Like many, I have spent a great deal of time reviewing the recently published proposed rule on Accreditation of Third-Party Auditors/Certification Bodies. There are many interesting provisions warranting in-depth review and discussion, but none raises as many or as serious concerns as the provision requiring third-party auditors/audit agents to directly report certain findings to their certification body (CB), and requiring that the CB report them directly to FDA and do so prior to reporting them to the audited firm. This information reporting loop is the focus of this discussion.
It’s not clear what additional information would be available by having the auditor and CB bypass the facilities in the reporting process. From a practical perspective, I’m not sure it’s even possible to prevent them from obtaining this knowledge; they are involved in the audit, accompany the auditor throughout the audit, and auditors are instructed to inform plant personnel of nonconformities as they occur. How can they not know something serious has been observed?
If the Food Safety Modernization Act (FSMA) originally intended to give the FDA an opportunity to leverage the sheer quantity of data available in these audit reports, all would agree that still makes sense in today’s economic environment. However, there now appears to be a shift to expecting “too much (from) of a good thing” as the proposed rules attempt to define how that process should look. Actually, the phrase appearing most often when discussing this rule is “unintended consequences.”
FSMA defined two types of audits, regulatory and consultative. The intent appeared to be that in separating them, industry would still be allowed to use consultative audits as a learning tool without ramifications and little would be changed to alter the way they are executed and used.
It seemed only audits used for regulatory purposes (certifications, Foreign Supplier Verification Program, or Voluntary Qualified Importer Program) would carry any additional requirements such as those supported by the framework established in accreditation and certifications rules for ensuring validity of the data.
FDA has done an excellent job of outlining the requirements for a sound, robust accredited certification system in the proposed rule. There are, however, concerns with the direct reporting component that may negate the good. In fact, we now see that not only will there be direct reporting requirements for both types of audits, those requirements actually exclude the audited site until after FDA has been notified.
If those asserting the number of audits will drop off based on these direct reporting requirements are correct, what does that mean in real numbers? In 2011/12, there were an estimated 35,000 plus audits executed globally against various Global Food Safety Initiative (GFSI) schemes. For argument’s sake, let’s assume each audit had a mix of minor and major nonconformities; to make the math easy, we’ll use 10 per audit. Theoretically, that’s 350,000 corrective actions completed in a 12-month period that otherwise may not have been addressed. Do the benefits of reporting “immediately” to FDA truly outweigh the potential loss of future improvements? Let’s look at examples of direct reporting to find out.
An auditor was auditing a facility that produces processed fruit products. He was accompanied by the plant manager and the sanitation and quality assurance manager—both of whom were recently hired and unfamiliar with the auditing process. The audit was a certification audit, so in proposed rule terms it would be considered a regulatory audit.
During the audit, multiple flies/insects on raw materials and product contact surfaces were observed. The apparent “violation” is certainly one that meets the basic public health risk threshold, and FDA’s Compliance Policy Guide clearly outlines the exact number and location of insects necessary for product to be considered adulterated. This also meets the criteria for a critical violation that would result in the suspension or denial of the site’s certification in GFSI schemes.
Serious Violations Must be Authenticated
When a potential critical nonconformity is observed by an auditor performing a regulatory/certification audit, he should have internal technical support to ensure the finding is accurate and contains the complete facts of the situation. He should not be alone in making such a key decision—a meeting with all stakeholders during the audit is often used to address this need.
In our example, the CB and the auditor reviewed the entire process flow and determined the area of the insect activity was the initial preparation step of the raw fruit in a separate, isolated area designed for that purpose. The plant manager explained how the fruit was subjected to a series of rigorous washing and sorting steps in an adjacent facility and this was observed by the auditor to be well cleaned before beginning the heat processing. All agreed the washing/sorting process was adequate to control insect contamination and there was no critical nonconformity.
During this process, the plant still has Reportable Food Registry (RFR) obligations that are now complicated by the auditor/CB reporting process. For example, the RFR only gives the facility 24 hours to evaluate and report, so what is its responsibility here? Should it wait until the CB completes the review and officially reports to FDA, then file RFR? Suppose the CB doesn’t complete the review in time? Is it in fact faced with violating RFR obligations by the new reporting requirement?
Thankfully, this case happened before the proposed rules were published. The CB had a standard procedure to follow that included review of all relevant facts and the plant’s input on process and procedures. The audit was completed and certification was granted. Had the initial finding been correct, FDA would know when certification was suspended or denied. Would anyone, FDA included, have been better served by reporting incomplete or incorrect information to FDA before notifying the plant personnel as would be required in the proposed rule? The answer is no.
If this had been a consultative audit, the auditor should observe and document how the plant handles the situation. Does it identify affected product and isolate it promptly? Are procedures followed for correcting this situation? Are the corrections adequate to prevent the situation from happening again? Does it accurately determine if product is potentially in commerce, which would need to be removed and reported? If necessary, does it file an RFR in a timely manner?
Now it would also require the auditor/auditing company to report to FDA. But the consultative auditing company may not have any review procedures. The proposed rule isn’t clear on what the requirements are, if any, for an unaccredited auditor/auditing agent performing a consultative audit, so in reality this could be just one auditor acting alone. If so, is she obligated to report?
For argument’s sake, let’s say this is simply one individual, so the auditor stops the audit and files the report to FDA, letting the plant know afterwards what has been reported. After all, a statement that insects were observed on raw materials and product is serious and should be acted on promptly, right? Wrong! The finding was never reviewed prior to finalizing and reporting, and the plant didn’t have a chance to explain its processes. The auditor alleging the violation may or may not have the training or experience sufficient to make this decision alone. Ultimately, the finding would be proven to be incorrect, but the legal and liability issues would be messy to say the least.
Unless every auditor/audit agent performing consultative audits is operating under all of the accreditation requirements, their findings and auditing methods are not validated and should not form the basis of any official reports to FDA. There is no value in directly reporting information that is incomplete or has not been vetted.
What if, during this consultative audit, the plant simply refused to file the RFR report? This may be the only situation where direct reporting has value to all stakeholders. Reporting directly to FDA if a plant refuses to could be an incentive for the plant to follow the RFR requirements. But it’s the only one.
Auditors audit and most do it very well. They are not enforcers though, nor are they quasi inspectors or even consultants. And they do not act alone. There is an entire cast of staff at an accredited certification body who provide experience and support to the auditor on the ground. Auditors should not be expected to make serious judgments without the input of these support systems. Let the RFR and consultants play their role, and accredited certification auditors theirs. And allow that system, with all of its checks and balances, to work before requiring any reporting.
Wester is president of PA Wester Consulting. Reach her at email@example.com.