Conformity Assessment: It Is About Confidence
Conformity Assessment: It is about confidenceISPAB MeetingJune 24Lisa J. CarnahanNIST/ITL Associate Director for IT Standardizationcarnahan@nist.gov301-975-33621
Points to remember1. There is a toolbox of conformity assessment approaches intended to meet a rangeof needs.2. Conformity assessment program models vary based on balancing risk andresources.3. Software and cybersecurity bring challenges to conformity assessment.Certain commercial products, organizations and websites are identified. Such identification is not intended to imply recommendation orendorsement by NIST, nor is it intended to imply that the products or organizations identified are necessarily the best available for the purpose.2
Conformity Assessment: Basic Terms and ConceptsConformity assessment is the demonstration that specified requirements relatingto a product, process, system, person or body are EILLANCEHow should itperform?How do we knowit performs?Who says itsperformancehas beendemonstrated?What aboutassurancesnext week?What activities are preformed? Who performs the activities? How robustly?* ISO/IEC 17000 Conformity assessment – Vocabulary and general principles3
The Parties – Who Does What?First PartyConformity assessment activity performed by the person or organization thatprovides the product/service/etc. (seller or manufacturer)Second PartyConformity assessment activity performed by the purchaser or userThird PartyConformity assessment activity performed by an independent entity that has nointerest in transactions between the first and second partiesThe US Government can be in any of the three and may also have an oversight role.4
REQUIREMENTDETERMINATIONATTESTATIONSURVEILLANCEHow should itperform?How do we knowit performs?Who says itsperformancehas beendemonstrated?What aboutassurancesnext week?Changingrequirements pushon process Defines characteristics of the object of conformity Can be expressed in various ways (e.g., standards, regulations, customerrequirements ) Federal agencies should use voluntary consensus standards5
REQUIREMENTDETERMINATIONATTESTATIONSURVEILLANCEHow should itperform?How do we knowit performs?Who says itsperformancehas beendemonstrated?What aboutassurancesnext week?Testing makes use of a Test MethodInspection makes use of professional judgement and sometimes testingAudit document process using records, documents, etc.Can be performed by the manufacturer, the purchaser, or a 3rd party.Determination of conformity results in a reportSource: cityinspectionsoftware.comSource: FlickrStar51126
REQUIREMENTDETERMINATIONATTESTATIONSURVEILLANCEHow should itperform?How do we knowit performs?Who says itsperformancehas beendemonstrated?What aboutassurancesnext week? An attestation is a statement made by an organization (generally) that requirements havebeen fulfilled. A manufacturer making an attestation is called a Suppliers Declaration of Conformity(SDOC) A 3rd-party attestation is called a Certification7
REQUIREMENTDETERMINATIONATTESTATIONSURVEILLANCEHow should itperform?How do we knowit performs?Who says itsperformancehas beendemonstrated?What aboutassurancesnext week?Changingenvironment requireschangingrequirements Conformity decisions are often based on a sample and a point-in-time Confidence demands conformity today, tomorrow, next year Purchasers & consumers want it Certifiers want to know their attestations are still valid Surveillance activities help ensure ongoing conformity Pre-market activities (quality checks at manufacturing plants, suppliers, processes, etc.) Post-market activities (sample testing, complaint resolution, etc.) IT product market time may be a factor in surveillance activities8
Standards for Conformity AssessmentPublished by International Organization for Standardization (ISO) Committee on Conformity Assessment(CASCO) in cooperation with the International Electrotechnical Commission (IEC)CASCOToolboxTypePartiesStandard(s)1st 2nd 3rdTesting ISO/IEC 17025Inspection ISO/IEC 17020Supplier’s Declaration ofConformity (SDoC)CertificationProducts, processes,servicesManagement systemsPersonsAccreditationISO/IEC 17050Parts 1 and 2 ISO/IEC 17065[ISO/IEC 17067]ISO/IEC 17021ISO/IEC 17024ISO/IEC 170119
Confidence in testers, inspectors, certifiers,accreditors?ConformityWho Watches the Watchers?assessment schemeowner Body(ies)/Laboratory(ies)Manufacturers10
Factors in building conformity assessment systemsRisks associated with non-compliance shouldbe proportional to the rigor of the systemdesignOne size does not fit all Over-design can be costly Under-design reduces confidenceMarketplace consequences, regulatorypenalties and effective recall processes canallow less rigor in conformity assessmentThe ABCs of Conformity Assessment, NIST SP 2000-01Conformity Assessment Considerations for Federal Agencies, NIST SP 2000-0211
Flexibility to Address Confidence(Example models)12
Conformity Assessment in the U.S. is unique No national level coordinating organizationNumerous conformity assessment bodies, differing in size and scopeSector developed approachesOverlap in coverageConformity assessment programs tailored to meet specific private and public sector needs*RESULTS IN The opportunity for effective conformity assessment programs at the most efficient cost.*Authorities and regulators may rely on private-sector conformity assessment to support their missionsNTTAA and OMB A119 require federal agencies to first consider voluntary consensus standards and reduce industry burden for redundant conformity and compliancemechanisms13
Federal Agency Use of Conformity Assessment Legislation & Policy National Technology Transfer & Advancement Act OMB Circular A-119 Revised* WTO Technical Barrier to Trade Agreements (WTO TBT) Legislation focused on topic Themes Agencies should first consider using industry standards (conformity assessment standards) Agencies should reduce industry complexity where possible (complexity time/effort/cost) Consider and leverage private-sector CA programs and other public-sector CA programs*OMB Circular A-119: Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities – 201614
Elements of a Conformity Assessment ProgramFoundational Considerations forFederal Agency Programs1. Engage Stakeholders2. Maximize Transparency3. Leverage Existing Efforts15
Foot Protection in the Workplace[. . .]1616
Variation by Federal agencies17
Points to remember1. There is a toolbox of conformity assessment approaches intended to meet a rangeof needs. Many federal programs use these tools and leverage existing programsand activities.2. Conformity assessment program models vary based on balancing risk andresources. Many federal programs focus on this balance and adjust.3. Software and cybersecurity bring challenges to conformity assessment. There is nosilver bullet. Programs addressing cybersecurity requirements continue to evolve.18
Questions & DiscussionLisa CarnahanNIST/ITL Associate Director for IT Standardizationcarnahan@nist.gov301-975-3362Visit https://www.standards.gov to learn more about conformity assessment andaccess NIST conformity assessment guidance documents.19
1. There is a toolbox of conformity assessment approaches intended to meet a range of needs. 2. Conformity assessment program models vary based on balancing risk and resources. 3. Software and cybersecurity bring challenges to conformity assessment. Certain commercial products, organizations and websites are identified.
8. conformity assessment bodies Bodies that perform conformity assessment activities, including testing, calibration, certification and inspection. 9. Designation Acceptance of the applicant body that applicate to perform conformity assessment services in specific field in accordance with the rules of this procedure. 10. Applicant bodies
The online survey was distributed to stakeholders throughout the conformance system, and they completed the survey between 26 June and 10 July 2018. The target survey sample were organisations which provide conformity assessments (ie conformity assessment bodies) and organisations which use conformity assessment services. The aim was to hear from
AWS Conformity Assessment Report for: Coca Cola HBC Hrvatska d.o.o. LR reference: PIR0361689/ 3216964 AWS reference number: AWS-000317 Assessment dates: 10-11/12/2020 Assessment location: 1 Milana Sachsa, Zagreb 10000, Croatia Assessment criteria: AWS Standard Version 2, 22/03/2019 Assessment team: Artemis Papadopoulou Assessment type: Initial assessment
NOTE 1 First-party, second-party and third-party conformity assessment activities are defined in ISO/IEC 17000. NOTE 2 The term "document" is defined in 3.1.1. 3.1 Explanation Requirements for conformity assessment are in many cases comprehensively fixed in regulations.
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the development of International Standards and Guides. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
Conformity assessment — General requirements for third-party marks of conformity . ISO/IEC 17065, Conformity assessment — Requirements for bodies certifying products, processes and services . Minimum Scheme Requirements to Certify Criminal Justice Restraints Described in NIJ Standard 1001.00 . 3
According to NB-MED/2.2/Rec4. Conformity Assessment Procedures Annex III EC type-examination Annex IV EC verification Annex V production quality assurance Annex VI product quality assurance Annex VII EC declaration of conformity Annex II full quality assurance system xxxx Hardly
Adventure tourism is a rapidly expanding sector of the tourism industry internationally. New Zealand is internationally recognised as a country where adventure tourism and adventure sports are undertaken by a large proportion of the resident and visitor population. While the risks associated with adventure tourism and adventure sport activity are increasingly highlighted in media reports of .
