General Rules for the Certification of Management Systems Code: RG




General Rules for the Certification of Management Systems Code: RG Drafted on: 1 April 2012 Effective from: 1 October 2012

TABLE OF CONTENTS

CHAPTER 1 GENERAL
CHAPTER 2 REFERENCE STANDARD / CERTIFICATION REQUIREMENTS
CHAPTER 3 INITIAL CERTIFICATION
CHAPTER 4 MAINTAINING THE VALIDITY OF THE CERTIFICATE
CHAPTER 5 RECERTIFICATION
CHAPTER 6 PERFORMANCE OF THE AUDITS
CHAPTER 7 MANAGEMENT OF CERTIFICATES OF CONFORMITY
CHAPTER 8 AMENDMENT OF CERTIFICATION AND COMMUNICATION OF MODIFICATIONS
CHAPTER 9 SPECIAL REQUIREMENTS FOR MULTI-SITE ORGANIZATIONS
CHAPTER 10 TRANSFER OF ACCREDITED CERTIFICATES
CHAPTER 11 SUSPENSION, REINSTATEMENT AND WITHDRAWAL OF CERTIFICATION
CHAPTER 12 RENUNCIATION TO CERTIFICATION
CHAPTER 13 CONTRACTUAL CONDITIONS

CHAPTER 1 GENERAL

1.1 These Rules shall describe the procedures implemented by RINA SIMTEX Certification Body for the purpose of certifying the Management Systems and how Organizations can apply for, obtain, maintain and use this certification, as well as the possible suspension and revocation of such certification. For any issues not covered by this document, reference is made to the GENERAL CONTRACTUAL CONDITIONS GOVERNING MANAGEMENT SYSTEM, PRODUCT AND STAFF CERTIFICATION, which can be downloaded at www.rina-simtex.ro.

1.2 RINA SIMTEX Certification Body shall issue the certificate in accordance with the requirements of SR EN ISO/CEI 17021 standard to Organizations whose Management System was acknowledged as complying with all the requirements of the reference standard and/or other regulatory document. For every standard relative to a Management System, RINA SIMTEX shall publish specific rules integrating the requirements of these rules.

1.3 Access to certification is open to all Organizations and is not conditional on their membership in a particular association or group. RINA SIMTEX shall apply its current certification fees and guarantee impartiality and uniformity of application. RINA SIMTEX shall be entitled not to accept requests for certification coming from Organizations that were subject to or whose production or activities were subject to restrictive, suspension or prohibition measures by a public authority. When RINA SIMTEX rejects a request, the reasons are communicated to the client.

1.4 The certificate issued by RINA SIMTEX shall pertain exclusively to a single Organization; Organization means a group, company, enterprise, body or institution, or parts and combinations thereof, whether associated or not, public or private, with its own functional and administrative structure. For Organizations with more than one operating unit, each operating unit can be defined as an Organization.
1.5 The requirements provided for in these rules shall also be applicable when the Management System certification is requested under the provisions of the General RINA SIMTEX Rules; in such case, any additional requirement for the management system must be complied with according to these rules.

1.6 The participation of observers shall be agreed in advance between RINA SIMTEX and the Organization. The Accreditation Bodies of RINA SIMTEX may require its observers to take part in the certification audits performed by RINA SIMTEX in order to ascertain whether the audit procedures adopted by RINA SIMTEX comply with the applicable standards for certification bodies. If the Organization does not allow the observers of Accreditation Bodies to participate, the certificate issued by RINA SIMTEX Certification Body shall be suspended.

1.7 The terminology used in these Certification Rules complies with SR EN ISO/CEI 17000 standard.

CHAPTER 2 REFERENCE STANDARD / CERTIFICATION REQUIREMENTS

2.1 Any Organizations wishing to obtain the RINA SIMTEX certification for their Management System must first and henceforth meet the requirements of the reference standard or the regulatory document and those indicated in the following paragraphs of this chapter, together with any additional elements provided by the accreditation bodies. During its accreditation activities, RINA SIMTEX must abide by certain reference documents issued by the Accreditation Bodies. Such documents can be obtained from RINA SIMTEX or directly from the Accreditation Bodies (by visiting their websites, for example).

2.2 In particular, in order to obtain the Management System certification, the Organization must:

2.2.1 Have implemented a Management System and kept it active and fully operational, in total compliance with the requirements of the reference standard or regulatory document. The Management System shall be deemed as being fully operational when:
- it has been implemented for at least three months;
- the internal audit process was fully implemented and its effectiveness can be demonstrated;
- at least one management review of the system was carried out and documented, the objectives and processes required to obtain results, in agreement with customer requirements and organization policy, have been defined;
- the processes were identified, monitoring and measurements of the processes and products with respect to established policies, objectives and requirements were performed and registered;
- actions for continuous process improvement were implemented.
2.2.2 Have prepared a manual:
- defining the goal/scope of the Management System, describing the main system processes and elements and their interactions and containing or referring to the relative documented procedures; the description of the processes and their interactions must be extended to all those identified by the Organization (also to outsourced processes) required to manufacture/provide a product/service that are determining as regards the capacity of the product/service to meet the applicable requirements. This can be done in various ways:
  - descriptions;
  - flow charts or logograms;
  - tables and matrices;
  - others;
- taking into consideration the requirements of the reference standard and providing a description, not necessarily detailed, of the resources and procedures used to ensure compliance with these requirements;
- containing a suitable description of the company Organization.

All the information received from the client Organization shall be treated as confidential.

2.3 The conformity of the Management System with the reference standard shall be checked by means of an audit programme comprising:
- a two-stage initial certification audit;
- a surveillance audit in the first year;
- a surveillance audit in the second year;
- a certification renewal audit in the third year.

The following shall be considered when establishing the audit programme: the size of the Organization, the scope and complexity of the Management System, the products and processes, the level of effectiveness of the Management system and the previous internal audit results, and any certificates already issued to the client or other audits already performed (e.g. second-party audits).

CHAPTER 3 INITIAL CERTIFICATION

3.1 Organizations wishing to obtain certification for their Management System must provide RINA SIMTEX Certification Body with their main organisation data and site location by filling in all the sections of the Informative Questionnaire form for quotation, available at www.rina-simtex.ro and by sending it to RINA SIMTEX, which will use it to prepare a quotation.
In particular, the informative questionnaire requires information to be provided on:
- the scope of requested certification;
- the standard(s) according to which the Organization wishes to be certified and any admissible exclusions;
- the general characteristics of the Organization;
- the number of permanent and temporary sites subject to certification, including the name and addresses of the physical location(s) and the relative activities performed;
- the company processes and relative dedicated resources;
- any relationships with other larger companies (if applicable);
- all processes outsourced by the Organization which may have an effect on the compliance with requirements;
- any certificates already obtained;
- the use of any Management System-related consultancy services.

Based on this information, RINA SIMTEX shall prepare a suitable quotation.

3.2 Prior to performing the audit, RINA SIMTEX shall make sure that:
a) there is enough information concerning the applicant Organization and its Management System to perform the audit;
b) the certification requirements are clearly established and documented and are submitted to the applicant Organization;
c) any difference of interpretation between RINA SIMTEX and the applicant Organization has been removed;
d) RINA SIMTEX has the competence and capacity to perform certification activities;

3.3 If Organizations accept the offer, they must formalize their request by submitting to RINA SIMTEX the specific form attached to the offer, indicating the reference standard and, if relevant, any other reference regulatory document according to which certification is sought. Upon receipt of the request for certification and the relative annexes and after making sure they are complete, RINA SIMTEX shall send the Organization the written acceptance of its request.

The Organization's request for certification of the Management System, which makes specific mention of these Rules and its acceptance by RINA SIMTEX, shall contractually formalise the relationship between RINA SIMTEX and the Organization, and the applicability of these Rules and the specific rules applicable to the system for which certification is sought.

The agreement concluded between RINA SIMTEX and the Organization shall include:
- the initial certification audit comprising two stages and, if the outcome of the assessment is that of granting the certification, the issue of the certificate;
- subsequent surveillance and recertification audits;
- any additional services specified in the offer.

During the initial certification audit, the Organization must demonstrate that the Management System has been fully operational for at least three months and has been effectively implementing the documented system and procedures.
3.4 Simultaneously with or following the request for certification, the Organization must make the following documents available to RINA SIMTEX:
- the Organization's Management Manual (current version) referring to the policy, objectives and programmes for the Management System;
- the list of management system procedures;
- the copy of the Chamber of Commerce registration certificate attesting the existence of the Organization and the Confirmation issued by the Trade Register or an equivalent document specifying the authorized activity/activities;
- the organisational chart;
- the latest Management Review;
- the internal audit planning;
- the list of the main laws and/or rules applicable (to the product/service provided) or required for the correct implementation of the Management System;
- the list of current sites, with a description of the activities performed there, where applicable.

RINA SIMTEX may also request to review other documents, apart from those previously mentioned, that are deemed relevant for the assessment of the Management System. RINA SIMTEX shall examine the compliance of the above documents with the reference standard and these General Rules.

The audit criteria, irrespective of stage, are:
- the reference standard;
- the Management System documentation (current version);
- the legal, regulatory and contractual requirements;
- the Regulation regarding the use of the RINA SIMTEX certification logo (except for the initial certification audit).

3.5 The initial certification audit comprises two stages:
- Audit stage 1, which can be performed:
  - partly in the RINA SIMTEX office and partly at the Organization's site or
  - entirely at the Organization's site
- Audit stage 2 at the Organization's site.

During the initial certification audit, the Organization must demonstrate that the Management System has been fully operational for at least three months and has been effectively implementing the relative documented procedures.

3.6 After RINA SIMTEX completed the initial certification audit and if the conclusion hereof was to grant the certification, then a Certificate of Conformity with the reference standard, valid for three years, shall be issued for the Management System in question. The certificate contains the name and address of the company, the address of the operative site(s) included in the certification, the scope of certification, the date of initial issue, the current date of issue and the date of expiry. The validity period of the certificate shall be conditional on the performance of the subsequent annual surveillance and three-year recertification audits of the Management System and the results thereof.
The frequency of the subsequent audits for maintaining the certification shall be established by RINA SIMTEX on a case-by-case basis by drawing up an audit plan for the three-year validity period of the certificate, which is to be submitted to the Organization. For details on the management and validity of the Certificates of Conformity issued by RINA SIMTEX, see chapter 7.

CHAPTER 4 MAINTAINING THE VALIDITY OF THE CERTIFICATE

4.1 The Organization must ensure its Management System continues to meet the requirements of the Reference Standard or the regulatory document.

4.2 The Organization must record any complaints and the relative corrective actions taken and must make these records available to RINA SIMTEX together with the corrective actions taken to address the nonconformities found during the annual audits (surveillance).

4.3 RINA SIMTEX shall conduct the annual audits of the Management System in order to assess whether it remains compliant with the requirements of the reference standard, according to the methods described in Chapter 6.

4.4 RINA SIMTEX shall also reserve the right to conduct within the Organization any additional audits to those established in the audit programme for the three-year validity period of the certificate, in the following circumstances:
- if it receives complaints or reports deemed as particularly relevant with respect to the failure of the Management System to meet the requirements of the reference standard and these General Rules;
- depending on the complexity of the modifications occurred within the Organization;
- the certification was suspended.

If the Organization rejects, without a justified reason, the performance at the deadline set of the surveillance audits and the additional audits within the time limits set, RINA SIMTEX may decide to suspend/withdraw the certification. If RINA SIMTEX deems the complaints and reports are justified, the additional audit costs shall be incurred by the Organization.

4.5 The validity of the certificate shall be confirmed following the annual surveillance audit, by the decision to maintain the certification system.

4.6 In case of major non-conformities, the Organization shall be subject to an additional audit within the time limits set by RINA SIMTEX in relation to the importance of the nonconformities and, in any case, no more than three months after the end of the audit in order to check the effectiveness of proposed corrections and relative corrective actions.
If the major nonconformities are not removed within the set term, RINA SIMTEX may suspend the certification until such major nonconformities are removed, as specified in Chapter 11. All costs relative to any additional audits arising from the shortcomings of the Management System shall be incurred by the Organization.

CHAPTER 5 RECERTIFICATION

5.1 For the recertification audit of the Management System conducted every three years, the Organization must contact RINA SIMTEX Certification Body approximately three months before the expiry date of the Certificate of Conformity (as indicated in the audit plan for the validity period of the certificate) in its possession and send the Certification Informative Questionnaire (available at www.rina-simtex.ro) in order to allow RINA SIMTEX to schedule the activity and agree on the date of the recertification audit.

5.2 The recertification audit sets out to confirm the maintenance of the conformity and effectiveness of the Management System as a whole and it is mainly based on an audit conducted on the client's site, having, in general, the same objectives as the initial certification audit stage 2.

5.3 The recertification procedure must be successfully completed before the expiry date indicated on the certificate. This date cannot be extended by RINA SIMTEX. Consequently, the recertification audit must be successfully completed at least one month before the expiry date indicated on the certificate, that is enough time to allow RINA SIMTEX Certification Body to take a decision on recertification and reissue the certificate on the date needed to ensure continuity.

If the Organization fails to meet the above deadlines and obtain the certificate before the date of expiry, the certificate must be regarded as expired as of the following day after the expiry date indicated on the certificate. Organizations intending to obtain certification following the expiry of the certificate must submit a new request and, generally, repeat the entire initial certification procedure.

5.4 In case of major nonconformities, the Organization must effectively implement the relative corrections and corrective actions before the expiry date of the Certificate of Conformity. This means that RINA SIMTEX must perform the additional audit to check whether such major nonconformities were removed enough time before the subsequent issue of the certificate. The times set within which the additional audit must be performed shall be indicated in the recertification audit report. The audit team may decide to perform the additional audit on site.
All costs relative to any additional audits arising from the shortcomings of the Management System shall be incurred by the Organization.

5.5 Following the completion of the recertification audit with the decision of recertification being taken, RINA SIMTEX shall reissue the Certificate of Conformity. The confirmation by RINA SIMTEX of recertification approval with subsequent issue of the certificate shall be submitted to the Organization in writing. For details on the management and validity of the Certificates of Conformity issued by RINA SIMTEX, see Chapter 7.

The failure to perform the recertification audit for maintaining the validity of the certificate shall oblige the Contracting Parties to conduct the surveillance audit for year 3 S3, which is charged at the same value as the surveillance audit for year 2 S2.

CHAPTER 6 PERFORMANCE OF THE AUDITS

6.1 GENERAL

6.1.1 An Audit Plan shall be drawn up for each audit according to the requirements of SR EN ISO/CEI 17021, which is submitted in due time to the client Organization. RINA SIMTEX also uses the Audit Plan to inform the Organization on the names of the auditors and technical experts appointed to perform the audit and the observers' names, selected based on the competence required to perform the audit. The Organization may object to the appointment of these auditors provided it gives a justified reason.

The audit has the following objectives:
a) Determine the compliance of the management systems with the audit criteria for the scope of certification required by the client;
b) Evaluate the ability of the management system to ensure the compliance of the client Organization with the applicable statutory, regulatory and contractual requirements;
   NOTE: A management system certification audit is not an audit of compliance with legal regulations.
c) Evaluate the effectiveness of the management system;
d) As the case may be, identify the areas for potential improvement of the management system.
e) Check the compliance with the laws and regulations applicable to the scope of certification;
f) Check that processes and procedures are documented, implemented and kept efficient so as to ensure confidence in the management system of the Organization;
g) Check traceability between the Organization's policy, objectives, targets and the outcome achieved; any inconsistencies must be reported to the Organization to enable it to take appropriate measures.

The Audit Plan indicates the tasks assigned to each auditor. The structure, policy, processes, records and documents related to the Management System must be reviewed and checked for each Organization.
6.1.2 To facilitate the performance of the audit, each auditor must be accompanied by a guide appointed by the Organization, who can have the following responsibilities:
a) establish contacts and timing for interviews;
b) arrange visits to specific parts of the site or the Organization;
c) ensure the site safety rules and security procedures are known and observed by the audit team members;
d) assist the audit on behalf of the Organization;
e) provide the clarifications or information requested by an auditor.

6.1.3 A report shall be drawn up for each audit indicating any major nonconformities, minor nonconformities and improvement recommendations. A copy of the report shall be sent to the client Organization. RINA SIMTEX shall keep the original report. The Organization may indicate any comments concerning the findings made by RINA SIMTEX auditors in the relative space in the audit report. The contents of this report shall be subsequently confirmed by RINA SIMTEX in writing. If no written communication is received by RINA SIMTEX, the report shall be deemed as confirmed 12 days after the copy was submitted to the Organization.

6.1.4 After establishing the causes for the major nonconformities identified and documented in the audit report, the Organization must inform RINA SIMTEX on its proposals for correction and corrective action required and the deadlines provided for their implementation within no more than 12 days after the date of the audit. In this respect, the Organization shall fill in the respective fields of the Nonconformity Sheets (on paper or electronic format) drawn up by the audit team members and shall submit them to the RINA SIMTEX office.

NOTES:
- Nonconformity: Failure to meet one or several requirements, a deviation from a standard.
- Major nonconformity (type A): Failure to meet one or several requirements of the reference standard applicable to the audited management system leading to a situation which raises serious doubts on the capacity of the client's management system to achieve the intended outputs.
- Minor nonconformity (type B): Failure to meet one or several requirements of the reference standard applicable to the audited management system, which has no effect on its capacity to generate the intended outputs.

6.1.5 If major nonconformities are found, the Organization shall be bound to establish and implement the appropriate corrections and corrective actions within the set period. The audit team members shall check by an additional audit conducted on the client's site within no later than 3 months after the initial audit the implementation effectiveness of the corrective/preventive actions which led to the removal of the major nonconformities. The certification decision shall only be taken by the Certification Body after all major nonconformities were removed.

The implementing effectiveness of the corrections and corrective actions to remove the minor nonconformities found in the initial certification audit shall be checked by the team of the certification body in the first surveillance audit.
In case of finding only minor nonconformities in the initial certification audit, the decision to grant the certification may be taken provided that the corrective/preventive actions for such nonconformities are appropriate. All costs relative to any additional audits arising from the shortcomings of the Management System shall be incurred by the Organization.

6.2 THE INITIAL CERTIFICATION AUDIT

The initial certification audit shall be conducted in two stages.

6.2.1 Stage 1

The initial certification audit stage 1 sets out to:
- review the Organization's Management System documents;
- review the location and special conditions of the client's site and interview the client's staff in order to establish the level of preparedness for audit stage 2;
- review the client's understanding of the standard, especially as regards the identification of key performances or significant aspects, processes, objectives and the operation of the Management System;
- obtain the necessary information concerning the scope of the Management System, the processes and the site(s) of the client, including the relative legal and regulatory aspects and the conformity with the same;
- review the allocation of resources for audit stage 2 and agree on the performance details of audit stage 2 with the client;
- plan the performance of audit stage 2, acquiring sufficient knowledge on the Management System and the activities performed at the client's office and on its secondary sites, as regards possible significant aspects;
- review whether the internal audits and management review have been planned and performed and whether the level of implementation of the Management System proves the client's preparedness for the initial certification audit stage 2.

The outcome of audit stage 1 shall be communicated to the Organization by way of submitting the audit stage 1 report which, inter alia, indicates all comments, including those that could be classified as nonconformities (major or minor) during audit stage 2 and therefore regarded as critical for obtaining the certification. The actions undertaken by the Organization to remove these findings shall be, in general, checked during the audit stage 2 referred to in paragraph 6.2.2.

Any comments classified as critical must be removed before proceeding to stage 2 on the Organization's site; if stage 1 and stage 2 are performed consecutively, stage 2 must be rescheduled and postponed. At least part of stage 1 shall be performed at the Organization's site(s).

6.2.2 Stage 2

The initial certification audit stage 2 must be performed within 6 months as of the completion of stage 1; otherwise stage 1 must be repeated. In special cases, RINA SIMTEX may decide to extend this time limit to 12 months. The initial certification audit stage 2 shall be performed at the Organization's site for the purpose of checking the effective implementation of the Management System.
Before conducting audit stage 2, RINA SIMTEX shall submit to the Organization's site(s) an audit plan giving a detailed description of the activities and requirements for conducting the audit. If the Organization carries out its activity on more than one operative site, the audit shall be conducted according to the criteria established by RINA SIMTEX and communicated to the Organization.

Audit stage 2 shall be performed by qualified RINA SIMTEX auditors, based on the findings of audit stage 1 and the following updated documents drawn up by the Organization:
- Management System policy;
- Management System manual;
- Informative Questionnaire filled in by the Organization;
- List of internal procedures;
- Management procedures and other Management System documents;
- Other specific documents for the correct and effective implementation of the Management System.

Audit stage 2 comprises the following main phases:
- an initial meeting with the representatives of the Organization in order to explain and confirm the audit objectives and the audit methods indicated in the audit plan;
- a review of the effective implementation of the corrective actions related to the findings identified during audit stage 1;
- an inspection of the production site(s) of the Organization to check the compliance of the Management System with the reference documents and the applicable legal regulations;
- a closing meeting to present the conclusion of the evaluation.

The objectives of the initial certification audit stage 2 are the following:
- information and evidence regarding the compliance with all requirements of the standard applicable to the management system or other informative documents;
- monitoring, measuring, reporting and analyzing performance against key objectives and targets (consistent with the expectations of the management system standard or other applicable regulatory documents);
- client's performance and management system in terms of compliance with the legislation;
- operational control of the client's processes;
- internal auditing and management review;
- management responsibility for the client's policies;
- links between normative requirements, policies, objectives and performance-related targets (consistent with the expectations of the management system standard or other applicable normative documents), any applicable legal requirement, responsibilities, staff competence, operations, procedures, performance data and internal audit findings.

If major nonconformities are found, an additional audit must be performed within three months for the purpose of checking the effective implementation of the corrective actions proposed. If the above period is exceeded, the Management System shall be completely reviewed within six months as of the completion date of the initial certification audit stage 2.
If the six-month period has elapsed and the Organization still has not removed the major nonconformities, RINA SIMTEX shall reserve the right to definitively close the certification file and claim the expenses incurred up to that moment. In such a case, if the Organization wishes to proceed with the RINA SIMTEX certification, it must submit a new application and repeat the certification procedure. In special cases, the above time limits may be modified at the request of the Organization, if considered justified by RINA SIMTEX.

If minor nonconformities are found in step 2, the Organization shall establish appropriate corrective actions. If, upon assessment, the corrective actions established by the Organization to remove minor nonconformities are deemed appropriate, the Certification Body shall take the decision to grant the certification. The effectiveness of the implementation of the corrective actions for the minor nonconformities found shall be checked in the first surveillance audit.

6.3 SURVEILLANCE AUDITS

6.3.1 The dates of the surveillance audits shall be agreed with the Organization, provided they are conducted at an interval of no more than 12 months. RINA SIMTEX shall perform periodic audits on the Management System in order to evaluate whether it is maintained compliant with the requirements of the reference standard, at least once every 12 months as of the certification date. The interval within which the audits must be performed shall be indicated in the three-year audit plan which is in the possession of the Organization. This programme may be modified by RINA SIMTEX according to the results of the previous surveillance audits. If the time limits for the surveillance audits are exceeded for justified reasons, this situation must be agreed with RINA SIMTEX in advance and recovered during subsequent audits. In any case, the first surveillance audit following the initial certification must be performed within 12 months as of the last day of the initial certification audit stage 2, the second surveillance audit at 24 months and the recertification at 36 months as of the final date of the initial certification audit stage 2.

6.3.2 Surveillance audits shall be performed at the Organization's site(s), according to a three-year programme which enables each item contained in the reference standard according to which the Management System was certified to be audited at least once during the three-year validity of the Certificate, taking into consideration the documents provided in paragraph 3.4.
The following targets (aspects) shall be considered during the surveillance audits:
a) internal audits and management review;
b) review of the action taken as a result of the nonconformities identified during the previous audit;
c) handling of complaints;
d) effectiveness of the Management System as regards achieving the objectives of the certified client;
e) progress of activities planned for continuous improvement;
f) continuity of operational control;
g) review of any modifications;
h) use of logos and/or any other certification reference.

The details of the activities and the instructions for performing surveillance audits on site(s) shall be described in the surveillance audit plan which RINA SIMTEX submits to the Organization before performing the audit.

6.4 RECERTIFICATION AUDITS

6.4.1 A recertification audit shall be planned and performed for the purpose of assessing whether all requirements of the management system standard or other relevant regulatory documents continue to be met. The recertification audit aims at confirming the continuous conformity and effectiveness of the management system as a whole, as well as its continuous relevance and applicability to the scope of certification. In particular, the recertification audit comprises an on-site audit aiming, inter alia, at the following aspects:
- the performance of the Management System during the certification period;
- a review of the previous surveillance audit reports.

If significant modifications were made to the Management System or to the context in which the Management System operates, it may be required to perform the audit stage 1.

The recertification audit has the following objectives:
a) the effectiveness of the Management System as a whole in the light of internal and external modifications and its continuous relevance and applicability to the scope of certification;
b) the proven commitment to maintaining the effectiveness and improving the Management System for the purpose of increasing overall performance;
c) the extent to which the activities of the Management System contribute to the achievement of the Organization's policy and objectives.

The Certification Body must take the decision to renew the certification based on the results of the certification audit and the results of the system review during the certification period and the complaints received from certification users.

CHAPTER 7 MANAGEMENT OF THE CERTIFICATES OF CONFORMITY

7.1 The Certificate of Conformity issued by RINA SIMTEX shall be valid for three years starting from the last day of the initial certification/recertification audit.

7.2 From the day RINA SIMTEX issues the certificate, this certificate and the three-year audit plan shall be made available to the Organization. The effective date of the certificate must not precede the date of the certification decision.
7.3 7.4 The certificate of conformity must identify the following:
a) name and geographical location of each client whose management system is certified (or the geographical location of the head office and any site within the scope of multi-site certification);
b) granting, extension or renewal dates;
c) expiration date or the expected date for recertification, according to the recertification cycle;
d) a unique identification code;
e) the standard and/or other regulatory document, including the issue and/or revision number, used for the certified client's audit;
f) the scope for certification by product (or service), process, etc., as applicable to each location;
g) the name, address and certification logo of the Certification Body; other logos can also be used (for example, the accreditation symbol), provided they are not misleading or ambiguous;
h) any other information required by the standard and/or other regulatory document used for certification;
i) when issuing revised certification documents, a means of distinguishing the revised documents from any previous obsolete documents.

The validity of the certificate, throughout the three years of validity, shall be maintained according to the results of the subsequent surveillance audits. The Certificate of Conformity shall be reissued following the audit whose conclusion is that of granting the certification/recertification. The validity of the certificate may be suspended, withdrawn or relinquished in accordance with the provisions of Chapters 11 and 12.

RINA SIMTEX shall directly publish and update the following on its website www.rina.org:
a) the list of certified Organizations;
b) the validity status of the certificates issued (indicating the valid, suspended or invalid status for each certificate).

RINA SIMTEX shall provide information on the reasons for suspending/withdrawing the certificate.

CHAPTER 8 AMENDMENT OF CERTIFICATION AND COMMUNICATION OF MODIFICATIONS

8.1 An Organization possessing a certification may request a modification or extension/limitation of the scope by submitting a new request for certification, accompanied by the duly updated documentation indicated in paragraph 3.4. RINA SIMTEX shall reserve the right to examine the requests on a case-by-case basis and to decide the evaluation methods for the purpose of issuing a new certificate according to the GENERAL CONTRACTUAL CONDITIONS GOVERNING MANAGEMENT SYSTEM, PRODUCT AND STAFF CERTIFICATION and the reference standard or a regulatory document for the Management System.

8.2 The Organization must promptly inform RINA SIMTEX of any modifications in factors that may affect the capacity of the Management System to continue to meet the requirements of the reference standard used for certification. This requirement shall refer, for example, to amendments to:
a) the legal, commercial, organisational or ownership status;
b) the organisation and management (e.g. key managers or technical staff involved in the decision-making process);
c) the contact addresses and sites;
d) the scope of the activities covered by the certified Management System;
e) significant changes to the management system and processes.

RINA SIMTEX shall reserve the right to perform additional audits on the Organization if the amendments communicated are deemed particularly significant as regards maintaining the compliance of the Management System with the requirements of the reference standard and these rules or to review the economic conditions for the potential amendment of the contract.

8.3 RINA SIMTEX shall promptly notify the Organization of every amendment in the reference standards or certification rules as a result of updating the Accreditation Body rules.

CHAPTER 9 SPECIAL REQUIREMENTS FOR MULTI-SITE ORGANIZATIONS

9.1 If an Organization operates on more than one permanent site and a single certificate is required, the audit activities shall be performed by sampling the sites subject to audit, provided the following conditions are observed:
- the processes of all the sites are substantially of the same type and are performed using similar methods and procedures. If different processes are performed on different sites, they must be connected (e.g. the manufacturing of electronic components on one site, the assembly of these components performed by the same Organization on various other sites);
- the management system is managed and administrated on a central level and reviewed by the central management.

The Organization must also prove that the central office has in place a management system compliant with the reference standard and that the entire Organization meets the requirements hereof. In particular, at least the following activities must be managed by the central function of the Organization:
- assessment of regulatory requirements;
- control and modification of documents;
- management review;
- handling of complaints;
- assessment of the effectiveness of corrective and preventive actions;
- planning and execution of internal audits and assessment of results;
- existence of different legal requirements.

Prior to the initial audit conducted by RINA SIMTEX, the Organization must have performed an internal audit for each site and must have checked the compliance of its management system with the reference standard.
9.2 If the Organization complies with the previous requirements, RINA SIMTEX shall always check the feasibility of sampling in all sites and may decide to limit this sampling depending on:
- the requirements related to local variable factors;
- the sectors or activities covered by the scope of certification;
- the size of the sites suitable for a multi-site audit;
- the changes in the local implementation of the management system, such as the need to frequently use in the sphere of the management system the plans concerning different activities or different contractual or regulatory systems;
- the use of temporary sites (worksites).

For Organizations providing services, if not all the sites performing activities subject to certification are prepared to be submitted for certification at the same time, the Organization must promptly notify RINA SIMTEX of which sites it wishes to include in the certification and which sites must be excluded.

9.3 Based on the information provided by the Organization, RINA SIMTEX shall establish the applicable sampling plan. This activity is generally performed during the audit process and may also be performed after the audit is completed at the head office. In any case, RINA SIMTEX shall inform the client of which sites must be included in the sample.

9.4 RINA SIMTEX shall issue a single certificate with the name and address of the head office and the scope. A list of all the sites and the activities they perform to which the certificate refers shall be indicated in an annex or on the certificate. The Organization may be issued with an extract of the certificate for each site covered by certification, provided it indicates the same purpose or a sub-element and includes a clear reference to the main certificate.

9.5 For any nonconformities (major or minor) found on one site during audits, the Organization must assess whether these are due to shortcomings common to more than one site and, if so, it must take corrective/preventive actions both at head office and the other sites. If, instead, the nonconformities (major or minor) and/or comments are not of the same type, the Organization must provide suitable evidence and the reasons for limiting its follow-up corrective actions. If nonconformities are found even on a single site, the certification process shall be suspended for the entire network of listed sites until such nonconformities have been corrected and, in any case, in accordance with the provisions of paragraph 11.1. The Organization may not exclude this (these) site(s) from the scope during the certification process to avoid the obstacle created by the existence of nonconformity.

9.6 The Organization must inform RINA SIMTEX of the closure of any site covered by certification. If this information is not communicated, RINA SIMTEX may decide whether or not to proceed according to the provisions of paragraph 11.1. Additional sites can be included in an existing certificate following surveillance or recertification audits or following specific extension audits.

CHAPTER 10 TRANSFER OF ACCREDITED CERTIFICATES

10.1 If an Organization with a valid certificate issued by another Management System Certification Body, a member of the IAF/MLA mutual recognition agreement, wishes to transfer its certification to RINA SIMTEX, it must submit to RINA SIMTEX the Informative Questionnaire, according to paragraph 3.1, and a copy of the Management System Certificate.

RINA SIMTEX shall check that:
- the certificate is valid;
- the certificate is not suspended;
- the accreditation of the Certification Body that issued the certificate is not suspended;
- the client's certified activities fall within the accredited scope of RINA SIMTEX;
and shall issue an offer for the transfer of certification, only after having found the Organization's certification was valid.

If the Organization accepts the business offer, it must submit to RINA SIMTEX the Request for Certification together with the following documents:
- copy of the Management System Manual and the list of procedures;
- copy of the certification audit report or the last recertification audit report and the subsequent surveillance audit reports;
- evidence of the corrective actions taken in relation to the nonconformities found during the previous audit or evidence of the review, acceptance and verification of effectiveness by the previous Certification Body;
- the audit programme prepared by the previous Certification Body;
- the list of any complaints received and the relevant actions taken;
- the reasons for requesting the transfer of certification;
- any comments or reports by national or local authorities.

The contract between RINA SIMTEX and the applicant shall be managed as indicated in paragraph 3.1, depending on the scope of the auditing activities. After the satisfactory completion of the above activities, a Certificate of Conformity of the management system, which generally maintains the deadline established by the body having issued the previous certificate, shall be issued. In general, the surveillance and recertification audits shall also be conducted according to the plan established by the Organization having issued the previous certificate.
CHAPTER 11 SUSPENSION, REINSTATEMENT AND WITHDRAWAL OF CERTIFICATION

11.1 The certification may be suspended as indicated in GENERAL CONTRACTUAL CONDITIONS GOVERNING MANAGEMENT SYSTEM, PRODUCT AND STAFF CERTIFICATION and in the following specific cases:
- if the Organization refuses to allow the scheduled audits to be performed at the frequencies and within the periods set by programme;
- if nonconformities are found in the management system, which were not removed within the time limits established by RINA SIMTEX;
- if the Organization fails to meet the deadlines established for the communication of the corrective actions to remove the nonconformities/comments indicated in the audit report;
- if the Organization made ample changes to its site(s) or moved to another site without informing RINA SIMTEX of such changes;
- if the Organization made changes to its management system that were not accepted by RINA SIMTEX;
- if the Organization underwent an important restructuring and failed to report it to RINA SIMTEX;
- if it refuses or obstructs the participation in audits of the observers of an accreditation body;
- if there is evidence that the Management System does not guarantee the observance of the laws and regulations applicable to the supplied products/services, activity and/or site(s);
- if any justified and serious complaints received by RINA SIMTEX are confirmed.

The Organization may also make a justified request to suspend certification, normally, for no more than six months and under any circumstances after the expiry date of the certificate. This suspension shall be notified in writing, stating the conditions for re-instating certification and the date by which the new conditions are to be complied with. The suspension of the certification shall be made public by RINA SIMTEX directly on the website www.rina.org, as indicated in paragraph 7.3.

11.2 The reinstatement of certification shall be subject to checking whether the shortcomings having led to suspension were removed. This shall be achieved by means of an audit checking the compliance of the Management System with all the requirements of the reference standard. It shall be notified to the Organization in writing and made public by RINA SIMTEX on its website www.rina.org, as established in paragraph 7.3.

11.3 The failure to meet the conditions of paragraph 11.2 above by the set date shall lead to the revocation of the Certificate of Conformity.
The revocation of the Certificate of Conformity may be decided according to the indications in the GENERAL CONTRACTUAL CONDITIONS GOVERNING MANAGEMENT SYSTEM, PRODUCT AND STAFF CERTIFICATION and in the following specific cases:
- when there are reasons for suspension, such as those indicated in paragraph 11.1, which are deemed as particularly serious;
- if the Organization ceases the activities or services covered by the certified Management System for over six months as a rule;
- if the Organization does not accept the new business conditions established by RINA SIMTEX as a result of an amendment in the contract;
- for multi-site Organizations, if the head office or one of the sites fails to meet the criteria required to maintain certification;
- for any other major reason, at RINA SIMTEX's discretion, such as the proven incapacity of the system to pursue its objectives regarding the applicable laws in force or the legal contractual or product safety requirements.

The withdrawal of the Certificate of Conformity shall be notified in writing to the Organization and/or made public by RINA SIMTEX, as indicated in paragraph 7.3.

Any Organization which, following revocation of its Certificate, wishes to be re-certified, must submit a new application and follow the entire procedure all over again.

CHAPTER 12 RENUNCIATION OF CERTIFICATION

A certified Organization may submit a formal communication of renunciation of certification to RINA SIMTEX before the expiry of the certificate, including if the Organization does not wish to or cannot comply with the new provisions established by RINA SIMTEX. Upon receipt of this communication, RINA SIMTEX shall initiate the procedure to invalidate the certificate. In general, within one month from the date of the communication, RINA SIMTEX shall update the validity status of the certificate.

CHAPTER 13 CONTRACTUAL CONDITIONS

As regards the contractual conditions, the provisions of the current edition of the document GENERAL CONTRACTUAL CONDITIONS GOVERNING THE MANAGEMENT SYSTEM, PRODUCT AND STAFF CERTIFICATION shall be applicable.