651 How must an accredited third-party certification body conduct a food safety audit of an eligible entity?

(a) Audit planning. Before beginning to conduct a food safety audit under this subpart, an accredited third-party certification body must:

(1) Require the eligible entity seeking a food safety audit to:

(i) Identify the scope and purpose of the food safety audit, including the facility, process(es), or food to be audited; whether the food safety audit is to be conducted as a consultative or regulatory audit subject to the requirements of this subpart, and if a regulatory audit, the type(s) of certification(s) sought; and

(ii) Provide a 30-day operating schedule for such facility that includes information relevant to the scope and purpose of the audit; and

(2) Determine whether the requested audit is within its scope of accreditation.

(b) Authority to audit. In arranging a food safety audit with an eligible entity under this subpart, an accredited third-party certification body must ensure it has authority, whether contractual or otherwise, to:

(1) Conduct an unannounced audit to determine whether the facility, process(es), and food of the eligible entity (within the scope of the audit) comply with the applicable food safety requirements of the FD&C Act and FDA regulations and, for consultative audits, also includes conformance with applicable industry standards and practices;

(2) Access any records and any area of the facility, process(es), and food of the eligible entity relevant to the scope and purpose of such audit;

(3) When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with:

(i) ISO/IEC 17025:2005; or

(ii) Another laboratory accreditation standard that provides at least a similar level of assurance in the validity and reliability of sampling methodologies, analytical methodologies, and analytical results.

(4) Notify FDA immediately if, at any time during a food safety audit, the accredited third-party certification body (or its audit agent, where applicable) discovers a condition that could cause or contribute to a serious risk to the public health and provide information required by § 1.656(c);

(5) Prepare reports of audits conducted under this subpart as follows:

(i) For consultative audits, prepare reports that contain the elements specified in § 1.652(a) and maintain such records, subject to FDA access in accordance with section 414 of the FD&C Act; and

(ii) For regulatory audits, prepare reports that contain the elements specified in § 1.652(b) and submit them to FDA and to its recognized accreditation body (where applicable) under § 1.656(a); and

(6) Allow FDA and the recognized accreditation body that accredited such third-party certification body, if any, to observe any food safety audit conducted under this subpart for purposes of evaluating the accredited third-party certification body's performance under §§ 1.621 and 1.662 or, where appropriate, the recognized accreditation body's performance under §§ 1.622 and 1.633.

(c) Audit protocols. An accredited third-party certification body (or its audit agent, where applicable) must conduct a food safety audit in a manner consistent with the identified scope and purpose of the audit and within the scope of its accreditation.

(1) With the exception of records review, which may be scheduled, the audit must be conducted without announcement during the 30-day timeframe identified under paragraph (a)(1)(ii) of this section and must be focused on determining whether the facility, its process(es), and food are in compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices that are within the scope of the audit.

(2) The audit must include records review prior to the onsite examination; an onsite examination of the facility, its process(es), and the food that results from such process(es); and where appropriate or when required by FDA, environmental or product sampling and analysis. When, for a regulatory audit, sampling and analysis is conducted, the accredited third-party certification body must use a laboratory that is accredited in accordance with paragraph (b)(3) of this section. The audit may include any other activities necessary to determine compliance with applicable food safety requirements of the FD&C Act and FDA regulations, and, for consultative audits, also includes conformance with applicable industry standards and practices.

(3) The audit must be sufficiently rigorous to allow the accredited third-party certification body to determine whether the eligible entity is in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, and for consultative audits, also includes conformance with applicable industry standards and practices, at the time of the audit; and for a regulatory audit, whether the eligible entity, given its food safety system and practices would be likely to remain in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations for the duration of any certification issued under this subpart. An accredited third-party certification body (or its audit agent, where applicable) that identifies a deficiency requiring corrective action may verify the effectiveness of a corrective action once implemented by the eligible entity but must not recommend or provide input to the eligible entity in identifying, selecting, or implementing the corrective action.

(4) Audit observations and other data and information from the examination, including information on corrective actions, must be documented and must be used to support the findings contained in the audit report required by § 1.652 and maintained as a record under § 1.658.

§ 1.652 What must an accredited third-party certification body include in food safety audit reports?

(a) Consultative audits. An accredited third-party certification body must prepare a report of a consultative audit not later than 45 days after completing such audit and must provide a copy of such report to the eligible entity and must maintain such report under § 1.658, subject to FDA access in accordance with the requirements of section 414 of the FD&C Act. A consultative audit report must include:

(1) The identity of the site or location where the consultative audit was conducted, including:

(i) The name, address and the FDA Establishment Identifier of the facility subject to the consultative audit and a unique facility identifier, if designated by FDA; and

(ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part;

(2) The identity of the eligible entity, if different from the facility, including the name, address, the FDA Establishment Identifier and unique facility identifier, if designated by FDA, and, where applicable, registration number under subpart H of this part;

(3) The name(s) and telephone number(s) of the person(s) responsible for compliance with the applicable food safety requirements of the FD&C Act and FDA regulations

(4) The dates and scope of the consultative audit;

(5) The process(es) and food(s) observed during such consultative audit; and

(6) Any deficiencies observed that relate to or may influence a determination of compliance with the applicable food safety requirements of the FD&C Act and FDA regulations that require corrective action, the corrective action plan, and the date on which such corrective actions were completed. Such consultative audit report must be maintained as a record under § 1.658 and must be made available to FDA in accordance with section 414 of the FD&C Act.

(b) Regulatory audits. An accredited third-party certification body must, no later than 45 days after completing a regulatory audit, prepare and submit electronically, in English, to FDA and to its recognized accreditation body (or, in the case of direct accreditation, only to FDA) and must provide to the eligible entity a report of such regulatory audit that includes the following information:

(1) The identity of the site or location where the regulatory audit was conducted, including:

(i) The name, address, and FDA Establishment Identifier of the facility subject to the regulatory audit and a unique facility identifier, if designated by FDA; and

(ii) Where applicable, the FDA registration number assigned to the facility under subpart H of this part;

(2) The identity of the eligible entity, if different from the facility, including the name, address, FDA Establishment Identifier, and unique facility identifier, if designated by FDA, and, where applicable, registration number under subpart H of this part;

(3) The dates and scope of the regulatory audit;

(4) The process(es) and food(s) observed during such regulatory audit;

(5) The name(s) and telephone number(s) of the person(s) responsible for the facility's compliance with the applicable food safety requirements of the FD&C Act and FDA regulations;

(6) Any deficiencies observed during the regulatory audit that present a reasonable probability that the use of or exposure to a violative product:

(i) Will cause serious adverse health consequences or death to humans and animals; or

(ii) May cause temporary or medically reversible adverse health consequences or where the probability of serious adverse health consequences or death to humans or animals is remote;

(7) The corrective action plan for addressing each deficiency identified under paragraph (b)(6) of this section, unless corrective action was implemented immediately and verified onsite by the accredited third-party certification body (or its audit agent, where applicable);

(8) Whether any sampling and laboratory analysis (e.g., under a microbiological sampling plan) is performed in or used by the facility; and

(9) Whether the eligible entity has made significant changes to the facility, its process(es), or food products during the 2 years preceding the regulatory audit.

(c) Submission of regulatory audit report. An accredited third-party certification body must submit a completed regulatory audit report as required by paragraph (b) of this section, regardless of whether the certification body issued a food or facility certification to the eligible entity.

(d) Notice and appeals of adverse regulatory audit results. An accredited third-party certification body must notify an eligible entity of a denial of certification and must establish and implement written procedures for receiving and addressing appeals from eligible entities challenging such adverse regulatory audit results and for investigating and deciding on appeals in a fair and meaningful manner. The appeals procedures must provide similar protections to those offered by FDA under §§ 1.692 and 1.693, including requirements to:

(1) Make the appeals procedures publicly available;

(2) Use competent persons, who may or may not be external to the accredited third-party certification body, who are free from bias or prejudice and have not participated in the certification decision or be subordinate to a person who has participated in the certification decision, to investigate and decide appeals;

(3) Advise the eligible entity of the final decision on its appeal; and

(4) Maintain records under § 1.658 of the appeal, the final decision, and the basis for such decision.

§ 1.653 What must an accredited third-party certification body do when issuing food or facility certifications?

(a) Basis for issuance of a food or facility certification. (1) Prior to issuing a food or facility certification to an eligible entity, an accredited third-party certification body (or, where applicable, an audit agent on its behalf) must complete a regulatory audit that meets the requirements of § 1.651 and any other activities that may be necessary to determine compliance with the applicable food safety requirements of the FD&C Act and FDA regulations.

(2) If, as a result of an observation during a regulatory audit, an eligible entity must implement a corrective action plan to address a deficiency, an accredited third-party certification body may not issue a food or facility certification to such entity until after the accredited third-party certification body verifies that eligible entity has implemented the corrective action plan through methods that reliably verify the corrective action was taken and as a result the identified deficiency is unlikely to recur, except onsite verification is required for corrective actions required to address deficiencies that are the subject of a notification under § 1.656(c).

(3) An accredited third-party certification body must consider each observation and the data and other information from a regulatory audit and other activities conducted under § 1.651 to determine whether the entity was in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations at the time of the audit and whether the eligible entity, given its food safety system and practices, would be likely to remain in compliance for the duration of any certification issued under this subpart.

(4) A single regulatory audit may result in issuance of one or more food or facility certifications under this subpart, provided that the requirements of issuance are met as to each such certification.

(5) Where an accredited third-party certification body uses an audit agent to conduct a regulatory audit of an eligible entity under this subpart, the accredited third-party certification body (and not the audit agent) must make the determination whether to issue a food or facility certification based on the results of such regulatory audit.

(b) Issuance of a food or facility certification and submission to FDA. (1) Any food or facility certification issued under this subpart must be submitted to FDA electronically and in English. The accredited third-party certification body may issue a food or facility certification under this subpart for a term of up to 12 months.

(2) A food or facility certification must contain, at a minimum, the following elements:

(i) The name and address of the accredited third-party certification body and the scope and date of its accreditation under this subpart;

(ii) The name, address, FDA Establishment Identifier, and unique facility identifier, if designated by FDA, of the eligible entity to which the food or facility certification was issued;

(iii) The name, address, FDA Establishment Identifier, and unique facility identifier, if designated by FDA, of the facility where the regulatory audit was conducted, if different than the eligible entity;

(iv) The scope and date(s) of the regulatory audit and the certification number;

(v) The name of the audit agent(s) (where applicable) conducting the regulatory audit; and

(vi) The scope of the food or facility certification, date of issuance, and date of expiration.

(3) FDA may refuse to accept any certification for purposes of section 801(q) or 806 of the FD&C Act, if FDA determines, that such food or facility certification is not valid or reliable because, for example:

(i) The certification is offered in support of the admissibility of a food that was not within the scope of the certification;

(ii) The certification was issued by an accredited third-party certification body acting outside the scope of its accreditation under this subpart; or

(iii) The certification was issued without reliable demonstration that the requirements of paragraph (a) of this section were met.

§ 1.654 When must an accredited third-party certification body monitor an eligible entity that it has issued a food or facility certification?

If an accredited third-party certification body has reason to believe that an eligible entity to which it issued a food or facility certification may no longer be in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations, the accredited third-party certification body must conduct any monitoring (including an onsite audit) of such eligible entity necessary to determine whether the entity is in compliance with such requirements. The accredited third-party certification body must immediately notify FDA, under § 1.656(d), if it withdraws or suspends a food or facility certification because it determines that the entity is no longer in compliance with the applicable food safety requirements of the FD&C Act and FDA regulations. The accredited third-party certification body must maintain records of such monitoring under § 1.658.

§ 1.655 How must an accredited third-party certification body monitor its own performance?

(a) An accredited third-party certification body must annually, upon FDA request made for cause, or as required under § 1.631(f)(1)(i), § 1.634(d)(1)(i), or § 1.635(c)(1)(i), conduct a self-assessment that includes evaluation of compliance with this subpart, including:

(1) The performance of its officers, employees, or other agents involved in auditing and certification activities, including the performance of audit agents in examining facilities, process(es), and food using the applicable food safety requirements of the FD&C Act and FDA regulations;

(2) The degree of consistency among its officers, employees, or other agents involved in auditing and certification activities, including evaluating whether its audit agents interpreted audit protocols in a consistent manner;

(3) The compliance of the accredited third-party certification body and its officers, employees, and other agents involved in auditing and certification activities, with the conflict of interest requirements of § 1.657;

(4) Actions taken in response to the results of any assessments conducted by FDA or, where applicable, the recognized accreditation body under § 1.621; and

(5) As requested by FDA, any other aspects of its performance relevant to a determination of whether the accredited third-party certification body is in compliance with this subpart.

(b) As a means to assess its performance, the accredited third-party certification body may evaluate the compliance of one or more of eligible entities to which a food or facility certification was issued under this subpart.

(c) Based on the assessments and evaluations conducted under paragraphs (a) and (b) of this section, the accredited third-party certification body must:

(1) Identify any deficiencies in complying with the requirements of this subpart;

(2) Quickly implement corrective action(s) that effectively address the identified deficiencies; and

(3) Under § 1.658, establish and maintain records of such corrective action(s).

(d) The accredited third-party certification body must prepare a written report of the results of its self-assessment that includes:

(1) A description of any corrective action(s) taken under paragraph (c) of this section;

(2) A statement disclosing the extent to which the accredited third-party certification body, and its officers, employees, and other agents involved in auditing and certification activities, complied with the conflict of interest requirements in § 1.657; and

(3) A statement attesting to the extent to which the accredited third-party certification body complied with the applicable requirements of this subpart.

(e) An accredited third-party certification body may use a report, supplemented as necessary, on its conformance to ISO/IEC 17021: 2011 or ISO/IEC 17065: 2012 in meeting the requirements of this section.

§ 1.656 What reports and notifications must an accredited third-party certification body submit?

(a) Reporting results of regulatory audits. An accredited third-party certification body must submit a regulatory audit report, as described in § 1.652(b), electronically, in English, to FDA and to the recognized accreditation body that granted its accreditation (where applicable), no later than 45 days after completing such audit.

(b) Reporting results of accredited third-party certification body self-assessments. An accredited third-party certification body must submit the report of its annual self-assessment required by § 1.655 electronically to its recognized accreditation body (or, in the case of direct accreditation, electronically and in English, to FDA), within 45 days of the anniversary date of its accreditation under this subpart. For an accredited third-party certification body subject to an FDA request for cause, or § 1.631(f)(1)(i), § 1.634(d)(1)(i), or § 1.635(c)(1)(i), the report of its self-assessment must be submitted to FDA electronically, in English, within 60 days of the FDA request, denial of renewal, revocation, or relinquishment of recognition of the accreditation body that granted its accreditation. Such report must include an up-to-date list of any audit agents it uses to conduct audits under this subpart.

(c) Notification to FDA of a serious risk to public health. An accredited third-party certification body must immediately notify FDA electronically, in English, if during a regulatory or consultative audit, any of its audit agents or the accredited third-party certification body itself discovers a condition that could cause or contribute to a serious risk to the public health, providing the following information:

(1) The name, physical address, and unique facility identifier, if designated by FDA, of the eligible entity subject to the audit, and, where applicable, the registration number under subpart H of this part;

(2) The name, physical address, and unique facility identifier, if designated by FDA, of the facility where the condition was discovered (if different from that of the eligible entity) and, where applicable, the registration number assigned to the facility under subpart H of this part; and

(3) The condition for which notification is submitted.

(d) Immediate notification to FDA of withdrawal or suspension of a food or facility certification. An accredited third-party certification body must notify FDA electronically, in English, immediately upon withdrawing or suspending any food or facility certification of an eligible entity and the basis for such action.

(e) Notification to its recognized accreditation body or an eligible entity. (1) After notifying FDA under paragraph (c) of this section, an accredited third-party certification body must immediately notify the eligible entity of such condition and must immediately thereafter notify the recognized accreditation body that granted its accreditation, except for third-party certification bodies directly accredited by FDA. Where feasible and reliable, the accredited third-party certification body may contemporaneously notify its recognized accreditation body and/or the eligible entity when notifying FDA.

(2) An accredited third-party certification body must notify its recognized accreditation body (or, in the case of direct accreditation, FDA) electronically, in English, within 30 days after making any significant change that would affect the manner in which it complies with the requirements of this subpart and must include with such notification the following information:

(i) A description of the change; and

(ii) An explanation for the purpose of the change.

§ 1.657 How must an accredited third-party certification body protect against conflicts of interest?

(a) An accredited third-party certification body must implement a written program to protect against conflicts of interest between the accredited third-party certification body (and its officers, employees, and other agents involved in auditing and certification activities) and an eligible entity seeking a food safety audit or food or facility certification from, or audited or certified by, such accredited third-party certification body, including the following:

(1) Ensuring that the accredited third-party certification body and its officers, employees, or other agents involved in auditing and certification activities do not own, operate, have a financial interest in, manage, or otherwise control an eligible entity to be certified, or any affiliate, parent, or subsidiary of the entity;

(2) Ensuring that the accredited third-party certification body and, its officers, employees, or other agents involved in auditing and certification activities are not owned, managed, or controlled by any person that owns or operates an eligible entity to be certified;

(3) Ensuring that an audit agent of the accredited third-party certification body does not own, operate, have a financial interest in, manage, or otherwise control an eligible entity or any affiliate, parent, or subsidiary of the entity that is subject to a consultative or regulatory audit by the audit agent; and

(4) Prohibiting an accredited third-party certification body's officer, employee, or other agent involved in auditing and certification activities from accepting any money, gift, gratuity, or other item of value from the eligible entity to be audited or certified under this subpart.

(5) The items specified in paragraph (a)(4) of this section do not include:

(i) Money representing payment of fees for auditing and certification services and reimbursement of direct costs associated with an onsite audit by the third-party certification body; or

(ii) Lunch of de minimis value provided during the course of an audit and on the premises where the audit is conducted, if necessary to facilitate the efficient conduct of the audit.

(b) An accredited third-party certification body may accept the payment of fees for auditing and certification services and the reimbursement of direct costs associated with an audit of an eligible entity only after the date on which the report of such audit was completed or the date a food or facility certification was issued, whichever is later. Such payment is not considered a conflict of interest for purposes of paragraph (a) of this section.

(c) The financial interests of the spouses and children younger than 18 years of age of accredited third-party certification body's officers, employees, and other agents involved in auditing and certification activities will be considered the financial interests of such officers, employees, and other agents involved in auditing and certification activities.

(d) An accredited third-party certification body must maintain on its Web site an up-to-date list of the eligible entities to which it has issued food or facility certifications under this subpart. For each such eligible entity, the Web site also must identify the duration and scope of the food or facility certification and date(s) on which the eligible entity paid the accredited third-party certification body any fee or reimbursement associated with such audit or certification.

§ 1.658 What records requirements must a third-party certification body that has been accredited meet?

(a) A third-party certification body that has been accredited must maintain electronically for 4 years records created during its period of accreditation (including documents and data) that document compliance with this subpart, including:

(1) Any audit report and other documents resulting from a consultative audit conducted under this subpart, including the audit agent's observations, correspondence with the eligible entity, verification of any corrective action(s) taken to address deficiencies identified during the audit;

(2) Any request for a regulatory audit from an eligible entity;

(3) Any audit report and other documents resulting from a regulatory audit conducted under this subpart, including the audit agent's observations, correspondence with the eligible entity, verification of any corrective action(s) taken to address deficiencies identified during the audit, and, when sampling and analysis is conducted, laboratory testing records and results from a laboratory that is accredited in accordance with § 1.651(b)(3), and documentation demonstrating such laboratory is accredited in accordance with § 1.651(b)(3);

(4) Any notification submitted by an audit agent to the accredited third-party certification body in accordance with § 1.650(a)(5);

(5) Any challenge to an adverse regulatory audit decision and the disposition of the challenge;

(6) Any monitoring it conducted of an eligible entity to which food or facility certification was issued;

(7) Its self-assessments and corrective actions taken to address any deficiencies identified during a self-assessment; and

(8) Significant changes to its auditing or certification program that might affect compliance with this subpart.

(b) An accredited third-party certification body must make the records of a consultative audit required by paragraph (a)(1) of this section available to FDA in accordance with section 414 of the FD&C Act.

(c) An accredited third-party certification body must make the records required by paragraphs (a)(2) through (8) of this section available for inspection and copying promptly upon written request of an authorized FDA officer or employee at the place of business of the accredited third-party certification body or at a reasonably accessible location. If such records are requested by FDA electronically, the records must be submitted electronically not later than 10 business days after the date of the request. Additionally, if the records are maintained in a language other than English, an accredited third-party certification body must electronically submit an English translation within a reasonable time.

Skip to content