GENERAL RULES REGARDING MANAGEMENT SYSTEMS CERTIFICATION SRAC-R-01. Approved GENERAL MANAGER. eng. Mihaela Cristea

Transcription

1 SRAC-R-01 Approved GENERAL MANAGER eng. Mihaela Cristea Edition: 3 Revision: 4

2 LIST OF UPDATES Edition Revision Contents of the modification Modified pages Date 1 0 Initial issue Addition of provisions in view of a All better customer information 2 0 Addition of the provisions related to the All documents sent to the applicant organization; Changes further to IAF MD1:2007 Introduction of Annex 1 Re-numbering 2 1 Update of references ISO 9001:2008, All OHSAS 18001:2007. Elimination of subclause x regarding the documents that must be sent for mandatory area 2 2 Update of references ISO 27006:2007 4, 9, Including EMAS, SR EN ISO 16001, ISO Including ISO :2005, and other modifications regarding the consequences of major nonconformities on the audit results 3 0 Changes due to revision of SR EN ISO/CEI 17021:2011 and of SRAC flow chart 3 1 Inclusion of QMS certification in compliance with R Transition from SR EN to ISO Update of reference documents 3, 5, 10, 11, All All All All Modified FSMS requirements Pg. 7 Pg 2 / 23

3 SCOP 1.1. These Rules define the requirements to be fulfilled by an organization applying for certification for:: quality management systems, ISO 9001 Medical devices. Quality management systems, Requirements for regulatory purposes, SR EN ISO environmental management systems, ISO Eco-Management and Audit Scheme (EMAS), CE Regulation no. 1221/2010 Quality management system in compliance with Council Regulation (EU) no. 333/2011 of 31 March 2011 establishing criteria determining when certain types of scrap metal cease to be waste under Directive 2008/98/EC of the European Parliament and of the Council. (abrev - R333). Quality management system in compliance with Commission Regulation (EU) No 1179/2012 of 10 December 2012 establishing criteria determining when glass cullet ceases to be waste under Directive 2008/98/EC of the European Parliament and of the Council. (abrev R-DSt). Food safety management system, ISO occupational health and safety management systems OHSAS information security management systems, ISO/IEC Energy Management Systems, ISO quality management systems in the mandatory area (Factory Production Control, lifts, non-automatic weighing instruments) IT Service management systems, ISO :2011 Integrated management systems (e.g. referential ISO ISO 14001; ISO OHSAS 18001; ISO ISO OHSAS 18001, etc.). Or in order to obtain, maintain, renew, extend, reduce, suspend and withdraw SRAC certification. These Rules are an integrating part of the Certification Contract SRAC Certificate and IQNet Certificate are documents proving that the certified organization: - has effectively documented and implemented a management system in compliance with the requirements of the reference standard; - Is able to systematically achieve its stated policy and objectives The access to SRAC certification services is not conditioned upon the size of the organization or its membership to any association or group SRAC certification services do not include any form of consultancy for the certification applicant (elaboration of the management system documents or the implementation of the system) 1.5. SRAC is registered at the Trade Register as a legal entity with legal liability The correct application of these rules is verified by the Advisory Board, including all the parties interested in the certification activities without the prevalence of party interest. The following principles are implemented and provide guidelines for the decision making: - impartiality: the decisions are made based on objective evidence of compliance (or noncompliance) and are not influenced by other interests or other parties; - competence: the demonstrated ability of SRAC personnel to apply knowledge and skills, at all levels; - responsibility: SRAC has the responsibility to assess sufficient objective evidence, using an adequate sampling within the organization s management system, upon which to base the certification decision; - openness: SRAC provides adequate access to, or disclosure of, non-confidential information about its audit and certification process and about the certification status (i.e. the granting, extending, Pg 3 / 23

4 maintaining, renewing, suspending, reducing the scope of, or withdrawing the certification) in order to gain confidence in the integrity and credibility of certification; - confidentiality: SRAC keeps confidential any proprietary information about the client, ensuring an adequate balance between the principles of openness and confidentiality; - Responsiveness to complaints: the complaints of the interested parties are always investigated and adequately processed. 2. REFERENCE DOCUMENTS 2.1. SR EN ISO / CEI 17021:2011 Evaluarea conformitatii. Cerinte pentru organisme care efectueaza audit si certificare de sisteme de management 2.2. ISO/TS 22003: Food safety management systems - Requirements for bodies providing audit and certification of food safety management systems SR ISO / TS 22003:2007 Sisteme de management ale sigurantei alimentului. Cerinte pentru organisme care efectueaza audit si certificare de sisteme de management ale sigurantei alimentului ISO / TS 22003:2013 Sisteme de management ale sigurantei alimentului. Cerinte pentru organisme care efectueaza audit si certificare de sisteme de management ale sigurantei alimentului 2.3. ISO/TS 22003: Food safety management systems - Requirements for bodies providing audit and certification of food safety management systems 2.4. ISO 9001: Quality management systems Requirements SR EN ISO 9001:2008 Sisteme de management al calitatii. Cerinte ISO 14001: Environmental management systems - Requrements with guidance for use SR EN ISO 14001:2005 Sisteme de management de mediu. Cerinte si ghid de utilizare 2.6. EMAS-Regulamentul Parlamentului European şi al Consiliului (CE) nr. 1221/2009 EMAS European Parliament and Council Regulation (EC) no. 1221/ BS OHSAS 18001: Occupational health and safety management systems - requirements SR OHSAS 18001: Sisteme de management al sănătăţii şi securităţii ocupaţionale. Cerinţe 2.8. ISO 22000: Food safety management systems - Requirements for any organization in the food chain SR EN ISO 22000: Sisteme de management al sigurantei alimentelor-cerinte pentru orice organizatie din lantul alimentar 2.9. ISO/IEC 27001: Information technology Security techniques Information security management systems. Requirements SR ISO/CEI 27001: Tehnologia informaţiei. Tehnici de securitate. Sisteme de management al securităţii informaţiei. Cerinţe SR ISO/CEI 27001: Tehnologia informaţiei. Tehnici de securitate. Sisteme de management al securităţii informaţiei. Cerinţe ISO 9000: Quality management systems -- Fundamentals and vocabulary SR EN ISO 9000: Sisteme de management al calitatii. Principii fundamentale si vocabular ISO :2009 Environmental management Vocabulary IAF MD 1:2007 IAF Mandatory Document for the Certification of Multiple Site Based on Sampling ISO/IEC 27006:2011 Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems SR EN ISO : 2012: Dispozitive medicale. Sisteme de management al calitatii. Cerinte pentru scopuri de reglementare. ISO /TR : 2010 : Medical devices Quality management system-guidance on the application of ISO : ISO 50001:2011 : Sisteme de management al energiei. Cerinte si ghid de utilizare ISO :2011 Information Technology Service management Part 1: Service management system requirements Pg 4 / 23

5 2.17. ISO :2012 Information Technology Service management Part 2: Guidance on the application of service management systems Regulamentul 333/2011/UE al Consiliului din 31 martie 2011 de stabilire a criteriilor de determinare a condițiilor în care anumite tipuri de deșeuri metalice nu mai constituie deșeuri în temeiul Directivei 2008/98/CE a Parlamentului European și a Consiliului (abrev - R333). Council Regulation (EU) no. 333/2011 of 31 March 2011 establishing criteria determining when certain types of scrap metal cease to be waste under Directive 2008/98/EC of the European Parliament and of the Council Regulamentul 1179/2012/UE al Comisiei din 10 decembrie 2012 de stabilire a criteriilor de determinare a condițiilor în care cioburile de sticla inceteaza sa mai fie deșeuri în temeiul Directivei 2008/98/CE a Parlamentului European și a Consiliului (abrev R-DSt). Commission Regulation (EU) No 1179/2012 of 10 December 2012 establishing criteria determining when glass cullet ceases to be waste under Directive 2008/98/EC of the European Parliament and of the Council 3. DEFINITIONS The definitions provided in the standards enumerated at chapter 2 shall be applied. 4. GENERAL TERMS 4.1. The certification itself involves the compliance of management systems with reference standards and does not involve the fulfilment of the legislation in force, which is exclusively under the responsibility of the organization. However, the management system standards require to the organization to meet all legal and regulatory requirements applicable within the management system. In order to obtain and maintain the certification, the organization shall: - observe the requirements of the reference standard and the applicable legislation; - observe the requirements of these general rules; - observe the requirements on the use of the certificate and conformity mark; - make all necessary arrangements for the conduct of the assessment, including arrangements for document and record review, access in all areas for the persons appointed by SRAC to carry out the assessment, surveillance, special audits or investigating complaints; - pay in time the invoices issued by SRAC in compliance with the signed certification contract During the audit activities, SRAC auditors shall consider as contact persons the ones provided in the organization chart. In case the organization wants other persons to participate in the audit (e.g. consultants), it is bound to ensure that their role is of observers On the other hand, SRAC audit team may also include observers (e.g. accreditation body assessors, monitoring persons) and/or auditors in training The general flowchart of the certification stages is presented in Annex CLASSIFICATION OF THE FINDINGS AND NON-CONFORMITIES 5.1. The audit findings are classified by SRAC into, major nonconformities, minor nonconformities, observations and potential for improvement Major nonconformity: -The failure or lack of capability to implement or maintain one or more of the management system standard requirements, or - a situation that, based on the available objective evidence, may lead to significant doubts on the quality of the organization s products/services - a minor non-conformity which persists (or was not solved as agreed with the organization) shall be upgraded as major non-conformity. Pg 5 / 23

6 5.3. Minor nonconformity lack of discipline or control during the implementation of the system / documented requirements which do not indicate the failure of the system or raise no doubts on the fact that that the products/services are meeting the requirements. The whole management system is designed, implemented and is effective Observation An observation is not non-conformity but may lead to non-conformity if it is allowed not to be corrected Potential for improvement Opportunities for improvement related to the organization s areas/ processes which meet the minimum requirements of the standard but may be improved Strengths a statement of recognition made to the customer, based on: - the situations in which the organization has made significant improvements from the last audit; - The performance beyond expectations in terms of efficiency and/or effectiveness and may be an excellence model. 6. NONCONFORMITIES MANAGEMENT 6.1. The consequences of major nonconformities on audit results are: - in case of certification/renewal/extension/restraint audit the certificate is not granted - in case of surveillance audits lead to the suspension of certificate for a period of max. 6 months, during which the organization does not have the right to use the certificate or the conformity mark in its relation with third parties, until the corrective actions are being solved and the nonconformities closed. In both cases the organization shall determine the root cause, undertake corrections and implement corrective actions within a lap of time established by common agreement with SRAC, which shall not exceed 6 months from the date when the audit was finalized. Afterwards a follow-up audit is initiated, with the purpose of assessing the effectiveness of implemented corrective actions, in order to eliminate the causes of found major nonconformities (through on-site visit or document review). This follow-up audit is established through an addendum to the existing contract and is paid by the client. The CEA/ Lead auditor shall have the client s approval on the Major nonconformity Report and shall inform the client with respect to the addendum which is to be elaborated for the follow-up audit, through the completion of these aspects in the Minute of the Closing Meeting of the audit (so it would generate the suspension of the certification and the need of a follow-up audit and the addendum on the contract). The Lead auditor and the client shall sign upon the Minute. The client shall also apply the organization s stamp. The CEA/Lead auditor has the obligation to bring the audit documents to SRAC in max 7 days from the end of the audit, in order to close the addendum for the follow-up audit in due time. The duration of the followup audit depends on the amplitude of actions which are to be implemented by the client and is established by the Technical director. The follow-up audit shall be performed in max. 6 months from the end of the certification/renewal/extension/restraint/surveillance audit. If stated nonconformities have not been solved during this period (6 months), - in case of certification/renewal/extension/restraint audits the initial audit shall be carried out again, at a date established with the client, after he/she has signed the addendum or a new contract for carrying out again the certification/renewal/extension/restraint audit. - In case of surveillance audits the certificate is voided, and if the client still wants the certification, the certification cycle shall be carried out again from the beginning, as for a new client In case of multi-site organizations, during the decision making process for the initial certification, SRAC shall apply the provisions of the specific procedures. To that extent, if a single site has a non-conformity Pg 6 / 23

7 related to the un-fulfillment of one or several requirements of the MS standard or raises significant doubts on the ability of the customer to meet the intended outputs, the certification is refused to the entire network, until satisfactory corrective actions are undertaken It is not accepted for the organization to seek the exclusion from its scope of the problematic site during the certification process, with the aim to overpass the obstacle represented by the existence of a non-conformity to the respective site 7. CERTIFICATION PROCEDURE 7.1. General aspects The organization fills in all the applicable sections of the application for certification/recertification After the receipt of the application (depending on each certification scheme) filled in by an authorized representative of the applicant organization, SRAC carries out the application review and establishes the audit duration based on the information provided by the company: - requirements of the relevant management system standard; - size and complexity of organization; - general data of the applicant organization, including name, address(es) of the physical location(s); - the requested scope of certification, including general information on its activities, human and technical resources, positions and relationships in a larger corporation (if appropriate); - specific aspects of processes and activities; - technological and regulatory context; - any outsourcing of any activities included in the scope of the management system; - number of sites and multi-site considerations (including the size of productive units and geographical area); - number of product groups; - results of any prior audits; - existence or non-existence of any other certified management system SRAC sends to every organization applying for certification a personalized offer based on the fees approved by the Board of Directors Once SRAC offer is accepted, the organization shall communicate its official agreement based on which the certification contract is concluded. By returning a signed copy of the certification contract, the organization undertakes to observe the specifications and general terms of the contract as well as these general rules regarding management systems certification and the regulation for using SRAC mark, integrating annexes to the certification contract In order to initiate the certification, the organization shall send to SRAC the documents of the management system/ regulated area for which it requested the certification/ conformity assessment, as follows (in all cases, the submittal of the documents provided at par is mandatory): For all systems: - the Certificate of Registration with its annexes or legally valid registration document to clearly state the activity, locations and related addresses (for the head office and for each location to be audited) - the organization chart For the Quality Management System:: a) QMS Manual Pg 7 / 23

8 b) Document Control procedure c) Record Control procedure d) Internal Audit procedure e) Control of Non-conforming Product procedure f) Corrective Actions procedure g) Preventive Actions procedure For the environmental management system: a) Environmental manual (optional) b) Environmental policy c) Documents control d) Records control e) Nonconformities, corrective and preventive actions f) Internal Audit g) Identification of the environmental aspects h) Legal requirements i) Assessment of compliance j) Measuring and monitoring k) Preparation for emergency situations and responsiveness l) Communication For the food safety management system: a. List of applicable regulations b. matrix of responsibilities for the correlation between the requirements of the applicable certification standard/standards and the documentation of the organization (annex 1) c. list of products/ product categories considered finished d. list of authorizations/ licenses issued by authorities e. list of Operational Pre-requisite programs (PRPs) and one example of a PRP f. list of PCC and a HACCP plan as example g. Procedures: h. DOCUMENTS CONTROL i. RECORDS CONTROL j. HANDLING THE POTENTIAL UNSAFE PRODUCTS k. WITHDRAWAL l. INTERNAL AUDIT Note: The minimum documentation mentioned abobe shall be sent for the documents review before the initial certification audit. Before every surveillance/renewal audit, the modified documents from the list above shall be sent. In case these documents are not sent, and the auditor finds that there are changes, an additional period of audit shall be added for the management review For the occupational health and safety management system: a) Occupational health and safety Manual (optional) b) OHSAS Policy c) Documents Control d) Records Control e) Nonconformities, corrective and preventive actions Pg 8 / 23

9 f) Internal Audit g) Preparedness for emergency situations and responsiveness h) Measuring and monitoring i) Participation, consultation, communication j) Assessment of compliance k) Legal requirements l) Hazard identification and risk evaluation and control measures establishment m) Investigation of incidents For the information security management system: a) Manual for information security management (optional) b) Control of documents procedure c) Control of records procedure d) Internal audit procedure e) Security incidents management procedure f) Corrective action procedure g) Preventive action procedure h) Declaration of applicability SOA For EMAS: a) Documents related to ISO management system (mentioned at chapter plus the following : b) Environment declaration and Environment policy see Annex 3 of the Regulation (EU) no. 1221/2009 of the European Parliament and of the Council c) Description of the manner of implementation of the environment management system in compliance with Regulation (EU) no. 1221/2009 of the European Parliament and of the Council (Environment mannual) d) Procedure for the identification of the environment aspects and the final environment analysis in compliance with Annex 1 of Regulation (EU) no. 1221/2009 of the European Parliament and of the Council e) Procedure of internal audit and the last performed Internal Audit Report that covers the entire required certification scope f) The document that confirms the last assessment of compliance with the applicable legal requirements g) The record of the last management review regarding the functioning of the EMS in compliance with Regulation (EU) no. 1221/2009 of the European Parliament and of the Council For Energy Management System: a) Energy Manual (optional) b) Policy regarding energy c) Analysis regarding energy + Methodology and criteria used for the elaboration of the analysis regarding energy d) Control of documents e) Control of records f) Nonconformity, corrective action, preventive action g) Internal Audit For the quality management system Medical Device:: a) QMS-MD Manual b) Control of documents procedure c) Control of records procedure Pg 9 / 23

10 d) Internal Audit procedure e) conforming product procedure f) Corrective Action procedure g) Preventive Action procedure For the IT management service: a) IT Service management Manual (optional) b) Control of documents procedure c) Control of records procedure d) Internal Audit procedure e) Management of configuration procedure f) Management of change procedure g) Management of reviews/release procedure h) Corrective Action procedure i) Preventive Action procedure j) SOA- Applicability declaration For the quality management system in compliance with R333: The client sends the documentation needed for the preliminary analysis, namely documented procedures regarding every one of the following aspects: a) Control for acceptance of used waste as input for the recovery operation, in compliance with section 2 of annexes I and II; b) Monitoring the processes and techniques of treatment presented in section 3.3 of annexes I and II; c) Monitoring of the quality of metallic waste that result from the recovery operation, in compliance with section 1 of annexes I and II (including prelevation and analysis of the samples) ; d) Efficiency of the radiation monitoring, in compliance with section 1.5 of annexes I and II; e) Opinions of the clients regarding the conformity with quality for metallic waste ; f) Record of the results of the monitoring realized in compliance with letters (a)-(d); g) Revision and improvement of the quality management system; h) Personnel training. These documents shall prove the conformity of the QMS with the criteria mentioned at 3 and 4 of R For the quality management system in compliance with R-DSt: The client sends the documentation needed for the preliminary analysis, namely documented procedures regarding every one of the following aspects: a) Control for acceptance of used waste as input for the recovery operation, in compliance with section 2 of annex I (of Regulation no / 2012); b) Monitoring the processes and techniques of treatment presented in section 3 of annex I (of Regulation no / 2012); c) Monitoring of the quality of glass cullets that result from the recovery operation in compliance with section 1 of annex I (Regulation no / 2012); d) Feedback-ul from clients regarding the compliance with the quality requirements applicable to glass cullets; e) Record of the results of the monitoring realized in compliance with letters (a)-(c) (Regulation no / 2012); f) Revision and improvement of the quality management system (procedures for internal audit, management review, corrective/preventive actions, etc.) g) Personnel training. These documents shall prove the conformity of the QMS with the criteria mentioned at 3 and 4 R-DST. Pg 10 / 23

11 7.1.6 The contractual terms keep their validity provided that the organization proceeds with the organization within 6 months from the date of the application for certification. If this interval is exceeded, the application for certification/re-certification shall be filled in again and, considering the changes (if appropriate), SRAC is entitled to amend the contract terms For the certification against ISO 22000, SRAC defines the certification scope in terms of food chain level (e.g. primary production, food processing, and production of packaging material), category and sectors. The organization cannot exclude from the scope (and SRAC shall not accept) part of processes, sectors, products or services whether these influence the food safety of finite products The multi-site certification applies for the organization meeting the following criteria: - there is one head office managing an unitary management system, planning, coordinating, controlling and auditing the relevant activities of the locations and deciding the necessary corrective/ preventive actions, including at site level; - the sites provide similar products/services, based, mainly, on similar procedures; - in case the organization is not an unique legal entity, the locations have a legal or contractual relation with the head office and have a common management system, established, developed and submitted to continuous assessment and improvement from the head office Not all the organizations covered by the multi-site definition are eligible for sampling. 7.2 Eligibility criteria for sampling: General and specific aspects for ISO 9001, ISO 13485, R333 and R-DSt All locations or group of locations selected as population for sampling have to carry out substantially the same type of activities and the products and/or services provided by each location shall be substantially similar. The management system shall be centrally structured and managed and subjected to regular internal audits at all sites/locations as well as to a management review at central level. All locations, including the head office shall be subject to a complete internal audit program prior to the conduct of SRAC assessment. The organization shall be able to demonstrate that it collects and reviews the data from all sites, including the head office, and that it has the authority and possibility to initiate organizational changes, if appropriate, in relation with: - system documents and system modifications; - management review; - complaints; - assessment of the corrective actions; - planning the internal audit and assessment of the results - Legal requirements. The organization shall appoint the Management Representative(s) with overall responsibility for the maintenance of the management system. Limited variations are allowed in the local working practices, generated by differences in the available equipment or size of the local organization (e.g. in the small sites it might occur that a person to be in charge of several tasks ) Specific aspects for ISO and EMAS Pg 11 / 23

12 In the case of organizations with multi sites, sampling can be applied provided that there are: comparable environmental aspects (qualitative and quantitative) in the respective locations (input materials, wastes, used water, emissions); technical equipment for similar environmental technology Specific aspects for OHSAS Comparable conditions related to occupational health and safety at the work place. In case of sampling which includes several countries, it might be possible that several specific labour requirements are applicable. In order to integrate these locations in the sampling procedure, it is necessary to demonstrate that comparable conditions exist in all locations in terms of hazards and potential risks. In case of companies with structures on several levels (such as head office regional branches sites/subsidiaries/offices), each of these hierarchical levels represent a different group. Special attention shall be paid in case an organization with multiple sites in different countries and different regulations requires a multi-site certification Specific aspects for information security management systems and for IT service management system, in addition to the ones mentioned for ISO 9001 : The decisions for sampling in case of multiple sites, for the ISMS certification scope, are more complex than the same decisions for the quality management systems. For sampling the following aspects shall be taken into consideration: internal audits results of the head office and of the sites; the results of management reviews; size of the respective sites; type of activity of the sites; complexity of ISMS; complexity of the informatics systems from different locations; work practices; the performed activities; potential interaction with systems with critical information or with informatics systems that process sensitive information; any other legal requirements Specific aspects for food safety management system ISO The use of multi-site sampling is possible only in the case of organizations with over 20 sites/ subsidiaries and only for the following categories: A Agriculture (animals) B Agriculture (plants) G Catering H Distribution J Transport and storage The sampling for more than 20 sites shall be of 1 site out of 5, with a minimum number of 20. All sites shall be randomly selected Specific aspects for SR EN In the situation of organizations with multi sites sampling can be applied provided that there are: comparable energy aspects (qualitative and quantitative) in the respective locations (electrical energy, fuels, natural gases, etc.); similar technical equipment In the situation of locations with specific significant energy consumption the sampling procedure is not applicable Whether not all sites of a service provision organization subject to certification are ready to be certified in the same time, the organization shall inform SRAC in relation with the sites willing to include in certification and those to be excluded. Pg 12 / 23

13 The audit periods and names of the appointed auditors shall be communicated to the organization which has to agree The organization is entitled to request one time the replacement of the audit team or of one member of the audit team, in writing and with justification, within 3 days from the notification. If no objection is received within this interval, SRAC considers that the audit team was tacitly confirmed The audits shall be conducted in those periods when the organization operates a significant number of production lines, categories and sectors in the scope for which it applied for certification and the organization responsible to is ensure this aspect. THE GENERAL FRAME FOR AUDIT CONDUCT 7.3 The initial management system (MS) certification audit The initial MS certification audit is conducted in 2 stages: Stage 1 and Stage Stage I Stage I consists of the following steps: a) Evaluation of client s location and of the specific conditions of the location discussions with the organization representatives to determine the preparedness for the Stage II; b) General review of MS status against the requirements of the reference standard, with the identification of key performance or significant aspects, processes, objectives and operations for the functioning of MS. c) Collection of information and objective evidence regarding the main aspects of the MS, scope, processes, locations, statutory and regulatory aspects and compliance (e.g. quality, environment, legal aspects of client s activity, associated risks, etc.) d) Establishing the conclusions regarding the acceptance of exclusions related to requirements of ISO 9001/ISO 27001/ISO declared by the client. e) Exclusions are admitted only when they do not influence the organization s capability of providing a product that fulfils the client s requirements and the applicable legal requirements. Exclusions of subclasses of Section 7 of ISO 9001 and ISO must be carefully approached, by assessing in all the situations the objective state and the effects of the elimination of these requirements against the needs and expectations of the organization s clients. Otherwise the lead auditor shall not accept the exclusion declared by the client and shall suggest to the client to review the exclusion opportunity and to deal with the requirement. f) Providing a starting point for the planning of Stage 2 of the audit through the sufficient understanding of the client s management system and of the activities on site, in the context of the possible significant aspects; g) Evaluation of the planning and conduct of internal audit and management review in order to check whether the level of implementation of management system substantiates that the client is ready for the Stage II. h) Reviewing, in agreement with the client, the allocation of resources and planning for Stage II; i) Drawing up the Audit Report Stage I : - Communication to the client at the closing meeting of the results of the Stage I audit, conclusions/findings and any other issues that have to be solved by Stage 2. - By agreement with the client the period of audit Stage 2 shall be established so that the client can solve the findings of Stage 1. - The period for the solving of these aspects must not be longer than 6 months. Otherwise the Stage I shall be conducted again and changes in the certification contract between SRAC and the client shall be operated. - The Stage I findings (documented and justified) may generate changes in the contract between SRAC and the organization (if the audit scope was not properly required, if there are more sites than declared if there is a significantly bigger number of personnel, etc.) Pg 13 / 23

14 - If results of Stage I audit, documented in the Stage I audit report, allow the proceeding with Stage II the LAT draws up and disseminated to the client the Audit Plan, code SRAC-PS-12.04, for Stage In case of multi-site certification, in Stage I of audit, the assessment of the management system is conducted at the head office or/and to a location with a large number of employees and/or, if applicable, with a high degree of relevance over environment, occupational health and safety. All requirements of the relevant standards shall be taken into consideration. Additionally, the lead auditor, as part of the system review, verifies whether the management system really covers all the locations and whether is adequately implemented at the moment of the assessment. If applicable, an additional review of the system shall be conducted to the organization locations, which are not covered by the sampling procedure The assessment of the internal audits by the certification audit must confirm that all sites have been audited as part of the internal audit procedure Whether the management review and internal audits have not been finalized by the time of system review, completion shall be ensured until the assessment is conducted Whether non-conformities are found during the performance of an internal audit or conducted by the partners (second party), this situation shall be considered also for the other locations. As a general rule, the corrective actions shall be implemented at the entire organization level. The head office shall ensure that the corrective actions are implemented and are effective. The Lead Auditor shall verify whether the organization internally applies these regulations Stage II The objectives of Stage 2 of the audit are: a) Conformity assessment of the MS implementation against the reference standard(s) and of the MS effectiveness b) Assessment of the capacity of the management system to ensure that the client s organization complies with the applicable legal and contractual requirements Stage 2 audit performance at the client s site(s) During this stage of the audit the following steps occur: a) The client receives from the lead auditor Audit plan stage 2. The performance of the initial certification audit, Stage 2, takes place in compliance with the Audit Plan accepted by the client. b) The meeting of the audit team at the audited organization s headquarters, the client has to provide to the audit team an adequate space for this. c) Opening meeting, that is led by the LAT and that is attended by the management of the audited organization and has the role of providing a short description of the manner in which audit activities are performed and it shall include the following elements. The details should take into consideration the client s degree of familiarity with the auditing process. d) Communication during audit - LAT periodically communicates to the client the evolution of the audit and any problems that may appear. - When the available audit evidence indicate that the audit objectives are not accomplishable or when they suggest the presence of an immediate and significant risk (e.g. security risk), the leader of the audit team shall report this to the client and, if possible, to the certification body, in order to determine the appropriate actions to be taken. These actions may include: - Reconfirmation or modification of the audit plan modification is made directly on the audit plan with the signature of the LAT and of the audited organization - Modifications of the audit objectives or of the audit scope LAT shall review together with the client any need of modification of the audit scope that occurs as the auditing activities on site are in progress. The modified audit scope, recommended for certification shall be mentioned in the Audit Report signed by the organization s management. Cease of the audit situation when LAT informs the client regarding the aspects that occurred and that Pg 14 / 23

15 do not allow the continuation of the audit and he draws up the Audit Report where he specifies the number of audit days performed until the cease of the audit, with signature and stamp of the organization s representative. He informs the client that in this situation the audit shall be performed again and an addendum of the contract shall be signed. e) Observers and guides - Observers the presence of observers during the auditing activities must be agreed between the certification body and the client before the performance of the audit. The audit team shall ensure that the observers do nu influence or interfere with the audit process or audit results. NOTE: Observers may be members of the client s organization, consultants, and personnel of the accreditation body, authorities or other persons whose presence is justified. - Guides every auditor must be accompanied by a guide, except for the situation when there is a different agreement between the LAT and the client. The guide(s) appointed for the audit team have the role to facilitate the audit. The audit team must ensure that the guides do not influence or interfere with the audit process or the audit results. NOTE: Responsibilities of a guide may include: a) Establishing contact and programing the interviews; b) Organization of visits in certain parts of the site or of the organization; c) Ensuring that the rules regarding security at the site and the security procedures are known and observed by the members of the audit team; d) Participation at the audit as witness of the client; e) Providing clarification or information upon auditor s request. f) Collection and verification of information - During the audit the relevant information for the objectives, scope and criteria of the audit (including information related to interface between functions, activities and processes) are collected through appropriate sampling and are being verified in order to become audit evidence. - The methods for the collection of information must be used by the audit team and include, but are not limited at: o interviews; o observation of processes and activities; o review of documentation and records. g) Identification and record of the audit findings - The audit findings are communicated by the LAT to the audited organization s representatives at the end of audit day and at the closing meeting. - Nonconformities are discussed with the client in order to ensure that the evidence is correct and that the nonconformities are understood. Still, the auditor shall abstain from suggesting the cause or the solution of the nonconformities. - LAT must solve any divergent opinions between the audit team and the client regarding the evidence or the findings of the audit and the unsolved issues must be recorded in the Audit Report. h) Closing meeting - This meeting shall be attended by the audit team together with the client s management and, when necessary, with the ones responsible for the audited functions or processes. - The purpose of the closing meeting is to present the conclusions of the audit, including the recommendation regarding the certification. Pg 15 / 23

16 - Any nonconformity shall be presented in such a manner that is it understood and signed by the audited and the term for resolution proposed by the audited must be agreed by the lead auditor. NOTE Understood does not necessarily mean that the nonconformity was accepted by the client. i) Elaboration of the Audit Report The lead auditor elaborates the Audit Report that will be disseminated to the client. This contains the findings of the respective audit. j) Review of the causes of the nonconformities The client has the obligation of analyzing the cause and establishing the specific correction and the necessary corrective actions in order to eliminate the identified nonconformities in a defined period of time. k) Efficiency of corrections and corrective actions -If, during the certification audit, minor non-conformities and observations result, as communicated in the closing meeting, the organization s representatives identify the non-conformity causes/ corrections/ corrective actions and the proposed deadlines for their implementation. - The organization has 7 days from the date when the audit was closed to fill in and send to the lead auditor the identification of the non-conformity causes, the corrections/corrective actions established and the implementation deadlines, filled in on the non-conformity and observation forms of the Audit Report - If, after the certification audit, major non-conformities result, these are communicated to the client at the closing meeting. The organization has 6 months form the date the audit was closed to solve the established corrective actions and accepted by the lead auditor for the resolution of the major nonconformities. Otherwise the audit shall be performed again, including Stage 1. For the assessment of the manner in which nonconformities were closed, an additional audit is needed. - Additional audit complete or limited The additional audit has the purpose of checking the closing of the minor/major nonconformities and the efficiency of the undertaken corrective actions. The audited organization shall be informed by the LAT at the closing meeting if, for the verification of the efficiency of the correction and of the corrective action necessary for the closing of the identified nonconformities, it will be needed: a) A complete additional audit (audit Stage 2 shall be performed again) ; b) A limited additional audit ( a number of audit days at client, proposed by the LAT/LA in the Audit Synthesis and established by the person that analyses the file for the certification decision); c) Or documented evidence (that must be confirmed during future surveillance audits) by specifying this aspect in the Nonconformities Reports elaborated by the LAT/LA. The additional audit that requires visit to the client shall take place in maximum 6 months from the date of the initial certification audit Stage 2, with a visit to the organization s headquarters. - Complete additional audit it means that Audit Stage 2 shall be performed again, so it takes place in the same manner, using the same templates with the specification of the audit type complete additional for initial certification. - Limited additional audit has the following steps: Planning the audit (if a visit to the audited client is required) LAT/ LA sends to the audited a Notification letter for the additional audit, after they established together with the audited the date of the follow-up audit. Performance of the audit, that implies: o LA goes to the audited or receives from the audited the documents needed for the closing of the nonconformity ; Pg 16 / 23

17 o LA analyses and assesses the information and the objective evidence presented by the audited that prove the manner of solving the nonconformity and the efficiency of the undertaken corrective actions. o LA fills in the Nonconformities Reports from the previous Audit Report with the result of the verification. Reporting of the Audit : o LA elaborates the Additional Audit Report to which attaches the Close Major Nonconformities Reports; o LA sends to the audited, when the audit was closed, a copy of the Additional Audit Report and of the Major Nonconformities Reports that contain the finding made by the LAT/LA that the corrective actions have been done and they are efficient Issue of the certificates and authorization to use the certification mark - After stage II of the initial certification audit is completed and the corrections/corrective actions are agreed and/or their implementation verified as well as subsequent to the technical review of the certification file, SRAC shall issue to the organization the certificate with an unique registration number. SRAC and IQNet certificates define: - the name of the applicant; - the address of the registered office and of the sites; - the reference standard; - the activities for which the certification was granted; - the date of issue/expiration of the certificate. - In case of multi-site certification, SRAC issues a list of all sites to which the certificate refers, either on the certificate, either on an annex to the certificate or in another manner if referenced. For example, in case of a very large number of sites, a controlled list can be included in the certification file. The certification scope shall clearly specify that these activities are performed by the network of listed sites. If the activities of the sites are only a part of the broader organization scope, the applicable scope for all the sites shall be clearly stated. - The certification documents may be issued to the organizations for each site covered by certification, with the condition that these include the same scope of sub-scope and include a clear reference to the main certification documents. - Where in the scope are also included temporary sites, these shall be identified as temporary in the certification documents. - The list of sites shall be kept updated. In this purpose, SRAC shall require the client to inform it in relation with the closure of any of the sites. Where the organization fails to provide this information, SRAC shall consider the certification as misused and shall act consequently, as provided in its procedures. - Where the site is not a subsidiary of the certificate holder but a different legal entity, SRAC shall supervise and additionally control the use of any certification marks at the site level. - In case of joint certification (cooperation with another certification body) of an organization with several sites, upon the customer request to issue of an extract or certificate per site, by the co-certifying organization, the cooperating certification body shall issue first a certificate based on the main certificate and subsequently, based on it, issues the certificate/extract for the site. The co-certifier cannot issue an extract/certificate for site based on an extract/certificate for site issued by the organization which issued the main certificate. - At the existing certification additional sites may be attached, as a result of the surveillance or recertification or extension activities, according to SRAC procedures; - IQNet certificate and conformity mark shall be used only together with SRAC certificate and conformity mark. IQNet certificate and conformity mark are not granted in case of the certifications in the mandatory area. - During the validity of the certificate, the organization is granted the right to use the conformity mark, in compliance with the regulations for using the conformity mark, attached to the contract. Pg 17 / 23

18 - The certification mark shall not be used on the product or product packaging or in any other manner that could be interpreted as connected to product certification. The organization can make public its certification. However special attention shall be paid to any misleading statement Publications Information on certified organizations is recorded in the register of certified organizations, published by SRAC on its website or in other publications of SRAC group Maintenance of certification The certificate of conformity is valid for 3 years from the issuing date, provided that the management system is maintained implemented and effective. This shall be demonstrated during the surveillance audits. Before the certificate expiry, a re-certification audit shall be carried out and a new certification cycle shall begin. Maintenance of the validity of SRAC certificates is conditioned by the performance of the programmed surveillance audits and by the payment of these audits, and it is confirmed by the application of the annual visa on the certificates Surveillance Activities General Surveillance activities have the purpose to constantly monitor and to take into consideration the changes appeared at the certified client and its management system Surveillance activities include on-site audits to assess if the certified client s management system complies with the specified requirements of the standard for which certification was granted The surveillance activities can include other activities too: - Request of information addressed to the certified client regarding some aspects of the certification, and provision of documents and/or records (on paper or online) - Review of any client s declarations regarding its activities (for example promotional, website, etc.) - other means of monitoring the performances of the certified client Surveillance Audit The surveillance audits are onsite audits, but they are not necessarily complete audits of a management system and they must be planned together with other surveillance activities so that there is a confirmation that the certified management system continues to comply with the requirements between the recertification audits During the surveillance audit at lest the following shall be assessed: a) Internal audits and management review; b) A review of the actions taken for the nonconformities identified during the previous audit; c) Management of complaints; d) MS efficiency regarding the fulfillment of the certified client s objectives; e) Evolution of the activities planned for continuous improvement; f) Continuity of the operational control; g) Review of any changes and h) Use of marks and/or any other references to certification The program of the surveillance audits provides performance of two audits scheduled: - 11 months after the closing of the certification/recertification audit - 22 months after the closing of the certification/recertification audit. NOTE: Date of the closing of the certification/recertification audit is considered the last day of the audit Stage At least 30 days before the month when programed audits shall be performed, SRAC notifies (by fax/ /post) the certified organization about the month when the audit shall be performed and asks for the organization s agreement for this. The surveillance audits can be shifted with +/- one Pg 18 / 23

19 month. For exceptional situations (force majeure), a maximum of 3 months shift can be given, the certificates being valid during this period, after which the suspension process shall be started The surveillance audits can be combined with other types of audits (initial for other management systems or extension/withdrawal audits) Un-programmed audits The re-certification process shall proceed by the organization with at least 3 months before the certificate expiry. The organization shall send to SRAC a firm order to conclude the re-certification addendum to the certification contract The re-certification audit is aimed at confirming the continued fulfilment of all of the requirements of the relevant management system standard or other normative documents, as well as the continued conformity and effectiveness of the management system as a whole and its applicability for the certified scope The re-certification audit covers all the standard requirements and includes the document review as well as the review of the previous surveillance audit reports The re-certification audits shall include an on-site audit and is carried out similar to stage II of the initial audit. The re-certification audit may have a stage I audit only in the situations where there have been significant changes to the management system, the client or the context in which the management system is operating (e.g. changes to legislation) When, during a re-certification audit, non-conformities are identified, SRAC together with the organization shall define time limits for the organization to implement corrections and corrective actions thus their verification (by on-site or documentary follow-up audit) to be carried out prior to the expiration of the certificate 7.8. Audituri neplanificate SRAC can perform audits at certified clients on short notice, generated by different situations as for example: a) To investigate complaints: - Regarding activities for which the organizations were certified; - Regarding the misuse of SRAC and IQNet certificates and marks; b) As an answer to significant changes in the organization, notified by the client c) Occurrence of accidents with repercussions on the environment; d) Occurrence of work accidents; e) Occurrence of situations generated by food that is not safe for consumption; f) As follow-up audits at clients whose certificates were suspended g) Occurrence of major information security incidents that question the efficiency of the information security management system Combined audits If possible, combined audits shall be conducted (all types of combined audits are allowed except for SA8000). The standards may be easily integrated and are complementary. An integrated audit report may be issued Additional guidelines for temporary sites and for the activities performed off-site Temporary sites It is necessary to judge the situation and review the difference between a temporary site and the activities carried out off-site. The difference is a degree. Typically, a temporary site is where a specific site management exists, such as a building, construction, major installation, or long-term provision of a large extent service activity. These types of sites shall be taken into consideration within the entire range of the concerned customer activities (e.g. civil buildings, roads, mining, bridges, etc.), various stages of a construction project (e.g. contract review, site preparation, construction, commissioning, maintenance of records), extent of various projects undergoing at any moment and the related risks for each project type. The various aspects and capabilities shall be verified during the initial audit and further surveillance and re-certification audits as adequate. Pg 19 / 23

20 The Acquisitions Directorate and the Lead Auditor shall decide the adequate size of the sample and the audit duration at the temporary sites. For guidelines in calculating the number of sites, a coefficient of 0.30 ( No. of temporary sites), always rounded to the upper number of locations, with minimum 1 site and maximum 20. In the selection process several factors shall be taken into account. They shall include: - The criticality of operations performed during the audit - Stages of the project - Coverage in terms of activity range - Locations of projects performing similar activities - Level of customer organization and involvement Activities performed off-site These are taken into consideration where individuals or a small team are employed in activities at customer premises or in other locations specified by the client, or are involved in mobile activities. Typical examples could be: repairing of domestic appliances, installations of computer systems, health care visit at patient premises, sales visits, guarding and security, courier, etc. The audit plan and audit record shall evidence that the adequate records of the system have been reviewed at the certified location, with the audit activity conducted off-site at a degree reflecting the risk involved and the degree in which such a visit would produce additional relevant objective evidence of compliance with the procedures. The reasons of the decisions shall be recorded. NOTE: The types of sites, temporary and off-site are not eligible for own certification. Any sampling of the activities conducted to such sites is performed to confirm the activities of the permanent office of the organization, whose system is subject to certification. Even though the temporary sites / off-site shall be an integrating part of each audit, these shall not be included on the certificate Additional sites When applying for a new group of sites to join to a network of sites already certified, each new group of sites shall be considered as an independent set, with the purpose of determining the sample size. After the new group is included in the certificate, the new sites should be cumulated to the previous ones, to determine the sample size for the future surveillance or re-certification audits. 8. TRANSFER OF CERTIFICATES In case an organization holds a certificate issued by an IQNet partner accredited by an MLA signatory (Multilateral Agreement within the International Accreditation Forum), SRAC following its own decision shall issue a secondary certificate. 9. NOTICE OF CHANGES 9.1 Changes related to the certification scheme In case of important changes on the certification rules (including the fees) and/or the reference standard SRAC shall: - post on SRAC web-site the update of the present Regulation; - notify the organizations involved - take into consideration any comment from stakeholders regarding the changes - specify the date when the changes shall be applied, granting a reasonable period of time for the organization to comply with these changes. The organization (already certified or undergoing certification) is entitled to waive the certification should it consider that it cannot comply with the new requirements. Such a decision should be notified in writing and sent to SRAC with at least 30 days before the deadline for compliance. 9.2 Notice of changes undertaken by the organization The organization shall inform SRAC, without delay, on any changes that might affect the capability of the management system to continue to fulfil the requirements, such as: Pg 20 / 23