FAQ36

A type A Inspection Body hires external inspectors (not exclusively) who are otherwise engaged in design or manufacture of products. These external resources are salaried and employed by a company engaged in the design and manufacturing of these products. The external inspectors perform full inspection work with a complete judgment of conformity of these products. The IB doesn’t appoint these external inspectors to inspect products designed or manufactured by themselves or by the company which employs them. The IB appoints these external inspectors to inspect similar products which are designed or manufactured by other manufacturers. The IB argues that it complies with the requirements for type A independence of ISO/IEC 17020 (Annex A – A1 b/) and ILAC P15 (Annex A – Aa). Considering the application guidance provided in ILAC P15, is the situation acceptable?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 6.1  ·  TOPIC: Type A independence  

Answer:

The situation described is not acceptable if the inspection has to be carried out by a type A inspection body, and if the similar designed or manufactured products referred to fall within a product category defined in the scope of accreditation of the inspection body. The requirements for independence apply equally to all personnel involved in inspection activities, whether external or internal to the CAB. In fact, there are no requirements in section 6.1 of the standard applying exclusively to internal personnel, as the standard is indifferent to the channel used by the CAB in contracting its personnel.

On the issue of whether the inspectors may be engaged to perform inspection of products similar to those produced by the organization where they are employed, the requirements in A.1b) apply. Here it is stated that “The inspection body and its personnel shall not engage in any activities that may conflict with their independence of judgment and integrity in relation to their inspection activities.” Working for an organization marketing competitive products to those subject to inspection may constitute such an activity. Further, in the 2nd sentence of A.1b) it is specified that “In particular, they shall not be engaged in the design, manufacture, supply, installation, purchase, ownership, use or maintenance of the items inspected.” ILAC P15 states that “The items in this case are those items that are specified in the accreditation body’s certificate/annex with respect to the accredited scope of the inspection body”. It follows that ILAC P15 expects that the field and range of inspection listed in the scope for accreditation provide information that suffices to define the item inspected as referred to in Annex A of ISO/IEC 17020. This means that if the products inspected, and the products produced by the organization employing the contracted inspectors, constitute the same object of conformity assessment thus specified in the scope of accreditation, then the requirement in the 2nd sentence of A.1b) applies.

FAQ35

Is there any procedure or guidance for the use of digital signatures in inspection certificates or inspection reports? When assessing the implementation of requirements relevant to the use of digital signatures, are there aspects that need special consideration?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 7.4  ·  TOPIC: Inspection reports and certificates 

Answer:

ILAC has not produced any guidance on the use of digital signatures in inspection certificates or inspection reports. The requirements in ISO/IEC 17020 applicable to digital signatures are those specified in 7.4.2e) and 7.4.4. In the former clause it is specified that an inspection certificate/report shall include the signature or other indication of approval by authorized personnel. In the latter clause it is emphasised that this information needs to be correct, accurate and clear. For this to be the case the inspection body would need to have arrangements in place to ensure that the signature applied originates from a person authorised to approve the report/certificate. The wording “or other indication of approval” used in 7.4.2e) indicates that the standard does not expect an advanced arrangement designed to eliminate any conceivable possibility of misuse, but rather expects a safety level on par with that provided by a signature made by pen. It should be noted that the focus of the standard is competence, impartiality and consistency, not the stringent imposition of information security measures.

When assessing the use of digital signatures the following aspects may need to be considered:

1) Is the inspection body using digital signatures of individuals who have left the employment of, or ceased a contractual relationship with, the inspection body? In cases where this individual was the only person in the inspection body with particular competencies supporting part of the scope, there may be incentives in place for this to happen.

2) Is the application of digital signatures appropriately controlled/restricted? E.g. a scanned signature saved on an unrestricted network would not be acceptable.

FAQ34

If the inspection body uses results from testing (from a laboratory) within its report, is that considered to be subcontracting in any way? (1)

What if the laboratory and the inspection body are different departments performing different activities within the same entity/organization? (2)

- Does it matter whether the two departments are implementing the same management system (integrated) or not? (3)

- Does it matter if the required tests/analyses influence the outcome of the inspection results or the interpretation of the results, or are just tests required by the client? (4)

STANDARD: ISO/IEC 17020  ·  CLAUSE: 6.3  ·  TOPIC: Subcontracting  

Answer:

1. ISO/IEC 17020 makes reference to ISO/IEC 17000 for definition of terms. ISO/IEC 17000 makes reference to ISO 9000 for related terminology. ISO CASCO standards, see e.g. ISO/IEC 17065 clause 6.2.2.1, refer to “outsourcing” and “subcontracting” as synonyms. The definition of outsource in ISO 9000 is “make an arrangement where an external organization performs part of an organization’s function or process”. If an inspection scheme or contract calls for the performance of a test to provide input to the inspection, then performance of this test is part of an inspection body’s process and clause 6.3.1 of ISO/IEC 17020 is applicable. If an inspection scheme or contract calls for the review of test results provided by e.g. a manufacturer or supplier, then performance of this test is not part of an inspection body’s process and clause 7.1.6 is applicable. This holds true even where the manufacturer/supplier is not the performer of the test, but is commissioning this service.

2. It is the responsibility of the accreditation body to define the accredited body, see ISO/IEC 17011:2017, clause 7.8.1. According to clause 5.1.1 of ISO/IEC 17020 the inspection body can be a legal entity or a defined part of a legal entity. If the laboratory is within the organisation thus defined as the inspection body, then it is not a subcontractor. If it is not within the defined organisation, then it is a subcontractor. However, if the two parts of the organization work according to the same management system, it would be expected that the accredited body is defined to include both entities, limiting the extent of subcontracting.

3. Yes. ISO/IEC 17020 does not allow for the inspection body to have multiple non-integrated management systems. See clause 8.1.1. If the inspection body and the laboratory have the same management system, or if the two systems are integrated, the answer to question 2 still applies.

4. The important consideration is: what has the inspection body contracted to deliver? In particular, does the client require all of the work to be covered by accreditation, and if not, which parts do they require the accreditation to cover? Many clients want a one-stop-shop for a variety of inspections and may contract an inspection body to provide a range of work under one contract that may include:

1. Inspections within the inspection body’s scope of accreditation, defined by an inspection scheme

2. Inspections within the inspection body’s scope of accreditation, not defined by an inspection scheme

3. Inspections outside of the inspection body’s scope of accreditation

4. Tests outside of the inspection body’s scope of accreditation but which are required to support an inspection decision that is covered by the inspection body’s scope of accreditation

5. Standalone tests (not supporting an inspection) outside of the inspection body’s scope of accreditation.

For the work in (1) the inspection body may do the work themselves or, in unusual circumstances, may subcontract the work. [clause 6.3.1 applies]

For the work in (2) the inspection body may do the work themselves or, in unusual circumstances, may subcontract the work. [clause 6.3.1 applies]

For the work in (3) the inspection body may do the work themselves (but cannot claim endorsement).

For the work in (4) the inspection body may do the work themselves or may subcontract the work [clause 6.3.1 applies] or may accept information (test results) provided by a third party [clause 7.1.6 applies]. In this case the inspection body may claim endorsement, but will have to attach a disclaimer to test results not produced under accreditation or to the outcome of the inspection if individual test results are not included in the inspection report.

For the work in (5) the inspection body may do the work themselves or subcontract it to an organisation that is or is not accredited for the tests; in neither case can the inspection body claim endorsement.

FAQ33

“The liability can be assumed by the State in accordance with national laws, or by the organization of which the inspection body forms a part”.

A. Does this mean that a governmental inspection body is deemed to satisfy this requirement by just being a governmental inspection body without having an actual provision (reserves/insurance), or even without a statement of commitment by the state towards the inspection body’s work, or without a clause in a law specifying rules concerning governmental liability?

B. If the inspection body is a part of an organization, can it be assumed that the organization is responsible for the inspection body’s liabilities or does there have to be a statement of commitment by the organization and a clear provision (with evidence) to cover the inspection body’s liabilities?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 5.1.4  ·  TOPIC: Provision for liabilities  

Answer:

A. If an inspection body makes a statement that the state accepts responsibility for its liabilities, for example in the case of a government inspection body, the accreditation body shall seek evidence that this is the case. The evidence must be objective and sufficient to convince the accreditation body that clause 5.1.4 is met.

B. It cannot be assumed that the liabilities are automatically covered by the larger organisation. There are many ways that an inspection body can be “part of an organization”. For example, it is common for many legal entities to exist in one organization in order to separate the liability of different parts of the organization. In all cases, the inspection body should be able to provide evidence of fulfilment of 5.1.4.

FAQ32

What is the importance of the quality manual (or whatever the document is called) and are there fixed items which it is mandatory to cover in it? Considering that the standard ISO 9001:2015 no longer requires its existence, does this mean that if an IB uses Option B it is not mandatory to have a quality manual, while an IB which uses Option A must have a quality manual, or is it voluntary in both cases?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 8.1.3  ·  TOPIC: Management system documentation 

Answer:

ISO/IEC 17020 only refers to “manual” in the 1st bullet of clause 8.1.2. Here it is referenced as a type of “management system documentation”. Therefore, whether option A or B is chosen, there is no requirement to have a “manual”. What is required in both cases is to have a “management system” capable of achieving the consistent fulfilment of the requirements of ISO/IEC 17020.

FAQ31

Can the publicly available terms & conditions of the inspection body, containing its policy and/or a commitment statement concerning the protection of the clients’ information, be considered as a legally enforceable commitment to confidentiality? Consequently, can the client of the inspection body use these terms & conditions as legal evidence to the responsible authority when the inspection body discloses confidential information concerning the client? In other words, do such published terms & conditions have the same strength as the contractual agreement referred to in the above-mentioned clause?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 4.2  ·  TOPIC: Confidentiality  

Answer:

It is the responsibility of the inspection body to understand the prevailing legal system and demonstrate that the commitments they have established are legally enforceable under that legal system. In this particular case, it should be checked if the inspection body’s commitment through “publicly available terms & conditions” is considered as a legally enforceable commitment under the legal system in question.

FAQ30

Can an organization undertaking non-destructive testing be classified as an inspection body?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 3.5  ·  TOPIC: Defining inspection body

Answer:

Bodies performing non-destructive testing activities may be accredited using either ISO/IEC 17025 or ISO/IEC 17020. EA (European co-operation for Accreditation) has published a document, EA-4/15 Accreditation for Non Destructive Testing, to ensure that, whichever route is chosen, accreditation is carried out using the same technical criteria.

FAQ29

Can inspection companies accredited under ISO/IEC 17020 (Type A) be qualified to assess compliance with regulatory requirements to Automotive Service Stations and to issue certificates of compliance/conformity? Further, can bodies accredited under ISO/IEC 17065 also provide this service?

STANDARD: ISO/IEC 17011  ·  CLAUSE: 4.6.3  ·  TOPIC: Conformity assessment schemes

Answer:

If the scope of accreditation of the conformity assessment body (CAB) covers this service (compliance with regulatory requirements to Automotive Service Stations and issue certificates of compliance/conformity), the CAB can provide the services under accreditation. However, it is up to the scheme owner (regulator in this case) to decide:

a. what type of conformity assessment body can assess compliance with specified requirements in the particular scheme;

b. what, if any, requirements for competence, consistency and impartiality (e.g., ISO/IEC 17020, ISO/IEC 17065) conformity assessment bodies must meet;

c. what, if any, demonstration of fulfilment of requirements for competency, consistency and impartiality (e.g., accreditation) the conformity assessment body must complete;

d. if accreditation bodies are involved in the scheme, what, if any, requirements for competence, consistency and impartiality (e.g., ISO/IEC 17011) such bodies must meet;

e. if accreditation bodies are involved and must meet requirements for competence, consistency and impartiality, what, if any, demonstration of fulfilment of such requirements (e.g., peer assessment within the ILAC MLA) accreditation bodies must complete.

It should be noted that ISO/IEC 17020 and ISO/IEC 17065 are not equivalent standards. Each has its own area of applicability. As indicated above, it is up to the scheme owner to judge which standard is the most appropriate choice for the particular scheme.

FAQ28

If the inspection body subcontracts some tests to a laboratory, but due to unforeseen circumstances this laboratory is obliged to subcontract a part of these required tests to another laboratory, is it the responsibility of the inspection body to investigate the competence of the subcontractor of its subcontractor or not (1)? When informing the client about the inspection body’s intention to subcontract the testing part of the inspection, is it mandatory only to mention the first subcontractor or also the subcontractor of the first subcontractor (2)? And does it require the client’s permission for both subcontractors or only for the first one (3)?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 6.3.2  ·  TOPIC: Subcontracting  

Answer:

1. ISO/IEC 17020 makes reference to ISO/IEC 17000 for definition of terms. ISO/IEC 17000 makes reference to ISO 9000 for related terminology. ISO CASCO standards, see e.g. ISO/IEC 17065 clause 6.2.2.1, refer to “outsourcing” and “subcontracting” as synonyms. The definition of outsource in ISO 9000 is “make an arrangement where an external organization performs part of an organization’s function or process”. Thus, an activity subcontracted by a subcontractor is still an outsourced activity from the perspective of the IB. Consequently, the subcontractor’s subcontractor should be considered as a subcontractor of the IB itself. This is to say that it is the responsibility of the inspection body to secure the competency of the subcontractor at all levels. The situation therefore needs to be covered by the contract between the inspection body and the subcontractor. The answer to the question is therefore “yes”.

2. Following the trail of the answer to question 1, the answer is “yes” also to this question.

3. ISO/IEC 17020 does not require the IB to seek permission from the client for the use of subcontractors. The requirement is only to inform the client.

FAQ27

Even though the inspection body demonstrates that it has eliminated and minimized all identified risks to impartiality, it is difficult to determine whether all risks have been identified, in particular risks associated with any kind (financial, trade, administrative, moral or other) of pressure exerted on the inspector. How far does the accreditation body need to go to ensure that the requirement is fulfilled?

STANDARD: ISO/IEC 17020  ·  CLAUSE: 4.1.3  ·  TOPIC: Identifying risks 

Answer:

Clause 4.1.3 requires the inspection body to identify risks to its impartiality on an ongoing basis. In order to demonstrate fulfilment of this requirement the inspection body will need to show that it has a process to accomplish this, and it will need to show that this process generates a credible output. In order to confirm this, the accreditation body may review records such as complaints, management review records, internal audit reports or correspondence sent directly to the accreditation body, e.g. from regulators or competitors to the inspection body, as indications that there may be risks that have not been recognised or have not been effectively managed. The standard does not require the inspection body to prove that it has identified every circumstance that may pose a risk to the impartiality of the inspection body, but there is an underlying expectation that the major/most likely risks are indeed identified. Failure to do so shall be considered as a non-compliance. Note that clause 4.1.2 explicitly states that “commercial, financial or other pressures” shall not be allowed to compromise impartiality. This can only be ensured if the corresponding risks are identified and managed. Consequently, the inspection body is expected to carefully consider what pressures may be exerted, and how to deal with or prevent them.