{"id":24148,"date":"2021-02-21T22:12:26","date_gmt":"2021-02-22T03:12:26","guid":{"rendered":"https:\/\/www.oxebridge.com\/emma\/?p=24148"},"modified":"2021-02-21T22:14:01","modified_gmt":"2021-02-22T03:14:01","slug":"parsing-iso-17021-1s-melange-of-procedure-callouts","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/parsing-iso-17021-1s-melange-of-procedure-callouts\/","title":{"rendered":"Parsing ISO 17021-1&#8217;s Melange of Procedure Callouts"},"content":{"rendered":"<p>I&#8217;m excited to be back at work <a href=\"https:\/\/www.oxebridge.com\/emma\/iso-17021-requirements-for-management-system-certification-bodies\/\">helping develop certification bodies<\/a>, something that I had done many years ago, but which fell aside under the flood of AS9100 implementations I did throughout the 2010&#8217;s. This month alone I am lucky enough to be working on setting up three different CBs, and it&#8217;s exciting work. Not many can do it.<\/p>\n<p>It means I am spending a lot of time in <a href=\"https:\/\/www.iso.org\/standard\/61651.html\">ISO 17021-1<\/a>, as a real user of the standard, digging deep through it, mining for gems. ISO 17021-1 is a crucial work within the ISO certification world, but you wouldn&#8217;t find many people who know much about it. It&#8217;s the standard that applies to certification bodies, like BSI and SGS, and which defines their requirements. If you&#8217;re certified to ISO 9001, and unless you hired a cert mill, your CB is accredited to ISO 17021-1.<\/p>\n<p>So you&#8217;d think the rules governing the industry&#8217;s judges would be reasonably well-written.<\/p>\n<p>You&#8217;re adorable!<\/p>\n<p>ISO 17021-1 is written by the ISO Committee on Conformity Assessment (CASCO). That committee was, until recently, led by long-time ISO staffer Sean MacCurtain, and is supposed to be one of the more put-together ISO committees. 
So you might be surprised to see just how terrible ISO 17021-1 is, and how it reveals it was hammered together by a cast of dubiously-qualified characters all firing in different directions.<\/p>\n<p>Now, don&#8217;t get me wrong: the rules are important. I&#8217;m constantly holding CBs accountable to them, so I acknowledge we need what&#8217;s written in 17021-1. It&#8217;s just the <strong>way<\/strong> it&#8217;s written that is both frustrating and hilarious.<\/p>\n<p>For example, the folks on CASCO don&#8217;t really know what a &#8220;document&#8221; is. I&#8217;m serious, and you&#8217;ll agree completely about two minutes from now. Stick with me.<\/p>\n<p>In prior ISO standards, the text called out the need for &#8220;documented procedures&#8221; whenever the authors wanted a user to have&#8230; well, a documented procedure. Then, the word &#8220;records&#8221; was used to call out requirements for records.<\/p>\n<p>In the 2010s, though, a new crop of standards developers overtook most of ISO&#8217;s committees, and brought with them a need to make things as confusing as possible, to sell their consulting services later.\u00a0CASCO, which has always been largely <a href=\"https:\/\/www.oxebridge.com\/emma\/casco-iso-certification-bodies-write-their-own-rules\/\">populated by CB reps and consultants<\/a>, was infected with this problem far, far earlier. 
Back in 1996, the original ISO Guide 62 simply called out a need for &#8220;procedures.&#8221; By the time that guide was turned into a full standard (ISO 17021), the CB reps had taken over CASCO, and started to muddy things up.\u00a0 The latest edition &#8212; published in 2015 &#8212; makes things much, much worse.<\/p>\n<p>Let&#8217;s start with clause 5.2 on &#8220;management of impartiality.&#8221; That clause requires the following:<\/p>\n<blockquote><p>The certification body shall have a <em><strong>policy<\/strong> <\/em>that it understands the importance of impartiality in carrying out its management system certification activities&#8230;.<\/p><\/blockquote>\n<p>OK, so it calls out a &#8220;<em>policy<\/em>.&#8221; Most will agree that needs to be documented, so there&#8217;s not much confusion there. Now we move to the very next paragraph in the same clause, which reads:<\/p>\n<blockquote><p>The certification body shall have a <em><strong>process <\/strong><\/em>to identify, analyze, evaluate, treat, monitor, and document [risks]&#8230;.<\/p><\/blockquote>\n<p>As a former chemical process engineer, this casual usage of the word &#8220;<em>process<\/em>&#8221; drives me crazy.\u00a0 ISO 9001 tried to get people to understand process management, but obviously failed. ISO standards developers still do not understand that <em><strong>a process and a procedure are two very different things<\/strong><\/em>, and so they use the terms interchangeably. But technically a process may invoke measurement (KPIs, etc.) while a procedure doesn&#8217;t; so the distinction is important. 
If you&#8217;re a CB just getting started, you&#8217;re already scratching your head, asking, &#8220;<em>Am I supposed to write this stuff down or not?<\/em>&#8221;<\/p>\n<p>Moving ahead in the standard a bit, clause 6.1 on &#8220;Organizational Structure&#8221; then requires:<\/p>\n<blockquote><p>The certification body shall <em><strong>document <\/strong><\/em>its organizational structure&#8230;.<\/p><\/blockquote>\n<p>Okay, that&#8217;s clearly calling out a document, even if I wouldn&#8217;t know whether the org structure is supposed to be in a procedure or not. One assumes a chart will do.<\/p>\n<p>But then, on just the next page, it calls out something entirely different:<\/p>\n<blockquote><p>The certification body shall have <em><strong>formal rules<\/strong><\/em> for the appointment, terms of reference and operation of any committees that are involved in the certification activities.<\/p><\/blockquote>\n<p>&#8220;<em>Formal rules<\/em>?&#8221; This, by the way, is a holdover from the earliest 2000&#8217;s versions of ISO 17021, and they haven&#8217;t edited it since. One can assume that &#8220;<em>formal rules<\/em>&#8221; should be written, but to be fair, it doesn&#8217;t really <em><strong>say<\/strong> <\/em>that.<\/p>\n<p>Moving to clause 7.1.1 on &#8220;Competence,&#8221; the standard then requires this:<\/p>\n<blockquote><p>The certification body shall have <em><strong>processes <\/strong><\/em>to ensure that personnel have appropriate knowledge and skills&#8230;.<\/p><\/blockquote>\n<p>Most will not get upset by this, but the sudden shift to plural (&#8220;<em>processes<\/em>&#8221; vs. &#8220;<em>process<\/em>&#8221;) is maddening. I&#8217;ve had auditors tell me that if the standard indicates a plural, then you must have &#8220;<em>more than one<\/em>&#8221; of a thing. 
Therefore, an accreditation auditor can ask to see multiple &#8220;<em>processes<\/em>&#8221; and &#8212; assuming they really mean &#8220;<em>procedures<\/em>&#8221; &#8212; you&#8217;d have to produce multiple documents. If you wanted to combine them into one, you&#8217;d technically be in violation of the standard. Sigh.<\/p>\n<p>The very next clause, 7.1.2, jumps back to the singular:<\/p>\n<blockquote><p>The certification body shall have a <strong><em>process <\/em><\/strong>for determining the competence criteria for personnel&#8230;<\/p><\/blockquote>\n<p>Argh! And then, 7.1.3 goes one step further:<\/p>\n<blockquote><p>The certification body shall have <em><strong>documented processes <\/strong><\/em>for the initial competence evaluation&#8230;<\/p><\/blockquote>\n<p>Now, not only are we back to plural, but here the clause distinguishes that &#8212; in this case &#8212; the processes must be &#8220;<em>documented<\/em>.&#8221; Does that mean in all the other cases, they didn&#8217;t need to be documented? Now everything we&#8217;ve been assuming up to now is thrown out.<\/p>\n<p>Oh, we&#8217;re not done yet. 
Jumping forward to 8.3.1 we see this:<\/p>\n<blockquote><p>A certification body shall have <em><strong>rules<\/strong> <\/em>governing any management system certification mark that it authorizes certified clients to use.<\/p><\/blockquote>\n<p>Or clause 9.4.1:<\/p>\n<blockquote><p>The certification body shall have <em><strong>documented procedures<\/strong><\/em> for determining audit time.<\/p><\/blockquote>\n<p>Or 9.6.5:<\/p>\n<blockquote><p>The certification body shall have <em><strong>a policy and documented procedure(s)<\/strong> <\/em>for suspension, withdrawal or reduction of the scope of certification, and shall specify the subsequent actions by the certification body.<\/p><\/blockquote>\n<p>Or 9.7:<\/p>\n<blockquote><p>The certification body shall have <em><strong>a documented process<\/strong><\/em> to receive, evaluate and make decisions on appeals.<\/p><\/blockquote>\n<p>Or 9.9.4:<\/p>\n<blockquote><p>The certification body shall have <em><strong>a documented policy and documented procedures<\/strong><\/em> on the retention of records.<\/p><\/blockquote>\n<p>Or 10.2.1:<\/p>\n<blockquote><p>The certification body\u2019s top management shall establish and <em><strong>document policies and objectives <\/strong><\/em>for its activities.<\/p><\/blockquote>\n<p>Or 10.2.2:<\/p>\n<blockquote><p>All applicable requirements of this part of ISO\/IEC 17021 shall be addressed either in <em><strong>a manual or in associated documents.<\/strong><\/em><\/p><\/blockquote>\n<p>Or 10.2.4:<\/p>\n<blockquote><p>The certification body shall establish <em><strong>procedures <\/strong><\/em>to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of its records&#8230;<\/p><\/blockquote>\n<p>In all, by the time ISO 17021-1 is done, it has used upwards of<em><strong> fifteen different terms<\/strong><\/em> referring to stuff that should be written down. 
Beyond the hard requirements, there are a host of other terms used in the standard which strongly imply the need for a written thing, such as &#8220;<em>the certification body shall make clear&#8230;<\/em>&#8221; or &#8220;<em>the certification body shall provide information on&#8230;<\/em>&#8221;, or multiple references to &#8220;<em>legally enforceable agreements.<\/em>&#8221;<\/p>\n<p>If CASCO just had an <strong><em>editor<\/em><\/strong>, none of this would happen. But ISO can&#8217;t afford a proofreader, apparently. Sean MacCurtain had enough money to retire young, so I&#8217;m not sure what he was being paid to do, exactly. It certainly wasn&#8217;t catching obvious goof-ups like these.<\/p>\n<p>The thing is, this stuff matters. When someone like me is guiding a new CB into developing its various policies and procedures, it helps to know what the accreditation bodies will be demanding to see. It shouldn&#8217;t be left up to interpretation, since my interpretation might differ from, say, ANAB&#8217;s &#8212; and that can mean a costly nonconformity during the initial accreditation audit. Standards are supposed to be beneficial because they ensure everyone speaks the same language about a certain topic; it&#8217;s frustrating when committees like CASCO can&#8217;t get their writers to speak the same language from one page to the next, in the same standard!<\/p>\n<p>It&#8217;s standardization, for heaven&#8217;s sake. It&#8217;s in ISO&#8217;s name! You&#8217;d think they could standardize the words they use in their publications.<\/p>\n<p>Well, I suppose I shouldn&#8217;t complain. The reason certification bodies have to bring on a hired gun like me to <a href=\"https:\/\/www.oxebridge.com\/emma\/iso-17021-requirements-for-management-system-certification-bodies\/\">set up their systems<\/a> is because CASCO has made the ISO 17021-1 standard so impossible to understand. 
Maybe I should be paying for Sean MacCurtain&#8217;s next vacation!<\/p>\n<p>There are precious few people on the planet who can help set up a CB, so feel free to <a href=\"mailto:OQR@oxebridge.com\">reach out to me<\/a> if you get stuck and need help. Send me an email&#8230; or is it a message? A documented infobite? A digital textogram?<\/p>","protected":false},"excerpt":{"rendered":"<p>The standard for certification bodies uses over 15 different terms to refer to &#8220;procedures,&#8221; making implementation a nightmare without third-party help.<\/p>","protected":false},"author":2,"featured_media":24151,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","mc4wp_mailchimp_campaign":[],"footnotes":""},"categories":[5],"tags":[61,198,23,43,52,304,789],"class_list":["post-24148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-opinion","tag-accreditation-bodies","tag-casco","tag-certification-bodies","tag-iso","tag-iso-17021","tag-iso-17021-1","tag-iso-casco","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/24148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/comments?post=24148"}],"version-history":[{"count":5,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/24148\/revisions"}],"predecessor-version":[{"id":24154,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/24148\/revisions\/24154"}],"wp:featuredmedia":[{"embedda
ble":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media\/24151"}],"wp:attachment":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media?parent=24148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/categories?post=24148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/tags?post=24148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}