ISO-17065 and NC classification

[ComplianceCaptain]

As I'm sure we are aware ISO 17065 doesn't specify classification of NCs. As a CB the stance we take is that it doesn't forbid it, so we still classify based on degree of risk to the MS, as this is what our clients know and expect. It also helps as we also integrate EN 1090 with ISO 9001, which does specify classification. The NCs are reported as "with evidence" and certification is not granted until evidence of closure of the NCs is submitted.

We have had an NC against this from our AB stating that classification is prohibited. Please tell me am not going mad - 17065 doesn't explicitly forbid it, only mandates closure before certification for any NCs.

Obviously I'm going to comply and implement a CA as required, but this is going to involve code change in our database, validation etc - which is going to be a bit of a pain.

How is this handled internationally? Do you classify NCs for product certification, or state compliant/non-compliant?

 

[Sidney Vianna]

We have had an NC against this from our AB stating that classification is prohibited.

What requirement was cited to support the NC? No shall, no foul.

 

[ComplianceCaptain]

What requirement was cited to support the NC? No shall, no foul.

So the clauses covering this are as quoted:
ISO 17065: 2012
Clauses 7.4.7 If one or more nonconformities have arisen, and if the client expresses interest in continuing the
certification process, the certification body shall provide information regarding the additional evaluation tasks
needed to verify that nonconformities have been corrected.
7.4.8 If the client agrees to completion of the additional evaluation tasks, the process specified in 7.4 shall
be repeated to complete the additional evaluation tasks.
7.4.9 The results of all evaluation activities shall be documented prior to review (see 7.5).

Further quoting EN 1090 but not specifying a clause - assumedly 6.2.9 "Corrective actions shall be taken when the results of evaluations show non-compliance, and the results of these actions must be recorded."

I have always interpreted this as there being no restriction against classifying findings provided these do not conflict with the standard’s intent. I'm curious as to others' interpretations.

Edit - the only must is that there is evidence of implementation of the CA

 

[Sidney Vianna]

The construct of classification of nonconformities is embedded in 17021-1. So, while not a requirement for categorization, that standard CLEARLY allows/suggests it.

In management system certification protocols, it is a dogma that, without an explicit, written and valid requirement, THERE IS NO valid NC. I am surprised you are not appealing this.