Check-list according to ISO/IEC 17065:2012 for bodies certifying products, processes and services

Transcription

1 Federal Department of Economic Affairs, Education and Research EAER State Secretariat for Economic Affairs SECO Swiss Accreditation Service SAS Check-list according to ISO/IEC 17065:2012 for bodies certifying products, processes Document No. 502.ew Edition August 2013, Rev. 06 Identification n.activity: Accreditation n : Body under assessment: Contact person within the body: Assessed sites (when the body has several sites): Assessment date: Lead assessor: Technical expert: Technical expert: 502.ew, , Rev e.docx 1/43

2 SAS: Check-list according to ISO/IEC 17065:2012 for bodies certifying products, processes Table of contents A General... 3 B Check-list definitions and explanations... 3 C Legal identity... 4 D Questions based on the norm ISO/IEC 17065: General requirements Legal and contractual matters Management of impartiality Liability and financing Non-discriminatory conditions Confidentiality Publicly available information Structural requirements Organisational structure and top management Mechanism for safeguarding impartiality Resource requirements Certification Body Personnel Resources for evaluation Process requirements General Application Application review Evaluation Review Certification decision Certification documents Directory of certified products Surveillance Changes affecting certification Termination, reduction, suspension or withdrawal of certification Records Complaints and appeals Management system requirements Options General management system documentation (Option A) Control of documents (Option A) Control of records (Option A) Management review (Option A) Internal audits (Option A) Corrective actions (Option A) Preventive actions (Option A) ew, , Rev e.docx 2/43

3 A General This check-list is based on the ISO/IEC 17065:2012 International Standard for the accreditation of bodies certifying products, processes, as well as documents relating to the European Co-operation for Accreditation (EA) and the International Accreditation Forum (IAF). It may be supplemented with questions concerning specific technical areas. This check-list follows the structure of the ISO/IEC 17065:2012 standard and uses the same numbering system. It does not fully cover the ISO/IEC 17065:2012 and the documents relating to EA and IAF. In the event of doubt, the texts of the standard and the documents relating to EA and IAF are the authentic versions. The terminology has been reproduced for the main part. Accreditation applicants must fill in the check-list giving references for each question (e.g. to the chapter of the management manual or to directives in question) and all explanations required for a proper assessment to be conducted. Requirements which are non-applicable must be marked as N/A (not applicable), in the References/Remarks column and this must be justified. The completed check-list must be sent to the lead assessor at least four weeks before the assessment as per the instructions indicated in document SAS 501e Guide for the accreditation of bodies certifying products, processes. B Check-list definitions and explanations (Also see ISO/IEC 17000: 2004, Conformity assessment - Vocabulary and general principles" and ISO/IEC 17065:2012, Chapter 3, Terms and definitions) Abbreviation, definition Definitions OAccD Ordinance for accreditation and designation (SR ) Cert. Body Cert. Scheme Documents, records. EA IAF MLA MS N Y Certification Body Certification Scheme As a general rule, documents and records may be in paper or electronic form. In the case of the latter, issues concerning accessibility, right of access and backups must be resolved. European Co-operation for Accreditation International Accreditation Forum Multilateral Agreement Management System No, incorrect / does not exist Yes, correct / exists 502.ew, , Rev e.docx 3/43

4 C Legal identity Questions Y N Reference / Remarks C.1 Company name and address C.2 Registration in Register of Commerce (which? -> attach a copy not older than 6 months) [OAccD, art. 4] C.3 Sector of activity of the company C.4 Name and address of the certification body C.5 Sector of activity of the certification body (in general) C.6 Sector of activity for which accreditation is requested C.7 In which countries are certification services offered? C.8 In what way are they provided? (e.g. through local branches, subsidiaries, contractual partnerships etc.) C.9 In which other company or companies does your company have a financial holding? Percentage of each holding (%)? C.10 Which other company or companies have a financial holding in your company? Percentage of each holding (%)? 502.ew, , Rev e.docx 4/43

5 D Questions based on the norm ISO/IEC 17065:2012 The numbering of the questions is based on the underlying norm points. In case of norm points, to which several questions have been defined, the numbering for each question is the same. 4. General requirements 4.1 Legal and contractual matters Questions Y N References/Remarks Legal responsibility Is the Cert. Body a legal entity or does it form part of a legal entity? Is the Cert. Body exclusively responsible for all certification activities it performs? Certification agreement Does the Cert. Body enter into legally enforceable agreement for the provision of certification services with its clients? Do these agreements cover the responsibilities of both the Cert. Body and its clients? Do said certification agreements oblige clients to meet the minimum requirements shown below: a) ongoing compliance with the certification requirements including the implementation of appropriate changes sent to them by the Cert. Body (see 7.1); b) ensuring that the certified product continues to comply with the product requirements when certification applies to mass production; c) make all necessary arrangements for 502.ew, , Rev e.docx 5/43

6 17065 Questions Y N References/Remarks 1) the conduct of the evaluation and the surveillance (if required), including the provision of elements for examination such as documents and records, access to relevant equipment, location(s), area(s), personnel and client's sub-contractors; 2) investigation of complaints; 3) participation of observers, if applicable; d) the client makes claims regarding certification consistent with the scope of (see 3.10); e) the client does not use its product certification in such a manner as to bring the Cert. Body into disrepute nor make declarations on the certification of products, which the Cert. Body may consider misleading or unauthorised; f) in the case of suspension, withdrawal or termination of the certification, cease use of all means of communication which make reference to it and fulfil all requirements set out in the Cert. Scheme (e.g. return of certification documents) and implement all other required measures; g) if the client provides copies of certification documents to third parties they must be reproduced in their entirety or as specified in the Cert. Scheme; h) in making reference to certification of products in communications materials such as documents, brochures or advertisements, the client complies with the requirements of the Cert. Body or the specifications of the Cert. Scheme; 502.ew, , Rev e.docx 6/43

7 17065 Questions Y N References/Remarks i) the client complies with any requirements that may be prescribed in the Cert. Scheme relating to the use of marks of conformity, and on information related to the product; j) the client keeps a record of all complaints made known to it relating to compliance with certification requirements and makes these records available to the Cert. Body when requested, and: 1) takes appropriate actions regarding complaints and deficiencies found in products, which affect compliance with certification requirements; 2) documents the actions taken; [See notes concerning these points in the k) the client informs the Cert. Body, without delay, of all changes that may affect its ability to conform with the certification requirements? Use of licenses, certificates and conformity marks Does the Cert. Body exercise control over - rights of ownership, - the use and display of licenses, certificates and conformity marks, as well as - any other mechanisms to indicate certification of a product, such as those set out in the Cert. Scheme? [See notes concerning these points in the 502.ew, , Rev e.docx 7/43

8 17065 Questions Y N References/Remarks Have appropriate measures been taken to counter incorrect reference to the certification system and to counter the misleading use of licenses, certificates, marks and any other device indicating that a product has been certified, including inscriptions appearing on documentation and other publicity materials? 4.2 Management of impartiality Does the Cert. Body ensure that certification activities are conducted on an impartial basis? Does the Cert. Body assume responsibility for impartiality and ensure that commercial, financial or other pressures do not compromise said impartiality? Does the Cert. Body identify risks that could affect their impartiality on an ongoing basis? Does this also cover risks arising from - its activities, - its relationships (including bodies with which it is connected ) or - relationships with its staff? [See notes concerning these points in the Can the Cert. Body provide proof that they have removed, or minimized as far as possible, the risks affecting its impartiality? Is this information reported to the mechanism indicated in 5.2? 502.ew, , Rev e.docx 8/43

9 4.2.5 Is the top management of the Cert. Body involved in impartiality matters? Does the Cert. Body and all other parts of the same legal entity under its operational control, meet the following requirements: - is not a designer, manufacturer, installer, distributor or maintainer of the certified product; - is not a designer, implementer, operator or maintainer of the certified process; - is not a designer, implementer, provider or maintainer of the certified service; - prohibits to offer or provide of consulting services to its clients; - prohibits to offer or provide management system consultancy or internal auditing to its clients, when the Cert. Scheme requires evaluation of the client s management system; [See notes concerning these points in the Does the Cert. Body ensure that the activities of legally separate entities with which the certification body or the legal entity of which it forms a part have a relationship, do not compromise the impartiality of its certification activities? In the event that the separate legal entity mentioned in above offers or manufactures the certified product (or product to be certified), or offers or provides consulting services, does the Cert. Body ensure that their staff comply with the following requirements: 502.ew, , Rev e.docx 9/43

10 - persons involved in the management of the Cert. Body, as well as staff in charge of certification review and decisionmaking processes, must not be involved in the activities of the separate legal entity; - the staff of the separate legal entity must not be involved in the management of the certification body nor the review or certification decision; Does the Cert. Body refrain from selling or offering activities associated with those of a consulting firm? Does the Cert. Body refrain from declaring or letting it be understood that certification will be simpler, easier, faster or less onerous, if they hired a specific consulting firm? Has the Cert. Body set the deadline before which staff providing consulting services for a given product must not either review or take certification decisions for this product? [See notes concerning these points in the Has the Cert. Body taken necessary actions to respond to any risks to its impartiality, arising from the actions of other persons, bodies or organizations? Is it guaranteed that all staff of the Cert. Body, whether internal or external, and committees which may influence certification activities, act in an impartial manner? 502.ew, , Rev e.docx 10/43

11 4.3 Liability and financing Has the Cert. Body implemented appropriate provisions (e.g. insurance or reserves) covering the liabilities arising from its activities? Is the Cert. Body financially stable and does it have the resources required for its operations? 4.4 Non-discriminatory conditions Is it guaranteed that the policy and procedures governing certification are not discriminatory? Is it guaranteed that the procedures are not used to hinder or prevent access to applicants, subject to the terms of the standard ISO/IEC 17065:2012? Does the Cert. Body make its services applicable to all applicants, when the business of the latter falls within the field of its activities? Is access to the certification process independent - of the size of the client; - of its belonging to an association or a group; - of the number of certificates previously awarded? Does said access exclude unfair financial or other conditions? Does the Cert. Body limit its requirements, its evaluation, its review, its decision and its surveillance (if applicable) to those matters specifically falling within the scope of certification? 502.ew, , Rev e.docx 11/43

12 4.5 Confidentiality Within the framework of its legally enforceable commitments, is the Cert. Body responsible for the management of all information obtained or created during the performance of certification activities? OBSERVATIONS With the exception of information which the client makes publicly available themselves, or which is subject to an agreement between the Cert. Body and the client, all information must be considered to be confidential. Does the Cert. Body inform the client of the information they are going to place in the public domain in advance? When the Cert. Body is authorised by law or by contract to communicate confidential information, does it inform the client or person in question of the information which will be communicated, unless otherwise prohibited by law? Does the Cert. Body treat information relating to the client, but obtained from sources other than the client (e.g. plaintiff, regulatory authorities), with the same confidentiality? 4.6 Publicly available information Does the Cert. Body maintain (through publications, electronic media or any other means), and make available on request, the following information: 502.ew, , Rev e.docx 12/43

13 a) information concerning (or referencing) the Cert. Scheme, including evaluation procedures, rules and procedures for granting, maintaining, extending or reducing the scope of, suspending, withdrawing or refusing certification; b) descriptions of the means by which the Cert. Body obtains financial support and general information about the fees charged to applicants and clients; c) descriptions of the rights and obligations of applicants and clients, including the requirements, restrictions or limitations on the use of the Cert. Body's name and the certification mark belonging to the Cert. Body, as well as the ways of referring to the certification granted; d) information relating to procedures for handling complaints and appeals? 502.ew, , Rev e.docx 13/43

14 5. Structural requirements 5.1 Organisational structure and top management Are the activities of the Cert. Body structured and managed in such a way as to safeguard impartiality? Has the Cert. Body a documented organizational structure, showing duties, responsibilities and authorities of management and other certification personnel and any committees? When the Cert. Body is a defined part of a legal entity, does the structure include the line of authority and the relationship to other parts of this same legal entity? To whom (Committee, team or person) are decision-making and oversight powers given in regard to the following activities: a) development of policies relating to the operation of the certification body; b) supervision of the implementation of policies and procedures; c) supervision of the finances of the Cert. Body; d) development of certification activities; e) development of certification requirements; f) evaluation (see 7.4); g) review (see 7.5); h) decisions on certification (see 7.6); i) delegation of authority to committees or personnel, as required, to undertake defined activities on its behalf; 502.ew, , Rev e.docx 14/43

15 j) contractual arrangements; k) provision of adequate resources for certification activities; l) responsiveness of complaints and appeals; m) personnel competence requirements; n) management system of the Cert. Body (see 8)? Does the Cert. Body have formal rules governing the appointment, the mission and the operation of all committees involved in the certification processes (see art. 7)? Is it guaranteed that these committees are free from commercial, financial and other pressures liable to influence their decisions? Does the Cert. Body have authority to appoint and remove members of these committees? 5.2 Mechanism for safeguarding impartiality Does the Cert. Body have an mechanism for safeguarding its impartiality applying to the following areas: a) policies and principles relating to the impartiality of its certification activities; b) any tendency on the part of a certification body to allow commercial or other considerations to prevent the consistent impartial provision of certification activities; c) matters affecting impartiality and confidence in certification, including openness? 502.ew, , Rev e.docx 15/43

16 [See notes concerning these points in the Is the mechanism duly documented such as to a) represent, in a balanced way, those parties having a significant interest and to guarantee that no interest can predominate in itself; OBSERVATIONS The internal and external personnel of the Cert. Body are deemed to represent a single interest and should not predominate. b) have access to all information necessary to enable it to fulfil all its functions? When the top management of the Cert. Body does not follow the rules of the mechanism, does the latter have the right to take independent action (e.g. inform the authorities, accreditation bodies, stakeholders)? Is it bound to comply with confidentiality requirements (see 4.5) relating to the client and the Cert. Body? OBSERVATIONS Input that is in conflict with the operating procedures of the Cert. Body or with other mandatory requirements must not be followed. It is important that the management documents the reasons behind the decision not to follow the input and maintain the document for review by appropriate personnel Does the Cert. Body identify and require the input of parties having a significant interest, but which are not represented in this system? [See notes concerning this point in the 502.ew, , Rev e.docx 16/43

17 6. Resource requirements 6.1 Certification Body Personnel General Does the Cert. Body employ, or have access to, a sufficient number of personnel to cover operations related to the Cert. Scheme, as well as to other applicable standards and to other normative documents? [See notes concerning these points in the Is the personnel competent for the functions they perform, including making required technical judgments, defining policies and implementing them? Do all persons (including members of committees, internal and external personnel and sub-contractors) handle information obtained or generated during the course of certification activities on a confidential basis, unless otherwise required by law or the Cert. Scheme? Management of competence of personnel involved in the certification process Has the cert. Body set out and implement, and does it maintain, a procedure for the management of competence of personnel involved in the certification process which covers the following requirements: a) determine the criteria for the competence of personnel for each function in the certification process, taking into account the requirements of the Cert. Schemes; 502.ew, , Rev e.docx 17/43

18 b) identify training needs and provide (based on needs) training programmes on certification processes, requirements, methodologies, activities and other relevant requirements of the Cert. Scheme; c) demonstrate that personnel have the required competences for the duties and responsibilities they undertake; d) formally authorize personnel for functions in the certification process; e) monitor the performance of the personnel? Does the Cert. Body maintain the following records on the personnel involved in the certification process: a) name and address; b) employer(s) and position held; c) educational qualification and professional status; d) experience and training; e) the assessment of competence; f) performance monitoring; g) authorizations held within the Cert. Body; h) the date of most recent updating of each record? Contract with the personnel Does the Cert. Body require personnel involved in the certification process to sign a contract or other document whereby the person undertakes to: 502.ew, , Rev e.docx 18/43

19 a) comply with the rules set out by the Cert. Body, including those relating to confidentiality (see 4.5) and independence from all commercial and other interests; b) declare all past and/or current relations, on their own behalf or on behalf of their employer, with: - a supplier or product designer of products, or - a service provider or developer of services, or - an operator or developer of processes to the evaluation or certification of which they are to be assigned; c) reveal any situation of which they are aware and which may create a conflict of interest for the Cert. Body (see 4.2)? Does the Cert. Body take into account this information to identify risks to impartiality raised by the activities of such personnel, or by the organizations that employ them (see 4.2.3)? 6.2 Resources for evaluation Internal resources Does the Cert. Body perform assessment activities, either using internal resources or using other resources placed under its direct control? In doing so, does it meet the requirements set out in the appropriate international standards (ISO/IEC 17025, ISO/IEC 17020, ISO/IEC 17021) and other documents specified in the Cert. Scheme? 502.ew, , Rev e.docx 19/43

20 Are impartiality requirements for the evaluation personnel stipulated in the appropriate standards always complied with? External resources (outsourcing) (Award of sub-contractor contracts) Does the Cert. Body outsource assessment activities exclusively to organisations which meet the requirements set out in the appropriate international standards (ISO/IEC 17025, ISO/IEC 17020, ISO/IEC 17021) and other documents, as specified in the Cert. Scheme or other documents? Are impartiality requirements for the evaluation personnel stipulated in the appropriate standards always complied with? [See notes concerning these points in the When assessment activities are outsourced to non-independent organisations (e.g. client s laboratories), does the Cert. Body guarantee that these activities will be managed so as to create confidence in the results? Can the Cert. Body justify this confidence through its records? Does the Cert. Body have a legally binding contract with the subcontractor, which also includes a confidentiality clause and provisions preventing conflicts of interest, as specified in c? Does the Cert. Body undertake the following: a) assume entire responsibility for all activities outsourced to another body; 502.ew, , Rev e.docx 20/43

21 b) guarantee that the sub-contractor, and the personnel that it uses, are not involved, either directly or by another employer, so as to compromise the credibility of the results; c) provide documents concerning the policy, procedures and records in regard to qualification, assessment and control of all sub-contractors engaged for certification activities; d) maintain a list of approved providers of outsourced services (subcontractors); e) implement corrective actions for all omissions in regard to contracts (as per ) or other requirements (as per 6.2.2) of which they become aware; f) inform clients in advance of those activities which are outsourced and give them the opportunity to object? 502.ew, , Rev e.docx 21/43

22 7. Process requirements 7.1 General Does the Cert. Body use one or several Cert. Scheme covering its certification activities? [See notes concerning these points in the Do the requirements used to evaluate a client s product appear in standards and other specific normative documents? If the explanations concerning the application of documents, as per 7.1.2, are required for a specific Cert. Scheme, are they written by pertinent and impartial persons or committees possessing the necessary technical competence? Are these explanations provided by the Cert. Body if requested? 7.2 Application When examining an application, does the Cert. Body collect all information necessary for the correct processing of certification in accordance with the relevant Cert. Scheme? [See notes concerning these points in the ISO/IEC 17065:2012 standard examples of necessary information] 502.ew, , Rev e.docx 22/43

23 7.3 Application review When reviewing information obtained (see 7.2), does the Cert. Body ensure that the following requirements are met: a) there is sufficient information about the client and the product to allow the certification process to be conducted; b) any differences in understanding identified between the Cert. Body and the client are resolved, including agreement on standards and normative documents; c) the scope of certification required is clearly defined; d) the means required for all evaluation activities are available; e) the Cert. Body has the required competence and capability to perform the certification activity? Has the Cert. Body a process to identify client certification applications concerning - a type of product, or - a normative document, or - a Cert. Scheme with which the Cert. Body does not have prior experience? In this cases (see 7.3.2), does the Cert. Body ensure that it has the competence and capability for all the certification activities required? Does it maintain records justifying the decision to proceed with certification? 502.ew, , Rev e.docx 23/43

24 7.3.4 Does the Cert. Body refuse to proceed with certification if it does not have the competence or capabilities required for the certification activities it must perform? If the Cert. Body omits certain activities, based on certifications that it has already granted to that client or to another, does it make reference to the certifications already granted? Does the Cert. Body justify omissions in its activities, if requested to do so by the client? 7.4 Evaluation Does the Cert. Body possess a plan for the evaluation activities allowing it to manage the required resources? Does the Cert. Body appoint members of staff to perform each of the evaluation tasks to be undertaken using internal resources? Does the Cert. Body make sure all information and/or documentation is available required for performing the evaluation tasks? Does the Cert. Body carry out evaluation activities it undertakes with internal resources in accordance with the evaluation plan (see 6.2.1). Is the Cert. Body capable of properly managing outsourced resources (see 6.2.2)? 502.ew, , Rev e.docx 24/43

25 Are products evaluated against the requirements covered by the scope of certification and other requirements specified in the Cert. Scheme? When the Cert. Body uses evaluation results obtained before the application for certification, does it assume responsibility for these results and ensure that the body which performed the evaluation meets the requirements indicated in and those specified in the Cert. Scheme? [See notes concerning these points in the Does the Cert. Body inform the client of all non-conformities? If, in spite of one or more nonconformities, the customer wishes to continue the certification process, does the Cert. Body inform him of the additional evaluation tasks that will be required to verify the resolution of non-conformities? If the client agrees to the performance of additional evaluation tasks, is the evaluation processes specified in 7.4 repeated for the performance of these tasks? Are the results of all evaluation activities documented before proceeding with the review (see 7.5)? [See notes concerning these points in the 7.5 Review Does the Cert. Body appoint at least one person to review all information and all results relating to the evaluation? 502.ew, , Rev e.docx 25/43

26 Is the review carried out by person(s) who have not been involved in the evaluation process? Are recommendations for a certification decision based on the review documented, given that the certification review and the decision are not handled by the same person? 7.6 Certification decision Is the Cert. Body responsible for its decisions and does it retain authority to this sole effect in regard to certification? Does the Cert. Body appoint at least one person to make the certification decision based on all information related to the evaluation, its review and other relevant information? Is the certification decision taken by a person or group (see 5.1.4) not involved in the assessment process (see 7.4)? [See notes concerning these points in the Those persons (with the exception of committee members as per 5.1.4) called on to make a certification decision, are they employed by - the Cert. Body, or - an entity under the organisational control of the Cert. Body (see 7.6.4)? Does organisational control of the cert. Body comprise - total or majority ownership of another entity by the Cert. Body, or 502.ew, , Rev e.docx 26/43

27 - majority participation of the Cert. Body on the administrative board of another entity, or - documented authority of the Cert. Body over another legal entity within a network of legal entities (which includes the Cert. Body), linked by ownership or board of director control? Are persons employed by, or under contract with, entities under organisational control subject to the same requirements of the ISO/IEC 17065:2012 standard as persons employed by, or under contract with, the Cert. Body? In the event that certification is refused, do clients receive notification of the decision with reasons? [See notes concerning these points in the 7.7 Certification documents Does the Cert. Body send clients a certification document identifying the following elements: a) name and address of the Cert. Body; b) the date on which certification was granted (this date must not be prior to the date on which the certification decision was taken); c) name and address of the client; d) the scope of certification; [See notes concerning these points in the e) the validity period or expiry date of 502.ew, , Rev e.docx 27/43

28 certification, when limited in time; f) all other information required by the Cert. Scheme? Does the certification document include the signature (or another method of authorization) of the person(s) assuming responsibility for said certification? Are certification documents issued after or at the same time as a) the decision to award certification or to extend its scope (see 7.6.1); b) satisfaction of all certification requirements; c) signing of the certification contract? 7.8 Directory of certified products Does the Cert. Body maintain a directory of certified products which includes at least the following information: a) identification of the product; b) the standard(s) and other normative documents with which conformity has been certified; c) the identification of the client? Do the parts of this information that need to be published or made available upon request in a directory (through publications, electronic media or other means) include all information stipulated by the relevant Cert. Scheme? 502.ew, , Rev e.docx 28/43

29 As a minimum, does the Cert. Body provide, on request, information about the validity of a given certification? [See notes concerning these points in the 7.9 Surveillance If surveillance is required by the certification scheme, or as specified in or 7.9.4, does the Cert. Body initiate surveillance of the product(s) covered by the certification decision in accordance with the Cert. Scheme? [See notes concerning these points in the When surveillance utilizes evaluation, review or a certification decision, are the requirements in 7.4, 7.5 or 7.6, respectively, fulfilled? Products: Is surveillance established when continuing use of certification mark is authorised for placement on a certified product (or its packaging, or information accompanying it)? Does this comprise periodic surveillance of marked products to ensure on-going fulfilment of product requirements? Processes : Is surveillance established when continuing use of a certification mark is authorized for a process or service? Does this comprise periodic surveillance activities to ensure ongoing validity of fulfilment of process or service requirements? 502.ew, , Rev e.docx 29/43

30 7.10 Changes affecting certification Does the Cert. Body make sure that new or revised requirements of a Cert. Scheme that affect the client, are communicated to all clients? Does the Cert. Body verify the implementation of the changes by its clients and take all actions required by the Cert. Scheme? Does the Cert. Body also take into account other changes affecting certification, including changes initiated by the client, and decide about appropriate action? Do actions to implement changes affecting certification include, if required, the following: - evaluation (see 7.4); - review (see 7.5); - decision (see 7.6); - issuance of revised certification documents (see 7.7) for the extension or reduction of the scope of certification; - issuance of certification documentation of revised surveillance activities (if surveillance is part of the Cert. Scheme)? Are these actions performed in accordance with the requirements applying in 7.4, 7.5, 7.6, 7.7 and 7.8? Do records exist (see 7.12) providing information on the reasons for the exclusion of the aforementioned activities (e.g. when a certification requirement, which is not a product re- 502.ew, , Rev e.docx 30/43

31 quirement changes, and no evaluation, review or decision activities are necessary)? 7.11 Termination, reduction, suspension or withdrawal of certification When non-conformities in regard to certification requirements are identified, does the Cert. Body examine these and take appropriate measures? When said measures include an evaluation, a review or a certification decision, are the requirements of 7.4, 7.5 and 7.6 met? If certification is terminated (by request of the client), suspended or withdrawn, does the Cert. Body undertake the actions specified in the Cert. Scheme? In this event, does the Cert, Body ensure that all certification documents, publicly available information, authorisations for use of marks etc. are modified in such a way that there is no mention indicating that the product is still certified? In the event that the scope of certification is reduced, does the Cert. Body take actions specified by the Cert. Scheme? 502.ew, , Rev e.docx 31/43

32 In this event, does the Cert, Body ensure that all certification documents, publicly available information, authorisations for use of marks etc. are modified in such a way that the client receives clear information concerning the reduced scope of certification, and that this is specified in an indisputable manner in certification documents and publicly available information? In the event that certification is suspended, does the Cert. Body appoint one or more persons to formulate and communicate the following to the client: - actions necessary to end suspension and restore certification for the products according to the Cert. Scheme; - any other actions required by the Cert. Scheme? Are the appointed persons competent in their knowledge and understanding of all aspects of the handling of suspended certifications (see 6.1)? If any evaluations, reviews or decisions are needed to resolve the suspension, or that are required by the Cert. Scheme, are they completed in accordance with the applicable parts of 7.4, 7.5, 7.6, and 7.9 and ? If certification is reinstated after suspension, does the Cert. Body ensure that all official documents, publicly available information, authorisations for use of marks etc. are modified in such a way that they clearly indicate that the product is continues to be certified? If a decision to reduce the scope of certification is made as a condition of reinstatement does the Cert. Body 502.ew, , Rev e.docx 32/43

33 ensure that all certification documents, publicly available information, authorisations for use of marks etc. are modified in such a way the reduced scope of certification is clearly communicated to the client and clearly specified in certification documentation and public information? 7.12 Records Does the Cert. Body retain records to demonstrate that all certification process requirements (those in the standard ISO/IEC and those of the Cert. Scheme) have been effectively fulfilled (see also 8.4)? Are records kept, transported, transmitted and transferred in a way that confidentiality is ensured at all times (see also 4.5)? If the certification scheme involves complete re-evaluation of the product(s) within a determined cycle, are records retained at least during the current and preceding cycles? In the event that the validity of certification is not limited in time, has the Cert. Body defined a time period during which records must be retained? 7.13 Complaints and appeals OBSERVATIONS An appeal is defined as the rejection of a certification decision. All other cases are considered to be complaints. 502.ew, , Rev e.docx 33/43

34 Does the Cert. Body have a documented process to receive, evaluate and make decisions on complaints and appeals? Does the Cert. Body record and track all complaints and appeals, as well as all actions taken to resolve them? On receiving a complaint or an appeal, does the Cert. Body confirm whether it concerns certification activities for which it is responsible, and, if so, address it? Does the Cert. Body acknowledge receipt of an formal complaint or appeal? Is the Cert. Body responsible for gathering and verifying all necessary information (as far as possible) to progress the complaint or appeal to a decision? Is the decision resolving the complaint or appeal made by, or reviewed and approved by, person(s) not involved in the certification activities related to the complaint or appeal? To prevent conflicts of interest, does the Cert. Body ensure that personnel (including those acting in a managerial capacity) who have provided consultancy (see 3.2) for a client, or been employed by a client, are not used by the certification body to review or approve the resolution of a complaint or appeal for that client within two years following the end of the consultancy or? As far as is possible, is the complainant formally informed of the results and the end of the complaints process? 502.ew, , Rev e.docx 34/43

35 Is the appellant formally informed of the results and the end of the appeals process? Does the Cert. Body take all subsequent actions needed to resolve the complaint or appeal? 502.ew, , Rev e.docx 35/43

36 8. Management system requirements 8.1 Options General Which option has the Cert. Body chosen for its Management System (MS), option A or option B? Option A Option B Does the MS include the following elements: - general MS documentation (e.g. policy manual, definition of responsibilities, see 8.2); - document controls (see 8.3); - record-keeping controls (see 8.4); - a management review (see 8.5); - internal audits (see 8.6); - corrective actions (see 8.7); - preventive actions (see 8.8)? If the Cert. Body has implemented a MS according to ISO 9001, can it demonstrate that the MS meets also the requirements of the standard ISO/IEC 7065? 8.2 General management system documentation (Option A) Did the Cert. Body's top management establish, document, and does it maintain, policies and objectives for fulfilment of the standard ISO/IEC and the Cert. Scheme? 502.ew, , Rev e.docx 36/43

37 Does the top management ensure that the policies and objectives are acknowledged and implemented at all levels of the Cert. Body s organization? Can the top management provide evidence of its commitment to the development and implementation of the MS and its effectiveness in achieving consistent fulfilment of the standard ISO/IEC 17065? Which member of the management team, irrespective of other responsibilities, is responsible for and in charge of the following: a) ensuring that processes and procedures needed for the MS are established, implemented and maintained; b) reporting to the top management on the performance of the MS and any need for improvement? Are all documents, processes, systems, records etc. associated with the implementation of this standard, included, referenced, or linked to documentation of the MS Are parts of the MS documentation and related information accessible to all personnel involved in certification activities, as far as applicable to their responsibilities? 8.3 Control of documents (Option A) Have procedures to control the documents (internal and external) that relate to the fulfilment of the standard ISO/IEC been established? Do these procedures include at least the following: 502.ew, , Rev e.docx 37/43

38 a) approve documents for adequacy prior to issue; b) review and update (as necessary) and re-approve documents; c) ensure that changes and the current revision status of documents are identified; d) ensure that relevant versions of applicable documents are available at points of use; e) ensure that documents remain legible and readily identifiable; f) ensure that documents of external origin are identified and their distribution controlled; g) prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose? 8.4 Control of records (Option A) Does the Cert. Body have procedures to define the controls needed for the - identification - storage - protection - retrieval - retention time and - disposition of its records? 502.ew, , Rev e.docx 38/43

39 8.4.2 Does the Cert. Body have procedures for retaining records (see 7.12) for a period consistent with its contractual and legal obligations? Is the access to these records consistent with the confidentiality arrangements? 8.5 Management review (Option A) General Has the Cert. Body established procedures to periodically review its MS in order to ensure its continuing suitability, adequacy and effectiveness, including the stated policies and objectives related to the fulfilment of the standard ISO/IEC 17065? Are these reviews performed at least once a year? Or, as an alternative, is a complete review broken up into segments performed within a 12-month time frame? Are records of the reviews maintained? Review inputs Does the input to the management review include the following information: a) results of internal and external audits; b) feedback from clients and interested parties related to the fulfilment of the standard ISO/IEC 17065; 502.ew, , Rev e.docx 39/43

40 c) feedback from the mechanism for safeguarding impartiality; d) the status of preventive and corrective actions; e) follow-up actions from previous management reviews; f) the fulfilment of objectives; g) changes that could affect the MS; h) appeals and complaints? Review outputs Do the review outputs include decisions and actions related to a) improvement of the effectiveness of the MS and its processes; b) improvements within the Cert. Body related to the fulfilment of the standard ISO/IEC 17065; c) needs in terms of resources? 8.6 Internal audits (Option A) Has the Cert. Body established a procedure for internal audits to verify that it fulfils the requirements of the standard ISO/IEC and that the MS is effectively implemented and maintained? Are internal audits planned, taking into consideration the importance of the processes and areas to be audited, as well as the results of previous? Are internal audits performed at least once every 12 months, or completed 502.ew, , Rev e.docx 40/43

41 within a 12-month time frame for segmented (or rolling) internal audits? Is a documented decision-making process followed, if the frequency of internal audits is changed (reduced or restored)? Are such changes based on the relative stability and on-going effectiveness of the MS? Are all decisions and reasons concerning changes to the frequency of internal audits, or the time frame in which they will be completed, including the rationale for the change, maintained? Does the Cert. Body ensure that a) internal audits are carried out by personnel who are qualified in certification, auditing and the requirements of the standard ISO/IEC 17065; b) auditors do not audit their own work; c) personnel responsible for the area audited are informed of the outcome of the audit; d) any actions resulting from internal audits are taken in a timely and appropriate manner; e) any opportunities for improvement are identified? 8.7 Corrective actions (Option A) Has the Cert. Body established procedures to identify and manage nonconformities in its operations? Does the Cert. Body, if necessary, also implement actions to eliminate the causes of nonconformities in or- 502.ew, , Rev e.docx 41/43

42 der to prevent recurrence? Are corrective actions appropriate to the impact of the problems encountered? Do the procedures for corrective actions define requirements regarding: a) the identification of nonconformities; b) the determination of the causes of nonconformities; c) the correction of nonconformities; d) the evaluation of the need for actions to ensure that nonconformities do not recur; e) the determination and implementation of the actions required in a timely manner; f) the recording of the results of the actions taken; g) the review of the effectiveness of the corrective actions? 8.8 Preventive actions (Option A) Has the Cert. Body established procedures to implement preventive actions to eliminate the causes of potential of nonconformities? Are the adopted preventive actions appropriate to the probable impact of the potential problems? Do the procedures for preventive actions include requirements regarding: a) the identification of potential nonconformities and their causes; b) the evaluation of the need for action 502.ew, , Rev e.docx 42/43

43 to prevent the occurrence of nonconformities; c) the determination and the implementation of the actions needed; f) the recording of the results of the actions implemented; e) the review the effectiveness of the preventive actions implemented? * / * / * / * / * 502.ew, , Rev e.docx 43/43