A2LA’s ISO/IEC 17065:2012 Transition and Applications

Mike Buzard – Senior Accreditation OfficerAdam Gouker – Accreditation ManagerAmerican Association for Laboratory

AccreditationFrederick, Maryland, U.S.A

Presentation to the TCB Council – April 2014

Overview A2LA Recognition, Structure, and Processes

Transition to ISO/IEC 17065:2012

ISO/IEC 17065:2012 Published “Explanations”

ISO/IEC 17065:2012 Requested “Explanations”

Common TCB Assessment Deficiencies

Implementation of FCC KDB Revisions (April 2014)

A2LA is: Non profit Non governmental Independent 3rd party Established in 1978

A2LA provides accreditation:

ISO/IEC 17025:2005 – Testing and Calibration Laboratories

ISO 15189:2012 – Medical Laboratories ISO Guide 34:2009 – Reference Material Producers ISO 17043:2010 – Proficiency Testing Providers ISO Guide 65:1996 – Product Certification Bodies ISO/IEC 17065:2012 – Product Certification

Bodies ISO/IEC 17020:2012 – Inspection Bodies

A2LA Recognition International Accreditation Forum (IAF) Multilateral

Recognition Arrangement (MLA) Signatory International Laboratory Accreditation Cooperation

(ILAC) Mutual Recognition Arrangement (MRA) Signatory

Recognized Accreditation Body under the National Voluntary Conformity Assessment Systems Evaluation (NVCASE) Program

FCC Recognized Test Firm Accrediting Body (TFAB) Various Gov’t to Gov’t MRA’s through NIST

A2LA Structure

A2LA Processes - Assessment Order ISO/IEC 17025 and/or ISO/IEC 17065 Read AB’s Supplemental Requirements Read Regulator / Certification Scheme

Requirements Submit Application(s) Assessor Assigned (performs doc review)

A2LA Processes - AssessmentConduct On-site AssessmentCAR’s Following AssessmentDecision on AccreditationSurveillance and Renewal

Assessments

A2LA Processes - Cycles Year 0: Initial Accreditation Year 1: On site Surveillance Assessment Year 2: Full Renewal Assessment Year 3: Annual Review, desk audit – could be on-

site Year 4: Full Renewal Assessment Year 5: Annual Review, desk audit – could be on-

site Note: this is one option per ISO/IEC 17011, clause 7.11.3

A2LA Processes - Scopes Document that identifies exactly what the

organization is accredited for: For Labs – identifies specific tests & methods For CBs – identifies product categories, product

specs, and/or certification schemes Identifies expiration date and physical

location Must be confirmed by the assessor Organizations can be accredited for

“limited” scope of activities

A2LA Processes - Scopes

SCOPE OF ACCREDITATION TO ISO/IEC 17025:2005

YOUR LABORATORY NAME 123 Elm Street

Anywhere, MD 00000 Your Name Phone: 555 555 5555

ELECTRICAL (EMC)

Valid To: December 31, 20xx Certificate Number: xxxx.01 In recognition of the successful completion of the A2LA evaluation process, accreditation is granted to this laboratory to perform the following electromagnetic compatibility tests: Test Technology Test Method(s)

Emissions

Radiated & Conducted 47 CFR, FCC Part 15, Subpart B (using ANSI C63.4-2009); 47 CFR, FCC Part 18 (using MP-5); AS/NZS CISPR 11; EN 55011; AS/NZS CISPR 13; EN 55013; EN 55022; IEC/CISPR 22; CNS 13438 (up to 6 GHz);

A2LA Processes - Scopes

SCOPE OF ACCREDITATION TO ISO/IEC 17065:2012

YOUR CB’S NAME 123 Elm Street

Anywhere, MD 00000 Your Name Phone: 555 555 5555

PRODUCT CERTIFICATION CONFORMITY ASSESSMENT BODY (CAB)

Valid To: December 31, 20xx Certificate Number: xxxx.02 In recognition of the successful completion of the A2LA Certification Body Accreditation Program evaluation, including the US Federal Communications Commission (FCC)requirements for the indicated types of product certifications, accreditation is granted to this organization to perform the following product certification schemes: Economy Scope Federal Communication Commission - (FCC) Unlicensed Radio Frequency Devices A1, A2, A3, A4 Licensed Radio Frequency Devices B1, B2, B3, B4 Telephone Terminal Equipment C *Please refer to FCC TCB Program Roles and Responsibilities, released April 4, 2012 detailing scopes, roles and responsibilities.

A2LA Processes - Assessors Independent Peer ExpertsEach with over 10 years of experience

in fieldTrained to Conformity Assessment

Standard (e.g. ISO/IEC 17025 and/or ISO/IEC 17065)

Ongoing training and evaluations (staff, AC, CAB)

A2LA Transition to ISO/IEC 17065:2012

Following A2LA “R307 – Transition Memo to ISO/IEC 17065” Adheres to IAF three-year transition period – must be

completed no later than September 15, 2015 Following our 2 year reassessment cycle:

Began accepting 17065 applications March 31, 2013No longer accepting “new” applicants for Guide 65 Current CB’s must undergo assessment to 17065 If not assessed to 17065 by March 1, 2015, must

undergo on-site assessment by June 30, 2015All requests to expand to 17065 require on-site

assessment

Explanations

From ISO/IEC 17011:2004, section 4.6.2 Follow Q/A format - A2LA’s official “explanations” of the

requirements of the relevant conformity assessment standard.

It is expected that conformity assessment bodies will implement the requirements of the standard in accordance with the explanations listed. Otherwise, areas of non-conformance will be identified by the assessor during the on-site assessment.

https://www.a2la.org/faq/faqfinder17065.cfm https://www.a2la.org/faq/faqfinder170252005.cfm

Explanations

Questions typically received from CAB’s and Assessors, but are welcome from all stakeholders

Explanations are proposed to Technical Advisory Committee for review and approval

Explanations then reviewed and approved by A2LA management

Explanations finally reviewed and approved by Criteria Council

ISO/IEC 17065:2012 Explanations (4.1.2.1)

What is a “Legally Enforceable Agreement”, and will my assessor be responsible for determining its legality? Any signed or sign-able record between the certification body

and its client/customer Must meet the requirements of clause 4.1.2.2 Must take into account the responsibilities of the two parties in

that agreement Typically referred to as a “Contract” A2LA assessors will not be determining, nor can they be held

responsible for, the legality of the certification body / client agreements

ISO/IEC 17065:2012 Explanations (4.6.a)

Does my organization’s “Publicly Available Information” need to explicitly address each of the procedures called out in this clause if one or more are not applicable to our certification activities? Yes, the Certification Body must address each required

procedure under this clause, even if the certification activities being performed do not include those actions.

For example, an organization operating a certification scheme which does not allow for extensions or reductions to the scope of certification must have documented some statement to the effect of, “We do not offer any extensions or reductions to our certifications.”

Ensures clear understanding between CB, Clients, and Accreditation/Regulatory Bodies

ISO/IEC 17065:2012 Explanations (5.2.2.a) My organization has invited numerous possible stakeholders to be

part of our “Mechanism for Safeguarding Impartiality,” but all of those stakeholders have declined to participate. How can my organization show that we are maintaining the required balanced representation in light of this? Note 2 to clause 5.2.1 and Note 1 to clause 5.2.4 of ISO/IEC 17065

identify examples of mechanisms and potential invitees Notes should be examined prior to determining that all possible

avenues have been exhausted The certification body must demonstrate (e.g. records) that they have

identified and invited potentially interested parties, And that they have ensured that no single interest predominates (e.g.

certification body cannot hold more than 50% stake in this Mechanism) Up to the certification body to take additional suitable actions to

ensure that these balanced interest requirements are met

ISO/IEC 17065:2012 Explanations (6.2.1) What are the “applicable requirements” that Internal Resources must

meet in order for my organization to comply with this clause? Hierarchy:

(1) should be defined by the Certification Scheme; (2) If not defined in the scheme, the Certification Body should define

what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s);

(3) If the CB and/or Scheme do not define the “applicable requirements,” an A2LA assessor will assume that all requirements in the relevant International Standard(s) are applicable.

If an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect of conformity assessment such as measurement uncertainty calculations, that cannot be excluded when considering whether or not the resource meets the requirements of those standards.

ISO/IEC 17065:2012 Explanations (6.2.2.1) What are the “applicable requirements” that External Resources must

meet in order for my organization to comply with this clause? Hierarchy:

(1) should be defined by the Certification Scheme; (2) If not defined in the scheme, the Certification Body should define

what requirements are or are NOT applicable in their quality system, with justification on any omitted clauses of the relevant International Standard(s);

(3) If the CB and/or Scheme do not define the “applicable requirements,” an A2LA assessor will assume that all requirements in the relevant International Standard(s) are applicable.

If an Evaluation standard (testing / inspection method specified in the Certification Scheme) explicitly requires an aspect of conformity assessment such as measurement uncertainty calculations, that cannot be excluded when considering whether or not the resource meets the requirements of those standards.

ISO/IEC 17065:2012 Explanations (6.2.2.4) My Certification Body operates under a larger corporate umbrella, and we

send portions of our Evaluation work to another department in the corporation. Is this considered “outsourcing” the work to an outside body? Note 2 of clause 6.2.2.1: “Use of external personnel under contract is not

outsourcing.” Is a “contract” in place that covers cl. 6.1.3 requirements between the

department and the Certification Body? If so, this is NOT outsourcing. (This also answers the question, “Is the resource under the direct control of the

Certification Body?”– see clause 6.2.1) If the documentation linking the other department or its personnel to the

Certification Body does not meet the requirements called out under clause 6.1.3, or if the Certification Body cannot provide evidence that the additional requirements stated under clause 6.1.2 are met for the personnel in question, then the actions taken by the Certification Body are considered “Outsourcing,” and the Certification Body must demonstrate that it complies with the requirements related to Outsourced activities.

ISO/IEC 17065:2012 Explanations (7.3.2) A client has asked us to certify a new product which we have not

certified before, but this new product is somewhat similar to ones we have been certifying in the past. How do we determine whether or not we have “prior experience” with the new product we are being asked to certify? CB should compare the new product to old products by examining the

certification schemes (if different), the technologies, the required evaluation techniques/activities, and the technical knowledge of its own resources.

The NOTE under this clause gives excellent guidance to the CB If the certification body determines that the new product is sufficiently

similar, no records are needed The Certification Body may be asked to explain its rationale in determining

that the new product is of the same type as ones that were previously certified

If the assessor can justify that a certification was not “of the same type” as certifications previously granted, a deficiency may be written

ISO/IEC 17065:2012 Explanations (7.3.3) What type of records are required to justify our organization’s

competence and capability to perform a certification we have not performed before (such as called out in clause 7.3.2)? A2LA does not specify what form a record must take However, the records must show that an analysis was performed

(comparison of scheme requirements, competencies of its resources, verification that the CB is capable of performing the certification activities)

Records should be sufficiently detailed such that the assessor can reasonably reach the same conclusions as the CB

If insufficient information for undertaking the new certifications is presented, or evidence that the certifications were improperly granted, a deficiency may be cited

ISO/IEC 17065:2012 Explanations (7.12.3) The certification scheme operated by my organization requires that

we re-evaluate products on a four month cycle. Does the language in this clause mean that we only have to keep records for 8 months total, in order to meet the “current and previous” cycle requirement? Clause 8.4.2 - Certification Body’s procedures for record retention must be

consistent with any contractual and legal obligations. Those legal and contractual obligations would take precedence over the

shorter retention cycle given in the example above. Above and beyond any legal or scheme obligations for record retention,

A2LA requires that the accredited (or applicant) organization must keep copies of records for the entire time period between on-site assessments

Legal and scheme obligations may require longer retention periods, but under no circumstances may the Certification Body dispose of records in any shorter time period

ISO/IEC 17065:2012 Explanations (7.13.7) How should my organization demonstrate compliance to this clause if we

receive an anonymous complaint? It may not be possible for a certification body to give a formal notice of

complaint resolution to the complainant (e.g. complaint is received anonymously, complainant does not leave contact info, complainant changes contact information such as being dismissed from an employment position).

Possible evidence could include records of attempted emails with read receipts, phone logs, voicemails, certified postal mailings, or generalized resolution notices to alternate persons that are known to be related to the original complainant.

These examples are not intended to be all-inclusive, nor are they mandatory actions that must be undertaken by the Certification Body.

Ultimately, the Certification Body must show evidence that they have done reasonable due diligence in attempting to contact or locate the original complainant

In all cases, records of attempts to contact must be kept as required by clause 7.13.1.

ISO/IEC 17065:2012 Explanations (8.3.1) What does A2LA consider to be “External documents” that my

organization must control under our document control procedures? Current versions of the normative documents (e.g. test methods) that are

vital to maintaining their accreditation and to perform their certification activities.

These documents include ISO/IEC 17065:2012 General A2LA policy documents Any specific A2LA program requirement documents relating directly to their

field of accreditation

A2LA does not consider “terminology documents”, such as ISO/IEC 17000 and the VIM, to be normative documents that an organization must control within their system

Example on next slide

ISO/IEC 17065:2012 Explanations (8.3.1) Telecommunications Certification Bodies (TCB) would be expected to

possess (or have direct access to) and have under its document control system current versions of the following A2LA documents: R307 - General Requirements - Accreditation of ISO-IEC 17065 Product

Certification Bodies P101 - Rules for Making Reference to A2LA Accredited Status R102 - Conditions for Accreditation R308 - Specific Requirements - 17065 - Telecommunication

Certification Body Accreditation Program Furthermore, such a TCB would be expected to control copies of all test

methods (e.g. ANSI C63.4, FCC Rule Parts) called out in the schemes on their scope, as well as copies of the schemes themselves

ISO/IEC 17065:2012 Explanations (8.5.1.1) I am a Certification Body getting ready to apply for accreditation

to ISO/IEC 17065, do I have to perform a complete Management Review before I can become accredited? A2LA assessors will look for evidence during the on-site assessment

that a complete management review has been conducted in accordance with their documented procedure and pre-determined schedule (8.5.1.1).

If only a partial review has been conducted by the time of the on-site assessment, a deficiency will be cited and the full review must be completed before initial accreditation can be granted.

ISO/IEC 17065:2012 Explanations (8.6.1)

I am a Certification Body getting ready to apply for accreditation to ISO/IEC 17065, do I have to perform a complete Internal Audit before I can become accredited? A2LA assessors will look for evidence during the on-site assessment

that a complete internal audit has been conducted in accordance with their documented procedure (8.6.1) and pre-determined schedule (8.6.3).

If only a partial audit has been conducted by the time of the on-site assessment, a deficiency will be cited and the internal audit must be completed before initial accreditation is granted.

ISO/IEC 17065:2012 Explanations (8.6.1) My internal audit process consists of only completing the A2LA

C309 checklist – is this sufficient to demonstrate a complete internal audit? Not necessarily A CB must provide evidence that their internal audit consists of at least

the following: Determination of compliance with all ISO/IEC 17065 requirements Determination of compliance with all policies, procedures,

instructions, etc. that form its management system Review of all Certification Process steps (i.e. application,

evaluation, review, decision, certification documents, and surveillance, where applicable)

Determination of compliance with all relevant A2LA policies and requirements (e.g. “Ad Policy” / use of Accredited mark)

ISO/IEC 17065:2012 Explanations (8.6.1)

My Scope of Accreditation includes multiple product types under a larger scheme. Does my internal audit have to include every product type on my Scope? Review of records related to each Product Type on the organization’s

Scope of Accreditation must be included in their Internal Audit to ensure that the management system is being properly implemented across all certifications

The Internal Audit is considered incomplete if the organization fails to include each Product Type during its internal audit

ISO/IEC 17065:2012 Explanations (8.6.3) What does the standard mean when it says that my internal audit

shall “normally” be performed at least once every 12 months? Language of the standard states that the certification body may choose to

“Reduce or Restore” the frequency - A2LA currently does not permit a schedule which extends beyond the 12 month period specified by the standard (e.g. 8 month audit schedules are permitted, but not 16 months)

CB’s initial internal audit schedule can/should show that internal audits will be performed once in a 12 month period (or over a rolling 12 month period)

If more frequent audits are needed (feeling or evidence), do not hesitate to adjust the schedule accordingly

Any changes to the schedule (including restoring to the maximum 12 month time frame), as well as the rationale behind the decisions to change, must be documented and kept as a formal record

Changes must be supported by records that demonstrate ongoing stability and effectiveness of the management system

ISO/IEC 17065:2012 Explanations (8.6.4.d) What does the standard mean when it states that my

organization must ensure that any actions resulting from our internal audits are taken in a timely and appropriate manner?

A2LA cannot define what “timely and appropriate” means for its certification bodies. The intent of this clause is for the organization to take action as soon as they are able, in order to ensure that the organization’s quality system is running smoothly, and that the certifications being offered are not negatively impacted. An assessor may cite a deficiency if there is evidence that the quality system or offered certifications are being affected by lack of action on an internal audit finding. The certification body is still responsible for meeting all requirements related to corrective actions (section 8.7) and preventive actions (section 8.8) when acting upon their internal audit findings.

Proposed Explanations

From A2LA PCAC Meeting (April 4, 2014)Clause 4.3.1 – define what is “adequate” in terms

of insuranceClause 4.4 – pricing and discrimination (expedite

fees)Clause 7.6.4 – clarification of applicability to clause

7.6.3Clause 7.9.1 & 7.9.3 – scheduling and other details

of surveillance activities

Common TCB Assessment Deficiencies

ISO Guide 65:1996

012345678

4.1

4.2

4.3

4.4

4.5

4.6

4.7

4.8

4.9

4.10 5

5.1

5.2 6 7 8

8.1

8.2 9 10 11 12 13 14 15

FCC IC IDA HK JP

TCB QM

IAF

A2LA

2011

2012

2013

Common TCB Assessment Deficiencies

ISO/IEC 17065:2012

012345678

4.1

4.2

4.3

4.4

4.5

4.6

5.1

5.2

6.1

6.2

7.1

7.2

7.3

7.4

7.5

7.6

7.7

7.8

7.9

7.10

7.11

7.12

7.13 8.

18.

28.

38.

48.

58.

68.

78.

8

Sheme

A2LA

TCB QM

17065

Implementing FCC KDB Revisions (April 2014)

FCC KDB 668797 – TCB Checklist

FCC KDB 610077 – TCB Post Market Surveillance

FCC KDB 641163 – TCB Program Roles & Responsibilities

Questions?

Mike Buzard – Senior Accreditation Officer- Email: mbuzard@A2LA.org- Phone: 240 575 7484

Adam Gouker – Accreditation Manager- Email: agouker@A2LA.org- Phone: 301 644 3217