This website presents questions and answers presented to the EA Certification Committee (CC) by the participating committee members. The answers represent the consensus view of the CC – they are intended for informational purposes and aim at harmonisation between NABs.

When reading questions and answers take into consideration whether transition periods are on-going.

Questions relating to ISO/IEC 17021-1: 2015 – Management Systems Certification

Question 32.1 Road Traffic Safety MS Scoping

ISO/IEC TS 17021-7 does not refer to differences for scoping purposes. The differences are based on context as referred to in Table A1 in the annex of ISO 39001. Some ABs scope in accordance with NACE codes, others in accordance with Table A1. What would be the appropriate scoping for ISO 39001?

September 2016

Table A1 would appear to be the most appropriate means of scoping for ISO 39001.

Question 32.2 GFSI

GFSI is requiring Scheme owners to comply with their requirements like additional new audit items, but also to ‘audit’ all elements during every audit. This appears in contradiction with the methodology of MS certification as determined for QMS and EMS through IAF MD5 or FSMS through ISO/TS 22003, which applies the audit time reduction for surveillance and recertification audits (of 2/3 and 1/3 of the initial time respectively). Yet ABs are giving with their accreditation logos the impression that auditing all elements is equally effective as covering them during the whole cycle. The clearest example is comparison of ISO22000 versus FSSC22000.

The question is:

  1. How do we interpret that GFSI based schemes have to ‘audit’ all criteria whereas the methodology of MS certification applies the assessment of all criteria over the certification cycle which therefore allows to give a reduction for surveillance and recertification audits.
  2. To enable the same amount of confidence to these different types of certification audits, should we require that these schemes apply a different time allocation scheme as well (i.e. above ISO/TS 22003)?

September 2016

GFSI Guidance Document – Version 6.4 / November 2015 – Part II § 3.5.1 states:
“The scheme owner shall have a clearly defined and documented audit frequency programme, which shall ensure a minimum audit frequency of one audit per year of an organisation’s facility and has the scope to assess all elements of the scheme’s standard.”
General understanding of the clause and the sentence is that the requirement of assessing all elements lies with the audit programme and not with the annual audit (which is in the sentence the first requirement put on the audit programme). There is no contradiction between GFSI requirements and ISO/IEC 17021-1, ISO/TS 22003 and related IAF MD documents.

Question 32.3 Duration

Background: ISO/IEC 17021-1:2015 does not specify requirements for audit time and audit duration. IAF-MD5 and e.g. ISO/TS22003 describe this in more detail. MD5 describes in §4.1 that audit duration (on-site) should not be less than 80% of the audit time indicating that planning and reporting should typically be <20% of the audit time. ISO/TS22003 is a bit clearer by mentioning that preparation (and reporting) are not included in audit time.
In practice it is noted that CABs consider allocating time for reporting (else no report would be made), but time for planning and more importantly preparation of the audit team is not included (nor mentioned) and thus depends on the personal time of the team members.

Question: Could it be considered to suggest an amendment to IAF-MD5 to identify whether preparation time is required, that this be justified and recorded, and potentially indicate a ‘minimum’?

September 2016

Clause 9.1.4 of ISO/IEC 17021-1:2015 specifies the overriding requirements for audit time and requires that ‘for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system.’ This is confirmed by clause 0.6 of IAF MD 5 which states that ‘notwithstanding the guidance provided by this document (MD 5) the time allocated for a specific audit should be sufficient to plan and accomplish a complete and effective audit of the client’s management system.’

It is, therefore, clear that preparation time to plan an audit is required by both ISO/IEC 17021-1:2015 and IAF MD 5.

There will be evidence from witnessed audits and reports to determine whether or not the certification body has an effective process for planning audits. Providing the certification body has demonstrated an effective process for planning audits and is allocating sufficient on site time to accomplish a complete and effective audit, there is no need for it to separately justify and record planning time.

Question 32.4 2-Stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.
It is stated in a NOTE under 9.3.1.2.1 that “Stage 1 does not require a formal audit plan (see 9.2.3).”
Secondly, 9.2.3.1 states that “The certification body shall ensure that an audit plan is established prior to each audit identified in the audit programme…”.

Related questions are the following:

  1. What is required as the audit plan for a stage I? Is a telephone conversation acceptable?
  2. Since the stage II audit is not a separate audit, a formal audit plan is not required either?
  3. Or does this mean that the stage II audit (or the overall «initial audit») plan has to be prepared prior to stage I (i.e. prior to «the initial audit»), maybe in a more generic way, but with the objective that the stage I provides further focus/adaptation to this plan (ref. 9.3.1.2.2.f)?
  4. Do the requirements for 9.2.3 (and more specifically 9.2.3.2) apply to the audit plan for a stage II (even though that is not a separate audit)? Particular attention is requested to the requirement in 9.2.3.2.a (objectives) which are quite different for a stage I (9.3.1.2.2) from a stage II ‘audit’ (9.3.1.3).
  5. Can it be required that the CAB prior to the stage I at least will have to inform the client that prior to stage II an audit plan is prepared in line with the requirements of 9.2.3?
  6. A note normally does not contain requirements; how then can a note make requirements not applicable (as is the case here)?

September 2016

The sequence of clauses in ISO/IEC 17021-1 is as follows :

  • § 9.1.3.2 and 9.3.3.1: the initial audit (part of the audit programme) is a two-stage audit
  • § 9.2.3.1: … an audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.
  • § 9.2.3.2: “The audit plan shall be appropriate to the objectives and the scope of the audit.”
  • § 9.2.3.2 and 9.2.3.3: give the elements to be found in each formal audit plan for each audit; it may be that some elements are not applicable/necessary for stage 1.

Then an audit plan is required before the initial audit (then before stage I) so that the organisation to be audited is aware of what is to be audited and when (“agreement regarding the conduct and scheduling of the audit activities”). The CB may choose to draft one unique plan for stage I and II, in the form required per § 9.2.3.2 and 9.2.3.3, the plan addressing all elements of 9.3.1.2.2 and 9.3.1.3. If there is only one plan, the client has to be reminded that the plan may be adjusted after stage 1, following the conclusions of stage I.
If the CB chooses to have a plan in 2 parts, one for stage I, and then, after stage I, one specific for stage II, it may accommodate the form of the stage I plan, as all points of § 9.2.3.2 and 9.2.3.3 may not apply. What is captured in the NOTE is not to say that a plan is not required but is only waiving the formal aspects of the plan.

From there, the answers to the questions are:

  1. A plan (whether separate or not) is required but does not have to be formal, focusing on the objectives stated in § 9.3.1.2.2. If the plan is specific to stage 1 (where not the full team is present and not all elements are audited) it may waive some points of § 9.2.3.2 (c-d-e-f) as not yet identified at this stage, and of 9.2.3.3 (b-c). As it does not have to be formal, an email or a phone call may be acceptable. Records of what has been agreed with the client are needed to demonstrate implementation of requirements (e.g. 9.2.3.1).
  2. See above: a stage II plan is required, whether specific or integrated in the global “initial audit” plan.
  3. An overall plan may be prepared before stage I (in other words the audit plan communicated before stage 1 may include the elements of stage 2), with the information known by the CB at this stage, to be reviewed after stage I conclusions.
  4. All apply.
  5. Yes, it has to be required in the case that the plan is not drafted at once.
  6. According to ISO, information marked as “NOTE” is intended to assist the understanding or use of the document. The NOTE intends to waive the “formal aspects” of the plan and not the full requirement.

Question 32.5 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.

In 9.3.1.2.3, it is stated in a NOTE that “The stage I output does not need to meet the full requirements of a report (see 9.4.8).”

We do consider that the report of the “initial audit” in its totality (i.e. the full report prepared after conclusion of stage II), does need to comply with the requirements of 9.4.8. This means that it shall also include or refer to the “k) audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit” (i.e. findings, evidence and conclusions consistent with the requirements of stage I and stage II). So although the stage I findings don’t have to be reported immediately after the stage I in a report complying with all requirements of 9.4.8 (since then only “Documented conclusions with regard to fulfilment of the stage I objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.” have to be reported), the stage I findings (positive and negative) should find their way into the overall “initial audit” report after stage II.

Please confirm the above position, i.e. that the report (whether consisting of several documents or not) in its totality shall comply with all requirements of 9.4.8 for both stage I and stage II audits.

September 2016

In 9.3.1.2.3, it is stated that “Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage II.”

Actually “Documented conclusions” refers to “Stage I Audit Report” that does not need to meet the full requirements of a report as given in 9.4.8. That means not all items of audit report given in 9.4.8 are covered.

This report or “documented conclusions” shall be communicated before stage II. Since the standard is not saying “immediately communicated”, it can be communicated immediately or later after stage I. However, it shall be communicated before stage II.

According to related requirements of the standard, the CB can prepare one “Initial Audit Report” consisting of two separate parts (e.g. Stage I and Stage II) or prepare two separate audit reports: a “Stage I report” and a “Stage II report”. In the second case, most of the requirements of 9.4.8 should be covered including sub-item “k)” “audit findings”, since there is no need to report the conclusions of Stage I as “nonconformity”; just “identification of any areas of concern that could be classified as a nonconformity during Stage II” is enough.

Since the stage I “documented conclusions” shall be communicated in any format with the client of CB and these have to be based on findings (positive and negative), these (stage I findings) should find their way into the overall “initial audit” report after stage II provided that the conclusions are communicated with the client after or at the end of Stage I, and before Stage II.

Question 32.6 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.

Clause 9.4.1 states that “The certification body shall have a process for conducting on-site audits. This process shall include an opening meeting at the start of the audit and a closing meeting at the conclusion of the audit.”

Does this mean that the initial audit requires only an Opening Meeting (meeting the requirements of 9.4.2) at the start of the stage I audit and a Closing Meeting (meeting the requirements of 9.4.7) at the end of the stage II audit (i.e. no Closing Meeting at end of stage I or Opening Meeting at the start of stage II)?
This would seem like a silly consequence as these audits have clear and distinct objectives, i.e. both need full Opening and Closing Meetings.

September 2016

Clause 9.4.2 of ISO/IEC 17021-1:2015 states that the purpose of the opening meeting is to ‘…..provide a short explanation of how the audit activities will be undertaken.’ Since the audit objectives and activities for stage one and stage two are different, the requirement of clause 9.4.2 can only be met if there is an opening meeting for each stage.
The requirements of clause 9.4.7 relate to a formal closing meeting which includes the recommendation regarding certification. A formal meeting complying with clause 9.4.7 is, therefore, not required at the end of stage one. However, clause 9.4.3.1 requires the audit team leader to ‘….periodically communicate the progress of the audit and any concerns to the client.’ Clause 9.3.1.2.2 requires that an objective of stage one is to ‘….undertake discussions with the client’s personnel to determine the preparedness for stage two.’ Whilst a formal closing meeting, in accordance with clause 9.4.7, is not required at the end of stage one, there is clearly a need for a meeting with the client, at the conclusion of stage one, in order that the certification body can meet the requirement for communication with the client and the objectives of stage one.

Question 32.8 logos

ISO/IEC 17021:2015, 8.3.1 denies any possibility of a labelling of products by an enterprise which is certified (only) with its management system.

In contrast, the PEFC rules allow the use of the logo “on product” for forest owners (see PEFC ST 2001:2008, 7.2.1: “The PEFC Logo can be used on-product by a PEFC Logo user with valid PEFC Logo usage license for group B (forest owners and managers) and group C (forest related industries).”). This is also possible for the group members respectively members of the Regional Working Groups in Germany.

In practice, the mark of conformity is not placed on the wood coming from forests under PEFC management, but there is one possible exemption to be discussed: a sign marking the entrance of the forest under PEFC management as “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”. This statement is connected with the PEFC logo and the certification number.
This can be interpreted as incorrect logo use.

September 2016

As far as the question is about the use of the phrase “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”, connected with the PEFC logo and the certification number (but no CB marks), and as far as the mark of the CB is not used, this statement is OK. There are no rules for the use of the Scheme owner marks (PEFC).
The PEFC document was prepared in 2008 and revised in 2010; the date of entry into force of “PEFC ST 2001:2008” is 2010-11-26. As scheme owner marks, PEFC marks are different to CBs’ marks.

PEFC selected ISO/IEC 17021-1:2015 as accreditation standard for “Sustainable Forest Management System” certification bodies. According to EA-1/22 requirements 3.5 and 3.6, the scheme owner shall not contradict or exclude any of the requirements of ISO/IEC 17021-1:2015 as EA MLA Level 3 standard.

EA-1/22: 

“3.5 The conformity assessment process described or chosen by the SO shall fall within the scope of one of the EA MLA Level 3 standards (see EA-1/06).

3.6 Scheme specific requirements placed on CABs by the SO shall not contradict, or exclude, any of the requirements included in the standard referred to in 3.5.”

All the above mentioned considers that the PEFC logo is not a third party mark of conformity, cl. 3.1, in ISO 17030 (“Conformity assessment. General requirements for third-party marks of conformity applies”).

Question 33.1 Impartiality

This relates to clause 5.2.7 of ISO 17021-1:
5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Several CBs accredited by a particular NAB use contracted auditors (not ‘subcontractors,’ but individuals contracted to work for the CB, under the CB’s management system). Most of these auditors also provide consultancy. The NAB has, in the past, accepted that CBs could certify the management systems of clients who received consultancy from one of these contractors, as long as it was demonstrated that satisfactory controls were in place – transparency, different auditors, informing the impartiality committee, etc.

Clause 5.2.7 could be understood to mean that this practice can no longer continue.
However, it is proposed that this clause does not apply in the scenarios described above, because
a) Clause 5.2.7 refers to ‘a body,’ and the consultancy here is provided by individuals; and
b) Furthermore, clause 5.2.7 states that “A recognized mitigation of this threat is…” Because the word recognized is used, it means that there may be other ways of mitigating the threat; it is not mandated that the CB shall not certify the management system for two years.
Does the CC agree with the NAB’s position?

March 2017

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.7 should be invoked and the “2 year” rule should be invoked, or a similar mitigation.

Question 33.2 OH&SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance.

Temporary sites, for example construction sites, shall be covered by the OH&SMS of the organization that has control of these sites, irrespective of where they are located. The need to visit such sites and the extent of sampling shall be based on an evaluation of the risks of failure of the management system to control the OH&S risks associated with the client’s operations (see clause B.9 of Appendix B)”.

Question: Considering the same importance and dignity of all the workers of an organization, that can affect the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the sites of the organization? In other words, can an organization decide to certify only a part of the organization, excluding some sites?

Example: An organization has 1 headquarters and a network of 10 sites. The organization applies the OH&SMS only in the headquarters and in 5 sites. Is it acceptable, or does the company have to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all sites.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope, not scope of certification. EA-3/13 does not make any reference to whether or not all sites shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1, which states that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all sites are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 17021-1, therefore, it is acceptable that some sites could be excluded from the scope of certification.
The CB should report on the rationale/justification for not including all sites.

Question 33.3 OH&SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance”.

Question: Considering that all the activities, products and services within the organization’s control or influence can impact the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the activities, products and services of the organization?
In other words, can an organization decide to certify only a part of its activities, excluding some activities, products and services?

Example: An organization produces cars and trains. The organization applies the OH&SMS only in the cars production. Is it acceptable, or does the company have to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all production activities, products and services.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope, not scope of certification. EA-3/13 does not make any reference to whether or not all activities, products and services shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1, which states that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all activities, products and services are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 17021, therefore, it is acceptable that some activities, products and services could be excluded from the scope of certification.

However the OH&SMS should reflect the core activities of the organisation i.e. a manufacturing company should have the manufacturing activity as part of the OH&SMS, not just for example the office activities.

The CB should report on the rationale/justification for not including all activities.

Question 33.6 Operational Control

If a certification body does not have any agency, representative or branch office, is the Clause 6.2.2 still applicable to check their own operational controls? I mean, is 6.2.2 independent from Clause 6.2.1 or a subclause linked with it?

March 2017

Clause 6.2.2 is independent and it applies to the certification body’s own operational controls as well as control of activities delivered by branch offices, partnerships, agents, franchisees, etc.

Question 33.7 Organisational Control

What does the following mean?

“The person(s) [excluding members of committees (see 6.1.4)] assigned by the certification body to make a certification decision shall be employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body.”
Who are these persons?
Are these persons from the entities where explained in bullets a, b and c in the same clause? Or these persons can be different?

March 2017

These persons can be from the entities explained in bullets a, b and c, and can also be persons employed by, or under legally enforceable arrangement with, either the certification body or an entity under the organizational control of the certification body.
IAF Technical Committee Decision 15/10/02 is relevant to this question.
It is acceptable for CB decision taking group to be composed of people who are hired as external personnel; provided the personnel meet the competence requirements outlined in ISO/IEC 17021 and ISO/IEC 17021-1 (e.g. section 7.2.8) and the CB has organizational and operational control outlined ISO/IEC 17021-1, section 6.2 as it relates to the decision making person/s.
There are many examples today of this type of situation and ABs have found it acceptable in accordance with ISO/IEC 17021.
Note: ISO/IEC 17021 (nor ISO/IEC 17021-1) does not differentiate between permanent and non-permanent staff.
This means that the persons do not have to be from the entities listed in bullets a), b) and c), but that they shall be under a legally enforceable arrangement with the certification body or one of the entities listed in bullets a), b) and c) and must be under the certification body’s operational control.

Question 33.8 Operational Control

What is the interaction between clause 6.2 and 7.5?
Does status of an organisation having a relationship with the CB for performing any part of the certification activities of the CB fall in clauses 6.2.1 and 7.5.1?
Under which circumstances such an organization does not fall in the clause 7.5?

March 2017

Clause 6.2 is concerned with the certification body having operational control over its certification activities performed by its branch offices, joint ventures, agents and franchises etc.

Clause 7.5 covers the certification body’s process for outsourcing (subcontracting) of any part of the certification activities to another organisation. Organisations listed in Clause 6.2 which are part of the certification body, for example branch office, joint ventures are not subject to the requirements of Clause 7.5. Organisations listed in Clause 6.2 which are not part of the certification body, for example some particular agents and franchises are subject to the requirements of Clause 7.5.

Question 33.10 Product References Primary Packaging

Is it possible to use the statement (ref requirement 8.3 of ISO/IEC 17021-1:2015) on the primary packaging, the one that is in direct contact with the product like the tomatoes’ can, or the milk bottle?

The standard clearly states that it is not possible to add the certification mark on the packaging but is not so clear about the use of the statement.
“A certification body shall have rules governing the use of any statement on product packaging or in accompanying information that the certified client has a certified management system. Product packaging is considered as that which can be removed without the product disintegrating or being damaged. Accompanying information is considered as separately available or easily detachable. Type labels or identification plates are considered as part of the product.”

March 2017

It was agreed that according to the standard it is not possible to add the certification mark on the primary product packaging.

Bottles are packaging material, so the statement can appear on the bottle. The statement must refer to the management system not to the product.

Question 33.11 Quoting of 17021 parts

Relating to ISO/IEC17011: 2004 Clause 7.9.4
The accreditation body shall provide an accreditation certificate to the accredited CAB. This accreditation certificate shall identify (on the front page, if possible) the following:
……..
g) a statement of conformity and a reference to the standard(s) or other normative document(s), including issue or revision used for assessment of the CAB.

The Question: With the recent issuance of requirements document ISO/IEC17021-3: 2016 to support accreditation to ISO/IEC17021-1: 2015 EMS, do ABs have to make reference to this normative document on EMS accreditation scoping documentation in the same manner as Level 4 documents such as ISO27006?

March 2017

This was discussed at the IAF Technical Committee meeting in Frankfurt in April 2017; the question has been raised before in 2014.

IAF Decision log states:

“Some ABs reference ISO/IEC 17021 on the certificate with the assumption that it includes the dash standards (e.g. ISO/IEC 17021-2) as it is applicable to the scope of accreditation, and they do not reference all the parts. The ABs feel this is appropriate because the foreword of ISO/IEC 17021 standard states, ISO/IEC 17021 consists of the following parts…

Some ABs include all normative documents used in the assessment of the CB (per ISO/IEC 17011), including all individual parts of ISO/IEC 17021 (e.g. ISO/IEC 17021-2) and IAF MDs. One word of warning with including everything (including versions) is that it can become an issue of maintenance; however, it is the ABs decision on the level of detail included.

The TC reached consensus that the ABs can decide how to manage the accreditation certificate on their own, recognizing accreditation certificates can vary in level of detail.”

Question 33.14 Medical Devices Scoping

According to the ISO 13485 standard, it can be used by organizations involved in one or more stages of the life-cycle of a medical device, including design and development… Furthermore, it can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies…) to such organizations. The supplier or external party can voluntarily choose to conform to the requirements of ISO 13485 or can be required by contract to conform.

In case the product cannot be unambiguously defined to be a medical device or any of the related products identified in ISO 13485 but the manufacturer still wants to be certified against ISO 13485 – is this acceptable or not?

And more generally can ISO 13485 be used for certification purposes in the voluntary field outside the proper scope of the standard?

March 2017

The supplier or external party shall demonstrate the intention of its “product” (item such as a device, part incorporated in a device, raw material etc.) or service in the context of an application or use of a medical device.

  • The CAB (certification body) has to perform a contract review considering the elements stated in this answer (see below) including the national interpretation of medical devices performed by the national regulatory authorities (apply list of medical devices or family of medical devices).
  • The activity or product shall fall into the definition of medical device (ISO 13485:2016, 3 Terms and definitions, 3.11 medical device; see also source GHTF/SG1/N071:2012, 5.1 and 5.2). Note: GHTF/SG1/N071:2012 5.2 is not mentioned in ISO 13485:2016. Therefore, ISO 13485:2016 is not fully clear in the non-regulated field of IVD.

The supplier or external party seeking certification according to ISO 13485:2016 shall justify all not applicable clauses of ISO 13485:2016. The CAB shall critically audit the reason for not applying the requirements. Certification bodies shall always avoid certifying when it has some indication that a standard is applied in a way to only pretend compliance in the medical device field and in reality, it does not fit the encountered activity. The contract review of the supplier or external party shall always include an investigation of the purpose of the use of the ordered “product” or service.
Conclusion: If no clarity is reached the supplier or external party should better be certified against ISO 9001:2015 only. Therefore, there shall be no certification outside the proper scope of the standard ISO 13485:2016. The only difficulty lies in the evaluation of the boundary of the scope of the standard ISO 13485:2016 as it will contain some arbitrary components and perhaps some national particularities.

Question 33.15 Consultancy

5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Many CB’s external auditors are owners of one man consultancy enterprises and the contracts with the CB are signed by the enterprise.
We have understood the changes in wording of the standard in a way that in such cases the relationship constitutes a significant threat to impartiality as the contractor is the enterprise/body – not an individual and thus 5.2.8 does not apply.

In addition, we recently faced a case where, at the same time the CB made an annual surveillance of ISO 9001:2008 certification by auditor X, an external auditor Y of the same CB was giving consultancy to the same company for ISO 9001:2015.

What would be your reaction in such cases?

March 2017

Clause 5.2.8 refers to outsourcing (sub-contracting) and this is different to contracting-in external resources.

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.8 should be invoked and the CB should not outsource audits to them.

An individual used as a contracted-in external resource does not come under 5.2.8; however, impartiality rules still apply in terms of ensuring previous relationships do not compromise the impartiality of the audit process.

Question 33.16 Annual Indicators

IAF MD 15 defines the data an AB shall collect on an annual basis as indicators of CBs activities.

The NAB has included the indicators in the request for information we regularly ask the CBs to provide before the assessment. However, we have not received relevant information concerning “overdue audits”. According to the NAB’s experiences the CBs have not even defined when an audit is “overdue” or any consequences of delayed/overdue audits.

The NAB has raised a NC of this type of findings in several assessments.

To be discussed: Have other NABs similar experiences or findings? What actions have been taken? An NC raised against MD15 documents?

March 2017

The IAF TC Dec log April 2016 (see below) gives some explanation of what an “overdue audit” is, which helps in defining overdue audits.

The information is collected for exploitation by the AB during assessments. There are no requirements in IAF MD 15 about the need to define consequences of delayed/overdue audits. The indicators could provide an insight into the effectiveness of the Certification Body’s processes. The requirements about the due date of audits are in ISO 17021-1: first surveillance (only for ISO 17021:2006 and 2011), second surveillance and recertification audit (each calendar year and before the expiry date of the certificate).

Question 33.19

The CB shall periodically evaluate the performance of each auditor on-site. The frequency of on-site evaluations shall be based on need determined from all monitoring information available.

Is there any upper limit of frequency (in years) recommended? (some CB perform yearly monitoring of personnel audit, other CB extend the frequency to many years.)

March 2017

There is no specified upper limit for on-site monitoring in ISO/IEC 17021-1:2015, IAF MD-10 or any other relevant normative documents. But in practice most CBs perform at least one on-site monitoring every three years. According to ISO/IEC 17021-1:2015 clause 7.2.9, “There shall be a documented process for monitoring competence and performance of all persons involved, based on the frequency of their usage and the level of risk linked to their activities.” This frequency should be based on assignment frequency and the level of risk.

Another factor, linked to risk, which should be considered is the results of previous monitoring. It is reasonable to expect that auditors where issues have been identified are monitored more frequently than those where no issues have been raised.

In ILAC P15:07/2016 clause 6.1.9b, for inspection bodies’ inspectors there is a limit saying that “at least once during the accreditation re-assessment cycle”.
For ABs, ISO/IEC 17011:2004 clause 6.3.2 says that “Each assessor shall be observed on-site regularly, normally every three years.”

Question 34.2 Incorrect References to certification

Due to a delay in the re-certification process (application of clause 9.6.3.2.5) an organization is temporarily without a certificate (delay of audit + closure of non-conformities), but it seems that the certification status could be reinstalled within 6 months from expiry date.

How is ISO/IEC 17021-1:2015, 8.3.5: “The CB shall … take action to deal with incorrect references to certification status” to apply? The organization makes promotion with the certification status on their website and on their business documents (stationery). They state that they need the certification to get business.

Shall the CB enforce clause 8.3.5 for this short period (up to 6 months) that the organization deletes the publicity as “certified company” from the website and shall the CB request stopping the use of the business documentation (stationery) with the certification status as “certified”?

September 2017

During the period between the certificate expiring and the successful completion of the re-certification process, the organization is not certified, according to § 9.6.3.2.4 “then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained”.

During the suspension period, the status “certified company” as mentioned in its communication, business documentation, but also in the contracts with its own customers (this should not be forgotten), is incorrect, and the CB has to take action in case of incorrect reference to certification status as per § 8.3.5.

Question 34.3 Appeals

A CB has a rule for handling complaints and appeals:
“Cost of complaints and appeals will be charged to the complainant/appellant in the case of a negative decision against the complaint or appeal.”
Is this a discriminatory action against the appellant if the CB charges the appellant only in a negative case or decision?

September 2017

This question was subsequently discussed at IAF and an IAF Decision was recorded:

Consensus of the IAF TC: Decision Log: 17/10/05

Charging of Fees for the handling of unsuccessful Appeals

If the entity considers the risk to impartiality and has mitigated any identified risks and the process is considered effective, then it is up to the entity if they are going to charge a fee or not.

Question 34.4 Conflicts of Interest

See

9.5.1.1 The certification body shall ensure that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits.

5.2.12 All certification body personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.

Therefore, there is no requirement that states that the sales person (internal or external sales agent) has to be different from those who carry out the audits or take the decision.
However, if the sales person takes a fee from the CB for selling the certification service, there is a high risk to impartiality if the same sales agent is also involved in auditing or decision.

So, is it an acceptable risk the fact that a sales person could act, for the same client, also as an auditor or a decision maker?

Example:

  • Mr. Smith (sales agent) takes a fee of 100 € from the CB for each contract signed by a new client, and another 500 € if the client maintains the certification for the first certification cycle.
  • After the signature of the contract, the CB also assigns to Mr. Smith the responsibility to perform the audits or the decision.
  • If the audit goes well, Mr. Smith earns an extra 500 €... a good incentive to grant a certificate!

September 2017

There is no requirement of ISO/IEC 17021 which specifically prevents a sales person being involved in audits or decisions of clients he/she has introduced to a certification body. Clause 5.2.1 of ISO/IEC 17021 requires that certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality. In the example quoted, there will clearly be a potential conflict of interest which could compromise the impartiality of the certification process and Clause 5.2.3 of ISO/IEC 17021 requires the certification body to:

  • have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification;
  • document and demonstrate how it eliminates or minimizes such threats and document any residual risk;
  • (top management) shall review any residual risk to determine if it is within the level of acceptable risk.

This is reinforced by Clause 5.2.13 of ISO/IEC 17021 which requires the certification body to:

  • require personnel, internal and external, to reveal any situation known to them that can present them or the certification body with a conflict of interests;
  • record and use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them;
  • not use such personnel, internal or external, unless they can demonstrate that there is no conflict of interest.

It may be possible that a sales person could be involved in the certification process, provided the certification body can demonstrate that its process for managing impartiality has evaluated that there is no conflict of interest. The fact that for clients the sales person has introduced to the certification body, he/she will receive payment depending on a positive audit/decision, means there is a conflict of interest and he/she cannot be used in the certification process (ref. ISO/IEC 17021 Clause 5.2.13). This would not, necessarily, prevent the sales person being used for clients he/she did not introduce to the certification body.

Clause 5.2 note 1 should also be noted: Source of threats to impartiality of the certification body can be based on: payment of a sales commission or other inducement for the referral of new clients, etc.

Question 34.5 Certification Marks

The CB would like to use a mark accompanied with the picture where only the name of the corporate appears together with letters indicating the country. Of course the certification requirement is referenced too e.g. ISO 9001 or ISO 14001.

The problem is that XXXXXX has a lot of other activities outside certification (training, advisory services etc.) and the certification activities are performed by the daughter company of XXXXXX, the legal entity XXXXXX Certification Ltd which is the CAB (legal entity) accredited.

We would appreciate the view of other NABs on implementation of clause 8.3.1 of ISO/IEC 17021-1 which the proposal maybe doesn’t comply with.

I think the traceability to the certification body is becoming more and more important once the references to certification can appear also in product packages.

Unfortunately the model cannot be attached for confidentiality reasons.

September 2017

The important factor to take into account here is the traceability of the certificate to the accredited Certification Body.

Question 34.6 IAF MD5

IAF MD 5:2015 clause 4.4: “The CAB shall provide the audit time determination and the justification to the client organization as a part of the contract and make it available to its Accreditation Body upon request”.

To what extent does the information supplied to the client need to be client specific? See below examples:

Question part 1: Which of the below listed alternatives can be accepted as audit time determination and justification to be provided to the client organization as part of the contract:

  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document? Example “Audit time has been calculated in accordance with requirements in the document IAF MD5:2015, available at iaf.nu”
  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document, complemented with information that a more detailed explanation will be included in the audit report of Stage 1?
  • To state the total days offered and include a general explanation on the calculation method with examples of factors that may potentially be used as a basis of addition/reduction for audit time calculation?
  • To state the total days offered and include information on the number of personnel used, the complexity level used and a specification of the actual factors that have affected the audit time calculation of the client?
  • The full man-day calculation shall be included, fully traceable with adjustments in percentages etc. (This “determination and justification” would in this case have the same level of detail as the one available to the Accreditation Body at assessment)

Question part 2; Is it acceptable to state in the contract that, due to confidentiality reasons, the information will be made available for the client upon request?

September 2017

This question was subsequently discussed at the IAF Technical Committee in Vancouver October 2017, the recorded decision was: –

Consensus of the IAF TC: Decision Log: 17/10/02

MD5 clauses 2.3.2 and 4.4

The justification included in the written contract must be enough for the client to understand the calculation and may not include all of the calculations the CAB used to determine the audit time (which can be reviewed by the AB within the CAB records).
The detail in the contract may include; determination and number of effective personnel, the number of audit days, and the factors without the percentage that were applied based on the information supplied by the organization seeking certification, for all of the requirement documents (e.g. IAF MD 11).
It is not acceptable for the contract to just refer to IAF MD 5 to understand the audit time determination.
Note; the contract may include annexes that include this level of detail. As long as the annex is part of the contract this would be acceptable in meeting IAF MD 5.

Additional Discussion
The reason for the new requirements in IAF MD 5 was to make sure the CAB was open and transparent with the clients, as well as the ABs (upon request). And to prevent unfair competition by withholding information from the client.
If we focus too much on the numbers, we have lost the intent as it relates to the value of the audit and it will be lost on the client. We question getting too prescriptive.
There is a need to build awareness with the clients to understand the outliers and the jeopardy that has on the certification. The information should be enough to understand the outliers.

Question 34.7 Assessment for Notification Purposes

Are the IAF Mandatory Documents obliged to be used as the criteria of the conformity assessment (IAF MD 1, IAF MD 2, IAF MD 5) when accreditation for notification purposes is according to ISO/IEC 17021-1?

September 2017

A new revision of EA 2/17 will begin soon, managed by the HHC; this point will be clarified as part of that revision process.

The consensus of the CC was that the Mandatory documents apply for Accreditation for Notification wherever that standard is used as the preferred standard. But care should be taken because, for example, for Module D and E ISO/IEC 17065 has been identified as the preferred standard and so the MDs in question would not apply. The only Module with ISO/IEC 17021-1 as the preferred standard is Module H.

Question 34.9 Identification of revised certification documents

ISO 17021-1, clause 8.2.2 The certification body shall provide by any means it chooses certification documents to the certified client
i) in the event of issuing any revised certification documents, a means to distinguish the revised documents from any prior obsolete documents.
Can this requirement be considered as fulfilled if the revised certification document has a unique serial number/date different from the obsolete document, or shall the revised document have a reference to the obsolete document?

September 2017

Both cases can be acceptable.
The CB can use any means to distinguish or differentiate these two versions of the obsolete document.

Question 35.1 Decision Making Competence

The expected knowledge of the decision-making committee or person includes all the criteria and procedures for certification; shall this also include the knowledge of the various industrial scopes?

Shall the person(s) or committee(s) who will take the decision have the competence:

  • in accreditation scheme requirement (ISO/IEC 17021-1 & ISO/IEC 17021-3)
  • the conformity assessment scheme requirements (ISO 9001)
  • as well as in the industrial scope (39 fields)?

If yes, what is the difference between an assessor and the decision-making person?

March 2018

According to: ISO/IEC 17011 clause 6.2.1 “6.1.2.1 The accreditation body shall have a documented process for determining and documenting the competence criteria for personnel involved in the management and performance of assessments and other accreditation activities. Competence criteria shall be determined with regard to the requirements”

Therefore, with regard to the items in the question:

– Yes, they should have competence in the conformity assessment standard.

– Yes, they should have knowledge of the scheme requirements.

– No, generally there would be no requirement for them to have detailed knowledge of the industrial scope.

It is not expected that the decision makers should have the same level of knowledge as an assessor, but they need to know sufficient to ensure that everything relevant has been covered by the assessment. Decision makers can call on expertise as part of their review.

Question 35.2 ISO 27001 ISMS Scoping

We have a certification body with a client for ISO 27001 that has within its (client of the CB) scope ‘cloud storage’ but this is hosted by a third party company. We have required evidence of how this can be included in the scope and how it can be incorporated into the client’s ISMS. We have accepted this situation if the third-party company carrying out the ‘cloud storage’ has an accredited ISO 27001 certificate for this activity and the CB’s client has to ensure that this is current and maintained.

Does the committee consider this acceptable?

March 2018

It is the responsibility of the certified client to ensure the cloud storage provider meets requirements:

ISO 27001 requires in #8.1 Operational planning and control

“The organization shall ensure that outsourced processes are determined and controlled.”

Although ensuring the cloud storage provider holds an accredited ISO 27001 certificate is, of course, one means to control that process (“cloud storage”), it is not the only possibility.

Question 35.3 ISO 27001 ISMS calculation of audit time

This question concerns how the calculation of auditor time for ISMS audits should be carried out. One CB we have is applying a formula to calculate ‘effective personnel’ and then applying the tables in Annex B and Annex C of ISO 27006. There is a concept of ‘effective personnel’ contained in ISO 50003 but there is no such term used in ISO 27006. IAF MD 5 also includes the concept of ‘effective personnel’ for QMS and EMS audits.

Does the committee consider this acceptable?

March 2018

Annex B of ISO 27006 states:

“The total number of persons doing work under the organization’s control for all shifts is the starting point for determination of audit time.”

The concept in the 2 documents is the same: the effective personnel is the personnel falling into the scope of the QMS or ISMS, which means potentially each and every person who is utilizing the ISMS or the QMS.

The concept in ISO 50003 (Annex A) is different as the effective personnel is defined as personnel “who materially impact the EnMS”.

The criteria of IAF MD5, i.e. the effective number of personnel, should be the one taken into account for implementing ISO 27006.

Question 35.6 Accreditation to Draft Standards

When we had the transition from ISO 9001:2008 and ISO 14001:2008 to the new revision, we had some accreditation bodies that accredited CABs already on the draft of the 2015 revision.

So, we had CABs accredited on the F-DIS before the publication of the standard.

Soon we will have the publication of ISO 45001:2018, and we are facing the same situation.

Questions:

  1. Can an AB accredit against a draft of the standard already circulated for public consultation (but not yet published)?
  2. Can an AB accredit against a draft of the standard not yet circulated for public consultation but available as a draft within the working group?

March 2018

The consensus of the Certification Committee is that accreditation can only be delivered against a formal, published, standard, not against a DIS or FDIS.

  1. According to 765 Reg:
    • Accreditation shall mean an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity;
  2. EA MLA Coverage
    • Conformity Assessment Schemes (CAS) covered by the EA-MLA (according to EA MLA Coverage) are:
      • Accreditation according to ISO/IEC 17025
      • Accreditation according to ISO/IEC 15189
      • Accreditation according to ISO/IEC 17020
      • Accreditation according to ISO/IEC 17024, etc.

Question 35.8 Exclusion of “design and development”

With the requirements of ISO 9001:2015, is it still possible to exclude “design and development” in the application phase and to give an a-priori reduction on the time allocation?

In the opinion of RvA, the new standard requires that “The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.” Though it is accepted that for some organisations, an appropriate process may be a simple process to audit, however, all organisations will perform some form of design and development (if only to enable changes to the internal processes and services). The appropriateness of the process will have to be audited (especially in initial audits).

It is our opinion that a statement like “the scope of certification does not specify ‘design and development’ and therefore we reduce 10 – 30 % of audit time” is not in line with the current requirements and intent of ISO 9001:2015 and of ISO 17021-1, cl. 9.1.4. 2.a.

March 2018

The consensus view of the CC is that YES, it is possible to exclude design and development but that such an exclusion must be justified.

It is agreed that most organisations carry out some type of design and development although it may not always be recognised as such.

Design and development could be excluded from the scope of the QMS of an organization provided the organization has demonstrated (§ 4.3 and annex A5 of ISO 9001) that it does not have to fulfil the requirement of § 8.3 of ISO 9001.

But the CB shall evaluate this demonstration and the real scope of the organization before deciding whether or not it can reduce audit time; this could be an output of stage I.

Question 35.9 Accreditation Cycle for MD17

Would it be possible to harmonise the concept of accreditation cycle for the purpose of equivalent application of the requirements for NAB’s in IAF MD17 (and others such as MD16, etc.)?

MD17 requires NAB’s to determine the number of witness audits per accreditation cycle. For the purposes of harmonization, could we state that this should be read as the number of witness audits per 4 years and that if NAB’s have an accreditation cycle of 5 years, that the number of witness audits in the cycle should be 20% higher. The discrepancy between the cycle lengths would negate part of the harmonization efforts that are intended by this IAF MD.

March 2018

This question was put to the IAF Technical Committee in Frankfurt in March 2018; IAF MD17 was subsequently updated and is in draft form.

The draft introduced a standard first period of 5 years of accreditation for witnessing irrespective of the accreditation cycle; this was subsequently agreed at the IAF TC.

Question 35.10 Definition of nonconformity

During the assessment of a certification dossier (initial certification), RvA noted the following: though generally the nonconformities are rated and resolved appropriately, for one of the nonconformities the following is noted. Minor nonconformity X reads “The Management Review does not demonstrably include inputs ‘the effectiveness of actions taken to address risks and opportunities’ and ‘opportunities for improvement’ (ref. 9.3.2 e and f)”. The nonconformity was classified as minor, because the topics related to these sub elements could be shown to have been managed within the QA dept.

The client had taken the following (paraphrased) corrective action: The management review template was changed to include these topics (demonstrated); and new method will be implemented next year. This had resulted in closing the minor nonconformity and issuing the ISO 9001 certificate (effective implementation to be verified at the first surveillance).

The CAB had used the definitions in line with ISO/IEC 17021-1 (3.12 and) 3.13 to the letter. However, this means that the CAB has certified a client, while they have demonstrated that a nonconforming situation had not yet been demonstrably closed, i.e. it had demonstrated that the client does not comply with all requirements.

In our opinion, this is a clear and straightforward example of where the current definition of nonconformity does not function properly. Under the requirements of ISO/IEC 17021:2011, the CAB should have raised a major nonconformity, because, in line with cl. 9.1.15 b1, the “nonconformity represented 1) failure to fulfil one or more requirements of the management system standard” and the CAB was required to verify effective implementation of corrective actions prior to closure.

It is our opinion that in this type of cases “non-fulfillment of the requirement of the standard”, even though it is not demonstrable (or even if it is just not clear whether) this nonconformity affects the capability of the management system to achieve the intended results, should be raised as major nonconformities.

This topic may be as applicable to many other nonconformities, e.g.

“The organization did not define the audit criteria and scope for each internal audit” (9.2.2.b);

“The organization did not retain documented information that identifies the authority deciding the action in respect of the nonconformity”(8.7.2.d);

“It is not demonstrable that, in determining the extent of post-delivery activities that are required, the organization has considered customer feedback or customer requirements” (cl. 8.5.5 d and e);

“It is not demonstrable that the organization has taken into consideration, the effectiveness of the controls applied by the external provider” (8.4.2.c.2);

Etc.

We ask if this item can be raised as a broader concern with the aim of ensuring that if a nonconformity is raised which represents “a failure to fulfill one or more requirements of the standard”, then the consequence is that such a nonconformity shall be closed only after effective implementation of corrective action has been demonstrated. This is to ensure that the CAB’s statement of conformity is not supported with an audit that has demonstrated a failure to fulfill a requirement of the standard.

March 2018

In the spirit of the standard, its writers are concerned with two types of nonconformities (see 3.11, 3.12 and 3.13 of ISO/IEC 17021-1:2015). One can be closed conditionally (without reviewing corrective action evidence for effective implementation); the other cannot (reviewing corrective action evidence for effective implementation is a MUST).

Actually, it depends on the nature or context or content of the NC. According to the new High Level Structure approach, the intended results can differ from one organization to another. Even if the organisations are almost the same size and in the same business sector, their intended results may vary depending on what they want or expect from the implementation of ISO 9001 or any MS standard.

To support this comment, we should take into consideration Clause 9.5.2 b) and c) of ISO/IEC 17021-1:2015 given below.

3.11 nonconformity

non-fulfilment of a requirement

3.12 major nonconformity

nonconformity (3.11) that affects the capability of the management system to achieve the intended results

Note 1 to entry: Nonconformities could be classified as major in the following circumstances:

  • if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  • a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

3.13 minor nonconformity

nonconformity (3.11) that does not affect the capability of the management system to achieve the intended results


9.5.2 Actions prior to making a decision

The certification body shall have a process to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that:

  b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions; (actually the decision is not conditional)
  c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action. (actually the decision is conditional, effective implementation of correction or corrective action will be verified during the next audit e.g. first surveillance)

Question 36.4 Scope of Accreditation for ISO 13485

Scope of Accreditation for ISO 13485 is defined in Annex 1 of IAF MD8:2017. The category 1.7 (parts or services) has explicit reference to Calibration Services along with the note “Organizations providing calibration services should be accredited to ISO/IEC 17025”. (We consider that Organizations providing calibration services shall be accredited to ISO/IEC 17025.) This IAF MD8 reference can easily create confusion to people who are not fully aware about the difference of accreditation and accredited certification.

Question

Is it ok for a NAB not to accept accreditation for calibration services based on ISO 13485?

September 2018

Accreditation of calibration services shall be made to ISO 17025. A NAB cannot use ISO 13485 to accredit calibration services. EA and ILAC MLA for calibration are based on ISO 17025.

The NOTE tries to explain that situation.

The accreditation of a CB according to ISO 17021 to certify ISO 13485 is limited to certification services and is not intended for accreditation (for example a testing lab may be certified to ISO 9001 under accreditation and this does not mean that is accredited for testing).

It should be also remembered:

Annex 1: IAF-ILAC JGA 2007 Sydney Resolution 7 – Certification to accreditation standards

The IAF and ILAC Joint General Assembly, acting on the recommendation of the JCCC, resolves that when a Conformity Assessment Body (CAB), accredited by an Accreditation Body (AB), is providing certification to any standard used as a basis for accrediting CABs (e.g. ISO/IEC 17025 or ISO 15189), the AB shall initiate its process for suspension of accreditation, as this behaviour of the CAB will put the AB, against its will, in the condition of providing the same service that a CAB performs, in violation of clause 4.3.6 of ISO/IEC 17011. Further decisions shall be based on the actions taken by the CAB. All IAF and ILAC AB members shall include a suitable provision on such a possibility in their contracts with CABs.

Note: It is accepted that a CAB may have to assess subcontractors to confirm that they meet the CABs’ requirements, which may include accreditation standards e.g. ISO/IEC 17025. Documentation issued to subcontractors as a result of a successful assessment should clearly state that this is only for the purposes of the subcontract and is not certification or accreditation in accordance with ISO/IEC 17011.

Question 36.5

Is the time requirement of a mandatory extra day for certification bodies necessary for recertification audits when all requirements will be audited anyway?

“Where migration audits are carried out in conjunction with scheduled surveillance or recertification (i.e. progressive or staged approach) then a minimum of 1 auditor man-day is required to be added to cover existing and new requirements implied by ISO 45001:2018”

September 2018

Yes.

According to IAF MD 21:2018, 4.2.2

“Based on the agreement with the organizations certified to OHSAS 18001:2007, CB’s can conduct migration activities during a routine surveillance, recertification audit or a special audit.

Where migration audits are carried out in conjunction with scheduled surveillance or recertification (i.e. progressive or staged approach) then a minimum of 1 auditor man-day is required to be added to cover existing and new requirements implied by ISO 45001:2018.

Recognizing that each client and migration audit is unique and audit duration will be increased above the minimum as needed to sufficiently demonstrate conformity to ISO 45001:2018”.

The recertification audit covers the requirements of the old standard.

The new standard is clear: “Minimum one-man day is required to be added to cover existing and new requirements implied by ISO 45001:2018”.

Question 36.7 Statistical Sampling

Is there a good practice on application of statistical sampling on the number of certification files that are to be evaluated during the on-site assessment by the assessment team in order to provide a representative assessment of accredited CAB activities?

What practical experience do ABs have on this matter?

September 2018

It was agreed that there are certain principles that are important such as coverage of scope.

Reconsider the question focusing on “sampling” instead of statistical sampling.

If the CAB considers introducing statistical techniques, then statistics as a tool can be applied to sampling.

Think about the question in terms of things to take into account.

Question 36.8 Audit time for ISO/IEC 27006

Should the numbers of personnel in Table ISMS B.1 be seen as a continuum rather than a stepped change? There is no note in the standard as in the IAF MD 5 document.

September 2018

It was agreed at the IAF TC that this would be a continuum.

Question 36.10 Scopes of Certification

IAF Decision Number 16/10/03 on Scopes of Certification states that ‘Referencing a standard/normative document/code of practice that is outside of the scope of accreditation is not allowed due to being misleading on an accredited certificate.  Refer to ISO/IEC 17021-1, 8.2.2 e & f.’

What is the meaning of “that is outside the scope of accreditation”?

For example, a nonconformity was raised by an assessor against a Certification Body for issuing an ISO 9001 certificate with the following scope: –

“Furniture removals and storage in compliance with BS 8522: 2009, BS 12522: 1998, BS 14873: 2005 and BS 18477: 2010”

The quoted British Standards are Service Specifications for furniture removals and storage, therefore it could be argued that they are inside the “management system” scope of accreditation, as they relate to the main area of furniture removal specification delivered by the “management system”.

– Does the EACC consider that standards can be included in ISO 9001 scopes if they are related to the scope of accreditation?

– Would the EACC consider the above scope example to be acceptable if the wording was clarified to show “X Company Ltd has demonstrated that the management system complies with ISO9001: 2015 for the provision of Furniture Removals and Storage, in support of industry specifications BS 8522: 2009…………….)?

[Assumption: The CB would also need to demonstrate that their relevant personnel (auditors etc.) are competent in the service requirements detailed in the related Normative requirement.]

September 2018

On the ISO webpage, it is written that “A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.” According to this definition, a management system does not directly focus on the product or service quality or its conformity for any specification or standard or normative document requirements.

ISO/IEC 17021-1 states that

8.2.2 The certification document(s) shall identify the following:

  e) the management system standard and/or other normative document, including indication of issue status (e.g. revision date or number) used for audit of the certified client;
  f) the scope of certification with respect to the type of activities, products and services as applicable at each site without being misleading or ambiguous;

Above questions are answered below:

What is the meaning of “that is outside the scope of accreditation”?

Does the EACC consider that standards can be included in ISO 9001 scopes if they are related to the scope of accreditation?

In the accreditation of MS certifications, the scopes are defined in different documents e.g. ISO 9001 and ISO 14001 scopes in IAF ID 1, ISO 13485 scopes in IAF MD 9, ISO 45001 scopes in IAF MD 22 and ISO 50001 scopes in ISO 50003 etc. In all of these scopes there is no reference to any other conformity assessment specifications or standards, to avoid misleading.

Due to this fact, as long as not defined in the scheme requirements, the standards cannot be included in ISO 9001 scopes.

Would the EACC consider the above scope example to be acceptable if the wording was clarified to show “X Company Ltd has demonstrated that the management system complies with ISO9001: 2015 for the provision of Furniture Removals and Storage, in support of industry specifications BS 8522: 2009……..)?

An AB should focus on the main reason for these types of scope definitions. The AB should determine whether or not the CB intentionally wants to imply that, in addition to ISO 9001 conformity, the products or services of the client organization subjected to MS certification conform to relevant product or service standards at the same time.

To avoid misleading or creating confusion or being ambiguous, the AB should not consider the above scope example to be acceptable or applicable even if the CB claims its relevant personnel are competent in the product or service requirements in the related normative document referenced in the scope.

Question 36.12 IAF MD8

The IAF MD 8 document sets the requirement for accreditation of certification bodies auditing and certifying ISO 13485. It also can be used for regulatory purposes (and here the trouble starts…)

The IAF-based mandatory document is not clear in many points and we (SAS) have since the beginning pointed to this unclear situation. The most obvious weakness is the incorporated “dualism” of management system certification according to ISO 13485 and “medical device related requirements”, covered in Europe by the new EU legislation (and most probably in other parts of the world by other regulatory approaches).

Now, we have faced two problems when assessing certification bodies for ISO 13485:2016 to cover management systems of organisations dealing with the following categories of medical devices:

Part A:

IAF MD 8:2017, Annex 1, Table 1.1

“Non-active medical devices other than specified above”

IAF MD 8:2017 Annex 1, Table 1.2.

“Active (non-implantable) medical devices other than specified above”

Please tell us what exactly these two categories in the annex 1 are and what distinct technical competence it would require to cover it a) in the assessment team and b) in the certification body.

Part B:

Even when the IAF document is in the issue 3 (IAF MD 8:2017) it still refers to ISO/IEC 17011:2004 and does not take into consideration ISO/IEC 17011:2017. That is why formally the mandatory document is no more applicable when the accreditation body switches to ISO/IEC 17011:2017.

  1. What is your point of view?
  2. And as the document should be probably again updated to the ISO/IEC 17011:2017 version, would it be a good idea to get rid of this above mentioned “dualism” that makes this IAF mandatory document hardly applicable in Europe (see situation together with the requirements of the EU legislation on medical devices).

NOTE: Please note that in many cases (probably in most of the cases), ISO 13485 is applied to non-manufacturers of medical devices but rather to suppliers / vendors and subcontractors not really in the same status as a classical manufacturer of medical devices that want to put on the market their devices.

Such companies normally could get along very easily with an ISO 9001:2015 certification but due to market power, they need an ISO 13485 certification for very little in house activity concerning “medical devices” (most of the time they make only small parts of the device and do not know for what exactly they are intended in the device) and ISO 13485 as the management system of choice to cover them.

Under such access approach it is also not at all appropriate to have such a severe (yearly) surveillance regime as stated in IAF MD 8!

September 2018

Part A

The main concern in this question is that there is not any exact border or separation in between “Non-active medical devices other than specified above” and the rest of the Annex 1 Table 1.1. This situation is valid for Annex 1 Table 1.2. and other parts excluding 1.7.

Unfortunately, this is the weakest point of IAF MD 8 and 9. To remove this challenge, we can propose to establish link between IAF MD 8 & 9 and IAF ID 13 for more clarification or giving particular product examples in each Table in Annex 1 of IAF MD 8.

Note: EA CC should forward this question to IAF TC and IAF WG Medical Devices.

Part B

As far as we know, IAF MD 8 and 9 are under revision by IAF WG Medical Devices. Even if relevant IAF MDs are not updated, all ABs must follow the new version of ISO/IEC 17011.

a) In Annex A Table A1 of ISO/IEC 17011:2017, the requirements for the knowledge and skills for competence are so generic and this document is “informative”. But, the Annex 2 of IAF MD 8 (Required types of knowledge and skills for personnel involved with the IAF ISO 13485 activities) is normative and covers specific knowledge and skills requirements for AB’s personnel for medical devices. IAF can put additional requirements for competence as normative for specific conformity assessment fields, although ISO/IEC 17011:2017 Annex A is informative.

NOTE: This situation is similar to ISO/IEC 17021-1 Annex A (normative) and ISO/IEC 17021-3 requirements cover mandatory items by using “shall”, but its Annex A (Knowledge for QMS auditing and certification) covers informative requirements in particular, for ISO 9001 auditing and certification.

b) There is general agreement that dualism should be avoided whenever possible and all efforts should be made to achieve this.

Question 36.13 External auditors and experts

The certification body shall require external auditors and external technical experts to have a written agreement by which they commit themselves to comply with applicable policies and implement processes as defined by the certification body. The agreement shall address aspects relating to confidentiality and impartiality and shall require the external auditors and external technical experts to notify the certification body of any existing or prior relationship with any organization they may be assigned to audit.

NOTE Use of an individual or employee of another organization individually contracted to serve as an external auditor or technical expert does not constitute outsourcing.

Question:

A: Does it mean that an external auditor or technical expert has to disclose all mandates he/she actually has or had in the past e.g. as a consultant or product specialist, even not knowing whether he/she will be appointed in the audit team in the future?

In many cases, companies that look for external support do not want that the consultant or product specialist make such a relationship public to third parties. To be discreet is one of the main assets in the medical device and pharmaceutical business. Not respecting this, will put the person out of business forever in this specialized field and depending on the contract cost him/her a lot of compensation.

B: Would it be enough as soon as the certification body will ask him/her to become a part of an audit team to tell simply that it is not possible to work for this particular certification task. Is it acceptable to reject the task without further detailed explanation?

In any case, the certification body can think about it, and make its own risk analysis and consequently mandate somebody else as external auditor for the particular task.

September 2018

Both option A and option B satisfy the requirements of clause 7.3 of ISO/IEC 17021-1.

It is acceptable to reject a task without giving a reason. However, it is the CB in control of the relationships and so it would be best practice for the CB to have the relevant information to demonstrate assessment of the risk of a conflict of interest.

Question 36.14 Corrections and corrective actions

Standard, initial certification:

If the certification body is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of stage 2, the certification body shall conduct another stage 2 prior to recommending certification.

Re-certification:

Following expiration of certification, the certification body can restore certification within 6 months if the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry-date shall be based on prior certification cycle.

Question:

A1: What is the maximum time of the duration of an initial audit, if it has not been conducted in consecutive days?

A2: Example: A CB starts a “stage 2” audit with some time lags, that the whole audit will be conducted in a period of more than 6 months (e.g. a gap of 9 months between two parts of the stage 2 audit). Is the result of the first part of this audit still valid at the end of the second part of this stretched “stage 2” audit?

NOTE: Many references in the standard limit time of corrective action implementation to 6 months, but for the duration of an (interrupted) stage 2 audit there is no limit.

September 2018

The risk-based approach comes into play here.

As indicated in the question, there are no requirements or guidance for an interrupted stage 2 audit.

A certification body will need to take a number of factors into account when determining the audit time for the second part of an interrupted stage 2 audit, for example:

  • the requirements of IAF MD 5;
  • the reason for the delay – was it due to major nonconformities being identified?
  • have there been any changes in top management since the first part of the stage 2 audit?
  • have there been any other significant changes in the client’s organization?
  • are the results of the first part of the stage two audit still valid?

The real question that must be asked is why is it necessary for the stage 2 audit to be interrupted for a period of nine months? That suggests that there were some serious issues (major nonconformities) that delayed completion of the stage 2 audit, in which case the requirement of clause 9.5.3.2 of ISO/IEC 17021-1 would be applicable.  If there is a delay of nine months between two parts of a stage 2 audit, it is difficult to see that the audit time could be less than if it were a new stage 2 audit.  The underlying requirement of ISO/IEC 17021-1 (clause 9.1.4.1) is that ‘for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system’.  Therefore, irrespective of the requirements of IAF MD5, the certification body must be able to demonstrate that the audit duration is sufficient to meet this underlying requirement and the accreditation body must evaluate the output from the audit to satisfy itself that the audit duration was sufficient to do so.

Question 36.15 New schemes

The main federal regulator in the medical field has set up a complex certification scheme under ISO/IEC 17021-1 (management system) for data protection in patient health care. Accreditation of CB is the base for the acceptance of certification bodies by the regulator to work in this field.

The requirements in the legislation are already set up, but in practice the scheme is still under development, (the legislation text has several requirements that shall be tested by a special software).

Unfortunately, due to some problems, a considerable delay occurred and the software as a key element in this data protection scheme is not available yet.

Nevertheless, the federal regulator urged the NAB to start the assessment process of the potential applicant certification bodies and the certification bodies shall start with the first step of the scheme (certification according to ISO 27001). The reasons why this happened are not clear.

Question:

Is it possible to refuse in general the assessment task when a “scheme is not fully developed and available”? In addition, at this moment the NAB has no proof that the scheme will be based on rugged procedures. Even when it is based on a federal ordinance.

A1) What can be used as arguments (backed up by EA, IAF or normative criteria) to still perform the work as requested? What provisos shall be made?

A2) What arguments (backed up by EA, IAF or normative criteria) can be used to refuse such an (unfinished) work?

September 2018

This question is not specific to Certification and could also be provided to the HHC.

Consensus is that the situation is as described in A2 with the arguments that accreditation to a specific accreditation scheme cannot be delivered if requirements of ISO/IEC 17011 § 4.6 are not fulfilled.

In the present case, it looks that these requirements cannot yet be fulfilled.

And an AB shall fulfill whole ISO/IEC 17011, as per EC 765/2008 and the IAF and EA MLAs.

Another way would be to allow each CB to develop its own scheme based on the already published requirements and that the NAB evaluate each certification scheme implementing ISO/IEC 17011 §4.6. But this would be very difficult for the NAB and leading to potential different certification schemes and then certification results, which would be very risky and does not seem to be the need of the regulator in such a complex and regulated area.

Question 37.2 IAF MD 12:2016 & IAF MD 23:2018

Question:

In IAF MD23, it is required that the CB shall establish a legally enforceable agreement with the candidate entity to include but not be limited to

  v) Details of the activities to be provided by the entity;
  • Can the entity offer all the certification process including the decision on behalf of the CB?
  • If the entity provides the whole certification process including the decision and the signature of the certificate, is it not mandatory according to EA cross frontier policy to be accredited by the local accreditation body?

March 2019

  • Can the entity offer all the certification process including the decision on behalf of the CB?

The answer depends upon the relationship between the CB and the entity: as long as the entity is under the organisational control of the CB (as defined in ISO/IEC 17021-1), this is possible.

  • If the entity provides the whole certification process including the decision and the signature of the certificate, is it not mandatory according to EA cross frontier policy to be accredited by the local accreditation body?

No, this is not mandatory, but the Certification Body must ensure that the entity is competent and works in accordance with ISO/IEC 17021-1. Accreditation is one way of demonstrating this.

Question 37.3 IAF MD5:2015 Number of shift work employees

IAF MD5:2015 – Calculation of effective number of employees (case of shift work employee)

Referring to 2.3.1 and 3.5 of IAF MD 5:

2.3.1 The effective number of personnel as defined above is used as a basis for the calculation of audit time of management systems. Considerations for determining the effective number of employees include part-time personnel and employees partially in scope, those working on shifts, administrative and all categories of office staff, repetitive processes and the employment of large numbers of unskilled personnel in some countries.

3.5 For QMS audits, Figure QMS 1 provides a visual guide to making adjustments from the audit time calculated from Table QMS 1 and provides the framework for a process that should be used for audit planning by identifying a starting point based on the total effective number of personnel for all shifts.

In the practice, each Certification Body has its own methodology for the calculation of the effective number of employees (case of shift work employee):

1/ There are those who consider the main shift (high number of employees, referring to ISO TS 22003 B1)

2/ There are those who consider the average of the shifts (Number of personnel in shifts / Number of shifts) (the justification that the shifts make the same process and repetitive processes), so a reduction is applied for shift work taking into account the size of a single shift. Example: 450 employees concerned by the certification including 210 working in 3 * 8 on production lines. On the 210 employees, only a team of 70 people is taken into account in the calculation of the effective number of personnel to be audited: So the effective number of personnel = 450 – 210 + 70 = 310.

3/ There are those who consider the total number of personnel for all shifts

Which is the methodology to be followed and correct?

March 2019

The definition of EPS in IAF MD 5 is as below:

1.9 Effective Number of Personnel

The effective number of personnel consists of all personnel involved within the scope of certification including those working on each shift.

Based on this definition:

Consideration of the shift activities should be clear and robust and must or be used as a method of reducing days.

Method 1 can be more useful for ISO 22000 or relevant certification audits (e.g. FSSC 22000), since there is a specific rule for it in ISO/TS 22003 B1.

Method 2 needs to be justified. In this case, the CB should focus on which shift will be audited concerning size, nature and/or content of the activities or processes conducted in this shift.

Method 3 should be valid for the client organisations where the size, nature and/or content of the processes are different in each shift. In this case, all shifts shall be covered by the audit plan, and all EPS in all shifts shall be taken into account for conducting effective audit and cover all processes in the client organisation.

According to 3.7 of IAF MD 5 “Where product or service realization processes operate on a shift basis, the extent of auditing of each shift by the CAB depends on the processes done on each shift, and the level of control of each shift that is demonstrated by the client.”

Question 37.4 Additional Audit time ISO 22000:2018

Additional Audit time calculation for transition from ISO 22000:2005 to ISO 22000:2018 certification

In the case there was an ISO 22000:2005 certification by end of 2018 and the certificate is valid until 29 June 2021 based on IAF resolution 2018-15.

How should the AB react if the CB intends to perform the “first surveillance Audit” by end of 2019 with the intention to perform the transition from ISO 22000:2005 to ISO 22000:2018 during this “surveillance audit”?

  1. Can the CB issue the new ISO 22000:2018 certificate with an expiry date of end of 2021 so as to maintain the current certification cycle?
  2. Which additional audit time should be calculated by the CB for the transition to ISO 22000:2018 during a surveillance audit?
  3. ISO 22003:2013 does not indicate clear rules for additional audit time calculation for transitions to new revisions of the standard. What should be the minimum additional audit time for a CB if they have the intention to change to the new ISO 22000:2018 standard?
  4. Would it be acceptable if the CB will issue a new certificate in end of 2019 (3 years cycle from November 2019 until November 2022) without taking into account the minimum audit time calculation (as defined in ISO 22003:2013) for a recertification? As justification, the CB is arguing they had already respected the minimum audit time calculation for the recertification in 2018.

March 2019

A1. Yes, this is acceptable.

A2 & 3. Question 2 and 3 are quite similar. Neither ISO/TS 22003 nor IAF MD 16 or any other normative document is requiring additional audit time for transition to ISO 22000:2018. Since there is no dramatic or revolutionary change in the new version (most of them are for alignment to HLS), there is no justification for additional audit time for transition.

Similar to this approach, FSSC does not require additional audit time for transition.

“FSSC 22000 Requirements for the FSSC 22000 V5 upgrade process, Article 2.2.3 Audit time calculation: Based on the released ISO 22000:2018 gap analysis in July 2018, it is not justified to require additional on-site audit time to assess implementation of the new FSSC 22000 Scheme version 5 requirements by a certified organization.”

A4. No, changing or prolonging the expiry or cycle duration of a certificate that already exists should require a new certificate number. The new certificate with the current certificate number should follow the current certification cycle depending on the first issue date. If the client wants to prolong its new certificate’s expiry until November 2022, the CB should take into account at least the minimum audit time for recertification and assign a new certificate number. This depends on the mutual agreement between the CB and certified client.

IAF Resolution 2018-15 – (Agenda Item 9) Transitional Arrangement for ISO 22000:2018 – The General Assembly, acting on the recommendation of the Technical Committee, resolved that the period for the transitioning of accredited certifications to ISO 22000:2018 Food safety management systems — Requirements for any organization in the food chain be three years, with the transition deadline being no later than 29 June 2021.

Accredited certificates issued to ISO 22000:2005 after the date of publication of ISO 22000:2018 shall state an expiry date of 29 June 2021. This resolution replaces IAF Resolution 2017-16.

IAF Resolution 2017-16 – (Agenda Item 9) Transitional Arrangement for the revision of ISO 22000:2005 – The General Assembly, acting on the recommendation of the Technical Committee, resolved that the period for transitioning of accredited certifications to the next revision of ISO 22000:2005 Food safety management systems — Requirements for any organization in the food chain be three years from the date of publication.

Question 37.5 Calculation of audit time

In IAF MD 1:2018 Issue 2 is stated under chapter 7.3 “Calculation of Audit Time”:

Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%.

For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing)….

The reduction of audit time per sampled site with different standards is stated as not to be greater than 50% (30% + 20%) according to IAF MD 1:2018 Issue 2. In fact, 50% time reduction per site with different standards based on IAF MD 5 calculation schemes for QMS and EMS does not lead to the same result as a first reduction of 30% applied per standard (and site) according to IAF MD 5:2015 issue 3 with a second additional reduction of 20% applied for similar standards (per site) according to IAF MD 11:2013/2019.

Should the calculation process for audit time reduction be split according to the different applicable IAF MD documents (e.g. IAF MD 5 and IAF MD 11) or instead be summed up as suggested in IAF MD 1 chapter 7.3 in order to get a correct result?

March 2019

The requirement as stated in IAF MD1:2018 7.3.1 is “reduction of audit time per sampled site max 50%”.

Its composition can vary.

An example is indicated in 7.3.1, but there could be many of these.

IAF MD11:2019 is related to the level of integration of two or more sets of audit criteria/standards and its requirements relate to the “planning and delivery of audits of IMS”, therefore defining whether the audit team utilized to perform an audit of IMS can potentially be optimized and be more efficiently utilized during the auditing processes of IMS.
Therefore its impact in increase of audit time or decrease of audit time (max 20%) shall be considered after having applied IAF MD1:2018 and IAF MD 5:2015.

The elements justifying reduction in each MD are quite separate:

  • MD5 for the characteristics of the organisation
  • MD1 for the logistics and needs of assessing a single management system across many sites
  • MD11 for the practical benefits of assessing an integrated system where the common aspects need not to be repeated for each MS standard.

Any reduction justified because of integration efficiencies, is completely unconnected with the other considerations.

See also Question 37.23

Question 37.11 Audit time determination

IAF MD 5, clause 2.3.2:

The justification to determine the effective number of personnel shall be available to the client organization and to the Accreditation Body for review during their assessments and on request from the Accreditation Body.

The CB uses a calculation template with several formulas embedded. As an example, we recently faced a calculation where the number of personnel given by the certified client is 240. As the result of the calculations for the effective number of personnel the audit duration has been defined based on 98 persons and justified with a statement that 140 factory workers are doing repetitive processes.

Questions:

  • Have you defined any limits for the reductions of the number of personnel (definition of effective number of personnel)?
  • Is the reduction based on the effective number of personnel included in the maximum reduction of 30% (IAF MD5 clause 3.9)?
  • Do you require the CBs to open all the embedded formulas in the calculations based on the referred clause 2.3.2 of MD5?

March 2019

1) IAF MD5:2015 clause 2.3 to calculate the effective number of personnel is very clear in indicating the different considerations that a CAB shall take into account to move forward in the MD calculation process.

This is also based on the Effective Number of Personnel definition (clause 1.9).

These considerations, included in sub-clauses (i.e. from 2.3.1 to 2.3.6), are not indicating any specific limits of the increases/reductions to be considered, but 2.3.2 is indicating that justifications are to be available to the client organizations and to the AB for review during assessments and on request.

2) If there is an increase or reduction of the effective number of personnel, its calculation output (a number of employees) is used to enter in the tables to determine the first number of MDs to be considered.

After this step is completed, the clause 8 is to be taken into account and these additional considerations are determining the second number of MDs (increased/reduced) to be considered. This calculation step is potentially impacting on clause 3.9 (i.e. in case of reduction factors with a max of 30% allowed).

3) As AB, in order to understand how a quote calculation tool or process has been designed and validated by the CAB, you could ask for evidence about this and, eventually, ask what is inside of an embedded formula.

Question 37.12 ISO 17021-1:2015, clause 9.1.3

Surveillance audits shall be conducted once a calendar year except in years where recertification is conducted.

The wording of the clause may give a challenge when e.g. a recertification is planned for 1st December in year X and then, due to unforeseen reasons, a need arises to change the date until 15th January year X+1.

In that case there will be no audit in year X, neither a surveillance audit nor a recertification audit.

  • What measures should be expected by the CAB to handle such deviation from the requirements?
  • Is it acceptable that the certification body plan the next surveillance audit to be conducted in year X+2 based on the fact that there has been conducted a recertification in year X+1?

March 2019

Requirement of ISO/IEC 17021-1 § 9.1.3.3 is explicit: in each calendar year, at least (the CB can have a stricter regime but not an “easier” one), there shall be an audit, whether surveillance or recertification.

In case an unforeseen event has induced some delay in performing an audit in year n, which puts the audit at the very beginning of year n+1, this situation shall be considered as exceptional and treated as such by the CB for allowing to delay audit of year n (depending on cases, measures might be, among others, suspension of the client certification or other means of surveillance while waiting for the onsite audit…).

The reason or justification of this deviation or delay should be documented and kept to show AB when requested.

Once the problem with the audit in year n is handled, it shall not be a reason for postponing the audit originally planned at year n+1. The postponing of n+1 year audit to n+2 year is not acceptable.

Question 37.13 ISO 17021-1:2015, clause 9.1.3

This relates to clause 5.2.7 of ISO 17021-1:
“5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.”

Several CABs employ contracted auditors (not ‘subcontractors’ but individuals contracted to work for the CAB, under the CAB’s management system), who are also employees of certified organization, very often engaged as e.g. Quality/Environmental/OH&S Manager/Representative. According to clause 5.2.7, can such situation be understood as significant threat to impartiality of CAB (such persons participate in establishing, implementing or maintaining a management system, so he/she fulfils the definition “management system consultancy”)? If yes, shall the CAB refuse to certify the management system of company where the CAB’s auditor is employed (permanent employee) for a minimum of two years following the end of the consultancy? Or possibly the sufficient mitigation of such threat is that auditor will not be used in any certification activity of such client?

March 2019

An answer to a similar question is already given in the ISO/CASCO Clarifications (http://bit.ly/2phNnqJ)

Based on this, it is also clear that “contracted” auditors are also = to “subcontractors”.

In the question presented, the clause 5.2.7 of ISO/IEC 17021-1:2015 is not the applicable one, but the other clauses 5.2.3 and 5.2.10 are to be applied.

In the case presented, the answer to the first question is: YES.

Therefore, the CAB has two actions to be taken:

  • Not use the contracted auditor as this is posing a significant threat to impartiality
  • Certification process for this client can continue but with appointing another auditor

The mentioned ISO/CASCO clarification is summarized below:

(Date of submission: 2018.09.04)

  1. Clarification request, please formulate the request clearly and where possible in a format that enables a YES or NO answer:

Clause 5.2.7 reads “5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.”

There is a need for clarification on three issues related to situations where the client of the CB has received MS consultancy from an individual free-lance consultant and this free-lance consultant is also acting as external auditor for the CB:

  1. One could argue that a free-lance consultant is a “body” or one could argue that a person is not a “body”. The grounds for not considering a free-lance consultant to be a body as meant in 5.2.7 is twofold: i) in clause 5.2.3 distinction is made between “… activities of other persons, bodies or organizations …”, and ii) clause 7.3 speaks of individuals contracted as external auditors. If this free-lance consultant is to be considered a “body” then this “body”, because of also having a contract with the CB, has a relationship with the CB and thus this has to be considered a significant threat to impartiality. Is it correct to argue that a free-lance consultant is to be considered a “body” when applying 5.2.7?
  2. Stating a specific method for mitigation of this risk in the text of the clause (instead of in a note as was the case in the previous version of 17021) could be understood that in fact no other possibilities for mitigation are possible. Would it however also be an acceptable way of mitigation if the CB ensures that the individual free-lance auditor will not act as auditor (nor has any other task in the certification process) for the specific clients he/she has provided MS consultancy?
  3. Could it be an acceptable way of mitigation if the CB ensures that the free-lance auditor that has provided MS consultancy to clients of the CB, during audits for this CB is always observed or accompanied (four eyes principle) by an auditor not involved in this kind of consultancy?
  4. The change in wording of 5.2.7 compared to the previous version (2011) could be considered to have the intention to include free-lance consultants. The 2011 version speaks of “the relationship between the consultancy organization and the certification body”. Based on that text it was not common to consider free-lance consultants as consultancy organizations. If the change was intended to sort the effect that free-lance consultants are to be considered “bodies” or “organizations” then this is a significant change in requirements for CBs. Was the change in wording intended to sort this effect?

7. Consensus position of the maintenance group (This section is only to be completed by the maintenance group members)

Question 1: No, a body is considered to be an organisation not an individual. Whether considering a free-lance auditor a “body” or not does not override the requirements in § 5.2.3 & § 5.2.10 that both address requirements that are applicable for “persons” – internal, external, consultants or others.

“5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification…..() ….. demonstrate how it eliminates or minimizes such threats and document any residual risk. The demonstration shall cover all potential threats that are identified, whether they arise from within the certification body or from the activities of other persons, bodies or organizations.”

“5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.”

Question 2: Yes. In this case, clause 5.2.3 exists to evaluate the risks and find an acceptable solution to eliminate or minimize them. Clause 5.2.10 is also very clear that the requirement applies “if they have been involved in management system consultancy towards the client” and is not intended to extend beyond that.

Question 3: No, this would be in conflict with 5.2.10 which states that “A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy”. In unavoidable situations (e.g. areas of highly specialized competence where extremely few qualified auditors exist) other mitigation solutions may need to be sought, but only when a detailed evaluation of the risks has been performed and established whether the proposed solution would be acceptable.

Question 4: no, the intent was not to include free-lance consultants under 5.2.7. When they work for CBs, they are considered to be contracted auditors and managed as such.

Question 37.14 Audit team selection (9.2.2 of ISO 17021-1)

ISO 17021-1 requires:
“9.2.2.1.1 The certification body shall have a process for selecting and appointing the audit team, including the audit team leader and technical experts as necessary, taking into account the competence needed to achieve the objectives of the audit and requirements for impartiality. (…)”

“9.2.2.1.3 The necessary knowledge and skills of the audit team leader and auditors may be supplemented by technical experts, translators and interpreters who shall operate under the direction of an auditor.(…)”

Should AB accept the situation where a CAB appoints the audit team composed of an audit team leader and an expert, where knowledge of technical area is provided only by the expert? (particularly, clause A.2.6 related to the types of products or processes of a client sufficient to understand how such an organization can operate and how the organization can apply the requirements of the management system standard or other relevant normative documents).

March 2019

It is acceptable to have an audit team composed of an audit team leader and a technical expert provided that the team collectively has the required competence to achieve the audit objectives.

In particular, the competence requirements referred to in clause A.2.6 may be fulfilled by the technical expert with the support of the audit team leader in what concerns particularly the application of the management system standard in the organization. In such case, it is apparent that the audit team leader should be competent in the named management system standard.

It is noted that, according to Table A.1, the competences defined in A.2.6 are required for the certification function ‘‘auditing and leading the audit team’’. The particular function can be sufficiently operated by individual auditors or a competent audit team composed by a team leader and an expert.

According to the definition given for the technical expert in ISO/IEC 17021-1 Standard, the specific knowledge or expertise of a technical expert is related to the organization, the process or activity to be audited. Therefore, the objective of clause A.2.6 can be achieved through a technical expert instead of an auditor.

As the technical expert has to be accompanied and cannot work alone, this means that the team leader must complete the whole audit, supported by the technical expert, who will be under the team leader’s supervision. The role of the technical expert should be clearly shown on the audit plan.

Question 37.15 Certification documents (8.2 of ISO 17021-1)

ISO 17021-1 requires:
“8.2.2 The certification document(s) shall identify the following:

  f) the scope of certification with respect to the type of activities, products and services as applicable at each site without being misleading or ambiguous”

Should CAB identify on ISO 9001:2015 certificates additional information about which requirements of this standard are “non-applicable”?

March 2019

If requirements have been considered as non-applicable, this shall be justified and recorded by the CB in the client file, but this information shall not appear on the certificate: if the requirements were not applicable, the certification delivered is fully an ISO 9001:2015 certification, with no restriction.

The scope of the certificate should be clear with regard to the activities certified, for example “design and manufacture of …..”, or “manufacture of……”.

Question 37.17 Implementation of ISO/IEC TS 17021-10

IAF has endorsed ISO/IEC TS 17021-10 as a normative document, applicable to CBs performing certification of OH&S MS (IAF Resolution 2018-16). This resolution was also approved by EA.

Nothing was stated about implementation date (transition period) for this new standard.

Once IAF MD 22 is under revision and will make reference to ISO/IEC TS 17021-10, can we consider the application date of the new IAF MD 22 as the same application date for that standard?

March 2019

After publication of IAF MD22:2018, the TFG has received some questions similar to this one.

The replies given have been as follows:

  • IAF MD22:2015 was issued having an “immediate” application date to facilitate the accreditation activities to ISO 45001 and also to facilitate the migration activities from OHSAS 18001 to ISO 45001 (ref. IAF MD21:2018).
  • Competence requirements were already indicated in Appendix A and, after the publication of ISO/IEC TS 17021-10:2018, the requirements of this Appendix A have been superseded as already indicated in the same Appendix A.
  • The competence requirements have not changed with the publication of the ISO/IEC TS 17021-10:2018.

No need to define an application date in this case.

Question 37.21 Public information according to ISO 17021-1 § 8.1

  • 8.1 ISO 17021-1

What is enough to achieve the requirement, “available without request” (For example the certification process, complaint process, etc.)

  a. A brochure sent as soon as someone requests it after contact by phone.
  b. A brochure sent out after contact by phone where information on the public website informs that this is the process.
  c. Information is on a public website, but cannot be found with the search function on the website (for example, in the “Terms and conditions“ as a pdf on the website).
  d. The brochure / information is on a public website easily found.

March 2019

According to ISO/IEC 17021-1 Standard, clause 8.1.1, specific information shall be made public without request. This practically implies that direct access to the mentioned information or provision of information on the process to gain access to it, shall be made available to the public. Any means that facilitate access to the required information should be considered as sufficient.

With regard to the examples in the question, a. and b. are not “without request” and so would not comply with the standard. c. and d. would be acceptable.

However, accredited CABs should be encouraged to utilise the most user-friendly tools for providing access to the specified information to any interested party.

Question 37.23 IAF MD 1:2018 Temporary Sites

Clause 7.3.1 (IAF MD 1) states that “Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%. For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing).”

Is this reduction the allowed reduction ratio before IMS reduction? Or does this ratio (max 50%) include IMS reduction?

Can this ratio (max 50% reduction) be applied based on only one justification or reason directly?

E.g.: Assumption: a warehouse has 55 workers, category is medium for QMS, number of effective personnel is 55 and there is not any other reduction factor. The process only consists in unloading the goods in the storage area, handling, storing, preserving and loading to the truck. Goods are ordinary goods and do not need any special care, let’s say they are shoes. According to IAF MD 5, duration is 5 man-days. For single activity, 50% reduction is made. It makes 2.5 man-days. Is this correct?

March 2019

The requirement as stated in the IAF MD1:2018 7.3.1 is, “reduction of audit time per sampled site max 50%”.

Its composition can vary.

An example is indicated in 7.3.1, but there could be many of these.

IAF MD11:2019 is related to the level of integration of two or more sets of audit criteria/standards and its requirements are related for the “planning and delivery of audits of IMS” and therefore, defining if the audit team utilized to perform an audit of IMS, can potentially be optimized and be more efficiently utilized during the auditing processes of IMS.
Therefore its impact in increase of audit time or decrease of audit time (max 20%), shall be considered after having applied IAF MD1:2018 and IAF MD 5:2015.

The elements justifying reduction in each MD are quite separate:

  • MD5 for the characteristics of the organisation
  • MD1 for the logistics and needs of assessing a single management system across many sites
  • MD11 for the practical benefits of assessing an integrated system where the common aspects need not be repeated for each MS standard.

Any reduction justified because of integration efficiencies is completely unconnected with the other considerations.

See also Question 37.5.

Question 37.24 IAF MD 11:2019

For 9001:2015 and 13485:2016, are IMS audits subject to IAF MD 11? Or as before, 13485 audit time is used if both certification scopes are the same since 13485 is based on 9001 structure?

But, these two standards now seem to have different structures. In previous version, ISO EN 13485:2013 (2012) states additional requirements to 9001:2008 in blue italic sentences. However, new version is not like that and also 13485:2016 is not on the basis of HLS. Therefore, there are some differences between these two standards. Should we follow same approach as above?

March 2019

According to the definition of an integrated management system given in IAF MD11:2019, the provisions of the particular MD are applicable for management standards / specifications regardless whether these standards follow the high-level structure (HLS) or not.

The audit time of an integrated management system based on the requirements of ISO 9001:2015 and ISO 13485:2016 should be calculated taking into consideration the sum of the audit times derived from IAF MD5 and IAF MD9, respectively, as a starting point.

Moreover, IAF MD9 makes an explicit reference to the application of IAF MD11 in the case of integrated management systems. According to IAF MD9, in case of certification of both ISO 9001:2015 and ISO 13485:2016 standards, the audit time should be sufficient for an effective review of all requirements of both certification standards.

Question 37.25 IAF MD 11:2019

Q1 is about clause 1.4.2

If the client systems are fully integrated, is the EAA approach compulsory to apply or can the CB choose the standard audit approach?

Q2 is about lead auditor competence (clause 1.4.2 c & e, clause 2.1.4, Annex 1 EAA planning session)

Assumption: there are fully integrated QMS and EMS systems. The lead auditor is only qualified for QMS as allowed by MD 11. If the lead auditor will audit MS, fully integrated or not, and audit clauses 4, 5, 6, 9 & 10, how will he be able to audit clauses for 4 and 6 of EMS properly without being qualified for that system (note ISO/IEC 17021-1:2015 cl 9.2.2.1.2, and also Annex 1 1st part aim)?

Q3 is about audit time for EAA (clause 2.3 b)

Assumption: there are 3 fully integrated systems and the EAA approach will be applied. These are QMS, EMS and OHS MS. Audit time for each system is determined separately. The longest audit is for OHS MS and it is 5 man-days. Then the audit time becomes for the EAA approach as follows:

A = time for OHS MS (5 man-days)     B = time for QMS (3 man-days)      C = time for EMS (2 man-days)

Audit time (T)= 5+ (50% of 3)+ (50% of 2)= 5 + 1.5 + 1= 7.5 man-days

Is this calculation correct? And there is not any other 20% reduction at most due to integration which is applicable for the standard audit approach. Is this correct?

Q4 is about audit time for EAA (clause 2.3b) related to ISO/TS 22003:2013

Question is for clarification of adding FSMS audit time in an integrated system.

Assumption: there are two fully integrated systems and the EAA approach is going to be applied. These are QMS and FSMS. Audit time is determined for both of systems separately. The longest audit time is for QMS and it is 4 man-days. And FSMS audit time is 2 man-days. Then the audit time becomes for the EAA approach as follows:

A= time for QMS (4 man-days)            B= time for FSMS (2 man-days)

Audit time (T)= 4+ (50% of 2)= 5 man-days

However ISO/TS 22003:2013 Annex B defines minimum audit time for ISO 22000 FSMS. When we take 50% of FSMS audit time, we decrease 50% of minimum time. Is it acceptable?

March 2019

A1 The CB can always choose the standard audit approach and even not use IAF MD 11. According to 2.1 of IAF MD 11, the CB can choose its approach; none of them is compulsory.

A2 According to clause 2.1.3, the audit team must be competent to audit both QMS and EMS, so it is not possible to “only be qualified for QMS”. Although the lead auditor is not qualified for EMS, the team as a whole must be qualified for QMS AND EMS, so it is a matter of distributing areas to be audited. The lead auditor can be only qualified for some of the management systems, but could not audit those MS for which he/she is not qualified.

A3 The calculation is correct.

A4 Yes, it is acceptable, there is no minimum time for the audit of QMS +FSMS together. The level of integration is based on common elements.

Question 38.1 Scope – witnessing activities ISMS

1) For accreditation of certification bodies for information security management systems (ISO/IEC 27001), is it sufficient to define the accreditation scope as below, without any sub-areas (similar to IAF codes for ISO 9001)?

Scope: Information Security Management System Certification
Standard: ISO/IEC 27001:2013

If the answer to question 1) is YES, which we assume, as we see this kind of accreditation scope from different NABs,

2) Is it sufficient to make one witnessing activity per accreditation cycle for this scope?

3) If the answer to question 1) or 2) is NO, would EA CC be prepared to develop a harmonized way of presenting suitable sub-areas, to be used for accreditation scopes and/or planning of witnessing activities?

(Possible sub-areas could be: Nuclear, Bank/finance/insurances, Health care, Public sector, Production, Gambling; etc.)

September 2019

1) Yes, it is confirmed that there are currently no sub areas for ISO 27001 certification.
2) Yes, provided that requirements of ISO/IEC 17011 and IAF MD17 part 1 to 3 are fulfilled.
3) Not considered necessary.

Question 38.2 Calculation of MDs for sites

According to IAF MD 1:2018, clause 7.3 Calculation of Audit Time, the reduction of audit time per sampled site shall not be greater than 50%.

How can we proceed with calculations for small simple sites (e.g. one room storage, small office with 1-5 employees)?

There are usually simple processes to be audited, which usually may not take more than 1-2 hours. When adding more schemes, even with the 50% reduction applied, the time increases a lot and we easily end up with 1-1,5 MDs for 1-person administrative place.

September 2019

According to IAF MD 5 Table QMS 1:

For 1-5 employees – audit time is 1.5 audit-days (stage 1 + stage 2),
According to clause 4.1, on-site duration of MS audit should not be less than 80% of audit time (it means, off-site audit should not be more than 20% of audit time),

If CB wants to apply reduction (based on suitable justifications) as 50% of audit time, then adjusted new audit time becomes 0.75 audit-days. Then;

On-site: 0.75 * 80% = 0.60 man-days (this number should be adjusted to the nearest half day, finally it becomes 0.5 audit-days. It means, one auditor will spend 4 hours in one selected site)
Off-site: 0.75 * 20% = 0.15 audit-days

IAF MD 5
2.2.3 If after the calculation the result is a decimal number, the number of days should be adjusted to the nearest half day (e.g.: 5.3 audit days becomes 5.5 audit days, 5.2 audit days becomes 5 audit days).

Note: If the CAB cannot satisfy above approach, it can use another calculation method or approach provided that suitable justification concerning Note 1 and Note 2 under the clause 2.2.4 of IAF MD 5. In this case, the AB should try to evaluate the effectiveness of the new approach of the CAB in the assessments (office and/or witnesses).

IAF MD 5
2.2.4 To help ensure the effectiveness of the audit, the CAB should also consider the composition and size of the audit team (e.g. ½ day with 2 auditors may not be as effective as a one day audit with 1 auditor or 1 audit day with one lead auditor and one technical expert is more effective than 1 auditor day without the technical expert).

Note 1: ABs may require a CAB to demonstrate that the average audit time of specified clients is neither significantly more nor less than the audit time calculated from tables QMS1 and EMS1.

Note 2: CABs that work primarily in high risk or complex industries are likely to have an average higher than the tables and CABs that work primarily in low risk industries are likely to have an average lower than the tables.

Notwithstanding the above answer, the primary requirement is for the CB to provide sufficient time for a complete and effective audit (ISO/IEC 17021-1: 9.1.4.1), and that this should be justified when a calculation is used.

(It should be noted that a Project is now underway at the IAF TC to reconsider the way in which Audit Time is calculated).

Question 38.3 ISMS – ISO/IEC 27006:2015

According to ISO/IEC 27006:2015 (IS 10.1) accredited CAB performing ISMS certification is obliged to implement the ISMS (acc. ISO/IEC 27001).
1) Should AB verify the CAB’s MS acc. ISO/IEC 27001 during every on-site assessment?
2) If CAB is certified acc. to ISO/IEC 27001, can the AB reduce its assessment in this field?

September 2019

According to ISO/IEC 27006, ISMS implementation by an ISMS CB is a recommendation and not an obligation (ISO/IEC 27006 “10.1.1 IS 10.1 ISMS implementation It is recommended that certification bodies implement an ISMS in accordance with ISO/IEC 27001”.).

1) No: As what was discussed in the past and decided for the “Option B” in ISO/IEC 17021-1, it is not the duty of the AB to check the compliance of the CB to any specific management system certification standard.

2) No: The duty of the AB is to verify compliance of the CB to ISO/IEC 27006, not to ISO/IEC 27001; furthermore, relying on a certification to reduce assessment would put the AB in a conflict of interest situation as in a way subcontracting part of its assessment to a CB client.

Question 38.9 Accredited certificates after accreditation transfer

If accreditation of CAB is transferred between two NAB in accordance with EA 2/13, the certificates issued by CAB till this moment are still marked by accreditation mark of previous NAB.
Is it obligatory to reissue all certificates with the accreditation mark of the “new” NAB resp. with the reference to accreditation of the “new” NAB?
If so, in which period of transition time should it be completed?

September 2019

In the interest of clarity and transparency there should be an agreement between the 2 ABs and the CB concerned, including clear timescales by which the certificates need to have been transitioned.

Question 38.12 Degree of details of MS audit report

ISO/IEC 17021-1:2015 clause 9.4.5.1 states that audit findings summarizing conformity and detailing nonconformity shall be identified, classified and recorded to enable an informed certification decision to be made or the certification to be maintained.

CAB uses one audit report form for all types of audits, which includes summary with some evidences of fulfilment of requirements of certification standard. There could be included the table of contents (headings) of the certification standard with markings (x) on the fulfilment of the standard requirements by the auditees/departments.

Evidences of how a certified client has met the specific standard requirements can only be found in the auditor’s records made during the audit in the free form, with or without any linkage with the certification standard. They are saved by CAB together with audit report.

In some cases, the decision maker cannot find evidences on the fulfilment of the certification criteria.

Question: could such headings of the certification standard and/or auditor notes be interpreted as minimum of information summarizing conformity as requested by clause 9.4.5.1?
Which document/guidelines/examples could be used as best practice example for documenting audit evidences on conformity?

September 2019

ISO/IEC 17021-1 clause 9.4.8 defines the required content of an audit report. Also, required information for decision making (clauses 9.5.2, 9.5.3 and 9.5.4) and root-cause analysis (clause 9.4.9) and the evidences of effectiveness of corrective actions (clause 9.4.10) (if available) should be considered.

The information provided to decision makers and as a record of the audit does not all have to be in one document i.e. auditors’ notes can be included as part of the record as long as they are legible and traceable. The totality of records needs to confirm that all relevant aspects have been audited and should demonstrate compliance (and detail on non-compliance to enable effective corrective action by the client). The records must show how all requirements have been fulfilled.

Question 38.13 Internal training within CAB

ISO/IEC 17021-1:2015 clause 7.2.7 states that the certification body shall identify training needs and shall offer or provide access to special training to ensure its auditors, technical experts and other personnel involved in certification activities are competent for the functions they perform.

In the case of transition to new certification standard CAB shall identify and demonstrate appropriate skills and knowledge, based on the requirements of new certification standard, including evaluation of achieved competence.

Previously, CABs asked auditors to complete an IRCA registered or accredited training course in the case of the transition to a new version of a certification standard. Nowadays CABs have introduced competence assessment, and even small CABs have begun to organize internal training on the new version of the standard, using available materials and internal GAP analysis. Accordingly, the quality of training varies. In some cases, acceptance is done as a calibration interview. Even if the examination is completed at the end of the training, the questions of the examination need to be verified.

1) What is the situation in other countries?

2) Should any training on the application of requirements of the certification standard end with an examination in the form of a test, or could there be another form of evaluation of achieved competence?

September 2019

Please note that the primary focus within ISO/IEC 17021-1 is competence, not training. Whatever form of training has been provided, the CB needs to demonstrate that its auditors meet the competence requirements; training alone is not likely to achieve this.

1) This is variable but largely the same experience as described. For transition to a revised certification standard, but also for completely new standards, CBs may have relied on external training or developed internal training. This is indicated in all IAF transition documents.

2) There is no such requirement in ISO/IEC 17021-1 for all training to end with an examination; competence needs to be evaluated and demonstrated (i.e. when the result is positive), but this can be done in a number of ways.

Requirements regarding the demonstration by the CB that it is using competent auditors can be found in ISO/IEC 17021-1 §7.2.5, 7.2.6, 7.2.7; that it has checked and evaluated the performance, in §7.2.9 and 7.11; and that it has monitored its auditors, in §7.2.10.

Question 38.14 Number of witnesses according to IAF MD 17

Decision of IAF TC 18/04/05 (Frankfurt 12.5) on ISO/IEC 17021-1: IAF MD17 – The consensus was that the number of witnesses should be adjusted according to the accreditation cycle on a pro rata basis. MD 17 is being revised and this issue will be addressed at that time.

Question 1 – did this issue result in the new sentence added under clause 2.2.1 of IAF MD 17:2019 – The policy shall ensure that the ABs assess the performance of a sample of the conformity assessment activities representative of the scope of accreditation (see 7.4.5 of ISO/IEC 17011:2017)? Or will other changes come on this issue?

Another point – IAF MD 17:2019 Clause 4.2.3. on the assessment program of QMS, EMS and OH&SMS schemes states – when the CB has demonstrated sufficient experience and performance for an enhanced programme, AB shall perform at least one witnessing activity in each technical cluster of each MS scheme, to be complemented with other assessment activities to guarantee that each technical cluster is assessed in a period not exceeding ten years.

Question 2 – concerning the number of witnesses, do ABs need to implement this clause as underlined (without the wording “to be complemented with other assessment activities …”)? Then ABs need to adjust the number of witnesses for CABs with a small number of certificates.

Question 3 – Or assessment program of QMS, EMS and OH&SMS schemes should include at least one witnessing activity of each MS scheme, to be complemented with other assessment activities, to guarantee that each technical cluster of each MS scheme is assessed in a period not exceeding ten years? I.e., one witness audit for each scheme within 10 years to be complemented with certification file review during office assessments and other assessment activities to guarantee, that each technical cluster is assessed in a period of 10 years.

September 2019

Question 1 – The IAF TC mandate given to the IAF TF appointed to make the changes introduced in the published revision of IAF MD17 was threefold:
• Incorporate IAF MD22 App. E in the IAF MD17 (ref. clause 7)
• Some editorial modifications based on the ISO/IEC 17011:2017 (ref. clauses 0.1, 1.1, 2.1.1 and 2.2.1)
• Modifications based on the IAF TC Meeting in Frankfurt (ref. above) (clause 4.2.3)
Therefore, the answer to this question is NO.

Question 2 – The answer is NO.

Question 3 – The requirements shall be implemented as written, therefore the answer is YES.

Question 38.18 Consultancy on one MS and certification on another one

A CB is accredited according to ISO/IEC 17021-1 for ISO 9001 and ISO 14001, but is not accredited for ISO 45001. This CB is offering non-accredited ISO 45001 certification. This CB is offering ISO 45001 consultancy to one QSE (ISO 9001-14001-45001) certified client: is it acceptable?
If the client was certified only to ISO 9001 and ISO 14001, would this be acceptable?

Our opinion is that in both above cases it is not acceptable as it poses an unacceptable threat to the impartiality in delivering the accredited certification (ISO 9001-ISO 14001).

ISO/IEC 17021 § 5.2.5 states “The certification body and any part of the same legal entity and any entity under the organizational control of the certification body [see 9.5.1.2, bullet b)] shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.”

September 2019

The answer to both questions is that it would be “Not Acceptable” for the CAB to offer consultancy for that MS.

The requirement has been written with the intent that a CB shall not offer or provide MS consultancy, irrespective of whether the CB is accredited or not.

Question 38.19 Audit time for surveillance and recertification audits – IAF MD5

IAF MD 5 §5 states that: “The CAB shall obtain an update of client data related to its management system as part of each surveillance audit. The planned audit time of a surveillance audit shall be reviewed at least at every surveillance and recertification audit to take into account changes in the organization, system maturity, etc. The evidence of review including any adjustments to the audit time of management systems audits shall be recorded.”

ISO/IEC 17021-1 § 9.1.4 states that: “The certification body shall have documented procedures for determining audit time. For each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system.”

We are facing the following practice of a MS CB: audit time is determined for one client for the whole certification cycle (i.e. initial + 2 surveillances audits) through 3 years contract. Changes concerning the client (number of persons, organization, QMS, direction, etc.) which might affect audit time are in some cases, not known in advance of a surveillance audit, and in this case the audit time is calculated based on previous information. The CB collects this information during the surveillance audit, and, if it is felt that audit time for the surveillance was not enough, plans and performs a complementary audit (this happens rather rarely).

Question: is this practice, i.e. adjusting the audit time after the surveillance, acceptable and fulfilling ISO 17021-1 § 9.1.4?

If the answer is yes, we would expect the CB to provide evidence that the audit team has collected all necessary information, and that it has performed the adjustment of the audit time independently of the review of the content of the report.
If the answer is no, the CB is required to make an update of the client’s information before the planning of each audit (surveillance or recertification) and to adjust, if necessary, the audit time of the audit.

September 2019

As the case has been presented, the answer is YES, occasionally.

Obtaining such information prior to the audit would be preferred as this allows the CB to make adjustments in advance, however obtaining the information during the surveillance audit is acceptable as long as it is acted upon by the CB.

Contracts should include the ability to make time adjustments.

As mentioned in clause 8.5.3 of ISO 17021-1:2015:

Certification clients are obliged by the contractual agreement with the CAB to notify the CAB of significant changes. This requirement would at least allow a CAB, in case of major changes, to adjust audit time for a surveillance audit in the planning phase or even lead to extraordinary audits prior to the conduct of a regular surveillance audit.

Question 38.21 Maximum reduction of audit time

According to IAF MD 11 2019
2.2 Standard audit approach: To determine the audit time for an audit of an IMS covering two or more management system standards/specifications, e.g. A + B + C, the Certification Body shall: a) calculate the required audit time for each management system standard/specification separately (applying all relevant factors provided for by the relevant application documents and/or scheme rules for each standard, e.g., IAF MD 4, IAF MD5, ISO/TS 22003, ISO/IEC 27006); b) calculate the starting point T for the duration of the audit of the IMS by adding the sum of the individual parts (e.g. T = A + B + C);

In case the starting point T is already reduced up to 30%, based on IAF MD 5 2019, then the final reduction of an integrated system is 44% from the tables of the Annexes of IAF MD 5 2019 (44% comes from double reduction: initial 30% and then another 20%). Is this calculation of the audit duration accepted?

September 2019

Yes. This could be an acceptable calculation (Since the integration is not a reason for the reduction in audit time according to IAF MD 5, an additional reduction can be done in IMS audit time according to IAF MD 11 due to integration). However, the primary requirement is for the CB to provide sufficient time for a complete and effective audit (ISO/IEC 17021-1: 9.1.4.1), and that this should be justified when a calculation is used (ref. 38.2).

Question 39.1 Findings classification – Nonconformities

ISO 17021-1 states in clause 9.4.5:

Audit findings summarizing conformity and detailing nonconformity shall be identified, classified and recorded.

…opportunities for improvement may be identified and recorded. Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement.

Clause 3.12 defines major nonconformity and clause 3.13 defines minor nonconformity

Clause 9.5.2 sets out how to deal with major nonconformities and with minor nonconformities.

Is it acceptable if a CB introduces such a findings classification system?

1) Major nonconformity – findings with crucial impact on non-fulfilment of MS objectives

2) Minor nonconformity – finding does not affect the ability of MS to achieve its objectives

3) Observation – finding could potentially lead to nonconformity in the future

4) Opportunity for improvement

Action prior to making decision has to assure that:

  1. All major nonconformities have to be cleared so that corrections and corrective actions have to be reviewed and accepted
  2. For all minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action
  3. For all observations CB does not require any corrections or corrective actions or any client’s plan for correction and corrective action before the decision is taken. The next audit examines the client’s response to such a finding.
  4. In case of opportunity for improvement, no action is required.

In particular, we would like to know whether Observation as defined by the CB system is in line with ISO/IEC 17021-1 if the standard allows two types of nonconformities and opportunities for improvement only.

March 2020

ISO/IEC 17021-1:2015 says:

“9.4.5.1 Audit findings summarizing conformity and detailing nonconformity shall be identified, classified and recorded to enable an informed certification decision to be made or the certification to be maintained.”

“9.4.5.2 Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme. Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement.”

“3.11

nonconformity

non-fulfilment of a requirement”

The CB should be careful when defining the nonconformities. In this case, the definition of “Major Nonconformity” as “findings with crucial impact on non-fulfilment of MS objectives” does not comply with the definition in the standard (3.12 major nonconformity: “nonconformity (3.11) that affects the capability of the management system to achieve the intended results”). In the CB’s definition it is not clear whether the finding is a non-fulfilment of a requirement of the MS standard or not. The same situation is valid for the CB’s definition of “minor nonconformity”.

According to the standard approach, the finding shall first be a nonconformity and then needs to be classified. It is possible to write anything to indicate non-fulfilment of the MS objectives even if it complies with the standard requirements.

The names of the findings or nonconformities are not important, but at least the meanings or definitions of the nonconformities shall be the same.

If the CB audit team members can clearly and easily differentiate “the observations” and “opportunity for improvement”, the CB may use this terminology unless prohibited by the requirements of a management system certification scheme according to clause 9.4.5.2.

Question 39.2 Accreditation for certification to ISO/IEC 27701:2019

FINAS has received applications for accreditation of certification to ISO 27701. Our client has the opinion that ISO 27701 is an independent management system standard. However, there seems to be two different approaches of accreditation used:

a) as a stand-alone scheme under ISO/IEC 17021-1

b) as a supplement to ISO/IEC 27001 (similarly to ISO 3834+ISO 9001)

March 2020

While some accreditation bodies had a differing opinion, the consensus answer is that ISO 27701 is a supplement to ISO/IEC 27001.

Question 39.3 IAF Resolutions 2015–14 and 2016-17, EA Resolution 2016 (38) 21

IAF Resolution 2015–14 – Non-Accredited Certification Where the MS CB is Accredited for the Same Scope – The General Assembly, acting on the recommendation of the Technical Committee, resolved that IAF Accreditation Body members shall have legally enforceable arrangements with their accredited CABs that prevents the CAB from issuing non-accredited management systems certificates in scopes for which they are accredited.

IAF Resolution 2016-17 – Accredited MS Certification Document – Further to Resolution 2015-14, The General Assembly, acting on the recommendation of the Technical Committee, resolved that in order for a management system certification document to be considered accredited, it must display the accreditation symbol, and/or, reference the accreditation status of the CB including the identification of the AB.

There is a concern about interpreting the resolutions regarding the prohibition on issuing non-accredited certification on scopes for which CABs have accreditation.

The question concerns the case where the management system scope to be certified includes two or more industrial areas (in our case NACE codes), for example construction of buildings (NACE 41) and architectural and engineering activities (NACE 71), and the CAB is accredited for one and not accredited for the other.

In this case:

  • can the CAB issue one certificate including both activities (both NACE activities) in the certification scope and issue certificate without reference to accreditation or
  • issue two certificates, one with reference to accreditation and with the accredited scope (NACE accredited) and other certificate for the scope (NACE which is not accredited) without reference to accreditation
  • say no to certification.

March 2020

It seems that the second option is the best solution to follow the above IAF resolutions. In practice, most of the CBs have a small number of accreditation scopes using this approach.

“issue two certificates, one with reference to accreditation and with the accredited scope (NACE accredited) and other certificate for the scope (NACE which is not accredited) without reference to accreditation.”

For this issue there is an IAF TC decision:

16/10/06 Scopes on Accredited Certificates The accredited certificate must be clear and not misleading. With the new resolution (14-2015), an accredited certificate shall be issued for the part of the scope of certification that falls within the scope of accreditation.

If a portion of the scope of certification is outside the scope of accreditation (when allowed within the certification standard), then multiple certificates shall be issued.

Refer to ISO 17021-1 8.2.2 9 (g).

New Delhi 12.6

Question 39.5 ISO/IEC17021-1: 2015 Clause 8.2.2

Multiple MS Standards on a single certification document

Certification Document

8.2.2 The certification document(s) shall identify the following:  …………….

e) the management system standard and/or other normative document, including indication of issue status (e.g. revision date or number) used for audit of the certified client;

f) the scope of certification with respect to the type of activities, products and services as applicable at each site without being misleading or ambiguous;

………………

h) any other information required by the standard and/or other normative document used for certification;

Questions:

Is it acceptable for a CAB to issue a single Certification Document that includes more than one Management System Standard if the scopes are the same?

Is it acceptable for a CAB to issue a single Certification Document that includes more than one Management System Standard if the scopes are different?

March 2020

Yes, it is acceptable to have one certificate including several management systems and different sites if it cannot be misunderstood.

If scopes and certification cycles are different then separate certification documents are preferable.

Even if clause 8.2.2 e) of the ISO/IEC 17021-1 standard refers to a single management system standard (singular used instead of plural), under the same scope it could be acceptable, provided that the certificate can be clear in indicating certification cycles for the MSs.

Under different scopes, this would conflict with 8.2.2 f) “without being misleading or ambiguous”.

8.2.2 The certification document(s) shall identify the following:

e) the management system standard and/or other normative document, including indication of issue status (e.g. revision date or number) used for audit of the certified client;

Note: For clearance applications, the CAB should have a process in place on how to deal with this issue and by this being able to demonstrate compliance with ISO/IEC 17021-1.

Question 40.1 IAF MD 5 – shift

Requirements of MD 5

  • 1.9. Effective Number of Personnel The effective number of personnel consists of all personnel (permanent, temporary, and part-time) involved within the scope of certification including those working on each shift.
  • 2.3.5. Shift work employees. The CAB shall determine the duration and timing of the audit which will best assess the effective implementation of the management system for the full scope of the client activities, including the need to audit outside normal working hours and various shift patterns. This shall be agreed with the client. The CAB should ensure that any variation in audit time does not compromise the effectiveness of audits (see also clause 3.7).
  • 3.5. For QMS audits, Figure QMS 1 provides a visual guide to making adjustments from the audit time calculated from Table QMS1 and provides the framework for a process that should be used for audit planning by identifying a starting point based on the total effective number of personnel for all shifts.

In 1.9 and 3.5 it is stated that the starting point to calculate the audit duration is the total effective number of personnel for all shifts.

Instead, in 2.3.5 it is stated that the work on shift is one of the elements to take into consideration to determine the effective number of personnel.

Question: Is shift work one of the elements to be taken into consideration in order to reduce the effective number of personnel, and consequently the audit duration?

September 2020

Shift work is a factor to be taken into consideration when planning an audit, however it should be noted that, depending on the situation, shift work may increase or decrease audit time. While it is possible that personnel in different shifts are carrying out the same tasks it is also possible that there are differences in working practices between shifts. Auditors may also need to consider the interaction between shifts, and this may also result in more time being needed.

In summary, it is correct that shift work is a factor for consideration, but it does not necessarily result in less audit time being needed.

This topic will also be considered by the IAF TFG Audit Time as part of their work.

Question 40.4 Permanent sites vs Temporary sites

The question is related to the application of the definitions of permanent site or temporary site (§2.2 and §2.3 of IAF MD 1).

There are some situations where the certified company provides a service through sites/installations that belong to another administration but are completely managed by the certified company (e.g. waste water treatment, gas supply, etc.). The certified company has an operating contract for a finite period of time (20 years) to manage/deliver the service.

In these situations, (which we consider different from §9 of IAF MD 5) it is our understanding that the CB shall apply the site sampling rules as per §6.1.3 or §6.2 or §6.3 of IAF MD 1, as the provision of the service (scope of certification) is only possible if the sites are functioning. If any of the sites are disabled, the activity cannot be provided.

Do the other members have this same understanding?

September 2020

The case as presented would indicate the sites to be considered Permanent, due to the long term nature of the activity and the responsibilities of the certified company.

Question 40.5 Sites referred to in ISO/TS 22003:2013 Clause 9.1.5

Clarification is sought in respect to ISO/TS 22003:2013 Clause 9.1.5

Is it correct that for Category E Catering organisations the “sites” referred to in ISO/TS 22003:2013 Clause 9.1.5.3 and 9.1.5.4 are sites where an organisation operates and are not locations (Customer Location) where an organisation provides catering events that are managed from one or more of their “site(s)”?

Referenced Clauses

9.1.5.3 The use of multi-site sampling is only possible for categories A, B, E, F and G (see Table A.1) and for organizations with more than 20 sites operating similar processes within these categories. This applies to the initial certification, to surveillance and to recertification audits. The certification body shall justify its decision on sampling for multi-site certification.

Where multi-site sampling is permitted, following certification, the annual internal audit programme shall include all sites of the organization.

NOTE Risk is another consideration when determining sampling and can increase the level of sample indicated in Table 1.

9.1.5.4 Where the certification body offers multi-site sampling, the certification body shall utilize a sampling programme to ensure an effective audit of the FSMS where the following apply.

a) For organizations with 20 sites or less, all sites shall be audited. The sampling for more than 20 sites shall be at the ratio of 1 site per 5 sites. All sites shall be randomly selected and, after the audit, no sampled sites may be nonconforming (i.e. not meeting certification thresholds for ISO 22000).

b) At least annually, an audit of the central office for the FSMS shall be performed by the certification body.

c) At least annually, surveillance audits shall be performed by the certification body on the required number of sampled sites.

d) Audit findings of the sampled sites shall be considered indicative of the entire system and correction shall be implemented accordingly. Table 1 gives examples of the number of sites to audit when sampling is used.

September 2020

Yes, it is correct.

Note: The “Customer Location or application site of catering that customer owned” approach is highly similar to the “temporary sites” definition in IAF MD 1. Therefore, the CB should handle these customer locations or customer owned sites as “temporary sites”, not “permanent sites”.

Regarding “What is the meaning of a full certification audit or its coverage?” sub-question in above note:

If one considers the reply to IAF FAQ Q5, “full certification audit” shall be understood as “full (certification) audit” (ISO/IEC 17021-1 9.4.10) or a “full/complete management system (certification) audit (mentioned in ISO 19011:2018 A12)” (ISO/IEC 17021-1 9.6.2.2), which normally (but not limited) apply to initial certification audits and recertification audits, to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document.

For instance, a full certification audit is an audit which is covering:

  • For an initial certification: 9.3 + 9.4 (up to 9.4.7)
  • For a surveillance: 9.6.2.2 + 9.4 (up to 9.4.7)
  • For a recertification: 9.6.3.2 + 9.4 (up to 9.4.7)

Question 40.7 IAF MD 17:2019 cl. 4.2.8

IAF MD 17:2019 cl 4.2.8 states that for non-critical codes accreditation shall be granted only:

i) in IAF codes where the CB has already taken decisions for certification or

ii) in IAF codes where the CB has demonstrated its competence by other means (e.g. demonstrating to have competent personnel for all the specific certification functions – see Annex A of ISO/IEC 17021).

In the first case, it should mean that the CB has a client, but in the case of the second option, does it mean that the CB can get accreditation for non-critical codes without a client, and is it sufficient that the CB demonstrates just the competence of its personnel on the basis of documentation?

September 2020

According to IAF MD17 §4.2.8 and provided that all requirements described in §4.2.1-§4.2.7 are fulfilled, accreditation for non-critical codes shall be granted only if an assessment of competence has been performed based on at least one of the two alternative options offered i.e. by assessing certification decisions taken by the CB for the respective non-critical IAF code or by assessing the competence of the CB for the relevant non-critical IAF code being demonstrated through other means (e.g. competent personnel for all the specific certification functions).

For the first option, a client of the CB with activity in the relevant non-critical IAF code is required.

For the second option, there is no prerequisite of acquiring a client for each of the non-critical IAF codes. In this case, the competence in the specific technical field of a non-critical IAF code may be demonstrated either through the competence of personnel or by other means. Respectively, the competence of personnel shall be demonstrated by the CB through the determination of appropriate competence criteria and the implementation of appropriate competence evaluation methods and assessed by the AB by reviewing documents and records (documented competence criteria and personnel files) and by interviewing personnel from all relevant functions.

Question 40.8 Cl. 5.2.4 Certification of CAB’s QMS (ISO/IEC 17021-1)

Is it acceptable that a management system certification body (MSCB) certifies another MSCB according to ISO 9001 in a scope other than performing MS certification, for example training or research?

Is it acceptable that a management system certification body certifies an organization according to ISO 9001 in the scope of research (e.g. a research institute), in the situation that such an organization has a management system certification body in its structure?

September 2020

A CASCO Clarification was issued on this matter – it states that:

“Yes, a certification body can be certified to ISO 9001 for activities other than management system certification. The intent of clause 5.2.4 of ISO/IEC 17021:2015 standard is to allow a CB to certify compliance of another CB with standards such as ISO 14001 and ISO 27001 standards and for a CB that is carrying out activities different from management system certification activities to have these activities certified by another CB provided that all requirements of ISO/IEC 17021-1 including impartiality are complied with.

Therefore a Management System certification body shall not certify another Management System certification body for its quality management system certification activities but can certify one for its ISMS, EnMS, RTMS, etc., if so requested.”

Question 40.9 IAF MD 5 cl 2.3.4 “Similar or repetitive processes”

Our NAB has noted an increase in the use of the argument personnel with “similar or repetitive processes” in order to reduce the number of personnel involved in the management system of the client and seeks a clarification.

The origin of this argument is that it is reasonable, when “number of personnel” is an important factor in determining the audit time necessary, that some form of correction to the effective number of personnel may be made for repetitive low and unskilled functions (cleaners, security guards, drivers, packers, etc.), where in some parts of the world, a lot of these persons are included as staff, which would distort audit time calculations (and would not ensure a level playing field). Indeed in such cases, it is reasonable to assume that the effective number of staff is smaller and may be comparable to those organizations where the same functions are performed by machines/electronic surveillance etc.

The same argument is not reasonable for highly qualified and trained staff, that also may perform repetitive functions (providing personal care (such as nurses, home care specialists, pharmaceutical assistants), designing buildings, performing audits, holding interviews, etc.), but that require personal judgement (and consistently elevated competences) to ensure that each client, customer or patient is treated appropriately, in line with customer expectations and/or professional standards. If we move down this path, practically every organization is mostly made up of repetitive functions, from organizations with auditors, architects and astronauts down to zoo keepers, zoning managers or Zork Game-developers.

Thus, the question is whether the argument of “repetitive functions” may be used to reduce the number of personnel in functions such as (para-)medical staff or other highly trained and qualified personnel. It is the opinion of the RvA that they should not, since we consider their activities not as “repetitive”, in the sense of the MD.

September 2020

The consensus position is to agree with the final paragraph above. The direct reduction of the number of personnel has a strong impact on the audit time, so it should always be seen as a high-risk decision, unlike the application of other “factor for adjustment” of the audit time. The activities within the parentheses in IAF MD 5 #2.3.4 are very clear about the type of positions expected to be considered. The CB’s method used for time reductions shall include consideration of the risk of the activities/positions and has to be sensitive to that approach.

Question 41.1 Impartiality, Cl. 5.2.5 of ISO/IEC 17021-1:2015

“The certification body and any part of the same legal entity and any entity under the organizational control of the certification body … shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.”

3.3 Management system consultancy – participation in establishing, implementation or maintaining a management system
Example 1 Preparation or producing manuals or procedures
Example 2 Giving specific advice, instructions or solutions towards the development and implementation of management system

Does the consultancy of CABs on the implementation (preparation of MS manual or procedures) of ISO/IEC 17025, ISO/IEC 17024 and other standards setting accreditation requirements fall within the scope of management systems consultancy?

March 2021

Yes.
An accredited Management System CB can’t offer or provide these types of activities to CABs operating in accordance with ISO/IEC 17024 or ISO/IEC 17025 or other accreditation standards, as this is against ISO/IEC 17021-1:2015 clause 5.2.5.

Question 41.4 Accreditation scope for ISO 19443

Scope of accreditation for ISO 19443 (Quality management systems – Specific requirements for the application of ISO 9001:2015 by organizations in the supply chain of the nuclear energy sector supplying products and services important to nuclear safety (ITNS))

In the case of granting accreditation according to ISO/IEC 17021-1 for ITNS. What is your opinion?

1) Is it necessary to grant accreditation to ISO 19443 together with ISO 9001?
2) Shall the scope of accreditation according to ISO 19443 be described by technological sector(s) e.g. as description of economic sector / activity in the IAF ID 1:2020?

March 2021

1) Is it necessary to grant accreditation to ISO 19443 together with ISO 9001?

Answer is NO

Accreditation for certification to ISO 19443 shall use ISO/TS 23406 (Nuclear sector — Requirements for bodies providing audit and certification of quality management systems for organizations supplying products and services important to nuclear safety (ITNS)) as a lever for normative document, in addition to ISO/IEC 17021-1.

ISO/TS 23406 specifies all requirements, including those relating to multisite and audit duration. Therefore, there is no need to have a combined accreditation for ISO 19443 and ISO 9001 EA code 11.

Furthermore, accreditation for ISO 19443 shall not automatically imply an accreditation for ISO 9001: for accrediting the CB for ISO 9001 it shall be verified that it has considered the specific documents (i.e., IAF MDs) and has implemented them correctly. For instance, regarding the audit duration, the determination of the effective number of personnel is different for ISO 19443 certification purposes than for ISO 9001.

Another point is that an organization applying for a combined certification ISO 19443 and ISO 9001 would not necessarily, for ISO 9001, fall under EA/IAF code 11 as it could be operating in other codes (17, 18…) depending on its activities.

2) Shall the scope of accreditation according to ISO 19443 be described by technological sector(s) e.g. as description of economic sector / activity in the IAF ID 1:2020?

Answer is NO.

Consistency implies that we stay with the same level of detail as an EA/IAF code, which is the 11 in this case.

The “Table A.2 — Typical technological sector(s)” of ISO/TS 23406 describes technological sectors.

It can be used by the CB as a guidance to determine the competence of the auditors to justify the criteria “Understanding of the nuclear industry and familiar with nuclear safety culture and knowledge of clients technological sector”. This table A.2 lists the more common technological sectors in the nuclear industry and this list is not exhaustive. This information is for the CB only to help it with its personnel qualification.

The accreditation scope will be ISO 19443 standard.

Question 41.6 ISO/IEC17021-1: 2015 Cl. 5.1.2 Certification agreement & Cl. 8.2 Certification documents

ISO 44001:2017 Collaborative business relationship management systems – Requirements and framework, provides a mechanism for two or more partners to agree and implement a joint management system for the control of shared and measurable objectives. The standard does not require partnerships to be legal entities (incorporated joint ventures) and is applicable to unincorporated joint ventures and alliances that can comprise of multiple legal entities collaborating through contractual agreements.
44001 recognises that collaborations regularly change and requires documentation and maintenance of relationship plans that enable the management of partner engagement, delivery and exit. It is considered that the concept of bringing together collaborating partners will engage partners that operate at different locations. To assist with this question an example is given below.
Example: A construction company required to repair a section of highway establishes a collaborative relationship with 4 contractors that will provide the following services:

  • Traffic management and road closure.
  • Supply and installation of tarmac.
  • Painting road markings.
  • Installation of road signage and lighting.

Each of the above contractors (partners) manages its services from its own headquarter location in conjunction with the contracted collaboration arrangements in place. This activity requires the contribution and participation with the joint management system. The site where the collaboration is implemented will be the sector of highway under repair. Once the highway is repaired to the customer’s satisfaction the collaboration will be exited.

Is it a requirement of ISO/IEC 17021-1:2015 clause 8.2.2 that the certification document must:

  • Identify the location (multi-site) of each of the partner headquarters operating under the joint management system and therefore require update each time a partnership is entered or exited?
  • Identify the temporary location where the joint activity is being performed, in this case the section of highway?
  • Only identify the location of the lead contracting organisation, in this case the construction company?

March 2021

According to ISO/IEC 17021-1 clause 8.2.2a), the certification document(s) shall identify the name and geographical location of each certified client. Therefore, the relevant references in the certification document should be restricted to the identification of the specific legal entity subject to certification, and the listing of all partner headquarters operating under the joint management system within the same certification document should not be applied. Actually, each partner should hold its own individual certification document provided that the named partner has successfully undergone the audit and certification process against ISO 44001:2017 standard requirements. Furthermore, the principles of multi-site certification should not be applied given that each partner constitutes a separate legal entity.

To this respect, identification of the temporary sites where the certified entity is performing activities relevant to the scope of certification, within the certification document should not be required.

Question 41.7 Certification documents for Multiple Sites according to IAF MD 1

It is related with IAF MD 1:2018 clause 7.8 issuance of certificates for multi-sites’ organizations.

The client has multiple sites and a registration address (the company’s legal establishment address) but there is nothing in the registration address, just a post box.

Shall the registration address appear on the certification documents since there is no activity related with the certification scope?

March 2021

No.

If there are specific local legal requirements or public bids which are requiring to indicate the legal registration address of the certified multi-sites organization, then it could be possible but with the indication on the certification documents that that address is only a legal registration address and not subject to auditing activities.

Question Treatment of Multi-site organisations under ISO/IEC 27006 AMD 1

Since the publication of ISO/IEC 27006 AMD-1: 2020, the state requirements for multi-site organisations have changed, leading to possible confusion with regard to audit time calculation.

Question: Can the audit time for a multi-site organisation be calculated as if it was a single site?

September 2021

No, Audit Time has to be calculated on the basis of the characteristics of each specific site that is part of the sample. For each site the audit time must be coherent with consideration based on the indication of § 9.1.5.1.2 and the number of people that has access to each specific site. What the amendment states is that this number cannot be less than if it was calculated on the basis of a single site, when and if such situation could be.

Question 42.2 Criteria for NBs accepting assessment reports established by body without direct contractual relationship

Background explanation:

This question relates to the notified bodies (NoBos) in the railway sector according to Interoperability Directive (EU) 2016/797 (IOD). When these NoBos are notified based on accreditation then they have to comply with requirements from IOD chapter VI and EN ISO/IEC 17065 in conjunction with ERA Assessment Scheme 000MRA1044 Ver. 1.1 according to EA Resolution 2017 (40) 16 (sectorial certification scheme for NoBos).

According to section 2.1 of Annex IV of the IOD, the NoBos perform verification (evaluation and certification) by reference to technical specifications for interoperability (TSI). Some of these TSIs request the NoBos to accept safety assessment reports of an AsBo (CSM-RA assessment body as defined in Regulation (EU) No 402/2013) as part of the evaluation work.

Question:

The aim of this question is to clarify the requirements which shall be used by a NoBo to accept a safety assessment report of an AsBo in the case when requested by the applicable TSI.

To allow the NoBo to take responsibility for the results, which acceptance criteria shall be used by a NoBo to accept a safety assessment (inspection) report of an AsBo when requested by the applicable TSI as an input to the verification by reference to TSI?

September 2021

Applicable requirements:

EN ISO/IEC 17065, section 7.4.5 states: “The certification body shall only rely on evaluation results related to certification completed prior to the application for certification, where it takes responsibility for the results and satisfies itself that the body that performed the evaluation fulfils the requirements contained in 6.2.2 and those specified by the certification scheme.”

EN ISO/IEC 17065, section 6.2.2.1 states: “The certification body shall outsource evaluation activities only to bodies that meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. […]”

ERA Assessment scheme states in 6.2.2.1: “In case the CAB outsources inspection activities and QMS approval under its responsibility as NoBo, according to the module or modules chosen by the client, the outsourced bodies shall be accredited according to:

  • ISO/IEC 17020 type A as described in Point A.1 of Annex A if providing inspections,
  • ISO/IEC 17021 if providing QMS approval.”

Answer:

NB-Rail assumes that the NoBo shall evaluate that the following acceptance criteria are met:

Competence, Independence and Impartiality:

The AsBo shall be accredited or recognised for the relevant technical area (as defined in the “Classification” field of the ERADIS database) in relation to the relevant structural subsystem of the object under assessment.

Competence and Impartiality:

The requirement on competence and impartiality shall be deemed to be fully covered by the corresponding accreditation / recognition and by ad-hoc registration as AsBo in the ERADIS database (e.g. see TSI CCS section 3.2.1).

Independence:

There are two possibilities:

  1. The AsBo fulfils the same independence requirements as the NoBo via an accreditation / recognition for ISO 17020 type A. The AsBo safety assessment report shall be accepted by the NoBo as an inspection report part of the evaluation stage without additional checks on the criteria to be met by the AsBo assessment team.
  2. The AsBo is not fulfilling the same independence requirements as the NoBo, i.e. the AsBo is accredited / recognised according to ISO 17020 type B or C. To enable the NoBo to accept the AsBo safety assessment report as part of the EVALUATION stage the NoBo at least:
    1. shall be involved since the beginning of the design stage of the object under assessment according to IOD (EU) 2016/797 art. 15.3, and
    2. shall be allowed to verify if the AsBo assessment team meets for each project at project level the relevant independence requirements of ISO 17020 Annex A.1 (Type A).

Question 42.5 IAF activity codes

The assignment of IAF activity codes is done following the evaluation of the auditors’ skills at the CAB site or during the witness on customer site?

Note: after consultation with NAB, the question was clarified as follows: –

How does the accreditation body allocate IAF activity codes, is it by checking the auditors’ competences and qualifications during the on-site assessment, or should it be based on the witness assessment alone on the IAF activity code?

September 2021

It is the responsibility of the CB to define technical fields and to define the competence criteria to support them, such technical fields do not have to be based on the scope areas in IAF ID 1, however for consistency the ABs schedules tend to use ID1 for determining fields of accreditation.

When accrediting an MS certification body (especially for ISO 9001, ISO 14001 and ISO 45001), the scope of accreditation may be determined according to the IAF codes defined in IAF ID 1, or may be defined in some other way.

The AB can use a number of methods to determine the effectiveness of the competence criteria and demonstration of competences. While determining the relevant IAF codes as the scope of accreditation, the AB should consider a mixture of the following techniques:

1- Review of the CB’s process for competence and output from them in terms of demonstrated competence of individuals has defined and demonstrated competence in the relevant MS and technical field (IAF code, etc.) (e.g. auditors, lead auditors, technical experts and other personnel involved in certification activities.)

2- The performance of audit team(s) in witnessed audits according to IAF MD 17 requirements and relevant AB rules.

3- Records of documented client organizations (for checking proper implementation of MS certification process in specific technical fields.)

4- The adequacy and completeness of personnel records showing competence for each certification function (e.g., application review, planning, decision making, technical review, auditing etc.) and technical field (e.g. IAF codes, categories etc.).

From this perspective, the answer to the question is: both can be used, but additional activities should also be done.

Question 42.6 IAF MD 1, Sampling and audit time calculation

A certification body (CAB) has developed a method to influence the number x of the sample size:

Before determination of the sample size x, some of the organisation’s sites are merged to “one site”. The numbers of employees of these sites are added and then, according to IAF MD 5, the audit time is determined as for one site. (The merging of sites is always justified by the CAB, for example, with few employees in some sites, or simple activities, etc.).

Example:

QMS; initial certification

In addition to the central function, a company has x=26 other sites, each with 5 employees.

According to y= √x, 6 sites would have to be audited (MD 1, 6.1.3.3). According to IAF MD 5 Annex A, 6 sites with 1.5 audit days each and the central function would have to be audited for QMS, i.e. 9 days and the audit time for the central function.

If, however, three sites (one site plus two remotely audited sites) are merged to one site before the calculation and x results in x=24 and the sample y= √x results in 5 sites as sample size. One site has now 15 employees, then according to IAF MD 5 the maximum audit time is (4 small sites with 5 employees (1.5 audit days) and one “site” with 15 employees (2.5 audit days)): 6 + 2.5 days = 8.5 days plus the audit time for the central function. If only small sites were in the sample, the audit time would be reduced to 7.5 days and the audit time for the central function.

Is this type of merging or clustering of sites prior to sampling, regardless of the selection of sites for sampling, permitted?

Question: Can the audit time for a multi-site organisation be calculated as if it was a single site?

September 2021

The intent of IAF MD1 is clear and it is not to be used in the way the CB indicated in the Question.

Justifications can be made to clarify and explain the considerations made to take any decision taken to redistribute the efforts (i.e. MDs) among the sampled sites.

It is not allowed by IAF MD1 to merge or cluster sites to reach a benefit in terms of reduction of MDs at the starting point.

As said above, this can be instead justified after the calculation of the efforts has been completed but still the output of the calculation is unbalanced and doesn’t make sense in relation to the effective and efficient audit time to be dedicated in the specific context.

So the answer to the Question posed is NO.

Question 43.10 IAF MD 22:2019, § G 9.4.4.

Interpretation of § G 9.4.4.2 of IAF MD 22:2019 (application of ISO/IEC 17021-1 for the certification of occupational health and safety management systems (OH&SMS))

The document IAF MD 22:2019, states in G 9.4.4.2 that: The audit team shall interview the following personnel: ‘iii) personnel responsible for monitoring employees’ health, for example, doctors and nurses.[…]’

The question we have is: what are the personnel, “responsible for monitoring employees’ health”, expected to be audited for an ISO 45001 certification?

In France (and this may be also the case in other countries), workers health is monitored by a “at work health system”, including doctors and nurses. This system is public, mandatory for every company, external to the company, and then not under its responsibility nor management system.

The certified companies do not have internal doctors or nurses (maybe the big ones have duplicated the system internally, but only very few of them).

Does G 9.4.4.2 require that only doctors and/or nurses or medical personnel under the responsibility of the doctor – all from the external system – shall be interviewed by the CB’s auditors? Which might lead to issues of availabilities and responsibilities, as none of them belongs to the certified company?

2 different CBs have interpreted the clause in another manner, indicating in their provisions that some type of internal staff, as e.g., the human resources director or the representative of the social and economic committee (mandatory for every company with more than 11 employees), this committee having the mission to “help to promote health, safety and working conditions in the company. It carries out investigations into accidents at work or occupational or occupational diseases”, can be considered as the personnel responsible for monitoring employees’ health, and then be the one audited. Could this be acceptable? At which conditions? Can we consider that the conditions that he/she has been namely designated for this task, and this responsibility is clearly defined and that he/she has all the necessary information and full access to the data (or allowed data, some might be confidential) related to the employees’ health, are acceptable?

We are fully aware that:

  • The external system does not exist in every country and that IAF MD 22 is an international document, but shouldn’t the national conditions be considered?
  • The external system is not under the company responsibility
  • The external system is neutral and objective regarding the workers’ health, where the HR director might have a conflict of interest and not all the persons’ health data,
  • the health and social committee, inside the company may be more neutral but may not have information regarding one specific person (while it can have global report from the external doctor)

We have at first interpreted the clause as requiring the external doctor to be audited.

The 2 CBs are refusing this for 3 reasons, as national specific and since the doctor is external to the company and regarding the mission of the committee which for them is covering the requirement.

March 2022

Clause G9.4.4.2iii requires that the personnel responsible for monitoring employees’ health shall be interviewed during the OH&SMS audit in order to confirm that the activity for which he/she is assigned is continuously and effectively made in accordance with his/her mandate.

The clause does not specify if such person shall be an employee or an external who operates based on a contractual assignment.

In Italy for example, it is mandatory by law that each organization appoint a so-called “Competent Doctor” who generally is an external professional with a degree in medicine specialized in hygiene and work medicine, working on behalf of the organization based on a legally enforceable agreement.

His responsibilities are clearly defined by the Consolidated Law on OH&S (Decree 81/2008) and include among others:

  • the participation in the preparation of the mandatory OH&S risk assessment document,
  • the initial and periodic medical examination of each worker to confirm and authorize their eligibility to the task assigned by the management, and to determine any job limitations,
  • to decide on the types of medical test to which the workers must periodically undergo,
  • to conduct periodic inspections of the workplace to confirm their continual healthiness and safety
  • to participate in an annual periodic meeting to keep the management updated about the status of health monitoring of workers.

As you can understand, this doctor represents a key role in the management structure of the OH&S system and, as such, during each audit, in addition to being interviewed in person or remotely (G 9.4.4.2) he must also be invited to participate in the closing meeting (G 9.4.7.1).

From what you wrote I understand that the French OH&S legislation is not significantly different from the Italian one.

Anyway, since the IAF MD22 document is applicable in all countries worldwide, the clause must necessarily be interpreted and applied according to local legislation which may not necessarily require the nomination of a medical doctor like in Italy. For this reason, the consensus was reached introducing the more general role of “personnel responsible for monitoring employees’ health” and making the example of doctors, nurses, or others.

In conclusion, the correct interpretation of this clause for any CAB should be as a minimum:

  • to confirm that each organization has assigned such a role in its organizational structure, independently if he is an employee or a contracted specialist, and if he is a doctor, a nurse, or other
  • to demonstrate that it has interviewed him during the audit, checking the evidence of his activity within the limits of medical confidentiality, and recording the outcome of the interview in the audit report (G 9.4.4.2)
  • to make sure that the representative of the organization invites him, as MS key role, to participate in the closing meeting, providing a justification in case of absence (G 9.4.7.1).

Of course, we must accept that the declination of such mandatory requirements may be different from country to country in function of the local laws and regulations in the OH&S field.

Question 44.2 ISO 17021-1 clause 9.1

Is it allowed for an ISO 9001 scheme that the first surveillance audit in a certification cycle generally does not cover operations (section 8) but focus on the management system?

This is especially seen for schemes that consist of the requirements in ISO 9001 in combination with some extra requirements in e.g., national executive orders. E.g. a national statutory order on control, maintenance, and repair of lifts with specific requirements on certification in combination with requirements in ISO 9001. Operations of the certified company are stated in procedures of CB’s not to be assessed at the first surveillance. This means that the first surveillance in a certification cycle only covers documents and records of the management system.

March 2022

ISO/IEC 17021-1 says “§9.6.2.2 Each surveillance for the relevant management system standard shall include: … f) continuing operational control;”

So, this is not allowed, as per ISO/IEC 17021-1, no matter whether the management system is full ISO 9001 or derived from it.

This is fully logical and consistent with a risk-based thinking approach: after the initial certification (i.e., the first surveillance), the operations should be subject to being audited in priority to demonstrate that what has been delivered (management system certification) is effective.

Such a scheme is not fit for ISO/IEC 17021-1 accreditation.

Question 45.2 IAF MD2:2017 Transfer of certification of a site

2.2.4 (iv) IAF MD 2:2017:

The review shall cover the following aspects(…):

(iv) that the site or sites wishing to transfer certification hold a valid accredited certification.

Question:

A site (separate legal entity) which is a part of an organization that has a hierarchical system and the sampling model does not include this site in each year of the certification cycle. Is it possible to transfer an accredited certification for a site wishing to transfer a certificate that has a valid accredited certification? Should this site be transferred as a separate certification, since 2.2.4 (v) is difficult to meet.

March 2023

Yes, what is transferred is a full certificate and not any separate part of the certificate (for example, a site), irrespective of the sampling regime of the sites involved. It is not possible to transfer a site that is part of a larger organization separately while leaving the rest of the organization certified with the issuing CB.

Question 45.3 IAF MD1:2018

Multi site organisation IAF MD 1:2018

  1. 3.1 definition: The organization has 2 factories next to each other on the same factory site, but their addresses are different. Should they be defined as separate facilities and be taken for sample selection as separate locations? Should audit time be counted for each of them separately?
  2. 2.5 Central function: The site, where the central function is performed is audited every year. What about the situation, where the central functions are placed in few sites?

March 2023

1) IAF MD1 speaks about locations, not addresses, so if the complex is the same (independently of the addresses), the company (the two factories) can be considered as a single site. But, even in this case, both addresses should be reflected on the certificate.

2) The central function shall be audited every year, whatever the means for performing this audit (remote, blended or hybrid, etc.).

Question 45.4 ISO 45003

Can the ISO 45003 standard be used alone for certification?

March 2023

ISO 45003:2021 Standard (Occupational health and safety management – Psychological health and safety at work – Guidelines for managing psychosocial risks) provides guidelines for managing psychosocial risk within an occupational health and safety (OH&S) management system based on ISO 45001. ISO 45003 Standard focuses on a specific type of OH&S risks, namely psychosocial risks, and therefore it is covering partially the OH&S risks applied within the context of an occupational health and safety management system. To this respect and given that an occupational health and safety management system is required to address all types of OH&S risks under the organization’s control, ISO 45003 is not suitable for stand-alone certification.

Note: The subject of this question is quite similar to Q39.2.

Question 45.6 ISO/IEC 27006

p.7.2.1.1 c) of ISO/IEC 27006 states:

“In addition to 7.1.2.1, the criteria for selecting auditors shall ensure that each auditor:

(….)

c) has successfully completed at least five days of training, the scope of which covers ISMS audits and audit management.”

Does this mean that the auditor should complete one five-day training course (for example lead auditor course) or can it be, for example, two training courses, lasting together 5 days, the scope of which covers ISMS audits and audit management?

March 2023

Although there is no clear statement in the standard on the subject, both seem possible when looking at internationally accepted/recognized/common training programs. However, a person who has not yet received lead auditor training in another management system should initially be required to have attended and successfully completed a 5-day training program covering ISMS audit and audit management.

In any case, it will remain the CAB’s responsibility to define the competence criteria to meet this requirement of 27006. (this last sentence is the view of WG ICT DS)

Question 45.7 ISO/IEC 17021-1, Cl. 7.1.2

p.7.2.1.2 of ISO/IEC 17021-1 states:

“The certification body shall have a process for determining the competence criteria for personnel involved in the management and performance of audits and other certification activities. Competence criteria shall be determined with regard to the requirements (…) for each function in the certification process”.

Question 1: Shall the criteria be determined for the personnel involved in complaints-handling process and appeals-handling process the same way as for the certification functions described in Annex A of ISO/IEC 17021-1?

Question 2: Is personnel involved in complaints-handling process and appeals-handling process the part of certification functions, despite the fact that it isn’t described as certification functions in Annex A?

March 2023

Answer 1: Of course, cl. 9.7 “Appeals” and 9.8 “Complaints” are part of cl. 9 of ISO 17021-1 “The Process”. The competence process is referenced in cl. 7.1.1, 7.1.2, 7.1.3, 7.1.4, and 7.4 and 7.5 (see, for example, 7.2.7 and 7.2.9 for “and other personnel involved in certification activities”). Nevertheless, Annex A.1, A.2, A.3, and A.4 require knowledge and skills for “specific certification functions” and are not dealing with such functions (appeals and complaints).

Answer 2: Yes; see above.

Note: Since appeals are related to the decision, the competence requirements for decision-makers should be required for those who will handle the appeal.

Question 45.8 ISO/IEC 17021-1

ISO 17021-1 management systems, is there a minimum level of witnessing required for the 5 year cycle?

For example we have very small CABs issuing <50 certificates per year and then we have very large CABs issuing >1500 certificates.

March 2023

No, there is no minimum level written as such for very small CABs; the witness is to be made by clusters. But, based on IAF MD 17:2019 clause 2.3.3, which uses the number of certificates as an entry point to determine the number of witnesses to be performed, it can be understood that the minimum is one witness for the selected IAF codes, as determined using the clusters approach, and possibly more, according to AB’s policy, if the CB has a large number of clients in an IAF code.

In IAF MD 17,

2.3.3. When deciding how many and which audits are to be witnessed, the AB shall take into account factors such as:

vii) number of clients within the CB’s scope of accreditation;

and,

The following additional factors may be taken into account to select witnessing activities:

i) number of certificates issued;

Question 43.1 ISO/IEC 17021-1 clause 7.2.11 Monitoring on-site performance

  1. It is noted that some CABs do not consider each type of management system (7.2.10) in the periodic evaluation of the auditor’s performance on-site (7.2.11). Is this correct?
  2. On the one hand, they are formally two different requirements of ISO 17021-1. However an on-site evaluation of an auditor’s performance of an EMS audit does not appear to give specific information about his/her practical performance of an audit regarding the FSMS Hazard analysis, implementation of CCP’s or oPRP’s?

March 2022

A clarification request has been submitted to ISO/CASCO to verify, with the relevant ISO/CASCO Maintenance Group (ISO/IEC 17021-1), the intent of the standard with reference to the specific standard requirements in relation to the on-site monitoring of auditor performance.

The clarification request has been answered accordingly and can be found enclosed below for your easy reference:

ISO/CASCO Clarification request form

  1. Based on CASCO clarification, which is acknowledged, the answer is YES.
  2. The on-site evaluation of an auditor’s performance required by 7.2.11 is not scheme specific as the aim here is to evaluate the on-going performance of an auditor conducting an audit (e.g., interacting with the customer, conducting the interviews, conducting the opening/closing meetings, being clear in presenting the findings, etc.).

Question 43.2 ISO/IEC 17021-1; IAF MD 1, MD 5, MD 11

A CB has following rules for reduction of audit time:
“Reductions IAF MD:

  • Max. 30% from MD 5 for individual sites
  • Max. 20% from MD 1 for sites in a multi-site certification whose certain functions (sales, logistics) are not managed in the sites but are parts from the central function
  • Max. 20% from MD11 linked to the level of integration of the system”

These reductions are added up to a maximum of 70%.

Questions:

a) Does IAF MD 1 limit all reductions to 50% maximum (7.3.1)? If not, please specify.

b) Is it allowed, to add reductions up to 70% like the CB indicates in its documents?

March 2022

The question refers to other Questions already discussed in one of the previous EACC Meetings (i.e., 37).

At that time two Questions, i.e., 37.23 and 37.5, with a similar content, were addressed.

Their contents are embracing the above context and related questions.

Taking into consideration the same answer given for both Questions 37.23 and 37.5, this question can be answered as follows:

Question a)
YES unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%. (Refer to 7.3 of IAF MD1)

Question b)
NO.

The basis of reductions of the related MD’s are different with different impacts.

IAF MD 1 and IAF MD 5 specify time reductions per site and per management system(s), while IAF MD 11 specifies reductions for the audit of Integrated Management System(s). However, as presented in answer a), the reduction of audit time per sampled site shall not be greater than 50%.

Question 44.1 IAF MD5: 2019

Background

Over time our NAB has noticed an increase in reductions related to Effective Number of Personnel (ENP) when determining audit time, related to similar or repetitive processes. This has previously been raised in FAQ EA CC 40.9.

Our observation is that the size of reductions made has increased, which has an effect on the starting point according to Tables 1 (QMS/EMS/OH&SMS) in the Annexes of IAF MD 5:2019. Heavy reductions of ENP give considerably lower starting points.

We ask for clarifications regarding expectations of risk considerations according to IAF MD 5:2019, 2.3.4, as well as acceptable size of reductions of ENP.

IAF MD 5:2019 gives no limitations regarding extent of reductions.

Questions

We have seen different principles to generalize reductions and ask for guidance of what can be accepted:

  1. Generic risk-classification of activities/positions used on every certified company regardless branch/industry, without statement to different risk related to each activities/positions. Using generic reduction for each activities/positions.
  2. Maximum 1/3 (or 33%) reduction of the total number of personnel. Reduction is done related to personnel perform certain activities/positions. Can the reduction to one certain activity/position be bigger than 1/3 (or 33%)?
  3. Personnel perform certain activity/position that are considered repetitive and/or similar, can the reduction be 100%, i.e. this personnel is excluded from ENP?
  4. Personnel perform certain activity/position that are considered repetitive and/or similar, can the reduction be square root of, i.e. 100 persons gives an ENP of 10?
  5. Personnel perform certain activity/position that are considered repetitive and/or similar, can the reduction be 50% on general basis?
  6. What evidence should the CAB present to confirm that the model for reduction is appropriate?

September 2022

The requirements of the IAF MD 5 relevant to the ENP are general and connected to concepts like risks, consistency, and effectiveness of the audit activities. Furthermore, the justification to determine the ENP shall be available to the client organization and to the Accreditation Body for review during their assessments and on request from the Accreditation Body (reference IAF MD 5 Clause 2.3).

For the 6 specific situations outlined in the Question, it’s not possible to define a YES/NO answer, but we have tried to evaluate each of them and give an answer if these situations are considered appropriate or not (always considering the effectiveness of the audit activities) as follows:

A1:
The method and criteria for determining ENP should be defined by the accredited CB, where criteria are related to activities/positions/functions and consideration of the risks connected with their effect on the specific management system.

A2:
This approach could be appropriate based on defined methods and criteria and proper justification for the reductions (see also Q4). There is no such reduction limit for ENP.

A3:
This is not appropriate and not permitted (see also ENP definition – IAF MD5 – Clauses 1.9 and 2.3).

A4:
This could be an appropriate approach. However, with such big reductions, it should be limited to similar/repetitive activities/processes/functions that are considered simple in the way that they require limited skills/knowledge/education, are executed under direction by others, and what they do has a limited effect on the outcome of the management system or its scope (ref. e.g., type of functions listed in IAF MD 5 – Clause 2.3.4).

A5:
This approach could be appropriate based on defined methods and criteria and proper justification for the reductions (see also A4).

A6:
There needs to be methods/criteria defined for determining ENP, and for a particular client, there needs to be appropriate records to show the activities/positions/functions identified for reduction and the number of personnel connected to them as a basis for a reduction in the calculation utilized.

Question 44.5 Initial competence and periodic performance evaluation of an auditor on-site according to ISO/IEC 17021-1

A discussion arose between our assessors about the clauses of ISO/IEC 17021-1 given below.

“7.2.4 The certification body shall have processes for selecting, training, formally authorizing auditors and for selecting and familiarizing technical experts used in the certification activity. The initial competence evaluation of an auditor shall include the ability to apply required knowledge and skills during audits, as determined by a competent evaluator observing the auditor conducting an audit.

7.2.10 The certification body shall monitor each auditor considering each type of management system to which the auditor is deemed competent. The documented monitoring process for auditors shall include a combination of on-site evaluation, review of audit reports and feedback from clients or from the market. This monitoring shall be designed in such a way as to minimize disturbance to the normal processes of certification, especially from the client’s viewpoint.

7.2.11 The certification body shall periodically evaluate the performance of each auditor on-site. The frequency of on-site evaluations shall be based on need determined from all monitoring information available.”

Taking into consideration clause 7.2.10 referring to “each type of management systems”, does it affect the other clauses 7.2.4 and 7.2.11?

In other words, do the initial competence evaluation and periodic on-site performance evaluation need to be performed for each type of management system or not?

September 2022

For initial competence evaluation, the answer is YES as it is very clear that the requirement indicated in clause 7.2.4

For periodic on-site evaluation of audit performance, the answer is NO, refer to the answer to EA CC FAQ 43.1.

Question 45.5 Applicability of IAF MD11

IAF MD11 (IAF Mandatory Document for the Application of ISO/IEC 17021 for Audits of Integrated Management Systems) states that “This document is mandatory for the consistent application of ISO/IEC 17021 by Certification Bodies (CBs) for planning and delivery of Audits of Integrated Management Systems (IMS).”

We are facing the following situation: a CB is performing audits for Integrated Management Systems for ISO 9001 and ISO 14001; this CB is accredited for ISO 9001 certification but is not accredited for ISO 14001 certification.

The CB applies IAF MD11 for both certifications, i.e., applying 20% supplementary audit time reduction for ISO 9001 (depending on the level of integration and the competence resource of the certification body), the audit duration for the ISO 14001 is very small and outside any audit time rules.

Questions:

  • Is it acceptable that a CB applies the 20% reduction for the ISO 9001 audit time of an Integrated Management System audit, where only one of the 2 certification standards concerned by the Integrated Management System is covered by accreditation? In other words, is IAF MD11 applicable where a CB is not accredited for all management system certification standards concerned by the Integrated Management System?
  • If the answer is YES, how can the AB check the application of IAF MD11?
  • If answer is NO, the audit time must be calculated separately for the Management System which is under accreditation, without considering IAF MD11.

Our view is:

This situation is not acceptable, audit time must be calculated separately for the management system which is under accreditation (in that case ISO 9001), without considering IAF MD11.

March 2023

The general question, “In other words, is IAF MD11 applicable where a CB is not accredited for all management system certification standards concerned by the Integrated Management System?” was considered, not the practical case.

1) The answer is NO, as the consistent application of ISO/IEC 17021 by the CB for all integrated management systems, as required by IAF MD11, has not been assessed as they are not part of the accreditation scope. This applies even if the CB can reasonably justify and demonstrate that applicable requirements are followed for the standard(s) which is (are) delivered non-accredited.

2) NA

3) YES

Question 46.2 Certificates for ISO 44001 – Collaborative business relationships management systems

ISO 44001:2017 collaborative business relationship management systems specify requirements for the implementation and control of relationships within or between multiple external partners where each partner is assigned specific management system responsibility to support the overall collaborative business relationship of a defined organisation (ISO 44001:2017 clause 3.1 refers).

ISO/IEC 17021-1:2015 § 8.2.2.a requires the certificate to identify the name and geographical location of the certified client (or the geographical location of the headquarters and any sites within the scope of a multi-site certification).

If the certified client is a defined organization comprising multiple partners based at different locations, then would it be acceptable that the certificate identifies the name of the organization and refer to a publicly available organization chart detailing the overall structure? The organization would be required to keep its organizational chart up to date and notify the certification body of any changes?

March 2023

Answer is “No”.

Maintaining and continuously updating a register of sites outside of the certificate as described is not acceptable, as ISO/IEC 17021-1:2015 § 8.2.2.a requires any site within the scope of a certification to be listed on the certificate. The certificate would not comply with the requirement.

Question 46.5 IAF MD1, Sampling size

IAF MD1 § 6.1 and 6.2 give minimum requirements for the sampling of sites.

If an organization has its central function and two production sites (same processes), there is no random sampling of 25% of the sites possible (as in §  6.1 required), and § 6.2 of IAF MD1 is applicable.

6.2 Methodology for Auditing Multi-Site Organizations Where Site Sampling Using Section 6.1 is not appropriate:

6.2.1 The audit program shall consist of an initial audit and a recertification audit of all sites. In surveillance audits, 30% of sites, rounded up to the whole number, shall be covered in a calendar year. Each audit will include the central function. The sites selected for the second surveillance audit will normally be different from the sites selected for the first surveillance audit.

Q1: Is it acceptable that the minimum requirement for sampling, as detailed in § 6.2.1, can fall below the minimum requirement as follows:

New certification: all sites

First surveillance: first site + central function

Second surveillance: second site + central function

Recertification: first site + central function

etc. (continuously alternating)?

Q2: Is there any option to accept continuously alternating sites instead of auditing all sites for the recertification audit?

March 2023

The described situation falls under § 6.1 of IAF MD1; organizations with a number of sites (apart from central function) greater than 1 (N>1) are eligible for the application of IAF MD1, which addresses the situation where sampling is appropriate (§6.1).

A1: No, the minimum sampling pattern shall be as follows, according to 6.1:

Initial audit: central function + all (2) sites

First surveillance: central function + 1 site (0.6 x square root of 2)

Second surveillance: central function + 1 site (0.6 x square root of 2)

Recertification: central function + 2 sites (0.8 x square root of 2), which means all sites.

A2: No
In application of § 6.1 of IAF MD1, 2 sites shall be audited, which means that alternating is not acceptable.

Question 46.4 Application of IAF MD 2

IAF MD 2:

2.3.5 The accepting certification body shall take the decision on certification before any surveillance or recertification audits are initiated.

In case of a positive decision to take over the MS certification of a client (all conditions fulfilled, IAF MD 2, chap. 2.1 and 2.2) shortly before the end of the regular certification cycle (about 3 months before the expiry of the previous CB’s certificate), can an “accepting” CB refrain from issuing a new certificate for this very short period and formally take over the client with the recertification audit, formal decision, and subsequent issuing of the new certificate, based on the previous cycle from the “issuing” CB?

September 2023

No.  The accepting CB shall take a decision on certification before any recertification audits are initiated. Additionally, according to 8.2 of ISO/IEC 17021-1, the CB is required to issue a certification document including all required information such as scope, validity, etc. after the decision is made.

Question 47.1 Interpretation/Implementation of §5.2.5 and §5.2.9 of ISO/IEC 17021-1

  1. According to §5.2.5 the CB and any entity under the organizational control of the CB shall not offer or provide management system consultancy. The organizational control in this sentence is referring only to §9.5.1.2-b). Does it mean that the examples of organizational control given in §9.5.1.2-a) and c) are not applicable for §5.2.5?
  2. When the CB (within a defined legal entity) has a relationship with another legal entity (by ownership) and both are sharing part of their names (e.g. the same words for the group brand or affiliation), is this considered that the CB’s activities are being marketed or offered as linked with the consultancy organization, as per §5.2.9?

March 2024

  1. NO: all examples of organizational control given in §9.5.1.2 are applicable for §5.2.5. As further confirmation, as clearly stated, example c) can also be linked to the form of organizational control referred to in example b), making it also applicable.

If example a), “whole or majority ownership”, is a form of organizational control that can support authority for decision making according to §9.5.1.2 it is also a form of organizational control relevant to the management of impartiality in §5.2.5.

  2. NO: If the relationship between the CB and the other legal entity does not fall under the applicability of 9.5.1.2, then it cannot be considered that certification and consultancy services are marketed or offered as linked only because both organizations share part of the name. It is anyway expected for the CB to identify, analyze, evaluate, treat, monitor, and document the risks related to conflicts arising from its relationships, notably in this case, in accordance with §5.2.3.

Question 47.2 ISO 17021-1 clause 8.3.1

Clients reference to certification body

A certification body shall have rules for the way certified clients refer to certification according to ISO 17021-1 clause 8.3.1. In this clause is stated amongst others: “There shall be no ambiguity, in the mark or accompanying text, as to what has been certified and which certification body has granted the certification.”

Can a certification body, for instance named Global Certification Denmark A/S, which is a part of the international organisation Global Certification, accept that their clients just refer to “Certified by Global Certification” or is this not acceptable as there are several legal entities and certification bodies around the world named Global Certification (and often with a country name etc. in the name).

September 2024

According to 8.3.1, “there shall be no ambiguity as to … and which certification body has granted the certification”. This means that the unique identity of the accredited certification body shall be used irrespective of whether it is for the statement or accompanying information.

Question 47.5 Recertification audit of CB in 17021-1

EN ISO/IEC 17021-1 – 9.6.3.2 Recertification audit

9.6.3.2.4 If the certification body has not completed the recertification audit or the certification body is unable to verify the implementation of corrections and corrective actions for any major nonconformity (see 9.5.2.1) prior to the expiry date of the certification, then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained.

9.6.3.2.5 Following expiration of certification, the certification body can restore certification within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry date shall be based on prior certification cycle.

CBs in the field of management systems issue certificates with an expiration date. If the CB conducts a certification audit (on site audit) after the certificate’s expiration date, in which cases must the CB treat the client as a new one and carry out phase 1 and phase 2 of the certification audit?

September 2024

This subject has been already dealt with in the past

[It is considered by the RP that CASCO answer on scenario 4 is confusing as it is not in line with ISO/IEC 17021-1, which states that, after the 6-month period allowed after the end of validity of the previous certification, an initial audit shall be performed (with at least a stage 2).]

Answer, based on ISO/IEC 17021-1:

The CB must treat the client as a new one if, 6 months after the expiry date, not all recertification activities (including the recertification decision) have been completed. In this case, the standard does not request a stage 1 (“at least a stage 2 shall be conducted”).

Question 47.6 Knowledge requested to take the decision

ISO/IEC 17021-1:2015 § 9.5.1.1, ISO/IEC 17021-2:2016 § 7.3.4, ISO/IEC 17021-10 Table A.1

According to the standard ISO/IEC 17021-1:2015 § 9.5.1.1 it is required that “The individual(s) appointed to conduct the certification decision shall have appropriate competence”, moreover in ISO/IEC 17021-2:2016 in § 7.3.4 it’s requested that “Personnel reviewing audit reports and making certification decisions shall have knowledge of applicable compliance obligations sufficient to make a decision on the basis of a certification audit report”.

Taking into consideration all these factors:

Question 1: Is it acceptable for a legally established CAB (Conformity Assessment Body) in one country (Italy) to establish a hub in another country (such as India) where certification decisions are made for all the certificates issued worldwide, while the responsible personnel do not demonstrate knowledge of the relevant compliance obligations?

Question 2: How can the CAB demonstrate this? For instance, by ensuring that the decision-making staff is supported by technical experts on the local issues where the audit took place.

Question 3: In a similar vein, could the same situation apply to the FSMS (Food Safety Management System) scheme, where Table C.1 requires knowledge of the applicable food safety regulations in both the country of production and the country of destination?

In ISO/IEC 17021-10, it is also stated that personnel responsible for making decisions must possess knowledge of legal and other requirements. However, personnel operating in a different country may not be aware of these specific requirements.

March 2024

Answer 1: No, because the responsible personnel could not demonstrate sufficient knowledge.

Answer 2: As the decision can be taken by a team, support by experts with sufficient knowledge on local compliance issues might be a solution to demonstrate the competence to take the decision.

Answer 3: If the knowledge is required for both countries (production and destination) the knowledge of the decision maker must fulfil these requirements.

For OHSMS the requirements are similar, the knowledge of the decision maker (team) shall cover the local requirements where the audit took place.

Question 48.1 Monitoring for initial competence evaluation – 17021 cl. 7.2.4

Regarding ISO/IEC 17021-1 cl. 7.2.4:

The initial competence evaluation of an auditor shall include the ability to apply required knowledge and skills during audits, as determined by a competent evaluator observing the auditor conducting an audit.

A CAB states that the initial competence of the auditor concerns the first qualification including witness of the auditor regardless at which CAB this has been achieved. So for example: CAB 1 has initially witnessed and qualified the auditor. When the auditor moves to a different CAB 2, this CAB 2 can qualify the auditor without witnessing this auditor.

How shall the “initial competence” be interpreted:

Option A: The ‘initial competence’ including the mandatory on-site observation is related to the auditor itself

Option B: The ‘initial competence’ including the mandatory on-site observation is related to the CAB. So the CAB has to observe every new auditor for the CAB on-site regardless the auditor having a qualification at a different CAB.

September 2024

Answer is Option B:

The initial competence evaluation is related to the CAB.

ISO/IEC 17021 Cl. 7.2.4 also requires the CAB to provide training. In case of a change of auditor to a new CAB, this should at least be the training on the MS and the applicable documents of the CAB to be used in the audit process.

Monitoring during his first audit is required to authorize the auditor for the assigned area of competence.

It is the responsibility of the employing CAB to ensure the auditor’s competence, ability to apply required knowledge and skills during auditing, regardless of whether this auditor has been previously qualified by another CAB.

It is noted that for the initial qualification, the requirements of cl. 7.1.2 and 7.1.3 should be considered as well.

Question 48.2 Scope of accreditation (IAF ID 1)

A certification body (CB) has required granting accreditation for NACE 99. The CB is expecting to perform a space agency certification. The NACE 99 was removed from IAF ID 1 and is not currently covered by any other EAC. Is it possible to list the “NACE 99” under EAC 39 despite the fact that according to the IAF ID 1 this “code” is not listed in EAC 37?

September 2024

The Question does not lead to a YES/NO answer

Even if the NACE code 99 has disappeared from IAF ID1, the activity and the NACE code still exist.

The AB can accept the application, attributing the activity which is actually performed by the organization(s) the CB intends to certify to the most appropriate IAF code, as NACE code 99 refers to extraterritorial activities and does not specify any activity.

IAF ID1 is an informative document aimed at facilitating the consistent application of ISO/IEC 17021-1 and helping to define the scopes of accreditation.

To this end, it is the responsibility of the CB to analyse the type and nature of the activities of the organization seeking certification and classify it under the most relevant IAF ID1 code. This classification shall be subject to the CB’s application review by the AB and consequent assessment.

In the given situation (space agency), such IAF code could be IAF 34 (Engineering Services) or 35 Other Services (NACE 72.19 or NACE 74.9).

IAF codes 37 and 39 do not appear to be the most appropriate codes of classification.

Question 48.4 Audit time determination to ISO/IEC 20000-6

Audit time calculation to ISO/IEC 20000-6:

For calculating audit time with regard to chapter 9.1.4.2 it is possible to reduce audit time based on the proposed criteria. The max. reduction of the audit must not be more than 30%. A CAB has invented a tool, so that in 95% of all cases the result for the reduction is -30%.

Example:

Criteria for reduction: previously certified (-20%), combined audit with another MS (-20%), identical activities on all shifts (-20%), low level of reliance on third party (-10%) subtotal -70%

Criteria for increase: complex business processes (+10%)

Total would be -60%, however the limit of -30% is respected.

Is this system acceptable using an “overcompensating” mechanism, so it is basically not possible to result in less than 30% reduction?

September 2024

According to ISO 20000-6:2017 #9.1.4.2.  “…the maximum reduction shall be 30% of the Table 1 audit time….”. The intention was to establish an acceptable value for the sum of the contributions of reduction factors, in a way that would not compromise audit effectiveness.

It is acceptable that the CB considers multiple factors that could justify more or less audit time for an effective audit, depending on the attributes of the client’s system, processes, and products/services.

The contribution of each individual factor (usually established in terms of % of audit time reduction/increase) shall also be justified and documented by the CB.

However, it is not realistic to consider that, if the above requirement did not exist, the sum of the different contributions of individual reduction factors applicable to a specific case could reach a decrease value significantly higher than 30% without affecting the effectiveness of the audit.

The answer to the question is NO: irrespective of the calculation methodology used, results in which the contribution of different reduction factors systematically reaches values significantly higher than the 30% limit (which are then “artificially” limited to 30%) are neither credible nor feasible.

Question 48.5 Audit time determination to ISO/IEC 27006-1:2024, for multisite (C.6)

The definition in ISO/IEC 27006-1 for multi-site under C.6 is:

Generally, the total audit time for on-site audit shall be calculated by considering the total number of persons doing work under the organization’s control irrespective of their location.

Alternatively, for justified reasons which shall be documented, it is permitted to sum the audit times which are individually calculated for each site, as long as this total audit time is larger than that defined in accordance with the first paragraph of this clause.

These two requirements seem to contradict the requirements in IAF MD1, and the second sentence in C.6 seems illogical since the sum of the individual calculations is always greater than using the total sum of the FTE in a company.

Example: a company has a total of 150 FTE in 3 locations, each 50 FTE. Audit time in total for the whole organization would be 13 days. The total of all 3 locations would be 10 days each site which equals to 30 days if calculated separately.

Question: How do we deal with this requirement internationally in a harmonized way and does it overwrite IAF MD1?

September 2024

ISO/IEC 27006-1 shall be applied, as stipulated in the scope of IAF MD1.

Question 48.6 Audit time determination to ISO/IEC 27006-1:2024, determination of initial number of persons (C.3.4)

The definition in ISO/IEC 27006-1 for initial number of persons C.3.4 is:

A reduction in the number of persons performing identical activities shall be made based on the risk of the activities associated with the tasks. The square root of the head count of people performing each identical activity may be used to determine the effective number of people, which is used for audit duration calculations, rounded up to the next full number. This number shall be the maximum reduction of the head count allowed.

Example:

Company with 144 FTE (square root =12)

Reduction for each identical activity:

49 technicians = 7 (square root)

49 support personnel = 7

49 service desk personnel = 7

Total reduction 21

Is the total reduction in this case 21 instead of 12 FTE?

(The difference in audit time between 12 and 21 FTE would be 1 day for this example)

September 2024

This question may be related to other similar questions already raised and answered by the EACC in the past (although referring to other schemes), such as EA FAQ 44.1. When addressing the use of square root method, it was noted that “…This could be an appropriate approach. However, with such big reductions, it should be limited to similar/repetitive activities/processes/functions that are considered simple in the way that they require limited skills/knowledge/education, are executed under direction by others, and what they do has a limited effect on the outcome of the management system or its scope (ref. e.g., type of functions listed in IAF MD 5 – Clause 2.3.4)…”.

This said, the accredited CB shall establish, justify and document the criteria related to relevant activities/positions/functions subjected to the referred reduction and consideration of the risks connected with their effect on the specific management system.

It is difficult to understand from the example what is the risk of each of the identified activities. However, it is clear from ISO/IEC 27006-1 that the calculation cannot be applied directly to the entire number of FTEs of the organization (144) but rather to the head count of people performing each relevant identical activity, for which proper justification is presented.

Therefore, the answer is that the acceptable total reduction in this case is 21, the sum of the square roots applied to each category of personnel, this square root calculation for each category being possible as long as this category is relevant according to answer to 44.1, i.e. having similar activities.

It should be noted that the final consideration should always be that the CAB ensures that sufficient audit time is allocated for a complete and effective audit in line with cl. 9.1.4.

Question 48.7 On-site evaluation for multi-site certifications

In the case of a Multi-site certified client, a random sample is taken from the central site and three other sites as part of a monitoring programme (which is in line with IAF MD 1, 6.1.2, sampling).

The actual audit plan shows that representatives from two sites will come to the central site and then the certification body will “audit” the representatives of these two sites at the central site.

In addition to the audit at the central site (including the representatives from two sampled sites), it is only planned that one further location of the three sampled sites will be “really” audited on site.

This procedure clearly contradicts good auditing practice. Certainly, it is arguable with reference to the ISO/IEC 17021-1:2015 standard clauses 9.6.2.2 f and 9.3.1.3d that operations shall be audited, including more people than one or two representative(s). Ultimately, however, it includes some aspects of interpretation.

Questions:

1) Is this procedure permissible?

2) If not, which clause of the standard (or IAF requirement) should be used to justify to the certification body that the audit of all sampled sites must be carried out on site at the respective locations in the case of multi-site certifications?

September 2024

1) NO

2) The clauses in support of the answers are:

  • Definition of a site in IAF MD1

2.2 Permanent Site:

site (physical or virtual) where a client organization performs work or from which a service is provided on a continuing basis.

The definition of a person is different from the definition of a site (a person is definitely not a site): so, interviewing a person from a site is not auditing this site/location, and cannot be considered as auditing the site.

  • Definition of an audit in ISO/IEC 17000

6.4 audit:

process for obtaining relevant information about an object of conformity assessment (4.2) and evaluating it objectively to determine the extent to which specified requirements (5.1) are fulfilled

Note 1 to entry: The specified requirements are defined prior to performing an audit so that the relevant information can be obtained.

Note 2 to entry: Examples of objects for an audit are management systems, processes, products and services.

  • Methods to obtain information ISO/IEC 17021-1

9.4.4.2

Methods to obtain information shall include, but are not limited to:

  a) interviews;
  b) observation of processes and activities;
  c) review of documentation and records.

In the example given in the question, which consists of interviews of the representatives, b) and c) are missing.

Question 48.8 Personnel/auditor competence according to Cl. 7.1.2 ff, ISO/IEC 17021-1 for QMS

17021-1/7.1.2 states: The certification body shall have a process for determining the competence criteria for personnel involved in the management and performance of audits and other certification activities.

Competence criteria shall be determined with regard to the requirements of each type of management system standard or specification, for each technical area, and for each function in the certification process. The output of the process shall be the documented criteria of required knowledge and skills necessary to effectively perform audit and certification tasks to be fulfilled to achieve the intended results.

17021-3 adds requirements on specific fields of knowledge (not necessarily experience, specific training demands or “competence” as such).

With this in mind, we propose the following two case examples:

A) A CB, active in IAF scope 38 states as a qualification/experience basis within the competence profile for its auditors:

  • Training with medical knowledge
  • Minimum 2 years vocational experience in the field (medical/health sector)
  • Training as general practitioner (medical doctor) or
  • Training as hospital worker/nurse or
  • Training as (health-) care worker

B) Another CB is employing an auditor for 9001 audits in pharmacies, whose original qualification is documented as “trained office clerk”. The CB has documented as well that this person is fully trained as auditor/lead auditor. Furthermore, according to the CB’s records, the auditor has studied various items of pharmacologic literature and has taken part in three individual trainings on “QM in the pharmacy sector”, two of which were held within the CB by a QM-competent pharmacist.

Are those examples acceptable with regard to the competence of auditors under 17021-1/QMS?

September 2024

ISO/IEC 17021-1 requires that competence criteria are determined for personnel involved in the management and performance of audits and other certification activities.

Competence criteria shall be determined for each type of management system standard and for each technical area. Criteria are required knowledge and skills necessary to effectively perform a management system audit.

Based on the above:

  • The competence criteria shall be written in terms of knowledge and skills to be fulfilled, not in terms of qualifications (which are records of having followed a training but without questioning the efficiency of the training for the person).
  • The competence criteria shall consider that it is a management system which is audited (and not a product/process or service), and that the technical area is a sector field, but not a product, service or profession. A.2.5 (knowledge of client’s business sector) and A.2.6 (knowledge of client products, processes and organization) of ISO/IEC 17021-1 Annex A are to be considered in this context.

Both examples are referring to qualification (i.e. previous experience and/or training) and not to knowledge and skills.

Question 48.11 ISO/IEC 17021-1 § 5.2.6 & ISO/IEC 17065 § 4.2.6.e

Currently, CBs are allowed to perform a preliminary audit for a given standard or CAS, i.e. an audit performed before any step of certification to evaluate the state of preparedness of a future client to fulfil the requirements of this given standard or CAS, subject to conditions for accepting this practice (only once per client, only gap analysis, no reduction of time of the subsequent audit).

The standards ISO/IEC 17021-1 or 17065 do not refer to blank audit and we did not find any IAF or EACC decision on this matter.

It is now questioned to extend this possibility of preliminary audit for the revision of a standard or CAS, i.e., during the transition period, the client being already certified by the CB for the previous version of the standard or CAS.

However, this could be considered as a threat for impartiality.

The rationale is as follows: a transition preliminary audit is necessarily performed at a CB’s client (the client is certified for the previous standard/CAS); it is then considered as an internal audit, and both ISO/IEC 17021-1 (5.2.6) and ISO 17065 (4.2.6.e) forbid the performance of internal audits.

Question 1: shall a transition preliminary audit be considered as an internal audit?

Question 2: If the answer to Q1 is no, does it mean that it is acceptable that accredited CBs carry out preliminary audits (which are not in the certification process) for their certified clients, to check if they are ready to be audited for the new version of a standard or CAS, when they are certified to the previous version? Are there conditions under which this practice is acceptable?

Considering the global subject, we have an additional question referring to the performance of a preliminary audit itself.

Question 3: is preliminary audit in general acceptable? If no, what would be the standard requirement to refer to?

Are any ABs accepting it?

September 2024

It should be noted that the IAF consensus position is related to MS certification, not to product certification.

Answer 1: NO, by definition, a transition preliminary audit is not an internal audit (first party audit).

Answer 2: YES

Refer to IAF decisions number 10/03/08 and 19/04/01

– 10/03/08 Certification audit process, stage 1 and stage 2

There was consensus in IAF TC

  • that more than one stage 1 audit is possible with proper justification
  • that pre-audits prior to stage 1 are acceptable as long as impartiality is not compromised, but not appropriate between stage 1 and stage 2
  • Pre-audits prior to transition/ migration is acceptable

– 19/04/01 Pre-Audit

Additional note to TC Decision 10/03/08 “Pre-audits prior to transition/ migration is acceptable.”

Answer 3: YES, refer to TC decision.

As a general statement it is confirmed that pre-audit cannot be used as a stage 1 audit.

The additional risk to impartiality shall be considered in the CAB’s risk assessment.

For product certification, further considerations may be relevant, e.g. information given in EA-2/20, as well as scheme requirements.

Question 48.12 9.1.3 Audit programme

An audit programme for the full certification cycle shall be developed to clearly identify the audit activity/activities required to demonstrate that the client’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s). The audit programme for the certification cycle shall cover the complete management system requirements.

When should the audit programme be prepared by the CAB?

September 2024

– For the first certification cycle, the audit programme shall be prepared by the CAB before the stage 1 audit (refer to 9.1.3.2). This programme shall be revised for completion after the initial certification decision is taken, and actual programming can be realized, based on the output of the initial certification activities.

– For the subsequent certification cycles, the audit programme shall be developed for the full certification cycle, which implies that the audit programme shall be developed after the recertification decision, as the new cycle begins after the recertification decision.

In both cases, the audit programme can, of course, be a first version, subject to revision, as stipulated in Note 2 of 9.1.3.2.

Question Energy Audits

Is the performance of energy audits, in accordance with ISO 50002 or BS EN 16247, as well as environmental and/or energy management system certification for the same client considered to be an unacceptable threat to impartiality?

March 2017

Consensus Position
An energy audit may be used to support the “Energy review”, which is a key process and forms the basis for an energy management system according to ISO 50001. An energy audit according to ISO 50002 (or BS EN 16247) is defined as a “systematic analysis of energy use and energy consumption within a defined energy audit scope, in order to identify, quantify and report on the opportunities for improved energy performance”. Performing a full energy audit according to ISO 50002 or BS EN 16247 contains elements of management system consultancy, including the following examples:

  • “establish and evaluate the current energy performance”;
  • “The energy auditor shall identify energy performance improvement opportunities based on analysis and the following: a) their own competency and expertise …”;
  • “When reporting the energy audit results, the energy auditor shall: … f) provide a prioritized list of energy performance improvement opportunities; … g) suggest recommendations for the implementation of the opportunities.”
  • “The energy audit report shall include the following topics: d) opportunities for improving energy performance: 1) recommendations and the suggested implementation programme; 2) assumptions and methods used in calculating energy savings, and the resulting accuracy of calculated energy savings and benefits; 3) assumptions used in calculating costs of implementation, and the resulting accuracy; 4) appropriate economic analysis, including known financial incentives and any non-energy gains; 5) potential interactions with other proposed recommendations; 6) measurement and verification methods recommended for use in post-implementation assessment of the recommended opportunities;”.

Therefore, the performance of energy audits, in accordance with ISO 50002 or BS EN 16247, as well as environmental and/or energy management system certification for the same client is considered to be an unacceptable threat to impartiality. It is noted that providing EMS or EnMS certification to entities, related to the client where the Certification Body has provided an energy audit, who could use those energy audit results (i.e. through having a similar energy profile) shall also be considered to be an unacceptable threat to impartiality.

When EnMS and EMS Certification Bodies demonstrate through their regular mechanisms awareness and mitigation of the risks to impartiality arising from the consultancy elements as listed above, the performance of energy audits at other clients is not considered to be an unacceptable threat to impartiality.

Question CW2017 1

This question is the result of a workshop held at the EACC meeting in March 2017

Can a Certification Body offer management systems related training?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1 and 5.2.3

The consensus position of the EACC is that training can be offered as long as it is generic and not tailored to a particular customer and as long as it does not offer direct solutions to the customer’s management system implementation.

Attendance at training courses must not be compulsory and customers sending delegates must not be given any preferential treatment.

The provision of training should be covered within the CB’s risk management system.

Question CW2017 2

This question is the result of a workshop held at the EACC meeting in March 2017

How much should the organisation’s consultant be involved in the CB audit process?

March 2018

ISO/IEC 17021-1: 2015 – clause 9.1.1; 9.2.2.3; and 9.3.1.3

The consensus position of the EACC is that there is no restriction on the presence of the consultant in the audit process.

The role of the consultant (e.g. ranging from being observer/guide to acting Quality Representative) shall be clearly established and the participation should be in accordance with that role (e.g. no interference vs answering/contributing as QR).

Notwithstanding the above, the following points should be noted by the CB’s auditor:

  • The management system should be owned by the organization with the consultant’s assistance; the organization must be able to demonstrate that there is effective leadership in terms of the implementation of the management system.
  • If the consultant is present during the audit, it is important that the CB is able to see that the system is effectively implemented by the organization and is not just “owned” by the consultant.

Question CW2017 3

This question is the result of a workshop held at the EACC meeting in March 2017

Can the CB offer internal auditing to its clients?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.6

The consensus position of the EACC is that this is not possible for existing clients of the CB; internal auditing can be offered to other organisations not certified by the CB. There should be a suitable gap (2 years) between the CB offering internal audit and the customer becoming certified by that CB.

Question CW2017 4

This question is the result of a workshop held at the EACC meeting in March 2017

Can a CB provide finder’s fees to consultants?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1; 5.2.3. Attention is drawn to the IAF Technical Committee decision 10/10/01, which is reproduced here:

It should be noted that this decision was made in 2010 and there have been some changes since then, for example the bullet point referring to Impartiality Committee, which is no longer a requirement; reference should be made to the risk processes of the certification body.

“Consensus of the IAF TC is that there are alternative methods to the 2-year option to manage impartiality in the case of payment of commission/finder’s fee to consultants. A CAB has to demonstrate the following:

  • Transparency – all documentation relevant to this relationship are recorded and available on request to AB. The client and relevant CAB personnel are aware of this relationship and/or payment of commission/finder’s fee and that the CAB does not provide special treatment.
  • Management of the CAB has signed the relevant declaration of impartiality that includes reference to such relationships and their management.
  • Risk assessment conducted for the specific relationship between the involved parties. Special attention given to the threats arising from relationships of the parties/individuals involved.
  • Impartiality committee reviews the effectiveness of management of risk due to such relationships.
  • A process is established to ensure there is no special treatment of clients during the certification process.
  • Instances of pressure or influence from management, consultant or client are reported and mitigated.
  • Additional witnessing of the audits may need to be conducted by the CAB.
  • Closer scrutiny of audit output and certification / recertification decisions.
  • Monitoring of such relationships through internal audit.
  • An AB may need additional time to assess the management of such relationships and may also need to conduct additional witness audits.”

EUROLAB Question: Certification of laboratories due to ISO 9001

ISO/IEC 17025:2017 offers in article 8.3 the opportunity that a laboratory that has established and maintains a management system, in accordance with the requirements of ISO 9001, and that is capable of supporting and demonstrating the consistent fulfilment of the requirements of Clauses 4 to 7, also fulfils at least the intent of the management system requirements specified in 8.2 to 8.9.

ILAC P15 (with respect just to Inspection Bodies) recommends in article 8.1.3b: “However, when determining the extent of required assessment, the accreditation body should take into consideration whether the inspection body has been certified against ISO 9001 by a certification body accredited by an accreditation body which is a signatory to the IAF MLA, or to a regional MLA, for the certification of management systems.”

Note 2 of article 5.5 of ISO/IEC 17000:2004 states: “Certification is applicable to all objects of conformity assessment except for conformity assessment bodies (2.5) themselves, to which accreditation (5.6) is applicable.”

Does article 5.5 (incl. its note) mean that a quality management system according to ISO 9001 of a CAB (like a laboratory) cannot be certified by an accredited certification body because that would appear like an accreditation, which is reserved for the NABs?

8 January 2021

There is no clause in ISO/IEC 17021-1 that would prevent a Certification Body from certifying the management system of a Laboratory or Inspection Body. Such a possibility is recognised in some related documents, for example, ILAC P-15: Application of ISO/IEC 17020:2012 for the Accreditation of Inspection Bodies, clause 8.1.3b, which states that ‘Option B does not require that the inspection body’s management is certified to ISO 9001. However, when determining the extent of required assessment, the accreditation body should take into consideration whether the inspection body has been certified against ISO 9001 by a certification body accredited by an accreditation body which is a signatory to the IAF MLA, or to a regional MLA, for the certification of management systems.’

However, there are justifiable concerns regarding the possibility of such an accredited certification being confused in the market place with accreditation to ISO/IEC 17025 and that there are specific risks of the CB covering aspects normally covered by the Accreditation Body.

Therefore it is the opinion of the EA CC that:

  • It is valid for a Certification Body to certify the management system of a Laboratory or Inspection Body, however:
  • The CB’s risk management system must identify any impartiality risks and how they are mitigated/managed (ISO/IEC 17021-1: 5.2.3).
  • The scope of the ISO 9001 certification is clear that it is for the Management System supporting the operation of the Laboratory/Inspection Body.
  • The scope of the ISO 9001 certification must be different to the scope of the ISO/IEC 17025/ISO/IEC 17020 accreditation.
  • The certification must in no way imply compliance with ISO/IEC 17025 or ISO/IEC 17020.
  • The certification body’s marks and logos must not be used by the certified laboratory / inspection body in any way that implies that they are indicating compliance with ISO/IEC 17025 or ISO/IEC 17020.
  • A certification body shall not permit its marks to be applied by certified clients to laboratory test, calibration or inspection reports or certificates (ISO/IEC 17021-1: 8.3.2).

Questions relating to ISO/IEC 17065 – Product Certification

Question 32.7 Other standards

The question concerns certification schemes where inspection is (part of) the evaluation activities. Which independence criteria would apply to inspection bodies or individually hired inspectors?

As certification and the inclusive components like inspection are a third party activity, we would assume that the requirements of ISO/IEC 17020: 2012 Clause 4.1.6.a / Clause A.1. apply in full.

September 2016

It is for the certification scheme (and accordingly for the scheme owner) to specify the independence requirements applicable to the nature of the evaluation activity. So in general, inspection bodies type A, B or C might be specified to be used where inspection is (part) of the evaluation activities. On the other hand, it is for the CB to demonstrate that both internal and external resources meet the independence requirements stipulated in the relevant standard.

A) Individually hired inspectors (ISO 17065 6.2.1 internal resources)
The requirements for personnel including the inspectors are described in the Standard (ISO/IEC 17020:2012), regardless of the type (A, B or C) of inspection body from which they derive.

B) Outsourced Inspection body (ISO 17065 6.2.2 external resources)
ISO 17065 6.2.2.2 allows the CB to outsource activities to “non independent” bodies like the testing lab of the client of the certification body. Certification is a third-party activity, but inspection as a part of the certification scheme may include “different parties’” activities: from Type A inspection bodies (third-party inspection), Type B and/or Type C inspection bodies (first party inspection for its parent organization).

Type A inspection bodies may always be used for evaluation activities complying with the rest of the requirements of ISO 17065.

The use of Type B and C inspection bodies implies that the CB analyzes the potential conflicts of interest and adopts measures to eliminate or reduce them. Type B inspection bodies should not be involved in the certification of their parent company but may be used for evaluation activities complying with the rest of the requirements of ISO 17065. Type C inspection bodies may be used as part of the evaluation for evaluation activities complying with the rest of the requirements of ISO 17065, but this fact should be communicated in advance to the client of certification.

Probably it is going to be easier for a CB to demonstrate independence when using Type A inspection bodies while it will require more work when using Type C inspection bodies.

Question 33.4 Discrimination

Clause 4.4 of ISO/IEC 17065 reads:

4.4.1 The policies and procedures under which the certification body operates, and the administration of them, shall be non-discriminatory. Procedures shall not be used to impede or inhibit access by applicants, other than as provided for in this International Standard.

[…]

4.4.3 Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued. There shall not be undue financial or other conditions.

During a recent assessment an assessor raised the following NC against 4.4:

Within “certification case XYZ”, the fee was reduced without reason (compared to the fee schedule). The rules and procedures of the CB foresee such reductions but without reasoning. (The CB is internationally active and subject to assessments of several ABs. Furthermore, the reduction of the fee was decided on by a “non CL” office, not the accredited office itself.)

1) Does the EA CC support the interpretation that individual, “freeform” discounts of certification fees without reasoning and general applicability are not in line with the requirements of ISO/IEC 17065 and constitute a discrimination especially looking at equal treatment of clients?

2) More generally, what is the stance of the EA CC toward discounts and application of fee schedules? Are discounts acceptable? Under which circumstances?

3) Does the EA CC support a submission of this query to the ISO/CASCO?

March 2017

A certification body does not have to charge all clients that are in the same condition the same fee. Offering discounts does not ‘impede or inhibit’ access by applicants, neither does it impose ‘undue financial or other conditions’.

The fees charged by a certification body are a purely commercial decision for the certification body and it is perfectly acceptable for a CB to charge different clients different fees, providing the certification process is applied equally to all clients. Certification bodies operate in a competitive environment. Most clients obtain multiple quotations for certification and cost will be one of the factors taken into account. Certification bodies need the flexibility to vary their fees in order to attract clients. There is no requirement in ISO/IEC 17065 for the CB to justify the reasons for the fees it charges or for applying a discount.

Question 33.5 Group Certification

EA 6/04 stresses that groups under an umbrella organization, where only this umbrella organization is certified, may NOT sell their products individually as certified.

How is this issue dealt with in face of the fact, that at least GLOBALG.A.P. as a major scheme owner does allow group members to sell their products individually, due to market pressure in the US?

What is the opinion of the EA CC in general in relation to group certificates, especially within product/process/service certification and their use by individual members?

The reply will be the more important since a solid stance on this will be part of the revised EA 6/04.

March 2017

In a group, certification is granted based on the sampling performed and based on the assessment that the group has done on all the operators that comprise it. An operator belonging to a certified group cannot receive an individual certificate (sub certificate) as long as it has not been evaluated.

Question 33.9 certification of Feeds

Regulation (EC) No. 834/2007 in the second paragraph of the first article provides products originating from agriculture, to which the latter regulation applies as follows:

(A) live or unprocessed agricultural products;
(B) processed agricultural products for use as food;
(C) feed and
(D) vegetative propagating material and seeds for cultivation.

Our assessment procedures take into account those four areas when assessing the qualifications of persons to carry out certification procedures. If all conditions for accreditation in these areas are fulfilled, they are also listed in the annex to the accreditation certificate.

Certification bodies accredited for certification of organic production and processing under Regulation (EC) No. 834/2007, in section “C” – feed include only customers – companies which produce feeds in the production process (e.g. mixing concentrated feed). Customers which produce feed on their own farms (e.g. grass, hay, corn, other cereals, etc.) are included in the area “A” or “B”.

We are kindly asking for your opinion if the current classification of the customers in the area “C” – feed is appropriate or whether it is necessary to include in this area all farms producing mainly unprocessed agricultural products (usually only for animal feed) kept on their own farms.

March 2017

3 different situations can be considered:

If an operator produces feed for his livestock on his own farm (e.g. grass, corn, cereals …), he must be included in unprocessed plant products, provided that the feed is intended exclusively for his own livestock. The operator may add to the agricultural products, substances complying with Annex V or additives listed in Annex VI to R (EC) 889. Category A

If the operator produces raw materials for animal feed, he can market them to third parties with the scope of unprocessed plant products. Category A

If the operator mixes the raw materials from his own holding and adds them to the substances listed in Annex V or additives of Annex VI and wishes to market the feed to third parties, he must be included in processed agricultural products for animal feed.

(It was agreed that this question would be forwarded to DG AGRI for further consideration)

Question 33.12 Notified Body Stating of Product Standards

Is it possible for an accredited CB, when acting also as a Notified Body, to issue a certificate of conformity to the producer for a given type of product, without mentioning the product standards or specifications against which conformity has been demonstrated?

Note for example the Lifts Directive: The Commission Communication 2016/C 138/03 published the list of harmonized standards to be used for the conformity assessment. So, the list of applicable standards is defined in the law, and anyone can access it.

If the conformity certificate is a positive one (approval without exclusions) the absence of identification of the standards becomes administrative and may be omitted as long as the assessment report contains the details of the conformity assessment, including the standards used?

March 2017

ISO/IEC 17065:2012 says in 7.1.2 “The requirements against which the products of a client are evaluated shall be those contained in specified standards and other normative documents.” and in 3.10 “scope of certification: identification of

  • the product(s), process(es) or service(s) for which the certification is granted,
  • the applicable certification scheme, and
  • the standard(s) and other normative document(s), including their date of publication, to which it is judged that the product(s), process(es) or service(s) comply”

If the manufacturer chooses a non-harmonised product conformity standard, they should conduct a risk analysis and show the applicability and validity of that non-harmonised standard.

On the other hand, in some EU directives, there is no defined harmonised standard for specific products and in this case, it is left to the manufacturer’s decision to choose the most relevant product conformity standard or criteria.

In both cases, the product conformity certificate should give reference to the relevant standard or criteria (normative document). For other cases (when the EU Directive mandates the use of a harmonized product conformity standard), there is no need to give additional reference in the product conformity certificate.

NOTE
All the technical specifications and standards (harmonized or not) of these products are normally part of their technical files.

Question 33.17 Response to nonconformities

Situation: The certification process in the CB is as follows:

  • The CB auditor performs the audit and writes nonconformities, if there are any. His/her action stops after that.
  • The reviewer (technical officer inside the CB) is in charge of the follow-up of the audit, which includes analysis of the answers from the client to the nonconformities and a recommendation on closing or not closing the nonconformity
  • The reviewer is in charge of reviewing other results from the evaluation process (e.g. test results)
  • This reviewer makes a recommendation for the certification
  • The certification decision is taken by the CB’s Director

Question: Is the analysis of the answers from the client to the nonconformities (and opinion on closing or not the nonconformity) part of the audit or can it be considered as part of the review?,

  • In other words is the analysis of the answers from the client to the non conformities is an evaluation task and shall be considered as an evaluation activity or is this analysis of client answers part of the evaluation process without being considered as an evaluation task belonging to evaluation activities?

Depending on the answer, does it fulfil (or not) the requirements of 7.5 if the reviewer performs the analysis of the answers from the client to the nonconformities raised in the audit?

March 2017

Clause 7.5.1 of ISO/IEC 17065 states:

“7.5.1 The certification body shall assign at least one person to review all information and results related to the evaluation. The review shall be carried out by person(s) who have not been involved in the evaluation process.”

Therefore, an independent review is required. The review, acceptance and verification of answers to nonconformities is an evaluation activity and the individual performing these tasks cannot, therefore, perform the review required by clause 7.5.1 of ISO/IEC 17065.

If the product certification scheme requires that the certification body performs management system auditing as part of product certification, it shall meet the applicable requirements of ISO/IEC 17021-1. The applicable requirements concerning handling the client’s response to nonconformities are specified in Clause 9.5.2 of ISO/IEC 17021-1, which states that prior to making a certification decision:

  • that for any major non-conformities, the certification body has reviewed, accepted and verified the correction and corrective actions and
  • that for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action.

In this case, the review and acceptance of the client’s plan for correction and corrective action, in respect of minor nonconformities, is not part of the evaluation as there is no verification of the correction and corrective action, and the individual performing these tasks can perform the review required by clause 7.5.1 of ISO/IEC 17065.

Question 33.20 witnessing for CPR

In the area of Product Certification, the NAB performs demo witness assessments in the initial accreditation or scope extension assessments for the CABs that are not designated as NB yet by notifying authority and applied first time in the field of CPR (Reg.No. 305/2011) for a certain scope and makes decision about CAB’s competence according to this demo witness assessment.

The question is whether CABs can use the reports and outcomes of this demo witness assessment as a basis for certification decision and issuing real certificate under CPR for relevant producer, after being accredited by NAB and being designated as Notified Body by authorities without performing a new audit to relevant producer?

Has any other NAB faced a similar case in their country and what is the general implementation about this issue in other EA member countries?

Note: The national authority requests the NAB’s opinion about this issue and expects the NAB to determine some rules in accreditation procedures for preventing this issue.

March 2017

When CPR came into force there were two options for the initial accreditation: one possibility with DEMO witness assessment and the other possibility with conditional accreditation.

The first possibility takes place in the initial accreditation for the CABs which are not notified. If the AB follows all the procedures regarding accreditation, then a new audit of the relevant producer is not needed after the Notification (DEMO witnessing assessment); however, the NB would need to carry out a review to ensure that the processes used in the DEMO witnessed are still valid in terms of the processes under which the CAB achieved Notification.

The second possibility was a practice suggested by the European Union. This means accreditation shall be gained without witness assessment and under the condition that the first witness assessment will take place with the AB. (conditioning accreditation)

Question 34.1 Interpretation of Organizational Control

One applicant certification body has two owners (persons). These two owners are also the owners of another company. The second company is a provider of the certified services. These two people own all the shares of both companies.

Do you consider that the second company (the provider of certified services) is under the “organizational control” of the certification body?

4.2.6 The certification body and any part of the same legal entity and entities under its organizational control (see 7.6.4) shall not:

  • be the designer, manufacturer, installer, distributer or maintainer of the certified product;
  • be the designer, implementer, operator or maintainer of the certified process;
  • be the designer, implementer, provider or maintainer of the certified service;

7.6.4 A certification body’s organizational control shall be one of the following:

  •  whole or majority ownership of another entity by the certification body;
  • majority participation by the certification body on the board of directors of another entity;
  • a documented authority by the certification body over another entity in a network of legal entities (in which the certification body resides), linked by ownership or board of director control.

The standard states “whole or majority ownership of another entity” by the certification body, as a means to exercise organizational control but nothing is said about the same situation for the owners of the certification body.

September 2017

Since the two persons own all the shares of the CB, they are legally responsible for the CB and they have full authority over the CB. They shall then be considered as being the CB.

Therefore, the answer is yes: the second company (providing the certified services) is under the organizational control of the CB.

Clause 4.2.3 should also be noted; this requires the CB to identify risks to its impartiality on an ongoing basis, including risks that arise from its relationships, or from the relationships of its personnel. The Note to this clause states that a relationship that threatens the impartiality of the certification body can be based on ownership, governance, management, personnel. Such common ownership should be identified as a risk to impartiality.

Question 35.5 Competence criteria

Relating to ISO/IEC 17065 Clause 6.1.2.1 the certification body shall determine the criteria for the competence of personnel for each function in the certification process (see Clause 7).

Does the above requirement include the determination of competence criteria for each function identified in Clause 7, for example for personnel:

  • handling complaints and appeals (Clause 7.13)
  • implementing changes affecting certification (Clause 7.10)?

March 2018

Yes, the highlighted roles are considered to be a function of the certification process and therefore competence needs to be determined.

Question 36.3 External Sources

What is the difference between external source (cl. 6.2.2 ISO/IEC 17065) and subcontractor (for ex. article 45 of CPR together with Blue Guide, article 5.2.5)? Is there any difference based on who is providing education/training or paying the person? What are the criteria, requirements?

September 2018

Use of external resources and subcontracting are essentially the same and are outsourcing of assessment and verification activities.  The requirements of clause 6.2.2 of ISO/IEC 17065, Article 45 of the CPR (which refers to Article 43) and clause 5.2.5 of the Blue Guide are consistent.

They all require that external resources/subcontractors:

  • are competent to perform the tasks they are allocated;
  • shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the construction products which it assesses, nor the authorised representative of any of those parties;
  • shall not become directly involved in the design, manufacture or construction, marketing, installation, use or maintenance of those construction products, nor represent the parties engaged in those activities;
  • shall not engage in any activity that may conflict with their independence of judgement and integrity related to the activities for which they have been employed and
  • do not affect the confidentiality, objectivity and impartiality of the assessment and/or verification activities they perform.

It is the responsibility of the Notified Body to ensure that the external resources/subcontractors they use have the necessary competence for the tasks they perform on their behalf. Provided it does not affect confidentiality, objectivity and impartiality, how they gained this competence and who paid for their education and training is irrelevant. Where a subcontractor has worked for or with a client of the Notified Body, it is appropriate for the Notified Body to establish a minimum time period before the subcontractor can perform assessment/verification activities on that client or its products. For example, in the case of management systems consultancy, this is a minimum of two years (ref clause 5.2.7 of ISO/IEC 17021-1).

It is the responsibility of the Notified Body to pay its external resource/subcontractors for the tasks they perform.

Question 36.11 Mandatory Documents v Notified Bodies

Shall a Notified Body follow the relevant IAF MD documents when assessing a manufacturer’s quality system (i.e. Conformity to EU-type based on quality assurance of the production process – Module D)?

In particular, shall the following documents be considered mandatory: IAF MD5 (duration of audit), MD2 (transfer of certification), MD1 (multiple sites sampling)?

September 2018

As in the example given in the question:

(In Blue Guide 2016)

D Conformity to EU-type based on quality assurance of the production process

Covers production and follows module B. The manufacturer operates a production (manufacturing part and inspection of final product) quality assurance system in order to ensure conformity to EU-type. The notified body assesses the quality system.

Module Description EN/ISO/IEC 17065 EN/ISO/IEC 17020 EN/ISO/IEC 17021 EN/ISO/IEC 17025
D Conformity to type based on quality assurance of the production process 1 + qa 1 + qa 1 + pk

qa: Ability to assess and approve manufacturer’s quality systems where required. To this end, fulfillment of clause 9 in EN ISO/IEC 17021:2011 shall be demonstrated.

pk: Ability to make professional judgments related to product requirements where required. To this end fulfilment of clauses 6.1.2, 6.1.3 and 6.1.6 to 6.1.10 in EN ISO/IEC 17020:2012 shall be demonstrated.

Also, for Module D (Conformity to EU-type based on quality assurance of the production process), ISO/IEC 17065 is the preferred standard.

 In ISO/IEC 17065:2012

6.2.1 Internal resources

 When a certification body performs evaluation activities, either with its internal resources or with other resources under its direct control, it shall meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. For testing, it shall meet the applicable requirements of ISO/IEC 17025; for inspection, it shall meet the applicable requirements of ISO/IEC 17020; and for management system auditing, it shall meet the applicable requirements of ISO/IEC 17021. The impartiality requirements of the evaluation personnel stipulated in the relevant standard shall always be applicable.

NOTE Examples of reasons as to why some requirements are not applicable include the following:

  • expertise is available within the certification body when using the results of the evaluation activity;
  • the extent of control the certification body has over testing (including witnessing the testing), inspection (e.g. specifying inspection methods or parameters) or management system assessment (e.g. requiring specific details of a management system);
  • a particular requirement is covered in an equivalent way by this International Standard, or is not needed to give confidence in the certification decision.

As can be seen from the above definitions and requirements, there is a strong link between accreditation for notification purposes for quality management system-based modules and the accreditation requirements for MS certification bodies. In almost all cases, it is appropriate for Notified Bodies to take into account the relevant IAF MD documents while assessing quality management system-based modules (e.g. Modules D, E, H and their derivatives), especially IAF MD5 (duration of audit), MD2 (transfer of certification) and MD1 (multiple sites sampling), or the Notified Bodies should take applicable IAF MDs as reference in relevant issues, i.e. audit or evaluation time allocation, multi-site sampling and transfer of certification.

Question 37.6 Independency of reviewer

ISO/IEC 17065 stipulates :

7.5.1 The certification body shall assign at least one person to review all information and results related to the evaluation. The review shall be carried out by person(s) who have not been involved in the evaluation process.

Is an observer of an audit considered as being involved in the evaluation?

In other words, if a person witnesses an audit (for example, to supervise an auditor), can he perform the review of the report of this witnessed audit, with regard to §7.5.1 of ISO/IEC 17065?

March 2019

The exact role of the observer in that particular situation needs to be clear.

Normally an observer is not involved in the evaluation (the trails, the samples, the conclusions, etc.), and so can perform the review.

If the observer takes any active role in the audit, for example offering advice or opinion to the audit team etc., then he is no longer an observer and cannot perform the review.

Question 37.7 Test reports under PPE regulation

Acceptance of test reports provided by manufacturers under PPE regulation (and ISO/IEC 17065)

The context is:

While assessing applicant CBs for accreditation for evaluation according to the PPE regulation, we have come across the following situation:

For PPE regulation, the practice is that notified bodies accept test reports (provided by clients) from other notified bodies (acting in this case as laboratories) without requiring a binding contract with the laboratory.

This practice is taken in application of article 32.2 of the PPE regulation (Conformity assessments shall be carried out in a proportionate manner, avoiding unnecessary burdens for economic operators).

The use of test reports provided by manufacturer is allowed in the Blue Guide (The last paragraph of 5.2.5 subcontracting by notified bodies of Blue guide mentions that the manufacturer can provide test reports or other elements of its technical documentation. The notified body can take these reports into account if it assumes full responsibility for the results. The notified body may accept the manufacturer’s test results for the conformity assessment provided that it justifies the reason for taking account of these tests).

But the Blue Guide also stipulates (5.2.5) that Subcontracting must be based on a contract, which makes it possible to ensure the transparency of and have confidence in the notified body’s operations.

Decision 768/2008 requires that where a notified body subcontracts specific tasks connected with conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements set out in Article [R17]. So, in the case where the notified body is not in direct relation with the laboratory, how can it demonstrate that the specific provisions of R17 for confidentiality and conflict of interest are met?

ISO/IEC 17065 (7.4.5) stipulates that the certification body shall only rely on evaluation results related to certification completed prior to the application for certification, where it takes responsibility for the results and satisfies itself that the body that performed the evaluation fulfils the requirements contained in 6.2.2 and those specified by the certification scheme.

The question is the following:

Is it acceptable for a certification body (acting as a notified body) to accept test reports provided by the manufacturer and issued by other laboratories (accredited according to ISO/IEC 17025) when there is no legally binding contract between the notified body and the laboratory, as required by ISO/IEC 17065 (§6.2.2.3)?

March 2019

Based on the Blue Guide, it is possible provided that at least the following requirements are met:

  • The NB must justify the reason why it accepts the manufacturer’s tests instead of performing them itself.
  • The NB assumes full responsibility for the results of those tests, so the NB must ensure that they were performed with the required competence to provide confidence in the results (accredited laboratories), and additionally must maintain records to demonstrate that confidence.
  • The NB ensures that the tests have been performed in compliance with the required independence and impartiality and that there are therefore no conflicts of interest, and accordingly must demonstrate that the laboratory that conducted the tests is not related to the tested item and that there are no other possible causes that could compromise its impartiality.

Conclusion

When an NB accepts existing manufacturer’s test reports meeting these requirements, it is not a process of outsourcing and therefore it is not necessary to have a legally binding contract with the laboratory used by the manufacturer, provided, as stated, that the above warranties are given, so that the NB can assume full responsibility for the outcome of these tests.

However, if a specific test is requested by the NB as part of its evaluation activities, a contract will be required.

Question 37.10 Certification agreement and decision

ISO/IEC 17065 stipulates:

4.1.1 Legal responsibility

The certification body shall be a legal entity, or a defined part of a legal entity, such that the legal entity can be held legally responsible for all its certification activities.

As part of a new application for accreditation of a CB for product certification we are facing a particular situation:

The applicant CB (delivering the certification decision) does not have an agreement with the client.

The client has an agreement with another entity, which is performing all the other certification activities (the CB will only make the decision). This other entity will not be accredited.

Is it possible for a CB (the entity who is delivering the certification decision) to not have an agreement with the client?

March 2019

No, it is not possible.

According to 7.6.1 of ISO/IEC 17065, the CB shall be responsible for, and shall retain authority for its decisions. And, according to 6.2.2.1, the CB can outsource only its evaluation activities. One of the core activities of the product certification body is decision making. In both cases, the CB shall have its own certification agreement with its client instead of another entity, which is performing all other certification activities (evaluation activities?) excluding decision making.

“7.6.1 The certification body shall be responsible for, and shall retain authority for, its decisions relating to certification.”

Also according to 7.7.3 of ISO/IEC 17065, if there is not any completed/signed certification agreement in between the CB and its client, formal certification documentation (certificate) cannot be issued.

“7.7.3 Formal certification documentation (see 7.7) shall only be issued after, or concurrent with, the following:

  c) the certification agreement (see 4.1.2) has been completed/signed.”

This question also recalls the IAF TC decision below:

14/04/07 Evaluation Activities ISO/IEC 17065 Concerning the question if a certification body can be accredited to ISO/IEC 17065 where the CB does not undertake any evaluation activity and just undertakes review and decision the answer is yes as ISO/IEC 17065 Clause 7.4.5 and 6.2.2.4 permits the acceptance of the evaluation. Nevertheless, all other clauses of ISO/IEC17065 need to be met.

Addition:

A CB verifying an incoming test report against the certification scheme requirements is considered an evaluation activity.

Note: The discussion does not accurately reflect the two schemes operated in the USA, because such schemes are not type testing.

Question 37.16 Measurement uncertainty

According to 7.4.4 in ISO/IEC 17065:2012, a certification body shall carry out the evaluation activities that it undertakes with its internal resources (see 6.2.1) and shall manage outsourced resources (see 6.2.2) in accordance with the evaluation plan (see 7.4.1).

The certification body is accredited (according to ISO/IEC 17065:2012) for notification purposes (e.g. 1+ CPR system). The CB is hereinafter referred to as the “Notified Body”.

The notified body uses testing as an evaluation method during conformity assessment procedure.

Shall the notified body always include measurement uncertainty during its conformity assessment procedure based on testing?

March 2019

This question is not specific to CPR or notified body; it applies to any ISO/IEC 17065 CB.

ISO/IEC 17065 requires that (6.2.1), for testing, it shall meet the applicable requirements of ISO/IEC 17025; therefore, if testing is a requirement of the Harmonised standard and attestation system, measurement uncertainty is a requirement.

Question 37.18 Product requirements in technical specification

Product certification where the product requirements are defined in a technical specification developed by the CB

Consider a situation where a Product CB has developed a normative document (technical specification) where product requirements are established. For some product characteristics, the technical specification states that the product requirements shall be defined in a specification from the producer.

Question 1: Is this possible, considering that the CB can have two (or more) certifications granted against the same technical specification, but the products will not meet the same requirements?

Question 2: In this situation, the certification documentation, when describing the scope of certification (§7.1.1 & 3.10), shall make reference both to the CB’s technical specification and the producer specification or just the CB’s technical specification?

March 2019

Question 1

Yes, but the scheme shall be clear if there are optional requirements or variants within. In this case, there is only 1 scheme and so any variants should not significantly change the nature of the item being certified. For example, options to the length of an electrical cable, dimensional options, layout of controls, etc.

Question 2

Yes, this should be clear on the certification documents.

Question 37.19 ISO/IEC 17065 cl. 6.2.2.3 Legally binding contracts

Background: A manufacturer has purchased evaluation activities for a product it produces. Testing has been performed by an external laboratory and inspection has been performed by an external inspection body. The manufacturer has sent the results from evaluation activities to a certification body for certification of the product.

Question: If a manufacturer has purchased relevant accredited testing analyses and/or inspection, does the certification body have to sign a legally binding contract with the laboratory and/or inspection body for certification?

March 2019

This question recalls the following IAF TC decision:

14/04/06 Evaluation Activities – ISO/IEC 17065 Concerning the question if a certification body can be accredited to ISO/IEC 17065 where the CB does not undertake any evaluation activity and just undertakes review and decision the answer is yes as ISO/IEC 17065 Clause 7.4.5 and 6.2.2.4 permits the acceptance of the evaluation. Nevertheless, all other clauses of ISO/IEC17065 need to be met.

Note: The discussion does not accurately reflect the two schemes operated in the USA, because such schemes are not type testing.

Frankfurt

12.10

It should not be considered a MUST. But, in any case, the CB shall confirm that all applicable requirements of ISO/IEC 17025 and/or ISO/IEC 17020 are met in all relevant accredited testing and/or inspection services purchased by the client. See also Q.37.7.

Question 37.26 ISO 22003:2013

Annex B of ISO 22003 states that the minimum time for on-site auditing of the product and/or service realization of the organization shall be 50% of the total minimum audit time (applies to all type of audits).

Product and/or service realization includes only production/service area, storages, labs’ visits?

OR

Product and/or service realization includes not only production/service area, storages and labs’ visits, but also auditing documentation (e.g. review of process flow diagrams, hazard analysis, PRP plans, records for PRP, OPRP, withdrawal, emergency drills, verifications, etc.) on desk at client’s premises before or after visiting production/service area, storages, labs’ visits?

March 2019

Annex B states that the minimum time for on-site auditing of the product and/or service realization of the organization shall be 50 % of the total minimum audit time (applies to all type of audits). It should be noted that this activity is not necessarily a stand-alone part of the audit.

Product and/or service realization includes only production/ service area, storages, labs’ visits but not auditing documentation.

Please also refer to the note in Annex B

NOTE 2 Product and service realization processes do not include activities related to FSMS development, training, control, audit, review and improvement.

According to this note, only review of process flow diagrams and verifications may be covered by product and/or service realization term.

Question 38.5 ISO/IEC 17065:2012, 4.3.2 Responsibility and funding

1) How should the certification body demonstrate compliance with 4.3.2 of ISO/IEC 17065:2012?
2) What are the minimum criteria for the status of CB “has financial stability and resources”?
3) Is there enough self-esteem information that the CB does not have arrears of wages, taxes and leases? What is the practice / national specifics of other ABs?
4) Should CBs consider “financial stability and resources” as a separate risk (not included in Annex A of ISO/IEC 17065) with further assessment and demonstration of minimization? What is the practice of other ABs?

September 2019

ISO/IEC 17065:2012
4.3.2 The certification body shall have the financial stability and resources required for its operations.

Accreditation assessors are not expected to be financial auditors; they should be looking for ongoing stability to enable the CB to continue its obligations. A (short term) profit or loss in itself is not necessarily an indication of financial instability or risk to impartiality.

1) The balance sheet of the certification body should be in favor of revenues or be in a position to cover its own resources and expenditure on certification activities for a certain time. If the certification body’s budget balance is in favor of expenses, i.e. the budget continues at a loss, then the certification body may come to jeopardize impartiality or flexibility in other accreditation rules to correct the situation and show some negative tendencies.

2) There are no specific criteria. However, the CB should supply objective evidence that proves its financial sources are enough to keep up its certification activities objectively or impartially and competently (in the light of 3 year contractual obligations).

3) No, the AB should try to find objective evidence.

4) It depends. “Financial stability and resources” relate to the impartiality and competence of the CB indirectly. They may be affected by financial instability and insufficient resources required for its operations. Under these conditions, the CB may not continue to give its services competently and/or objectively. From this angle, they may be a source of risk to impartiality and competence.

Question 38.16 Outsourcing in ISO/IEC 17065, 6.2.2

The CB is of the position that all activities in the certification process can be outsourced unless this is directly prohibited by the standard.
What kind of activities can be outsourced by a CB? Is it allowed to outsource, for example, reception of applications, application review, planning of the evaluation activities etc.? Or is the CB only allowed to outsource the evaluation activities described under cl. 7.4?

September 2019

A CB can outsource its certification activities, including evaluation but excluding decision making. Even though it is not prohibited directly in the ISO/IEC 17065 standard, it is indirectly addressed in clause 7.6.3 (this requirement is also indirectly supported or enhanced by clause 4.2.8 of the standard). The rest of the certification activities of the CB can be outsourced provided that the applicable requirements of the standard (or of relevant standards, e.g. ISO/IEC 17025 for testing, ISO/IEC 17020 for inspection or ISO/IEC 17021-1 for MS certification) which are relevant to the undertaken activities are met. Although there is no exact or detailed definition of evaluation activities in the standard, according to the definition of “evaluation” in clause 3.3 of the standard, it includes selection and determination activities covering planning and preparation activities, testing, inspection or audit, decision making, surveillance etc. as referred to in ISO 17000 clauses A2 and A3. Based on this approach, the CB can outsource more activities than written in clause 7.4 of the standard. Outsourcing of contract reviews is also not prohibited by the standard.

It was agreed that an ISO clarification would be sought on this matter to confirm the EA consensus i.e. that a CB for ISO/IEC 17065 can outsource everything except decisions (e.g. application, application review, competence review and allocation, etc.).

Question 38.20 ATP scheme for refrigerated transportation

Which NAB delivers accreditation in the frame of the scheme Carry Perishable Foodstuffs Abroad In Road Vehicles (ATP)?
https://www.unece.org/fileadmin/DAM/trans/main/wp11/ATP_publication/2017/ATP_E_ECE_TRANS_271_WEB.pdf

What is the conformity assessment activity which is under accreditation?

September 2019

ESYD is offering accreditation to testing laboratories and inspection bodies related to the requirements of the ATP Agreement (Agreement on the International Carriage of Perishable Foodstuffs and on the Special Equipment to be Used for such Carriage).

The testing activity refers to specific physical tests of the refrigerated vehicle equipment (http://www.esyd.gr/eped/1.19513_en.doc).

The inspection activity refers to the periodic inspection of vehicles (http://www.esyd.gr/eped/1.226175_en.doc).

Question 39.6 Evidence before certification decision

In what situation can a product certification (ISO/IEC 17067:2013 type 5) be issued, only based on product test report but without assessment of the production process or/and audit of the management system provided

  1. not known earlier
  2. known earlier
  3. known earlier and similar product

March 2020

According to Table 1 and clause 5.3.7 of ISO/IEC 17067, for a scheme type 5, a combination of determination activities is required for initial certification and surveillance, as applicable.

In particular, as defined in clause 5.3.7, “The surveillance part of this scheme allows for the choice between periodically taking samples of the product either from the point of production, or from the market, or from both, and subjecting them to determination activities to check that items produced subsequent to the initial attestation fulfil the specified requirements. The surveillance includes periodic assessment of the production process, or audit of the management system, or both.”

Product testing is partially covering the required determination activities even if the product is known earlier or is similar. Certain elements of the production process and/or the management system should be at least evaluated as part of the initial certification process.

Therefore, granting product certification based only on product testing is not sufficient in any case when this specific type 5 scheme is applied.

Question 40.2 ISO/IEC 17065, § 4.4.3 – Illegal activities

Requirements of ISO 17065 – 4.4.3

Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued. There shall not be undue financial or other conditions.

NOTE A certification body can decline to accept an application or maintain a contract for certification from a client when fundamental or demonstrated reasons exist, such as the client participating in illegal activities, having a history of repeated non-compliances with certification/product requirements, or similar client-related issues.

Question: Which are the illegal activities that the note is talking about? We have to consider only the activities connected to the scope of accreditation, or is it possible to take into consideration also other activities?

Here is an example in a CAB accredited for a food scheme. An illegal activity

  • connected to the scope is a fraud/falsification in an inspection report regarding the origin or composition of a food (even if the scheme is not accredited)
  • not connected to the scope is a fraud/falsification in the payment of taxes or violation of some rules applicable to the employee

September 2020

Given that the NOTE is not prescriptive on the issue of “illegal activities” a potential or existing client of a certification body might be involved in, nor limited to specific types of illegal activities, it is considered that, besides those illegal activities that are directly associated with the scope of certification (whether accredited or not), other illegal activities which are deemed as bringing the certification body into disrepute can be taken into account by the certification body. Therefore, on the one hand, any engagement of the client with illegal activities undermining the validity of certification, sought or granted, can initiate suitable actions by the certification body such as rejection of an application or termination of a contract for certification. On the other hand, other types of illegal activities which are perceived as damaging the certification body’s reputation and could lead to actions such as the ones mentioned above should be clearly determined by the certification body itself and may be introduced more explicitly in the certification rules and/or the certification agreement.

Question 40.3 Verification/Validation activities within Product/Process/Service Scheme

ISO/IEC 17065 Clause 6.2.1 and 6.2.2.1 refer to requirements to be followed for internal or external resources where the scheme includes activities covered by other Conformity Assessment standards i.e. “… it shall meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. For testing, it shall meet the applicable requirements of ISO/IEC 17025; for inspection, it shall meet the applicable requirements of ISO/IEC 17020; and for management system auditing, it shall meet the applicable requirements of ISO/IEC 17021.”

Clearly ISO/IEC 17029 for Verification and Validation was published after publication of the current version of ISO/IEC 17065.

In the view of EACC members, can we apply the same principles for Validation and Verification i.e. where a scheme includes validation/verification elements the applicable requirements of ISO/IEC 17029 have to be met?

September 2020

While not agreed by 100% of attendees there was an overall consensus that it should be possible to treat ISO/IEC 17029 in the same way as the other standards referred to in this section of ISO/IEC 17065.

Note: following the meeting the same question was posed to the CASCO Maintenance Group, and the following response was received: “No consensus position was possible to provide an answer, one of the difficulties was that the question asked about the applicability of ISO/IEC 17065 to schemes rather than to certification bodies”.

Question 41.2 Regulation (EU) 305/2011 CPR Art 8 § 3, ISO/IEC 17065:2012 cl. 7.1.2

Question about implementing the judgement of the General Court (First Chamber) of 10 April T-229/17 regarding parallel markings alongside with the CE-marking.

Web link to T-229/17 CURIA – List of results (europa.eu)

How do you intend to apply it?

What can be assumed to be the main resistance to implementation?

March 2021

Harmonised standards, as published in the Official Journal of the European Union, shall be applied in the context of the Regulation (EU) No 305/2011. In this respect, the named harmonised standards of which specific parts have been excluded as referenced in the Commission Communication 2017/C 076/05 published in the Official Journal of the European Union on 10.03.2017 shall be applied as such. This requirement is derived from the Regulation and is binding for all concerned parties.

Question 41.9 Regulation (EU) 305/2011 CPR: 1090-x standard set

Construction products regulation CPR – Regulation(EU) No 305/2011

Issue: 1090-x standard set (1090-1 Execution of steel structures and aluminium structures – Part 1: Requirements for conformity assessment of structural components – harmonized; 1090-2, 1090-3, 1090-4, 1090-5: Technical requirements – non harmonized)

The CAB is an NB and performs certification according to EN 1090-1, and at the same time e.g. standard EN 1090-2 is in use too and the NB has to take it into consideration and assess the producer also according to those specific requirements. What would be good practice in describing the CAB’s scope of accreditation? Up to now, we have described the non-harmonized scope with EN 1090-2. In the meantime, we received information that EN 1090-2 is not a specification appropriate for AVCP 2+ or any AVCP system at all. So considering that information, we are interested in whether there is any NAB with similar experience to share and what would be good practice in describing the CAB/NB scope of accreditation in that case?

March 2021

It is not possible to certify under a non-harmonized standard, as it does not contain a ZA Annex (annex including all product characteristics with a template of the CE label).

The AB has accredited only 3 NoBos (among the 22 accredited for CPR) having EN 1090-1 in their scope; they have other standards in their scope, but these are all harmonized standards.

None has EN 1090-2, as it is not a harmonized standard.

Nevertheless, EN 1090-2 can be integrated in other certification schemes including other CE ones.

A sample scope definition for them is given below.

CPR(305/2011/EU)
Product Group or Product / usage purpose
Function / Technical Requirement
Structural metal products and auxiliary elements (2/4):
-construction materials made of structural metal: finished metal products
such as trusses, beams, columns, stairs, floor mounts, carrier poles and palplang (curtain).
Cut parts, rails, sleepers in appropriate sizes designed for specific applications.
These may be primed or not protected against corrosion, welded or non-welded.
(For use in foundations and building frames)
Decision: 98/214/EC

AVCP system: System 2+ TS EN 1090-1+A1

Question 41.10 Regulation (EU) 305/2011 CPR: 1090-x standard set

Construction products regulation CPR – Regulation(EU) No 305/2011

Issue: 1090-x standard set (1090-1 Execution of steel structures and aluminium structures – Part 1: Requirements for conformity assessment of structural components – harmonized; 1090-2, 1090-3, 1090-4, 1090-5: Technical requirements – non harmonized)

What does an accredited CAB issue on the certificate? Is it only steel structures and aluminium structures according to 1090-1? Or can it list 1090-2 next to 1090-1? Are there possibilities to issue a certificate with 1090-1 and an annex to the certificate where the CAB will state that the product is manufactured according to 1090-2?

March 2021

EN 1090 comprises five parts currently:

EN 1090-1: Requirements for conformity assessment for structural components (CE-Marking)
EN 1090-2: Technical requirements for the execution of steel structures
EN 1090-3: Technical requirements for the execution of aluminium structures
EN 1090-4: Execution of steel structures and aluminium structures; Technical requirements for cold-formed structural steel elements and cold-formed structures for roof, ceiling, floor and wall applications.
EN 1090-5: Execution of steel structures and aluminium structures; Technical requirements for cold-formed structural aluminium elements and cold-formed structures for roof, ceiling, floor and wall applications.

Since the subject of the question is CPR, then we should consider an accredited CAB and notified body as the same.

Since the valid issue year of EN 1090-1 is 2009 and the amendment year is 2011, it does not give any reference to part 4 (issue year 2018) and part 5 (issue year 2017). It gives reference only to part 2 and part 3 in the relevant clauses. The CPR harmonized standards list covers only EN 1090-1, not the other parts. That means the other parts are not harmonized.

However, in the GNB-CPD position paper from SG17 – EN 1090-1:2009 (NB-CPD/SG17/09/069), under clause 1.2, it is stated that “The certificate issued by the NB shall be definitive in terms of the scope and execution class of product types, the applicable standards, and the facilities covered.”

According to this requirement, the certificate shall include content similar to the examples below:

Example 1:
“Construction product: Structural components and kits for steel structures to EXC1 according to EN 1090-2
Confirmation: This certificate attests that all provisions concerning the assessment and verification of constancy of performance described in Annex ZA of the harmonized standard EN 1090-1:2009+A1:2011 under system 2+ are applied, and that the factory production control fulfills all the prescribed requirements stated therein.”

Example 2:
“Construction product: Structural components and kits for aluminum structures to EXC2 according to EN 1090-3
Confirmation: This certificate attests that all provisions concerning the assessment and verification of constancy of performance described in Annex ZA of the harmonized standard EN 1090-1:2009+A1:2011 under system 2+ are applied, and that the factory production control fulfills all the prescribed requirements stated therein.”

In GNB-CPR Position Paper: Issuance of certificates under CPR (NB-CPR/14-612r5) the certificate content is listed in between clause 2 a) and 2 n). The certificate models are:

Question 41.11 Assessing ISO/IEC 17020 & 17025 requirements for ISO/IEC 17065 (CPR)

How are applicable requirements for 17020 and 17025 assessed for witnessing of factory production control (Construction Products Regulation)? For example, for a manufacturer that has its own laboratory, which 17025 requirements are relevant and how do other ABs assess CBs’ follow-up of these requirements? Is participation in interlaboratory comparisons too much? How thoroughly/strictly should clauses 6.3/6.4/6.5 from 17025:2017 be assessed? Does the system make a difference in assessment, for example 1 vs 2?

March 2021

This issue was the subject of one of the strategic discussions of EA CC.

At least the following requirements of ISO/IEC 17025:2017 and/or ISO/IEC 17020:2012 should be concerned during AB witnesses whenever applicable by NB and the manufacturer:

ISO/IEC 17025:2017
6 Resource requirements
6.2 Personnel
6.3 Facilities and environmental conditions
6.4 Equipment
6.5 Metrological traceability

7 Process requirements
7.2 Selection, verification and validation of methods
7.3 Sampling
7.4 Handling of test or calibration items
7.5 Technical records
7.6 Evaluation of measurement uncertainty
7.7 Ensuring the validity of results
7.8 Reporting of results
7.8.1 General
7.8.2 Common requirements for reports (test, calibration or sampling)
7.8.3 Specific requirements for test reports
7.8.4 Specific requirements for calibration certificates
7.8.5 Reporting sampling – specific requirements
7.8.6 Reporting statements of conformity
7.8.7 Reporting opinions and interpretations
7.8.8 Amendments to reports
7.10 Nonconforming work
7.11 Control of data and information management

ISO/IEC 17020:2012
6 Resource requirements
6.1 Personnel
6.2 Facilities and equipment
6.3 Subcontracting
7 Process requirements
7.1 Inspection methods and procedures
7.2 Handling inspection items and samples
7.3 Inspection records
7.4 Inspection reports and inspection certificates

The system of AVCP (Assessment and Verification of Constancy of Performance) like 1, 1+, and 2+ makes a difference in terms of testing and inspection coverage.
According to CPR Regulation 305/2011:
1.1. System 1+ – Declaration of the performance of the essential characteristics of the construction product by the manufacturer on the basis of the following items:
(b) the notified product certification body shall issue the certificate of constancy of performance of the product on the basis of:
(i) determination of the product-type on the basis of type testing (including sampling), type calculation, tabulated values or descriptive documentation of the product;
(ii) initial inspection of the manufacturing plant and of factory production control;
(iii) continuous surveillance, assessment and evaluation of factory production control;
(iv) audit-testing of samples taken before placing the product on the market.
1.2. System 1 – Declaration of the performance of the essential characteristics of the construction product by the manufacturer on the basis of the following items:
(b) the notified product certification body shall issue the certificate of constancy of performance of the product on the basis of:
(i) determination of the product type on the basis of type testing (including sampling), type calculation, tabulated values or descriptive documentation of the product;
(ii) initial inspection of the manufacturing plant and of factory production control;
(iii) continuous surveillance, assessment and evaluation of factory production control.

1.3. System 2+ – Declaration of the performance of the essential characteristics of the construction product by the manufacturer on the basis of the following items:
(b) the notified production control certification body shall issue the certificate of conformity of the factory production control on the basis of:
(i) initial inspection of the manufacturing plant and of factory production control;
(ii) continuous surveillance, assessment and evaluation of factory production control.

The latest answer coming from HHC is given below:

Due to the nature of the question which is more a request for sharing practices with other ABs, the following response is the description of one practice without any assurance that it is the common practice of the majority of ABs.

As mentioned in EA 2/17:
For AVCP 2+ system, only the requirements of ISO/IEC 17020:2012 (6.1.2, 6.1.3, 6.1.6 up to 6.1.10) should be concerned during AB witnesses.
For AVCP 1 and 1+ systems, the same requirements of ISO/IEC 17020:2012 apply, added with the concerned requirements of ISO/IEC 17025:2017 (§§ 6 and 7 entirely except for § 7.9).

The expectations in terms of assessment of the CB’s competence should be the following:
As far as the requirements of ISO/IEC 17020:2012 are concerned, it is important for the AB’s assessor to observe the CB’s auditor answering the questions of the manufacturer, as it will provide a basis to appreciate clauses 6.1.2 and 6.1.3 in the matter of regulation knowledge of the auditor.

In the case of 1 and 1+ systems, with respect to the additional requirements related to ISO/IEC 17025:2017, it is important for the AB’s assessors to verify the metrological knowledge of the CB’s auditor via his/her capacity to explore a test/calibration report or to follow tests being carried out on site.

Question 41.13 Use of CE mark

Regulation 765 determines the use of the CE-mark. The CE-mark is intended to be used only by the producer, bringing a product onto the EU market.

Article 30
General principles of the CE marking
1. The CE marking shall be affixed only by the manufacturer or his authorised representative.
2. The CE marking as presented in Annex II shall be affixed only to products to which its affixing is provided for by specific Community harmonisation legislation, and shall not be affixed to any other product.

Since the requirements clearly specify “only by the manufacturer” and “only to products”, these requirements have been interpreted by RvA to mean that the logo should not be used in any other way, i.e. this includes the use on certificates. A CAB shall refer to the appropriate regulation on its certificate (as the requirements document), but it should not use the CE mark on its certificates.

When we observe this situation with accredited CAB’s, we raise a nonconformity against e.g. cl. 4.1.3.1 of ISO/IEC 17065, that for those observations, the certification body did not “exercise the control as specified by the certification scheme over … use and display of … marks of conformity…”

1) Is this approach generally supported?
2) We (and our CAB’s) have observed several certificates in the market with CE marking attached (accredited by various NAB’s). How should we proceed?

March 2021

It is confirmed that the CE mark should only be used by the manufacturer and only on the products to which it pertains. This means that:

  • The CE mark should not be used on the certificates issued by the CAB’s;
  • When instances are found that CAB’s do not comply with the above, NAB’s shall ensure that compliance to Article 30 is restored, e.g. by raising a nonconformity for this issue.

The NAB’s attention is requested for this matter.

Question 42.2 Criteria for NBs accepting assessment reports established by body without direct contractual relationship

Background explanation:

This question relates to the notified bodies (NoBos) in the railway sector according to Interoperability Directive (EU) 2016/797 (IOD). When these NoBos are notified based on accreditation then they have to comply with requirements from IOD chapter VI and EN ISO/IEC 17065 in conjunction with ERA Assessment Scheme 000MRA1044 Ver. 1.1 according to EA Resolution 2017 (40) 16 (sectorial certification scheme for NoBos).

According to section 2.1 of Annex IV of the IOD, the NoBos perform verification (evaluation and certification) by reference to technical specifications for interoperability (TSI). Some of these TSIs request the NoBos to accept safety assessment reports of an AsBo (CSM-RA assessment body as defined in Regulation (EU) No 402/2013) as part of the evaluation work.

Question:

The aim of this question is to clarify the requirements which shall be used by a NoBo to accept a safety assessment report of an AsBo in the case when requested by the applicable TSI.

To allow the NoBo to take responsibility for the results, which acceptance criteria shall be used by a NoBo to accept a safety assessment (inspection) report of an AsBo when requested by the applicable TSI as an input to the verification by reference to TSI?

September 2021

Applicable requirements:

EN ISO/IEC 17065, section 7.4.5 states: “The certification body shall only rely on evaluation results related to certification completed prior to the application for certification, where it takes responsibility for the results and satisfies itself that the body that performed the evaluation fulfils the requirements contained in 6.2.2 and those specified by the certification scheme.”

EN ISO/IEC 17065, section 6.2.2.1 states: “The certification body shall outsource evaluation activities only to bodies that meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. […]”

ERA Assessment scheme states in 6.2.2.1: “In case the CAB outsources inspection activities and QMS approval under its responsibility as NoBo, according to the module or modules chosen by the client, the outsourced bodies shall be accredited according to:

  • ISO/IEC 17020 type A as described in Point A.1 of Annex A if providing inspections,
  • ISO/IEC 17021 if providing QMS approval.”

Answer:

NB-Rail assumes that the NoBo shall evaluate that the following acceptance criteria are met:

Competence, Independence and Impartiality:

The AsBo shall be accredited or recognised for the relevant technical area (as defined in the “Classification” field of the ERADIS database) in relation to the relevant structural subsystem of the object under assessment.

Competence and Impartiality:

The requirement on competence and impartiality shall be deemed to be fully covered by the corresponding accreditation / recognition and by ad-hoc registration as AsBo in the ERADIS database (e.g. see TSI CCS section 3.2.1).

Independence:

There are two possibilities:

  1. The AsBo fulfils the same independence requirements as the NoBo via an accreditation / recognition for ISO 17020 type A. The AsBo safety assessment report shall be accepted by the NoBo as an inspection report part of the evaluation stage without additional checks on the criteria to be met by the AsBo assessment team.
  2. The AsBo is not fulfilling the same independence requirements as the NoBo, i.e. the AsBo is accredited / recognised according to ISO 17020 type B or C. To enable the NoBo to accept the AsBo safety assessment report as part of the EVALUATION stage the NoBo at least:
    1. shall be involved since the beginning of the design stage of the object under assessment according to IOD (EU) 2016/797 art. 15.3, and
    2. shall be allowed to verify if the AsBo assessment team meets for each project at project level the relevant independence requirements of ISO 17020 Annex A.1 (Type A).

Question 42.3 Participation of clients in the committees in charge of decision

In conformity with § 7.6.2 of ISO/IEC 17065, “the certification decision can be carried out by a group of persons [in regards with the requirements concerning committee in 5.1.4] that has not been involved in the process for evaluation”.

In the case of our example, this group is composed of the different interested parties including certified clients, to ensure a balanced representation of interests with regard to 5.1.4 of ISO/IEC 17065.

Nevertheless, clause 4.2.8 of ISO/IEC 17065 requires that “the personnel of separated legal entity [which produces the certified product] shall not be involved in (…) the certification decision.” In conclusion, clause 4.2.8 seems to contradict clause 7.6.2.

Shall we consider that the certification decision could not be taken by a committee? Or by a committee where certified clients are excluded, but then it would not be a balanced interest group?

September 2021

Relevant requirements of ISO/IEC 17065 are listed below:

7.6.2 The certification body shall assign at least one person to make the certification decision based on all information related to the evaluation, its review, and any other relevant information. The certification decision shall be carried out by a person or group of persons [e.g. a committee (see 5.1.4)] that has not been involved in the process for evaluation (see 7.4).

NOTE The review and the certification decision can be completed concurrently by the same person or group of persons.

5.1.4 The certification body shall have formal rules for the appointment, terms of reference and operation of any committees that are involved in the certification process (see Clause 7). Such committees shall be free from any commercial, financial and other pressures that might influence decisions. The certification body shall retain authority to appoint and withdraw members of such committees.

4.2.8 When the separate legal entity in 4.2.7 offers or produces the certified product (including products to be certified) or offers or provides consultancy (see 3.2), the certification body’s management personnel and personnel in the review and certification decision-making process shall not be involved in the activities of the separate legal entity. The personnel of the separate legal entity shall not be involved in the management of the certification body, the review, or the certification decision.

NOTE For the evaluation personnel, impartiality requirements are stipulated in Clause 6 and additional requirements are given in the other relevant International Standards cited in 6.2.1 and 6.2.2.1.

5.2 Mechanism for safeguarding impartiality

5.2.2 The mechanism shall be formally documented to ensure the following:

a) a balanced representation of significantly interested parties, such that no single interest predominates (internal or external personnel of the certification body are considered to be a single interest, and shall not predominate);

b) access to all the information necessary to enable it to fulfil all its functions.

Actually, there is no contradiction between 4.2.8 and 7.6.2 clauses of ISO/IEC 17065 in relation to the use of a committee/group of persons for decision making. Certification decisions can be taken by a committee and also there is no need for a balanced representation of interested parties in such a certification committee.

A balanced representation of interests or significant interested parties is requested only for the mechanism for safeguarding impartiality, not for any other committee or organs of CB.

Provided that the overall competence of the committee and its members’ impartiality are ensured (the members shall not be involved in the evaluation activity of a product subjected to be certified based on decision-making), the committee for decision making is possible.

And, it has to be pointed out that clients of the CB (or parties eligible for certification) cannot be part of such a committee since this would imply direct conflicts of interest and contradict 4.2.8 clause of ISO/IEC 17065.

Question 43.4 EA Policy for Accreditation of CBs Providing Certification of PDO, PGI and TSG

In July 2021, document EA-3/02 M – EA Policy for the Accreditation of Certification Bodies Providing Certification of PDO, PGI and TSG was initiated by the EACC. The document includes additional requirements for product certification bodies when they certify products protected by geographical indication.

The questions are:

– Are there any mechanisms at the EU level which will support bringing this policy into force?

– If products protected by GI are not certified by certification bodies accredited according to the indicated document, will they be refused placement on the EU market?

– What will be the approach for EA B members?

– After the adoption of this document, what is the plan for the transition period?

March 2022

The document gives direction on the formulation of accreditation scopes for PDO (Protected Designation of Origin) / PGI (Protected Geographical Indication) / TSG (Traditional Specialties Guaranteed) products based on categories and outlines details on the evaluation strategy for the accreditation; no action is expected from the EU to enforce the document.
EU regulations establishing the need for certification of these types of products are indicated in the document; compliance with the requirements established in the regulations for these products in the market depends on the governments of the member states.
The approach for EA B members will be the same as with other EA documents.
The transition period is not yet established, but probably it will be one year.

Question 43.9 ISO/IEC 17065 Cl. 5.2.1 Person Mechanism for Impartiality

ISO/IEC 17065 (5.2.1) requires a CB to have a mechanism for safeguarding its impartiality.

In addition

clause 5.2.2 The mechanism shall be formally documented to ensure the following:

a) a balanced representation of significantly interested parties, such that no single interest predominates (internal or external personnel of the certification body are considered to be a single interest, and shall not predominate).

clause 5.2.4 Although every interest cannot be represented in the mechanism, a certification body shall identify and invite significantly interested parties.

Taking into account the above requirements and specifically the need to ensure a balance of interest, is there any circumstance under which it would be acceptable for such a mechanism to be set up with only 1 person?

March 2022

It is quite unlikely that the mechanism for safeguarding impartiality is comprised of just one individual.

The CB shall identify and invite major interested parties in accordance with the requirements of 17065 (e.g. article 5.2.4) and shall not allow any party to be dominant in this mechanism. It also shall provide a balanced representation. Even though one individual has the power or authority to speak for a number of important interested parties, they are not allowed to do so. Other parties can be represented by different persons.

Question 44.6 ISO/IEC 17065 – Mechanism for safeguarding impartiality

“5.2.2 The mechanism shall be formally documented to ensure the following:

a) a balanced representation of significantly interested parties, such that no single interest predominates (internal or external personnel of the certification body are considered to be a single interest, and shall not predominate)”

According to that statement, can the internal personnel of the certification body have a vote in the decisions of the mechanism?

Is it possible to participate in the meetings with more than one participant of the certification body’s internal personnel (including members of top management) as an observer?

September 2022

According to §5.2.2 of ISO/IEC 17065, the certification body itself may be considered as an interested party and be represented by its internal or external personnel in the mechanism for safeguarding impartiality with voting rights. The representative(s) of the certification body is(are) considered a single interest and the principle of no predominating interested parties shall be observed.

It is allowed for more than one individual of the personnel of the certification body (including members of top management) to participate in the meetings as observers.

Question 44.10 Group certification under ISO/IEC 17065

There are more and more schemes that allow group certification, e.g. PEFC CoC (https://cdn.pefc.org/pefc.org/media/2020-02/66954288-f67f-4297-9912-5a62fcc50ddf/23621b7b-3a5d-55c9-be4d-4e6a5f61c789.pdf – par. 2.3 option b) and also other local (Dutch) schemes.

However, we also see schemes under the 17065 that do not lay down requirements for group certification. Group certification in our view is certification of a certificate holder including multiple independent companies (separate legal entities from the certificate holder) having no relation to each other. Only the relation with the certificate holder connects them together.

With the withdrawal of EA-6/04 M: 2011 EA Guidelines on the Accreditation of Certification of Primary Sector Products by Means of Sampling of Sites, no guidance or mandatory documents exist for this situation at all. Not for the primary sector but also not for other sectors.

  1. Does EA confirm that there are no requirements from the EN ISO/IEC 17065 on the certification body that directly apply to group certification besides the requirement to operate one or more certification scheme(s) (7.1.1 of 17065)?
  2. If a certification scheme has no mention of group certification as an option, is it possible for the CB to apply it anyway, or do the requirements have to be laid down in the scheme?
  3. Does EA confirm that, if group certification is allowed in a scheme, at least for the supporting management system scheme requirements, the relevant requirements of the EN ISO/IEC 17021-1 apply including the IAF MD 1 (multi site) requirements even if MD1 is not mentioned in the scheme?

September 2022

1- Yes, there is no specific requirement for applying for group certification in the standard.

2- No. Even if it is not clearly stated in the standard, as per EA-1/22, the requirements for group certification have to be laid out in the certification scheme, including specific requirements for the application of group certification.

3- Yes, IAF MD1 should be referenced in the scheme.

NB-Rail question – ILAC P15 does not apply to inspection activities performed by external personnel under ISO 17065

According to ISO 17065:2012 §6.2.2.1: “Note 2 The use of external personnel under contract is not outsourcing”.

According to ISO 17065:2012 §6.2.1: “When a certification body performs evaluation activities, either with its internal resources or with other resources under its direct control, it shall meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. For testing, it shall meet the applicable requirements of ISO/IEC 17025; for inspection, it shall meet the applicable requirements of ISO/IEC 17020; and for management system auditing, it shall meet the applicable requirements of ISO/IEC 17021. The impartiality requirements of the evaluation personnel stipulated in the relevant standard shall always be applicable.”

Question:

When performing inspection activities by using external personnel under contract, shall the certification body apply the requirements on independence of ISO/IEC 17020 (and applicable guidance such as ILAC P15) or only those of ISO/IEC 17065 and its associated schemes?

Note: It is understood that the requirements on independence and impartiality are to be regarded as different aspects within the standards ISO/IEC 17020 and also in ISO/IEC 17065.

March 2023

When performing inspection operations under contract with external personnel, the certifying body shall apply independence requirements of ISO/IEC 17065 rather than ISO/IEC 17020.

This statement is based on the six-eyes principle (evaluation (in this case: inspection), review, and decision-making), which does not apply to inspection bodies. Furthermore, clause 6.2.1 only applies to the impartiality criteria of the applicable standard (17020), not the independence requirements.

In fact, although the concepts of impartiality and independence appear to be intertwined in many standards, they are handled somewhat differently in ISO/IEC 17020. Therefore, impartiality requirements shall be taken into account, not the independence requirements (especially given in clause 4.1.6) according to ISO/IEC 17020.

As a result, when the certification body performs inspection activities under contract with external personnel, the corresponding documentation providing information on the implementation of ISO/IEC 17020 (e.g. ILAC P15) shall not be considered; only those of ISO/IEC 17065 (e.g. clause 6.1.3 a)) and its associated schemes shall be considered.

Question 44.11 Maintenance of certification

ISO 17021-1 clause 9.6.1 allows the possibility of maintenance of certification based on a positive conclusion by the audit team leader.

ISO 17065 does not mention such a possibility, but does not disallow it either. And clause 7.9.2 hints that there is a possibility that a decision following surveillance is not necessarily a requirement:

“7.9.2 When surveillance utilizes evaluation, review or a certification decision, the requirements in 7.4, 7.5 or 7.6, respectively, shall be fulfilled.”

So, for product certification where there is a significant QMS element (such as, for example, FPC audits under the construction products regulation), is the CB allowed to maintain certification without an independent review/decision?

September 2022

This question can be answered in 3 different ways, depending on its grounds:

i) If surveillance is defined in the certification scheme and this activity includes review and decision, then review and/or decision-making processes shall be carried out in accordance with ISO/IEC 17065.

or
ii) If the certification scheme envisages surveillance but does not include review and decision as part of surveillance, then review or decision processes may not be carried out. Indeed, ISO/IEC 17000:2020 clause A.5.6 states: “In many cases, no special action is taken if the statement continues to be valid.”

or
iii) Concerning certification schemes given in ISO/IEC 17067 Table 1,

  • If the scheme covers MS audits, like types 5 and 6, then the CB can follow requirement 9.6.1 of ISO/IEC 17021-1,
  • If the scheme does not cover MS audits, like types 2, 3, and 4, then the CB shall facilitate review and/or decision process.

Question 46.1 CPR EN 1090 audit expectations

The Construction Products Regulation (CPR), EU No 305/2011, under System 2+, requires:

The notified production control certification body shall issue the certificate of conformity of the factory production control on the basis of:

  • (i) initial inspection of the manufacturing plant and of factory production control;
  • (ii) continuous surveillance, assessment and evaluation of factory production control.

This question relates specifically to EN 1090 (Requirements for conformity assessment of structural steel and aluminium components), but it could apply in other areas.

It is understood that a steel fabricator must be certified in accordance with EN 1090 in order to be able to make a declaration of performance (DoP) and apply the CE marking to the construction product.

It is further understood that such certification involves audit of the fabricator’s factory production control (FPC) system (not the construction product, not the DoP, not the CE Marking – see clause 4.2 of NB-CPR/15/568r8).

There are cases where small manufacturers might not always fabricate a construction product, and therefore might not, on the day of the audit of their FPC, have a construction product to demonstrate to the auditor.

It is noted that the Group of Notified Bodies Approved Guidance on EN 1090-1:2009+A1:2011 – Certification of FPC of steel and aluminium structural components (NB-CPD/SG17/09/069r3), issued on 18 November 2016, states: “During the initial inspection and/or continuing surveillance NBs should review the scope of the portfolio of DoPs that the manufacturer has issued or plans to issue. The NB should then ensure that the processes covered by the FPC (which the NB is being asked to certify) are consistent with the scope of the portfolio of DoPs, and that the manufacturer has undertaken suitable ITT to support its DoPs.”

The notified body is not certifying the product; it is certifying that the manufacturer’s FPC is capable of producing construction products that meet defined requirements.

Therefore, the question is:

Is it acceptable for a notified body under the CPR to certify a manufacturer’s FPC system (AVCP 2+ for EN 1090) based on review of the manufacturer’s documentation and records, as well as the fabricator demonstrating the effectiveness of its FPC system by applying the same processes to a similar product that is not intended to be a construction product?

It is understood, of course, that the manufacturer cannot apply the CE marking to such a product.

September 2023

The answer is YES, provided that the producer can present the DoP and ITT register, established on the basis of the same FPC at the time of the most recent production.

It will be the task of NoBo’s auditor to compare what he/she sees on the day of the audit in terms of FPC elaboration and the values present in the register for the most recent production performed before the audit.

As a matter of fact, the objective of a system 2+ audit is to ensure that equipment is present and operated in a way that allows for conformance with the criteria certified and announced in the DoP.

As a prerequisite, the NoBo’s auditor shall be particularly cautious with the demonstrated processes at the time of the audit and shall confirm that the audited processes (applied for a similar product not intended to be marketed as a construction product) fully correspond to the processes regularly applied by the manufacturer for the delivery of the product that bears the CE marking.

This means that, where the above conditions are not fulfilled (e.g. new entrants), this is not accepted.

Question 46.3 Remote assessment conducted by Notified Bodies

Is it possible for a Notified Body to perform an initial or surveillance certification audit remotely regarding the Modules based on quality assurance (such as D1 module of 2019/1009 EU Regulation)? If possible, does the decision of the detailed rules belong to the competence of the relevant notified body forum, which rules necessary to make in order to conduct remote audit?

September 2023

According to Regulation (EU) 2019/1009, the application of the conformity assessment procedure established under Module D1—Quality Assurance of the Production Process—by the NoBo shall include an assessment visit to the manufacturer’s premises as an integral part of the audit (Annex IV, Part II, Module D1, §5.3.3). For surveillance purposes, the NoBo shall be allowed to access the manufacture, inspection, testing, and storage sites of the manufacturer (Annex IV, Part II, Module D1, §6.2). Moreover, unexpected visits may be paid to the manufacturer by the NoBo (Annex IV, Part II, Module D1, §6.4).

Within the context of the Regulation, the NoBo is required to visit the manufacturer’s premises. Thus, the audits, either initial or surveillance, shall be carried out in the physical presence of the NoBo’s auditor(s).

Any deviation from these requirements should be agreed with the European Commission.

Furthermore, according to EA-2/17, Accreditation for module D1 requires the application of EN ISO/IEC 17065 + qa requirements.

qa requirements are: Ability to assess and approve manufacturer’s quality systems where required. To this end, fulfilment of clauses 7.1.1, 7.1.2, 7.2.4, 7.2.5, 7.2.8, 7.2.10 and 9.1 to 9.4 and 9.6 in EN ISO/IEC 17021-1:2015 shall be demonstrated.

§ 9.3 and § 9.6 of EN ISO/IEC 17021-1 require on-site audits.

Question 46.8 Umbrella Certification (group certification) under EN ISO/IEC 17065

The following situation is the case:

A group of independent companies is brought together for the purpose of multi-site product certification (in schemes often called “umbrella” or “group” certification). The scheme includes requirements for a supporting management system and refers to IAF MD 1 for “umbrella” or “group” certification purposes.

Given the answer on Question 44.10 where it is confirmed that:

  • for group certification (or certification under an umbrella of one organization) there are no requirements given in EN ISO/IEC 17065;
  • requirements for certification under an umbrella of one organization must be laid down in a scheme to make this possible;
  • for the requirements for the supporting management system, IAF MD 1 must be referenced in the scheme.

Given the text as mentioned in IAF MD 1:2023 (1. scope):

This document shall not be used for situations where independent organizations are collected together by another independent organization (e.g. consulting company or an artificial organization) under the umbrella of a single management system.

Does the EA CC agree that so-called umbrella or group certification is not possible for independent companies or organizations that have no link other than being brought together for the purpose of umbrella or group/multi-site certification for product certification (not only management system certification) if a scheme includes management system requirements and IAF MD 1 is applicable/referred to in the scheme?

September 2023

Yes, EA CC agrees. To be consistent with the answer to question 44.10 and the requirements of IAF MD 1, umbrella and group certification of such organizations is not eligible.

Question 47.3 Content of a certificate if a scheme has the option of choosing modules

Some schemes have a structure where there is a base set of requirements that all certificate holders need to comply with, and an additional set of requirements for which the certificate holder can choose which ones it complies with, either by choosing a specific theme/module or by scoring enough “points” to qualify for the certificate.

Just stating that the product complies with (all) the requirements of the scheme does not provide the user of the certificate with information about the actual requirements a specific certificate refers to and complies with.

  • Does the certificate have to specify to which requirements the certificate is issued in such a case?
  • Does the certification scheme need to clearly identify these levels in themes/modules to enable a specific certificate?

March 2024

Given that the “certification scheme” consists of a core set of requirements and several sets of additional requirements which are available to the applicant to select from, it seems that each combination of core plus additional requirements constitutes a separate and distinct certification scheme (refer to §3.9 of ISO/IEC 17065 or more generally to §4.9 of ISO/IEC 17000).

To this end, the scheme owner shall clearly distinguish the individual sets of additional requirements (or so-called sub-schemes), thus allowing for an explicit reference to the core plus specific additional requirements to be made on the certificate.

  • YES, the certificate must specify to which requirements the certificate is issued in such a case.
  • YES, the certification scheme needs to clearly identify these levels in themes/modules to enable a specific certificate.

Question 48.11 ISO/IEC 17021-1 § 5.2.6 & ISO/IEC 17065 § 4.2.6.e

Currently, CBs are allowed to perform a preliminary audit for a given standard or CAS, i.e. an audit performed before any step of certification to evaluate the state of preparedness of a future client to fulfil the requirements of this given standard or CAS, with conditions to accept this practice (only once per client, only gap analysis, no reduction of time of the subsequent audit).

The standards ISO/IEC 17021-1 or 17065 do not refer to blank audit and we did not find any IAF or EACC decision on this matter.

It is now questioned to extend this possibility of preliminary audit for the revision of a standard or CAS, i.e., during the transition period, the client being already certified by the CB for the previous version of the standard or CAS.

However, this could be considered as a threat for impartiality.

The rationale is as follows: a transition preliminary audit is necessarily performed at a CB’s client (the client is certified for the previous standard/CAS), so it is considered as an internal audit, and both ISO/IEC 17021-1 (5.2.6) and ISO 17065 (4.2.6.e) forbid the performance of internal audit.

Question 1: shall a transition preliminary audit be considered as an internal audit?

Question 2: If the answer to Q1 is no, does it mean that it is acceptable that accredited CBs realize preliminary audits (which are not in the certification process) for their certified clients, to check if they are ready to be audited for the new version of a standard or CAS, when they are certified to the previous version? Are there conditions to have this practice acceptable?

Considering the global subject, we have an additional question referring to the performance of a preliminary audit itself.

Question 3: is preliminary audit in general acceptable? If no, what would be the standard requirement to refer to?

Are any ABs accepting it?

September 2024

It should be noted that the IAF consensus position is related to MS certification, not to product certification.

Answer 1: NO, by definition, a transition preliminary audit is not an internal audit (first party audit).

Answer 2: YES

Refer to IAF decisions number 10/03/08 and 19/04/01

– 10/03/08 Certification audit process, stage 1 and stage 2

There was consensus in IAF TC

  • that more than one stage 1 audit is possible with proper justification
  • that pre-audits prior to stage 1 are acceptable as long as impartiality is not compromised, but not appropriate between stage 1 and stage 2
  • Pre-audits prior to transition/ migration is acceptable

– 19/04/01 Pre-Audit

Additional note to TC Decision 10/03/08 “Pre-audits prior to transition/ migration is acceptable.”

Answer 3: YES, refer to TC decision.

As a general statement it is confirmed that pre-audit cannot be used as a stage 1 audit.

The additional risk to impartiality shall be considered in the CAB’s risk assessment.

For product certification, further considerations may be relevant, e.g. information given in EA-2/20, as well as scheme requirements.

Question 48.14 Management of CB’s impartiality (EVS-EN ISO/IEC 17065:2012, p. 4.2.6)

It is understandable that, according to EVS-EN ISO/IEC 17065:2012 p. 4.2.6 a)-d), the CB shall not offer the design, manufacturing etc. and consultation regarding the product to be certified by the CB.

Regarding p. 4.2.6 d), we would like to clarify whether the CB can offer consultation to its client when the offered consultation is related to a completely different field, which is not related to the product to be certified.

In other words, can the CB offer consultations to its client in areas in which they do not certify?

September 2024

YES

In the context of ISO/IEC 17065, consultancy is defined as participation in the designing, manufacturing, installing, maintaining or distributing of a certified product / process / service or a product / process / service to be certified (see ISO/IEC 17065, §3.2). According to ISO/IEC 17065, §4.2.6 d), the CB shall refrain from offering or providing consultancy as defined in §3.2 to its clients. Moreover, the CB shall not offer or provide management system consultancy or internal auditing to its clients where the certification scheme requires the evaluation of the client’s management system, as outlined in ISO/IEC 17065, §4.2.6 e).

Other types of consultancy activities or consultancy to its client in areas which they do not certify are not strictly prohibited; however, any activities of the CB other than certification activities shall be subject to evaluation of the associated risks to impartiality and of the potential occurrence of conflicts of interest.

Question 48.15 ISO/IEC 17065 – Evaluation activities with external resources – clauses 6.2.2 / 7.4.

A Certification Body (x) makes use of an ISO/IEC 17025 accredited laboratory (y) as an external resource (§6.2.2) for a part of the evaluation activities. The external laboratory is impartial with regards to the clients/products it evaluates and complies with the relevant clauses of ISO/IEC 17025.

A person is under contract with both CB (x) and accredited laboratory (y).

This person performs the review and authorization of the results at the accredited laboratory (ISO/IEC 17025, § 7.8.1.1) while also being the person performing evaluation tasks as an internal resource (§6.2.1) for the CB (x) using the test reports issued by laboratory (y).

The review/decision are performed by a different person, not involved in the evaluation activities.

Question: Is this an acceptable practice? Can this situation be acceptable, as this would also be allowed with a laboratory that was an internal resource?

September 2024

YES

The situation described, i.e. the same person performing evaluation tasks on behalf of a laboratory (“performs the review and authorization of the results”) and on behalf of the CB (performing evaluation tasks) is not a situation that involves this person, either directly or through any other employer (the laboratory in this case) in such a way that the credibility of the results could be compromised.

Question 48.17 ISO/IEC 17065 – Closing NCs before certification decision

Background:

A certification scheme based on ISO/IEC 17065 has been created to assure the responsible supply of marine ingredients, and the review is initially focusing on the scheme owner’s Chain of Custody standard. The object of conformity assessment is a process; the process of ensuring satisfactory systems for product identification, traceability, and segregation. Product quality is not considered in this standard; that will follow in future submissions from the scheme owner if this review is successful.

To do a proper audit of the process, the auditor must do a walk-through of the facility and observe the processes employed to ensure proper identification and segregation of product. Interviews with personnel will be necessary to confirm that the processes are properly managed, and documents will have to be reviewed to ensure satisfactory traceability.

As the chain of custody audits have some management systems elements, there are several clauses of ISO/IEC 17021‑1 that are applicable (as per ISO/IEC 17065 clause 6.2.1, prompted also by clause 3.1.7 bullet 5 in EA-1/22).

One feature of this scheme is that a minor NC is only raised where, ‘based on objective evidence the conformity of the product is not in doubt.’

In this case, as the NC could only relate to a management system element of the scheme, the scheme owner considers that clause 9.4.9 of ISO/IEC 17021-1 applies:

9.4.9 Cause analysis of nonconformities

The certification body shall require the client to analyse the cause and describe the specific correction and corrective actions taken, or planned to be taken, to eliminate detected nonconformities, within a defined time.

So the scheme allows for the possibility that a certification decision can be taken based on a corrective action plan for minor NCs.

It could be considered that, for this particular scheme, the approach from the scheme owner is satisfactory.

However, it could also be considered that in ISO/IEC 17065, only conformity or nonconformity is possible, and that all nonconformities must be solved before decision.

Question

Is the scheme owner’s approach, as described above, acceptable?

Factors which may influence the deliberations

In an ISO/IEC 17065 scheme accepted by EA, not all requirements must be met before decision. Producers only need to attain 95% Minor Must compliance to achieve Integrated Farm Assurance certification.

September 2024

Context:

An EA CC TFG dedicated to this issue concluded in March 2023 that the following points are important to be considered:

  • 4.7 requires the verification that nonconformities have been corrected.
      • Which verification could be acceptable: on site, remote, documentary review? There might be some adjustment of the verification method, based on the risk posed by the NC on the product conformity. This shall be established in the certification scheme.
      • What is to be verified: the correction, the corrective action plan (to be set but not yet implemented)? This shall be established in the certification scheme.
  • Is it possible to have a distinction between certification requirements (which must be fulfilled before certification decision) and other additional/supporting minor requirements which could be fulfilled after the certification decision? These additional requirements shall be identified in the certification scheme and the certificate should be fully transparent and unambiguous on which additional requirements were fulfilled and which were not fulfilled when the certification decision was made. These provisions shall be established in the certification scheme.

Nevertheless, the situation is here, and already exists for different schemes (such as food safety, organic, CE marking…).

Some preliminary remarks attached to the question:

  • Introducing the fact that the scheme bears some management requirements as a rationale to accept minor NCs and their “17021-like” way of treatment was not considered as appropriate by the TF, as some of the management requirements have a potential effect on the conformity of the product and this approach jeopardizes the intent of a product certification, which is delivering the assurance that a product continuously meets the product requirements.
  • Another remark is that the question is inappropriately mixing process and product: as the object of conformity assessment is a process (the process of ensuring satisfactory systems for product identification, traceability, and segregation), the feature of this scheme, that “a minor NC is only raised where, ‘based on objective evidence the conformity of the product is not in doubt’”, is misleading; it should be “a minor NC is only raised where, ‘based on objective evidence the conformity of the process is not in doubt’”. There is no consistency between a process certification and the fact that a minor NC does not affect the product.

Based on above, the answer is:

YES, the scheme owner’s approach could be acceptable provided that the conformity assessment scheme establishes:

  • which findings are to be considered as NC (i.e. compromising, in the sense of ISO/IEC 17065, the conformity of the product, process or service) and what are the other types of findings (no matter the wording used)
  • the type of objective evidence expected to demonstrate that the conformity of the product (when the scheme is a product certification) or the process (when the scheme is a process certification) or the service (when the scheme is a service certification) is not in doubt
  • what is to be verified before decision, for all kinds of findings, correction or corrective action plan (to be set but not yet implemented at the time of certification decision)
  • that the CB shall receive answers for every finding describing the specific correction and corrective actions taken, or planned to be taken, examines these answers and considers them as relevant before granting certification, and follows the delay of implementation of corrective action planned to be taken.

Question 48.18 Claims on EN ISO/IEC 17065 accredited (food/feed) certificates

European Union (EU) legislation provides for a set of harmonised rules to ensure that food and feed are safe and wholesome, and that activities which might have an impact on the safety of the agri-food chain or on the protection of consumers’ interests in relation to food and food information are performed in accordance with specific requirements.

EU legislation on organic production and labelling of organic products provides a basis for the sustainable development of organic production.

EU legislation on agricultural quality schemes for agricultural products and foodstuffs identifies products and foodstuffs farmed and produced to exact specifications whilst encouraging diverse agricultural production, protecting product names and informing consumers about the specific character of agricultural products and foodstuffs.

EU agri-food chain legislation is based on the principle that operators at all the stages of production, processing and distribution which are under their control are responsible for ensuring compliance with the requirements relevant to their activities established by Union agri-food chain legislation.

Verification of compliance of EU agri-food chain legislation lies with Member States, whose competent authorities monitor and verify, through the organisation of official controls, that relevant Union requirements are effectively complied with and enforced. Competent authorities may delegate certain official control tasks to one or more delegated bodies, such delegation shall comply with specific conditions.

For all of the above, the inclusion of mentions related with EU legislation in an accredited certificate issued by a private certification body certifying a private scheme, not related with EU legislation, can mislead and convey a false impression. Furthermore, the private scheme could be a process certification, and not a product certification; the certification body has checked only the private scheme requirements; the operator could have only a part of the production marked under EU legislation, while the private scheme covers the whole production. On the other hand, the operator could have its certificate issued under EU legislation by the delegated body suspended or withdrawn.

The clarification/resolution should not be limited to food and feed sectors and in particular areas of European regulations.

In any field, in fact, cross-references outside the scope of a scheme are misleading, and the truthfulness of the information may not be verified because it is not part of the certification program. By accepting this condition, an increase in these situations may occur with many references to other schemes not relevant to that specific certification program.

Is it allowed to include a claim in a certificate that relates to conformity assessment requirements which are not included and may not be verified because it is not part of the certification program concerned by the certificate?

September 2024

Including a claim in a certificate that relates to conformity assessment requirements which are not included in the certification programme concerned by the certificate is not allowed, as this is misleading on the accredited certificate (refer to EN ISO/IEC 17065, 3.10 & 7.7.1).

Answer to the question is NO.

The description of the scope of certification (ISO/IEC 17065, §3.10) in the certification documentation pursuant to ISO/IEC 17065, §7.7.1 d), shall be relevant and consistent with the certification scheme’s requirements against which evaluation activities have been applied and certification has been granted. The inclusion of references / claims to the scope of certification which are not subject of the applicable certification scheme and therefore not covered by the CB’s evaluation activities cannot be allowed.

Other question Application of EA-3/12 M:2022 in NABs from third countries accrediting CBs for organic agricultural processes

We are seeking clarification on the accreditation of certification bodies for organic agriculture processes in third countries that are not EU members but are signatories to the Mutual Recognition Agreement (MLA) in the European Accreditation (EA) system.

As an EA MLA signatory for the accreditation scheme for organic production process according to ISO/IEC 17065, we are fully obliged to follow all mandatory documents from EA, but we have some issues implementing the particular EA mandatory document EA-3/12. The reason is that we are not in the position to follow Regulations (because we are not an EU Member State) but we are obliged to fulfill requirements from all mandatory documents from EA and IAF as well.

The CBs are accredited by our NAB according to our national legislation. They are not recognized; they are authorized according to national law on organic products, and with our accreditation operate only in our country.

It has come to our attention that there are restrictions on assessing compliance with the new regulations (EA-3/12 M). Could you please provide more information on how accreditation processes should be conducted in these specific cases?

September 2024

In the purpose of EA-3/12 (first page), it is indicated “according to regulation (EU) 2018/848”.

This means that the scope of the document is limited to this specific regulation.

An EA MLA signatory accreditation body only has to implement the EA requirements if the defined scope of the EA document is relevant. If this is not the case, then the document is not applicable, and the accreditation process can be decided by your NAB and does not have to be in compliance with EA-3/12.

Questions relating to ISO/IEC 17024 – Certification of Persons

Question 32.0 restriction

The situation concerns invoicing of an initial certification which can in the same CB follow 2 different routes :

  • Registration directly to the CAB: payment of fees for initial and 1st surveillance in one go
  • Registration via a training body (with which the CBs has an agreement): payment of fees in 2 steps part before the initial examination, the other part before the 1st surveillance
  • The total amount of fees is the same in both cases

One possible interpretation of the case is that these provisions are not acceptable regarding § 4.3.3 and 4.3.4 as they lead to 2 different treatments of the certified person :

  • In the first case, the applicant has to pay for the whole process no matter whether he/she succeeds in the certification or continues to work after the certification
  • in the second case, under the same circumstances, the applicant will have paid only a part.

The CB argues that:

  • Conformity to § 4.3.3: from the definition of fairness (3.16 fairness: equal opportunity for success provided to each candidate (3.14) in the certification process (3.1)), the CB argues that the difference of invoicing does not affect the opportunity of success
  • Conformity to § 4.3.4: the CB argues that
      • The price is the same for all applicants
      • The fact that there are 2 steps of invoicing is due to the fact that part of the initial exam can be included in some training financial support (which exists in some cases for helping working persons to go on professional training)
      • Each applicant is informed of this possibility and can apply through a training body

The question, then, is which of the 2 interpretations above is acceptable regarding § 4.3.3 and § 4.3.4 of the standard.

September 2016

ISO/IEC 17024 states :

4.3.3 : Policies and procedures for certification of persons shall be fair among all applicants, candidates and certified persons.

4.3.4 : Certification shall not be restricted on the grounds of undue financial or other limiting conditions, such as membership of an association or group. The certification body shall not use procedures to unfairly impede or inhibit access by applicants and candidates.

There is no apparent breach of clauses 4.3.3 (the opportunities to be certified are the same by either of the two ways) or 4.3.4 (access is not restricted or limited arbitrarily (unfairly) to a candidate to the detriment of another), as long as both options are available to all and the relationship between the CB and the training organisations meets all other requirements of the standard.

Question 33.18 publicly available information

According to ISO 17024 cl 7.2.2 and 7.2.3, the only information that shall be publicly available without request is that regarding the “scope” of the scheme (cl 8.2. a)), a general description of the certification process and the prerequisites (cl 8.2. e)).
Please give us your opinion (agreement or not with and if not, details for justification) on the following:

a) the previous paragraph,

b) that the standard clearly excludes the required “competencies” of the person (cl 8.2 c) be publicly available without request, and

c) Upon request, both the “competencies” (cl 8.2 c) and the “job description” (cl 8.2 b) shall be provided (this does not exclude the right of the scheme owner to be paid for that information; please note that this is the case of the Standardization Bodies).

March 2017

As a preliminary, the standard has 3 different levels of diffusion regarding information :

  • The one without request (4.3.1, 7.2.2, 7.2.3, 9.2.2, 9.8.3, 9.9.2) to anyone
  • The one upon request i.e. to anyone requesting
  • The one for applicants (9.1.1) : this is also upon request (through the application)

a. Not in agreement: we do not interpret the clauses like this: the minimum mandatory publicly available information is 8.2.a) and 8.2.e). This doesn’t prevent CBs from having other publicly available information if they wish to do so.

b. Not in agreement (from answer to a))

c. Partial agreement: as per §9.1.1, the CB shall make available “the requirements for certification and its scope”. The “requirements for certification” of 9.1.1 are considered to be equal to the “c) required competence;” of 8.2.c. Nevertheless, it is not mandatory to give the 8.2.b, even upon request.

Question 35.4 Welder Qualification EN ISO 9606

Criterion 6.3 (EN ISO 9606-1: 2014) Welding conditions states “The welding qualifier tests must be performed using pWPS or WPS prepared according to EN ISO 15609-1 or EN ISO 15609-2.”

Criterion 10 (EN ISO 9606-1: 2014) The welder certificate contains the text “… The recommended format is in Annex A. It shall contain all the particulars listed in Annex A.” And annex A requires “WPS – Reference:” without any note or explanation.

1) Is it necessary to always state the WPS reference on the personal certificate?

I.e. : WPS has to be used for welder test or where pWPS was used for the test: at the time of certificate issuing, there must exist WPS which was verified with WPQR and which was identical to pWPS used for the test.

2) Is the personal certificate, where only pWPS is stated, acceptable?

3) In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate declaring that the test was performed using WPS?

4) Is it acceptable for only the number, e.g. “192”, to be written on the certificate in the part “WPS reference” without stating that it is a pWPS and not a WPS?

5) In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate where the part “WPS reference” is replaced with “pWPS/WPS reference” and it is not clarified which document version was used for the test?

6) Is such a situation at a factory in line with special technical standards in the field of welding? A welding supervisor (in a company which has a certified management system according to ISO 9001 and ISO 3834-x) accepts a personal certificate based on pWPS/WPS from a different location (e.g. issued by an accredited certification body for personnel, where test/conditions are not the same as in the company) without any additional activity/measures?

March 2018

EWF (European Welding Federation) was consulted on this question and replied as follows:

  1. As stated in clause 6.3, a WPS or a pWPS can be used. A certificate can be issued solely based on a pWPS or on a WPS.
  2. Yes.
  3. No. If a pWPS was used, that pWPS has to be referenced, not a WPS.
  4. If the WPS or pWPS is referenced in the certificate, the correct reference has to be written to guarantee the traceability. Annex A is informative, but all information within the annex is mandatory to present. How to present it is not mandatory but our opinion is that in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable).
  5. If the test was done according to a specific pWPS, that pWPS has to be traceable to the test. If the pWPS is referenced in the certificate, the reference might not contain details of which type it is, but in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable). The identification code of a WPS or pWPS used on the welder certificate must be traceable to the test records.
  6. If the certificate is valid, yes. ISO 9606-1 states all the conditions to perform the tests (minimum dimensions, tests to perform, etc.), and also allows to use a pWPS or WPS. So there could be differences on the dimensions of the test pieces used, different tests used, etc. But all these are permitted by the standard since all minimum test conditions are guaranteed, and for that reason the certificate remains valid. It is up to the company to accept it, or ask for further tests.

Question 36.6 Scheme Owners

Scheme owner, who is not a Certification body, manages scheme and all tests.

Scheme for personnel certification is structured on computer-based examination where results and score of theoretical knowledge is checked by IT system.

Scheme does not contain any practical or oral tasks.

Does it mean that the CB is not obliged to have examiners and implement ISO/IEC 17024:2012 6.2.2?

Please share ABs’ experience of assessing CBs (ISO/IEC 17024) with e-assessment.

September 2018

AI or computer-based systems will have to be accepted in the short term.

Those systems are created by individuals, the designers, and therefore these persons have a role, and that of the examiner to that extent. By this, the examiner is not completely out of the picture. Instead, as the designer, he/she is validating the system for the examination.

Examination covers preparation of the questions and answers; it is the full mechanism, which involves the competencies of the examiner at some point even if, at the exam stage, the examiner is not present.

Conclusion

At the end we do not need an examiner provided that examiners are involved in the design of the process at the validation stage in particular.

The CB does not need to have examiners, but examiners are needed at the validation stage.

Question 38.7 ISO/IEC 17024 cl.9.4.8.e) & EN ISO 9606-1:2017 cl.9.1-2

According to ISO/IEC 17024 clause 9.4.8.e) “The certificates shall contain the scope of the certification including, if applicable, validity conditions and limitations”.

According to EN ISO 9606-1: 2017 clause 9.1 “The welder’s certificate needs to be confirmed every 6 months otherwise the certificate(s) become(s) invalid.” and clause 9.2 “The qualifications of a welder for a process shall be confirmed every 6 months by the person responsible for welding activities or examiner/examining body. This is confirming that the welder has worked within the range of qualification and extends the validity of the qualification for a further 6-month period.”

There are two different opinions determined among our assessors while interpreting EN ISO 9606-1: 2017 clause 9.1 and 9.2.

One group claims that “The CAB must confirm welder’s certificate/qualification of a welder by conducting surveillance activity every 6 months.”

The other group claims that “The confirmation of qualification of a welder does not have to be performed by the CAB. Employer can also perform the confirmation of qualification of a welder.” However, this should be specified in the certificate prepared by CAB under ISO/IEC 17024 clause 9.4.8.

  • What is the implementation of this issue in your country?
  • Is it the responsibility of the CAB or the employer to confirm the welder’s certificate every 6 months?

September 2019

It is the responsibility of the employer to validate welder qualifications, any scheme based on ISO 9606-1 should identify these validation activities and the activities to be carried out by the Certification Body/Notified Body, if any. ABs should only accept schemes for accreditation where such responsibilities are clearly stated.

Note: Set up an EA CC TF (including at least EWF), to clarify if the wording in ISO 9606-1 is sufficiently clear to be used in ISO 17024 accredited certification.

ISO 9606-1 contains not only competence criteria for welders and examination contents and arrangements but also elements typical of the owner’s certification scheme, like initial validity, confirmation, revalidation etc.

For some of these steps (validity process) third party certification is used, but for others alternatives are given (cl. 9.2. “by the person responsible for welding’s activities or by the certification body”) or there are even requirements for the employer of the persons (cl. 9.3 c) ii) and iii)) that logically have nothing to do with third party certification and are out of the range of the accreditation.

It should be noted that a TFG is now underway at the EA CC to identify aspects of this standard that might be not in line with third party certification ISO 17024.

Question 38.10 Certification of persons

Examination center would like to apply for accreditation as Persons Certification Body with a wide range of scope (for a very colorful list of different professions).

Shall we cover the full scale (each item) of the scope with witness assessments during the initial accreditation?

September 2019

Witnessing as an assessment technique is always based on sampling regarding the applied scope. There are other ways of confirming competence that can also be used.

In certification of persons, it seems to be more adequate to set up the sampling at the level of certification scheme more than at the level of categories of persons. If all those categories are within the same rules for certification and examination – the same scheme – the sampling may be done at the categories of persons level.

Question 38.15

A person certification body, according to national legislation, performs the certification of land surveyors. The same person certification body also offers a service to perform land survey works by itself. The person who provides this service has been certified by another person certification body.

The question is whether the person certification body can both certify land surveyors and at the same time offer the service of performing land survey works.

September 2019

According to ISO/IEC 17024 Standard, the persons certification body shall identify potential risks to its impartiality including those deriving from its activities. Therefore, the provision of land survey works shall be considered by the CAB as a potential risk to its impartiality and analyzed by them as to whether its level is unacceptable or not.

Question 38.17 Technical Experts – Persons certified by the same CB

Some schemes in Certification of Persons are normally driven in every country by the “National professionals association”, for instance: “Nondestructive testing” and “welders”. In such cases almost all of the professionals active in the country are normally certified (and need to be continuously certified) by the only CB active in the country. So, the AB often has a lot of difficulty finding and selecting technical experts for the assessments and finally has to collaborate with a person already certified by the CB.

In view of this constraint, and taking into account the specificities of these schemes (standard-based certification, thousands of certified persons, a well-established scheme with computer-based exams and anonymous files for review, re-evaluation based mainly on experience of certified persons), we would like to hear your opinion about the potential risk to impartiality if the AB collaborates with a technical expert already certified by the assessed CB. Might the fact that the technical expert belongs to the interest group of “employer/recruiter of the persons certified” (and not to the welders), in addition to the “certified persons” interest group, reduce the risk? The technical expert is always accompanied and monitored by an assessor at the office assessments.

Our impartiality risk analysis of the situation considered all of those aspects and couldn’t reach a conclusion: the risk of not behaving “critically” enough because of “self-interest and familiarity” of the TE can be minimized due to the presence of the assessor, and is checked by past experience, but the risk associated with “the external perception” of the situation cannot be reduced. This is why we would like to hear additional arguments from you.

September 2019

If the accreditation body cannot find a competent technical expert from another source within the country (not certified by that accredited certification body or without any risk of impartiality, for example academicians from universities, industry practitioners or regulatory authorities, etc.), then the following options may be considered:

1- Persons who have received a certificate from the same certification institution in the past but who have cut the certification relationship (those who have passed at least 2 years after the certification as stipulated in ISO/IEC 17021-1; retired, etc.) can be appointed as technical experts.
2- Competent technical experts in the pool of another EA member AB (provided that the requirements of impartiality and competence are met).
3- The accreditation body can train one or several full-time personnel with suitable professional background in this field and may gain experience in on-site practice and may be assigned to assessments.
4- If TAs are used, they are there purely to support the assessor and have no direct Corrective Action review responsibilities.

Note: The NAB should demonstrate that the options 1-3 have been considered, and have been deemed to be not feasible, prior to using TA/TE with a potential risk for impartiality.

Question 39.4 ISO/IEC 17024:2012, clause 9.2.6

Standard 17024 cl. 9.2.6 Where the CB takes into account work performed by another body, it shall have appropriate reports, data and records to demonstrate that the results are equivalent to, and conform with, the requirements established by the certification scheme.

2 CBs certify persons to the same scope of certification. The scheme requires that for recertification a person should go through refresher training and take an exam to a lesser extent.

A certified person wants to go for recertification to the other CB. Is it enough if he/she has a certificate from another CB, has passed refresher training and will take an exam to a lesser extent, or should this person do the full exam, because the CB has no initial exam result and records?

Is it a transfer? Is such a transfer during recertification under such conditions possible?

March 2020

Yes, it could be a transfer.

It is necessary to ensure that both CBs work under the same scheme. The CB’s records shall demonstrate that it has available and has analyzed the appropriate reports, data and records to demonstrate that the results are equivalent to, and conform with, the requirements of the scheme. Moreover, the transfer can be done if the new CB has all evidence in accordance with cl. 7.1.1, 9.4.1b, 9.4.4 and 9.6 of ISO/IEC 17024.

It is necessary to ensure that both CBs work under the same scheme. Only in that case, and if the scheme owner allows for transfer, is it possible (ISO 17024 cl. 8.).

Please review for information the attached IAF TC Frankfurt 2019 decisions, where transfer under 17024 is more or less allowed but for the moment no IAF guidelines are going to be developed.

19/10/12 Transfer of Persons Certification Under ISO/IEC 17024 Statement of the issue:

Is transfer of persons certification a possibility and should IAF define rules for transfer of certification for persons under ISO/IEC 17024?

Consensus of the IAF TC: Decision Log: 19/10/12

After discussing the request, the MSC WG did not feel that there was support for the development of any criteria to support effective transfer.

Frankfurt 12.12

Question 39.10 Recertification based just on documented evidence

Is a recertification based just on documented evidence for personnel possible?

Several international standards (i.e. EN ISO 15257 annex C.3.1) offer the opportunity of recertification of personnel without a new (theoretical or practical) test or an assessment. ISO/IEC 17024:2012 requires in article 9.6.1 that the certification body shall have (a) (documented) procedure(s) for implementation of the recertification process, in accordance with the certification scheme requirements.

If these certification scheme requirements are taken from the related standard (i.e. EN ISO 15257), the requirements concerning recertifications are just documented evidence of continuously successful work in CCP without significant interruptions and of the updating of technological knowledge in the respective area of application. (EN ISO 15258 normative annex C.3.1)

But ISO/IEC 17024:2012 requires in article 9.6.5 that in accordance with the certification scheme, recertification by the certification body shall consider at least the following: a) on-site assessment; b) professional development; c) structured interviews; d) confirmation of continuing satisfactory work and work experience records; e) examination; f) checks on physical capability in relation to the competence concerned.

The above-mentioned “documented evidence” just reflects the above-mentioned article 9.6.5 letter d). Examination (letter e), like a theoretical or practical test, or on-site assessment (letter a), like witness audits, are not covered by the recertification scheme mentioned in EN ISO 15257. So, are all mentioned letters (a-e) required “at least”, or do they just mention opportunities?

If such a recertification based just on documented evidence is possible, what are the requirements within the recertification scheme if a revision of the technical standard (i.e. EN ISO 15257) addresses new or changed requirements?

Is it in that case also possible to have a recertification based just on documented evidence?

March 2020

This question can be divided into 3 sub-questions whose answers are:

a) Although ISO 17024 appears to require the fulfillment of several issues for recertification with the expression “at least” in article 9.6.5, it seems sufficient to consider one of these issues provided that certain conditions are met by the CAB, as explained in the ISO CASCO clarifications with submission date 2017-02-03. The main theme of these clarifications is summarized below:
“While documented confirmation of continuing satisfactory work and work experience records is acceptable as a recertification activity (see 9.6.5) the CAB must still provide evidence they have confirmed the continuing competence of the certified person.” and
“While documented fulfillment of training is acceptable as a recertification activity (see 9.6.5) the CAB must still provide evidence they have confirmed the continuing competence of the certified person.”

b) In that case, based on the scheme, the CAB can consider one or more relevant issues listed under article 9.6.5 of ISO/IEC 17024 such as “professional development”, “structured interviews” and “examination” etc. to evaluate the conformity of new or changed requirements.

c) No, it is not enough. It should be the responsibility or task of the CAB to assess whether the supplied documented evidence is enough or not.

It is the responsibility of the CAB to ensure an impartial assessment of the ongoing competence of the person involved. The CAB cannot base itself solely on documents provided by the person or their organization, since that does not constitute third party certification.

Note: EN ISO 15258 does not exist. It must have been wrongly written in the text.

Question 38.11 Accreditation of ISO/IEC 17024 applied to welding

Harmonisation of accreditation procedures and requirements of EN ISO/IEC 17024 (applied in the field of welding)

In 2015, a finding in the area of certification bodies certifying persons (area of welding) was identified during the EA evaluation. Specifically, it was in the field of certification of welders according to EN ISO 9606-1 and welding operators according to EN ISO 14732 respectively. Specific articles have been identified in both Standards that are not consistent with the requirements of EN ISO/IEC 17024 (full control over the certificate from the CB point of view). These are article 9.3.c) in EN ISO 9606-1 and 5.3.c in EN ISO 14732.

It was later found that there was a variation across ABs and CBs in the way in which the specific requirements of EN ISO 9606-1, and specifically the parts of this standard that do not align with ISO/IEC 17024.

The CC was asked to consider how harmonisation can be achieved, across EA.

September 2020
Updated January 2022

For this specific case, a Task Force Group including representation from the European Welding Federation, was convened to investigate and consider the issue. The consensus opinion of this group is reflected in the answer below, subsequent comments from EACC members have also been taken into account.

It is agreed that certain aspects of EN ISO 9606-1 do not align with the requirements of ISO/IEC 17024, including EN 9606-1 clause 9.3c on Revalidation. The 3rd revalidation method as stated in EN ISO 9606-1 is based on continuing employment for the same employer and the measurement of ongoing competence documented by the manufacturer, and does not provide for 3rd party assessment of ongoing competence, as required by ISO/IEC 17024.

Upon investigation it was found that there are 2 methods by which Certification Bodies have dealt with this problem. In some cases, it is covered within the scheme rules, which do not allow the third option, clause 9.3c from EN ISO 9606-1; in other cases the actual scope of certification issued by the Accreditation Body includes an exception stating that this method cannot be used. An example of the first method is, for purposes of European Regulation, Annex ZA of EN ISO 9606-1, which does not allow this method for Directive 2014/68/EU (PED).

It was agreed that EA needs to work with ISO and the EWF to harmonise the approach. In the meantime ABs should not allow certification of persons to be applied by accredited certification bodies in any case where the certification bodies do not demonstrate to the ABs compliance with all requirements of EN ISO 17024. Either of the above methods of excluding this clause is acceptable as a method of dealing with this issue provided the Certification Body’s scope reflects that exclusion; any other method must be fully justified in terms of ensuring that the certified person continues to demonstrate the required practical and theoretical competences.

Where schemes are proposed that do not comply with ISO/IEC 17024 the NAB and/or CB concerned should feed this back to the scheme owner, requesting a change.

Question 41.5 ISO/IEC 17024:2012 Cl. 6.1.8

A CAB deals with both activities: inspection and certification of persons. According to national law, for certain inspections the inspector shall have a certificate of competency issued by an accredited certification body for persons.
In our country this CAB is the only certification body for persons that certifies this kind of inspector. This is a situation in which the certification body certifies persons from its own organization.
In our case some of the examiners are also personnel of the inspection department. Furthermore, an external observer, who is not a member of the examination committee, is also involved in the process. His/her task is to monitor impartiality and fulfilment of procedures.

Is impartiality guaranteed when own colleagues are examined even when external observer is involved?

March 2021

Persons CBs may exceptionally certify their own personnel (ISO 17024 cl. 6.1.8), but this immediately sets up a major conflict of interest (see CASCO clarifications), especially, as mentioned, when the examiners are personnel of the department providing the candidates. In this case the evaluation process cannot be maintained as “normal business” and various robust impartiality measures have to be implemented (use a different set of evaluation tests and keep it secret, select and train external examiners, etc.). An external observer (when representing the scheme owner) may even contribute to ensuring impartial behavior of the examiner.

External observers do not necessarily pose a threat to impartiality if they sign a confidentiality agreement and act impartially (do not disclose the content of evaluations, etc.).

Question 42.8 Recertification after expiry date for ISO 9712 – Qualification and certification of NDT personnel

In certification schemes for Non Destructive Testing (NDT) personnel based on ISO 9712, the certification body has to fulfil the requirements of ISO/IEC 17024. The requirements (cl 5.2) of the ISO 9712 standard, on which NDT certification schemes for persons are based, establish that NDT certificates expire at the end of a maximum period of validity of 5 years. This standard allows the “renewal” activity (cl 10.2) to be made up to 12 months after the expiration date.

For the activity of “recertification” (cl. 11.1), it establishes that if recertification is applied for more than 12 months after expiry of the period of validity, it shall undergo a complete examination. This would imply that the recertification process could be made within the 12 months following the expiry date of the certificate.

Is this practice of applying for a renewal/recertification after the expiring date of the certificate consistent with third-party accredited certification under ISO 17024?

September 2021

ISO 17024 cl. 9.4.8 f) requires the certificate to include the date of expiry. Accordingly, the day after that date, the person is no longer certified: it cannot be assured that the person complies either with competence requirements or with scheme requirements, as a consequence, a normal recertification procedure cannot be applied to them, which is logically reserved for persons still certified (ISO 17024 cl. 9.6.2.).

Thus, with the rules of the certification schemes based on the international standard ISO 9712, an alternative recertification procedure is introduced that may conflict with ISO 17024. So until the situation is clarified by the standardization bodies, this is only accepted as an exceptional situation under the following conditions:

  • The recertification has been applied for, but could not be concluded before the expiry date of the existing certificate, as it is expected under normal circumstances.
  • The resulting certificate must hold a recertification date consistent with the date of the recertification decision and must show the gap between the last certificate expiry date and the recertification, where the person has not been certified. The expiry date shall be based on the prior recertification cycle.

This acceptance means that under the above conditions, the rules of the scheme for recertification may be applied.

Note 1. The answer only refers to “recertification” because the “renewal” activity does not correspond to a certification process according to ISO 17024.

Note 2. The question was received for ISO 9712:2012 but the answer is also applicable to ISO 9712:2021

Question 44.3 ISO 17024 – General & Clause 8.3. d) and 9.5

An authority has developed a scheme; the rules are given in a statutory order, and there is a guidance document as well.

In the documents, conditions for withdrawal of a certification are given, but nothing is mentioned regarding suspension.

It is the understanding of DANAK that it is acceptable that conditions for suspension are not given in the statutory order if the CB has policies and procedures. This corresponds to schemes for certification of welders, where there are no rules for suspension in e.g. ISO 9606.

Regarding this scheme/statutory order: CB A has made their own rules for suspension, which are rather close to the rules for withdrawal. CB B has made their own rules for suspension saying they do not suspend certificates, they only withdraw certificates, as there are no requirements in the statutory order regarding suspension.

Q1: Are both the solutions made by CB A and CB B acceptable, as they both have a policy and documented procedures (ISO 17024 clause 9.5)?

Q2: Can the scheme owner claim that suspension is not permitted, as it is not mentioned in the statutory order, or will the normal practice prevail that if there are no specific extra requirements in a scheme the rules in the level 3 standard are valid, i.e., the CB can use suspension as a tool if they fulfill the requirements and have a policy and a procedure?

September 2022

According to §8.3d) of ISO/IEC 17024, the certification scheme shall include criteria for the suspension and withdrawal of certification. Furthermore, ISO/IEC 17024 9.5.1 requires the certification body to have policies and documented procedures in place for the suspension and withdrawal of certification. Considering that no criteria for the suspension of certification are foreseen in the statutory order and the guidance document, the certification scheme is not in compliance with the provisions of EA-1/22 (§1.2a)).

A1: The lack of established requirements for the suspension of certification as part of the certification scheme (statutory order and guidance document) is not in conformance with the respective requirements of ISO/IEC 17024 with regard to the content of a certification scheme. However, in the case of CB A, this deficiency is supplemented by the CB’s own rules and policies on suspension of certification for the specific certification scheme. On the other hand, CB B has missed developing rules and policies specific to the suspension of certification, contrary to the requirements of ISO/IEC 17024. To this end, the approach of CB A can be considered acceptable, which is not the case for CB B.

A2: To proceed with an accreditation towards ISO/IEC 17024, the standard’s requirements applicable to the development of a certification scheme shall be respected, including the requirements imposed by EA-1/22 for the evaluation of conformity assessment schemes (see §1.2a)). Given that no requirement of the standard may be omitted, any claims of the scheme owner that suspension is not permitted because it is not foreseen in the statutory order, are not considered valid.

Question 46.6 Certification scheme prerequisites according to ISO/IEC 17024 § 8.2 e)

Q1: In the case of a certification scheme based on a standard EN or ISO or UNI in Italy, if the CAB decides to apply access prerequisites that are not foreseen or in any case different from what is foreseen by the standard itself, should this approach be considered as a proprietary scheme?

For example, ISO 9606 does not foresee:

  • any prerequisites for applicant;
  • any third party surveillance activity for issued certificates.

Q2: Should a CAB undertaking prerequisites for applicant and/or surveillance activity be considered as a scheme owner?

Q3: If yes, shall an evaluation according to EA 1/22 be implemented, or shall the evaluation of the certification scheme be conducted during accreditation assessment?

September 2023

A1: Yes, prerequisites are an element of the certification scheme (ISO 17024 cl. 8.2 e)) and surveillance methods are process requirements (ISO 17024 cl. 8.2 c)). By making a change/addition to the scheme, the CAB automatically becomes the scheme owner.

A2: Yes. The evaluation of the certification scheme shall be conducted during the accreditation assessment.

A3: No, there is no need to proceed with an EA 1/22 evaluation, as #2.1 states: “This document does not apply to CAS only established by a CAB and used by that CAB only. Nevertheless, the content of Annex 2 may be used as guidance for the validation of the CAS by the CAB.”

Note: ISO 9606 is a series of standards (currently in revision), that requires additional elements to become a certification scheme.

Questions relating to ISO/IEC 17029:2019 & ISO 14065:2013 – Validation and Verification

Question 41.8 ISO/IEC 17029 Validation and Verification

Should 17029 be used to confirm that a statement is correct? The method to be used and the competence required shall be described in the scheme. There will eventually be many different schemes (NA has had two interested “stakeholders” so far, one was to verify/validate authenticity of CVs and the other was to verify/validate that international trade is transacted according to the correct ethical guidelines). The question is, what is thought about evaluating the various schemes according to EA-1/22?

March 2021

In ISO/IEC 17029, the object of conformity assessment is a claim.

The claim (3.1) is the information declared by the client (3.13).

So the object of conformity is not a (third party) statement.

In the example, if the object of the verification is the CV, then each person concerned by the CV is the client.

The scheme developed by the VB shall comply with clause 8 of the standard.

In case the SO is not a VB and in case the scheme is international (refer to the definition of a CAS in EA-1/22), it must be examined through the EA-1/22 process (if the SO agrees).

In any case, as for other schemes, EA-1/22 can be used as a guidance.

Questions relating to all Certification Standards

Question 36.1 Schemes on certificates

How shall a certification scheme be indicated on accreditation certificate for product/persons/management systems CB?

For certification scheme that is based on ISO/IEC 17067, on ISO 3834-2 or type of scheme like GMP+ or Global.G.A.P (for products), on ISO 9606-1, on ISO 9712 (for persons), or on ISO 9001 (for management systems), not legislation based.

September 2018

The certification scheme needs to be identified on the certificate; this is the case whether the scheme is based on a national or international standard and if the scheme is based on a specific scheme document.

The scheme would normally be identified by its name and this should appear on the certificate.

When the standard or scheme gives all information about the “scheme” requirements and assessment methods, there is no need to list all details.

Depending on the scheme it may also be necessary to include the issue status or date.

(However, for management systems schemes please be aware that IAF Decision Number 16/10/03 on Scopes of Certification states that “Referencing a standard/normative document/code of practice that is outside of the scope of accreditation is not allowed due to being misleading on an accredited certificate.”)

Question 36.2 Evaluation of schemes

Does the NAB have a duty to evaluate a conformity assessment scheme (not based on legislation) that is not listed in “Results of CA schemes analysis for use by EA NABs according to EA-1/22” but according to which another AB is providing accreditation? Is there any difference in the case of granting initial accreditation or reaccreditation?

September 2018

If the CAS is not in the list, this means that the Scheme owner has not applied for an evaluation of its CAS by EA using the home AB system.

In this case, the CAS has to be evaluated by each AB that is providing accreditation for this CAS.

An AB may use elements of the evaluation of the scheme by another AB for its own evaluation of the CAS, but it will have to take full responsibility for the evaluation.

This evaluation is to be done prior to the normal initial accreditation process of the CAB (see requirement ISO/IEC 17011 § 4.6.3) and does not need to be repeated at reaccreditation if the CAS has not been modified.

This evaluation has to be revised in any case of revision of the CAS.

In such a case, the most efficient way to proceed is to get in contact with the SO and suggest going through an EA-1/22 evaluation using the home AB process.

Question 37.20 ISO/IEC 17065 – Ownership/use of accreditation

Background: There is a global company comprised of many separate legal entities worldwide. The owner of the accreditation is one of the legal entities and based in Norway. The accredited legal entity in its own country does not have competence in-house for a certain directive.

Question: Can this accredited certification body outsource or use external personnel for the certification process? (Accepting and review of the application, all evaluation activity, review and certification decision)

March 2019

As the case is described “a global company comprised of many separate legal entities worldwide”, it seems that it refers to multi-site CB and cross-frontier activity and not to subcontracting.

The answer is then yes, provided that requirements of EA-2/13 are fulfilled, especially “the registered legal entity – the owner of accreditation – shall have the full operational control and appropriate competence and resources to assure control over the full scope of accreditation.”

By the way, this case does not appear to be specific to NBs nor to ISO/IEC 17065 but applicable to all accredited CABs.

Question 37.27 ISO 9001 certificate referencing another standard

Question concerning EN 15713:2009 – Secure destruction of confidential material – Code of practice.

A certification body wishes to issue an accredited certificate that makes reference to EN 15713:2009. It currently issues an unaccredited ISO 9001 certificate with a scope of ‘Security shredding to EN 15713:2019 standard’.

If this is to be included under accreditation, should this be assessed as a new scheme or is it possible to include it as accredited within the existing ISO 9001 certificate?

March 2019

According to IAF Decision Number 16/10/03 on Scopes of Certification:

“Referencing a standard/normative document/code of practice that is outside of the scope of accreditation is not allowed due to being misleading on an accredited certificate.”

Question 39.9 Judgement of risk-based approach

Is it a requirement, within the assessment of CABs, to judge the risk-based approach of the CABs, or just to check if it was done and that within the assessment no findings have been identified which would not have occurred if the risk-based approach had been done in a proper way?

In several standards like ISO/IEC 17021:2015 (article 4.8), or other standards within the ISO/IEC 17000 family, there are requirements concerning risk-based approaches. The CABs are requested to identify and analyse these risks, and if they are concerned about some of these risks, they have to initiate action to avoid or minimize these risks. But none of these standards gives information with respect to the necessary level of documentation, the necessary level of analysing risks, a distinction between “critical” or “non-critical” risks, or whether this approach or analysis is to be judged by the NABs with regard to the content.

March 2020

The full performance of a CAB for which requirements exist in the accreditation standard must be assessed for conformity and for efficiency. I.e., this includes an evaluation of the reliability and appropriateness of the CAB’s risk approach, and a conclusion thereof.

Question 40.6 ISO/IEC 17065 & 17021-1 Remote evaluation/audit activities

If a scheme doesn’t have specific rules regarding remote evaluation/audit, is it possible that CABs (depending on the risk analysis done by the CAB) perform all the evaluation/audit activities remotely for initial certification or part of initial certification?

Assuming that a CAB has developed a scheme based on an international standard and defined that initial certification can be performed remotely in certain circumstances such as pandemic or disaster cases etc. Is it acceptable?

Note that: In IAF FAQ:

“Q5: Is it possible to perform a full certification audit remotely?

A: Yes, in theory it is possible, if for the specific scheme all the requirements can be evaluated remotely, including observation of activities. However, this could change for specific schemes.”

It isn’t clear what “full certification audit” covers.

September 2020

The IAF FAQ is valid here during the pandemic: if the scheme has no specific requirements, then all auditing activities for the initial certification can be carried out remotely, including Stage 1 and Stage 2, as long as all necessary evidence can be gathered and reviewed in that way.

Note should also be taken of the requirements of IAF ID 3 and MD 4.

Question 43.7 Assessment process

When assessing a certification body (witness), should a technical expert be used on the IAF code of the scopes of accreditation or should the Technical Evaluator or Team Leader have competence on the IAF codes?

March 2022

The required competence of an assessment team for the task of conducting a witness audit of the performance of a management system’s audit for a specific activity within the scope of accreditation of a CB, with regards to the technical area, can be covered either by the Team Leader (Lead Assessor)/Assessor or a Technical Expert to be included in the team. Also, there is a need for competence for the assessment team to be able to judge the effectiveness of the MS audit. In any case, at least one member of the assessment team (Team Leader/Lead Assessor or Assessor or Technical Expert) must have demonstrated competence in the technical area to be witnessed.

Question 43.8 EA-6/02 M:2022

Confirmation for the correct application of the following requirements of EA-6/02 M:2022 document:

  • 4.1 states: “Technical Experts shall be recognized by the Conformity assessment body as experienced specialists in a specific welding field, or trained and qualified to the level of I/EWE or equivalent, or for group1, 2, 8 and 22 without PWHT (Post Welding Heat Treatment) to the level of I/EWT or equivalent…” According to ACCREDIA interpretation, qualification of auditors/technical experts has to be carried out in 2 ways: I/EWE or I/EWT competence certification or through a CAB procedure that ensures equivalence to I/EWE or I/EWT certification. Is that correct?
  • 6.1.2 states: “For testing, the manufacturer or sub-contractor shall meet the applicable requirements of EN ISO/IEC 17025 and for inspection, shall meet the applicable requirements for EN ISO/IEC 17020”. What kind of evaluation has to be carried out by the Certification Body in order to comply with this requirement? Manufacturers and/or sub-contractors typically are not ISO 17025 or ISO 17020 accredited bodies. Furthermore, ISO 17065 states at §6.2.1 and §6.2.2 that this kind of evaluation is in charge of the Certification Body and not of the customer.

March 2022

Answers:

  1. ACCREDIA’s interpretation is correct. Cla. 4.1 states that “Technical Experts shall be recognized by CAB or trained and qualified …”, in this respect, the technical experts can be trained and qualified by a CAB or this competence can be proven by recognized certification for the level of I/EWE or its equivalent, or for group 1, 2, 8 and 22 without PWHT to the level of I/EWT or its equivalent. Both cases seem to be acceptable according to EA-6/02 M:2022.
  2. Indeed, the manufacturers and/or subcontractors are typically not the accredited CABs, but they should have the ability or capability to conduct requested conformity assessment activities, such as testing or inspection, as a separate body. The accreditation is not mandatory, but having conditions given in the relevant accreditation standard is required. According to ISO/IEC 17065 cla. 6.2.2.2, the CB can use its client’s laboratory (meaning a laboratory inside the client’s premises) as an outsource. In this case, the activities of this client laboratory shall meet the applicable requirements of ISO/IEC 17025.

Question 44.4 Fines as a sanction in a certification scheme

Is a fine acceptable as a sanction in a certification scheme?

a) is there a different answer for a scheme for the ISO/IEC 17021 or for the ISO/IEC 17065?

b) is there a different answer between an initial certification assessment, a reassessment and/or a surveillance assessment?

c) is there a different answer between the two options for issuing a fine mentioned below as stated in the scheme?

Background information on the scheme:

The scheme states two options for issuing a fine:

1) The non-conformity forms a threat to the achievement of the system goals. According to the scheme the non-conformity cannot be corrected. The fine is said to be used in order to prevent these non-conformities, but when this type of fine is issued, the non-conformity remains open/issued as well.

2) To eliminate economic advantage of a non-conformity for which corrections are possible, the scheme uses the option of a fine in addition to corrections/corrective actions. So corrections and corrective actions are expected from the potential certificate holders. The fine is an additional sanction.

The scheme has the option to issue a certificate when a fine has been given to the potential certificate holder. And also to keep the certificate in place when a fine has been given.

September 2022

The imposition of a fine is not considered an acceptable means to compensate for an outstanding non-conformity (either susceptible to corrections/corrective actions or not). In the aforementioned cases, the CB is expected to impose sanctions such as suspension and withdrawal according to the respective provisions foreseen in relevant accreditation standards.

If we think on the basis of requirements of standards, there is no difference in initial certification and/or re-certification and/or surveillance assessments. The scheme owner (e.g., a regulatory authority) may impose a fine at its own discretion based upon the additional requirements of the certification scheme. It shall not be the CAB’s responsibility or authority to impose fines. If the CB wants to apply any administrative burden, it can be acceptable, but not a fine.

  1. No
  2. No
  3. No