Like many, I have spent a great deal of time reviewing the recently published proposed rule on Accreditation of Third-Party Auditors/Certification Bodies. There are many interesting provisions warranting in-depth review and discussion, but none raise the amount and degree of concerns as the provision requiring third-party auditor/audit agents to directly report certain findings to their certification body (CB), that the CB report them directly to FDA, and do so prior to reporting them to the audited firm. This information reporting loop is the focus of this discussion.
It’s not clear what additional information would be available by having the auditor and CB bypass the facilities in the reporting process. From a practical perspective, I’m not sure it’s even possible to prevent them from obtaining this knowledge; they are involved in the audit, accompany the auditor throughout the audit, and auditors are instructed to inform plant personnel of nonconformities as they occur. How can they not know something serious has been observed?
If the Food Safety Modernization Act (FSMA) originally intended to give the FDA an opportunity to leverage the sheer quantity of data available in these audit reports, all would agree that still makes sense in today’s economic environment. However, there now appears to be a shift to expecting “too much (from) of a good thing” as the proposed rules attempt to define how that process should look. Actually, the phrase appearing most often when discussing this rule is “unintended consequences.”
FSMA defined two types of audits, regulatory and consultative. The intent appeared to be that in separating them, industry would still be allowed to use consultative audits as a learning tool without ramifications and little would be changed to alter the way they are executed and used.
It seemed only audits used for regulatory purposes (certifications, Foreign Supplier Verification Program, or Voluntary Qualified Importer Program) would carry any additional requirements such as those supported by the framework established in accreditation and certifications rules for ensuring validity of the data.
FDA has done an excellent job of outlining the requirements for a sound, robust accredited certification system in the proposed rule. There are however concerns with the direct reporting component that may negate the good. In fact, we now see that not only will there be direct reporting requirements for both types of audits, those requirements actually exclude the audited site until after FDA has been notified.
If those asserting the number of audits will drop off based on these direct reporting requirements are correct, what does that mean in real numbers? In 2011/12, there were an estimated 35,000 plus audits executed globally against various Global Food Safety Initiative (GFSI) schemes. For arguments sake, let’s assume each audit had a mix of minor and major nonconformities, to make the math easy we’ll use 10 per audit. Theoretically, that’s 350,000 corrective actions completed in a 12 month period that otherwise may not have been addressed. Do the benefits of reporting “immediately” to FDA truly outweigh the potential loss of future improvements? Let’s look at examples of direct reporting to find out.
An auditor was auditing a facility that produces processed fruit products. He was accompanied by the plant manager and the sanitation and quality assurance manager—both of whom were recently hired and unfamiliar with the auditing process. The audit was a certification audit, so in proposed rule terms it would be considered a regulatory audit.
During the audit, multiple flies/insects on raw materials and product contact surfaces were observed. The apparent “violation” is certainly one that meets the basic public health risk threshold and is clearly outlined in FDA’s Compliance Policy Guide as to the exact number and location of insects necessary to be adulterated. This also meets the criteria for a critical violation that would result in the suspension or denial of the sites’ certification in GFSI schemes.