Certification committee

2019-06-04T16:14:51+00:00

The answers presented here represent the consensus view of the EA Certification Committee – they are intended for informational purposes and should not be used as official guidance for the implementation of the requirements of the standards concerned. 

When reading questions and answers take into consideration whether transition periods are on-going.


Questions relating to ISO/IEC 17021-1: 2015 – Management Systems Certification

Question 32.1 Road Traffic Safety MS Scoping

The ISO/IEC TS 17021-7 does not refer to differences for scoping purposes. The differences are based on context as referred to in table A 1 in the annex of ISO 39001. Some ABs scope in accordance with NACE codes, others in accordance with Table A1. What would be the appropriate scoping for ISO 39001?

September 2016

Table A 1 would appear to be the most appropriate means of scoping for ISO 39001.

Question 32.2 GFSI

GFSI is requiring Scheme owners to comply with their requirements like additional new audit items, but also to ‘audit’ all elements during every audit. This appears in contradiction with the methodology of MS certification as determined for QMS and EMS through IAF MD5 or FSMS through ISO/TS 22003, which applies the audit time reduction for surveillance and recertification audits (of 2/3 and 1/3 of the initial time respectively). Yet ABs are giving with their accreditation logos the impression that auditing all elements is equally effective as covering them during the whole cycle. The clearest example is comparison of ISO22000 versus FSSC22000.

The question is:

  1. How do we interpret that GFSI based schemes have to ‘audit’ all criteria whereas the methodology of MS certification applies the assessment of all criteria over the certification cycle, which therefore allows a reduction to be given for surveillance and recertification audits?
  2. To enable the same amount of confidence to these different types of certification audits, should we require that these schemes apply a different time allocation scheme as well (i.e. above ISO/TS 22003)?

September 2016

GFSI Guidance Document – Version 6.4 / November 2015 – Part II § 3.5.1 states:
“The scheme owner shall have a clearly defined and documented audit frequency programme, which shall ensure a minimum audit frequency of one audit per year of an organisation’s facility and has the scope to assess all elements of the scheme’s standard.”
General understanding of the clause and the sentence is that the requirement of assessing all elements lies with the audit programme and not with the annual audit (which is in the sentence the first requirement put on the audit programme). There is no contradiction between GFSI requirements and ISO/IEC 17021-1, ISO/TS 22003 and related IAF MD documents.

Question 32.3 Duration

Background: ISO/IEC 17021-1:2015 does not specify requirements for audit time and audit duration. IAF-MD5 and e.g. ISO/TS22003 describe this in more detail. MD5 describes in §4.1 that audit duration (on-site) should not be less than 80% of the audit time indicating that planning and reporting should typically be <20% of the audit time. ISO/TS22003 is a bit clearer by mentioning that preparation (and reporting) are not included in audit time.
In practice it is noted that CABs consider allocating time for reporting (else no report would be made), but time for planning and more importantly preparation of the audit team is not included (nor mentioned) and thus depends on the personal time of the team members.

Question: Could it be considered to suggest an amendment to IAF-MD5 to identify whether preparation time is required, that this be justified and recorded, and potentially indicate a ‘minimum’?

September 2016

Clause 9.1.4 of ISO/IEC 17021-1:2015 specifies the overriding requirements for audit time and requires that ‘for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system.’ This is confirmed by clause 0.6 of IAF MD 5 which states that ‘notwithstanding the guidance provided by this document (MD 5) the time allocated for a specific audit should be sufficient to plan and accomplish a complete and effective audit of the client’s management system.’

It is, therefore, clear that preparation time to plan an audit is required by both ISO/IEC 17021-1:2015 and IAF MD 5.

There will be evidence from witnessed audits and reports to determine whether or not the certification body has an effective process for planning audits. Providing the certification body has demonstrated an effective process for planning audits and is allocating sufficient on site time to accomplish a complete and effective audit, there is no need for it to separately justify and record planning time.

Question 32.4 2-Stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.
It is stated in a NOTE under 9.3.1.2.1 that “Stage 1 does not require a formal audit plan (see 9.2.3).”
Secondly, 9.2.3.1 states that “The certification body shall ensure that an audit plan is established prior to each audit identified in the audit programme…”.

Related questions are the following:

  1. What is required as the audit plan for a stage I? Is a telephone conversation acceptable?
  2. Since the stage II audit is not a separate audit, a formal audit plan is not required either?
  3. Or does this mean that the stage II audit (or the overall «initial audit») plan has to be prepared prior to stage I (i.e. prior to «the initial audit»), maybe in a more generic way, but with the objective that the stage I provides further focus/adaptation to this plan (ref. 9.3.1.2.2.f)?
  4. Do the requirements for 9.2.3 (and more specifically 9.2.3.2) apply to the audit plan for a stage II (even though that is not a separate audit)? Particular attention is requested to the requirement in 9.2.3.2.a (objectives) which are quite different for a stage I (9.3.1.2.2) from a stage II ‘audit’ (9.3.1.3).
  5. Can it be required that the CAB prior to the stage I at least will have to inform the client that prior to stage II an audit plan is prepared in line with the requirements of 9.2.3?
  6. A note normally does not contain requirements; how then can a note make requirements not applicable (as is the case here)?

September 2016

The sequence of clauses in ISO/IEC 17021-1 is as follows :

  • § 9.1.3.2 and 9.3.3.1: the initial audit (part of the audit programme) is a two-stage audit
  • § 9.2.3.1: … an audit plan is established prior to each audit identified in the audit programme to provide the basis for agreement regarding the conduct and scheduling of the audit activities.
  • § 9.2.3.2: “The audit plan shall be appropriate to the objectives and the scope of the audit.”
  • § 9.2.3.2 and 9.2.3.3: give the elements to be found in each formal audit plan for each audit; it may be that some elements are not applicable/necessary for stage 1.

An audit plan is therefore required before the initial audit (that is, before stage I) so that the organisation to be audited is aware of what is to be audited and when (“agreement regarding the conduct and scheduling of the audit activities”). The CB may choose to draft one unique plan for stage I and II, in the form required per § 9.2.3.2 and 9.2.3.3, the plan addressing all elements of 9.3.1.2.2 and 9.3.1.3. If there is only one plan, the client has to be reminded that the plan may be adjusted after stage 1, following the conclusions of stage I.
If the CB chooses to have a plan in 2 parts, one for stage I, and then, after stage I, one specific for stage II, it may accommodate the form of the stage I plan, as all points of § 9.2.3.2 and 9.2.3.3 may not apply. What is captured in the NOTE is not to say that a plan is not required but is only waiving the formal aspects of the plan.

From there, the answers to the questions are:

  1. A plan (whether separate or not) is required but does not have to be formal, focusing on the objectives stated in § 9.3.1.2.2. If the plan is specific to stage 1 (where not the full team is present and not all elements are audited) it may waive some points of § 9.2.3.2 (c-d-e-f) as not yet identified at this stage, and of 9.2.3.3 (b-c). As it does not have to be formal, an email or a phone call may be acceptable. Records of what has been agreed with the client are needed to demonstrate implementation of requirements (e.g. 9.2.3.1).
  2. See above: stage II plan is required, whether specific or integrated in the global “initial audit” plan
  3. An overall plan may be prepared before stage I (in other words the audit plan communicated before stage 1 may include the elements of stage 2), with the information known by the CB at this stage, to be reviewed after stage I conclusions
  4. All apply
  5. Yes, it has to be required in the case that the plan is not drafted at once
  6. According to ISO, information marked as “NOTE” is intended to assist the understanding or use of the document. The NOTE intends to waive the “formal aspects” of the plan and not the full requirement.

Question 32.5 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.

In 9.3.1.2.3, it is stated in a NOTE that “The stage I output does not need to meet the full requirements of a report (see 9.4.8).”

We do consider that the report of the “initial audit” in its totality (i.e. the full report prepared after conclusion of stage II), does need to comply with the requirements of 9.4.8. This means that it shall also include or refer to the “k) audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit” (i.e. findings, evidence and conclusions consistent with the requirements of stage I and stage II). So although the stage I findings don’t have to be reported immediately after the stage I in a report complying with all requirements of 9.4.8 (since then only “Documented conclusions with regard to fulfilment of the stage I objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.” have to be reported), the stage I findings (positive and negative) should find their way into the overall “initial audit” report after stage II.

Please confirm that the above position, i.e. the report (whether consisting of several documents or not) in its totality shall comply with all requirements of 9.4.8 for both stage I and stage II audits.

September 2016

In 9.3.1.2.3, it is stated that “Documented conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage II shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage II.”

Actually “Documented conclusions” refers to “Stage I Audit Report” that does not need to meet the full requirements of a report as given in 9.4.8. That means not all items of audit report given in 9.4.8 are covered.

This report or “documented conclusions” shall be communicated before stage II. Since the standard is not saying “immediately communicated”, it can be communicated immediately after stage I or later. However, it shall be communicated before stage II.

According to related requirements of the standard, the CB can prepare one “Initial Audit Report” consisting of two separate parts (e.g. Stage I and Stage II) or prepare two separate audit reports: “Stage I report” and “Stage II report”. In the second case, most of the requirements of 9.4.8 should be covered including sub-item “k)” “audit findings” since there is no need to report the conclusions of Stage I as “nonconformity”, just “identification of any areas of concern that could be classified as a nonconformity during Stage II” is enough.

Since the stage I “documented conclusions” shall be communicated in any format with the client of CB and these have to be based on findings (positive and negative), these (stage I findings) should find their way into the overall “initial audit” report after stage II provided that the conclusions are communicated with the client after or at the end of Stage I, and before Stage II.

Question 32.6 2-stage

Some of the wording of the standard ISO/IEC 17021-1, related to stage I and stage II, having to be considered as one audit, conducted in two stages (9.3.1.1) causes some interpretation problems.

Clause 9.4.1 states that “The certification body shall have a process for conducting on-site audits. This process shall include an opening meeting at the start of the audit and a closing meeting at the conclusion of the audit.”

Does this mean that the initial audit requires only an Opening Meeting (meeting the requirements of 9.4.2) at the start of the stage I audit and a Closing Meeting (meeting the requirements of 9.4.7) at the end of the stage II audit (i.e. no Closing Meeting at end of stage I or Opening Meeting at the start of stage II)?
This would seem like a silly consequence as these audits have clear and distinct objectives, i.e. both need full Opening and Closing Meetings.

September 2016

Clause 9.4.2 of ISO/IEC 17021-1:2015 states that the purpose of the opening meeting is to ‘…..provide a short explanation of how the audit activities will be undertaken.’ Since the audit objectives and activities for stage one and stage two are different, the requirement of clause 9.4.2 can only be met if there is an opening meeting for each stage.
The requirements of clause 9.4.7 relate to a formal closing meeting which includes the recommendation regarding certification. A formal meeting complying with clause 9.4.7 is, therefore, not required at the end of stage one. However, clause 9.4.3.1 requires the audit team leader to ‘….periodically communicate the progress of the audit and any concerns to the client.’ Clause 9.3.1.2.2 requires that an objective of stage one is to ‘….undertake discussions with the client’s personnel to determine the preparedness for stage two.’ Whilst a formal closing meeting, in accordance with clause 9.4.7, is not required at the end of stage one, there is clearly a need for a meeting with the client, at the conclusion of stage one, in order that the certification body can meet the requirement for communication with the client and the objectives of stage one.

Question 32.8 logos

ISO/IEC 17021:2015, 8.3.1 denies any possibility of a labelling of products by an enterprise which is certified (only) with its management system.

In contrast, the PEFC rules allow the use of the logo “on product” for forest owners (see PEFC ST 2001:2008, 7.2.1: “The PEFC Logo can be used on-product by a PEFC Logo user with valid PEFC Logo usage license for group B (forest owners and managers) and group C (forest related industries).”). This is also possible for the group members respectively members of the Regional Working Groups in Germany.

In practice, the mark of conformity is not placed on the wood coming from forests under PEFC management, but there is one possible exemption to be discussed: a sign marking the entrance of the forest under PEFC management as “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”. This statement is connected with the PEFC logo and the certification number.
This can be interpreted as incorrect logo use.

September 2016

As far as the question is about the use of the phrase “This wood is different. Certified and managed based on the accepted PEFC standards. Please ask for wood and paper with the PEFC logo”, connected with the PEFC logo and the certification number (but no CB marks): as far as the mark of the CB is not used, this statement is OK. There are no rules for the use of the Scheme owner marks (PEFC).
The PEFC document was prepared in 2008 and revised in 2010 and “PEFC ST 2001:2008”, date of entry into force is 2010-11-26. As a scheme owner, PEFC marks are different to CBs Marks.

PEFC selected ISO/IEC 17021-1:2015 as accreditation standard for “Sustainable Forest Management System” certification bodies. According to EA-1/22 requirements 3.5 and 3.6, the scheme owner shall not contradict or exclude any of the requirements of ISO/IEC 17021-1:2015 as EA MLA Level 3 standard.

EA-1/22: 

“3.5 The conformity assessment process described or chosen by the SO shall fall within the scope of one of the EA MLA Level 3 standards (see EA-1/06).

3.6 Scheme specific requirements placed on CABs by the SO shall not contradict, or exclude, any of the requirements included in the standard referred to in 3.5.”

All the above mentioned considers that the PEFC logo is not a third party mark of conformity, cl. 3.1, in ISO 17030 (“Conformity assessment. General requirements for third-party marks of conformity applies”).

Question 33.1 Impartiality

This relates to clause 5.2.7 of ISO 17021-1:
5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Several CBs accredited by a particular NAB use contracted auditors (not ‘subcontractors,’ but individuals contracted to work for the CB, under the CB’s management system). Most of these auditors also provide consultancy. The NAB has, in the past, accepted that CBs could certify the management systems of clients who received consultancy from one of these contractors, as long as it was demonstrated that satisfactory controls were in place – transparency, different auditors, informing the impartiality committee, etc.

Clause 5.2.7 could be understood to mean that this practice can no longer continue.
However, it is proposed that this clause does not apply in the scenarios described above, because
a) Clause 5.2.7 refers to ‘a body,’ and the consultancy here is provided by individuals; and
b) Furthermore, clause 5.2.7 states that “A recognized mitigation of this threat is…” Because the word recognized is used, it means that there may be other ways of mitigating the threat; it is not mandated that the CB shall not certify the management system for two years.
Does the CC agree with the NAB’s position?

March 2017

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.7 should be invoked and the “2 year” rule should be invoked, or a similar mitigation.

Question 33.2 OH&SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance.

Temporary sites, for example construction sites, shall be covered by the OH&SMS of the organization that has control of these sites, irrespective of where they are located. The need to visit such sites and the extent of sampling shall be based on an evaluation of the risks of failure of the management system to control the OH&S risks associated with the client’s operations (see clause B.9 of Appendix B)”.

Question: Considering the same importance and dignity of all the workers of an organization, that can affect the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the sites of the organization? In other words, can an organization decide to certify only a part of the organization, excluding some sites?

Example: An organization has 1 headquarter and a network of 10 sites. The organization applies the OH&SMS only in the headquarters and in 5 sites. Is it acceptable, or the company has to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all sites.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope not scope of certification. EA-3/13 does not make any reference to whether or not all sites shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1 which states that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all sites are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 17021-1, therefore, it is acceptable that some sites could be excluded from the scope of certification.
The CB should report on the rationale/justification for not including all sites.

Question 33.3 OH&SMS EA-3/13M

As defined in EA 3/13 M: 2016 – G 9.2.1.3:
“Once the scope is defined, the OH&SMS shall include activities, products and services within the organization’s control or influence that can impact the organization’s OH&SMS performance”.

Question: Considering that all the activities, products and services within the organization’s control or influence can impact the organization’s OH&SMS performance, is it mandatory to include into the scope of the certificate all the activities, products and services of the organization?
In other words, can an organization decide to certify only a part of its activities, excluding some activities, products and services?

Example: An organization produces cars and trains. The organization applies the OH&SMS only in the cars production. Is it acceptable, or the company has to apply for the certification of the OH&SMS of the full organization? In this case, it could be acceptable that the organization establishes a plan in order to certify all production activities, products and services.

March 2017

Clause G 9.2.1.3 of EA-3/13 relates to audit scope not scope of certification. EA-3/13 does not make any reference to whether or not all activities, products and services shall be included in the scope of certification. The core requirement is Clause 8.3.4 (g) of ISO/IEC 17021-1 which states that the certified client ‘does not imply that the certification applies to activities and sites that are outside the scope of certification’. The existence of this requirement accepts that it is possible that not all activities, products and services are covered by the scope of certification. EA-3/13 provides no additional guidance to clause 8.3.4 of ISO/IEC 17021, therefore, it is acceptable that some activities, products and services could be excluded from the scope of certification.

However the OH&SMS should reflect the core activities of the organisation i.e. a manufacturing company should have the manufacturing activity as part of the OH&SMS, not just for example the office activities.

The CB should report on the rationale/justification for not including all activities.

Question 33.6 Operational Control

If a certification body does not have any agency, representative or branch office, is the Clause 6.2.2 still applicable to check their own operational controls? I mean, is 6.2.2 independent from Clause 6.2.1 or a subclause linked with it?

March 2017

Clause 6.2.2 is independent and it applies to the certification body’s own operational controls as well as control of activities delivered by branch offices, partnerships, agents, franchisees, etc.

Question 33.7 Organisational Control

What does the following mean?

“The person(s) [excluding members of committees (see 6.1.4)] assigned by the certification body to make a certification decision shall be employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body.”
Who are these persons?
Are these persons from the entities where explained in bullets a, b and c in the same clause? Or these persons can be different?

March 2017

These persons can be from the entities explained in the bullets a, b, c and also persons employed by, or under legally enforceable arrangement with, either the certification body or an entity under the organizational control of the certification body.
IAF Technical Committee Decision 15/10/02 is relevant to this question.
It is acceptable for the CB decision taking group to be composed of people who are hired as external personnel, provided the personnel meet the competence requirements outlined in ISO/IEC 17021 and ISO/IEC 17021-1 (e.g. section 7.2.8) and the CB has organizational and operational control outlined in ISO/IEC 17021-1, section 6.2 as it relates to the decision making person/s.
There are many examples today of this type of situation and ABs have found it acceptable in accordance with ISO/IEC 17021.
Note: ISO/IEC 17021 (nor ISO/IEC 17021-1) does not differentiate between permanent and non-permanent staff.
This means that the persons do not have to be from the entities listed in bullets a), b) and c), but that they shall be under a legally enforceable arrangement with the certification body or one of the entities listed in bullets a), b) and c) and must be under the certification body’s operational control.

Question 33.8 Operational Control

What is the interaction between clause 6.2 and 7.5?
Does status of an organisation having a relationship with the CB for performing any part of the certification activities of the CB fall in clauses 6.2.1 and 7.5.1?
Under which circumstances such an organization does not fall in the clause 7.5?

March 2017

Clause 6.2 is concerned with the certification body having operational control over its certification activities performed by its branch offices, joint ventures, agents and franchises etc.

Clause 7.5 covers the certification body’s process for outsourcing (subcontracting) of any part of the certification activities to another organisation. Organisations listed in Clause 6.2 which are part of the certification body, for example branch office, joint ventures are not subject to the requirements of Clause 7.5. Organisations listed in Clause 6.2 which are not part of the certification body, for example some particular agents and franchises are subject to the requirements of Clause 7.5.

Question 33.10 Product References Primary Packaging

Is it possible to use the statement (ref requirement 8.3 of ISO/IEC 17021-1:2015) on the primary packaging, the one that is in direct contact with the product like the tomatoes’ can, or the milk bottle?

The standard clearly states that it is not possible to add the certification mark on the packaging but is not so clear about the statement use.
“A certification body shall have rules governing the use of any statement on product packaging or in accompanying information that the certified client has a certified management system. Product packaging is considered as that which can be removed without the product disintegrating or being damaged. Accompanying information is considered as separately available or easily detachable. Type labels or identification plates are considered as part of the product.”

March 2017

It was agreed that according to the standard it is not possible to add the certification mark on the primary product packaging.

Bottles are packaging material, so the statement can appear on the bottle. The statement must refer to the management system not to the product.

Question 33.11 Quoting of 17021 parts

Relating to ISO/IEC17011: 2004 Clause 7.9.4
The accreditation body shall provide an accreditation certificate to the accredited CAB. This accreditation certificate shall identify (on the front page, if possible) the following:
……..
g) a statement of conformity and a reference to the standard(s) or other normative document(s), including issue or revision used for assessment of the CAB.

The Question: With the recent issuance of requirements document ISO/IEC17021-3: 2016 to support accreditation to ISO/IEC17021-1: 2015 EMS, do ABs have to make reference to this normative document on EMS accreditation scoping documentation in the same manner as Level 4 documents such as ISO27006?

March 2017

This was discussed at the IAF Technical Committee meeting in Frankfurt in April 2017; the question has been raised before in 2014.

IAF Decision log states:

“Some ABs reference ISO/IEC 17021 on the certificate with the assumption that it includes the dash standards (e.g. ISO/IEC 17021-2) as it is applicable to the scope of accreditation, and they do not reference all the parts. The ABs feel this is appropriate because the foreword of ISO/IEC 17021 standard states, ISO/IEC 17021 consists of the following parts…

Some ABs include all normative documents used in the assessment of the CB (per ISO/IEC 17011), including all individual parts of ISO/IEC 17021 (e.g. ISO/IEC 17021-2) and IAF MDs. One word of warning with including everything (including versions) is that it can become an issue of maintenance; however, it is the AB’s decision on the level of detail included.

The TC reached consensus that the ABs can decide how to manage the accreditation certificate on their own, recognizing accreditation certificates can vary in level of detail.”

Question 33.14 Medical Devices Scoping

According to the ISO 13485 standard it can be used by organizations involved in one or more stages of the life-cycle of a medical device, including design and development… Furthermore, it can also be used by suppliers or other external parties providing product (e.g. raw materials, components, subassemblies…) to such organizations. The supplier or external party can voluntarily choose to conform to the requirements of ISO 13485 or can be required by contract to conform.

In case the product cannot be unambiguously defined to be a medical device or any of the related products identified in the ISO 13485 but the manufacturer still wants to be certified against ISO 13485 – is this acceptable or not?

And more generally can ISO 13485 be used for certification purposes in the voluntary field outside the proper scope of the standard?

March 2017

Supplier or external party shall demonstrate the intention of its “product” (item such as a device, part incorporated in a device, raw material etc.) or service in the context of an application or use of a medical device.

  • CAB (certification body) has to perform a contract review considering the elements stated in this answer (see below) including the national interpretation of medical devices performed by the national regulatory authorities (apply list of medical devices or family of medical devices).
  • Activity or product shall fall into the definition of ISO 13485:2016 – 3 Terms and definitions – 3.11 medical device (see also source GHTF/SG1/N071:2012, 5.1 and 5.2; note GHTF/SG1/N071:2012 5.2 is not mentioned in ISO 13485:2016. Therefore, ISO 13485:2016 is not fully clear in the non-regulated field of IVD).

The supplier or external party seeking certification according to ISO 13485:2016 shall justify all not applicable clauses of ISO 13485:2016. The CAB shall critically audit the reason for not applying the requirements. Certification bodies shall always avoid certifying when it has some indication that a standard is applied in a way to only pretend compliance in the medical device field and in reality, it does not fit the encountered activity. The contract review of the supplier or external party shall always include an investigation of the purpose of the use of the ordered “product” or service.
Conclusion: If no clarity is reached the supplier or external party should better be certified against ISO 9001:2015 only. Therefore, there shall be no certification outside the proper scope of the standard ISO 13485:2016. The only difficulty lies in the evaluation of the boundary of the scope of the standard ISO 13485:2016 as it will contain some arbitrary components and perhaps some national particularities.

Question 33.15 Consultancy

5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.

Many CB’s external auditors are owners of one man consultancy enterprises and the contracts with the CB are signed by the enterprise.
We have understood the changes in wording of the standard in a way that in such cases the relationship constitutes a significant threat to impartiality as the contractor is the enterprise/body – not an individual and thus 5.2.8 does not apply.

In addition, we recently faced a case where, at the same time the CB made an annual surveillance of ISO 9001:2008 certification by auditor X, an external auditor Y of the same CB was giving consultancy to the same company for ISO 9001:2015.

What would be your reaction in such cases?

March 2017

Clause 5.2.8 refers to outsourcing (sub-contracting) and this is different to contracting-in external resources.

An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.8 should be invoked and the CB should not outsource audits to them.

An individual used as a contracted-in external resource does not come under 5.2.8; however, impartiality rules still apply in terms of ensuring previous relationships do not compromise the impartiality of the audit process.

Question 33.16 Annual Indicators

IAF MD 15 defines the data an AB shall collect on an annual basis as indicators of CBs activities.

The NAB has included the indicators in the request for information we regularly ask the CBs to provide before the assessment. However, we have not received relevant information concerning “overdue audits”. According to the NAB’s experiences the CBs have not even defined when an audit is “overdue” or any consequences of delayed/overdue audits.

The NAB has raised a NC of this type of findings in several assessments.

To be discussed: Have other NABs similar experiences or findings? What actions have been taken? An NC raised against MD15 documents?

March 2017

IAF TC Dec log April 2016 (see below) shows some explanation about what is an “overdue audit”, helping with the definition of overdue audits.

The information is collected for exploitation by the AB during assessments. There are no requirements in IAF MD 15 about the need to define consequences of delayed/overdue audits. The indicators could provide an insight into the effectiveness of the Certification Body’s processes. The requirements about due date of audits are in ISO 17021-1: first surveillance (only for ISO 17021:2006 and 2011), second surveillance and recertification audit (each calendar year and before the expiry date of the certificate).

Question 33.19

The CB shall periodically evaluate the performance of each auditor on-site. The frequency of on-site evaluations shall be based on need determined from all monitoring information available.

Is there any upper limit of frequency (in years) recommended? (Some CBs perform yearly monitoring of personnel audit, other CBs extend the frequency to many years.)

March 2017

There is no specified upper limit for on-site monitoring in ISO/IEC 17021-1:2015, IAF MD-10 or any other relevant normative documents. But in practice most CBs perform at least one on-site monitoring every three years. According to ISO/IEC 17021-1:2015 clause 7.2.9 “There shall be a documented process for monitoring competence and performance of all persons involved, based on the frequency of their usage and the level of risk linked to their activities.” This frequency should be based on assignment frequency and the level of risk.

Another factor, linked to risk, which should be considered is the results of previous monitoring. It is reasonable to expect that auditors where issues have been identified are monitored more frequently than those where no issues have been raised.

In ILAC P15:07/2016 clause 6.1.9b, for inspection bodies’ inspectors there is a limit saying that “at least once during the accreditation re-assessment cycle”.
For ABs, ISO/IEC 17011:2004 clause 6.3.2 says that “Each assessor shall be observed on-site regularly, normally every three years.”

Question 34.2 Incorrect References to certification

Due to a delay in the re-certification process (application of clause 9.6.3.2.5) an organization is temporarily without a certificate (delay of audit + closure of non-conformities), but it seems that the certification status could be reinstalled within 6 months from expiry date.

How is ISO/IEC 17021-1:2015, 8.3.5: “The CB shall … take action to deal with incorrect references to certification status” to apply? The organization makes promotion with the certification status on their website and on their business documents (stationery). They state that they need the certification to get business.

Shall the CB enforce clause 8.3.5 for this short period (up to 6 months) that the organization deletes the publicity as “certified company” from the website and shall the CB request stopping the use of the business documentation (stationery) with the certification status as “certified”?

September 2017

During the period between the certificate expiring and the successful completion of the re-certification process, the organization is not certified, according to § 9.6.3.2.4 “then recertification shall not be recommended and the validity of the certification shall not be extended. The client shall be informed and the consequences shall be explained”.

During the suspension period, the status “certified company” as mentioned in its communication, business documentation, but also in the contracts with its own customers (this should not be forgotten), is incorrect, and the CB has to take action in case of incorrect reference to certification status as per § 8.3.5.

Question 34.3 Appeals

A CB has a rule for handling complaints and appeals:
“Cost of complaints and appeals will be charged to the complainant/appellant in the case of a negative decision against the complaint or appeal.”
Is this a discriminatory action against the appellant if the CB charges the appellant only in a negative case or decision?

September 2017

This question was subsequently discussed at IAF and an IAF Decision was recorded:

Consensus of the IAF TC: Decision Log: 17/10/05

Charging of Fees for the handling of unsuccessful Appeals

If the entity considers the risk to impartiality and have mitigated any identified risks and the process is considered effective; then it is up to the entity if they are going to charge a fee or not.

Question 34.4 Conflicts of Interest

See

9.5.1.1 The certification body shall ensure that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits.

5.2.12 All certification body personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.

Therefore, there is no requirement that states that the sales person (internal or external sales agent) has to be different from those who carry out the audits or take the decision.
However, if the sales person takes a fee from the CB for selling the certification service, there is a high risk to impartiality if the same sales agent is involved also in auditing or decision.

So, is it an acceptable risk the fact that a sales person could act, for the same client, also as an auditor or a decision maker?

Example:

  • Mr. Smith (sales agent) takes the fee of 100 € from the CB for each contract signed by a new client, and other 500 € if the Client maintains the certification for the first certification cycle.
  • After the signature of the contract, the CB assigns to Mr. Smith also the responsibility to perform the audits or the decision
  • If the audit goes well, Mr. Smith earns an extra 500 €... a good incentive to grant a certificate!

September 2017

There is no requirement of ISO/IEC 17021 which specifically prevents a sales person being involved in audits or decisions of clients he/she has introduced to a certification body. Clause 5.2.1 of ISO/IEC 17021 requires that certification body shall be responsible for the impartiality of its conformity assessment activities and shall not allow commercial, financial or other pressures to compromise impartiality. In the example quoted, there will clearly be a potential conflict of interest which could compromise the impartiality of the certification process and Clause 5.2.3 of ISO/IEC 17021 requires the certification body to:

  • have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification;
  • document and demonstrate how it eliminates or minimizes such threats and document any residual risk;
  • (top management) shall review any residual risk to determine if it is within the level of acceptable risk.

This is reinforced by Clause 5.2.13 of ISO/IEC 17021 which requires the certification body to:

  • require personnel, internal and external, to reveal any situation known to them that can present them or the certification body with a conflict of interests;
  • record and use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them;
  • not use such personnel, internal or external, unless they can demonstrate that there is no conflict of interest.

It may be possible that a sales person could be involved in the certification process, provided the certification body can demonstrate that its process for managing impartiality has evaluated that there is no conflict of interest. The fact that for clients the sales person has introduced to the certification body, he/she will receive payment depending on a positive audit/decision, means there is a conflict of interest and he/she cannot be used in the certification process (ref. ISO/IEC 17021 Clause 5.2.13). This would not, necessarily, prevent the sales person being used for clients he/she did not introduce to the certification body.

Clause 5.2 note 1 should also be noted: Source of threats to impartiality of the certification body can be based on: payment of a sales commission or other inducement for the referral of new clients, etc.

Question 34.5 Certification Marks

The CB would like to use a mark accompanied with the picture where only the name of the corporate appears together with letters indicating the country. Of course the certification requirement is referenced too, e.g. ISO 9001 or ISO 14001.

The problem is that XXXXXX has a lot of other activities outside certification (training, advisory services etc.) and the certification activities are performed by the daughter company of XXXXXX, the legal entity XXXXXX Certification Ltd which is the CAB (legal entity) accredited.

We would appreciate the views of other NABs on implementation of clause 8.3.1 of ISO/IEC 17021-1 which the proposal maybe doesn’t comply with.

I think the traceability to the certification body is becoming more and more important once the references to certification can appear also in product packages.

Unfortunately the model cannot be attached for confidentiality reasons.

September 2017

The important factor to take into account here is the traceability of the certificate to the accredited Certification Body.

Question 34.6 IAF MD5

IAF MD 5:2015 clause 4.4: “The CAB shall provide the audit time determination and the justification to the client organization as a part of the contract and make it available to its Accreditation Body upon request”.

To what extent does the information supplied to the client need to be client specific? See below examples:

Question part 1: Which of the alternatives listed below can be accepted as audit time determination and justification to be provided to the client organization as part of the contract?

  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document? Example “Audit time has been calculated in accordance with requirements in the document IAF MD5:2015, available at iaf.nu”
  • To state the total days offered and refer to IAF MD 5:2015 and the factors specified in the document, complemented with information that a more detailed explanation will be included in the audit report of Stage 1?
  • To state the total days offered and include a general explanation on the calculation method with examples of factors that may potentially be used as a basis of addition/reduction for audit time calculation?
  • To state the total days offered and include information on the number of personnel used, the complexity level used and a specification of the actual factors that have affected the audit time calculation of the client?
  • The full man-day calculation shall be included, fully traceable with adjustments in percentages etc. (This “determination and justification” would in this case have the same level of detail as the one available to the Accreditation Body at assessment)

Question part 2: Is it acceptable to state in the contract that, due to confidentiality reasons, the information will be made available for the client upon request?

September 2017

This question was subsequently discussed at the IAF Technical Committee in Vancouver October 2017, the recorded decision was: –

Consensus of the IAF TC: Decision Log: 17/10/02

MD5 clauses 2.3.2 and 4.4

The justification included in the written contract must be enough for the client to understand the calculation and may not include all of the calculations the CAB used to determine the audit time (which can be reviewed by the AB within the CAB records).
The detail in the contract may include; determination and number of effective personnel, the number of audit days, and the factors without the percentage that were applied based on the information supplied by the organization seeking certification, for all of the requirement documents (e.g. IAF MD 11).
It is not acceptable for the contract to just refer to IAF MD 5 to understand the audit time determination.
Note; the contract may include annexes that include this level of detail. As long as the annex is part of the contract this would be acceptable in meeting IAF MD 5.

Additional Discussion
The reason for the new requirements in IAF MD 5 was to make sure the CAB was open and transparent with the clients, as well as the ABs (upon request). And to prevent unfair competition by withholding information from the client.
If we focus too much on the numbers, we have lost the intent as it relates to the value of the audit and it will be lost on the client. We question getting too prescriptive.
There is a need to build awareness with the clients to understand the outliers and the jeopardy that has on the certification. The information should be enough to understand the outliers.

Question 34.7 Assessment for Notification Purposes

Is it obligatory to use the IAF Mandatory Documents (IAF MD 1, IAF MD 2, IAF MD 5) as the criteria of the conformity assessment when accreditation for notification purposes is according to ISO/IEC 17021-1?

September 2017

A new revision of EA 2/17 will begin soon, managed by the HHC, this point will be clarified as part of that revision process.

The consensus of the CC was that the Mandatory documents apply for Accreditation for Notification wherever that standard is used as the preferred standard. But care should be taken because, for example, for Module D and E ISO/IEC 17065 has been identified as the preferred standard and so the MDs in question would not apply. The only Module with ISO/IEC 17021-1 as the preferred standard is Module H.

Question 34.9 Identification of revised certification documents

ISO 17021-1, clause 8.2.2 The certification body shall provide by any means it chooses certification documents to the certified client
i) in the event of issuing any revised certification documents, a means to distinguish the revised documents from any prior obsolete documents.
Can this requirement be considered as fulfilled if the revised certification document has a unique serial number/date different from the obsolete document, or shall the revised document have a reference to the obsolete document?

September 2017

Both cases can be acceptable.
The CB can use any means to distinguish or differentiate these two versions of the obsolete document.

Question 35.1 Decision Making Competence

The expected knowledge of the decision-making committee or person includes all the criteria and procedures for certification; shall this also include the knowledge of the various industrial scopes?

Shall the person(s) or committee(s) who will take the decision have the competence:

  • in accreditation scheme requirement (ISO/IEC 17021-1 & ISO/IEC 17021-3)
  • the conformity assessment scheme requirements (ISO 9001)
  • as well as in the industrial scope (39 fields)?

If yes, what is the difference between an assessor and the decision-making person?

March 2018

According to: ISO/IEC 17011 clause 6.2.1 “6.1.2.1 The accreditation body shall have a documented process for determining and documenting the competence criteria for personnel involved in the management and performance of assessments and other accreditation activities. Competence criteria shall be determined with regard to the requirements”

Therefore, with regard to the items in the question:

– Yes, they should have competence in the conformity assessment standard

– Yes, they should have knowledge of the scheme requirements

– No, generally there would be no requirements for them to have detailed knowledge of the industrial scope

It is not expected that the decision makers should have the same level of knowledge as an assessor, but they need to know sufficient to ensure that everything relevant has been covered by the assessment. Decision makers can call on expertise as part of their review.

Question 35.2 ISO 27001 ISMS Scoping

We have a certification body with a client for ISO 27001 that has within its (client of the CB) scope ‘cloud storage’ but this is hosted by a third party company. We have required evidence of how this can be included in the scope and how it can be incorporated into the client’s ISMS. We have accepted this situation if the third-party company carrying out the ‘cloud storage’ has an accredited ISO 27001 certificate for this activity and the CB’s client has to ensure that this is current and maintained.

Does the committee consider this acceptable?

March 2018

It is the responsibility of the certified client to ensure the cloud storage provider meets requirements:

ISO 27001 requires in #8.1 Operational planning and control

“The organization shall ensure that outsourced processes are determined and controlled.”

Although ensuring the cloud storage provider holds an accredited ISO 27001 certificate is, of course, one means to control that process (“cloud storage”), it is not the only possibility.

Question 35.3 ISO 27001 ISMS calculation of audit time

This question concerns how the calculation of auditor time for ISMS audits should be carried out. One CB we have is applying a formula to calculate ‘effective personnel’ and then applying the tables in Annex B and Annex C of ISO 27006. There is a concept of ‘effective personnel’ contained in ISO 50003 but there is no such term used in ISO 27006. IAF MD 5 also includes the concept of ‘effective personnel’ for QMS and EMS audits.

Does the committee consider this acceptable?

March 2018

Annex B of ISO 27006 states:

“The total number of persons doing work under the organization’s control for all shifts is the starting point for determination of audit time.”

The concept in the 2 documents is the same: the effective personnel is the personnel falling into the scope of the QMS or ISMS, which means potentially each and every person who is utilizing the ISMS or the QMS.

The concept in ISO 50003 (Annex A) is different as the effective personnel is defined as personnel “who materially impact the EnMS”.

The criteria of IAF MD5, i.e. the effective number of personnel, should be the one taken into account for implementing ISO 27006.

Question 35.6 Accreditation to Draft Standards

When we had the transition from ISO 9001:2008 and ISO 14001:2008 to the new revision, we had some accreditation bodies that accredited CABs already on the draft of the 2015 revision.

So, we had CABs accredited on the F-DIS before the publication of the standard.

Soon we will have the publication of ISO 45001:2018, and we are facing the same situation.

Questions:

  1. Can an AB accredit against a draft of the standard already circulated for public consultation (but not yet published)?
  2. Can an AB accredit against a draft of the standard not yet circulated for public consultation but available as a draft within the working group?

March 2018

The consensus of the Certification Committee is that accreditation can only be delivered against a formal, published, standard, not against a DIS or FDIS.

  1. According to 765 Reg:
    • Accreditation shall mean an attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity;
  2. EA MLA Coverage
    • Conformity Assessment Schemes (CAS) covered by the EA-MLA (according to EA MLA Coverage) are:
      • Accreditation according to ISO/IEC 17025
      • Accreditation according to ISO/IEC 15189
      • Accreditation according to ISO/IEC 17020
      • Accreditation according to ISO/IEC 17024, etc.

Question 35.8 Exclusion of “design and development”

With the requirements of ISO 9001:2015, is it still possible to exclude “design and development” in the application phase and to give an a-priori reduction on the time allocation?

In the opinion of RvA, the new standard requires that “The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.” Though it is accepted that for some organisations, an appropriate process may be a simple process to audit, however, all organisations will perform some form of design and development (if only to enable changes to the internal processes and services). The appropriateness of the process will have to be audited (especially in initial audits).

It is our opinion that a statement like “the scope of certification does not specify ‘design and development’ and therefore we reduce 10 – 30 % of audit time” is not in line with the current requirements and intent of ISO 9001:2015 and of ISO 17021-1, cl. 9.1.4. 2.a.

March 2018

The consensus view of the CC is that YES, it is possible to exclude design and development but that such an exclusion must be justified.

It is agreed that most organisations carry out some type of design and development although it may not always be recognised as such.

Design and development could be excluded from the scope of the QMS of an organization provided the organization has demonstrated (§ 4.3 and annex A5 of ISO 9001) that it does not have to fulfill the requirement of § 8.3 of ISO 9001.

But the CB shall evaluate this demonstration and the real scope of the organization before deciding whether or not it can reduce audit time; this could be an output of stage I.

Question 35.9 Accreditation Cycle for MD17

Would it be possible to harmonise the concept of accreditation cycle for the purpose of equivalent application of the requirements for NABs in IAF MD17 (and others such as MD16, etc.)?

MD17 requires NAB’s to determine the number of witness audits per accreditation cycle. For the purposes of harmonization, could we state that this should be read as the number of witness audits per 4 years and that if NAB’s have an accreditation cycle of 5 years, that the number of witness audits in the cycle should be 20% higher. The discrepancy between the cycle lengths would negate part of the harmonization efforts that are intended by this IAF MD.

March 2018

This question was put to the IAF Technical Committee in Frankfurt in March 2018, IAF MD17 was subsequently updated and is in draft form.

The draft introduced a standard first period of 5 years of accreditation for witnessing irrespective of the accreditation cycle, this was subsequently agreed at the IAF TC.

Question 35.10 Definition of nonconformity

During the assessment of a certification dossier (initial certification), RvA noted the following: though generally the nonconformities are rated and resolved appropriately, for one of the nonconformities the following is noted. Minor nonconformity X reads “The Management Review does not demonstrably include inputs “the effectiveness of actions taken to address risks and opportunities” and “opportunities for improvement” (ref. 9.3.2 e and f)”. The nonconformity was classified as minor, because the topics related to these sub elements could be shown to have been managed within the QA dept.

The client had taken the following (paraphrased) corrective action: The management review template was changed to include these topics (demonstrated); and new method will be implemented next year. This had resulted in closing the minor nonconformity and issuing the ISO 9001 certificate (effective implementation to be verified at the first surveillance).

The CAB had used the definitions in line with ISO/IEC 17021-1 (3.12 and) 3.13 to the letter. However, this means that the CAB has certified a client, while they have demonstrated that a nonconforming situation had not yet been demonstrably closed, i.e. it had demonstrated that the client does not comply with all requirements.

In our opinion, this is a clear and straightforward example of where the current definition of nonconformity does not function properly. Under the requirements of ISO/IEC 17021:2011, the CAB should have raised a major nonconformity, because, in line with cl. 9.1.15 b1, the “nonconformity represented 1) failure to fulfil one or more requirements of the management system standard” and the CAB was required to verify effective implementation of corrective actions prior to closure.

It is our opinion that in this type of cases “non-fulfillment of the requirement of the standard”, even though it is not demonstrable (or even if it is just not clear whether) this nonconformity affects the capability of the management system to achieve the intended results, should be raised as major nonconformities.

This topic may be as applicable to many other nonconformities, e.g.

“The organization did not define the audit criteria and scope for each internal audit” (9.2.2.b);

“The organization did not retain documented information that identifies the authority deciding the action in respect of the nonconformity”(8.7.2.d);

“It is not demonstrable that, in determining the extent of post-delivery activities that are required, the organization has considered customer feedback or customer requirements” (cl. 8.5.5 d and e);

“It is not demonstrable that the organization has taken into consideration, the effectiveness of the controls applied by the external provider” (8.4.2.c.2);

Etc.

We ask if this item can be raised as a broader concern with the aim of ensuring that if a nonconformity is raised which represents “a failure to fulfill one or more requirements of the standard”, then the consequence is that such a nonconformity shall be closed only after effective implementation of corrective action has been demonstrated. This is to ensure that the CAB’s statement of conformity is not supported with an audit that has demonstrated a failure to fulfill a requirement of the standard.

March 2018

In the soul of the standard, the writers are concerned with two types of nonconformities (see 3.11, 3.12 and 3.13 of ISO/IEC 17021-1:2015). One can be closed conditionally (without reviewing corrective action evidences for effective implementation), the other one cannot (reviewing corrective action evidences for effective implementation is a MUST).

Actually, it depends on the nature or context or content of the NC. According to the new High Level Structure approach, the intended results can change from one organization to another, even if the organisations are almost the same size and in the same business sector. Their intended results may vary depending on what they want or expect from the implementation of ISO 9001 or any MS standard.

To support this comment, we should take into consideration Clause 9.5.2 b) and c) of ISO/IEC 17021-1:2015 given below.

3.11 nonconformity

non-fulfilment of a requirement

3.12 major nonconformity

nonconformity (3.11) that affects the capability of the management system to achieve the intended results

Note 1 to entry: Nonconformities could be classified as major in the following circumstances:

  • if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  • a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

3.13 minor nonconformity

nonconformity (3.11) that does not affect the capability of the management system to achieve the intended results

9.5.2 Actions prior to making a decision

The certification body shall have a process to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that:

  b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions; (actually the decision is not conditional)
  c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action. (actually the decision is conditional, effective implementation of correction or corrective action will be verified during the next audit e.g. first surveillance)

Question 36.4 Scope of Accreditation for ISO 13485

Scope of Accreditation for ISO 13485 is defined in Annex 1 of IAF MD8:2017. The category 1.7 (parts or services) has explicit reference to Calibration Services along with the note “Organizations providing calibration services should be accredited to ISO/IEC 17025”. (We consider that Organizations providing calibration services shall be accredited to ISO/IEC 17025.) This IAF MD8 reference can easily create confusion to people who are not fully aware of the difference between accreditation and accredited certification.

Question

Is it ok for a NAB not to accept accreditation for calibration services based on ISO 13485?

September 2018

Accreditation of calibration services shall be made to ISO 17025. A NAB cannot use ISO 13485 to accredit calibration services. EA and ILAC MLA for calibration are based on ISO 17025.

The NOTE tries to explain that situation.

The accreditation of a CB according to ISO 17021 to certify ISO 13485 is limited to certification services and is not intended for accreditation (for example a testing lab may be certified to ISO 9001 under accreditation and this does not mean that it is accredited for testing).

It should be also remembered:

Annex 1: IAF-ILAC JGA 2007 Sydney Resolution 7 – Certification to accreditation standards

The IAF and ILAC Joint General Assembly, acting on the recommendation of the JCCC, resolves that when a Conformity Assessment Body (CAB), accredited by an Accreditation Body (AB), is providing certification to any standard used as a basis for accrediting CABs (e.g. ISO/IEC 17025 or ISO 15189), the AB shall initiate its process for suspension of accreditation, as this behaviour of the CAB will put the AB, against its will, in the condition of providing the same service that a CAB performs, in violation of clause 4.3.6 of ISO/IEC 17011. Further decisions shall be based on the actions taken by the CAB. All IAF and ILAC AB members shall include a suitable provision on such a possibility in their contracts with CABs.

Note: It is accepted that a CAB may have to assess subcontractors to confirm that they meet the CABs’ requirements, which may include accreditation standards e.g. ISO/IEC 17025. Documentation issued to subcontractors as a result of a successful assessment should clearly state that this is only for the purposes of the subcontract and is not certification or accreditation in accordance with ISO/IEC 17011.

Question 36.5

Is the time requirement of a mandatory extra day for certification bodies necessary for recertification audits when all requirements will be audited anyway?

“Where migration audits are carried out in conjunction with scheduled surveillance or recertification (i.e. progressive or staged approach) then a minimum of 1 auditor man-day is required to be added to cover existing and new requirements implied by ISO 45001:2018”

September 2018

Yes.

According to IAF MD 21:2018, 4.2.2

“Based on the agreement with the organizations certified to OHSAS 18001:2007, CB’s can conduct migration activities during a routine surveillance, recertification audit or a special audit.

Where migration audits are carried out in conjunction with scheduled surveillance or recertification (i.e. progressive or staged approach) then a minimum of 1 auditor man-day is required to be added to cover existing and new requirements implied by ISO 45001:2018.

Recognizing that each client and migration audit is unique and audit duration will be increased above the minimum as needed to sufficiently demonstrate conformity to ISO 45001:2018”.

The recertification audit covers the requirements of the old standard.

The new standard is clear: “Minimum one-man day is required to be added to cover existing and new requirements implied by ISO 45001:2018”.

Question 36.7 Statistical Sampling

Is there a good practice on application of statistical sampling on the number of certification files that are to be evaluated during the on-site assessment by the assessment team in order to provide a representative assessment of accredited CAB activities?

What practical experience do ABs have on this matter?

September 2018

It was agreed that there are certain principles that are important such as coverage of scope.

Reconsider the question focusing on “sampling” instead of statistical sampling.

If the CAB considers introducing statistical techniques, then statistics as a tool can be applied to sampling.

Think about the question in terms of things to take into account.

Question 36.8 Audit time for ISO/IEC 27006

Should the numbers of personnel in Table ISMS B.1 be seen as a continuum rather than a stepped change? There is no note in the standard as in the IAF MD 5 document.

September 2018

It was agreed at the IAF TC that this would be a continuum.

Question 36.10 Scopes of Certification

IAF Decision Number 16/10/03 on Scopes of Certification states that ‘Referencing a standard/normative document/code of practice that is outside of the scope of accreditation is not allowed due to being misleading on an accredited certificate.  Refer to ISO/IEC 17021-1, 8.2.2 e & f.’

What is the meaning of “that is outside the scope of accreditation”?

For example, a nonconformity was raised by an assessor against a Certification Body for issuing an ISO 9001 certificate with the following scope: –

“Furniture removals and storage in compliance with BS 8522: 2009, BS 12522: 1998, BS 14873: 2005 and BS 18477: 2010”

The quoted British Standards are Service Specifications for furniture removals and storage, therefore it could be argued that they are inside the “management system” scope of accreditation, as they relate to the main area of furniture removal specification delivered by the “management system”.

– Does the EACC consider that standards can be included in ISO 9001 scopes if they are related to the scope of accreditation?

– Would the EACC consider the above scope example to be acceptable if the wording was clarified to show “X Company Ltd has demonstrated that the management system complies with ISO9001: 2015 for the provision of Furniture Removals and Storage, in support of industry specifications BS 8522: 2009…………….)?

[Assumption: The CB would also need to demonstrate that their relevant personnel (auditors etc.) are competent in the service requirements detailed in the related Normative requirement.]

September 2018

On the ISO webpage, it is written that “A management system is the way in which an organization manages the inter-related parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace and many more.” According to this definition, a management system does not directly focus on the product or service quality or its conformity to any specification, standard or normative document requirements.

ISO/IEC 17021-1 states that

8.2.2 The certification document(s) shall identify the following:

  e) the management system standard and/or other normative document, including indication of issue status (e.g. revision date or number) used for audit of the certified client;
  f) the scope of certification with respect to the type of activities, products and services as applicable at each site without being misleading or ambiguous;

The above questions are answered below:

What is the meaning of “that is outside the scope of accreditation”?

Does the EACC consider that standards can be included in ISO 9001 scopes if they are related to the scope of accreditation?

In the accreditation of MS certifications, the scopes are defined in different documents e.g. ISO 9001 and ISO 14001 scopes in IAF ID 1, ISO 13485 scopes in IAF MD 9, ISO 45001 scopes in IAF MD 22 and ISO 50001 scopes in ISO 50003 etc. In all of these scopes there is no reference to any other conformity assessment specifications or standards, to avoid being misleading.

Because of this, unless they are defined in the scheme requirements, the standards cannot be included in ISO 9001 scopes.

Would the EACC consider the above scope example to be acceptable if the wording was clarified to show “X Company Ltd has demonstrated that the management system complies with ISO9001: 2015 for the provision of Furniture Removals and Storage, in support of industry specifications BS 8522: 2009……..)?

An AB should focus on the main reason for this type of scope definition. The AB should determine whether or not the CB intentionally wants to imply that, in addition to ISO 9001 conformity, the products or services of the client organization subject to MS certification conform to the relevant product or service standards at the same time.

To avoid misleading or creating confusion or being ambiguous, the AB should not consider the above scope example to be acceptable or applicable even if the CB claims its relevant personnel are competent in the product or service requirements in the related normative document referenced in the scope.

Question 36.12 IAF MD8

The IAF MD 8 document sets the requirement for accreditation of certification bodies auditing and certifying ISO 13485. It also can be used for regulatory purposes (and here the trouble starts…)

The IAF-based mandatory document is not clear in many points and we (SAS) have since the beginning pointed to this unclear situation. The most obvious weakness is the incorporated “dualism” of management system certification according to ISO 13485 and “medical device related requirements”, covered in Europe by the new EU legislation (and most probably in other parts of the world by other regulatory approaches).

Now, we have faced two problems when assessing certification bodies for ISO 13485:2016 to cover management systems of organisations dealing with the following categories of medical devices:

Part A:

IAF MD 8:2017, Annex 1, Table 1.1

“Non-active medical devices other than specified above”

IAF MD 8:2017 Annex 1, Table 1.2.

“Active (non-implantable) medical devices other than specified above”

Please tell us what exactly these two categories in the annex 1 are and what distinct technical competence it would require to cover it a) in the assessment team and b) in the certification body.

Part B:

Even when the IAF document is in the issue 3 (IAF MD 8:2017) it still refers to ISO/IEC 17011:2004 and does not take into consideration ISO/IEC 17011:2017. That is why formally the mandatory document is no more applicable when the accreditation body switches to ISO/IEC 17011:2017.

  1. What is your point of view?
  2. And as the document should be probably again updated to the ISO/IEC 17011:2017 version, would it be a good idea to get rid of this above mentioned “dualism” that makes this IAF mandatory document hardly applicable in Europe (see situation together with the requirements of the EU legislation on medical devices).

NOTE: Please note that in many cases (probably in most of the cases), ISO 13485 is applied to non-manufacturer of medical devices but rather to suppliers / vendors and subcontractors not really in the same status as a classical manufacturer of medical devices that want to put on the market their devices.

Such companies normally could get along very easily with an ISO 9001:2015 certification but due to market power, they need an ISO 13485 certification for very little in house activity concerning “medical devices” (most of the time they make only small parts of the device and do not know for what exactly they are intended in the device) and ISO 13485 as the management system of choice to cover them.

Under such access approach it is also not at all appropriate to have such a severe (yearly) surveillance regime as stated in IAF MD 8!

September 2018

Part A

The main concern in this question is that there is not any exact border or separation in between “Non-active medical devices other than specified above” and the rest of the Annex 1 Table 1.1. This situation is valid for Annex 1 Table 1.2. and other parts excluding 1.7.

Unfortunately, this is the weakest point of IAF MD 8 and 9. To remove this challenge, we can propose establishing a link between IAF MD 8 & 9 and IAF ID 13 for more clarification, or giving particular product examples in each Table in Annex 1 of IAF MD 8.

Note: EA CC should forward this question to IAF TC and IAF WG Medical Devices.

Part B

As far as we know, IAF MD 8 and 9 are under revision by IAF WG Medical Devices. Even if relevant IAF MDs are not updated, all ABs must follow the new version of ISO/IEC 17011.

a) In Annex A Table A1 of ISO/IEC 17011:2017, the requirements for the knowledge and skills for competence are so generic and this document is “informative”. But, the Annex 2 of IAF MD 8 (Required types of knowledge and skills for personnel involved with the IAF ISO 13485 activities) is normative and covers specific knowledge and skills requirements for AB’s personnel for medical devices. IAF can put additional requirements for competence as normative for specific conformity assessment fields, although ISO/IEC 17011:2017 Annex A is informative.

NOTE: This situation is similar to ISO/IEC 17021-1 Annex A (normative) and ISO/IEC 17021-3 requirements cover mandatory items by using “shall”, but its Annex A (Knowledge for QMS auditing and certification) covers informative requirements in particular, for ISO 9001 auditing and certification.

b) There is general agreement that dualism should be avoided whenever possible and all efforts should be made to achieve this.

Question 36.13 External auditors and experts

The certification body shall require external auditors and external technical experts to have a written agreement by which they commit themselves to comply with applicable policies and implement processes as defined by the certification body. The agreement shall address aspects relating to confidentiality and impartiality and shall require the external auditors and external technical experts to notify the certification body of any existing or prior relationship with any organization they may be assigned to audit.

NOTE Use of an individual or employee of another organization individually contracted to serve as an external auditor or technical expert does not constitute outsourcing.

Question:

A: Does it mean that an external auditor or technical expert has to disclose all mandates he/she actually has or had in the past e.g. as a consultant or product specialist, even not knowing whether he/she will be appointed in the audit team in the future?

In many cases, companies that look for external support do not want that the consultant or product specialist make such a relationship public to third parties. To be discreet is one of the main assets in the medical device and pharmaceutical business. Not respecting this, will put the person out of business forever in this specialized field and depending on the contract cost him/her a lot of compensation.

B: Would it be enough, as soon as the certification body asks him/her to become a part of an audit team, to tell simply that it is not possible to work for this particular certification task? Is it acceptable to reject the task without further detailed explanation?

In any case, the certification body can think about it, and make its own risk analysis and consequently mandate somebody else as external auditor for the particular task.

September 2018

Both option A and option B satisfy the requirements of clause 7.3 of ISO/IEC 17021-1.

It is acceptable to reject a task without giving a reason. However, it is the CB that is in control of the relationships, and so it would be best practice for the CB to have the relevant information to demonstrate assessment of the risk of a conflict of interest.

Question 36.14 Corrections and corrective actions

Standard, initial certification:

If the certification body is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of stage 2, the certification body shall conduct another stage 2 prior to recommending certification.

Re-certification:

Following expiration of certification, the certification body can restore certification within 6 months if the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The effective date on the certificate shall be on or after the recertification decision and the expiry-date shall be based on prior certification cycle.

Question:

A1: What is the maximum time of the duration of an initial audit, if it has not been conducted in consecutive days?

A2: Example: A CB starts a “stage 2” audit with some time lags, that the whole audit will be conducted in a period of more than 6 months (e.g. a gap of 9 months between two parts of the stage 2 audit). Is the result of the first part of this audit still valid at the end of the second part of this stretched “stage 2” audit?

NOTE: Many references in the standard limit time of corrective action implementation to 6 months, but for the duration of an (interrupted) stage 2 audit there is no limit.

September 2018

The risk-based approach comes into play here.

As indicated in the question, there are no requirements or guidance for an interrupted stage 2 audit.

A certification body will need to take a number of factors into account when determining the audit time for the second part of an interrupted stage 2 audit, for example:

  • the requirements of IAF MD 5;
  • the reason for the delay – was it due to major nonconformities being identified?
  • have there been any changes in top management since the first part of the stage 2 audit?
  • have there been any other significant changes in the client’s organization?
  • are the results of the first part of the stage two audit still valid?

The real question that must be asked is why is it necessary for the stage 2 audit to be interrupted for a period of nine months? That suggests that there were some serious issues (major nonconformities) that delayed completion of the stage 2 audit, in which case the requirement of clause 9.5.3.2 of ISO/IEC 17021-1 would be applicable.  If there is a delay of nine months between two parts of a stage 2 audit, it is difficult to see that the audit time could be less than if it were a new stage 2 audit.  The underlying requirement of ISO/IEC 17021-1 (clause 9.1.4.1) is that ‘for each client the certification body shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system’.  Therefore, irrespective of the requirements of IAF MD5, the certification body must be able to demonstrate that the audit duration is sufficient to meet this underlying requirement and the accreditation body must evaluate the output from the audit to satisfy itself that the audit duration was sufficient to do so.

Question 36.15 New schemes

The main federal regulator in the medical field has set up a complex certification scheme under ISO/IEC 17021-1 (management system) for data protection in patient health care. Accreditation of CB is the base for the acceptance of certification bodies by the regulator to work in this field.

The requirements in the legislation are already set up, but in practice the scheme is still under development, (the legislation text has several requirements that shall be tested by a special software).

Unfortunately, due to some problems, a considerable delay occurred and the software as a key element in this data protection scheme is not available yet.

Nevertheless, the federal regulator urged the NAB to start the assessment process of the potential applicant certification bodies and the certification bodies shall start with the first step of the scheme (certification according to ISO 27001). The reasons why this happened are not clear.

Question:

Is it possible to refuse in general the assessment task when a “scheme is not fully developed and available”? In addition, at this moment the NAB has no proof that the scheme will be based on rugged procedures. Even when it is based on a federal ordinance.

A1) What can be used as arguments (backed up by EA, IAF or normative criteria) to still perform the work as requested? What provisos shall be made?

A2) What arguments (backed up by EA, IAF or normative criteria) can be used to refuse such an (unfinished) work?

September 2018

This question is not specific to Certification and could also be provided to the HHC.

Consensus is that the situation is as described in A2, with the argument that accreditation to a specific accreditation scheme cannot be delivered if the requirements of ISO/IEC 17011 § 4.6 are not fulfilled.

In the present case, it appears that these requirements cannot yet be fulfilled.

And an AB shall fulfill the whole of ISO/IEC 17011, as per EC 765/2008 and the IAF and EA MLAs.

Another way would be to allow each CB to develop its own scheme based on the already published requirements and for the NAB to evaluate each certification scheme, implementing ISO/IEC 17011 §4.6. But this would be very difficult for the NAB and would lead to potentially different certification schemes and then certification results, which would be very risky and does not seem to be what the regulator needs in such a complex and regulated area.

Question Energy Audits

Is the performance of energy audits, in accordance with ISO 50002 or BS EN 16247, as well as environmental and/or energy management system certification for the same client considered to be an unacceptable threat to impartiality?

March 2017

Consensus Position
An energy audit may be used to support the “Energy review”, which is a key process and forms the basis for an energy management system according to ISO 50001. An energy audit according to ISO 50002 (or BS EN 16247) is defined as a “systematic analysis of energy use and energy consumption within a defined energy audit scope, in order to identify, quantify and report on the opportunities for improved energy performance”. Performing a full energy audit according to ISO 50002 or BS EN 16247 contains elements of management system consultancy, including the following examples:

  • “establish and evaluate the current energy performance”;
  • “The energy auditor shall identify energy performance improvement opportunities based on analysis and the following: a) their own competency and expertise …”
  • “When reporting the energy audit results, the energy auditor shall: … f) provide a prioritized list of energy performance improvement opportunities; … g) suggest recommendations for the implementation of the opportunities.”
  • “The energy audit report shall include the following topics: d) opportunities for improving energy performance: 1) recommendations and the suggested implementation programme; 2) assumptions and methods used in calculating energy savings, and the resulting accuracy of calculated energy savings and benefits; 3) assumptions used in calculating costs of implementation, and the resulting accuracy; 4) appropriate economic analysis, including known financial incentives and any non-energy gains; 5) potential interactions with other proposed recommendations; 6) measurement and verification methods recommended for use in post-implementation assessment of the recommended opportunities;”.

Therefore, the performance of energy audits, in accordance with ISO 50002 or BS EN 16247, as well as environmental and/or energy management system certification for the same client is considered to be an unacceptable threat to impartiality. It is noted that providing EMS or EnMS certification to entities, related to the client where the Certification Body has provided an energy audit, who could use those energy audit results (i.e. through having a similar energy profile) shall also be considered to be an unacceptable threat to impartiality.

When EnMS and EMS Certification Bodies demonstrate through their regular mechanisms awareness and mitigation of the risks to impartiality arising from the consultancy elements as listed above, the performance of energy audits at other clients is not considered to be an unacceptable threat to impartiality.

Question CW2017 1

This question is the result of a workshop held at the EACC meeting in March 2017

Can a Certification Body offer management systems related training?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1 and 5.2.3

The consensus position of the EACC is that training can be offered as long as it is generic and not tailored to a particular customer and as long as it does not offer direct solutions to the customer’s management system implementation.

Attendance at training courses must not be compulsory and customers sending delegates must not be given any preferential treatment.

The provision of training should be covered within the CB’s risk management system.

Question CW2017 2

This question is the result of a workshop held at the EACC meeting in March 2017

How much should the organisation’s consultant be involved in the CB audit process?

March 2018

ISO/IEC 17021-1: 2015 – clause 9.1.1; 9.2.2.3; and 9.3.1.3

The consensus position of the EACC is that there is no restriction on the presence of the consultant in the audit process.

The role of the consultant (e.g. ranging from being observer/guide to acting Quality Representative) shall be clearly established and the participation should be in line with that role (e.g. no interference vs answering/contributing as QR).

Notwithstanding the above, the following points should be noted by the CB’s auditor:

  • The management system should be owned by the organization with the consultant’s assistance; the organization must be able to demonstrate that there is effective leadership in terms of the implementation of the management system.
  • If the consultant is present during the audit, it is important that the CB is able to see that the system is effectively implemented by the organization and is not just “owned” by the consultant.

Question CW2017 3

This question is the result of a workshop held at the EACC meeting in March 2017

Can the CB offer internal auditing to its clients?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.6

The consensus position of the EACC is that this is not possible for existing clients of the CB; internal auditing can be offered to other organisations not certified by the CB. There should be a suitable gap (2 years) between the CB offering internal audit and the customer becoming certified by that CB.

Question CW2017 4

This question is the result of a workshop held at the EACC meeting in March 2017

Can a CB provide finder’s fees to consultants?

March 2018

ISO/IEC 17021-1: 2015 – Clause 5.2.1; 5.2.3

Attention is drawn to the IAF Technical Committee decision 10/10/01, which is reproduced here:

It should be noted that this decision was made in 2010 and there have been some changes since then, for example the bullet point referring to Impartiality Committee, which is no longer a requirement; reference should be made to the risk processes of the certification body.

“Consensus of the IAF TC is that there are alternative methods to the 2-year option to manage impartiality in the case of payment of commission/finder’s fee to consultants.  A CAB has to demonstrate the following:

  • Transparency – all documentation relevant to this relationship are recorded and available on request to AB. The client and relevant CAB personnel are aware of this relationship and/or payment of commission/finder’s fee and that the CAB does not provide special treatment.
  • Management of the CAB has signed the relevant declaration of impartiality that includes reference to such relationships and their management.
  • Risk assessment conducted for the specific relationship between the involved parties. Special attention given to the threats arising from relationships of the parties/individuals involved.
  • Impartiality committee reviews the effectiveness of management of risk due to such relationships.
  • A process is established to ensure there is no special treatment of clients during the certification process.
  • Instances of pressure or influence from management, consultant or client are reported and mitigated.
  • Additional witnessing of the audits may need to be conducted by the CAB.
  • Closer scrutiny of audit output and certification / recertification decisions.
  • Monitoring of such relationships through internal audit.
  • An AB may need additional time to assess the management of such relationships and may also need to conduct additional witness audits.”

Questions relating to ISO/IEC 17065 – Product Certification

Question 32.7 Other standards

The question concerns certification schemes where inspection is (part of) the evaluation activities. Which independence criteria would apply to inspection bodies or individually hired inspectors?

As certification and the inclusive components like inspection are a third party activity, we would assume that the requirements of ISO/IEC 17020: 2012 Clause 4.1.6.a / Clause A.1. apply in full.

September 2016

It is for the certification scheme (and accordingly for the scheme owner) to specify the independence requirements applicable to the nature of the evaluation activity. So in general, inspection bodies type A, B or C might be specified to be used where inspection is (part) of the evaluation activities. On the other hand, it is for the CB to demonstrate that both internal and external resources meet the independence requirements stipulated in the relevant standard.

A) Individually hired inspectors (ISO 17065 6.2.1 internal resources)
The requirements for personnel, including the inspectors, are described in the Standard (ISO/IEC 17020:2012), regardless of the type (A, B or C) of inspection body from which they derive.

B) Outsourced inspection body (ISO 17065 6.2.2 external resources)
ISO 17065 6.2.2.2 allows the CB to outsource activities to “non independent” bodies like the testing lab of the client of the certification body. Certification is a third-party activity, but inspection as a part of the certification scheme may include “different parties’” activities: from Type A inspection bodies (third-party inspection), Type B and/or Type C inspection bodies (first party inspection for its parent organization).

Type A inspection bodies may always be used for evaluation activities complying with the rest of the requirements of ISO 17065.

The use of type B and C implies that the CB analyzes the potential conflicts of interest and adopts measures to eliminate or reduce them. Type B inspection bodies should not be involved in the certification of their parent company but may be used for evaluation activities complying with the rest of the requirements of ISO 17065. Type C inspection bodies may be used for evaluation activities complying with the rest of the requirements of ISO 17065, but this fact should be communicated in advance to the client of certification.

Probably it is going to be easier for a CB to demonstrate independence when using Type A inspection bodies while it will require more work when using Type C inspection bodies.

Question 33.4 Discrimination

Clause 4.4 of ISO/IEC 17065 reads:

4.4.1 The policies and procedures under which the certification body operates, and the administration of them, shall be non-discriminatory. Procedures shall not be used to impede or inhibit access by applicants, other than as provided for in this International Standard. […]

4.4.3 Access to the certification process shall not be conditional upon the size of the client or membership of any association or group, nor shall certification be conditional upon the number of certifications already issued. There shall not be undue financial or other conditions.

During a recent assessment an assessor raised the following NC against 4.4:

Within “certification case XYZ”, the fee was reduced without reason (compared to the fee schedule). The rules and procedures of the CB foresee such reductions but without reasoning. (The CB is internationally active and subject to assessments of several ABs. Furthermore, the reduction of the fee was decided on by a “non CL” office, not the accredited office itself.)

1) Does the EA CC support the interpretation that individual, “freeform” discounts of certification fees without reasoning and general applicability are not in line with the requirements of ISO/IEC 17065 and constitute a discrimination especially looking at equal treatment of clients?

2) More generally, what is the stance of the EA CC toward discounts and application of fee schedules? Are discounts acceptable? Under which circumstances?

3) Does the EA CC support a submission of this query to the ISO/CASCO?

March 2017

A certification body does not have to charge all clients that are in the same condition the same fee. Offering discounts does not ‘impede or inhibit’ access by applicants, neither does it impose ‘undue financial or other conditions’.

The fees charged by a certification body are a purely commercial decision for the certification body and it is perfectly acceptable for a CB to charge different clients different fees, providing the certification process is applied equally to all clients. Certification bodies operate in a competitive environment. Most clients obtain multiple quotations for certification and cost will be one of the factors taken into account. Certification bodies need the flexibility to vary their fees in order to attract clients. There is no requirement in ISO/IEC 17065 for the CB to justify the reasons for the fees it charges or for applying a discount.

Question 33.5 Group Certification

EA 6/04 stresses that groups under an umbrella organization, where only this umbrella organization is certified, may NOT sell their products individually as certified.

How is this issue dealt with given that at least GLOBALG.A.P., as a major scheme owner, does allow group members to sell their products individually, due to market pressure in the US?

What is the opinion of the EA CC in general in relation to group certificates, especially within product/process/service certification and their use by individual members?

The reply will be all the more important since a solid stance on this will be part of the revised EA 6/04.

March 2017

In a group, certification is granted based on the sampling performed and on the assessment that the group has done on all the operators that comprise it. An operator belonging to a certified group cannot receive an individual certificate (sub-certificate) as long as it has not been evaluated.

Question 33.9 certification of Feeds

Regulation (EC) No. 834/2007 in the second paragraph of the first article provides products originating from agriculture, to which the latter regulation applies as follows:

(A) live or unprocessed agricultural products;
(B) processed agricultural products for use as food;
(C) feed and
(D) vegetative propagating material and seeds for cultivation.

Our assessment procedures take into account those four areas when assessing the qualifications of persons to carry out certification procedures. If all conditions for accreditation in these areas are fulfilled, they are also listed in the annex to the accreditation certificate.

Certification bodies accredited for certification of organic production and processing under Regulation (EC) No. 834/2007, in section “C” – feed include only customers – companies which produce feeds in the production process (eg. mixing concentrated feed). Customers which produce feed on their own farms (eg. grass, hay, corn, other cereals, etc.) are included in the area “A” or “B”.

We are kindly asking for your opinion if the current classification of the customers in the area “C” – feed is appropriate or whether it is necessary to include in this area all farms producing mainly unprocessed agricultural products (usually only for animal feed) kept on their own farms.

March 2017

3 different situations can be considered:

If an operator produces feed for his livestock on his own farm (e.g. grass, corn, cereals …), he must be included in unprocessed plant products, provided that the feed is intended exclusively for his own livestock. The operator may add to the agricultural products substances complying with Annex V or additives listed in Annex VI to R (EC) 889. (Category A)

If the operator produces raw materials for animal feed, he can market them to third parties with the scope of unprocessed plant products. (Category A)

If the operator mixes the raw materials from his own holding and adds them to the substances listed in Annex V or additives of Annex VI and wishes to market the feed to third parties, he must be included in processed agricultural products for animal feed.

(It was agreed that this question would be forwarded to DG AGRI for further consideration)

Question 33.12 Notified Body Stating of Product Standards

Is it possible for an accredited CB, when also acting as a Notified Body, to issue a certificate of conformity to the producer for a given type of product, without mentioning the product standards or specifications against which conformity has been demonstrated?

Note for example the Lifts Directive: The Commission Communication 2016/C 138/03 published the list of harmonized standards to be used for the conformity assessment. So, the list of applicable standards is defined in the law, and anyone can access it.

If the conformity certificate is a positive one (approval without exclusions) the absence of identification of the standards becomes administrative and may be omitted as long as the assessment report contains the details of the conformity assessment, including the standards used?

March 2017

ISO/IEC 17065:2012 says in 7.1.2: “The requirements against which the products of a client are evaluated shall be those contained in specified standards and other normative documents.” and in 3.10: “scope of certification: identification of

  • the product(s), process(es) or service(s) for which the certification is granted,
  • the applicable certification scheme, and
  • the standard(s) and other normative document(s), including their date of publication, to which it is judged that the product(s), process(es) or service(s) comply”

If a manufacturer chooses a non-harmonised product conformity standard, it should conduct a risk analysis and show the applicability and validity of that non-harmonised standard.

On the other hand, in some EU directives there is no defined harmonised standard for specific products, and in this case it is left to the manufacturer to choose the most relevant product conformity standard or criteria.

In both cases, the product conformity certificate should give reference to the relevant standard or criteria (normative document). For other cases (when the EU Directive mandates the use of a harmonised product conformity standard), there is no need to give additional reference in the product conformity certificate.

NOTE
All the technical specifications and standards (harmonised or not) of these products are normally part of their technical files.

Question 33.17 Response to nonconformities

Situation: The certification process in the CB is as follows:

  • The CB auditor performs the audit and records nonconformities, if there are any. His/her action stops after that.
  • The reviewer (technical officer inside the CB) is in charge of the follow-up of the audit, which includes analysis of the answers from the client to the nonconformities and a recommendation on closing or not closing each nonconformity
  • The reviewer is in charge of reviewing other results from the evaluation process (e.g. test results)
  • This reviewer makes a recommendation for the certification
  • The certification decision is taken by the CB’s Director

Question: Is the analysis of the answers from the client to the nonconformities (and the opinion on closing or not closing the nonconformity) part of the audit, or can it be considered as part of the review?

  • In other words, is the analysis of the answers from the client to the nonconformities an evaluation task that shall be considered as an evaluation activity, or is this analysis of client answers part of the evaluation process without being considered as an evaluation task belonging to evaluation activities?

Depending on the answer, does it fulfil (or not) the requirements of 7.5 if the reviewer performs the analysis of the answers from the client to the nonconformities raised in the audit?

March 2017

Clause 7.5.1 of ISO/IEC 17065 states:

“7.5.1 The certification body shall assign at least one person to review all information and results related to the evaluation. The review shall be carried out by person(s) who have not been involved in the evaluation process.”

Therefore, an independent review is required. The review, acceptance and verification of answers to nonconformities is an evaluation activity and the individual performing these tasks cannot, therefore, perform the review required by clause 7.5.1 of ISO/IEC 17065.

If the product certification scheme requires that the certification body performs management system auditing as part of product certification, it shall meet the applicable requirements of ISO/IEC 17021-1. The applicable requirements concerning handling the client’s response to non-conformities are specified in Clause 9.5.2 of ISO/IEC 17021-1 which states that prior to making a certification decision:

  • that for any major non-conformities, the certification body has reviewed, accepted and verified the correction and corrective actions and
  • that for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action.

In this case, the review and acceptance of the client’s plan for correction and corrective action, in respect of minor non-conformities, is not part of the evaluation as there is no verification of the correction and corrective action, and the individual performing these tasks can perform the review required by clause 7.5.1 of ISO/IEC 17065.

Question 33.20 witnessing for CPR

In the area of Product Certification, the NAB performs demo witness assessments in the initial accreditation or scope extension assessments for CABs that have not yet been designated as NB by the notifying authority and have applied for the first time in the field of CPR (Reg. No. 305/2011) for a certain scope, and makes a decision about the CAB’s competence based on this demo witness assessment.

The question is whether CABs can use the reports and outcomes of this demo witness assessment as a basis for the certification decision and for issuing a real certificate under CPR for the relevant producer, after being accredited by the NAB and being designated as Notified Body by the authorities, without performing a new audit of the relevant producer.

Has any other NAB faced a similar case in their country, and what is the general implementation regarding this issue in other EA member countries?

Note: The national authority requests the NAB’s opinion about this issue and expects the NAB to determine some rules in accreditation procedures for preventing this issue.

March 2017

When CPR came into force there were two options for the initial accreditation: one possibility with DEMO witness assessment and the other possibility with conditional accreditation.

The first possibility takes place in the initial accreditation for CABs which are not notified. If the AB follows all the procedures regarding accreditation, then a new audit of the relevant producer is not needed after the Notification (DEMO witnessing assessment); however, the NB would need to carry out a review to ensure that the processes used in the DEMO witnessed assessment are still valid in terms of the processes under which the CAB achieved Notification.

The second possibility was a practice suggested by the European Union. This means accreditation shall be gained without witness assessment and under the condition that the first witness assessment will take place with the AB (conditional accreditation).

Question 34.1 Interpretation of Organizational Control

One applicant certification body has two owners (persons). These two owners are also the owners of another company. The second company is a provider of the certified services. These two people own all the shares of both companies.

Do you consider that the second company (the provider of certified services) is under the “organizational control” of the certification body?

4.2.6 The certification body and any part of the same legal entity and entities under its organizational control (see 7.6.4) shall not:

  • be the designer, manufacturer, installer, distributer or maintainer of the certified product;
  • be the designer, implementer, operator or maintainer of the certified process;
  • be the designer, implementer, provider or maintainer of the certified service;

7.6.4 A certification body’s organizational control shall be one of the following:

  •  whole or majority ownership of another entity by the certification body;
  • majority participation by the certification body on the board of directors of another entity;
  • a documented authority by the certification body over another entity in a network of legal entities (in which the certification body resides), linked by ownership or board of director control.

The standard states “whole or majority ownership of another entity” by the certification body as a means to exercise organizational control, but nothing is said about the same situation for the owners of the certification body.

September 2017

Since the two persons own all the shares of the CB, they are legally responsible for the CB and have full authority over the CB. They shall then be considered as being the CB.

Therefore, the answer is yes: the second company (providing the certified services) is under the organizational control of the CB.

Clause 4.2.3 should also be noted; this requires the CB to identify risks to its impartiality on an ongoing basis, including risks that arise from its relationships, or from the relationships of its personnel. The Note to this clause states that a relationship that threatens the impartiality of the certification body can be based on ownership, governance, management, personnel. Such common ownership should be identified as a risk to impartiality.

Question 35.5 Competence criteria

Relating to ISO/IEC 17065 Clause 6.1.2.1 the certification body shall determine the criteria for the competence of personnel for each function in the certification process (see Clause 7).

Does the above requirement include the determination of competence criteria for each function identified in Clause 7, for example for personnel:

  • handling complaints and appeals (Clause 7.13)
  • implementing changes affecting certification (Clause 7.10) ?

March 2018

Yes, the highlighted roles are considered to be a function of the certification process and therefore competence needs to be determined.

Question 36.3 External Sources

What is the difference between external source (cl. 6.2.2 ISO/IEC 17065) and subcontractor (for ex. article 45 of CPR together with Blue Guide, article 5.2.5)? Is there any difference based on who is providing education/training or paying the person? What are the criteria, requirements?

September 2018

Use of external resources and subcontracting are essentially the same and are outsourcing of assessment and verification activities.  The requirements of clause 6.2.2 of ISO/IEC 17065, Article 45 of the CPR (which refers to Article 43) and clause 5.2.5 of the Blue Guide are consistent.

They all require that external resources/subcontractors:

  • are competent to perform the tasks they are allocated;
  • shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the construction products which it assesses, nor the authorised representative of any of those parties;
  • shall not become directly involved in the design, manufacture or construction, marketing, installation, use or maintenance of those construction products, nor represent the parties engaged in those activities;
  • shall not engage in any activity that may conflict with their independence of judgement and integrity related to the activities for which they have been employed and
  • do not affect the confidentiality, objectivity and impartiality of the assessment and/or verification activities they perform.

It is the responsibility of the Notified Body to ensure that the external resources/subcontractors they use have the necessary competence for the tasks they perform on their behalf. Providing it does not affect confidentiality, objectivity and impartiality, how they gained this competence and who paid for their education and training is irrelevant. Where a subcontractor has worked for or with a client of the Notified Body it is appropriate for the Notified Body to establish a minimum time period before the subcontractor can perform assessment/verification activities on that client or its products. For example, in the case of management systems consultancy, this is a minimum of two years (ref. clause 5.2.7 of ISO/IEC 17021-1).

It is the responsibility of the Notified Body to pay its external resource/subcontractors for the tasks they perform.

Question 36.11 Mandatory Documents v Notified Bodies

Shall a Notified Body follow the relevant MD IAF documents when assessing a manufacturer’s quality system (i.e. Conformity to EU-type based on quality assurance of the production process – Module D)?

In particular, shall the following documents be considered mandatory: IAF MD5 (duration of audit), MD2 (transfer of certification), MD1 (multiple sites sampling)?

September 2018

As in the example given in the question:

(In Blue Guide 2016)

D Conformity to EU-type based on quality assurance of the production process

Covers production and follows module B. The manufacturer operates a production (manufacturing part and inspection of final product) quality assurance system in order to ensure conformity to EU-type. The notified body assesses the quality system.

| Module | Description | EN/ISO/IEC 17065 | EN/ISO/IEC 17020 | EN/ISO/IEC 17021 | EN/ISO/IEC 17025 |
|---|---|---|---|---|---|
| D | Conformity to type based on quality assurance of the production process | 1 + qa | 1 + qa | 1 + pk | |

qa: Ability to assess and approve manufacturer’s quality systems where required. To this end, fulfillment of clause 9 in EN ISO/IEC 17021:2011 shall be demonstrated.

pk: Ability to make professional judgments related to product requirements where required. To this end fulfilment of clauses 6.1.2, 6.1.3 and 6.1.6 to 6.1.10 in EN ISO/IEC 17020:2012 shall be demonstrated.

Also, for Module D (Conformity to EU-type based on quality assurance of the production process), ISO/IEC 17065 is the preferred standard.

In ISO/IEC 17065:2012:

6.2.1 Internal resources

 When a certification body performs evaluation activities, either with its internal resources or with other resources under its direct control, it shall meet the applicable requirements of the relevant International Standards and, as specified by the certification scheme, of other documents. For testing, it shall meet the applicable requirements of ISO/IEC 17025; for inspection, it shall meet the applicable requirements of ISO/IEC 17020; and for management system auditing, it shall meet the applicable requirements of ISO/IEC 17021. The impartiality requirements of the evaluation personnel stipulated in the relevant standard shall always be applicable.

NOTE Examples of reasons as to why some requirements are not applicable include the following:

  • expertise is available within the certification body when using the results of the evaluation activity;
  • the extent of control the certification body has over testing (including witnessing the testing), inspection (e.g. specifying inspection methods or parameters) or management system assessment (e.g. requiring specific details of a management system);
  • a particular requirement is covered in an equivalent way by this International Standard, or is not needed to give confidence in the certification decision.

It can be seen from the above definitions and requirements that there is a strong link between accreditation for notification purposes for quality management system-based modules and accreditation requirements for MS certification bodies. In almost all cases, it is appropriate for Notified Bodies to take into account the relevant MD IAF documents while assessing quality management system-based modules, e.g. Modules D, E, H and their derivatives, especially IAF MD5 (duration of audit), MD2 (transfer of certification), MD1 (multiple sites sampling), or the Notified Bodies should take applicable IAF MDs as reference in relevant issues, i.e. audit or evaluation time allocation, multi-site sampling and transfer of certification.

Questions relating to ISO/IEC 17024 – Certification of Persons

Question 32.0 restriction

The situation concerns invoicing of an initial certification which can, in the same CB, follow 2 different routes:

  • Registration directly with the CAB: payment of fees for initial and 1st surveillance in one go
  • Registration via a training body (with which the CB has an agreement): payment of fees in 2 steps, one part before the initial examination, the other part before the 1st surveillance
  • The total amount of fees is the same in both cases

One possible interpretation of the case is that these provisions are not acceptable regarding § 4.3.3 and § 4.3.4 as they lead to 2 different treatments of the certified person:

  • In the first case, the applicant has to pay for the whole process regardless of whether he/she succeeds in the certification or continues to work after the certification
  • In the second case, under the same circumstances, the applicant will have paid only a part.

The CB argues that:

  • Conformity to § 4.3.3: from the definition of fairness (3.16 fairness: equal opportunity for success provided to each candidate (3.14) in the certification process (3.1)), the CB argues that the difference of invoicing does not affect the opportunity of success
  • Conformity to § 4.3.4: the CB argues that
      • The price is the same for all applicants
      • The fact that there are 2 steps of invoicing is due to the fact that part of the initial exam can be included in some training financial support (which exists in some cases for helping working persons to go on professional training)
      • Each applicant is informed of this possibility and can apply through a training body

The question, then, is which of the 2 interpretations above is acceptable regarding § 4.3.3 and § 4.3.4 of the standard.

September 2016

ISO/IEC 17024 states:

4.3.3: Policies and procedures for certification of persons shall be fair among all applicants, candidates and certified persons.

4.3.4: Certification shall not be restricted on the grounds of undue financial or other limiting conditions, such as membership of an association or group. The certification body shall not use procedures to unfairly impede or inhibit access by applicants and candidates.

There is no apparent breach of clauses 4.3.3 (the opportunities to be certified are the same by either of the two ways) or 4.3.4 (access is not restricted or limited arbitrarily (unfairly) to a candidate to the detriment of another), as long as both options are available to all and the relationship between the CB and the training organisations meets all other requirements of the standard.

Question 33.18 publicly available information

According to ISO 17024 cl 7.2.2, and 7.2.3, the only information that shall be publicly available without request, is that regarding the “scope” of the scheme (cl 8.2. a)) a general description of the certification process and the prerequisites (cl 8.2. e)).
Please give us your opinion (agreement or not with and if not, details for justification) on the following:

a) the previous paragraph,

b) that the standard clearly excludes the required “competencies” of the person (cl 8.2 c)) being publicly available without request, and

c) Upon request, both the “competencies” (cl 8.2 c)) and the “job description” (cl 8.2 b)) shall be provided (this does not exclude the right of the scheme owner to be paid for that information; please note that this is the case of the Standardization Bodies)

March 2017

As a preliminary, the standard has 3 different levels of diffusion regarding information:

  • The one without request (4.3.1, 7.2.2, 7.2.3, 9.2.2, 9.8.3, 9.9.2), to anyone
  • The one upon request, i.e. to anyone requesting
  • The one for applicants (9.1.1): this is also upon request (through the application)

a. Not in agreement: we do not interpret the clauses like this: the minimum mandatory publicly available information is 8.2.a) and 8.2.e). This doesn’t prevent CBs from making other information publicly available if they wish to do so.

b. Not in agreement (from answer to a))

c. Partial agreement: as per § 9.1.1, the CB shall make available “the requirements for certification and its scope”. The “requirements for certification” of 9.1.1 are considered to be equal to the “c) required competence;” of 8.2.c. Nevertheless, it is not mandatory to give the 8.2.b, even upon request.

Question 35.4 Welder Qualification EN ISO 9606

Criterion 6.3 (EN ISO 9606-1: 2014) Welding conditions states “The welding qualifier tests must be performed using pWPS or WPS prepared according to EN ISO 15609-1 or EN ISO 15609-2.”

Criterion 10 (EN ISO 9606-1: 2014) The welder certificate contains the text “… The recommended format is in Annex A. It shall contain all the particulars listed in Annex A.” And annex A requires “WPS – Reference:” without any note or explanation.

1) Is it necessary to always state the WPS reference on the personal certificate?

I.e. : WPS has to be used for welder test or where pWPS was used for the test: at the time of certificate issuing, there must exist WPS which was verified with WPQR and which was identical to pWPS used for the test.

2) Is the personal certificate, where only pWPS is stated, acceptable?

3)  In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate declaring that test was performed using WPS?

4) Is it acceptable on the certificate to be written the only number e.g. “192” in the part “WPS reference” without informing it is pWPS and is not WPS?

5) In case the test was performed using pWPS (not verified with WPQR), is it acceptable to issue a personal certificate where in the part “WPS reference”  is replaced with “pWPS/WPS reference” and it is not clarified which document version was used for the test?

6) Is such a situation at a factory in line with special technical standards in the field of welding? A welding supervisor (in a company which has a certified management system according to ISO 9001 and ISO 3834-x) accepts a personal certificate based on pWPS/WPS from a different location (e.g. issued by an accredited certification body for personnel, where test/conditions are not the same as in the company) without any additional activity/measures?

March 2018

EWF (European Welding Federation) was consulted on this question and replied as follows:

  1. As stated in clause 6.3,  a WPS or a pWPS can be used. A certificate can be issued solely based on a pWPS or on a WPS.
  2. Yes.
  3. No. If a pWPS was used, that pWPS has to be referenced not a WPS.
  4. If the WPS or pWPS is referenced in the certificate, the correct reference has to be written to guarantee the traceability. Annex A is informative, but all information within the annex is mandatory to present. How to present it is not mandatory but our opinion is that in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable).
  5. If the test was done according to a specific pWPS, that pWPS has to be traceable to the test. If the pWPS is referenced in the certificate, the reference might not contain details of which type it is, but in the certificate it should be clear if a pWPS or a WPS was used. Example: “pWPS nº/WPS nº:” (strike what is not applicable). The identification code of a WPS or pWPS used on the welder certificate must be traceable to the test records.
  6. If the certificate is valid, yes. ISO 9606-1 states all the conditions to perform the tests (minimum dimensions, tests to perform, etc.), and also allows to use a pWPS or WPS. So there could be differences on the dimensions of the test pieces used, different tests used, etc. But all these are permitted by the standard since all minimum test conditions are guaranteed, and for that reason the certificate remains valid. It is up to the company to accept it, or ask for further tests.

Question 36.6 Scheme Owners

The scheme owner, who is not a certification body, manages the scheme and all tests.

The scheme for personnel certification is structured on a computer-based examination where the results and score of theoretical knowledge are checked by an IT system.

The scheme does not contain any practical or oral tasks.

Does this mean that the CB is not obliged to have examiners and implement ISO/IEC 17024:2012 6.2.2?

Please share ABs’ experience of assessing CBs (ISO/IEC 17024) with e-assessment.

September 2018

AI or computer-based systems will have to be accepted in the short term.

Those systems are created by individuals, the designers, and therefore these persons have a role, and to that extent it is that of the examiner. By this, the examiner is not completely out of the picture. Instead, as the designer, he/she is validating the system for the examination.

Examination covers preparation of the questions and answers; it is the full mechanism, which involves the competencies of the examiner at some point, even if the examiner is not present at the exam stage.

Conclusion

In the end, we do not need an examiner provided that examiners are involved in the design of the process, at the validation stage in particular.

The CB does not need to have examiners, but examiners are needed at the validation stage.

Questions relating to all Certification Standards

Question 36.1 Schemes on certificates

How shall a certification scheme be indicated on the accreditation certificate for a product/persons/management systems CB?

For certification scheme that is based on ISO/IEC 17067, on ISO 3834-2 or type of scheme like GMP+ or Global.G.A.P (for products), on ISO 9606-1, on ISO 9712 (for persons), or on ISO 9001 (for management systems), not legislation based.

September 2018

The certification scheme needs to be identified on the certificate; this is the case whether the scheme is based on a national or international standard, and also if the scheme is based on a specific scheme document.

The scheme would normally be identified by its name and this should appear on the certificate.

When the standard or scheme gives all information about the “scheme” requirements and assessment methods, there is no need to list all details.

Depending on the scheme it may also be necessary to include the issue status or date.

(However, for management systems schemes please be aware that IAF Decision Number 16/10/03 on Scopes of Certification states that “Referencing a standard/normative document/code of practice that is outside of the scope of accreditation is not allowed due to being misleading on an accredited certificate.”)

Question 36.2 Evaluation of schemes

Does the NAB have a duty to evaluate a conformity assessment scheme (not based on legislation) that is not listed in “Results of CA schemes analysis for use by EA NABs according to EA-1/22” but for which another AB is providing accreditation? Is there any difference between granting initial accreditation and reaccreditation?

September 2018

If the CAS is not in the list, this means that the scheme owner has not applied for an evaluation of its CAS by EA using the home AB system.

In this case, the CAS has to be evaluated by each AB that is providing accreditation for this CAS.

An AB may use elements of the evaluation of the scheme by another AB for its own evaluation of the CAS, but it will have to take full responsibility for the evaluation.

This evaluation is to be done prior to the normal initial accreditation process of the CAB (see requirement ISO/IEC 17011 § 4.6.3) and does not need to be repeated at reaccreditation if the CAS has not been modified.

This evaluation has to be revised in any case of revision of the CAS.

In such a case, the most efficient way to proceed is to get in contact with the SO and suggest going through an EA-1/22 evaluation using the home AB process.