[This series of articles discusses the ISO 17000 family of standards, which are often obscure and complex.]
ISO 17029 is entitled “Conformity Assessment — General Principles and Requirements for Validation and Verification Bodies”, which is, admittedly, quite a mouthful.
Let’s unpack who this is targeted at. In most countries and industries, the term used is “verification and validation,” or more often “independent verification and validation,” called “IV&V”. It’s more recognized in the software industry, with IV&V services utilized by companies who need software to be rigorously tested, or for web applications that need security testing. But IV&V occurs in hardware and other industries as well, where a system or product might need similar independent examination.
ISO fumbles with the terms, though. First of all, they re-order the terms so that the two “V”s are reversed. That may not seem very interesting, but it points to ISO aiming this at the software industry, and not hardware. Keep reading, and I hope I haven’t lost you already.
Next, ISO is wholly contradictory on its definitions of the two words. I mean literally contradictory; they reverse them whether you are reading ISO 9000 (the standard on quality management system terms and vocabulary) or ISO 17029. Have a look, and you may want to ignore the notes for now (I included them only to be thorough):
Ignoring how ISO 9000 uses the words “objective evidence” and ISO 17029 uses the word “claim,” the standards reverse the definitions. Worse, ISO 17029 displays the typically shady way ISO refuses to acknowledge mistakes, and then just lies in the notes, admitting the definitions were “modified” but not identifying them as completely swapped.
Short version for people who don’t read ISO-speak:
- Under ISO 9000 and in manufacturing in general, “verification” is understood to mean checking to see if a design has captured all the requirements before you build something; “validation” is physical testing of a prototype or first article to then prove the design is adequate.
- Under ISO 17029 and in the software industry, “validation” is the act of ensuring requirements are addressed in the design (or software), and then “verification” is checking the actual code in a simulation, test environment, etc. … the functional equivalent of “prototyping.”
This is because decades ago, ISO never really reconciled the two industries, even though it might have had a shot at doing so, given it’s — you know — the International Organization for Standardization. So this contradiction exists in perpetuity, unmolested.
The problem here, however, is that ISO always claims its products are suitable for anyone in any organization, and ISO 17029 is no different. So while ISO 17029 is written in a bland, generic manner that might be suitable for a hardware design company, if such a company tries to implement it, it will find the language contradicts everything it knows, right from the cover page.
The standard gives an idea as to who it’s aimed at, and the crowd is pretty infinitesimal:
Current examples for validation/verification as conformity assessment activities include claims related to greenhouse gas emissions, environmental labelling, product declarations and footprints (… such as the environmental product declaration), sustainability or environmental reporting. Potential new applications can include claims relating to construction technology, energy management, financial management, industrial automation systems, software and systems engineering, artificial intelligence, information technology, healthcare products and medical devices, machine safety, safety and design engineering, and social responsibility.
But, no. No matter what ISO says, ISO 17029 is aimed at software and IT companies, because everyone else is unlikely to recognize the words used.
Finally, it’s worth pointing out that ISO 17029 assumes the V&V body is issuing a “validation/verification statement,” and does not refer to these things as “certifications”.
As with many of the ISO 17xxx standards, it might be worth having a consultation when deciding whether ISO 17029 is the right approach for your particular organization.
The ISO 17029 Principles
ISO 17029 borrows from a few other standards in this family, and opens with a set of “principles.” While not hard requirements, V&V bodies would be expected to prove they operate in accordance with these principles, or risk not being accredited to 17029.
- Evidence-based decision making
- Fair presentation
- Responsiveness to complaints
- Risk-based approach
All of these appear in other standards, and are relatively self-explanatory. The one that stands out, however, is “documentation.” Here the authors are embracing documentation, something that other ISO committees have eagerly avoided. Under ISO 17029, the expectation is that you will document your V&V activities to ensure they are understood throughout the organization, and applied universally. Compare this to the latest iteration of ISO 9001, which lets you do everything via tribal knowledge and oral tradition!
The ISO 17029 Requirements
ISO 17029 then goes on to define hard requirements, including:
- Impartiality: the validation/verification body (V&VB) must have controls (best addressed via procedures) that ensure it can issue personnel certifications fairly and impartially. This then rolls into control of conflicts of interest (COIs), risk management of COIs, and the need to have objective parties make final certification decisions.
- Liability: V&VBs must have adequate legal protections and insurance to cover liabilities.
- Competence. Compared to other ISO 17xxx standards, the competence requirements for V&VB staff defined in ISO 17029 are pretty minimal. Nevertheless, the V&VB must identify its competence requirements, and then work to ensure those requirements are met.
- Resources. Resource management for V&VBs is largely focused on personnel, staffing, and the use of subcontractors. You won’t find language about equipment or facilities here.
- Complaints & Appeals. V&VBs must have a robust method (again, procedures help here) to manage both complaints and appeals. I find that very simple procedures (using ISO 10002 as guidance on complaints handling) work great, and tying them into the V&VB’s corrective action system (a requirement we will discuss later) makes it very easy to manage, without needing to create an entirely separate complaints tracking tool.
- Defining V&V schemes. As with the other ISO 17xxx standards, this set of clauses requires the most work. Here the V&VB must define all the activities it performs for its validation and verification activities, from “pre-engagement” to “engagement and planning,” and on through final decision-making and “issue of the validation/verification statement.” In addition, if a V&VB offers more than one V&V service, each scheme must be fully defined with appropriate procedures.
- MS requirements. Unlike others in the ISO 17xxx series of standards, ISO 17029 does not invoke ISO 9001 as a possible management system (MS) approach. Instead, ISO 17029 calls out specific management system requirements, and dramatically scales these back as compared to other standards in the series. These include:
  - Documented information
  - Corrective action
  - Internal audits
  - Management review
Accreditation to ISO 17029
If you opt to pursue ISO 17029, you would later become accredited by a third-party Accreditation Body. Because the ISO 17029 standard is relatively new and very, very obscure, there are not many ABs that offer accreditation to it. ANAB is one.
As a result, there are a number of other documents, typically demanded by the AB on top of ISO 17029, which you would be expected to comply with as well.
Oxebridge can help implement ISO 17029; for more information, drop an email our way.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.