This is a train-the-trainer program developed by Randy Dougherty, one of the co-conveners of WG 21, which was reviewed and includes input by other members of WG21. This presentation is an overview of the standard and changes, as well as additional information about accreditation. Another presentation addresses the changes related to the audit process, and a third presentation addresses the changes related to competence.
ISO/IEC 17021
Developed by ISO/CASCO Working Group 21
Co-conveners:
Alister Dalrymple, France-AFNOR AFAQ, a management system certification body
Randy Dougherty, US-ANSI ANAB, an accreditation body for management system certification bodies
Note: CASCO is the Conformity Assessment Committee

When this project was initiated, the convener of WG21 was Lars Waldner of Swedac, appointed by the then CASCO chair, John McDonald. When Lars was unable to continue as convener, CASCO chair Mario Wittner appointed Dalrymple and Dougherty as co-conveners. This was the first time a CASCO WG had co-conveners. This has been a successful team effort led by individuals working for CBs and ABs. The standard was completed under the leadership of Mario Wittner as the CASCO chair. Graeme Drake, then Peter Dennehy, served as secretary of CASCO during the period of development of this standard when Dalrymple and Dougherty were co-conveners. Discussions about part 2 were initiated under Wittner and Drake, but concluded under the leadership of Olivier Peyrat as CASCO Chair and Sean MacCurtain as CASCO Secretary.
ISO/IEC 17021
Intent of WG21 for 17021:
To replace Guides 62 and 66
To be applicable to any management systems
To incorporate IAF guidance
To incorporate latest technology
To be consistent with the common elements (WG23)
Principles-based performance requirements (where possible)

The original intent was to simply replace Guides 62 and 66 while also incorporating applicable IAF guidance. This was soon expanded to make it applicable to any MS standard. CB associations influenced the additional intent to incorporate latest technology, and to have principles-based requirements. WG21 developed 17021 during the same period that WG23 was developing the common elements, so work by WG21 influenced the work of WG23, and the work of WG23 influenced the work of WG21, for the sections dealing with impartiality, complaints and appeals, confidentiality, and management systems.
ISO/IEC 17021:2006
ISO/IEC 17021:2006 Conformity assessment—Requirements for bodies providing audit and certification of management systems
Published 15 September 2006

The standard was published in September 2006 as ISO/IEC 17021:20XX entitled Conformity assessment—Requirements for bodies providing audit and certification of management systems.
ISO/IEC 17021 Part 2
To replace references to ISO 19011 guidelines with requirements applicable to any third party MS audit:
Audit process
CB management of competence, including the competence of audit teams
Template for specific auditing requirements that can be applied to other ISO TCs: TC 176 for ISO 9001, TC 207 for ISO 14001, TC 34 for ISO 22000, etc.

The primary goal is to replace in 17021 any reference to ISO 19011. The secondary goal is to improve the understanding, and management, of competence.
ISO/IEC 17021 Part 2
[Diagram]
Generic Requirements for 3rd Party Auditing & Management of Competence (based on 19011)
Framework for Developing Specific Requirements for 3rd Party Auditing & Management of Competence
Included in 17021 Part 2, developed by WG 21 with input from competent bodies
QMS Competent Body, e.g. ISO/TC176: QMS Specific Competence Requirements
EMS Competent Body, e.g. ISO/TC207: EMS Specific Competence Requirements
FSMS Competent Body, e.g. ISO/TC34: FSMS Specific Competence Requirements
ISMS Competent Body, e.g. ISO/TC178: ISMS Specific Competence Requirements
xMS Competent Body: xMS Specific Competence Requirements
Developed by a competent body using the 17021 Part 2 framework, in consultation with CASCO, and published as separate sector documents

This graphic was included in the NWIP for CASCO, and explains graphically the scope of the NWIP. WG21 will be developing requirements generic to any management system, and not any requirements specific to specific management systems. In other words, WG21 will not specify QMS or EMS specific requirements. However, it plans to develop a framework for others to add the specific requirements. The best current example is 22003, which adds specific requirements for food safety management systems under ISO 22000: for scoping, competence, audit duration and multi-site sampling.
ISO/IEC 17021 Part 2
WG 21 meetings on Part 2:
December 2006, February and June 2007: WD1
October 2007: WD2
January 2008: DC1 for five-month comment
October 2008: CD2 comment ballot passed
April and June 2009: DIS1 ballot passed
June 2010: FDIS
February 2011: Published as ISO/IEC 17021:2011

The development of part 2 was approved in September 2006, the same month that ISO/IEC 17021:2006 was published, and the entire process for developing part 2 took about 4.5 years.
ISO/IEC 17021:2011
ISO/IEC 17021:2011 Conformity assessment—Requirements for bodies providing audit and certification of management systems
Published 1 February 2011

The standard was published on 1 February 2011 as ISO/IEC 17021:2011 with the same title, Conformity assessment—Requirements for bodies providing audit and certification of management systems.
ISO/IEC 17021:2011
with part 2 new text integrated in existing standard and shown with a grey background

It was published as a revision with an expanded scope. The review and revision process was limited, though, to the scope of the NWIP. So it was limited to CB competence and replacing references to ISO 19011 with requirements specific to third party certification audits. So the document will show the new text and also show any deleted text.
ISO/IEC 17021:2011
As decided by ISO/CASCO prior to the ballot, there will be a systematic review of the entire document 12 months after publication

It was decided that all other comments received about other requirements in the 2006 first edition will be held over and considered during the systematic review, which will begin in early 2012. So far Dalrymple and Dougherty have agreed to stay on as co-conveners of WG21 for the systematic review.
ISO/IEC 17021:2011 Contents
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
5 General requirements
6 Structural requirements
7 Resource requirements
8 Information requirements
9 Process requirements
10 Management system requirements for CBs

There were no changes to the 10 sections of the standard. However, of the 10 sections, 6 sections had changes. Some, such as Sections 2, 4 and 10, simply had some deletions. So the three sections with significant changes were Section 3, in which definitions had to be added; Section 7, of course, to address competence requirements; and Section 9, for the audit processes, adding detail that in the past was by reference to ISO 19011.
ISO/IEC 17021:2011 Contents
Annex A (normative) Required knowledge and skills
Annex B (informative) Possible evaluation methods
Annex C (informative) Example of a process flow for determining and maintaining competence
Annex D (informative) Desired personal behaviors
Annex E (informative) Third-party audit and certification process
Annex F (informative) Considerations for the audit programme, scope or plan
Bibliography

The new standard has 6 annexes: one normative and five informative. The one normative annex and 3 of the 5 informative annexes (A, B, C, and D) all relate to the competence and performance of CB personnel. The other 2 informative annexes (E and F) relate to the audit and certification processes.
Changes
Deleted all normative references to ISO 19011:
Section 2 Normative references: reference and note
Section 7: 7.2.5, 7.2.11
Section 9: 9.1.2, 9.1.3, 9.1.9, 9.1.10
Section 10: 10.2.5

There is one remaining reference to ISO 19011, in addition to the Bibliography, which is the note to the requirement for the CB to conduct internal audits, but being in a note it is not a normative reference.
Changes
Replaced most normative references to ISO 19011 with specific requirements related to competence and third party certification audits
Changes
Section 3 Terms and definitions
Added 7 new definitions:
3.4 third party certification audit
3.5 client
3.6 auditor
3.7 competence
3.8 guide
3.9 observer
3.10 technical area

Many of the new definitions were necessary because we deleted reference to ISO 19011. However, we also had to define a third party certification audit because some members of ISO/TC176 (which is responsible for revising ISO 19011) feel that there are other kinds of third party audits. We also decided on a different definition of competence, deleting the word ‘demonstrated’ from the definition. Competence still has to be demonstrated, but this is stated in requirements in section 7. We also defined ‘technical area’ and further elaborated with specific examples as notes in section 7.
Changes
Section 4 Principles
Edited 4.3 to delete one sentence that was no longer consistent with the new definition (3.7) of competence
Changes
Section 7 Resource requirements
Added 2 new requirements:
7.1.2 Determination of competence criteria, with reference to normative Annex A
7.1.3 Evaluation processes, with reference to informative Annex B
Revised 7.2.4:
Deleted applicable personal attributes
Added a note making reference to desired personal behaviors in an informative Annex D

There are only two new clauses added to Section 7 and a very slight revision to another clause, but the changes are quite significant. It takes our industry a few steps further down the road toward competence and away from qualifications. We are now focused on knowledge and skills, having removed personal attributes from the definition. The new requirements are process focused: determine and document competence criteria, then evaluate personnel for conformance to the documented criteria.
Changes
Section 9 Process requirements
9.1 General requirements
9.2 Initial audit and certification
9.3 Surveillance activities
9.4 Recertification
9.5 Special audits
9.6 Suspending, withdrawing or reducing the scope of certification
9.7 Appeals
9.8 Complaints
9.9 Records of applicants and clients

Considering that ISO 19011 was focused on QMS and EMS management system audits, it makes sense that most of the changes are in Section 9, the audit and certification process requirements of the standard. And nearly all of the changes are an expansion of the general requirements in 9.1. There is only one slight change to the initial audit and certification process.
Changes
9.1 general requirements
9.1.1 Audit programme
9.1.2 Audit plan
9.1.3 Audit team selection and assignments
9.1.4 Determining audit time
9.1.5 Multi-site sampling
9.1.6 Communication of audit team tasks
9.1.7 Communication concerning audit team members
9.1.8 Communication of audit plan
9.1.9 Conducting on-site audits
9.1.10 Audit report
9.1.11 Cause analysis of nonconformities
9.1.12 Effectiveness of corrections and corrective actions
9.1.13 Additional audits
9.1.14 Certification decision
9.1.15 Actions prior to making a decision
9.2 initial audit and certification

This is a list of the 15 general requirements of section 9.1 of ISO/IEC 17021:2006 except that each clause now has a title. With the exception of the title, the subject is the same. However, there are significant additions for each of the clauses shown in color to add in additional requirements based on what was in ISO 19011. And of these, 9.1.9 has been expanded the most. The other clauses have no changes or very minor changes.
9.1.1: 1 new requirement
9.1.2: 6 new requirements
9.1.3: 4 new requirements
9.1.4: 1 new requirement
9.1.9: 16 new requirements
9.1.10: 1 new requirement (content of report)
9.1.11: 1 new requirement (records of verification of effectiveness)
Changes
9.2 initial audit and certification
Added 1 new requirement: record of reasons for declining an application
Transition
An IAF Technical Committee task force recommended the transition period of 24 months following publication, which was agreed by the IAF TC, IAF General Assembly, and IAF-ILAC-ISO Joint Working Group
Joint IAF-ISO Communiqué
Deadline of 1 February 2013 for the transition

As most of you may note, the length of the transition period, 24 months, is the same as we had when we first published ISO/IEC 17021:2006. Many CBs are already close to conformance with this revision. But we expect that some CBs (and perhaps some ABs) will struggle to truly understand competence as compared to qualifications. NOTE THAT THE DEADLINE FOR CONFORMANCE IS 24 MONTHS AFTER PUBLICATION.
Transition
IAF ID2:2011 Information on the Transition of Management System Accreditation to ISO/IEC 17021:2011 from ISO/IEC 17021:2006
Published 1 February 2011

Roger Bennett, who led the IAF TC TF that developed the IAF guidance on the transition to the 2006 standard, also led the TF that has developed the informative document on the transition to the 2011 standard. The document is informative, which means CBs and ABs are not required to follow it.
ISO/IEC 17021:2006 Transition
Suspensions and Withdrawals
Globally 19 of 52 IAF member ABs suspended or withdrew accreditation of 68 CBs:
UKAS (12)
RENAR (8)
CAI (7)
EMA (6)
ENAC (5)
ANAB, SINCERT, SAS (4 each)
NAT, RVA (3 each)
OAA, COFRAC, IPAC (2 each)
CGRE/INMETRO, JAS-ANZ, BAS, ESYD, INAB, LA (1 each)

Many have asked if ISO/IEC 17021:2006 made any difference. These were results of the transition to the 2006 standard, as reported to IAF in October 2008. You can see that not all CBs made the transition.

What about the transition from ISO/IEC 17021:2006 to ISO/IEC 17021:2011? Will it make a difference? Many certification bodies will need to re-visit their report formats and include more free text areas where the auditor indicates how audit objectives were evaluated and confirmed. Auditors will require further training in the process approach to auditing (even after all this time), but better audit plans should help. Auditors will be expected to understand the client processes better in order to effectively audit the system to ensure it meets/delivers against customer/contractual requirements, regulatory and statutory requirements. Audit reports should indicate/justify why the audit team are confident to recommend certification. Accreditation bodies will need to review and challenge audit reports more critically to ascertain if the information confirms all the audit objectives were met and sufficient information is available for an informed decision. Accreditation bodies will need to witness more critically to confirm the audit evaluates effectiveness. This said, we do not anticipate similar drop out due to the 2011 standard.
CB auditor competence
IAAR-ANAB project to identify and agree on “technical areas” and how to apply them to QMS, EMS, and OHSMS to fulfill new ISO/IEC 17021 part 2 requirements on competence

Recognizing that identification of ‘technical areas’ will be one of the more significant challenges, ANAB is working with the IAAR to document key processes related to the products or services identified for the NACE 2 revision of codes, then to document the significant environmental aspects and impacts associated with those processes, and the worker health and safety risks. Our plan is to make this compendium of information publicly available.
AB assessment of CB competence
IAF Technical Committee task force to harmonize AB assessments of CBs for competence to ISO/IEC 17021:2011

Trevor Nash is leading an IAF TC TF to develop an IAF document on how ABs assess CBs to the competence requirements of the 2011 standard. The goal is to have consistent application by all ABs.
Auditor competence
Joint program by RABQSA and IRCA based on ISO/IEC 17021:2011
Plan to offer competence-based certification of auditors for specific technical areas
Tools to be made available to ABs and CBs

RABQSA and IRCA are working together to try to develop processes and services related to auditor competence. Their plans included evaluating competence for specific technical areas. Their processes and services will lead to a competence-based auditor certification program, but they are planning to make some of the processes available to CBs (and ABs) that may help the CBs and ABs manage competence without necessarily having their auditors and assessors certified.
How to seek clarification
CASCO to ask a question
CASCO for an interpretation: Sean MacCurtain
IAF regarding the application: Norbert Borzek

Questions will arise about a requirement in the standard. Even though the standard was written to be unambiguous, on occasion two individuals will have a different understanding of what is stated, or sometimes upon translation into other languages the requirement may not be as clear. So how do you obtain clarification?

The first step would be to contact the CASCO Secretary, probably by email. If Sean cannot answer the question directly, he will send it to the co-conveners, Alister and Randy. Although the response to a question will not be ‘official’, it will come from knowledgeable sources.

If there is a question about what the words actually mean, there may be a need for an interpretation. CASCO has a documented process for making interpretations. This process takes about 3 months. Note, however, that the interpretations have no legal status in that no party is obliged to accept or use an interpretation until a standard is revised to take on such wording.

If the question is about how the requirement is to be applied by a CB, the question can be put to the IAF Technical Committee for its decision. This is by means of a discussion paper to the IAF TC. This can be initiated by contacting the IAF TC Chair, Norbert Borzek of DAkkS, who will send a form to be completed to initiate a discussion paper. Discussion papers are considered twice a year.