[This series of articles discusses the ISO 17000 family of standards, which are often obscure and complex. For links to the full series of articles, click here.]

ISO 17029 is entitled “Conformity Assessment — General Principles and Requirements for Validation and Verification Bodies“, which is, admittedly, quite a mouthful.

Let’s unpack who this is targeted at. In most countries and industries, the term used is “verification and validation,” or more often “independent verification and validation,” called “IV&V”. It’s more recognized in the software industry, with IV&V services utilized by companies who need software to be rigorously tested, or for web applications that need security testing. But IV&V occurs in hardware and other industries as well, where a system or product might need a similar independent examination.

The standard gives an idea as to who it’s aimed at, and the crowd is pretty infinitesimal:

Current examples for validation/verification as conformity assessment activities include claims related to greenhouse gas emissions, environmental labelling, product declarations and footprints (… such as the environmental product declaration) , sustainability or environmental reporting. Potential new applications can include claims relating to construction technology, energy management, financial management, industrial automation systems, software and systems engineering, artificial intelligence, information technology, healthcare products and medical devices, machine safety, safety and design engineering, and social responsibility.

Finally, it’s worth pointing out that ISO 17029 assumes the V&V body is issuing a “validation/verification statement,” and does not refer to these things as “certifications“.

As with many of the ISO 17xxx standards, it might be worth having a consultation when deciding whether ISO 17029 is the right approach for your particular organization.

The ISO 17029 Principles

ISO 17029 borrows from a few other standards in this family, and opens with a set of “principles.” While not hard requirements, V&V bodies would be expected to prove they operate in accordance with these principles, or risk not being accredited ti 17029.

These are:

  • Evidence-based decision making
  • Documentation
  • Fair presentation
  • Impartiality
  • Competence
  • Confidentiality
  • Openness
  • Responsibility
  • Responsiveness to complaints
  • Risk-based approach

All of these appear in other standards, and are relatively self-explanatory. The one that stands out, however, is “documentation.” Here the authors are embracing documentation, something that other ISO committees have eagerly avoided. Under ISO 17029, the expectation is that you will document your V&V activities to ensure they are understood throughout the organization, and applied universally. Compare this to the latest iteration of ISO 9001, which lets you do everything via tribal knowledge and oral tradition!

The ISO 17029Requirements

ISO 17029 then goes on to define hard requirements, including:

  • Impartiality: the validation/verification body (V&VB) must have controls (best addressed via procedures) that ensure it can issue personnel certifications fairly and impartially. This then rolls into control of conflicts of interest (COIs), risk management of COIs, and the need to have objective parties make final certification decisions.
  • Liability: V&VBs must have adequate legal protections and insurance to cover liabilities.
  • Competence. Compared to other ISO 17xxx standards, the competence requirements for V&VB staff defined in ISO 17029 are pretty minimal. Nevertheless, the V&VB must identify its competence requirements, and then work to ensure those requirements are met.
  • Resources. Resource management for V&VBs is largely focused on personnel, staffing, and the use of subcontractors. You won’t find language about equipment or facilities here.
  • Complaints & Appeals. V&VBs must have a robust method (again, procedures help here) to manage both complaints and appeals. I find that very simple procedures (using ISO 10002 as guidance on complaints handling) work great, and tying them into the V&VB’s corrective action system (a requirement we will discuss later) makes it very easy to manage, without needing to create an entirely separate complaints tracking tool.
  • Defining V&V schemes. As with the other ISO 17xxx standards, this set of clauses requires the most work. Here the V&VB must define all the activities it performs for its validation and verification activities, from “pre-engagement” to “engagement and planning,” and on through final decision-making and “issue of the validation/verification statement.” In addition, if a V&VB offers more than one V&V service, each scheme must be fully defined with appropriate procedures.
  • MS requirements. Unlike others in the ISO 17xxx series of standards, ISO 17029 does not invoke ISO 9001 as a possible management system (MS) approach. Instead, ISO 17029 calls out specific management system requirements, and dramatically scales these back as compared to other standards in the series. These include:
    • Documented information
    • Corrective action
    • Internal audits
    • Management review

Accreditation to ISO 17029

If you opt to pursue ISO 17029, you would later become accredited by a third-party Accreditation Body. Because the ISO 17029 standard is relatively new and very, very obscure, there are not many ABs that offer accreditation to it. ANAB is one.

As a result, there are a number of other documents, typically demanded by the AB on top of ISO 17029, which you would be expected to comply with as well.

Oxebridge can help implement ISO 17029; for more information, drop an email our way.


ISO Benchmark