technical criteria for accreditation of management system

HKCAS 003:2015 Abridged Version

1

Hong Kong Accreditation Service July 2015

(Incorporating Amendment No. 1 : March 2018)

HKCAS 003: 2015

Technical Criteria for Accreditation of Management System Certification Bodies (ISO/IEC 17021-1:2015, Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements, MOD) Abridged Version (Requirements and notes of ISO/IEC 17021-1 are not included in this document. This document should be read in conjunction with ISO/IEC 17021-1:2015.)


2

Published by Innovation and Technology Commission The Government of

the Hong Kong Special Administrative Region

36/F., Immigration Tower, 7 Gloucester Road,

Wan Chai, Hong Kong.

The Government of the Hong Kong Special Administrative Region 2015

ISBN 978-988-14500-1-2

First Edition : July 2015


3

TABLE OF CONTENTS

Page

HKAS Introduction ............................................................................................................... 5

i Basis of HKCAS 003 Technical Criteria for Accreditation of Management System Certification Bodies - ISO/IEC 17021-1:2015 .................................. 7

ii Scope of Accreditation ................................................................................... 9

iii Accreditation Criteria .................................................................................. 10

Introduction ......................................................................................................................... 11

1 Scope .......................................................................................................................... 12

2 Normative references ................................................................................................. 12

3 Terms and definitions ................................................................................................. 12

4 Principles .................................................................................................................... 12

5 General requirements ................................................................................................. 12

6 Structural requirements .............................................................................................. 13

7 Resource requirements ............................................................................................... 13

8 Information requirements ........................................................................................... 13

9 Process requirements .................................................................................................. 14

10 Management system requirements for certification bodies ....................................... 14

Annex A (normative) Required knowledge and skills ........................................................ 15

Annex B (informative) Possible evaluation methods .......................................................... 16

Annex C (informative) Example of a process flow for determining and maintaining competence ................................................................................................................. 17

Annex D (informative) Desired personal behaviour ........................................................... 18

Annex E (informative) Audit and certification process....................................................... 19

Bibliography ........................................................................................................................ 20

Confidentiality ..................................................................................................................... 21

Annex AA (informative) HKAS Assessment Process of Management System Certification Bodies ................................................................................................... 22


4

Annex AB (informative) Variations to ISO/IEC 17021-1:2015 for HKCAS 003:2015 ...................................................................................................... 27


5

HKAS Introduction The Hong Kong Accreditation Service (HKAS) was set up in 1998 by the Government of the Hong Kong Special Administrative Region to provide accreditation service to the public. It was formed through the expansion of the Hong Kong Laboratory Accreditation Scheme (HOKLAS). HKAS now offers accreditation for laboratories, certification bodies, inspection bodies, proficiency testing providers, reference material producers, greenhouse gas validation and verification bodies. It may offer other accreditation services in the future when the need arises. The principal aims and objectives of HKAS are: • to upgrade the standard of operation of conformity assessment bodies; • to offer official recognition to competent conformity assessment bodies

which meet international standards; • to promote the acceptance of endorsed reports and certificates issued by

accredited conformity assessment bodies; • to conclude mutual recognition arrangements with other accreditation bodies;

and • to eliminate the need for repetition of conformity assessment in the importing

economies and thereby reducing costs and facilitating free trade across borders.

Endorsed report or certificate means a report or certificate bearing the

accreditation symbol of HKAS or its mutual recognition arrangement partners

The operating cost of HKAS is funded by the Government and is partly recovered by charging fees for services provided by HKAS. HKAS Executive is responsible for administering HKAS and its accreditation schemes. At present, there are three schemes: the Hong Kong Laboratory Accreditation Scheme (HOKLAS) for laboratories, proficiency testing providers and reference material producers, the Hong Kong Certification Body Accreditation Scheme (HKCAS) for certification bodies and greenhouse gas validation and verification bodies, and the Hong Kong Inspection Body Accreditation Scheme (HKIAS) for inspection bodies. All accreditation schemes of HKAS are operated in accordance with the requirements of the relevant international standard, i.e. ISO/IEC 17011 and other criteria set by relevant international and regional cooperations of accreditation bodies. Participation in the three schemes is voluntary.


6

Organisations applying for accreditation or those have been accredited under any of the three schemes are required to demonstrate that: • they are competent to perform the specific activities for which they are

applying for accreditation or have been accredited; • they have implemented an effective management system which complies

with the accreditation criteria of the relevant scheme; and • they comply with all the regulations in HKAS 002 - Regulations for HKAS

Accreditation. These regulations are the governing rules for the administration of the three schemes and contain the obligations of any organization which has applied for HKAS accreditation or has been accredited by HKAS.

The procedures for seeking HKCAS accreditation and for processing applications are detailed in Annex AA of this booklet. HKAS will grant accreditation for an activity to an organisation only when it meets the conditions given in clause 4.15 of HKAS 002 – ‘Regulations for HKAS Accreditation’.


7

i Basis of HKCAS 003 Technical Criteria for Accreditation of Management System Certification Bodies - ISO/IEC 17021-1:2015

This HKCAS 003 booklet serves as a domestic publication which is applicable to all management system certification bodies accredited by HKAS or sought HKAS accreditation. This booklet is the modified adoption of International Standard ISO/IEC 17021-1:2015, ‘Conformity assessment – Requirements for bodies providing audit and certification management systems – Part 1: Requirements’. The ISO/IEC 17021-1:2015 was jointly published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) and contains principles and requirements for the competence, consistency and impartiality of bodies providing audit and certification of all types of management systems. The title of this booklet varies from the ISO/IEC 17021-1:2015 and is entitled as ‘Technical Criteria for Accreditation of Management System Certification Bodies’. HKAS is responsible for this booklet. In Sections 1 to 10 of this booklet, the requirements and notes of ISO/IEC 17021-1:2015 are reproduced verbatim as the main text and relevant HKCAS policies are given in shaded boxes following the main text. Annexes A to E are also added following the original text of the ISO/IEC 17021-1:2015. The notes provide clarification of the requirements, examples and guidance. HKAS will consider that a management system certification body has met the requirements if it follows the guidance. HKCAS policies serve as additional explanation of the requirements of ISO/IEC 17021-1:2015 and shall be regarded as mandatory. The reference documents, if any, referred to in the HKCAS policy are given for information only. They are not part of the requirements unless explicitly stated as such. A complete list of modifications, together with their explanations, is given in Annex AB. The term ‘shall’ is used throughout this booklet to indicate those provisions which are mandatory. The term ‘should’ is used to indicate guidance which, although not mandatory, is provided by HKAS as a recognised means of meeting the requirements. This booklet sets out the general requirements which all HKAS accredited management system certification bodies shall meet. More detailed requirements specific to certain administrative aspects and technical disciplines are issued as individual HKAS and HKCAS Supplementary Criteria.


8

This booklet and other criteria documents set out the requirements to be met by a management system certification body but do not dictate how such requirements should be met. It is the responsibility of the certification body’s management to determine the best method to meet such requirements, the relative significance of individual activities to the overall quality of the certification body and the emphasis and resource that should be allocated to each of them. The certification body’s management may be required to demonstrate to the assessment team that the method it has selected is adequate in meeting the requirements stated in criteria documents. A list of HKAS and HKCAS Supplementary Criteria is available from the HKAS Executive and the HKAS website. This website also provides links to other websites which provide useful information on accreditation.


9

ii Scope of Accreditation HKAS accreditation of management system certification bodies is provided under the Hong Kong Certification Body Accreditation Scheme (HKCAS) and is open for voluntary application from any certification bodies offering a third-party management system certification service. Each management system certification body accredited under HKCAS will have specific management system certification for which it is accredited clearly given in its ‘scope of accreditation’. The HKAS Executive will define from time to time the specific certification activities which are available for accreditation under HKCAS. The management system certifications currently available for accreditation are:

Energy Management System Certification

Environmental Management System Certification

Food Safety Management System Certification

Information Security Management System Certification

Occupational Health and Safety Management System Certification

Quality Management System Certification

Residential Care Homes (Elderly Persons) Service Providers’ Management System Certification

Other management system certifications may be added when significant needs are identified. A certification body may apply to be accredited for one or more certification areas in specific management system certification and may seek to have its scope of accreditation extended or reduced as its needs change. Any expansion of its scope of accreditation will normally require a full assessment of the certification body’s competence to perform the additional certification. All accredited certification bodies are reassessed at regular intervals to ensure continuing conformity with HKCAS requirements at all times for all accredited activities. In addition, their performance is monitored closely through surveillance visits.


10

iii Accreditation Criteria Applicant certification bodies have to demonstrate conformity with the criteria in Sections 5 to 10 of this booklet, Annex A as well as the criteria in the relevant Supplementary Criteria, the regulations listed in HKAS 002, relevant IAF requirements as specified in Mandatory Documents / Resolutions and relevant PAC requirements as specified in Technical Documents / Resolutions before accreditation can be granted, and accredited certification bodies shall comply with the same criteria at all times for maintaining accreditation. Accredited and applicant certification bodies may also be required to demonstrate to HKAS Executive that they can perform competently all the activities proposed for accreditation. Additionally, they shall maintain complete integrity and impartiality in all circumstances.


11

Introduction (The main text of introduction is the text of the same introduction of ISO/IEC 17021-1:2015.)


12

1 Scope

(The main text of this clause is the text of the same clause of ISO/IEC 17021-1:2015.)

2 Normative references


3 Terms and definitions


4 Principles (The main text of this clause is the text of the same clause of

ISO/IEC 17021-1:2015.) 5 General requirements


5.1.C HKCAS Policy on Legal and contractual matters

It is the responsibility of the certification body to carry out its work in accordance with the applicable Laws and Regulations of Hong Kong, or of the country where the certification activity is carried out. It should be emphasized that assessment of the certification body’s compliance with the relevant regulatory requirements is outside the scope of HKAS accreditation schemes. An accredited certification body shall have enforceable arrangements with each organization holding a HKCAS accredited certificate which commit it to allow, on request, HKAS assessment teams to witness the certification body’s audit teams performing audits, including access to its premises for doing so.


13

6 Structural requirements (The main text of this clause is the text of the same clause of

ISO/IEC 17021-1:2015.) 7 Resource requirements


7.5.C HKCAS Policy on Outsourcing If an accredited certification body intends to subcontract any part of its activities for which it is accredited, the certification body shall ensure that the subcontracted certification body is competent to perform the activities. A certification body accredited for performing the activities by HKAS or an accreditation body which has concluded a multilateral recognition arrangement with HKAS is one of the means to demonstrate its competence. A list of such accreditation bodies is obtainable from HKAS Executive. The certification body shall notify the client in writing of its intention to subcontract the activities, the extent of such subcontract and the name of the subcontractor. The certification body shall further ensure that its client agrees to such arrangement and shall keep all records of such subcontracted activities.

8 Information requirements (The main text of this clause is the text of the same clause of

ISO/IEC 17021-1:2015.)


14

9 Process requirements


9.9.C HKCAS Policy on Records of applicants and clients An applicant or accredited certification body shall keep all certification records and certification documents for at least 3 years after the expiry of the certificate of conformity or termination/withdrawal of certification, or for the minimum period defined by the regulatory authority. An accredited certification body shall keep an up-to-date list of countries in which the certification body has issued certificates under HKAS accreditation. The list shall be provided to HKAS Executive.

Where records are stored, retrieved, transmitted or processed electronically, an applicant or accredited certification body shall establish and implement procedures to ensure the integrity and confidentiality of the records. When an accredited certification body performs activities having significantly impact on audit and certification results in its branch offices, relevant certification records shall be available at such branch offices within a reasonable time of making the request for such records.

10 Management system requirements for certification bodies



15

Annex A (normative)

Required knowledge and skills

(The main text of this annex is the text of the same annex of

ISO/IEC 17021-1:2015.)


16

Annex B (informative)

Possible evaluation methods


ISO/IEC 17021-1:2015.)


17

Annex C

(informative)

Example of a process flow for determining and maintaining competence

(The main text of this annex is the text of the same annex of ISO/IEC 17021-1:2015.)


18

Annex D (informative)

Desired personal behaviour


ISO/IEC 17021-1:2015.)


19

Annex E

(informative)

Audit and certification process

(The main text of this annex is the text of the same annex of ISO/IEC 17021-1:2015.)


20

Bibliography

(The references listed under this section are the same as those listed in ISO/IEC 17021-1:2015.)


21

Confidentiality HKAS Executive will keep confidential all information provided by an organisation in relation to preliminary enquiries or to an application for accreditation and all information obtained in connection with an assessment of an organisation, such that only personnel who require the information for the assessment will have access to such information. Such personnel will include HKAS Executive and staff, assessors involved in the assessment and members of AAB (except where a conflict of interest arises). Without written consent of the organisation, HKAS Executive will not disclose confidential information of an applicant or accredited organisation outside HKAS Executive except as allowed in HKAS 002 Regulations for HKAS Accreditation. However, an organisation shall note that it may be necessary to pass the HKAS’s files, including any information in relation to it to persons responsible for evaluating the performance of HKAS under a mutual recognition arrangement which HKAS has concluded or intended to conclude with other accreditation bodies. HKAS will notify those persons the confidential nature of the information. Where the law requires any information to be disclosed to a third party, HKAS will, where possible and permitted by the law, inform the organisation concerned. Furthermore, HKAS will comply with the provisions under the Personal Data (Privacy) Ordinance (Cap. 486) and the rules under the Code on Access to Information of the Government.


22

Annex AA (informative)

HKAS Assessment Process of Management System Certification Bodies

AA.1 The purpose of a HKAS assessment is to determine whether the applicant

certification body has the competence required to evaluate the adequacy of an applicant organisation in meeting the requirements of the relevant management systems included in its proposed scope of accreditation, including conformity of its certification service with the standards, specifications and other normative requirements.

AA.2 To apply for accreditation, a certification body shall complete an application form HKCAS 005 and provide the details of its organisation and certification service to be accredited using the applicable HKCAS questionnaire. The form and questionnaires are obtainable from HKAS Executive and HKAS website. All supporting documents, including the quality manual, documents of the certification programme as required in the HKCAS questionnaire, and the appropriate application fee shall be provided together with the completed HKCAS 005 and HKCAS application questionnaire to HKAS Executive.

AA.3 Upon receipt of an application, HKAS Executive will review whether it can be

accepted. HKAS Executive may ask for more information or documents before determining whether the application is acceptable. If the application cannot be accepted, HKAS Executive will inform the applicant certification body of the reason in writing. In general, an application cannot be accepted if it is incomplete, the application fee has not been provided or if HKAS does not provide the required accreditation service.

Preliminary visit AA.4 After accepting an application from an applicant certification body which has

not been accredited previously under HKCAS, HKAS Executive will conduct a preliminary visit at a mutually acceptable time to the office of the applicant certification body to answer any questions relating to accreditation requirements. This visit will usually last for not more than one day.


23

Initial assessment AA.5 Assessments are conducted by HKAS assessment teams. An HKAS

assessment team usually consists of a team leader and where necessary, technical assessors and/or technical experts.

AA.6 The assessment team will visit the office of the applicant certification body,

arrange on-site witnessing for its audit activities and where necessary, interview with auditors. Other appropriate assessment methods may also be used to ensure the competence of applicant certification body in operating the certification service to be accredited at the discretion of HKAS Executive. The assessment team may select initial certification audits including both stage 1 and 2 audits, surveillance or recertification audit for witnessing.

AA.7 The assessment team will also visit branch offices where key activities are

performed. Depending on the complexity of the certification service and the structure of the applicant certification body, an assessment will involve multiple visits to different locations on different dates. The detailed assessment schedule is to be agreed between the applicant certification body and HKAS Executive.

AA.8 Personnel involved in the certification process, for examples, those carrying out

contract reviews, those conducting audits and those making certification decisions, should be available for interview by the HKAS assessment team. Where necessary, HKAS Executive would notify the certification body for interview arrangement in advance.

AA.9 The applicant certification body will be required to provide solid evidence to

demonstrate that it has the necessary technical expertise to adequately evaluate the capability of its applicant organisation.

AA.10 In addition to administrative and management aspects, all technical aspects will

be assessed, including but not limited to the following: (a) contract reviews/preparations for certification audit carried out by the

applicant certification body; (b) the technical management processes and competence criteria of personnel

involved in all stages of certification audit; (c) the arrangements to ensure the integrity of audits and surveillance activities; (d) the analysis to determine the competence criteria of personnel; (e) the records of personnel training, qualifications and experience; (f) the certification decision-making process; and (g) the quality assurance procedures for the above activities.

AA.11 Emphasis will be given to assess whether the certification service is effective in

providing the required assurance to the quality of the certified organisation.


24

AA.12 Upon completion of an initial assessment, HKAS Executive will provide an outcome letter detailing the findings of the assessment to the authorised representative of the applicant certification body.

AA.13 All nonconformities raised in the report of the HKAS assessment team shall be

graded as specified in HKAS SC-02.

AA.14 An applicant certification body shall report the actions it has taken to rectify any nonconformity in writing together with supporting evidence to HKAS Executive within six months of the initial assessment. In general, when the nonconformities have been rectified to the satisfaction of the HKAS Executive in accordance with HKAS SC-02, accreditation will be granted to the applicant certification body.

AA.15 Upon granting of the accreditation to a certification body for a certification

system, HKAS Executive shall issue to it a certificate of HKCAS accreditation for such certification service.

Surveillance Visit AA.16 After accreditation has been granted, HKAS Executive will normally conduct

surveillance visits to an accredited certification body routinely every six months. HKAS Executive has discretion to vary the period for surveillance visit as it sees fit. Similar to an initial assessment, a surveillance visit is performed by an HKAS assessment team. Surveillance visit for different types of accredited certification services may be combined.

AA.17 The procedures for a surveillance visit are similar to an initial assessment but only selected aspects of the accredited certification system will be examined and the size of the assessment team and the duration of the visit will usually be smaller and shorter. Emphasis will be given to how effective the accredited certification service has been operating, any significant changes to the accredited certification body, particularly changes in personnel, and its accredited certification service. The aspects of operation to be examined will be selected by the assessment team. Priority will be given to the aspects which were not assessed in the last visit. The objective is to ensure that all aspects of the certification operation are covered in an assessment cycle.

AA.18 Upon completion of a surveillance visit, the HKAS Executive will provide an

outcome letter detailing the findings of the assessment to the authorised representative of the accredited certification body. The content of the report is similar to that of an initial assessment, but only the aspects examined will be covered.


25

AA.19 To maintain accreditation, an accredited certification body shall rectify all non-conformities to the satisfaction of the HKAS Executive in accordance with HKAS SC-02.

AA.20 Depending on the findings of the surveillance visit, HKAS Executive may

suspend / terminate the accreditation of relevant certification systems in accordance with the provisions in Chapter 6 of HKAS 002. An accredited certification body which has its accreditation suspended / terminated shall follow the procedure detailed in Chapter 6 of HKAS 002.

Reassessment AA.21 HKAS Executive will conduct a reassessment for an accredited certification

body normally every three years. The reassessment will usually cover all aspects in the accredited certification service. HKAS Executive has discretion to vary the period for reassessment as it sees fit. The reassessment interval may be shortened to meet the requirements of a regulatory authority. The procedures and coverage of a reassessment are similar to those of an initial assessment. Changes to the certification body, its accredited certification system, and the effectiveness of corrective actions taken against the findings of previous assessments and surveillance visits will also be reviewed. Reassessments for different accredited certification services may be combined.

AA.22 If a particular area in the accredited certification service has not been used by

the certification body for a long time, the accredited certification body will be required to provide additional evidence to demonstrate that it still retains the necessary competence.

AA.23 Upon completion of reassessment, the HKAS Executive will provide an outcome

letter detailing the findings of the assessment to the authorised representative of the accredited certification body. The content of the report is similar to that of an initial assessment.

AA.24 To maintain accreditation, an accredited certification body shall rectify all

nonconformities to the satisfaction of the HKAS Executive in accordance with HKAS SC-02.

AA.25 Depending on the findings of the reassessment visit, HKAS Executive may

suspend / terminate the accreditation of relevant certification services in accordance with the provisions in Chapter 6 of HKAS 002. An accredited certification body which has its accreditation suspended / terminated shall follow the procedure detailed in Chapter 6 of HKAS 002.


26

Extension of scope of accreditation AA.26 When an accredited certification body wants to have its scope of accreditation

extended to cover new certifications, it shall submit HKCAS 005 and applicable HKCAS questionnaire, together with the relevant documents and the required application fee to HKAS Executive for processing.

AA.27 HKAS Executive will assess the application for extension using an assessment team. The assessment will focus on the extension and will be conducted similar to an initial assessment. An assessment for extension may be combined with a reassessment or a surveillance visit.


27

Annex AB (informative)

Variations to ISO/IEC 17021-1:2015 for HKCAS 003:2015

This Annex lists out all variations of this booklet to ISO/IEC 17021-1:2015 as followings:

Clause Modifications

Foreword Replaced by ‘HKAS Introduction’ and i, ii and iii under ‘HKAS Introduction’

5 General requirements Add 5.1.C ‘HKCAS Policy on Legal Contract Matters’

7 Resource requirements

Add 7.5.C ‘HKCAS Policy on Outsourcing’

9 Process requirements Add 9.9.C ‘HKCAS Policy on Records of applicants and clients’

-- Add Annex AA ‘HKAS Assessment Process of Management System Certification Bodies’

-- Add Annex AB ‘Variations to ISO/IEC 17021-1:2015 for HKCAS 003:2015’

Explanation:

- HKCAS policies added serve as additional explanation of the requirements ofISO/IEC 17021-1:2015 and shall be regarded as mandatory under the Hong KongCertification Body Accreditation Scheme (HKCAS).

- Annexes AA shall be regarded as mandatory under the Hong Kong CertificationBody Accreditation Scheme (HKCAS).

- Annex AB is an informative annex listing out all variations of this booklet toISO/IEC 17021-1:2015.