A2LA’s ISO/IEC 17065:2012 Transition and Applications Mike Buzard – Senior Accreditation Officer Adam Gouker – Accreditation Manager American Association for Laboratory Accreditation Frederick, Maryland, U.S.A Presentation to the TCB Council – April 2014 Overview A2LA Recognition, Structure, and Processes Transition to ISO/IEC 17065:2012 ISO/IEC 17065:2012 Published “Explanations” ISO/IEC 17065:2012 Requested “Explanations” Common TCB Assessment Deficiencies Implementation of FCC KDB Revisions (April 2014) A2LA is: Non profit Non governmental Independent 3rd party Established in 1978 A2LA provides accreditation: ISO/IEC 17025:2005 – Testing and Calibration Laboratories ISO 15189:2012 – Medical Laboratories ISO Guide 34:2009 – Reference Material Producers ISO 17043:2010 – Proficiency Testing Providers ISO Guide 65:1996 – Product Certification Bodies ISO/IEC 17065:2012 – Product Certification Bodies ISO/IEC 17020:2012 – Inspection Bodies A2LA Recognition International Accreditation Forum (IAF) Multilateral Recognition Arrangement (MLA) Signatory International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA) Signatory Recognized Accreditation Body under the National Voluntary Conformity Assessment Systems Evaluation (NVCASE) Program FCC Recognized Test Firm Accrediting Body (TFAB) Various Gov’t to Gov’t MRA’s through NIST A2LA Structure A2LA Processes - Assessment Order ISO/IEC 17025 and/or ISO/IEC 17065 Read AB’s Supplemental Requirements Read Regulator / Certification Scheme Requirements Submit Application(s) Assessor Assigned (performs doc review) A2LA Processes - Assessment Conduct On-site Assessment CAR’s Following Assessment Decision on Accreditation Surveillance and Renewal Assessments A2LA Processes - Cycles Year 0: Initial Accreditation Year 1: On site Surveillance Assessment Year 2: Full Renewal Assessment Year 3: Annual Review, desk audit – could be on-site Year 4: Full Renewal Assessment Year 5: Annual Review, desk audit – could be on-site Note: this is one option per ISO/IEC 17011, clause 7.11.3 A2LA Processes - Scopes Document that identifies exactly what the organization is accredited for: For Labs – identifies specific tests & methods For CBs – identifies product categories, product specs, and/or certification schemes Identifies expiration date and physical location Must be confirmed by the assessor Organizations can be accredited for “limited” scope of activities A2LA Processes - Scopes SCOPE OF ACCREDITATION TO ISO/IEC 17025:2005 YOUR LABORATORY NAME 123 Elm Street Anywhere, MD 00000 Your Name Phone: 555 555 5555 ELECTRICAL (EMC) Valid To: December 31, 20xx Certificate Number: xxxx.01 In recognition of the successful completion of the A2LA evaluation process, accreditation is granted to this laboratory to perform the following electromagnetic compatibility tests: Test Technology Emissions Radiated & Conducted Test Method(s) 47 CFR, FCC Part 15, Subpart B (using ANSI C63.4-2009); 47 CFR, FCC Part 18 (using MP-5); AS/NZS CISPR 11; EN 55011; AS/NZS CISPR 13; EN 55013; EN 55022; IEC/CISPR 22; CNS 13438 (up to 6 GHz); A2LA Processes - Scopes SCOPE OF ACCREDITATION TO ISO/IEC 17065:2012 YOUR CB’S NAME 123 Elm Street Anywhere, MD 00000 Your Name Phone: 555 555 5555 PRODUCT CERTIFICATION CONFORMITY ASSESSMENT BODY (CAB) Valid To: December 31, 20xx Certificate Number: xxxx.02 In recognition of the successful completion of the A2LA Certification Body Accreditation Program evaluation, including the US Federal Communications Commission (FCC)requirements for the indicated types of product certifications, accreditation is granted to this organization to perform the following product certification schemes: Economy Scope Federal Communication Commission - (FCC) Unlicensed Radio Frequency Devices Licensed Radio Frequency Devices Telephone Terminal Equipment A1, A2, A3, A4 B1, B2, B3, B4 C *Please refer to FCC TCB Program Roles and Responsibilities, released April 4, 2012 detailing scopes, roles and responsibilities. A2LA Processes - Assessors Independent Peer Experts Each with over 10 years of experience in field Trained to Conformity Assessment Standard (e.g. ISO/IEC 17025 and/or ISO/IEC 17065) Ongoing training and evaluations (staff, AC, CAB) A2LA Transition to ISO/IEC 17065:2012 Following A2LA “R307 – Transition Memo to ISO/IEC 17065” Adheres to IAF three-year transition period – must be completed no later than September 15, 2015 Following our 2 year reassessment cycle: Began accepting 17065 applications March 31, 2013 No longer accepting “new” applicants for Guide 65 Current CB’s must undergo assessment to 17065 If not assessed to 17065 by March 1, 2015, must undergo onsite assessment by June 30, 2015 All requests to expand to 17065 require on-site assessment Explanations From ISO/IEC 17011:2004, section 4.6.2 Follow Q/A format - A2LA’s official “explanations” of the requirements of the relevant conformity assessment standard. It is expected that conformity assessment bodies will implement the requirements of the standard in accordance with the explanations listed. Otherwise, areas of non-conformance will be identified by the assessor during the on-site assessment. https://www.a2la.org/faq/faqfinder17065.cfm https://www.a2la.org/faq/faqfinder170252005.cfm Explanations Questions typically received from CAB’s and Assessors, but are welcome from all stakeholders Explanations are proposed to Technical Advisory Committee for review and approval Explanations then reviewed and approved by A2LA management Explanations finally reviewed and approved by Criteria Council ISO/IEC 17065:2012 Explanations (4.1.2.1) What is a “Legally Enforceable Agreement”, and will my assessor be responsible for determining its legality? Any signed or sign-able record between the certification body and its client/customer Must meet the requirements of clause 4.1.2.2 Must take into account the responsibilities of the two parties in that agreement Typically referred to as a “Contract” A2LA assessors will not be determining, nor can they be held responsible for, the legality of the certification body / client agreements ISO/IEC 17065:2012 Explanations (4.6.a) Does my organization’s “Publicly Available Information” need to explicitly address each of the procedures called out in this clause if one or more are not applicable to our certification activities? Yes, the Certification Body must address each required procedure under this clause, even if the certification activities being performed do not include those actions. For example, an organization operating a certification scheme which does not allow for extensions or reductions to the scope of certification must have documented some statement to the effect of, “We do not offer any extensions or reductions to our certifications.” Ensures clear understanding between CB, Clients, and Accreditation/Regulatory Bodies ISO/IEC 17065:2012 Explanations (5.2.2.a) My organization has invited numerous possible stakeholders to be part of our “Mechanism for Safeguarding Impartiality,” but all of those stakeholders have declined to participate. How can my organization show that we are maintaining the required balanced representation in light of this? Note 2 to clause 5.2.1 and Note 1 to clause 5.2.4 of ISO/IEC 17065 identify examples of mechanisms and potential invitees Notes should be examined prior to determining that all possible avenues have been exhausted The certification body must demonstrate (e.g. records) that they have identified and invited potentially interested parties, And that they have ensured that no single interest predominates (e.g. certification body cannot hold more than 50% stake in this Mechanism) Up to the certification body to take additional suitable actions to ensure that these balanced interest requirements are met ISO/IEC 17065:2012 Explanations (6.2.1) What are the “applicable requirements” that Internal Resources must meet in order for my organization to comply with this clause? Hierarchy: (1) should be defined by the Certification Scheme; (2) If not defined in the scheme, the Certification Body should define what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s); (3) If the CB and/or Scheme do not define the “applicable requirements,” an A2LA assessor will assume that all requirements in the relevant International Standard(s) are applicable. If an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect of conformity assessment such as measurement uncertainty calculations, that cannot be excluded when considering whether or not the resource meets the requirements of those standards. ISO/IEC 17065:2012 Explanations (6.2.2.1) What are the “applicable requirements” that External Resources must meet in order for my organization to comply with this clause? Hierarchy: (1) should be defined by the Certification Scheme; (2) If not defined in the scheme, the Certification Body should define what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s); (3) If the CB and/or Scheme do not define the “applicable requirements,” an A2LA assessor will assume that all requirements in the relevant International Standard(s) are applicable. If an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect of conformity assessment such as measurement uncertainty calculations, that cannot be excluded when considering whether or not the resource meets the requirements of those standards. ISO/IEC 17065:2012 Explanations (6.2.2.4) My Certification Body operates under a larger corporate umbrella, and we send portions of our Evaluation work to another department in the corporation. Is this considered “outsourcing” the work to an outside body? Note 2 of clause 6.2.2.1: “Use of external personnel under contract is not outsourcing.” Is a “contract” in place that covers cl. 6.1.3 requirements between the department and the Certification Body? If so, this is NOT outsourcing. (This also answers the question, “Is the resource under the direct control of the Certification Body?”– see clause 6.2.1) If the documentation linking the other department or its personnel to the Certification Body does not meet the requirements called out under clause 6.1.3, or if the Certification Body cannot provide evidence that the additional requirements stated under clause 6.1.2 are met for the personnel in question, then the actions taken by the Certification Body are considered “Outsourcing,” and the Certification Body must demonstrate that it complies with the requirements related to Outsourced activities. ISO/IEC 17065:2012 Explanations (7.3.2) A client has asked us to certify a new product which we have not certified before, but this new product is somewhat similar to ones we have been certifying in the past. How do we determine whether or not we have “prior experience” with the new product we are being asked to certify? CB should compare the new product to old products by examining the certification schemes (if different), the technologies, the required evaluation techniques/activities, and the technical knowledge of its own resources. The NOTE under this clause gives excellent guidance to the CB If the certification body determines that the new product is sufficiently similar, no records are needed The Certification Body may be asked to explain its rationale in determining that the new product is of the same type as ones that were previously certified If the assessor can justify that a certification was not “of the same type” as certifications previously granted, a deficiency may be written ISO/IEC 17065:2012 Explanations (7.3.3) What type of records are required to justify our organization’s competence and capability to perform a certification we have not performed before (such as called out in clause 7.3.2)? A2LA does not specify what form a record must take However, the records must show that an analysis was performed (comparison of scheme requirements, competencies of its resources, verification that the CB is capable of performing the certification activities) Records should be sufficiently detailed such that the assessor can reasonably reach the same conclusions as the CB If insufficient information for undertaking the new certifications is presented, or evidence that the certifications were improperly granted, a deficiency may be cited ISO/IEC 17065:2012 Explanations (7.12.3) The certification scheme operated by my organization requires that we reevaluate products on a four month cycle. Does the language in this clause mean that we only have to keep records for 8 months total, in order to meet the “current and previous” cycle requirement? Clause 8.4.2 - Certification Body’s procedures for record retention must be consistent with any contractual and legal obligations. Those legal and contractual obligations would take precedence over the shorter retention cycle given in the example above. Above and beyond any legal or scheme obligations for record retention, A2LA requires that the accredited (or applicant) organization must keep copies of records for the entire time period between on-site assessments Legal and scheme obligations may require longer retention periods, but under no circumstances may the Certification Body dispose of records in any shorter time period ISO/IEC 17065:2012 Explanations (7.13.7) How should my organization demonstrate compliance to this clause if we receive an anonymous complaint? It may not be possible for a certification body to give a formal notice of complaint resolution to the complainant (e.g. complaint is received anonymously, complainant does not leave contact info, complainant changes contact information such as being dismissed from an employment position). Possible evidence could include records of attempted emails with read receipts, phone logs, voicemails, certified postal mailings, or generalized resolution notices to alternate persons that are known to be related to the original complainant. These examples are not intended to be all-inclusive, nor are they mandatory actions that must be undertaken by the Certification Body. Ultimately, the Certification Body must show evidence that they have done reasonable due diligence in attempting to contact or locate the original complainant In all cases, records of attempts to contact must be kept as required by clause 7.13.1. ISO/IEC 17065:2012 Explanations (8.3.1) What does A2LA consider to be “External documents” that my organization must control under our document control procedures? Current versions of the normative documents (e.g. test methods) that are vital to maintaining their accreditation and to perform their certification activities. These documents include ISO/IEC 17065:2012 General A2LA policy documents Any specific A2LA program requirement documents relating directly to their field of accreditation A2LA does not consider “terminology documents”, such as ISO/IEC 17000 and the VIM, to be normative documents that an organization must control within their system Example on next slide ISO/IEC 17065:2012 Explanations (8.3.1) Telecommunications Certification Bodies (TCB) would be expected to possess (or have direct access to) and have under its document control system current versions of the following A2LA documents: R307 - General Requirements - Accreditation of ISO-IEC 17065 Product Certification Bodies P101 - Rules for Making Reference to A2LA Accredited Status R102 - Conditions for Accreditation R308 - Specific Requirements - 17065 - Telecommunication Certification Body Accreditation Program Furthermore, such a TCB would be expected to control copies of all test methods (e.g. ANSI C63.4, FCC Rule Parts) called out in the schemes on their scope, as well as copies of the schemes themselves ISO/IEC 17065:2012 Explanations (8.5.1.1) I am a Certification Body getting ready to apply for accreditation to ISO/IEC 17065, do I have to perform a complete Management Review before I can become accredited? A2LA assessors will look for evidence during the on-site assessment that a complete management review has been conducted in accordance with their documented procedure and pre-determined schedule (8.5.1.1). If only a partial review has been conducted by the time of the on-site assessment, a deficiency will be cited and the full review must be completed before initial accreditation can be granted. ISO/IEC 17065:2012 Explanations (8.6.1) I am a Certification Body getting ready to apply for accreditation to ISO/IEC 17065, do I have to perform a complete Internal Audit before I can become accredited? A2LA assessors will look for evidence during the on-site assessment that a complete internal audit has been conducted in accordance with their documented procedure (8.6.1) and pre-determined schedule (8.6.3). If only a partial audit has been conducted by the time of the on-site assessment, a deficiency will be cited and the internal audit must be completed before initial accreditation is granted. ISO/IEC 17065:2012 Explanations (8.6.1) My internal audit process consists of only completing the A2LA C309 checklist – is this sufficient to demonstrate a complete internal audit? Not necessarily A CB must provide evidence that their internal audit consists of at least the following: Determination of compliance with all ISO/IEC 17065 requirements Determination of compliance with all policies, procedures, instructions, etc. that form its management system Review of all Certification Process steps (i.e. application, evaluation, review, decision, certification documents, and surveillance, where applicable) Determination of compliance with all relevant A2LA policies and requirements (e.g. “Ad Policy” / use of Accredited mark) ISO/IEC 17065:2012 Explanations (8.6.1) My Scope of Accreditation includes multiple product types under a larger scheme. Does my internal audit have to include every product type on my Scope? Review of records related to each Product Type on the organization’s Scope of Accreditation must be included in their Internal Audit to ensure that the management system is being properly implemented across all certifications The Internal Audit is considered incomplete if the organization fails to include each Product Type during its internal audit ISO/IEC 17065:2012 Explanations (8.6.3) What does the standard mean when it says that my internal audit shall “normally” be performed at least once every 12 months? Language of the standard states that the certification body may choose to “Reduce or Restore” the frequency - A2LA currently does not permit a schedule which extends beyond the 12 month period specified by the standard (e.g. 8 month audit schedules are permitted, but not 16 months) CB’s initial internal audit schedule can/should show that internal audits will be performed once in a 12 month period (or over a rolling 12 month period) If more frequent audits are needed (feeling or evidence), do not hesitate to adjust the schedule accordingly Any changes to the schedule (including restoring to the maximum 12 month time frame), as well as the rationale behind the decisions to change, must be documented and kept as a formal record Changes must be supported by records that demonstrate ongoing stability and effectiveness of the management system ISO/IEC 17065:2012 Explanations (8.6.4.d) What does the standard mean when it states that my organization must ensure that any actions resulting from our internal audits are taken in a timely and appropriate manner? A2LA cannot define what “timely and appropriate” means for its certification bodies. The intent of this clause is for the organization to take action as soon as they are able, in order to ensure that the organization’s quality system is running smoothly, and that the certifications being offered are not negatively impacted. An assessor may cite a deficiency if there is evidence that the quality system or offered certifications are being affected by lack of action on an internal audit finding. The certification body is still responsible for meeting all requirements related to corrective actions (section 8.7) and preventive actions (section 8.8) when acting upon their internal audit findings. Proposed Explanations From A2LA PCAC Meeting (April 4, 2014) Clause 4.3.1 – define what is “adequate” in terms of insurance Clause 4.4 – pricing and discrimination (expedite fees) Clause 7.6.4 – clarification of applicability to clause 7.6.3 Clause 7.9.1 & 7.9.3 – scheduling and other details of surveillance activities IA F A2 LA 8 7 6 5 4 3 2 1 0 TC JP B Q M HK ID A IC FC C 15 14 13 12 11 10 9 8. 2 8. 1 8 7 6 5. 2 5. 1 5 4. 9 4. 10 4. 8 4. 7 4. 6 4. 5 4. 4 4. 3 4. 2 4. 1 Common TCB Assessment Deficiencies ISO Guide 65:1996 2011 2012 2013 8 7 6 5 4 3 2 1 0 8 Sh .8 em e A2 TC LA B Q M 8. 7 8. 6 8. 5 8. 4 8. 3 8. 2 8. 1 7. 9 7. 10 7. 11 7. 12 7. 13 7. 8 7. 7 7. 6 7. 5 7. 4 7. 3 7. 2 7. 1 6. 2 6. 1 5. 2 5. 1 4. 6 4. 5 4. 4 4. 3 4. 2 4. 1 Common TCB Assessment Deficiencies ISO/IEC 17065:2012 17065 Implementing FCC KDB Revisions (April 2014) FCC KDB 668797 – TCB Checklist FCC KDB 610077 – TCB Post Market Surveillance FCC KDB 641163 – TCB Program Roles & Responsibilities Questions? Mike Buzard – Senior Accreditation Officer - Email: mbuzard@A2LA.org - Phone: 240 575 7484 Adam Gouker – Accreditation Manager - Email: agouker@A2LA.org - Phone: 301 644 3217