ISO 17000 Series: ISO 17020 for Inspection Bodies

[This series of articles discusses the ISO 17000 family of standards, which are often obscure and complex. For links to the full series of articles, click here.]

ISO 17020 is the standard for “inspection bodies,” and one that causes a great deal of confusion in the marketplace.

This confusion arises because of the similarities in intent between ISO 17020 (for inspection bodies) and other ISO 17xxx standards. ISO 17020 largely focuses on the inspection of products, but in an effort to widen the usage (and thus sales) of the standard, ISO claims it can also be used for certification of processes or systems.

But, wait. Both ISO 17021-1 and ISO 17065 claim to be for certification of systems, too. So why is ISO 17020 different?

Well, ISO 17021-1 is limited to certification of management systems — such as quality management systems, environmental management systems, or information security management systems — not just “systems” in general. If you’re an inspection body, it’s highly unlikely you are intending to certify a company to ISO 9001 or ISO 14001, for example, so that rules out ISO 17021-1 as an alternative. But ISO doesn’t really have a standard for certifying “systems” apart from management systems. It’s a gap.

ISO 17065 is a more confusing case. Both ISO 17020 and ISO 17065 involve the inspection of a product, and both can result in a certificate. You won’t find much clarity online, either, as searches for information will result in wildly differing opinions and contradictory advice.  (This post on Quora shows just how confusing this mess is.) My rule of thumb is that if you intend to offer only an inspection report, then ISO 17020 is the best fit. If you intend to offer a full-blown certificate of some sort (certificate of conformity, perhaps), then ISO 17065 is better. ISO 17065 is also used to certify an entire line of products, whereas ISO 17020 might be a one-time inspection on a given batch or lot.

Then there’s another standard, ISO 17029, which is used if you are only issuing a “validation or verification statement.” We’ll talk about that later in this series.

And let’s not get started on the confusing overlap with the test lab standard ISO 17025!

Want objective guidance from the Accreditation Bodies? You won’t get it: bodies like ANAB traditionally push companies to pursue ISO 17020 because they can accredit companies to that standard; they cannot accredit companies to ISO 17021-1, since that’s done by a higher body. Why send business to someone else?

How to Know Which to Pursue?

In investigating whether to pursue ISO 17020 over another option, the only thing to do is have a serious conversation either internally or with an external party.

There are a few easy discriminators, one being whether you perform inspection with the intent to issue just an inspection report or a full-on certificate of conformity (or some other cert). ISO 17020 is better suited for companies issuing product inspection reports, while ISO 17065 is better for product certificates that may carry more weight. Even then, however, either standard can be forced to work under both circumstances.

If you’re certifying things other than products, such as processes or methods, then it’s a free-for-all. ISO 17020 has about as much chance of being the right fit as it does the wrong.

Another factor to consider is that ISO 17020 has very low international recognition and, thus, less “gravitas.” There’s a risk that if you pursue ISO 17020, your customers and industry partners may not have ever heard of it. ISO 17025 and ISO 17065 are far more well-known, but also bring more rigorous requirements and are thus more expensive to implement. In many cases, they may be overkill if you’re doing simple inspections.

The graphic above may help drive your decision. Failing that, feel free to contact Oxebridge for a free consultation, or reach out on our free Slack discussion group.

The ISO 17020 Requirements

Assuming you want to press on with ISO 17020, here are a breakdown of the standard’s basic requirements:

• Impartiality: the inspection body (IB) must have controls (best addressed via procedures) that ensure it can perform its inspections fairly and impartially. This then rolls into control of conflicts of interest(COIs), risk management of COIs, and the need to have objective parties make final inspection decisions.
• Confidentiality: IBs have access to confidential information related to their certified clients. As a result, the IB must have controls in place (again, procedures are likely necessary) to ensure the management of confidentiality. Such rules must spread through the IB organization to all who might touch such confidential information.
• Establishing Inspection Methods: here is where the bulk of work is required for ISO 17020, although is far less onerous than other ISO 17xxx standards.

Here the IB must define its methods for conducting inspections, and document these in formal procedures. These procedures must include things like handling inspection items, performing inspections, using inspection devices, developing and issuing inspection reports / certificates, etc.

• Competence. Here ISO 17020 demands you define the competence requirements for everyone involved in the IB’s activities.
• Resources. Apart from competence of human resources, the IB must manage and control all other resources utilized as part of its inspection activities, such as equipment, documentation, facilities, etc.
• Complaints & Appeals. IBs must have a robust method (again, procedures help here) to manage both complaints and appeals. The standard distinguishes between the two as follows: “complaints” are received from any party, and can be related to anything. “Appeals” are specific contests of IB decisions, coming from its clients; for example, a client may appeal the results of a given inspection or test.

I find that very simple procedures (using ISO 10002 as guidance on complaints handling) work great, and tying them into the IB’s corrective action system (a requirement we will discuss later) makes it very easy to manage, without needing to create an entirely separate complaints tracking tool.

• QMS requirements. ISO 17020 demands a minimum quality management system be implemented alongside all the other requirements. Like many standards within the conformity assessment family, they allow two options: implementing ISO 9001 in full, or implementing key QMS elements (which, anyone would notice, were lifted from ISO 9001 anyway.)

Specifically, the minimum QMS requirements to be implemented are:

• • Policies & objectives
  • Document control
  • Record control
  • Control of nonconforming service
  • Corrective & preventive action (as of this writing, the ISO 17020 standard still requires preventive action)
  • Internal Audits
  • Management Review
  • Continual improvement

Accreditation to ISO 17020

If you opt to pursue ISO 17020, you would later become accredited by one of the many traditional Accreditation Bodies, such as ANAB, A2LA, UKAS, etc. Unlike ISO 17021-1, you would not answer directly to the IAF or its regional bodies.

Oxebridge can help implement ISO 17020; for more information, click here.