As a trade association for auditors and the auditing industry, AFSAP has researched the various references to audits found in all of the FSMA rules, and monitored the steps taken across the auditing community to meet these requirements. In this Q&A, we sit down with Patricia Wester, chief executive officer of AFSAP, to talk FSMA audits, criteria for supplier audits, preventive controls and FDA guidance. She will be running the Pre-Conference AFSAP Food Safety Auditing Fundamentals Course at this year’s Food Safety Consortium.
In July 2016, GFSI announced they would re-open the Guidance document revision process so that FSMA’s requirements could be considered for inclusion. When the final GFSI Guidance document was released, it included most of FSMA’s requirements. At this point, the Schemes still had to accommodate these changes, which were then provided to the CB’s. Depending on the Scheme, a CB also had to consider including content to address any FSMA related gaps. In the end, these audits could take more than a year to reach the market, and depending on the individual site’s renewal period, it could be many more months before a supplier was actually audited.
Patricia Wester moderated the Plenary Panel “What’s Next for Audits”
and running the
Pre-Conference AFSAP Food Safety Auditing Fundamentals Course at the
2017 Food Safety Consortium November 29 – December 1, 2017 in Schaumburg, IL.
Recognizing the need to inform the market, the inaugural Plenary Panel on Auditing, moderated by AFSAP’s Patricia Wester was presented at the 2016 Food Safety Consortium meeting. Dr. Ostroff opened the discussion to share FDA’s perspective on the use of audits for FSMA. His remarks were followed by representatives from GFSI, Schemes and CB’s as each described their role and recent activities to meet the new regulatory requirements, and provide insight into the timelines involved.
Dr. Ostroff has agreed to join us again for the 2017 meeting, and will participate in the Plenary Panel “What’s Next for Audits” as Industry, Retailers and the auditing community prepares for the accredited certification audits necessary for VQIP.
FoodSafetyTech: How are audits used in FSMA?
Patricia Wester: In the Third Party Audit rule, FDA outlines an accredited certification program for imported food that applies in 2 specific situations. The first applies to any imports FDA designates as “a high risk food” and the second is the use of certification audits for importers in The Voluntary Qualified Importer Program, (VQIP). Under VQIP, participating importers are required to source their products from suppliers that are certified under the FDA program.
In addition to the certification audits for VQIP and high-risk foods, audits are one of the options for supplier verification activities under the human and animal food preventive controls rules. When the hazard analysis identifies a raw material has a serious hazard, (SAHCODHA hazard), that ONLY the supplier controls, a supply chain preventive control is required, and the supplier verification activity must be an onsite audit. FDA allows some flexibility here, the audit can be a second or third party audit as long as it meets the requirements listed in 117.435, and is performed by a qualified auditor as defined in 117.3. These requirements are applicable to audits used to verify foreign suppliers (FSVP) as well as domestic suppliers.
FST: Don’t GFSI Scheme audits meet the criteria for Supplier Audits?
Wester: FDA allows the use of any audit that meets FDA’s criteria for audit content. This includes second party audits executed by employees of the receiving facility and third party audits, including GFSI audits, as long as they meet the requirements for audit criteria and are performed by a qualified auditor.
FDA acknowledges that the GFSI Auditor Competence provisions are consistent with the Agency’s findings, but that recognition does not extend to the audit criteria/content of GFSI audits.
In fact, any audit program in use prior to the publication of FSMA’s rules would probably need to be updated for these new requirements. GFSI, the Schemes, the CB’s, and others involved in the delivery of audits have likely all updated their audits to eliminate the major gaps, however, there are still some key FDA requirements that remain unmet.
FST: So, even though audit programs have been updated for FSMA’s new requirements, they are still missing some of FDA’s requirements? Why didn’t they just add everything?
Wester: In most cases, it appears to be due to a misinterpretation of the audit criteria that underpins all FDA’s audits. FDA’s audits focus on assessing a suppliers compliance with “applicable food safety regulations, the HACCP and/or Food Safety Plan and the plan’s implementation”. The Preventive Controls for Human Food Rule states the audit requirements in Subpart G:
If the raw material or other ingredient at the supplier is subject to one or more FDA food safety regulations, an onsite audit must consider such regulations and include a review of the supplier’s written plan (e.g., Hazard Analysis and Critical Control Point (HACCP) plan or other food safety plan), if any, and its implementation, for the hazard being controlled.
We (FDA) have revised phrasing to state “and its implementation” to emphasize that implementation of the plan is distinct from the plan itself (e.g., § 117.126(c). (The PCHF Final rule preamble)
Similar phrasing such as “any applicable FDA regulations” is used elsewhere when FDA discusses audit criteria, such as FSVP and VQIP and the Third Party Certification Audit rules. Further, the PCHF rule, §117.190 provides a comprehensive list of “Implementation Records” that can be used as a guide to understanding what meets this element of the FDA’s requirement.
The auditing community and Industry have assumed the regulatory reference was limited to the FSMA regulations, such as Preventive Controls for Human or Animal Food or the Produce Safety final rules), and has focused on those regulations to update their audit programs. Other FSMA regulations, such as Intentional Adulteration and Sanitary Transport, could easily be considered part of the requirement, so there are a few audit options that include those rules.
FST: What about products that are exempt from the Preventive Controls Rules?
Wester: Audits for products that are exempt from the PCHF (human Food) rule, such as Juice and Seafood HACCP, are probably available under a general HACCP format, but they may not include the level of detail required under FSMA, and would have to specifically requested when arranging a supplier audit.
Audits for other PCHF exempt products, such as bottled water or low acid canned foods, would be audited using a general food safety audit, with the specific product treated as a product category under that audit. Once again, these audits lack the product specific regulatory content and implementation details required by FSMA.
The question becomes, which FDA regulations (beyond FSMA) apply to an audit used for regulatory compliance and how much detail in the audit is necessary?
In other words, what is the full scope of regulations needed for the audit, and what are the audit criteria? Is it just FSMA or does it go further?
FST: Where does one look for this information? Does FDA offer any guidance about the scope of the audit?
Wester: The CFR, or Code of Federal Regulations is the starting place for regulations. Finding the regulatory information would not be difficult, Title 21, CH 1 Parts 1-1499 include FDA’s food regulations. In addition each part can have multiple subparts etc.
Given the sheer quantity of regulations, and that some are product specific while some are not, developing different audits for all of the possible regulatory combinations would be a daunting task and enormously costly. Remember, every auditing company will have to go through this process.
There are FDA references to scope and criteria in several responses to comments:
Audit Criteria means the set of policies, procedures or requirements used as a reference against which audit evidence is compared. During regulatory and consultative audits, accredited third-party certification bodies will examine compliance with applicable food safety requirements of the FD&C Act and FDA regulations within the scope of the audit. In consultative audits, the third-party certification bodies also may be conducting an examination to determine conformance with applicable industry standards and practices.
The applicable requirements that accredited third-party certification bodies and their audit agents will use relate to the food safety standards under the FD&C Act, such as the adulterated food provisions in section 402 of the FD&C Act and the provisions on the misbranding of food allergens in section 403(w) of the FD&C Act. The applicable requirements of the FD&C Act and FDA regulations would depend on the type of eligible entity being audited. Other examples include labeling requirements and the CFR citations listed under scopes.
Certainly, more detail than this is needed, and AFSAP is working to engage all parties, including FDA, in collaborative discussions to resolve these questions and concerns. The auditing community will need to address these issues in the near future, and industry should be vigilant to understand the requirements and make sure any audits used for FSMA are compliant.