How To Audit A Site

Transcription

1 BELAC Rev LIGNES DIRECTRICES OBLIGATOIRES POUR L APPLICATION DE LA NORME ISO/IEC A L'USAGE DES ORGANISMES DE CERTIFICATION PROCEDANT A LA CERTIFICATION DES SYSTEMES DE MANAGEMENT Les versions des documents du système de management de BELAC telles que disponibles sur le site internet de BELAC ( sont seules considérées comme authentiques. Mise en application : BELAC Rev /61

2 BELAC Rev /61

3 HISTORIQUE DU DOCUMENT Révision et date d approbation Rév 0 Secrétariat Motifs de la révision Remplace BELAC et suite à la mise en application de la norme ISO/IEC Aucune ligne directrice n est actuellement prévue en ce qui concerne le texte proprement dit de la norme ISO/IEC mais les annexes des documents de guidance précédents restent d application, à savoir: Portée de la révision Pas d adaptation signification par rapport au contenu des documents d origine. - Annexes à IAF Guidance on the application of ISO/IEC Guide 62 issue 4 December 2005 Rév 1 CC Rév 2 CC Rev 3 Secrétariat Rév 4 CC Rév 5 Secretariaat Annexes à IAF Guidance on the application of ISO/IEC Guide 66 issue 4 August 2006 Modification complète du document pour incorporer les Mandatory documents d IAF: MD1, MD2, MD3 et MD4 d application à partir du 15 septembre 2008 et MD5 d application à partir du 1 mai 2009 Intégration du document EA-7/05 (EA Guidance on the application of ISO/IEC 17021:2006 for combined audits) d application à partir du 25 ocotbre Passage à la norme NBN EN ISO/IEC :2011 : Adaptation des références - Adaptation de l annexe 1 par rapport au document IAF ID 1, issue 1 - Nouvelle version IAF MD 5 (IAF MD5:2013, issue 2) - Intégration du document IAF : IAF MD9:2011, issue 1, version 2 - Intégration du document IAF : MD11:2013, issue 1 - Suppression de la partie III (lignes directrices EA 7/05) - Introduction d une référence aux normes d accréditation qui complètent la norme NBN EN ISO/IEC Intégration du document IAF MD 10 :2013 Issue 1 Modification de la partie I et remplacement de la partie II L annexe 1 du document existant reste d application Modification de la partie I et ajout de la partie IIII lignes directrices EA Pas d adaptation signification par rapport au contenu des documents d origine. Partie II, chapitre 1 Partie II, chapitre 6 Partie II, chapitre 7 Partie III Partie I, point 1.1 Partie II, chapitre VIII BELAC Rev /61

4 TABLE DES MATIERES PARTIE I: INTRODUCTION 5 1. GÉNÉRALITÉS OBJECTIFS RÉFÉRENCES NORMATIVES 5 2. DESTINATAIRES 6 PARTIE II: LIGNES DIRECTRICES IAF OBLIGATOIRES 7 1. LIGNES DIRECTRICES OBLIGATOIRES POUR LES DUREES D'AUDITS QMS ET EMS (COPIE INTÉGRALE DU DOCUMENT MD5:2013: IAF MANDATORY DOCUMENT FOR DURATION OF QMS AND EMS AUDITS) 2. LIGNES DIRECTRICES OBLIGATOIRES POUR LA CERTIFICATION MULTI-SITES PAR ÉCHANTILLONNAGE (COPIE INTÉGRALE DU DOCUMENT IAF MD1:2007: IAF MANDATORY DOCUMENT FOR CERTIFICATION OF MULTIPLE SITES BASED ON SAMPLING) 3. LIGNES DIRECTRICES OBLIGATOIRES POUR LE TRANSFERT D UNE CERTIFICATION SOUS ACCRÉDITATION (COPIE INTÉGRALE DU DOCUMENT IAF MD2:2007: IAF MANDATORY DOCUMENT FOR THE TRANSFER OF ACCREDITED CERTIFICATION OF MANAGEMENT SYSTEMS 4. LIGNES DIRECTRICES OBLIGATOIRES POUR LES PROCÉDURES AVANCÉES DE SURVEILLANCE ET DE RENOUVELLEMENT (ASRP) (ISO 9001 ISO 14001) (COPIE INTÉGRALE DU DOCUMENT IAF MD3:2008: IAF MANDATORY DOCUMENT FOR ADVANCED SURVEILLANCE AND RECERTIFICATION PROCEDURES) 5. LIGNES DIRECTRICES OBLIGATOIRES POUR L UTILISATION DE TECHNIQUES D AUDIT ASSISTÉES PAR ORDINATEUR («TAAO») (COPIE INTÉGRALE DU IAF MD4:2008: IAF MANDATORY DOCUMENT FOR COMPUTER ASSISTED AUDITING TECHNIQUES (CAAT) 6. LIGNES DIRECTRICES OBLIGATOIRES POUR LES SYSTEMES DE MANAGEMENT DE LA QUALITE POUR LES DISPOSTIFS MEDICAUX (COPIE INTEGRALE DU IAF MD9:2011: IAF MANDATORY DOCUMENT FOR MEDICAL DEVICE QUALITY MANAGEMENT SYSTEMS) 7. LIGNES DIRECTRICES OBLIGATOIRES POUR LES AUDITS DES SYSTEMES DE MANAGEMENT INTEGRES (COPIE INTEGRALE DU IAF MD11:2013: IAF MANDATORY DOCUMENT FOR AUDITS OF INTEGRATED MANAGEMENT SYSTEMS) 8 LIGNES DIRECTRICES OBLIGATOIRES POUR LE MANAGEMENT DE SA COMPETENCE PAR L ORGANISME DE CERTIFICATION ET L EVALUATION PAR BELAC (COPIE INTEGRALE DU IAF MD10:2013 IAF MD10:2003 IAF MANDATORY DOCUMENT FOR ASSESSMENT OF CERTIFICATION BODY MANAGEMENT OF COMPETENCE IN ACCORDANCE WITH ISO/IEC 17021:2011) ANNEXE 1: ÉTENDUE DE L'ACCRÉDITATION (QMS) 61 BELAC Rev /61

5 LIGNES DIRECTRICES OBLIGATOIRES POUR L'APPLICATION DE LA NORME ISO/IEC A L'USAGE DES ORGANISMES DE CERTIFICATION PROCEDANT A LA CERTIFICATION DES SYSTEMES DE MANAGEMENT PARTIE I : INTRODUCTION 1. Généralités 1.1. Objectifs Les organismes de certification de systèmes de management sont tenus de se conformer aux exigences de la norme NBN EN ISO/IEC mais aussi aux exigences des normes qui la complètent, à savoir : - ISO/IEC TS pour les organismes de certification procédant à l audit et à la certification des systèmes de management ; - ISO TS pour les organismes de certification procédant à l audit et à la certification des systèmes de management de la sécurité des denrées alimentaires (FSMS); - ISO/IEC TS pour les organismes procédant à l audit et à la certification des systèmes de management de la sécurité de l information ; - ISO/IEC TS pour les organismes qui procèdent à l audit et à la cetification des systèmes de management environnemental. En complément, BELAC se doit de mettre en œuvre les lignes directrices obligatoires développées par IAF, et ce conformément aux dispositions régissant les accords de reconnaissance de IAF. Le présent document a pour objet de récapituler et présenter ces lignes directrices Références normatives ISO/IEC 17021:2011 IAF MD1:2007: IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling (Issue 1, version 2, issued on 20 November 2007; Application from 15 September 2008) IAF MD2:2007: IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (Issue 1, version 2, issued on 20 November 2007; Application from 15 September 2008) IAF MD3:2008: IAF Mandatory Document for Advanced Surveillance and Recertification Procedures (Issue 1, issued on 1 February 2008; Application from 15 September 2008) BELAC Rev /61

6 IAF MD4:2008: IAF Mandatory document for computer assisted auditing techniques (CAAT) (Issue 1, issued on 15 May 2008; Application from 15 September 2008) IAF MD5:2013: IAF Mandatory document for duration of QMS and EMS audits (Issue 2, issued on 4 March 2013; Application date: immediate) IAF ID 1 :2010 : QMS Scopes of accreditation issue 1 IAF MD9:2011: IAF Mandatory Document for the Application of ISO/IEC in Medical Device Quality Management Systems (ISO 13485) (Issue 1, version 2, issued on 15 July 2011; Application from 15 July 2012) IAF MD 10:2013: IAF Mandatory Document for Assessment of Certification Body Management of Competence in Accordance with ISO/IEC 17021:2011 (Issue 1, issued 11 February 2013 Application Date 11 February 2014) IAF MD11: 2013: IAF Mandatory Document for the Application of ISO/IEC for audits of Integrated Management Systems (Issue 1, issued on 25 March 2013; Application date: immediate). 2. Destinataires Avec suivi des mises à jour : - Les membres de la Commission de Coordination - Les membres du Bureau d accréditation - Le Secrétariat Accréditation - Les auditeurs pour l évaluation des organismes de certification de systèmes de management - Les organismes de certification de systèmes de management accrédités Sans suivi des mises à jour : - Tout demandeur BELAC Rev /61

7 PARTIE II : LIGNES DIRECTRICES IAF OBLIGATOIRES Le contenu des documents obligatoires (mandatory documents) est intégralement repris ciaprès dans la version originale en anglais. Les références à la norme ISO/IEC :2006 ont toutefois été remplacées par ISO/IEC sans mention de l année Pour tous les documents obligatoires la disposition suivante est d application: «The term should is used in these chapters to indicate recognised means of meeting the requirements of the standard. A Conformity Assessment Body (CAB) can meet these in an equivalent way provided this can be demonstrated to an Accreditation Body (AB). The term shall is used in this document to indicate those provisions which, reflecting the requirements of the relevant standard, are mandatory 1. LIGNES DIRECTRICES OBLIGATOIRES POUR LES DURÉES D'AUDITS QMS ET EMS Copie intégrale du contenu du document IAF MD-5:2013: IAF Mandatory document for duration of QMS and EMS audits (Issue 2, issued on 4 March 2013; Application date : immediate) : This document is mandatory for the consistent application of Clause of ISO/IEC 17021:2011 for audits of quality and environmental management systems and is based upon guidance previously provided in IAF GD2:2005 Annex 2 and GD6:2006 Annex 1. All clauses of ISO/IEC 17021:2006 continue to apply and this document does not supersede any of the requirements in that standard. Although personnel numbers (permanent, temporary and part time) of the client are used as the starting point when considering the audit duration, this is not the sole consideration and account shall be taken of other factors affecting audit duration. 1.0 INTRODUCTION This document provides mandatory provisions and guidance for CABs to develop their own documented procedures for determining the amount of time required for the auditing of clients of differing sizes and complexity over a broad spectrum of activities. It is intended that this will lead to consistency of audit duration between CABs, as well as between similar clients of the same CAB CABs shall identify the audit duration for the stage 1 and stage 2 initial audit, surveillance audits,and re-certification audits for each applicant and certified client This mandatory document does not stipulate minimum/maximum times but provides a framework that shall be utilized within a CAB s documented procedures to determine appropriate audit duration, taking into account the specifics of the client to be audited For accreditation purposes, it should be noted that nonconformity with this document (and/or the included tables) in individual instances does not automatically lead to nonconformity against ISO/IEC However, this situation could be grounds for further investigation into the completeness of the audit. Special consideration should be given to investigating the grounds for deviation from this mandatory document. BELAC Rev /61

8 1.0.5 If inconsistencies to this mandatory document are found on a more regular basis, this could form the basis for nonconformity against ISO/IEC on the grounds that the CAB cannot give a reasonable assurance that it gives its audit teams the time to perform a sufficiently complete audit as part of the certification process. 1.1 DEFINITIONS Audit Duration Audit duration for all types of audits is the effective time measured in auditor days required to carry out auditing activity Auditor Day The duration of an auditor day is normally 8 hours and may or may not include travel time or lunch depending upon local legislation Effective Number of Personnel The effective number of personnel consists of all full time personnel involved within the scope of certification including those working on each shift. Non-permanent (seasonal, temporary, sub-contractors and contracted personnel) and part time personnel who will be present at the time of the audit shall be included in this number Temporary Site A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site. (eg. a construction site) Complexity Category (EMS only) For environmental management systems, the provisions specified in this document are based on five primary complexity categories of the nature, number and gravity of the environmental aspects of an organization that fundamentally affect the auditor time. 1.2 APPLICATION Audit Duration Audit duration for all types of audits includes on site time at a client's premises and time spent off-site carrying out planning, document review, interacting with client personnel and report writing. It is expected that the audit duration involved in these combined activities (irrespective of whether the activities are undertaken off-site or on-site) should not typically reduce the total on-site audit duration to less than 80% of the time calculated following the methodology in Section 3. This applies to initial, surveillance and recertification audits. Where additional time is required for planning and/or report writing, this will not be justification for reducing on-site audit duration for any audit Auditor Day Tables QMS 1 and EMS 1 present audit durations calculated in auditor days on the basis of 8 hours per day. National adjustments on the number of days may be needed to comply with local legislation for travel, lunch breaks and working hours, to achieve the same total number of hours of auditing of Tables QMS 1 and EMS 1. BELAC Rev /61

9 The number of auditor days allocated shall not be reduced at the planning stages by programming longer hours per working day Effective Number of Personnel The effective number of personnel is used as a basis for the calculation of audit duration. Dependent upon the hours worked, part time personnel numbers may be reduced and converted to an equivalent number of full time personnel. Appropriate reduction should be made to the temporary unskilled personnel who may be employed in considerable numbers in some countries due to low level of technology and automation. Appropriate reduction of number of personnel also should be made where significant proportion of staff carry out a similar simple function for instance: transport, line work, assembly lines, etc. A CAB shall agree with the organization to be audited the timing of the audit which will best demonstrate the full scope of the client activities. Note: Timing of the audit to best demonstrate the full scope may include the need to audit outside normal working hours or suit the shift pattern employed. 1.3 METHODOLOGY FOR DETERMINING AUDIT DURATION The methodology used as a basis for the calculation of audit duration of an initial audit (stage 1 + stage 2) involves the interpretation of tables and figures for QMS and EMS audits respectively (see chapter 1.11 and 1.12). Chapter 1.11 (QMS) is based solely upon the effective number of personnel (see clause for guidance on the calculation of the effective number of personnel) but does not provide minimum or maximum duration. In addition to effective number of personnel, chapter 1.12 (EMS) is based also on the environmental complexity of the organization and does not provide minimum or maximum duration Using a suitable multiplier, the same tables and figures may be used as the base for calculating audit duration for surveillance audits (clause 5) and recertification audits (clause 6) The CAB shall have procedures that provide for the allocation of adequate time for auditing of relevant processes of the client. Experience has shown that apart from the number of personnel, the time required to carry out an effective audit depends upon other factors for both QMS and EMS. These factors are explored in more depth in clause This mandatory document lists the provisions which should be considered when establishing the amount of time needed to perform an audit. These and other factors need to be examined during the CAB s contract review process for their potential impact on the audit duration regardless of the type of audit. Therefore the relevant tables, figures and diagrams for both QMS and EMS which demonstrate the relationship between effective number of personnel and complexity, cannot be used in isolation. These tables and figures provide the framework for further audit planning and for making adjustments to audit duration for all types of audits For QMS audits, Figure QMS 1 provides a visual guide to making adjustments from the basic audit times and provides the framework for a process that should be used for audit planning by identifying a starting point based on the total effective number of personnel for all shifts. Where product or service realization processes operate on a shift basis, the extent of BELAC Rev /61

10 auditing of each shift by the CAB depends on the processes done on each shift, and the level of control of each shift that is demonstrated by the client. The justification for not auditing each shift shall be documented For an EMS audit it is appropriate to base audit duration on the effective number of personnel of the organization and the nature, number and gravity of the environmental aspects of the typical organization in that industry sector. The audit duration should then be adjusted based on any significant factors that uniquely apply to the organization to be audited. The CAB should exercise discretion to ensure that any variation in audit duration does not lead to a compromise on the effectiveness of audits. Where product or service realization processes operate on a shift basis, the extent of auditing of each shift by the CAB depends on the processes done on each shift, and the level of control of each shift that is demonstrated by the client. The justification for not auditing each shift shall be documented The starting point for determining audit duration shall be identified based on the effective number of personnel, then adjusted for the significant factors applying to the client to be audited, and attributing to each factor an additive or subtractive weighting to modify the base figure. In every situation the basis for the establishment of audit duration including adjustments made shall be recorded Audit duration determinations using the tables or figures in chapters 1.11 and 1.12 shall not include the time of auditors-in-training or the time of technical experts The reduction of audit duration shall not exceed 30% of the times established from Tables QMS 1 or EMS 1. Note: Clause may not apply to the situations described in IAF MD1 for the individual sites in multi-site operations where sampling of sites is permitted. In this situation a limited number of processes are present in such sites and the implementation of all relevant requirements of the management system standard(s) can be verified. 1.4 INITIAL AUDIT DURATION (STAGE 1 PLUS STAGE 2) Audit duration involved in combined off-site activities (clause 1.2.1) should not reduce the total on-site audit duration to less than 80% of the time calculated following the methodology in section 1.3. Where additional time is required for planning and/or report writing, this will not be justification for reducing on-site audit duration Table QMS 1 and Figure QMS 1 and Tables EMS 1 and EMS 2 provide a starting point for estimating the duration of an initial audit (Stage 1 + Stage 2) for QMS and EMS audits respectively. For each client, the CAB shall determine the time needed to plan and accomplish a complete and effective audit of the client s management system. The audit time determined by the certification body and the justification for the determination shall be recorded. Where a CAB has applied a reduction or an increase to the times established in Tables QMS 1 or EMS 1, it shall make the justification available to their Accreditation Body for review during Accreditation Body assessments and on request from the Accreditation Body Certification audit duration may include remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the client s processes (see IAF MD4). These activities shall be identified in the audit plan, and the BELAC Rev /61

11 time spent on these activities may be considered as contributing to the total on-site audit duration. If the CAB plans an audit for which the remote auditing activities represent more than 30% of the planned on-site audit duration, the CAB shall justify the audit plan and maintain the records of this justification which shall be available to an Accreditation Body for review. It is unlikely that the remote auditing activities represent more than 50% of the total on-site auditor time. NOTES: 1. On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization s premises. 2. Regardless of the remote auditing techniques used, the client organization shall be physically visited at least annually. 3. It is unlikely that duration of a Stage 2 audit will be less than one (1) auditor/day. 1.5 SURVEILLANCE During the initial three year certification cycle, surveillance audit duration for a given organization should be proportional to the time spent on initial certification audit (stage 1 + stage 2), with the total amount of time spent annually on surveillance being about 1/3 of the time spent on the initial certification audit. An update of client data related to certification shall be available for the planning of each surveillance audit. The planned surveillance audit duration shall be reviewed from time-to-time, at least at every surveillance audit and always at the time of recertification, to take into account changes in the organization, system maturity, etc. The evidence of review including any adjustments to audit duration shall be recorded. 1.6 RECERTIFICATION The duration of the recertification audit should be calculated on the basis of the updated information of the client and is normally approximately 2/3 of the time that would be required for an initial certification audit (Stage 1 + Stage 2) of the organization if such an initial audit were to be carried out at the time of recertification (i.e. not 2/3 of the original initial certification audit duration). The audit duration shall take account of the outcome of the review of system performance (ISO/IEC cl ). The review of system performance does not itself form part of the audit duration for recertification audits. 1.7 INDIVIDUALIZED SECOND AND SUBSEQUENT CERTIFICATION CYCLES For the second and subsequent certification cycles, the CAB may choose to design an individualized surveillance and recertification program (see IAF MD3 for Advanced Surveillance and Recertification Procedures ASRP). If an ASRP approach is not chosen the audit duration should be calculated as indicated in clauses 5 and FACTORS FOR ADJUSTMENTS OF AUDIT DURATION (QMS AND EMS) The additional factors that need to be considered include but are not limited to: Increase in audit duration: BELAC Rev /61

12 Complicated logistics involving more than one building or location where work is carried out. e.g., a separate Design Centre must be audited; Staff speaking in more than one language (requiring interpreter(s) or preventing individual auditors from working independently); Very large site for the number of personnel (e.g., a forest); High degree of regulation (e.g. food, drugs, aerospace, nuclear power etc); System covers highly complex processes or relatively high number of unique activities; Activities that require visiting temporary sites to confirm the activities of the permanent site(s) whose management system is subject to certification. Increases in audit duration for EMS only o Higher sensitivity of receiving environment compared to typical location for the industry sector; o Views of interested parties; o Indirect aspects necessitating increase in auditor time; o Additional or unusual environmental aspects or regulated conditions for the sector. Decrease in audit duration: o Client is not "design responsible" or other standard elements are not covered in the scope (QMS only); o Very small site for number of personnel (e.g. office complex only); o Maturity of management system; o Prior knowledge of the client management system (e.g., already certified to another standard by the same CAB); o Client preparedness for certification (e.g., already certified or recognized by another 3 rd party scheme); o Low complexity activities, e.g. processes involve a single generic activity (e.g., Service only); Identical activities performed on all shifts with appropriate evidence of equivalent performance on all shifts based on prior audits (internal audits and CAB audits); Where a significant proportion of staff carry out a similar simple function. Note: For EMS, low complexity processes are captured in Table EMS 1. o Where staff include a number of people who work off location e.g. salespersons, drivers, service personnel, etc. and it is possible to substantially audit compliance of their activities with the system through review of records. All attributes of the client s system, processes, and products/services should be considered and a fair adjustment made for those factors that could justify more or less auditor time for an effective audit. Additive factors may be off-set by subtractive factors. Note: Additional factors to consider when calculating the duration of audits of integrated management systems are addressed in IAF MD TEMPORARY SITES In situations where the certification applicant or certified client provides their product(s) or service(s) at temporary sites, such sites shall be incorporated into the audit programmes. BELAC Rev /61

13 1.9.2 Temporary sites could range from major project management sites to minor service/installation sites. The need to visit such sites and the extent of sampling should be based on an evaluation of the risks of the failure of the QMS to control product or service output or the EMS to control environmental aspects and impacts associated with the client's operations. The sample of sites selected should represent the range of the client s competency needs and service variations having given consideration to sizes and types of activities, and the various stages of projects in progress and associated environmental aspects and impacts Typically on-site audits of temporary sites would be performed. However, the following methods could be considered as alternatives to replace some on-site audits: Interviews or progress meetings with the client and/or its customer in person or by teleconference; Document review of temporary site activities; Remote access to electronic site(s) that contains records or other information that is relevant to the assessment of the management system and the temporary site(s); Use of video and teleconference and other technology that enable effective auditing to be conducted remotely In each case, the method of audit should be fully documented and justified in terms of its effectiveness MULTI-SITE AUDIT DURATION In the case of multi-site audits, the starting point for calculating audit duration for each site shall be consistent with Table QMS 1, and Figure QMS 1 for quality management systems and Table EMS 1 for environmental management systems. However reductions can be made taking into account situations where certain management system processes are not relevant to the site and are the primary responsibility of the controlling site Requirements for multi-site audits are covered in more detail in IAF MD 1 for certification of multiple sites based on sampling. In this case, MD1 shall be used to select sites to be sampled prior to applying MD 5 to each selected site. BELAC Rev /61

14 1.11 TABLE AND FIGURE QUALITY MANAGEMENT SYSTEMS Table QMS 1 - Quality Management Systems BELAC Rev /61

15 1.12 TABLES ENVIRONMENTAL MANAGEMENT SYSTEMS BELAC Rev /61

16 BELAC Rev /61

17 Complexity categories of environmental aspects: The provisions specified in this document are based on five primary complexity categories of the nature and gravity of the environmental aspects of an organization that fundamentally affect the auditor time. These are: High environmental aspects with significant nature and gravity (typically manufacturing or processing type organizations with significant impacts in several of the environmental aspects); Medium environmental aspects with medium nature and gravity (typically manufacturing organizations with significant impacts in some of the environmental aspects); Low - environmental aspects with low nature and gravity (typically organizations of an assembly type environment with few significant aspects); Limited environmental aspects with limited nature and gravity (typically organizations of an office type environment); Special these require additional and unique consideration at the audit planning stage. Table EMS 1 covers the above four top complexity categories: high, medium, low and limited. Table EMS 2 provides the link between the five complexity categories above and the industry sectors that would typically fall into that category. The CAB should recognise that not all organizations in a specific sector will always fall in the same complexity category. The CAB should allow flexibility in its contract review procedure to ensure that the specific activities of the organization are considered in determining the complexity category. For example, even though many businesses in the chemical sector should be classified as high complexity, an organization which would have only a mixing free from chemical reaction or emission and/or trading operation could be classified as medium or even low complexity. The CAB shall document all cases where they have lowered the complexity category for an organization in a specific sector. Table EMS 1 does not cover the special complexity category and the audit duration shall be developed and justified on an individual basis in these cases. BELAC Rev /61

18 2. LIGNES DIRECTRICES OBLIGATOIRES POUR LA CERTIFICATION MULTI- SITES PAR ÉCHANTILLONNAGE Copie intégrale du contenu du document IAF MD1:2007: IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling (Issue 1, version 2, issued on 20 November 2007; Application from 15 September 2008) : This document is mandatory for the consistent application of Clause of ISO/IEC and is based upon guidance previously provided in IAF GD2: 2005 Annex 3 and IAF GD6:2006, clause G G All clauses of ISO/IEC continue to apply and this document does not supersede any of the requirements in that standard. This mandatory document is not intended exclusively for Quality Management Systems (QMS) and Environmental Management Systems (EMS) and may be used for other management systems. However, relevant standards may provide specific requirements for multiple sites or preclude the use of sampling (e.g. ISO/IEC 27006, ISO/TS 22003). 2.0 INTRODUCTION This document is for the audit and, if appropriate, the certification of management systems in organizations with a network of sites to ensure that the audit provides adequate confidence in the conformity of the management system to the relevant standard across all sites listed and that the audit is both practical and feasible in economic and operative terms Normally initial audits for certification and subsequent surveillance and recertification audits should take place at every site of the organization that is to be covered by the certification. However, where an organization s activity subject to certification is carried out in a similar manner at different sites, all under the organization s authority and control, a certification body may put into operation appropriate procedures for sampling the sites at the initial audit and subsequent surveillance and recertification audits. This document addresses the conditions under which this is acceptable for accredited certification bodies including the calculation of sample size and audit duration This document does not apply to the audits of organizations that have multi-sites where fundamentally dissimilar processes or activities are used at the different sites, or a combination of sites, even though they may be under the same management system. The conditions under which certification bodies can make any reduction in the normal full audit of every site in these circumstances have to be justified at each site where a reduction is proposed This document is applicable to accredited certification bodies that employ sampling in their audit and certification of multi-site organizations. Nevertheless an accredited certification body may exceptionally deviate from this document under condition it is able to produce relevant justifications. These justifications shall, under evaluation by the accreditation body, demonstrate that the same level of confidence in the conformity of the management system across all the sites listed can be obtained When an organization is considered a candidate for certification based on sampling, the certification body shall have arrangements to explain the application of this document to the organization prior to the commencement of the audit. BELAC Rev /61

19 2.1 DEFINITIONS Organization The term organization is used to designate any company or other organization owning a management system subject to audit and certification Site A site is a permanent location where an organization carries out work or a service Temporary Site A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site. (eg. construction site) Additional Sites A new site or group of sites that will be added to an existing certified multi-site network Multi-site Organization A multi-site organization is defined as an organization having an identified central function (hereafter referred to as a central office but not necessarily the headquarters of the organization) at which certain activities are planned, controlled or managed and a network of local offices or branches (sites) at which such activities are fully or partially carried out APPLICATION Site A site could include all land on which activities under the control of an organization at a given location are carried out including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization s headquarters activities as well as delivery of its services. Where relevant, the certification body may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central office shall be identified and audited Temporary Site Temporary sites that are covered by the organization's management system may be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however be included within the scope of a multisite certification subject to agreement between the certification body and the client organization. Where included in the scope, such sites shall be identified as temporary. BELAC Rev /61

20 2.2.3 Multi-site Organization A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central office of the organization and be subject to a common management system, which is laid down, established and subject to continuous surveillance and internal audits by the central office. This means that the central office has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central office and the sites. Examples of possible multi-site organizations are: Organizations operating with franchises Manufacturing companies with a network of sales offices (this document would apply to the sales network) Service companies with multiple sites offering a similar service Companies with multiple branches 2.3 ELIGIBILITY OF AN ORGANIZATION FOR SAMPLING The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion under multi-site certification providing that the sites(s) which conduct the most processes, or critical processes are subject to full audit Organizations which conduct their business through linked processes in different locations are also eligible for sampling providing all other provisions of this document are met. Where processes in each location are not similar but are clearly linked, the sampling plan shall include at least one example of each process conducted by the organization (e.g. fabrication of electronic components in one location, assembly of the same components by the same company in several other locations) The organization s management system shall be under a centrally controlled and administered plan and be subject to central management review. All the relevant sites (including the central administration function) shall be subject to the organization s internal audit program and all shall have been audited in accordance with that program prior to the certification body starting its audit It shall be demonstrated that the central office of the organization has established a management system in accordance with the relevant management system standard under audit and that the whole organization meets the requirements of the standard. This shall include consideration of relevant regulations The organization should demonstrate its ability to collect and analyse data (including but not limited to the items listed below) from all sites including the central office and its authority and also demonstrate its authority and ability to initiate organizational change if required: System documentation and system changes; Management review; Complaints; Evaluation of corrective actions; BELAC Rev /61

21 Internal audit planning and evaluation of the results; Changes to aspects and associated impacts for environmental management systems (EMS) and different legal requirements Not all organizations fulfilling the definition of multi-site organization will be eligible for sampling Not all management systems standards are suitable for consideration for multisite certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules apply also for some schemes, for example those including automotive (TS 16949) and aerospace (AS 9100 series) and the requirements of such schemes shall take precedence Certification bodies should have documented procedures to restrict such sampling where site sampling is inappropriate to gain sufficient confidence in the effectiveness of the management system under audit. Such restrictions should be defined by the certification body with respect to: Scope sectors or activities (i.e. based on the assessment of risks or complexity associated with that sector or activity); Size of sites eligible for multi-site audit; Variations in the local implementation of the management system such as the need for frequent recourse to the use of plans within the management system to address different activities or different contractual or regulatory systems; Use of temporary sites that operate under the management system of the organization and which are not to be included within the scope of certification. 2.4 RESPONSIBILITY OF THE CERTIFICATION BODY The certification body shall provide information to the organization about the application of this document and the relevant management system standards before starting the audit process, and should not proceed if any of the provisions are not met. Before starting the audit process, the certification body should inform the organization that the certificate will not be issued if during an initial audit nonconformities are found Contract Review The certification body s procedures should ensure that the initial contract review identifies the complexity and scale of the activities covered by the management system subject to certification and any differences between sites as the basis for determining the level of sampling The certification body shall identify the central function of the organization with which it has a legally enforceable agreement for the provision of certification activities The certification body shall check, in each individual case, to what extent sites of an organization operate substantially the same kind of processes according to the same procedures and methods. See clause for sites which conduct fewer, but similar processes than other sites and clause for sites involving linked processes. Only after a positive examination by the certification body that all the sites proposed for inclusion in the BELAC Rev /61

22 multi-site exercise meet the eligibility provisions may the sampling procedure be applied to the individual sites If all the sites of a service organization where the activity subject to certification is performed are not ready to be submitted for certification at the same time, the organization shall be required to inform the certification body in advance of the sites that it wants to be included in the certification and those which are to be excluded Audit The certification body shall have documented procedures to deal with audits under its multi-site procedure. Such procedures shall establish the way the certification body satisfies itself that the same management system governs the activities at all the sites, is actually applied to all the sites and that all the eligibility criteria for the organization in clause 3 above are met. This requirement also applies to a management system where electronic documents, process control or other electronic processes are used. The certification body shall justify and record the rationale for proceeding with a multi-site approach If more than one audit team is involved in the audit or surveillance of the network, the certification body should designate a unique audit leader whose responsibility is to consolidate the findings from all the audit teams and to produce a synthesis report Nonconformities When nonconformities, as defined in ISO/IEC clause (b), are found at any individual site, either through the organization s internal auditing or from auditing by the certification body, investigation should take place to determine whether the other sites may be affected. Therefore, the certification body should require the organization to review the nonconformities to determine whether they indicate an overall system deficiency applicable to other sites or not. If they are found to do so, corrective action should be performed and verified both at the central office and at the individual affected sites. If they are found not to do so, the organization should be able to demonstrate to the certification body the justification for limiting its follow-up corrective action The certification body shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established At the time of the decision making process, if any site has a nonconformity, as defined in ISO/IEC clause (b), certification shall be denied to the whole network of listed sites pending satisfactory corrective action It shall not be admissible that, in order to overcome the obstacle raised by the existence of a non conformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process. Such exclusion can only be agreed in advance (See clause ). BELAC Rev /61

23 Certification Documents Certification documents can be issued covering multiple sites provided that each site included in the scope of certification has either been individually audited by the certification body or audited using the sample approach outlined in this document The certification body shall provide certification documents to the certified client by any means it chooses. Such certification documents shall comply in all respects with ISO/IEC These documents shall contain the name and address of the central office of the organization and a list of all the sites to which the certification documents relate. The scope or other reference on these documents shall make clear that the certified activities are performed by the network of sites on the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all the sites shall be clearly stated. Where temporary sites are included in the scope, such sites shall be identified as temporary in the certification documents Certification documents may be issued to the organization for each site covered by the certification under condition that they contain the same scope, or a sub-scope of that scope, and include a clear reference to the main certification documents The certification documentation will be withdrawn in its entirety, if the central office or any of the sites does not fulfil the necessary provisions for the maintenance of the certification The list of sites shall be kept updated by the certification body. To this effect, the certification body shall request the organization to inform it about the closure of any of the sites covered by the certification. Failure to provide such information will be considered by the certification body as a misuse of the certification, and it should act consequently according to its procedures Additional sites can be added to an existing certification as the result of surveillance or recertification activities or enhancement of scope. The certification body shall have documented procedures for the addition of new sites. 2.5 SAMPLING Methodology The sample should be partly selective based on the factors set out below and partly non-selective, and should result in a representative range of different sites being selected, without excluding the random element of sampling At least 25% of the sample should be selected at random Taking into account the provisions mentioned below, the remainder should be selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible. BELAC Rev /61

24 The site selection may include among others the following aspects: Results of internal site audits and management reviews or previous certification audits; Records of complaints and other relevant aspects of corrective and preventive action; Significant variations in the size of the sites; Variations in shift patterns and work procedures; Complexity of the management system and processes conducted at the sites; Modifications since the last certification audit; Maturity of the management system and knowledge of the organization; Environmental issues and extent of aspects and associated impacts for environmental (EMS) management systems; Differences in culture, language and regulatory requirements; Geographical dispersion This selection does not have to be done at the start of the audit process. It can also be done once the audit at the central office has been completed. In any case, the central office shall be informed of the sites to be included in the sample. This can be on relatively short notice, but should allow adequate time for preparation for the audit Size of Sample The certification body shall have a documented procedure for determining the sample to be taken when auditing sites as part of the audits and certification of a multi-site organization. This should take into account all the factors described in this document The certification body shall have records on each application of multi-site sampling justifying it is operating in accordance with this document The following calculation is an example based on the example of a low to medium risk activity with less than 50 employees at each site. The minimum number of sites to be visited per audit is: Initial audit: the size of the sample should be the square root of the number of remote sites: (y=mx), rounded to the upper whole number. Surveillance audit: the size of the annual sample should be the square root of the number of remote sites with 0.6 as a coefficient (y=0.6 Mx), rounded to the upper whole number. Re-certification audit: the size of the sample should be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over a period of three years, the size of the sample could be reduced by a factor 0.8, i.e.: (y=0.8 Mx), rounded to the upper whole number The certification body should define within its management system the risk levels of activities as applied above The central office shall be audited during every initial certification and recertification audit and at least annually as part of surveillance The size or frequency of the sample should be increased where the certification body s risk analysis of the activity covered by the management system subject to certification indicates special circumstances in respect of factors such as: BELAC Rev /61

25 The size of the sites and number of employees (e.g. more than 50 employees on a site); The complexity or risk level of the activity and of the management system; Variations in working practices (e.g. shift working); Variations in activities undertaken; Significance and extent of aspects and associated impacts for environmental management systems (EMS); Records of complaints and other relevant aspects of corrective and preventive action; Any multinational aspects; Results of internal audits and management review When the organization has a hierarchical system of branches (e.g. head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level. Example: 1 head office: visited at each audit cycle (initial or surveillance or recertification) 4 National offices: sample = 2: minimum 1 at random 27 regional offices: sample = 6: minimum 2 at random 1700 local branches: sample = 42: minimum 11 at random Audit Times The audit time to spend for each individual site is another important element to consider, and the certification body shall be prepared to justify the time spent on multisite audits in terms of its overall policy for allocation of audit time The number of man-days per site, including the central office, should be calculated for each site using the most recently published IAF document for the calculation of mandays for the relevant standard Reductions can be applied to take into account the clauses that are not relevant to the central office and/or the local sites. Reasons for the justification of such reductions shall be recorded by the certification body. Note: Sites which carry out the most or critical processes are not subject to reductions (clause 3.1.1) The total time expended on initial assessment and surveillance is the total sum of the time spent at each site plus the central office and should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site) Additional Sites On the application of a new group of sites to join an already certified multi-site network, each new group of sites should be considered as an independent set for the determination of the sample size. After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for future surveillance or recertification audits. BELAC Rev /61

26 3. LIGNES DIRECTRICES OBLIGATOIRES POUR LE TRANSFERT D UNE CERTIFICATION SOUS ACCRÉDITATION Copie intégrale du contenu du document IAF MD2:2007: IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems (Issue 1, version 2, issued on 20 November 2007; Application from 15 September 2008) This document is mandatory for the consistent application of Clause of ISO/IEC and is based upon guidance previously provided in IAF GD2: 2005 Annex 4 and IAF GD6:2006 Annex 2. All clauses of ISO/IEC continue to apply and this document does not supersede any of the requirements in that standard. This mandatory document is not intended exclusively for Quality Management Systems (QMS) and Environmental Management Systems (EMS) and may be used for other management systems. 3.0 INTRODUCTION This document provides normative criteria on the transfer of accredited management system certification between certification bodies. The criteria may also be applicable in the case of acquisitions of certification bodies accredited by an IAF MLA signatory The objective of this document is to assure the maintenance of the integrity of accredited management system certifications issued by one certification body if subsequently transferred to another such body The document provides minimum criteria for the transfer of certification. Certification bodies may implement procedures or actions which are more stringent than those contained herein provided that a client organization's freedom to choose a certification body is not unduly or unfairly constrained. 3.1 DEFINITION Transfer of Certification The transfer of certification is defined as the recognition of an existing and valid management system certification, granted by one accredited certification body, (hereinafter referred to as the issuing certification body ), by another accredited certification body, (hereinafter referred to as the accepting certification body ) for the purpose of issuing its own certification. Note: Multiple certification, (concurrent certification by more than one certification body), does not fall under the definition above, and is not encouraged by IAF MINIMUM REQUIREMENTS Accreditation Only certifications which are covered by an accreditation of an IAF MLA signatory shall be eligible for transfer. Organizations holding certifications that are not covered by such accreditations shall be treated as new clients. BELAC Rev /61

27 Pre-Transfer Review A competent person from the accepting certification body shall carry out a review of the certification of the prospective client. This review shall be conducted by means of a documentation review and should, normally, include a visit to the prospective client. Reasons for not conducting a visit shall be fully justified and documented and a visit shall be conducted if no contact can be made with the issuing certification body. The review should cover the following aspects and its findings shall be fully documented: (i) confirmation that the client s certified activities fall within the accredited scope of the accepting certification body; (ii) the reasons for seeking a transfer; (iii) that the site or sites wishing to transfer certification hold an accredited certification that is valid in terms of authenticity, duration and scope of activities covered by the management system certification. If practical, the validity of certification and the status of outstanding nonconformities should be verified with the issuing certification body unless it has ceased trading. Where it has not been possible to communicate with the issuing certification body, the accepting certification body shall record the reasons; (iv). A consideration of the last certification or recertification audit reports, subsequent surveillance reports and any outstanding nonconformities that may arise from them. This consideration shall also include any other available, relevant documentation regarding the certification process i.e. handwritten notes, checklists. If the last certification, recertification or subsequent surveillance audit reports are not made available or if the surveillance audit is overdue then the organisation shall be treated a a new client; (v) complaints received and action taken; (vi) the stage in the current certification cycle. See Clause of this document; (vii) any current engagement by the organisation with regulatory bodies in respect of legal compliance Certification Normally, only valid accredited certification should be transferred. In cases where certification has been granted by a certification body which has ceased trading or whose accreditation has expired, been suspended or withdrawn, the accepting certification body may consider such a certification for transfer at its discretion. In such cases, before it proceeds with the transfer, the accepting certification body shall obtain agreement from the accreditation body, whose mark it intends to place on the certificate. In the case of acquisitions the acquiring certification body should, where practical, fulfil the contractual obligations of the acquired certification body Certification which is known to have been suspended or under threat of suspension shall not be accepted for transfer. If the accepting certification body has not been able to verify the status of the certification with the issuing certification body, the organisation shall be required to confirm that the certificate is not suspended or under threat of suspension Outstanding nonconformities should be closed out, if practical, with the issuing certification body, before transfer. Otherwise they shall be closed out by the accepting certification body. BELAC Rev /61

28 If no further outstanding or potential problems are identified by the pre-transfer review a certification may be issued following the normal decision making process. The programme of ongoing surveillance should be based on the previous certification regime unless the accepting certification body has conducted an initial or recertification audit as a result of the review Where doubt continues to exist, after the pre-transfer review, as to the adequacy of a current or previously held certification, the accepting certification body shall, depending upon the extent of doubt, either: - treat the applicant as a new client or - conduct an audit concentrating on identified problem areas. The decision as to the action required will depend upon the nature and extent of any problems found and shall be explained to the organization and the justification for the decision shall be documented and the records maintained by the certification body. BELAC Rev /61

29 4. LIGNES DIRECTRICES/ OBLIGATOIRES POUR LES PROCÉDURES AVANCÉES DE SURVEILLANCE ET DE RENOUVELLEMENT (ASRP) (ISO 9001 ISO 14001) Copie intégrale du contenu du document IAF MD3:2008: IAF Mandatory Document for Advanced Surveillance and Recertification Procedures (Issue 1, issued on 1 February 2008; Application from 15 September 2008) This document provides normative criteria for advanced surveillance and recertification procedures (ASRP) for consistent application of clause of ISO/IEC for determining subsequent adjustments to the audit program. This document addresses only Quality Management Systems (QMS) and Environmental Managements Systems (EMS), in which IAF members have had experience of implementing ASRP or its predecessor methodologies. The use of ASRP is not mandatory, but if an accreditation body wishes to permit their accredited certification body and its client(s) to opt for the use of ASRP, it is a requirement of IAF that the certification body and its client(s) conform to this document and be able to demonstrate conformity to the accreditation body INTRODUCTION For a client organization that has established confidence in its management system (QMS and/or EMS) by consistently demonstrating effectiveness over a period of time, the certification body, in consultation with the organization, may choose to apply the Advanced Surveillance and Recertification Procedures (ASRP) provided for in this document. Such an advanced surveillance and recertification program may place greater (but not total) reliance on the organization s internal audit and management review processes, include targeted surveillance topics, take into account specific design input from the organization and/or use other methods as appropriate, to demonstrate conformity of the management system The objective of this document is to assure the provision of more effective and efficient audits to organizations that have a proven performance record while at the same time maintaining the integrity of the accredited management system certificates they hold This document states minimum requirements for the application of the ASRP. Certification bodies may implement procedures or actions which are more stringent than those contained herein provided that an organization's justifiable request for the ASRP is not unduly or unfairly constrained MINIMUM REQUIREMENTS Prerequisite In order to utilize the ASRP, the certification body shall first demonstrate to an IAF MLA signatory accreditation body: a) That it has been operating an accredited certification scheme for the relevant management system (QMS and/or EMS) for a minimum of one complete accreditation cycle; b) That it is competent to design an ASRP program for each individual organization in the relevant management system (QMS and/or EMS), in accordance with the requirements of ISO 9001:2000 clause 7.3 and using the design input criteria mentioned in clause below. BELAC Rev /61

30 NOTE: Reference is made here to ISO 9001 since this specifies the requirements for the certification body to design a program for ASRP regardless of whether it is operating certification of QMS or EMS Accreditation Scope The competence of the certification body to meet clause 1.1 (b) above shall be assessed by the accreditation body after which, if successful, specific reference to the approval for ASRP for QMS and/or EMS, as appropriate, shall be included in the certification body s accreditation scope Eligibility and Design Input Criteria The certification body shall inform the accreditation body prior to every new utilization of ASRP for each specific organization, and shall be able to demonstrate that the following criteria in clauses and have been satisfied: Eligibility Criteria a) The certification body shall confirm that the organization s management system has been in demonstrated conformity with the requirements of the applicable standard(s) for a period of at least one complete certification cycle including initial, surveillance and recertification audits. NOTE: The certification body may base this confirmation of demonstrated conformity on the outcome of the first recertification audit (non-asrp) of the organization conducted at the end of a three-year certification cycle. b) All nonconformities raised during the certification cycle immediately prior to the utilization of ASRP shall have been successfully resolved. c) For an EMS, the certification body shall confirm that the organization has established compliance with applicable legal requirements and has not had any sanctions imposed by the relevant regulatory authority(ies) for the period of a) above. d) The certification body shall have agreed suitable performance indicators with the organization, on which to judge the ongoing effectiveness of the management system, and shall ensure that the organization is consistently meeting agreed performance targets. (i) For a QMS, these performance indicators shall address, as a minimum, the organization s demonstrated ability to consistently provide product that meets customer and applicable regulatory requirements (see ISO 9001:2000 clause 1.1), and shall incorporate requirements for the continual improvement of the effectiveness of the QMS. NOTE: For a QMS, indicator means the characteristic to be measured and target means the quantitative/qualitative requirements to be met. (ii) For an EMS, these performance indicators shall address, as a minimum, the organization s demonstrated ability to achieve its environmental policy, objectives and targets and comply with applicable legal and other requirements related to its environmental aspects (see ISO 14001:2004 clause 4.3.2), and shall incorporate requirements for the continual improvement and prevention of pollution. BELAC Rev /61

31 NOTE: For an EMS, indicator means the characteristic to be measured and target used in the context of performance target means the quantitative/qualitative requirements to be met, which is considered to be identical with environmental target as defined in ISO e) The certification body shall have enforceable arrangements with the organization to provide for access to relevant information. For a QMS, this information is all customer satisfaction data collected or otherwise available. For an EMS, this information is all relevant communication from external interested parties, and in particular the relevant regulatory authority(ies). When it becomes necessary for the certification body to communicate directly with the source of such information in order to validate the information, mutually agreed confidentiality policies and procedures shall be applied. f) The certification body shall verify that the organization s internal audit process is being managed in accordance with the guidance of ISO 19011, with particular reference to auditor competence defined in clause 7. The internal audit process shall be sufficiently coordinated and integrated so as to provide an evaluation of the management system as a whole, not only the performance of individual components. g) The certification body shall have contractually enforceable arrangements to enable it to increase the scope, frequency and duration of its audits in the event of a deterioration of the organization s ability to meet agreed performance targets Design Input Criteria In addition to organization-specific input criteria, the design of each individual ASRP shall address the following: a) The frequency and duration of the certification body audits shall be sufficient to allow the certification body to conform with this criteria document including the following b) and c), among others. For each proposed utilization of ASRP, the certification body shall determine the base level (non-asrp) auditor time using relevant IAF Guidance or Normative Criteria Documents, and, if applicable, IAF NCD Z for sampling of multi-sites. If the certification body plans an individual ASRP program that reduces the auditor time to less than 70% of this base-level, the certification body shall justify such reductions and seek specific approval from the accreditation body prior to its implementation. NOTE: IAF Mandatory Documents applicable to auditor time for QMS and EMS are under development. Until such documents become available, Annex 2 of IAF GD2 (and, where applicable, Annex 3) and Annex 1 of IAF GD6 (and, where applicable, clause G5.3.6) should continue to be applied to define the total audit time (Phase 1 + Phase 2). b) In addition to auditing a statistically significant number of samples of the organization s management system processes to confirm the adequacy and effectiveness of the internal audit process, the certification body itself shall continue to carry out the following activities at each on-site surveillance and recertification audit, as a minimum (with other activities defined by the ASRP; see clause 1.4 below): - interview top management and the management representative; - evaluate management review inputs and outputs, including a verification of the organization s ability to meet the agreed performance targets; BELAC Rev /61

32 - review the internal audit process, including the procedures and records of internal audits, and the competence of internal auditors; - review corrective and preventive actions plans, and verify their effective implementation. c) The certification body shall ensure that all the requirements for accredited certification (including the requirements of ISO/IEC and any applicable sector scheme) continue to be met Design Output The design output for each application of the certification body s ASRP program shall include the following (a) (f): a) The extent to which the certification body will utilize the organization s internal audit and management review processes to complement the certification body s activities; b) Criteria for witnessing the organization s internal audits, including sampling of both auditors and processes to be audited; c) Criteria for accepting and monitoring the competence of the organization s internal auditors and the method of reporting internal audit results; d) Criteria for ongoing adjustments to the audit program, taking into account the organization s demonstrated ability over time to meet the agreed performance targets; e) The components of the management system that will necessarily be audited by the certification body at each surveillance and recertification audit (see clause b); f) Specific competence criteria for certification body auditors and, where applicable, for technical experts Certificates The certification body shall not differentiate between ASRP and non-asrp methodologies on the certificates it issues. BELAC Rev /61

33 5. LIGNES DIRECTRICES OBLIGATOIRES POUR L UTILISATION DE TECHNIQUES D AUDIT ASSISTÉES PAR ORDINATEUR («TAAO») Copie intégrale du contenu du document IAF MD4:2008: IAF Mandatory document for computer assisted auditing techniques (CAAT) (Issue 1, issued on 15 May 2008; Application from 15 September 2008) This document is mandatory for the consistent application of ISO/IEC when computer assisted auditing techniques are used as part of the audit methodology. The use of CAAT is not mandatory, but if a certification body and its client opt to use CAAT, it is mandatory that they conform to this document and are able to demonstrate conformity to the accreditation body. 5.0 INTRODUCTION As information and communication technologies become ever-more sophisticated, it is important for certification bodies to be able to use Computer Assisted Auditing Techniques to enhance audit effectiveness and efficiency, and to support and maintain the integrity of the audit process. NOTE: Guidance on the use of Computer Assisted Auditing Techniques can be obtained from the website of the ISO/IAF Auditing Practices Group Such Computer Assisted Auditing Techniques ( CAAT ) may include, for example: - Teleconferencing, - Web meetings, - Interactive web-based communications, - Remote electronic access to the management system documentation and/or management system processes The objectives for the effective application of CAAT are: a) To provide a methodology that is sufficiently flexible and non-prescriptive in nature to satisfy the needs of industry, by allowing client organizations and their respective certification bodies to use CAAT to enhance the conventional audit process, and b) To ensure that adequate controls are in place with sufficient accreditation body oversight to avoid abuses and to prevent excessive commercial pressures that could compromise the integrity of the certification process. 5.1 REQUIREMENTS Confidentiality In accordance with ISO/IEC 17021, clause 8.5.1, the security and confidentiality of electronic or electronically-transmitted information is particularly important when a certification body is using CAAT. The certification body should agree on mutually acceptable information security measures with its client before using CAAT. BELAC Rev /61

34 5.1.2 Process requirements In addition to the requirements in ISO/IEC 17021, clause 9.1.2, the audit plan shall identify any computer-assisted auditing techniques that will be utilized In addition to the requirements in ISO/IEC 17021, clause 9.1.3, when using CAAT, specific attention shall be given to the auditors ability to understand and utilize the information technologies employed by the client organization to manage its management system processes In addition to the requirements in ISO/IEC 17021, clause 9.1.4, if a certification body uses CAAT, it may be considered as partially contributing to the total onsite auditor time. If remote auditing activities represent more than 30% of the planned on-site auditor time, the certification body shall justify the audit plan and obtain specific approval from the accreditation body prior to its implementation. NOTES: 1) It is expected that this "specific approval" will initially be done on a case-by-case basis, but does not preclude a "blanket approval" from the accreditation body for the certification body to go over a 30% reduction once the certification body has demonstrated that its process is robust. 2) On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out from another of the client organization s premises In addition to the requirements in ISO/IEC 17021, clause , audit reports shall indicate the extent to which CAAT has been used in carrying out the audit, and how it contributes to audit effectiveness and efficiency In addition to the requirements in ISO/IEC 17021, clause (a) when the certification body is proposing to use CAAT for part of the audit, the application review shall include verification that the client organization has the necessary infrastructure to support this approach In addition to the requirements in ISO/IEC 17021, clause , regardless of the use of CAAT, the organization shall be physically visited at least annually In addition to the requirements in ISO/IEC 17021, clause 9.9.2, records shall indicate the extent to which CAAT has been used in carrying out the audit and certification. BELAC Rev /61

35 6. LIGNES DIRECTRICES OBLIGATOIRES POUR LES SYSTEMES DE MANAGEMENT DE LA QUALITE POUR LES DISPOSTIFS MEDICAUX Copie intégrale du contenu du document IAF MD9:2011: IAF Mandatory document for the application of ISO/IEC in Medical Device Quality Management Systems (Issue 1, version 2, issued on 15 July 2011; Application from 15 July 2011). THIS DOCUMENT IS MANDATORY FOR THE CONSISTENT APPLICATION OF ISO/IEC ALL CLAUSES OF ISO/IEC CONTINUE TO APPLY AND THIS DOCUMENT DOES NOT SUPERSEDE ANY OF THE REQUIREMENTS IN THAT STANDARD. THIS MANDATORY DOCUMENT IS EXCLUSIVELY FOR THE CERTIFICATION OF ORGANIZATION S MANAGEMENT SYSTEM TO ISO INTRODUCTION ISO/IEC is an International Standard that sets out the general requirements for bodies operating audit and certification of organizations management systems. If such bodies are to be accredited as complying with ISO/IEC with the objective of auditing and certifying Medical Device Quality Management System in accordance with ISO 13485, some additional requirements and guidance to ISO/IEC are necessary. This document follows the structure of ISO/IEC IAF specific criteria are identified by the letter MD followed with a reference number that incorporates the related requirements clause in ISO/IEC In all cases a reference in the text of this document to clause XXX refers to a clause in ISO/IEC unless otherwise specified. 6.1 SCOPE This document specifies normative criteria for CABs auditing and certifying organization s Quality Management System to ISO 13485, in addition to the requirements contained with ISO/IEC It is also appropriate as a requirements document for the peer evaluation process for the IAF Multilateral Recognition Arrangement (MLA) among accreditation bodies. 6.2 NORMATIVE REFERENCES For the purposes of this document, the normative references given in ISO/IEC and the following apply. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17021, Conformity Assessment - Requirements for bodies providing audit and certification of management systems ISO 13485, Medical devices Quality management systems Requirements for regulatory purposes ISO/TR 14969:2004, Medical devices Quality management systems Guidance on the application of ISO 13485:2003 ISO 14971:2007, Medical devices Application of risk management to medical devices The following GHTF documents should be considered for use. BELAC Rev /61

36 GHTF/SG4/N28R4:2008, Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 1: General Requirements GHTF/SG4/N30R20:2006, Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 2: Regulatory Auditing Strategy GHTF/SG4/N33R16:2007, Guidelines for Regulatory Auditing of Quality Management Systems of Medical Device Manufacturers Part 3: Regulatory Audit Reports GHTF/SG4 (00) 3:2000, Training Requirements for Auditors (Guidelines for Regulatory Auditing of Quality Systems of Medical Device Manufacturers - Part 1: General Requirements - Supplement 2) GHTF/SG4/N83:2010, Guidelines for Regulatory Auditing of Quality Management System of Medical Device Manufactures Part 4: Multiple Site Auditing GHTF/SG4/N84:2010, Guidelines for Regulatory Auditing of Quality Management System of Medical Device Manufactures Part 5: Audits of Manufacturer Control of Suppliers GHTF/SG1-N29R16:2005, Information Document Concerning the Definition of the Term "Medical Device" GHTF/SG1-N15:2006, Principles of Medical Devices Classification IAF MD5, Duration of QMS and EMS Audits 6.3 TERMS AND DEFINITIONS For the purpose of this document, the terms and definitions given in ISO/IEC 17021, ISO and the following apply. Regulatory Authority (RA) A government agency or other entity that exercises a legal right to control the use or sale of medical devices within its jurisdiction, and may take enforcement action to ensure that medical devices marketed within its jurisdiction comply with legal requirements. Note: Within the European Medical Devices Regulation the Regulatory Authority as defined above is titled Competent Authority. 6.4 PRINCIPLES General No additional principles for ISO Impartiality No additional principles for ISO Competence No additional principles for ISO Responsibility MD ISO requires the organization to comply with the statutory and regulatory requirements applicable to the safety and performance of the medical devices. The maintenance and evaluation of legal compliance is the responsibility of the client organization. The CAB is responsible for verifying that the client organization has evaluated statutory and regulatory compliance and can show that appropriate action has been taken in cases of non-compliance with relevant legislation and regulations, including the notification to the Regulatory Authority of any incidences that require reporting. BELAC Rev /61

37 6.4.5 Openness MD In order to increase the confidence from interested parties and specifically regulators that accept or take into consideration ISO accredited certification for the purpose of their recognitions, it is expected that CBs establish appropriate agreements with their clients to release audit report information to regulators that recognize ISO Confidentiality No additional principles for ISO Responsiveness to complaints No additional principles for ISO GENERAL REQUIREMENTS Legal and contractual matters Legal responsibility Certification agreement Responsibility for certification decisions Management of impartiality MD The CAB and its auditors shall be impartial and free from engagements and influences which could affect their objectivity, and in particular shall not be: a) involved in the design, manufacture, construction, marketing, installation, servicing or supply of the medical device b) involved in the design, construction, implementation or maintenance of the quality management system being audited c) an authorized representative of the client organization, nor represent the parties engaged in these activities The situations hereafter are examples where impartiality is compromised in reference to the criteria defined in a) to c): i. the auditor having a financial interest in the client organization being audited (e.g. holding stock in the organization) ii. the auditor being employed currently by a manufacturer producing medical devices iii. the auditor being a member of staff from a research or medical institute or a consultant having a commercial contract or equivalent interest with the manufacturer or manufacturers of similar medical devices. Note: Allowing a minimum period of two years to elapse following the end of the relationship is one way of reducing the threat to impartiality to an acceptable level Liability and financing BELAC Rev /61

38 6.6 STRUCTURAL REQUIREMENTS Organization structure and top management Committee for safeguarding impartiality MD The committee for safeguarding impartiality shall have access to individual(s) who have experience and knowledge related to medical devices in order to get expert opinions. 6.7 RESOURCE REQUIREMENTS Competence of management and personnel MD Management and personnel competence Where ISO/IEC Clause refers to (as relevant for the specific certification scheme) for ISO 13485, this should be understood to mean, medical devices and applicable legal requirements. All management and personnel involved in ISO certification shall meet the competency requirements of Annex B Personnel involved in the certification activities MD Auditor Each auditor shall have demonstrated competency as defined in Annex C. The CAB shall identify authorizations of its auditors/technical experts using the Technical Areas in Tables in Annex A. MD Auditor experience For a first authorization, the auditor shall comply with the following criteria, which shall be demonstrated in audits under guidance and supervision: a) have gained experience in the entire process of auditing medical devices quality management system, including review of documentation and risk management of medical devices, implementation audit and audit reporting. This experience shall have been gained by participation as a trainee in a minimum of four audits for a total of at least 20 days in an accredited QMS program, 50% of which shall be against ISO preferably in an accredited program, and the rest in an accredited QMS program; In addition to criteria a), audit team leaders shall fulfil the following: b) have experienced an audit team leader role under the supervision of a qualified team leader at least three ISO audits. MD Personnel making the certification decision The CAB shall ensure that personnel (group or individual) making the certification decision fulfil the competence in Annex B. This does not mean that each individual in the group needs to comply with all requirements, but the group as a whole shall meet the all the requirements. When the certification decision is made by an individual, the individual shall meet all the requirements Use of individual external auditors and external technical experts Personnel records BELAC Rev /61

39 6.7.5 Out sourcing 6.8 INFORMATION REQUIREMENTS Publicly accessible information MD Where it is required by law, the CAB shall provide the information about certifications granted, suspended or withdrawn to relevant Regulatory Authority Certification documents MD The CAB shall precisely document the scope of certification. The CAB shall not exclude part of processes, products or services (unless allowed by regulatory authorities) from the scope of certification when those processes, products or services have an influence on the safety and quality of products Directory of certified clients Reference to certification and use of marks Confidentiality Information exchange between a certification body and its clients Information on the certification activity and requirements Notice of changes by a certification body Notice of changes by a client 6.9 PROCESS REQUIREMENTS General requirements MD The audit team shall have the competency for the Technical Area (Annex A) for the scope of audit. MD Determining audit time The requirements from IAF Mandatory document MD5 (Duration of QMS and EMS Audit) apply except those for EMS and the table QMS 1. The Annex D, table D.1 replaces table QMS 1 and provides a starting point for estimating the duration of an initial audit (Stage 1 + Stage 2) for ISO certification. Audit duration is dependent on factors such as the audit scope, objectives and specific regulatory requirements to be audited, as well on the range, class and complexity of medical devices, and the size and complexity of the organization. When CABs are planning audits, BELAC Rev /61

40 sufficient time shall be allowed for the audit team to determine the conformity status of the client organization's quality management system with respect to the relevant regulatory requirements. Any additional time required to audit national or regional regulatory requirements and dossier reviews must be justified. Audit duration for all types of audits includes on site time at a client's premises and time spent off-site carrying out planning, document review, interacting with client personnel and report writing. It does not consider the time required for design dossier reviews, type examinations, pre-market approval audits and other similar activities. The audit duration should be adjusted to take into account the factors listed in Annex D which may increase or decrease the estimated audit time. MD Multi-site sampling Design and development and manufacturing sites cannot be sampled. MD Identifying and recording audit findings Examples of nonconformities are as follows: a) failure to address applicable requirements for quality management systems (e.g. failure to have a complaint handling or training system) b) failure to implement applicable requirements for quality management systems c) failure to implement appropriate corrective and preventative action when an investigation of post market data indicates a pattern of product defects d) products which are put onto the market and cause undue risk to patient and/or users when the device is used according to the product labelling e) the existence of products which clearly do not comply with the client s specifications and/or the regulatory requirements f) repeated nonconformities from previous audits g) an excessive number of any other nonconformities than ones shown in b) of of ISO/IEC against a particular requirement for quality management systems Initial audit and certification Application Application review Initial certification audit MD When a certification body has audited a client against a regulatory scheme that includes or goes beyond the requirements of ISO 13485, it does not need to repeat the audit for conformity with the elements of ISO previously covered, providing the certification body can demonstrate that all of the requirements of this document have been complied with. Note: Typical regulatory schemes that include or go beyond the requirements of ISO13485 are European Medical Device Directives: - Medical Device Directive (MDD) - In -Vitro Diagnostic Devices Directive (IVD) - Active Implantable Medical Devices Directive (AIMD) Other jurisdictions include: - Canada Health Canada, Canadian Medical Devices Conformity Assessment System (CMDCAS) - Australia Therapeutic Goods Administration, Therapeutic Goods Regulations BELAC Rev /61

41 Additionally other countries are adopting or considering adopting ISO into their Medical Device Regulations Stage 1 audit MD Where higher risk medical devices are concerned, the stage 1 audit should be performed onsite Stage 2 audit Initial certification audit conclusions Information for granting initial certification Surveillance activities General Surveillance audit MD In addition to requirements of Clause , the surveillance programme shall include a review of actions taken for notification of adverse events, advisory notices, and recalls Maintaining certification Recertification Recertification audit planning Recertification audit Information for granting recertification Special audits Extension to scope Short-notice audits MD Short notice audits may be required when: a) external factors apply such as: i) available post-market surveillance data known to the CAB on the subject devices indicate a possible significant deficiency in the quality management system ii) significant safety related information becoming known to the CAB BELAC Rev /61

42 b) significant changes occur which have been submitted as required by the regulations or become known to the CAB, and which could affect the decision on the client's state of compliance with the regulatory requirements. The following are examples of such changes which could be significant and relevant to the CAB when considering that a special audit is required, although none of these changes should automatically trigger a special audit: i) QMS impact and changes: New ownership Extension to manufacturing and/or design control New facility, site change Modification of the site operation involved in the manufacturing activity (e.g. relocation of the manufacturing operation to a new site or centralizing the design and/or development functions for several manufacturing sites) New processes, process changes Significant modifications to special processes (e.g. change in production from sterilization through a supplier to an on site facility or a change in the method of sterilization) QM management, personnel Modifications to the defined authority of the management representative that impact quality management system effectiveness or regulatory compliance the capability and authority to assure that only safe and effective medical devices are released ii) Product related changes: New products, categories Addition of a new device category to the manufacturing scope within the quality management system (e.g. addition of sterile single use dialysis sets to an existing scope limited to haemodialysis equipment, or the addition of magnetic resonance imaging to an existing scope limited to ultrasound equipment) iii) QMS & Product related changes: Changes in standards, regulations Post market surveillance, vigilance An unannounced or short-notice audit may also be necessary if the CAB has justifiable concerns about implementation of corrective actions or compliance with standard and regulatory requirements Suspending, withdrawing or reducing the scope of certification Appeals Complaints Records of applicants and clients 6.10 MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES BELAC Rev /61

43 Options Option 1: Management system requirements in accordance with ISO General Scope Customer focus Management review Design and development Option 2: General management requirements General Management system manual Control of documents Control of records Management review General Review inputs Review outputs Internal audits Corrective actions Preventive actions BELAC Rev /61

44 6.11 ANNEX A: (NORMATIVE) MEDICAL DEVICES TECHNICAL AREAS The CAB shall use the Technical Areas described in the tables of this Annex a) to help define the scope of certification, b) to identify if any technical qualification, including competence in sterilization processes of its auditors is necessary for that particular technical area and c) to select a suitably qualified audit team. When using technical areas other than specified in the tables, the technical areas shall be detailed. BELAC Rev /61

45 BELAC Rev /61

46 BELAC Rev /61

47 6.12 ANNEX B: (NORMATIVE) REQUIRED TYPES OF KNOWLEDGE AND SKILLS FOR PERSONNEL INVOLVED WITH THE ISO ACTIVITIES The following table specifies the type of knowledge and skills that a CAB shall define for specific functions ANNEX C: (NORMATIVE) AUDITOR QUALIFICATION, TRAINING AND EXPERIENCE C.1 Education The CAB shall ensure that auditors have the knowledge corresponding to post-secondary education or equivalent work experience. Appropriate professional areas are listed below as examples: a) biology or microbiology; b) chemistry or biochemistry; c) computer and software technology; d) electrical, electronic, mechanical or bioengineering; e) human physiology; f) medicine; BELAC Rev /61

48 g) pharmacy; h) physics or biophysics. C.2 Work Experience The CAB shall ensure that auditors have adequate experience to perform their tasks. In general, auditors shall have a minimum of four years of full-time work experience in medical device related industry, including at least two years of work experience in one or more of the following: a) closely related industries and the workplace such as research and development, manufacturing; b) the application of the device technology and its use in health care services and with patients; c) testing the devices concerned for compliance with the relevant national or international standards; d) conducting performance testing, evaluation studies or clinical trials of the devices. Exceptionally, shorter duration of experience or experience in areas other than above listed may be considered as appropriate. In such cases, the CAB shall demonstrate that the experience of the auditor is equivalent and shall record the justification for the acceptance. C.3 Auditor Competency See Annex B. C.4 Development and maintenance of competency C.4.1 Continuous Professional Development (CPD) Each auditor shall undertake CPD activities such as training, participation in scientific meetings, and selfstudy. Such activities should ensure timely awareness of new or modified regulatory requirements, policies, procedures, etc., as well as emerging technologies. Training in emerging technologies may be provided through co-operation with manufacturers developing or using the concepts. Knowledge is also gained from experience in enforcing regulatory requirements, implementing procedures, and applying policies and interpretations. It is recognised that medical device manufacturing constitutes a highly specialised, technology driven and fast evolving sector. Additionally, new regulatory requirements, standards, policies, and procedures are introduced, and existing ones are modified from time to time. Therefore, the CAB shall ensure maintenance of the knowledge and skills of the auditors appropriate to cover the scope of audits of organizations, through appropriate and timely training and encouraging CPD. C.4.2 Advanced training elements for auditors As auditors gain competence in conducting audits, advanced and specialised training is recommended. The auditor s needs, weaknesses, and desires for career development may influence specific advanced training courses selected by an auditor. Subjects suggested for advanced training include: a) Risk management, including risk analysis; b) Process validation; c) Sterilisation and related processes; d) Electronics manufacture; e) Plastics manufacturing processes; BELAC Rev /61

49 f) Development and validation of software or hardware for devices and manufacturing processes; g) In-depth knowledge of specific medical devices and/or technologies ANNEX D: (NORMATIVE) Factors used to determine the audit time a) Factors which may increase the audit duration i) Number of ranges and/or complexity of medical devices. ii) Manufacturers using suppliers to supply processes or parts that are critical to the function of the medical device and/or the safety of the user or finished products, including own label products. When the manufacturer cannot provide sufficient evidence for conformity with audit criteria, then additional time may be allowed for each supplier to be audited. iii) Manufacturers who install product on customer s premises. Note: Time may be required for customer site visits or installation records review iv) Poor regulatory compliance by the manufacturer b) Factors that may reduce the audit duration i) Reduction of the manufacturer product range since last audit ii) Reduction of the design/or production process since last audit BELAC Rev /61