technical criteria for accreditation of management system ...system certification bodies - iso/iec...

Hong Kong Accreditation Service August 2013

(Incorporating Amendment No. 1 : March 2015)

HKCAS 003 (Second Edition)

Technical Criteria for Accreditation of Management System Certification Bodies Abridged Version (Requirements and notes of ISO/IEC 17021 are not included in this document. This document should be read in conjunction with ISO/IEC 17021:2011.)

Published by Innovation and Technology Commission The Government of

the Hong Kong Special Administrative Region

36/F., Immigration Tower, 7 Gloucester Road,

Wan Chai, Hong Kong.

The Government of the Hong Kong Special Administrative Region 2013

ISBN 978-988-18955-8-5

First Edition : October 1998 Second Edition : August 2013

TABLE OF CONTENTS

Page

1 Introduction .................................................................................................................. 4

1.1 Basis of HKCAS 003 Technical Criteria for Accreditation of Management System Certification Bodies - ISO/IEC 17021:2011 ..................................... 6

1.2 Scope of Accreditation ................................................................................... 8

1.3 Accreditation Criteria ..................................................................................... 9

2 Normative references ................................................................................................. 10

3 Terms and definitions ................................................................................................. 10

4 Principles .................................................................................................................... 10

5 General requirements ................................................................................................. 10

6 Structural requirements .............................................................................................. 10

7 Resource requirements ............................................................................................... 11

8 Information requirements ........................................................................................... 11

9 Process requirements .................................................................................................. 11

10 Management system requirements for certification bodies ........................................ 12

Annex A (normative) Required knowledge and skills ........................................................ 13

Annex B (informative) Possible evaluation methods .......................................................... 14

Annex C (informative) Example of a process flow for determining and maintaining competence ................................................................................................................. 15

Annex D (informative) Desired personal behaviours .......................................................... 16

Annex E (informative) Third-party audit and certification process .................................... 17

Annex F (informative) Considerations for the audit programme, scope or plan ................. 18

Annex G (informative) HKAS Assessment Process of Management System Certification Bodies ......................................................................................................................... 19

Bibliography ........................................................................................................................ 25

1 Introduction The Hong Kong Accreditation Service (HKAS) was set up in 1998 by the Government of the Hong Kong Special Administrative Region to provide accreditation service to the public. It was formed through the expansion of the Hong Kong Laboratory Accreditation Scheme (HOKLAS). HKAS now offers accreditation for laboratories, proficiency testing providers, reference material producers, certification bodies, GHG validation or verification bodies and inspection bodies. It may offer other accreditation services in the future when the need arises. The principal aims and objectives of HKAS are :- • to upgrade the standard of operation of laboratories, proficiency testing

providers, reference material producers, certification bodies, GHG validation or verification bodies and inspection bodies;

• to offer official recognition to competent laboratories, proficiency testing providers, reference material producers, certification bodies, GHG validation or verification bodies and inspection bodies which meet international standards;

• to promote the acceptance of data, results, reports and certificates obtained by accredited laboratories, proficiency testing providers, reference material producers, certification bodies, GHG validation or verification bodies and inspection bodies;

• to establish mutual recognition agreements with overseas accreditation bodies;

• to eliminate the need for repetition of testing, calibration, certification and inspection in the importing economies and thereby reducing costs and facilitating free trade across borders.

The operating cost of HKAS is funded by the Government and is partly recovered by charging fees for services provided by HKAS. HKAS Executive is responsible for administering HKAS and its accreditation schemes. At present, there are three schemes: the Hong Kong Laboratory Accreditation Scheme (HOKLAS) for laboratories, proficiency testing providers and reference material producers, the Hong Kong Certification Body Accreditation Scheme (HKCAS) for certification bodies and GHG validation or verification bodies, and the Hong Kong Inspection Body Accreditation Scheme (HKIAS) for inspection bodies. All accreditation schemes of HKAS are operated in accordance with the requirements of the relevant international standard, i.e. ISO/IEC 17011 and other criteria set by relevant international and regional cooperations of accreditation bodies. Participation in the three schemes is voluntary.

4

Organisations applying for accreditation or those accredited organisations under any of the three schemes are required to demonstrate that:- • they are competent to perform the specific activities for which they are

applying for accreditation or have been accredited; • they have implemented an effective quality system which complies with the

accreditation criteria of the relevant scheme; and • they comply with all the regulations in HKAS 002 - Regulations for HKAS

Accreditation. These regulations are the governing rules for the administration of the three schemes and contain the obligations of any organisation which has applied for HKAS accreditation or has been accredited by HKAS.

The procedures for seeking HKCAS accreditation and for processing applications are detailed in Annex G of this booklet. HKAS will grant accreditation for an activity to an organisation only when it meets the conditions given in clause 4.15 of HKAS 002 – “Regulations for HKAS Accreditation”.

5

1.1 Basis of HKCAS 003 Technical Criteria for Accreditation of Management System Certification Bodies - ISO/IEC 17021:2011

This technical criteria booklet is applicable to all types of management systems certification bodies. The requirements stated in this booklet are based on the International Standard, ISO/IEC 17021:2011 – “Conformity assessment – Requirements for bodies providing audit and certification of management systems”. This International Standard was jointly published by International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC). This International Standard specifies requirements for certification bodies. Observance of these requirements is intended to ensure that certification bodies operate management system certification in a competent, consistent and impartial manner, thereby facilitating the recognition of such bodies and the acceptance of their certifications on a national and international basis. This International Standard serves as a foundation for facilitating the recognition of management system certification in the interests of international trade. This International Standard provides a set of requirements for management systems auditing at a generic level, aimed at providing a reliable determination of conformity to the applicable requirements for certification, conducted by a competent audit team, with adequate resources and following a consistent process, with the results reported in a consistent manner. This International Standard is intended for use by bodies that carry out audit and certification of management systems. It gives generic requirements for such certification bodies performing audit and certification in the field of quality, environmental and other forms of management systems. It is recognized that some of the requirements, and in particular those related to auditor competence, can be supplemented with additional criteria in order to achieve the expectations of the interested parties. In Sections 2 to 10 of this booklet, the requirements and notes of ISO/IEC 17021:2011 are reproduced verbatim as the main text and relevant HKCAS policies are given in shaded boxes following the main text. The notes provide clarification of the requirements, examples and guidance. HKCAS will consider that a certification body has met the requirements if it follows the guidance. HKCAS policies serve as additional explanation of the requirements of ISO/IEC 17021:2011 and shall be regarded as mandatory. The use of an international standard for recognising competence has led to increased confidence in certification bodies and facilitated the acceptance of certifications by authorities around the world. In this respect, HKAS has established multilateral recognition arrangement (MLA) with other accreditation bodies. Signatories to the MLA recognise the equivalence of one another’s accreditation and accept certificates issued by their accredited certification bodies. As at July 2013, HKAS has concluded management system certification MLA with 52 accreditation bodies in 52 economies. A list of HKAS MLA partners, and their contact information, is available from the HKAS website at

6

http://www.itc.gov.hk/hkas. This booklet sets out the general requirements which all HKCAS accredited management system certification bodies shall meet. More detailed requirements specific to certain administrative aspects and technical disciplines are issued as individual HKAS and HKCAS Supplementary Criteria. This and other criteria documents set out the requirements to be met by a certification body but do not dictate how such requirements should be met. It is the responsibility of the certification body management to determine the best method to meet such requirements, the relative significance of individual activities to the overall quality of the certification body and the emphasis and resource that should be allocated to each of them. The certification body management may be required to demonstrate to the assessment team that the method it has selected is adequate in meeting the requirements stated in criteria documents. A list of HKAS and HKCAS Supplementary Criteria is available from the HKAS Executive and the HKAS website. This website also provides links to other websites which provide useful information on accreditation and certification body operation.

7

1.2 Scope of Accreditation Each management system certification body accredited under HKCAS will have the specific management system certifications for which it is accredited clearly given in its “scope of accreditation”. The HKAS Executive will define from time to time the specific management system certifications which are available for accreditation under HKCAS. The management system certifications currently available for accreditation are:

Energy Management System Certification to ISO 50001

Environmental Management System Certification to ISO 14001

Food Safety Management System Certification to ISO 22000 Information Security Management System Certification to ISO 27001

Occupational Health and Safety Management System Certification to

OHSAS 18001

Quality Management System Certification to ISO 9001 Residential Care Homes (Elderly Persons) Service Providers’ Management

System Certification Other management system certifications may be added when significant needs are identified. A certification body may apply to be accredited for one or more certification areas in specific management system certification and may seek to have its scope of accreditation extended or reduced as its needs change. Any expansion of an accreditation will normally require a full assessment of the certification body’s competence to perform the additional certification. All accredited certification bodies are reassessed at regular intervals to ensure continuing conformity with HKCAS requirements at all times for all accredited activities. In addition, their performance is monitored closely through surveillance visits.

8

1.3 Accreditation Criteria Applicant certification bodies have to demonstrate conformity with the criteria in Sections 5 to 10, Annex A, the criteria in the relevant IAF Mandatory Documents, the criteria in the relevant HKAS and HKCAS Supplementary Criteria, and the regulations listed in HKAS 002 before accreditation can be granted, and accredited certification bodies shall comply with the same criteria at all times for maintaining accreditation. Accredited and applicant certification bodies may also be required to demonstrate to HKAS Executive that they can perform competently all the activities proposed for accreditation. Additionally, they shall maintain complete integrity and impartiality in all circumstances.

9

2 Normative references

(The main text of this clause is the text of the same clause of ISO/IEC 17021:2011.)

3 Terms and definitions


4 Principles


5 General requirements


5.1.C HKCAS Policy on Legal and contractual matters

It is the responsibility of the certification body to carry out its work in accordance with the applicable Laws and Regulations of Hong Kong, or of the country where the certification activity is carried out. It should be emphasized that assessment of the certification body’s compliance with the relevant regulatory requirements is outside the scope of HKAS accreditation schemes. An accredited certification body shall have enforceable arrangements with each organisation holding a HKCAS accredited certificate which commit it to allow, on request, HKAS assessment teams to witness the certification body’s audit teams performing audits, including access to its premises for doing so. 6 Structural requirements


10

7 Resource requirements


7.5.C HKCAS Policy on Outsourcing If an accredited certification body intends to subcontract any part of its activities for which it is accredited, the certification body shall ensure that the subcontracted certification body is competent to perform the activities. A certification body accredited for performing the activities by HKAS or an accreditation body which has concluded a multilateral recognition arrangement with HKAS is one of the means to demonstrate its competence. A list of such accreditation bodies is obtainable from HKAS Executive. The certification body shall notify the client in writing of its intention to subcontract the activities, the extent of such subcontract and the name of the subcontractor. The certification body shall further ensure that its client agrees to such arrangement and shall keep all records of such subcontracted activities.

8 Information requirements


9 Process requirements


9.9.C HKCAS Policy on Records of applicants and clients An applicant or accredited certification body shall keep all certification records and certification documents for at least 3 years after the expiry of the certificate of conformity or termination/withdrawal of certification, or for the minimum period defined by the regulatory authority. An accredited certification body shall keep an up-to-date list of countries in which the certification body has issued certificates under HKAS accreditation. The list shall be provided to HKAS Executive.

Where records are stored, retrieved, transmitted or processed electronically, an applicant or accredited certification body shall establish and implement procedures to ensure the integrity and confidentiality of the records. When an accredited certification body performs activities having significantly impact on audit and certification results in its branch offices, relevant certification records shall be available at such branch offices within a reasonable time of making the request for such records.

11

10 Management system requirements for certification bodies


12

Annex A (normative)

Required knowledge and skills

(The main text of this annex is the text of the same annex of ISO/IEC 17021:2011.)

13

Annex B (informative)

Possible evaluation methods


14

Annex C (informative)

Example of a process flow for determining and maintaining competence


15

Annex D (informative)

Desired personal behaviours


16

Annex E (informative)

Third-party audit and certification process


17

Annex F

(informative)

Considerations for the audit programme, scope or plan


18

Annex G (informative)

HKAS Assessment Process of Management System Certification Bodies

G.1 The purpose of a HKAS assessment is to determine whether the subject

certification body has the competence required to evaluate the adequacy of an applicant organisation in meeting the requirements of the relevant management systems included in its proposed scope of accreditation, including conformity of its certification system with the standards, specifications and other normative requirements.

G.2 To apply for accreditation, a certification body shall complete an application form HKCAS 005 and provide the details of its organisation and certification system to be accredited using the applicable HKCAS questionnaire. The form and questionnaires are obtainable from the office of HKAS Executive and have been uploaded to the HKAS website. All supporting documents, including the quality manual, documents of the certification programme as required in the HKCAS questionnaire, and the appropriate application fee shall be provided together with the completed HKCAS 005 and HKCAS application questionnaire to HKAS Executive.

G.3 Upon receipt of an application, HKAS Executive will review whether it can be

accepted. HKAS Executive may ask for more information or documents before determining whether it is acceptable. If the application cannot be accepted, HKAS Executive will inform the applicant certification body of the reason in writing. In general, an application cannot be accepted if it is incomplete, the application fee has not been provided or if HKAS does not provide the required accreditation service.

Pre-assessment visit G.4 After accepting an application from an applicant certification body which has not

been accredited previously under HKCAS, HKAS Executive will conduct a pre-assessment visit at a mutually acceptable time to the office of the applicant certification body to advise it on accreditation requirements. This visit will usually last for not more than one day.

19

Initial assessment G.5 Assessments are conducted by HKAS assessment teams. A HKAS assessment

team usually consists of a team leader and where necessary, technical assessors and/or technical experts.

G.6 The assessment team will visit the office of the applicant certification body,

arrange on-site witnessing for its audit activities and where necessary, interview with auditors. Other appropriate assessment methods may also be used to ensure the competence of applicant certification body in operating the certification system to be accredited at the discretion of HKAS Executive. The assessment team may select initial certification audits including both stage 1 and 2 audits, surveillance or recertification audit for witnessing.

G.7 The assessment team will also visit branch offices where key activities are

performed. Depending on the complexity of the certification system and the structure of the applicant certification body, an assessment will involve multiple visits to different locations on different dates. The detailed assessment schedule is to be agreed between the applicant certification body and HKAS Executive.

G.8 Personnel involved in the certification process to be assessed, for examples,

those carrying out contract reviews, those conducting audits and those making certification decisions, should be available for interview by the HKAS assessment team. Where necessary, HKAS Executive would notify the certification body being assessed for interview arrangement in advance.

G.9 The applicant certification body will be required to provide solid evidence to

demonstrate that it has the necessary technical expertise to adequately evaluate the capability of its applicant organisation.

G.10 In addition to administrative and management aspects, all technical aspects will

be assessed, including but not limited to the following: (a) contract reviews/preparations for certification audit carried out by the

applicant certification body; (b) the technical management processes and competence criteria of personnel

involved in all stages of certification audit; (c) the arrangements to ensure the integrity of audits and surveillance activities; (d) the analysis to determine the competence criteria of personnel; (e) the records of personnel training, qualifications and experience;

20

(f) the certification decision-making process; and (g) the quality assurance procedures for the above activities.

G.11 Emphasis will be given to assess whether the certification system is effective in

providing the required assurance to the quality of the certified organisation.

G.12 Upon completion of an initial assessment, the HKAS Executive will provide an outcome letter detailing the findings of the assessment to the authorised representative of the applicant certification body.

G.13 All non-conformities raised in the report of the HKAS assessment team shall be

graded as specified in HKAS SC-02.

G.14 An applicant certification body shall report the actions it has taken to rectify any non-conformity in writing together with supporting evidence to HKAS Executive within six months of the initial assessment. In general, when the non-conformities have been rectified to the satisfaction of the HKAS Executive in accordance with HKAS SC-02, accreditation will be granted to the applicant certification body.

G.15 Upon granting of the accreditation to a certification body for a certification

system, HKAS Executive shall issue to it a certificate of HKCAS accreditation for such certification system.

Surveillance Visit G.16 After accreditation has been granted, HKAS Executive will normally conduct

surveillance visits to an accredited certification body routinely every six months. HKAS Executive has discretion to vary the period for surveillance visit as it sees fit. Similar to an initial assessment, a surveillance visit is performed by a HKAS assessment team. Surveillance visit for different types of accredited certification systems may be combined.

G.17 The procedures for a surveillance visit are similar to an initial assessment but only selected aspects of the accredited certification system will be examined and the size of the assessment team and the duration of the visit will usually be smaller and shorter. Emphasis will be given to how effective the accredited certification system has been operating, any significant changes to the accredited certification body, particularly changes in personnel, and its accredited certification system. The aspects of operation to be examined will be selected

21

by the assessment team. Priority will be given to the aspects which were not assessed in the last visit. The objective is to ensure that all aspects of the certification operation are covered in an assessment cycle.

G.18 Upon completion of a surveillance visit, the HKAS Executive will provide an

outcome letter detailing the findings of the assessment to the authorised representative of the accredited certification body. The content of the report is similar to that of an initial assessment, but only the aspects examined will be covered.

G.19 To maintain accreditation, an accredited certification body shall rectify all

non-conformities to the satisfaction of the HKAS Executive in accordance with HKAS SC-02.

G.20 Depending on the findings of the surveillance visit, HKAS Executive may

suspend the accreditation of relevant certification systems in accordance with the provisions in Chapter 6 of HKAS 002. An accredited certification body which has its accreditation suspended shall follow the procedure detailed in Chapter 6 of HKAS 002.

Reassessment G.21 HKAS Executive will conduct a reassessment for an accredited certification

body normally every three years. The reassessment will usually cover all aspects in the accredited certification system. HKAS Executive has discretion to vary the period for reassessment as it sees fit. The reassessment interval may be shortened to meet the requirements of a regulatory authority. The procedures and coverage of a reassessment are similar to those of an initial assessment. Changes to the certification body, its accredited certification system, and the effectiveness of corrective actions taken against the findings of previous assessments and surveillance visits will also be reviewed. Reassessments for different accredited certification systems may be combined.

G.22 If a particular area in the accredited certification system has not been used by the

certification body for a long time, the accredited certification body will be required to provide additional evidence to demonstrate that it still retains the necessary competence.

22

G.23 Upon completion of reassessment, the HKAS Executive will provide an outcome letter detailing the findings of the assessment to the authorised representative of the accredited certification body. The content of the report is similar to that of an initial assessment.

G.24 To maintain accreditation, an accredited certification body shall rectify all

non-conformities to the satisfaction of the HKAS Executive in accordance with HKAS SC-02.

G.25 Depending on the findings of the reassessment visit, HKAS Executive may

suspend the accreditation of relevant certification systems in accordance with the provisions in Chapter 6 of HKAS 002. An accredited certification body which has its accreditation suspended shall follow the procedure detailed in Chapter 6 of HKAS 002.

Extension of scope of accreditation G.26 When an accredited certification body wants to have its scope of accreditation

extended to cover new certifications, it shall submit HKCAS 005 and applicable HKCAS questionnaire, together with the relevant documents and the required application fee to HKAS Executive for processing.

G.27 HKAS Executive will assess the application for extension using an assessment team. The assessment will focus on the extension and will be conducted similar to an initial assessment. An assessment for extension may be combined with a reassessment or a surveillance visit.

23

0BCONFIDENTIALITY

1BHKAS Executive will keep confidential all information provided by an organisation in relation to preliminary enquiries or to an application for accreditation and all information obtained in connection with an assessment of an organisation, such that only personnel who require the information for the assessment will have access to such information. Such personnel will include HKAS Executive and staff, assessors involved in the assessment and members of AAB (except where a conflict of interest arises). Without written consent of the organisation, HKAS Executive will not disclose confidential information of an applicant or accredited organisation outside HKAS Executive except as allowed in HKAS 002 Regulations for HKAS Accreditation. However, an organisation shall note that it may be necessary to pass the HKAS’s files, including any information in relation to it to persons responsible for evaluating the performance of HKAS under a mutual recognition arrangement/agreement which HKAS has concluded or intended to conclude with other accreditation bodies. HKAS will notify those persons the confidential nature of the information. Where the law requires any information to be disclosed to a third party, HKAS will, where possible and permitted by the law, inform the organisation concerned. Furthermore, HKAS will comply with the provisions under the Personal Data (Privacy) Ordinance (Cap. 486) and the rules under the Code on Access to Information of the Government.

24

Bibliography

(The references listed under this section are the same as those listed in ISO/IEC 17021:2011.)

25