Technology Services – National Institute of Standards and Technology Conformity Assessment ANSI-HSSP Workshop Emergency Communications December 2, 2004 Presented by: Gordon Gillerman Conformity Assessment Advisor Homeland Security
Technology Services – National Institute of Standards and Technology Conformity Assessment “any activity concerned with determining directly or indirectly that relevant requirements are fulfilled” ISO/IEC Guide 2
Technology Services – National Institute of Standards and Technology Types of Conformity Assessment Supplier’s Declaration Inspection Testing Certification Registration Accreditation
Technology Services – National Institute of Standards and Technology ISO/IEC Guide 2 Definitions Accreditation - procedure by which an authoritative body gives formal recognition that a body or person is competent to carry out specific tasks Certification - procedure by which a third party gives written assurance that a product, process or service conforms to specified requirements Inspection - conformity evaluation by observation and judgement accompanied as appropriate by measurement, testing or gauging Registration - procedure by which a body indicates relevant characteristics of a product, process or service, or particulars of a body or person, in an appropriate, publicly available list Supplier’s Declaration - procedure by which a supplier gives written assurance that a product, process or service conforms to specified requirements Test - technical operation that consists of the determination of one or more characteristics of a given product, process or service according to a specified procedure Testing - action of carrying out one or more tests Type Testing - conformity testing on the basis of one or more specimens of a product representative of the production
Technology Services – National Institute of Standards and Technology Helpful Terminology The parties – who done it? Conformity Assessment can be conducted by: first party – seller or manufacturer second party – purchaser or user third party – an independent entity that has no interest in transactions between the 1 st and 2 nd parties government – has a unique role in regulation, but is the second party in procurement
Technology Services – National Institute of Standards and Technology Factors in CA System Design? The risks associated with non-compliance should be proportional to the rigor and independence of the CA system. System over-design will add too much cost. System Under-design will result in too little confidence of compliance. Penalties associated with non-compliance may reduce the needed rigor and independence of the conformity assessment system. Timely mechanisms that effectively remove non-compliant products from the market may also reduce the needed rigor and independence of the system.
Technology Services – National Institute of Standards and Technology Risk and Conformity Assessment Perceived Risk Independence and Rigor of Conformity Assessment Supplier’s declaration 1 st party conformity assessment certification 3 rd party conformity assessment
Technology Services – National Institute of Standards and Technology Risk and Conformity Assessment Perceived Risk Independence and Rigor of Conformity Assessment Supplier’s declaration 1 st party conformity assessment certification 3 rd party conformity assessment
Technology Services – National Institute of Standards and Technology Generally, private sector programs should be considered. Accreditation of conformity assessment organizations is a key tool for utilizing the private sector However, in some situations where security may be compromised the technical requirements (standard) and/or the CA system may need to be kept secure. Special Considerations – Homeland Security
Technology Services – National Institute of Standards and Technology Typical Use – Suppliers Declaration (1 st Party CA) Used when the risks associated with non- conformity are low to moderate and market and/or regulatory mechanisms are capable of adequately addressing non-conformities. Product, personnel and system characteristics
Technology Services – National Institute of Standards and Technology Typical Use –Certification (3 rd Party CA) Used when the risks associated with non- conformity are moderate to high. Includes evaluation, compliance decision evaluation and some form of surveillance. Always conducted by a third party. Products and personnel characteristics
Technology Services – National Institute of Standards and Technology Typical Use – Inspection (1 st, 2 nd or 3 rd Party CA) Used when the critical characteristics can be evaluated via physical examination or measurement. May be an element of a certification system. May be used to ensure that all Products, Parts of a system have been properly installed (ex. code inspection)
Technology Services – National Institute of Standards and Technology Typical Use – Testing (1 st, 2 nd or 3 rd Party CA) Used when the critical characteristics can be evaluated via measurement under specified conditions. Type test is a test carried out on samples that represent production for the purpose of determining conformity. May be an element of a suppliers’ declaration or certification system.
Technology Services – National Institute of Standards and Technology Typical Use – Surveillance (Gov’t or 3 rd Party CA) Used to ensure/enhance ongoing conformity. Key part of certification or registration system. May be conducted pre-market (at the factory) or post- market (in the marketplace). Periodic retesting may be required for personnel and product certification systems. Type and rigor should be balanced with the ability to remove non-compliant products/services/personnel from the market.
Technology Services – National Institute of Standards and Technology Typical Use – Registration (3 rd Party or Gov’t CA) Used to provide an assurance that a process meets requirements. In the US registration is associated with third party conformity assessment for management systems. This process includes initial assessment of process and implementation and surveillance audits. Useful for process critical applications such as software development/deployment, quality (ISO 9000), environmental (ISO 14000) and potentially risk management systems. Registration or elements of it can be used to support certification surveillance
Technology Services – National Institute of Standards and Technology Typical Use - Accreditation Used to assess and ensure/enhance conformity assessment body and program for competence, management and technical requirements. Used to attain needed confidence in testing operation and results. Used to attain needed confidence in certification or registration system.
Technology Services – National Institute of Standards and Technology Conformity Assessment’s Role Money Product, Service or System Contract Certification Supplier Standards and Technical Requirements Buyer, User Standards and Technical Requirements Supplier's Declaration Inspection Laboratory Accreditation Regulation Government Registrar Accreditation Calibration Laboratory Testing Registration Certification Accreditation Inspection Accreditation Confidence Accreditation
Technology Services – National Institute of Standards and Technology Useful Technical Documents NIST Resources International Standards ISO/IEC Guide 7:1994 Guidelines for drafting of standards suitable for use for conformity assessment ISO/IEC Guide 22:1996 General criteria for supplier's declaration of conformity ISO/IEC Guide 23:1982 Methods of indicating conformity with standards for third-party certification systems ISO Guide 27:1983 Guidelines for corrective action to be taken by a certification body in the event of misuse of its mark of conformity ISO/IEC Guide 28:1982 General rules for a model third-party certification system for products ISO/IEC Guide 43-1:1997 Proficiency testing by inter-laboratory comparisons -- Part 1: Development and operation of proficiency testing schemes ISO/IEC Guide 43-2:1997 Proficiency testing by inter-laboratory comparisons -- Part 2: Selection and use of proficiency testing schemes by laboratory accreditation bodies ISO/IEC Guide 53:1988 An approach to the utilization of a supplier's quality system in third party product certification ISO/IEC Guide 58:1993 Calibration and testing laboratory accreditation systems -- General requirements for operation and recognition ISO/IEC Guide 60:1994 ISO/IEC Code of good practice for conformity assessment ISO/IEC Guide 61:1996 General requirements for assessment and accreditation of certification/registration bodies ISO/IEC Guide 62:1996 General requirements for bodies operating assessment and certification/registration of quality systems ISO/IEC Guide 65:1996 General requirements for bodies operating product certification systems ISO/IEC Guide 68:2002 Arrangements for the recognition and acceptance of conformity assessment results ISO/IEC TR 13233:1995 Information technology -- Interpretation of accreditation requirements in ISO/IEC Guide Accreditation of Information Technology and Telecommunications testing laboratories for software and protocol testing services ISO/IEC TR 17010:1998 General requirements for bodies providing accreditation of inspection bodies ISO/IEC 17020:1998 General criteria for the operation of various types of bodies performing inspection ISO/IEC 17024:2003 Conformity assessment -- General requirements for bodies operating certification of persons ISO/IEC 17025:1999 General requirements for the competence of testing and calibration laboratories ISO/IEC 17030:2003 Conformity assessment -- General requirements for third-party marks of conformity