Guidance for Industry
Additional copies of this guidance are available on the Internet at http://www.fda.gov/oc/guidance/thirdpartycert.html or http://www.regulations.gov or from the Office of Policy and Planning, Food and Drug Administration, U.S. Department of Health and Human Services 10903 New Hampshire Avenue, White Oak Building 1, Silver Spring, MD 20993, (301) 796-4840.
For questions on the content of this guidance, contact the Office of Policy and Planning at to (301) 796-4840.
United States Department of Health and Human Services
Food and Drug Administration
Office of Policy
Table of Contents
This guidance represents the Food and Drug Administration’s (FDA’s) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the appropriate FDA staff. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.
This document is intended to provide guidance about voluntary third-party certification programs for foods and animal feeds (hereinafter foods). An increasing number of establishments that sell foods to the public, such as retailers and food service providers, are independently requesting, as a condition of doing business, that their suppliers, both foreign and domestic, become certified as meeting safety (as well as other) standards. In addition, domestic and foreign suppliers (such as producers, co-manufacturers, or re-packers) are increasingly looking to third-party certification programs to assist them in meeting U.S. regulatory requirements. The Federal government supports voluntary certification programs as one way to help ensure products meet U.S. safety and security standards and to allow Federal agencies to target their resources more effectively.
This guidance is intended as one of the steps in FDA’s future recognition of one or more voluntary third-party certification programs for particular product types. It describes the general attributes FDA believes a certification program should have to provide quality verification of product safety. If FDA has confidence in a certification program, we may choose to recognize the program. Recognition does not make the certification body an agent of FDA or grant the certification body any regulatory or enforcement authority. Rather, recognition in this context means only that FDA has determined that certification may be a reliable reflection that the foods from an establishment certified by that certification body meet applicable FDA requirements, as well as other certification criteria. We recognize that there are many established third-party certification programs designed for various reasons that are currently being used by industry. We anticipate that some of those programs that focus on food safety will be eligible for recognition as FDA moves forward in this area, either in their present form or with program modifications. Recognition of existing programs may lessen the need for establishments to be subject to audits from multiple certification bodies in the future.
FDA may provide greater detail about recognition in future guidance documents pertaining to particular product areas. Such guidance documents would contain recommendations for product-specific criteria against which a certification body would audit. In addition, such a future guidance may provide incentives for food establishments to obtain certification by recognized certification programs for particular categories of products. Participation in certification programs would be voluntary, and the fact as to whether an establishment participates would not affect the establishment’s rights or obligations. Participation may, however, be beneficial. For example, FDA may take into consideration an establishment’s product-specific certification by a recognized certification body when determining our establishment inspection priorities, as well as our entry admissibility decisions and field exam and sampling priorities. We may also take certification into consideration when determining “may proceed” rates1 for imported products, which may result in expediting entry for certain product types from particular establishments. Moreover, we may publicly acknowledge certified establishments by developing a publicly accessible database.2 Certification may also be useful during a foodborne illness outbreak. Establishments that are certified and have effective product tracing systems in place may be more easily and quickly investigated to be excluded by FDA. In addition to these types of benefits, voluntary third certification could be used in other ways. For example, in appropriate circumstances we may take such certification into account when considering requests by establishments to have their products removed from an FDA Import Alert that is for Detention Without Physical Examination (DWPE).
While FDA may provide incentives for participation, neither establishments nor certifying bodies are under an obligation to participate. FDA does not intend to target uncertified establishments or products for inspection or sampling, for example, based solely on their lack of certification.
FDA’s guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe FDA’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in FDA’s guidances means that something is suggested or recommended, but not required.
Ensuring the safety and security of food products is a shared responsibility between the public and private sectors. FDA has the authority to establish regulatory standards, inspect facilities, and take action if there are violations, but industry has the primary responsibility to ensure that food products intended for human and animal consumption in the United States are safe and meet applicable FDA requirements. Certification programs can help industry fulfill its responsibility by providing an independent evaluation of an establishment’s food safety system and, if a problem is discovered, by providing information that can help a firm to fix the problem. This document is intended to support the process for FDA’s recognition of one or more third-party certification programs and builds upon the following actions.
On July 18, 2007, the President issued Executive Order 13439 to establish the Interagency Working Group on Import Safety (hereinafter referred to as the “Working Group”). On November 6, 2007, the Working Group released an “Action Plan for Import Safety: A Roadmap for Continual Improvement” (Action Plan) (http://www.importsafety.gov/report/actionplan.pdf). The Action Plan contains 14 broad recommendations and 50 specific short- and long-term action steps to better protect consumers and enhance the safety of the increasing volume of imports entering the United States. The Action Plan stresses the importance of the private sector's responsibility for the safety of its products and the importance of ongoing private-sector mechanisms and experience as a basis for ongoing, substantive public-private collaboration. The public and private sectors have a shared interest in import safety, and substantive improvement will require the careful collaboration of the entire importing community.
Recommendation 2 of the Action Plan is to “verify compliance of foreign producers with U.S. safety and security standards through certification.'' Third-party certification programs can augment ability of the Federal government and the importing community to help ensure that products imported into the United States meet Federal safety and security standards. The Action Plan states “[f]or foreign producers, the ability to participate in voluntary certification programs could allow products from establishments that comply with U.S. safety and security standards to enter the United States more quickly. This would facilitate trade, while allowing Federal departments and agencies to focus their resources on products from non-certified establishments or for which information suggests there may be safety or security concerns. This would allow Federal departments and agencies to more effectively target their resources.” Action Steps 2.2 and 2.4 of the Action Plan call for the development of voluntary third-party certification programs, based on risk, for foreign producers of certain products who export to the United States, and the creation of incentives for foreign establishments to participate in voluntary certification programs, and for importers to purchase only from certified establishments.
In conjunction with the Action Plan, on November 6, 2007, FDA released our Food Protection Plan (hereinafter referred to as the “FPP”), a comprehensive strategy designed to bolster efforts to better protect the Nation's food supply (http://www.fda.gov/oc/initiatives/advance/food/plan.html ). The FPP emphasizes certification as a way to help verify the safety of products from a growing food establishment inventory, both domestic and foreign.
B. Federal Register Notice Requesting Comment on Third-Party Certification Programs for Foods and Feeds
On April 2, 2008, FDA issued a Federal Register notice requesting comments on the use of third-party certification programs for foods and animal feeds. [Federal Register Vol. 73 No. 64 pg. 17989 (April 2, 2008)] In addition to general information about existing programs, we asked four specific questions:
1. What domestic and foreign third-party certification programs for suppliers are currently in use by U.S. companies?
2. Do the current third-party certification programs ensure compliance with FDA requirements?
3. What are the obstacles to private sector participation in these third-party certification programs?
4. What incentives would increase participation in these third-party certification programs?
FDA received approximately 70 comments in response to that notice. Many of the comments note that U.S. suppliers currently use various third-party certification programs in part because of customer demand. The certification programs audit to the required criteria, which vary by product and client. The audits include both a document review and an on-site visit. Several comments provide details on criteria that the establishment must meet to receive certification. There is extensive support for certification programs that audit to determine compliance with internationally recognized criteria. Compliance with these criteria may include conduct or actions that exceed requirements under applicable U.S. law. Procedures to prevent conflicts of interest are also discussed. A few comments also address how governments interface with or recognize these certification bodies.
Many comments state that FDA’s recognition of third-party programs will encourage expanded, voluntary participation. The comments vary on whether we should make modifications to the existing programs. Certain obstacles to participation are mentioned, most notably the added costs of the certification process, especially for small businesses, and the redundancy created by suppliers requiring different criteria. Most comments agree that expedited treatment at ports of entry, making the names of certified establishments publicly available, and FDA’s consideration of certification as one factor in determining inspection priorities will encourage participation. Additionally, several comments express a desire for a set of criteria to reduce redundancy.
For the purposes of this document, the following definitions apply:3
- Accreditation means an attestation related to a certification body (but not by the certification body itself) conveying formal demonstration of its competence to carry out specific certification tasks.
- Accreditation body means an authoritative body that performs accreditation.
- Attributes mean the characteristics of a certification body that FDA intends to consider when evaluating whether its certifications are a reliable reflection that food from establishments a certification body certifies meets the certification criteria.
- Audit means the systematic and functionally independent examination of a product, process, and establishment, including records and laboratory testing, as appropriate, to determine an establishment’s conformance with certification criteria. Audit activities may include a range of activities, such as on-site examinations of establishments, review of records, review of quality assurance systems, and examination or laboratory testing of product samples.
- Auditor means a person acting for the certification body who conducts audits and makes a determination of the degree to which certification criteria have been met by an establishment for a particular product type.
- Certification means the procedure by which a certification body provides assurance that the establishment conforms to certification criteria. Certification should be granted for particular product types produced, manufactured, processed, packed, or held by the establishment. Certification should be, as appropriate, based on a range of audit activities, as discussed in section III.D.
- Certification body means a third-party organization that operates a certification program. A certification body could be a Federal, State, local, or foreign government agency, as well as a non-government entity that is independent of the businesses it certifies and free from conflicts of interest.
- Certification criteria mean those criteria used by the certification body during an audit to determine whether an establishment should receive certification. Certification criteria for the purpose of this document should, at a minimum, include applicable FDA requirements.
- Certification program means a third-party system that verifies, through audits, an establishment’s conformance with certification criteria.
- Certification program assessment means a systematic examination by FDA to assess a certification body’s conformance with the attributes in this document.
- Establishment means a site-specific domestic or foreign facility that produces, manufactures, processes, packs, or holds food for use, consumption, or further processing in the United States.
- Inspection means the examination of a product, process, or establishment, including records and laboratory testing, by FDA (or another governmental entity acting under our authority, such as a State regulatory authority, with which FDA has a contract, partnership arrangement, or Memorandum of Understanding (MOU) for the purpose of conducting inspections that pertain to the establishment's compliance status with FDA requirements).
- Self-assessment means a certification body’s systematic assessment to determine whether its activities and related results meet planned objectives (e.g., the attributes in this document).
- Third party means an organization other than the establishment or FDA (or another governmental entity acting under our authority, such as a State regulatory authority, with which FDA has a contract, partnership arrangement, or MOU for the purpose of conducting inspections that pertain to the establishment's compliance status with FDA requirements). A third party could include a Federal, State, local, or foreign government authority that is not conducting inspections under our authority, as well as a private entity.
The certification body should communicate the conditions for granting and maintaining certification, as well as the conditions under which the certification body may withdraw certification.
The certification body should require completion of an official application form, signed by a duly authorized representative of the establishment, which includes the following:
- Name, address, and contact information of the applicant;
- Affirmation that the establishment is registered as required under 21 C.F.R. §1.225 or that the establishment is exempt under 21 C.F.R. §1.226;
- List of product market forms, packaging, and processes used by the establishment for the product types to be certified;
- Name, address, and unique facility (establishment) identification code, if applicable, of the site-specific establishment(s) to be certified for a particular food product it produces, manufactures, processes, packs, or holds;
- Statement regarding its regulatory standing that includes whether:
- An FDA warning letter has been issued to the establishment and, if one has been issued, whether FDA has concluded that the conditions that resulted in the warning letter have been satisfactorily addressed;
- An FDA legal action has been filed in court against the establishment or its products, such as an injunction, seizure, or prosecution, under any of the laws or regulations administered by FDA, and if one has been filed, whether FDA has concluded that the conditions that resulted in the legal action have been satisfactorily addressed;
- The establishment or any of its officers or employees is not being prosecuted and has not been convicted of a crime relating to FDA regulatory requirements;
- The establishment had been inspected by FDA or by another U.S. or international governmental entity, such as a State regulatory authority and, if it had been so inspected, the date of the inspection and whether the inspection resulted in an adverse classification, such as Official Action Indicated (OAI), and if there was such a finding, whether corrective actions successfully resolved the observed violations or deviations.
- The establishment or its products are subject to an FDA Import Alert;
- Statement that the applicant agrees to comply with the terms established by the certification body, including the certification criteria, and to supply any information needed for the evaluation of the establishment and processes to be certified.
The certification body should review the application to confirm that the establishment has provided all requested information and should determine if any regulatory issues have not been resolved. This includes supplying the certification body with documents requested in conformance with this guidance document, such as copies of FDA inspection reports and previous certification audit reports. Upon satisfactory completion of the application and review by the certification body, an auditor acting for the certification body should then perform an audit of the establishment and records, consistent with the elements set forth in section V.C. below. Certification should not be granted if the establishment unduly delays, limits, or denies the certification body or any auditors acting on its behalf, access to the establishment, processes, product types, or records needed to verify conformance with certification criteria. A decision on certification should be specific to an establishment and processes for particular product types. It should be possible for an establishment to be certified for processes for a particular product type and not for other product types.
The establishment should promptly notify the certification body of any intended significant changes to the safety systems the establishment has in place or any other changes or occurrences that may affect product safety or certification. In addition the establishment should notify the certification body of any new conditions that would cause certification to be withdrawn, as described below in section IV.D.
The purpose of recertification is to confirm the establishment’s continued conformity with the certification criteria. The frequency of recertification may vary depending on the risks posed by the establishment and the processes used. The frequency of recertification should ensure that establishments associated with greater risk are recertified more frequently. Risk factors include those associated directly with the establishment itself, including its compliance history and its internal auditing procedures, as well as the inherent risks associated with the processes and product types for which certification is sought and the processes used to produce, manufacture, process, pack, or hold those products. In general, recertification should occur at least once every two years for most products. Higher risk product types, processes, or establishments should be audited at least annually. FDA may provide further guidance on the frequency of recertification when recognizing certification programs in particular product areas.
- The certification body should have an established, clearly articulated procedure for withdrawing certification. Withdrawing certification should be considered under the following circumstances:
- The auditor determines that there are significant deviations from one or more certification criteria, and the establishment fails to address the deficiencies in a timely and acceptable manner (see section V.E., below).
- The establishment unduly delays, limits, or denies the certification body, or any auditors acting on its behalf, access to the establishment, products, or records needed to verify compliance with certification criteria.
- The certification body discovers that the establishment, or any of its officers or employees, engages in any fraudulent acts related to FDA regulatory requirements, as well as providing false information to the certification body or any auditors acting on its behalf.
- The certification body discovers that the statement regarding the establishment’s regulatory standing made in section IV.A. above has changed (e.g., a warning letter has been issued, an OAI classification has been made, an Import Alert has been issued, etc.)
The certification body should immediately notify FDA if certification has been withdrawn, as well as the basis for withdrawal (see section V.J. below).
FDA would need sufficient confidence in the credibility of the certification program in order to recognize such a program. More specifically, we would need to have confidence in the quality of the audits performed and the validity of the decisions made by the certification bodies and their auditors. Therefore, we have identified the following general attributes that are intended to provide a model that might be tailored for particular categories of products and incorporated by FDA as we develop programs to recognize third-party certification programs for those product types. These attributes incorporate a comprehensive self-assessment by the certification body of its performance in relation to these attributes to encourage continuous improvement and innovation. FDA may perform a certification program assessment to determine a certification body’s level of conformance to these attributes prior to recognition and periodically thereafter. It is expected that the certification body would fully cooperate with FDA during such a certification program assessment, which could include access to the certification body’s documents and records relevant to its conformance with these attributes. The certification program assessment may also include observing on-site audits, in which case it is expected that the certification body would cooperate in arranging such on-site audits for FDA to observe.
To facilitate an FDA assessment, the certification body could seek accreditation froman accreditation body that is operating in accordance with the International Organization for Standardization (ISO) standard ISO/IEC 17011:2004, Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies. Such accreditation can provide an additional assurance that the certification body is reliable.
A certification body should enter into a contract or other arrangement with an establishment that grants the certifying body authority to ensure that the establishments and processes they are hired to certify meet the certification criteria. All certification contracts entered into between a certification body and an establishment should include the following authorities.
The certification body and its auditors should have access to the establishment for the purpose of auditing the production, manufacturing, processing, packing, and holding of product for which certification is sought. The certification body should communicate its audit plan in advance with the establishment and the dates of the initial audit and recertification audits should be agreed upon.4 Nevertheless, the certification body should have the right to perform unannounced audits, as appropriate. The scope of access may be determined by the types of products and processes for which certification is sought. For example, if the establishment is seeking certification for all product types being produced, manufactured, processed, packed, or held there, then the certification body and the auditor should have access to aspects relating to the safety of all those product types, including incoming materials, all aspects of production, manufacturing, processing, packing, or holding, and records relating to compliance with certification criteria. If, however, the establishment is only seeking certification for a subset of product types, access may be more limited.
The certification body and its auditors should be able to examine records and other information relevant to the safety of the product types for which certification is sought. This should include access to relevant records relating to the production, manufacturing, processing, packing, and holding of product types for which certification is sought, including, but not limited to, receiving records, preventive control plans and records, laboratory results, records regarding the upkeep and use of equipment, consumer complaint files, and supply chain records.
The certification body and auditors should have authority to collect and analyze samples as appropriate. These samples should be collected and analyzed in a manner that is consistent with the other aspects of this document, including the use of laboratories, as discussed in section V.I. below. In the future, additional guidance regarding sampling and laboratory testing may be provided as FDA recognizes third-party certification programs in particular product areas.
Certification bodies should have the authority to determine whether to certify, recertify, or withdraw certification based upon information gathered. This includes the authority to determine if the establishment has appropriately addressed problems or deficiencies identified by the certifying body or its auditors. Moreover, they should also have authority to provide information to FDA in accordance with this guidance. Such information should also be available to FDA when requested to perform a certification program assessment.
All auditors should understand the food safety issues related to the processes and products that they audit. This should include knowledge and understanding of current certification criteria (including FDA regulations) and a process to help ensure that this knowledge and understanding are kept up to date.
In order to assist certifying bodies in preparing for future recognition of third-party certification programs, FDA makes the following general recommendations for certification bodies and their auditors. However, FDA recognizes the need for flexibility in auditor qualifications, as well as the importance of prior auditing experience.
FDA recommends that all auditors acting for a certification body meet or exceed the minimum educational requirements applicable to FDA Consumer Safety Officers (CSOs) who perform inspections on behalf of the agency. Therefore, we recommend that the auditors have at least:
- A full course of study at an accredited college or university leading to a bachelor's or higher degree, including 30 semester hours in one or a combination of biological sciences, chemistry, pharmacy, physical sciences, food technology, nutrition, medical science, engineering, epidemiology, veterinary medical science, or related scientific fields that provide knowledge directly related to consumer safety officer work.
- 30 semester hours of course work as described above, plus appropriate experience or additional education. The required 30 semester hours can include up to eight semester hours in statistics or course work that includes the principles, theory, or practical application of computers or computer programming.
In addition, the certification body should have a training plan that ensures that all auditors receive the necessary training to adequately perform their work assignments. The training plan should provide for basic and advanced audit training, as well as continued training for professional development.5 As FDA recognizes third-party certification programs, we may recommend qualifications and training that are tailored to particular product areas.
Training and qualifications may vary depending on the processes and product areas being audited. Each auditor should demonstrate competency in the areas pertaining to the processes and product areas that they are auditing. These may include all or some of the following areas:
- Certification criteria
- Public health principles
- Risk assessment
- Manufacturing techniques and technologies
- Proper audit procedures
- Proper sample collection procedures
- Product Tracing6
- Product security awareness
- Communications skills
- Basics of Hazard Analysis and Critical Control Point (HACCP) or other preventive control systems
- Basics of consumer product labeling
- Sanitation and Good Manufacturing Practices
- Control of allergens and food intolerances
- Ethics and conflicts of interest
It may also be beneficial for auditors to complete more advanced audit training through coursework or other means that are related to specific processes and product areas that an auditor will audit, e.g., seafood HACCP and seafood safety, low acid canned food safety,etc. While coursework is recommended, FDA recognizes that, in certain instances, experience may provide adequate competency.
The certification body should ensure that each auditor receives field training and is evaluated by a qualified and experienced trainer in the field that can ensure competency in the above areas, as applicable. To accomplish this, FDA recommends that each auditor perform a minimum of five joint audits with a qualified and experienced trainer. Joint audits should be conducted in establishments that are representative of the establishments in the certification program’s establishment inventory. At least two of those joint audits should be evaluations during which a qualified, experienced trainer observes the candidate conducting an audit without assistance. The auditor’s performance should be rated acceptable in those evaluations. Each auditor should complete, or be able to demonstrate by prior experience, the minimum field training requirements before conducting independent audits.
Each auditor should also complete more advanced field training in his or her specialized areas, if applicable, such as seafood HACCP. Such advanced training should include three joint audits with a qualified trainer. At least two of those joint audits should be evaluations of the auditors. The auditor’s performance should be rated acceptable in those evaluations. The joint audits should be conducted in establishments that are representative of the specialty area.
Each auditor should also participate in continuing education that includes coursework and joint audits to keep the auditor’s knowledge current. At least every 36-month interval, each auditor should participate in a minimum of 36 hours of classroom training and participate in at least two joint audits with a qualified trainer. These joint audits are intended to help the auditor apply what was learned in the classroom to what should be covered during an audit.
The certification body should ensure that its auditors are consistently meeting established standards for a high quality audit, as well as consistently auditing for conformance with certification criteria when auditing an establishment. The audit program should contain the following elements:
Audits should be performed using a risk-based approach. With respect to the certification process, this means that the auditor should focus the most attention on the elements of the production, manufacturing, processing, packing, and holding that pose the greatest risk to human and/or animal health. An auditor may consider an establishment’s internal auditing practices when determining the level of scrutiny to apply. FDA may provide further guidance on risk prioritization when recognizing certification programs in particular product areas.
The certification body should have written policies and procedures describing the protocol to be used by all auditors during an audit. These procedures should include, but are not limited to:
- Reviewing the certification body’s own previous certification audit reports (at least the previous report and all other reports done in the last year) relating to food safety
- Inquiring as to whether FDA or another U.S. or international governmental entity, such as a State regulatory authority, has inspected the establishment and examining the resulting inspection report relating to food safety
- Inquiring as to whether another third-party recognized by FDA has audited the establishment and examining the resulting report relating to food safety
- Inquiring as to whether the statements made in section IV.A. above are up to date
- Reviewing internal establishment audits and consumer complaints relating to food safety
- Having appropriate equipment and forms needed to conduct audits
- Verifying that the establishment’s employees have the appropriate educational background and training relating to food safety
- Assessing conditions and practices critical to the safe and sanitary production, manufacturing, processing, packing, and holding of the products
- Properly evaluating the likelihood that incoming materials, conditions, practices, ingredients or components, and/or labeling could cause the product to be unsafe or not meet applicable FDA requirements
- Recognizing significant, violative conditions or practices relating to food safety, if present, and recording findings
- Distinguishing between significant and insignificant observations relating to food safety, and isolated incidents versus trends
- Reviewing and evaluating appropriate records and procedures relating to food safety for the establishment's operations and effectively applying the information obtained from this review during the audit
- Collecting adequate information and documentation to support audit observations and certification relating to food safety
- Collecting representative samples, as appropriate, using sampling techniques that prevent contamination of the product and ensure that a representative sample is collected
- Verifying the correction of deficiencies identified during the previous audit;
- Behaving professionally during the audit
- Demonstrating proper sanitary practices during the audit
- Making appropriate introductions, presenting proper identification upon arrival at the establishment, and explaining the purpose and scope of the audit
- Using suitable interviewing techniques
- Explaining findings clearly and adequately throughout the audit
- Alerting the establishment's person in charge when an immediate corrective action relating to food safety is necessary
- Answering questions and providing information in an appropriate manner
- Documenting findings relating to food safety accurately, clearly, and concisely, and providing a copy to the establishment's person in charge
- Requesting assistance for complex technical issues beyond the ability of the auditor
- Dealing effectively with obstacles to the audit or adversarial situations.
The audit should provide the certification body with reasonable assurance that the establishment produces, manufactures, processes, packs, or holds foods that are safe and in compliance with certification criteria. The auditor should have access to the relevant parts of the establishment, processes, and product types, and records relating to food safety in order to make this determination. As FDA recognizes third-party certification programs in particular product areas, FDA plans to provide additional guidance on specific certification criteria for those product areas.
The certification body should have a system to resolve complaints from establishments about audits. This system should include providing contact information, as well as written procedures for receiving, evaluating, answering, and maintaining records of establishment complaints about audits.
The certification body should retain the documentation for all audit findings. Documentation should include, but is not limited to, an audit report, auditor notes, laboratory testing records and results, correspondence with the establishment, as well as follow-up documentation regarding corrective actions taken to address deficiencies that affect certification (i.e., demonstrating whether the corrective action was effectively executed to remedy the problem). The certification body should keep these records for at least three years.7
The certification body should implement a quality assurance program (QAP) that monitors its auditors (including subcontractors), audits, and sample collection processes for consistency and competency, to identify areas that need improvement, and to quickly execute appropriate corrective actions when problems are found. The QAP should include the following components:
The certification body should conduct a field evaluation of audits done on its behalf to verify that audits are consistently performed according to its established policies and procedures. Two field evaluations of audits performed by each auditor should be conducted every 36 months. 8
The certification body should perform periodic reviews of audit reports to verify that audit findings are obtained and reported according to its established procedures and policies.
The certification body should perform periodic reviews of sample reports to verify that samples were properly collected, identified, and submitted according to established procedures and policies and that appropriate information was recorded.
If, during a self-assessment (see section V.H. below), the certification body determines that an auditor is not performing adequately, the certification body should not authorize the auditor to conduct additional audits until such time as the auditor has received sufficient training and an acceptable re-evaluation. It may be appropriate for the certification body to re-evaluate audits that the auditor has performed.
The certification body should have strategies, procedures, and actions to ensure that the establishments and processes for particular product types it certifies comply with FDA requirements and otherwise meet certification criteria. The certification body should take appropriate steps when there is non-compliance. More specifically, the certification body should:
- Use a risk-based system to determine when an investigation, follow-up, or re-audit is needed;
- Evaluate whether the establishment has executed corrective actions that resolve the deviations that would affect certification in a timely and acceptable manner; and
- Withdraw certification if the establishment fails to take corrective actions to address deficiencies that would affect certification in a timely and acceptable manner (see section IV.D. above.).
In addition to notifying FDA consistent with section V.J. below, the certification body should immediately notify the establishment if an auditor finds or discovers a situation in which there is a reasonable probability that the use of, or exposure to, food or feed produced, manufactured, processed, packed, or held in that establishment will cause serious adverse health consequences or death to humans or animals. FDA notes that an establishment that receives this information may be subject to the requirement imposed by section 1005 of the Food and Drug Administration Amendments Act of 2007 to report certain information to FDA via an electronic portal.
At a minimum, the certification body should provide establishments seeking certification with information about current FDA requirements and guidances. The certification body may also conduct activities that foster communication and information exchange among regulators, industry, academia, and consumer representatives on product safety and security. In addition, the certification body may sponsor or participate in meetings where product safety and security topics may be discussed or provide the establishments they certify with other educational materials related to product safety and security, such as scientific literature.
The third party certification body should have sufficient resources, such as equipment and infrastructure, etc., to accomplish the elements of the program described in this guidance.
The certification body should conduct an initial self-assessment to assess its performance in relation to the attributes in this document, including identification of the strengths and weaknesses of the program. Subsequent self-assessments should be done at least every 36 months thereafter and after any significant changes to the certification program, including any changes to the certification criteria used by the certification body.9 After each self-assessment, the certification body should develop an improvement plan based on analysis of the self-assessment and a timeline for implementing improvements. Subsequent self-assessments should be used to track progress toward meeting and maintaining conformance with these attributes. The certification body should maintain records sufficient to document the results of all self-assessments, improvement plans, and verification audits. Such records should be maintained for at least three years.10 Consistent with section V.J. below, FDA should be notified of significant changes to the certification program.
The certification body should have access to the laboratory services needed to support the audit program functions and document these laboratory services, including those obtained through agreements with external laboratories. These laboratories should be capable of analyzing a variety of appropriate samples, using widely recognized methods, for assessing the compliance of establishments with applicable certification criteria, including product and environmental samples. The certification body should maintain a record of tests conducted, as well as a record of the results of the testing.
The certification body should have a contract or written agreement with its servicing laboratories. The laboratories, whether internal or external, should be accredited, and the accreditation should be issued by an accreditation body operating in accordance with the ISO standard ISO/IEC 17011:2004, Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies. The accreditation body should be a signatory to the International Laboratory Accreditation (ILAC) Mutual Recognition Arrangement. This will help ensure that all laboratories that are accredited by the accreditation body comply with appropriate laboratory standards and also should result in consistent standards and requirements among accrediting bodies and laboratories regardless of their location.
Laboratories should conform to ISO/IEC 17025:2005, General requirements for the competence of testing and calibration laboratories, and should be qualified to use the specific method(s) for testing foods. The methods should demonstrate suitable performance and fit for the intended use. Additionally, we recommend that, where appropriate, laboratories incorporate into their implementation of ISO-IEC 17025 the criteria established in the AOAC International Guidelines for Laboratories Performing Microbiological and Chemical Analyses of Food and Pharmaceuticals – An Aid to interpretation of ISO/IEC 17025: 2005. The AOAC document provides a section-by-section interpretation of the ISO/IEC 17025 requirements and following its criteria offers additional assurance that the laboratory’s accreditation includes a sufficient level of detail for the testing being performed and to the laboratory’s implementation of ISO/IEC 17025.
This section outlines the circumstances that warrant notification to FDA, some of which have been mentioned elsewhere in this guidance. While we may elaborate more on notification in future documents that address third-party certification programs in particular product areas, as a general matter the certification body should notify FDA of the following:
The certification body should immediately notify FDA if an auditor finds or discovers a situation in which there is a reasonable probability that the use of, or exposure to, food or feed produced, manufactured, processed, packed, or held in that establishment will cause serious adverse health consequences or death to humans or animals. This information may pertain to intentional or unintentional contamination. The certification body should provide detailed information that describes the extent and nature of the problem, as well as the product and its source.
The certification body should immediately notify FDA if certification has been withdrawn, as well as of the basis for withdrawal.
Once recognized by FDA, the certification body should notify us 60 days prior to any significant change the certification body intends to make in its certification program, including any changes to the certification criteria used by the certification body. The certification body should provide an explanation for the purpose of the change. Some changes may trigger a reassessment of the certification program by FDA and may affect our recognition of the program.
The certification body and its auditors should be free from conflicts of interest. The certification body should have a committee or management structure for safeguarding impartiality. Conflict of interest policies for a certification body and auditors acting for the certification body should be written.
FDA recommends that the following criteria be included in a conflict of interest policy:
- The certification body should not be owned, operated, or controlled by a producer, manufacturer, processor, packer, holder, supplier, or vendor of any article of the type it certifies.
- The certification body should not have any ownership or financial interest in any product, producer, manufacturer, processor, packer, holder, supplier or vendor of the type it certifies.
- No auditor acting for the certification body (or spouse or minor children) should have any significant ownership or other financial interest11 regarding any product of the type it certifies. The certification body should maintain records pertaining to the financial interests of the personnel involved in audits.
- Neither the certification body nor any of its auditors acting for the certification body should participate in the production, manufacture, processing, packing, holding, promotion, or sale of any product of the type it certifies.
- Neither the certification body nor any of its auditors should provide consultative services to any producer, manufacturer, processor, packer, or holder, supplier, or vendor of products of the type it certifies.
- No auditors acting for the certification body should participate in an audit of an establishment they were employed by within the last 12 months.
- Fees charged or accepted should not be contingent or based upon the report made by the certification body or any personnel involved in the audit process.
- Neither the certification body nor any of its auditors should accept anything of value from anyone in connection with the establishment being audited other than the audit fee. The term “anything of value” includes, but is not limited to, gifts, gratuities, reimbursement of expenses, entertainment, loans, or any other form of compensation in cash or in kind.
- The certification body should not be owned, operated, or controlled by a trade association whose member companies operate establishments that it certifies.
- The certification body and its auditors should be free from any other conflicts of interest that threaten impartiality.
The certification body and its auditors should sign a statement attesting to compliance with these conflict of interest criteria. Certification bodies should also ensure that any subcontractors that might be used (laboratories, sampling services, etc.) provide similar assurances.
1The “may proceed” rate means the rate of import entries entered into domestic commerce after electronic review, but without FDA staff review of the entry, including physical examination or sampling. FDA sets this rate based on various considerations, such as product risk and the demonstrated degree of compliance of the commodity/establishment/country.
2 Nothing in this guidance, or any potential future recognition of a particular certification program, would restrict FDA from conducting its own inspections or taking regulatory action, nor would it affect the legal responsibilities of establishments. Moreover, FDA typically would not provide these types of incentives if it had information that a problem existed in a certified establishment.
3The definitions in this guidance are generally consistent with accepted international definitions, such as those used in documents by the International Organization for Standardization (ISO) and the Codex Alimentarius Commission (Codex).
5 This training standard is based on our experience training FDA inspectors and is consistent with the standard we use for our state inspection program. See http://www.fda.gov/ohrms/dockets/dockets/06d0246/06d-0246-gdl0002-vol1.pdf
11By “significant,” we refer to 5 C.F.R. 5501.104, which allows an FDA employee (or a spouse or minor children) to own certain de minimis holdings in a regulated entity, as well as a financial interest, such as a pension, arising from employment with a regulated entity. While this provision does not apply to certification bodies or their auditors, it provides a basis for defining this term.