Many readers of In Compliance Magazine have seen the word “certification” bandied about in their professional lives. A smaller subset of those readers likely have some indirect exposure to the formal certification process, either through involvement in their company’s product compliance programs, as an engineer or technician in a testing laboratory, or maybe as an inspector or factory line auditor. We can likely further narrow the readership into an even smaller subset that knows that an international conformity assessment standard exists for the operation of a certifying organization (known as a Certification Body, or CB), and possibly even fewer that have direct experience with the requirements of that standard.
The standard we speak of is ISO/IEC 17065, “Requirements for bodies certifying products, processes and services,” and its most recent revision was published in September 2013. Its predecessor, ISO/IEC Guide 65, had been in existence since the mid-1990s and was referenced and used by industries and regulators around the world. Many of these industries and governments are shifting towards requiring third-party accreditation of the CBs which certify the products, processes, or services entering or being used in the country or region where the regulators have oversight responsibilities.
The Role of Certification Schemes
Before we investigate the inner workings of the ISO/IEC 17065 standard, we must be aware of one overarching fact: Certification Schemes, the set of requirements put in place by industry, regulators or other entities, are the driving documents for all certifications. Without a Certification Scheme, there is no information about the criteria with which the certified product, process, or service complies. The end user of the certified “thing” does not know if the “thing” is safe, or if it will provide a desired output, or if it will lead to a savings in energy consumption, or … the list goes on and on about what Certification Schemes can define as the requirements the product, process, or service must meet.
These Schemes also typically include additional requirements above and beyond those outlined in ISO/IEC 17065. These additional items could include (but are not limited to) requiring management system registration/certification at the manufacturer level, periodic audits of the factory line, accreditation or other recognition of the testing/inspecting/auditing body, and specifications on how to demonstrate that a product, process, or service is certified by a legitimate body.
Beyond the requirements for the certified product, process or service itself (safety limits, efficiency requirements, and so on), and possibly restrictions on participants in the overall process, Schemes generally also include instructions for how the certified product, process, or service can maintain its certification after its initial certification is granted, an activity known as “surveillance.” Ensuring that the certified product, process, or service continues to meet applicable requirements after the initial evaluation is extremely important in many cases, although there may be some things that are certified but for which the concept of surveillance is not relevant.
The importance of a Certification Scheme cannot be understated, as the ISO/IEC 17065 standard itself makes reference to the Scheme more than thirty times in its normative text and accompanying notes. Some Schemes with which many In Compliance readers are likely to be familiar include the Telecommunication Certification Body (TCB) program of the U.S. Federal Communications Commission (FCC), the IECEE “CB Scheme,” the CQC Certification program for the People’s Republic of China, and the ENERGY STAR program of the U.S. Environmental Protection Agency (EPA).
ISO/IEC 17065 in Detail
Let’s move on from the individual Certification Schemes (as there are many in the world, and each is unique to its own interests) to the contents of the ISO/IEC 17065 standard itself so that readers can understand the requirements with which CBs abide. ISO has begun harmonizing the general layout of its international standards and is moving towards an 8-section layout with which future standards (new documents as well as revisions to current standards) will align.
The first three sections of ISO/IEC 17065 are informative in nature and include references to
other international standards that are used by ISO/IEC 17065.
Section Four—General Requirements
Section Four of ISO/IEC 17065 deals with the activities and setup of the CB on a general level. This section includes requirements for legal stature, presence of a “Certification Agreement” with the clients of the CB and the minimum contents of the agreement, use of certification marks and licenses, financial support and liability coverage, non-discrimination practices, a description of information that must be made available by the CB upon request and, finally, requirements on confidentiality and impartiality.
Impartiality is stressed throughout the standard, and the deviation away from requiring complete independence from other bodies is a positive change in the modern world. The writers of this international standard acknowledged the intricate web of relationships between businesses (including their employees and contractors) and other people and organizations, and realized that to require pure independence would create significant barriers to the certification of products and to their final market destinations.
There are some independence-like restrictions placed on certain personnel within the CB in Section Four of the standard, but these are generally set forth in such a manner as to clearly ensure that the final certification decisions are made by persons without a material interest in the product receiving its desired certification. Business relationships between the CB and other interested parties are permitted so long as the CB can account for any potential risks to its impartiality, and can address those risks in an appropriate manner.
Section Five of ISO/IEC 17065 addresses the organizational layout requirements of the CB. This section is relatively short and straightforward, but the 2012 publication of this standard incorporated something that was not present in previous iterations, that is, the mechanism for impartiality. This mechanism (typically formed as a group of persons which are stakeholders in the certification process for the products being certified) is created and enabled to provide input to, and oversight of, the CB’s impartiality status.
This mechanism is required to have balanced interest representation, and the standard indicates that the CB’s personnel (if included in the mechanism) are only to be considered as a single interest point. The mechanism is empowered by the standard to report to outside bodies, such as the Scheme owner/writer, regulators, and accreditors, if the CB is ignoring the inputs and warnings given to the certifier, but the mechanism must meet the same confidentiality requirements as the personnel within the CB.
Section Six of the standard begins accounting for the people (known as “resources” in the standard) involved in the certification process. Requirements are set in place for personnel competencies, training and monitoring, and compliance with the CB’s rules and procedures. In addition, the standard also discusses the requirements that must be met for the CB’s “internal resources” (full- or part-time employees, and persons operating under contract) to ensure compliance with all rules and procedures the CB has in place, as well as “external resources” (another term for “subcontractors”) that provide evaluation services to the certifier. Evaluation is discussed in more detail in section seven of the standard, but typically involves process(es) such as testing, inspecting, auditing, or otherwise gathering information on the characteristics of the product being certified (in order to later compare that information against the scheme requirements).
These resource requirements call out other international standards, including ISO/IEC 17025 (for testing), ISO/IEC 17020 (for inspection), and ISO/IEC 17021 (for audits of management systems). If a CB chooses to use an external resource (subcontractor) for its testing or other evaluation tasks, the standard further defines the requirements that the CB must meet in order to justify use of that external resource. ISO/IEC 17065, for the first time in its normative text, mentions the concept of independence when it accounts for the use of non-independent bodies as external evaluation resources, and what the CB must do in order to use that outside entity. Ultimately, the CB is responsible for the evaluation results it chooses to use in its decision-making process, but the standard has laid out steps that must be followed in all cases.
Section Seven—the Certification Process
Section Seven of the standard covers the requirements the CB must follow while performing the various steps in the certification process. This includes receiving and reviewing the client’s application for certification (which, in many cases, is different from the previously mentioned certification agreement that must be in place), ensuring the product, process, or service is appropriately evaluated, and then having a person or persons independent of the evaluation review and make a final decision upon whether or not all certification requirements have been met. This section also includes the required information on documents given to the client to signify that their product, process, or service has been certified.
Furthermore, Section Seven of the standard discusses the situations when surveillance activities are necessary. The section ends with the inclusion of the CB’s responsibilities when it comes to ensuring that certified products, processes, or services continue to meet Scheme requirements if the Scheme is changed, what tasks the CB must take when an adverse decision is made, (such as suspending or withdrawing certification), and finally what duties the CB has for handling complaints and appeals related to its certification activities.
Section Eight—Management Systems
Section Eight of ISO/IEC 17065 covers the requirements for a management system that must be in place within the CB. Many of the requirements are similar to those found in ISO 9001. The CB must have a collection of management system documents (note that this standard has done away with the concept of requiring a central quality manual, an idea present in many previous conformity assessment standards), controlled documents and records, and must perform management reviews and internal audits in accordance with defined procedures and schedules. Finally, the CB is required to address corrective as well as preventive actions, two tasks that should be familiar to any readers that implement their own internal quality system regardless of their organization’s purposes.
Accrediting the Certification Bodies
We have mentioned previously the fact that many regulators are beginning to (or currently do) leverage existing conformity assessment infrastructures in their regions, leaning on recognized third-party Accreditation Bodies (ABs) to accredit CBs for certain types of products, processes, and services that are the responsibilities of those regulatory agencies. Even when laws don’t require accreditation of certifiers, many industries and unique-scheme CBs have chosen to pursue accreditation from a third party AB in order to demonstrate the quality, competence, and impartiality of their certifications.
Most of the regulatory agencies, and many of the voluntarily-complying CBs, recognize the benefits of the International Accreditation Forum Multi-Lateral Agreement (IAF MLA), and choose to specify or select only those ABs which are signatories to this international agreement. Each AB that is a signatory member of this MLA is rigorously peer-evaluated (against ISO/IEC 17011) on a regular basis to ensure that appropriate and consistent assessments against the ISO/IEC 17065 standard (along with particular scheme requirements implemented by the CB being assessed) are being performed. Oftentimes these regulators also attend the peer evaluations as observers in order to form their own opinions of the AB before beginning a business relationship to recognize the accreditations granted.
The IAF MLA is separated into Scopes, and the IAF has separated its recognition into “Main Scopes,” covering the accreditation of conformity assessment activities like Product Certification Bodies (addressing accreditations to ISO/IEC 17065), and Management System Certification Bodies (under ISO/IEC 17021 and its associated documents). The MLA is further divided into a tiered set of sub-scopes of certain types of management systems (Level 4 being applicable to Quality Management Systems under ISO 9001, covering certain well-known schemes such as Global GAP, and Level 5 applicable to further sub-sets of management systems such as Information Security under ISO/IEC 27001, Environmental Management Systems under ISO 14001, Food Safety under ISO 22000, and Supply Chain Security under ISO 28000). IAF’s stated goal is “Certified Once, Accepted Everywhere.”
As mentioned previously, ISO/IEC 17065 underwent significant revision and was published in September 2012. The IAF has stated that all ABs which are signatory members of the IAF MLA must have their accredited Product Certification Bodies transitioned over from ISO/IEC Guide 65 to the current ISO/IEC 17065 no later than September 15, 2015, as the old Guide 65 accreditations would cease to be recognized past that date. Interested parties can find more information on the IAF, the IAF MLA and the mandatory transition period at www.IAF.nu.
Many ABs and other independent organizations offer training on the standard to educate CBs, their clients, and other stakeholders in the certification process about these requirements in depth. If your organization has an interest in learning more about the process of becoming accredited, or the requirements of the ISO/IEC 17065 international standard, we encourage you to reach out to one of the recognized ABs, such as A2LA, for more information.