Monday, March 6, 2017

Certification of Quality Management System (Against International Standards)



1.  QUALITY MANAGEMENT SYSTEM
A Management System (MS) is a set of policies, processes and procedures required for the planning and execution of products and services in the core business area of the organization. The business activities may include manufacture (production), design and development, or the provision of any service to the customer. The organisation may be involved in any one or all of the above activities. The main aim of a Quality Management System (QMS) is to impact the organization's ability to meet customer requirements.
Some of the common types of Management System are Environmental Management system (EMS), Information security Management System (ISMS) and Quality Management System (QMS).

2.  STANDARDS

A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

2.1   National Standards
Standards published by a national body for use within a country are national standards. The Bureau of Indian Standards (BIS) is the national standards body of India, working under the aegis of the Ministry of Consumer Affairs, Food & Public Distribution, Government of India. It is established by the Bureau of Indian Standards Act, 1986, which came into effect on 23 December 1986. The organisation was formerly the Indian Standards Institution (ISI), set up under the Resolution of the then Department of Industries and Supplies No. 1 Std.(4)/45, dated 3 September 1946. BIS is responsible for issuing national standards (e.g. IS 456: 2005: Indian Standard Plain and Reinforced Concrete – Code of Practice).
Similarly, British Standards (BS) are the standards produced by the BSI Group (British Standards Institute), which is incorporated under a Royal Charter and is formally designated as the National Standards Body (NSB) for the UK. The American National Standards Institute (ANSI) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States. The organization also coordinates U.S. standards with international standards so that American products can be used worldwide.

2.2 International Standards
ISO (the International Organization for Standardization) is a network of the national standards institutes of its member countries (one member per country; present strength 157), with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization: its members are not, as is the case in the United Nations system, delegations of national governments. Nevertheless, ISO occupies a special position between the public and private sectors. This is because, on the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.
Because "International Organization for Standardization" would have different abbreviations in different languages ("IOS" in English, "OIN" in French for Organisation Internationale de Normalisation), it was decided at the outset to use a word derived from the Greek isos, meaning "equal". Therefore, whatever the country, whatever the language, the short form of the organization's name is always ISO.
Three very important management system standards are: ISO 9001:2015, “Quality Management Systems – Requirements”; ISO 14001:2015, “Environmental Management System – Requirements with Guidelines for Use”; and ISO 27001:2013, “Information Security Management System – Requirements”.

3.  QUALITY CERTIFICATION
3.1 Certification and Certification Bodies
By definition, “certification” means the action of an independent third party (auditors belonging to Certification Bodies, which may be governmental or non-governmental) that verifies that the product, process or service in question fulfils all the specified requirements of the relevant standards, technical regulations or other normative acts in force. Management system audits are performed according to ISO 19011: “Guidelines for Auditing Management Systems”.

            Certification = Confirmation that prescribed requirements are fulfilled.

Organizations that recognize the benefits of implementing management systems often seek independent verification of conformance to standards by an independent third party. The independent bodies that take up third-party certification of organizations are known as Certification Bodies (CBs). Third-party organizations that wish to undertake QMS certification must get themselves accredited by a recognized and respected body, known as an “Accreditation Body”. Accreditation ensures the impartiality and competence of the CB and fosters confidence in, and acceptance of, the CB's certifications by end users in the public and private sectors. The CBs for all types of management systems are required to conform to the most recent version of ISO/IEC 17021-1: 2015, “Conformity assessment - Requirements for bodies providing audit and certification of management systems”.

3.2 Accreditation
Accreditation is the independent evaluation of certification bodies against the accreditation requirement standard ISO/IEC 17021-1: 2005, “Requirements for bodies providing audit and certification of management systems”, to ensure their impartiality, competence and consistency. The standard sets out the principles and requirements for the competence, consistency and impartiality of bodies providing audit and certification of management systems services. In many countries, accreditation is not mandatory. It should be noted that the fact that a certification body is not accredited does not, by itself, mean that it is not a reputable organization. However, many certification bodies choose to seek accreditation in order to be able to demonstrate an independent confirmation of their competence against the requirements of the standard.
By definition, “accreditation” means the procedure by which an authoritative body gives formal recognition that a conformity assessment body, in accordance with the standards and technical regulations, is competent to carry out specific tasks such as testing, calibration, certification and inspection. Accreditation is a third-party attestation of a certification body, conveying formal demonstration of its competence to carry out a specific conformity assessment (QMS certification) task.

 Accreditation = Confirmation and recognition of technical competence

The difference between the two seemingly similar definitions of ‘Accreditation’ and ‘Certification’ lies in the fact that in the case of accreditation, the formal recognition of competence is based on proven technical knowledge and therefore requires the consultation of a technical expert for the scope to be accredited, while the second case of certification primarily involves ensuring conformity with a given norm, e.g. a management system or a product.
Accreditation therefore relates to specific technical tasks such as those of a testing or calibration laboratory, or of a certification or inspection body, for which specific norms set out the required degree of competence.

3.3 Accreditation Bodies
Quality Council of India (QCI) is the national accreditation body of India. It is an autonomous body jointly set up by the Ministry of Commerce, FICCI (Federation of Indian Chambers of Commerce and Industry), CII (Confederation of Indian Industries) and ASSOCHAM (Associated Chambers of Commerce and Industry of India). It was set up in 1997. The Chairman of QCI is appointed by the Prime Minister on recommendation of the industry.
QCI functions through executive boards in the specific areas i.e. accreditation. The various accreditation boards are NABCB (National Accreditation Board for Certification Bodies), NABET (National Accreditation Board for Education and Training), NABH (National Accreditation Board for Hospitals and Healthcare Providers) and NABL (National Accreditation Board for Testing and Calibration Laboratories).
The scope of accreditation of NABCB however does not include the AQMS (Aerospace Quality Management Systems i.e. AS 9100 series).
ANSI-ASQ National Accreditation Board (ANAB) is a US-based non-governmental standards organization known for providing ISO accreditation services to manufacturers, laboratories and other public and privately held organizations/ companies. ANAB is an underwriter for the International Accreditation Forum (IAF) and the International Laboratory Accreditation Cooperation (ILAC) providing documentations recognized by government agencies from a number of participating nations. The American National Standard Institute (ANSI) and the American Society for Quality (ASQ) jointly own ANAB.
UKAS (United Kingdom Accreditation Service) provides accreditation to ISO/IEC 17021, ISO/IEC 17065, ISO/IEC 17024, ISO 14065 and EMAS (EU Council Regulation (EC) No 1221/2009) to organisations providing certification of management systems, products, processes and services and persons.

3.4. International Accreditation Forum
The International Accreditation Forum, Inc. (IAF) is the world association of Conformity Assessment Accreditation bodies and other bodies interested in conformity assessment in the fields of management systems, products, services, personnel and other similar programs of conformity assessment. Its primary function is to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited. IAF members accredit certification or registration bodies that issue certificates attesting that an organization's management, products or personnel comply with a specified standard (called conformity assessment).
The primary purpose of IAF is two-fold.
a)    Firstly, to ensure that its accreditation body members only accredit bodies that are competent to do the work they undertake and are not subject to conflicts of interest.
b)    The second purpose of the IAF is to establish mutual recognition arrangements, known as Multilateral Recognition Arrangements (MLA), between its accreditation body members which reduce risk to business and its customers by ensuring that an accredited certificate may be relied upon anywhere in the world.
The MLA contributes to the freedom of world trade by eliminating technical barriers to trade. IAF works to find the most effective way of achieving a single system that will allow companies with an accredited conformity assessment certificate in one part of the world, to have that certificate recognized elsewhere in the world. The objective of the MLA is that it will cover all accreditation bodies in all countries in the world, thus eliminating the need for suppliers of products or services to be certified in each country where they sell their products or services. Certified once - accepted everywhere.
IAF Mandatory Document 5 (IAF MD 5, Issue 2: 2013) gives the audit duration (man days) required for QMS and EMS audit. IAF MD 11 gives additional factor for integrated management system Audit.

4.0 ISO – 19011: GUIDELINES FOR AUDITING MANAGEMENT SYSTEMS
As mentioned in section 3.1, certification audits are performed as per ISO 19011:2011. This International Standard does not state requirements, but provides guidance on the management of an audit programme, on the planning and conducting of an audit of the management system, as well as on the competence and evaluation of an auditor and an audit team. The guidance in this International Standard can also be used for the purpose of self-declaration, and can be useful to organizations involved in auditor training or personnel certification. The guidance is applicable to both combined audits (i.e. when two or more management systems are audited together) and joint audits (when two or more auditing organizations cooperate to audit a single auditee).

4.1 Principles of Auditing (§ 4 ISO 19011)
The “Principles of auditing” are defined in paragraph 4 of ISO 19011 as based on:
a)    Integrity: the foundation of professionalism
b)    Fair presentation: the obligation to report truthfully and accurately
c)    Due professional care: the application of diligence and judgement in auditing
d)    Confidentiality: security of information
e)    Independence: the basis for the impartiality of the audit and objectivity of the audit conclusion
f)    Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process

4.2 Managing Audit Programme (§ 5 ISO 19011)
The top management should ensure that the audit programme objectives are established and assign one or more competent persons to manage the audit programme. The extent of an audit programme should be based on the size and nature of the organization being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited. Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control. (This concept is commonly known as risk-based auditing).
The audit programme should include information and resources necessary to organize and conduct its audits effectively and efficiently within the specified time frames and can also include the following:
— Objectives for the audit programme and individual audits;
— extent/number/types/duration/locations/schedule of the audits;
— audit programme procedures;
— audit criteria;
— audit methods;
— Selection of audit teams;
— Necessary resources, including travel and accommodation;
— processes for handling confidentiality, information security, health and safety, and other similar matters.
The implementation of the audit programme should be monitored and measured to ensure its objectives have been achieved. The audit programme should be reviewed in order to identify possible improvements. Figure 1 illustrates the process flow for the management of an audit programme.

Figure 1 — Process flow for the management of an audit programme

4.3 Performing an audit (§ 6 ISO 19011)
ISO 19011 gives guidance on preparing and conducting audit activities as part of an audit programme. Figure 2 provides an overview of typical audit activities. The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit.
Figure 2 — Typical audit activities

4.4 Competence and Evaluation of Auditors (§ 7 ISO 19011)
Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in planning and conducting audits, including auditors and audit team leaders. Competence should be evaluated through a process that considers personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and audit experience.
This process should take into consideration the needs of the audit programme and its objectives. It is not necessary for each auditor in the audit team to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives. The evaluation of auditor competence should be planned, implemented and documented in accordance with the audit program.

4.5 ISO 19011-2011: Appendices
a) Appendix A: Guidance and Illustrative Examples of Disciplines Specific Knowledge and Skills of Auditors.
b) Appendix B: Additional Guidance for Auditors for Planning and Conducting Audits.


5.  ISO/IEC 17021 – 1: 2015, “CONFORMITY ASSESSMENT – REQUIREMENTS FOR BODIES PROVIDING AUDIT AND CERTIFICATION OF MANAGEMENT SYSTEM”, PART-1: REQUIREMENT
ISO/IEC 17021 contains principles and specifies requirements for the competence, consistency and impartiality of the audit and certification of management systems (EMS, ISMS and QMS) and for the bodies providing these activities, i.e. the certification bodies. (Certification of a management system is sometimes also called “registration”, and certification bodies are sometimes called “registrars”.) The document uses the verbal forms as follows: “shall” indicates a requirement, “should” indicates a recommendation, “may” indicates a permission and “can” denotes a possibility or capability.
The audit activities normally include:
a)    Conducting opening meeting,
b)    Performing document review while conducting the audit
c)    Communicating during the audit
d)    Assigning roles and responsibilities of guides and observers
e)    Generating audit findings
f)     Preparing audit conclusion and
g)    Conducting closing meeting.

5.1 Audit Principles (§ 4 ISO/IEC17026-1: 2015)
The overall aim of certification is to give confidence to all parties that a management system fulfils specified requirements. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment. It is based on the following principles:
a)    Impartiality - certification is based on objective evidence of conformity (or nonconformity) and is not influenced by other interests or by other parties.
b)    Competence - Competence of the personnel & CB. Competence is the demonstrated ability to apply knowledge and skills.
c)    Confidentiality – It is essential for the CB not to disclose any confidential information of the client.
d)    Responsibility – The CB is responsible for assessing sufficient objective evidence upon which to base a certification decision.
e)    Openness - A CB needs to provide public access to, or disclosure of, appropriate and timely information about its audit, certification process, and status.
f)     Responsiveness to complaints - Confidence in certification activities is safeguarded when complaints are processed appropriately.
g)    Risk based Approach – CB needs to take into account the risk associated with providing competent, consistent and impartial certification.

5.2 General Requirement of Audit (§ 5 ISO/IEC17026-1: 2015)
a)    Legal and Contractual Requirement – CB shall be a legal entity and held responsible for Certification decision. CB shall have a legally enforceable agreement with client
b)    Management impartiality – Top management shall be held responsible for impartiality. A CB shall not certify another CB.
c)    Liability and Financing – CB shall ensure that financial liability does not impair impartiality.

5.3 Structural Requirements (§ 6 ISO/IEC17026-1: 2015)
a)    Organizational Structure and Top Management – Organization structure, duties, authorities and responsibilities of management and other personnel shall be documented so as to safeguard impartiality. 
b)    Operational Control – the CB shall have a process for effective control of certification activities.

5.4 Resource Requirements (§ 7 ISO/IEC17026-1: 2015)
a)    Competency of Personnel – CB shall have process to determine competency and shall ensure that personnel have appropriate competency. CB shall have a documented procedure for initial competency evaluation, ongoing monitoring of competence and performance of all personnel. (App A to this ISO gives the details of the required knowledge and skills).
b)    Personnel Involved in the Certification Activities – The CB shall have sufficient competent personnel for managing and supporting certification activities. 
c)    Use of individual external auditors and external technical experts – If services of external auditors and external technical experts are used, there shall be a written agreement with them to comply with applicable policies and procedures as defined by the certification body.
d)    Personal Records – Up to date personal records of all personnel including management and administrative personnel shall be maintained.
e)    Outsourcing – Outsourcing procedure shall be defined. The CB shall have a legally enforceable agreement, however shall be responsible for all activities of the outsourced agency. Outsourcing and subcontracting are synonymous.

5.5 Information Requirements (§ 8 ISO/IEC17026-1: 2015)
  1.  Public Information – The CB shall maintain public information (through publication/electronic media) about the geographical area of its operation and the scope of its audit and certification activities.
  2.  Certification Documents – The CB shall provide a certificate document to the certified client. Each certificate shall have a unique identification and clearly specify the scope and the effective dates of granting as well as expiry.
  3.  Reference to Certification and use of Marks - A certification body shall have a policy governing any mark that it authorizes certified clients to use.
  4.  Confidentiality - The CB shall, through legally enforceable agreements, have a policy and arrangements to safeguard the confidentiality of the information obtained or created during the performance of certification activities.
  5.  Information Exchange between a certification – The information shall include certification activity requirement, continuing certification activity and notice of changes.

5.6 Process Requirements (§ 9 ISO/IEC17026-1: 2015)  
a)    Pre-Certification Activities – These shall include application, application review, audit programme (full certification cycle of three years: two-stage initial audit, surveillance audits and recertification), audit time (depending on single or multiple sites), multiple management system audits etc. ISO/IEC TS 17023 gives guidelines for determining management system audit. For a surveillance audit one-third, and for recertification two-thirds, of the audit time is normally allotted.
b)    Planning Audit – The audit objectives, scope and criteria shall be determined, the CB shall have a process for selecting the audit team, observer, technical experts and guides. The audit plan prepared shall be appropriate to the objectives and it shall be communicated to the audit team members.
c)    Initial Certification – Initial certification shall be conducted in two stages. The objective of the stage 1 audit is to review the client's management system documented information. The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. Stage 2 shall take place at the site of the client.
d)    Conducting Audits – The CB shall have a process for conducting on site audit. The process shall include an opening meeting at the start and a closing meeting at the conclusion of the audit. The CB shall provide a written audit report for each audit to the client.
e)    Certification Decision – The CB shall ensure that the persons or the committee that make decisions on certification (granting or refusing, expanding or reducing the scope, suspending/withdrawing or restoring/renewing) are different from those who carried out the audit.
f)     Maintaining Certification – The CB shall maintain certification based on demonstration, surveillance audit, recertification audit etc.
g)    Special Audit – CB shall undertake special audit to expand the scope, follow up audit at short notice or unannounced audits in order to investigate complaints. The CB shall have a policy and documented procedure for suspension, withdrawal or reduction of the scope of certification, and shall specify subsequent actions by the CB.
h)   Appeals – The CB shall have documented process to receive, evaluate and make decision on appeals.
i)     Complaints – The CB shall be responsible for all decision at all levels of the complaints handling process.
j)      Client Record – The CB shall maintain records on the audit and other certification activities for all clients including all organisations that submitted applications, and all organisations audited, certified or with certification suspended or withdrawn.

5.7 Management System Requirements for CBs (§ 10 ISO/IEC17026-1: 2015)
The certification body shall establish and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard. In addition to meeting the requirements of Clauses 5 to 9, the certification body shall implement a management system in accordance with either
a)    General management system requirements (see below), or
b)    Management system requirements in accordance with ISO 9001 

5.7.1 General Management System Requirement
a)    The certification body shall establish, document, implement and maintain a management system that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard. The certification body's top management shall establish and document policies and objectives for its activities. The top management shall provide evidence of its commitment to the development and implementation of the management system in accordance with the requirements of this International Standard. The top management shall ensure that the policies are understood, implemented and maintained at all levels of the certification body's organization.
The certification body's top management shall assign responsibility for:
i) Ensuring that processes and procedures needed for the management system are established, implemented and maintained, and
ii) Reporting to top management on the performance of the management system and any need for improvement.

b) Management system manual - All applicable requirements of this International Standard shall be addressed in a manual or associated document which should be accessible to all relevant personnel.
c) Control of Documents – CB shall establish a procedure for control of documents

d) Control of Record – The CB shall establish procedures to define the control needed for the identification, storage, protection, retrieval, retention time and disposition of records related to the fulfillment of this International Standard.
e) Management Review – The CB shall establish procedure to review its management system at planned intervals. The review inputs and review outputs (defined in the standard) are related to management function. 
f)  Internal Audit – The CB shall establish procedure for carrying out internal audits to verify that it fulfils the requirement of this standard.
g) Corrective Actions – The CB shall establish procedure for identification and management of nonconformities in its operation. 

5.7.2 Option 2: Management system requirements in accordance with ISO 9001
The certification body shall establish and maintain a management system, in accordance with the requirements of ISO 9001, that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard.
a)    Scope – For application of the requirements of ISO 9001, the scope of the management system shall include the design and development requirements for its certification services.
b)    Customer focus - For application of the requirements of ISO 9001, when developing its management system, the CB shall consider the credibility of certification and shall address the needs of all parties that rely upon its audit and certification services, not just its clients.
c)    Management review - For application of the requirements of ISO 9001, the CB shall include as input for management review, information on relevant appeals and complaints from users of certification activities and review of impartiality.

5.8 Appendices of ISO/IEC17026-1: 2015
a)    Appendix A: Required Knowledge and Skill
b)    Appendix B (Informative): Possible Evaluation Method
c)    Appendix C (Informative): Example of a Process flow for determining and maintaining Competence.
d)    Appendix D (Informative): Desired personal behaviour


--------------- x-x --------------
