Key considerations for using Conformity Assessment in regulatory practice

There are a number of key considerations that should be kept in mind when using conformity assessment in regulatory practice.  Some of these considerations are interrelated and can be applied more than once during the development of regulation that uses conformity assessment.  For example, risk management can be used when identifying the characteristics of products that should be subject to conformity assessment or deciding what conformity assessment techniques (e.g. audit, test, inspection) to apply or confirming the frequency and nature of the surveillance activities.

Good regulatory practice   

Regulators may require the use of conformity assessment either through direct reference to the relevant International Standard or Guide in the regulation or through developing a conformity assessment scheme or referencing an existing one. Examples of direct references and use of conformity assessment schemes are provided in the last section on Case Studies.

In some cases use of conformity assessment in regulatory practice may need to be included in a Regulatory Impact Analysis (RIA) or Regulatory Impact Statement (RIS). RIAs/RISs are formal justification and cost benefit studies required in some countries prior to the proposed regulation being accepted. One common aspect of good regulatory practice when it applies to using conformity assessment to ensure the conformity assessment approach is commensurate with the risk or level of market failure that is trying to be managed.

Regulatory schema
Click to enlarge
Extent of Conformity Assessment activity

Regulators may consider which option best meets their needs by taking into account the:

  • nature of the risks involved;
  • extent or complexity of the conformity assessment required;
  • ability to practically access the selected conformity assessment option at the domestic level;
  • anticipated costs of each conformity assessment option (both in terms of administrative burden, price and time involved);
  • degree of independence the regulator expects in terms of providing conformity assessment results and statements of conformity;
  • level of market and political acceptance of the proposed option.

Examples include:

The European Commission uses the ‘principle of proportionality’ in the selection of conformity assessment options. Its Guide to the implementation of directives based on the New Approach and the Global Approach states “In setting the range of possible [conformity assessment] modules, directives take into consideration, according to the principle of proportionality in particular, such issues as the type of products, the nature of the risks involved, the economic infrastructures of the given sector (such as the existence or non-existence of third parties)… and “The principle of proportionality also requires that the directives should not include unnecessary procedures, which are too onerous relative to the objectives, in particular as laid down in the essential requirements.” (page 31).

The UNECE Risk Management in Regulatory Frameworks: Towards a Better Management of Risks (2012) provides a comprehensive guide to using standards and in a way that is proportionate to risks. It provides examples of how certification options may add costs and delays in reaching global markets, with potential impact on business competitiveness.
Among the various compliance options, one is to use conformity assessment as prescribed in the CASCO toolbox

Good regulatory practice obligations from the World Trade Organization (WTO) agreements that include conformity assessment comprise:

Examples of pluri-lateral and regional statements on good regulatory practice that include standards and conformity assessment are:

Other examples of global and regional bodies that have used standards to achieve policy goals and showing evidence of these good practices are:

  • North American Free Trade Agreement (NAFTA) - High Level Regulatory Cooperation Council (HLRCC), use standards which helps:
    • making regulations more compatible;
    • improve the analysis of regulations;
    • increase regulatory transparency;
    • increase technical cooperation; and
  • European Union‘s use of standards and conformity assessment systems in the New and Global Approach and the New Legislative Approach that enables operation of EU’s single market.
  • The UNECE Common Regulatory Framework for Equipment Used in Environments with an Explosive Atmosphere that aims at promoting free trade of these products. It is built on international standards which form the backbone of the common regulatory requirements, while the use of the IEC Conformity Assessment System IECEx provides the presumption of conformity with the said requirements.

Examples of national statements and codes on good regulatory practice include:

Functional approach to conformity assessment   

In using conformity assessment in regulatory practice it may be helpful to structure the policy development and discussion about the design of the conformity assessment options around the functional approach which provides for:

  • selection;
  • determination;
  • review and attestation;
  • surveillance.

Identifying controlled products and requirements   

It is appropriate to have a clear justification why the regulator considers an ‘object of conformity’ (e.g. product, process, service, management system, person, or organisation) needs to be regulated. In helping to identify the object of conformity and the characteristics of particular concern it is useful to consider:

  • empirical evidence such as reported instances of failure of the object and the subsequent consequences;
  • injury, hospital admission rates, morbidity statistics, crime and police statistics;
  • demographics, including populations most at risk (e.g. children or the elderly);
  • prevalence of the object in the market; and
  • sources of supply, distribution channels etc.

In many countries, lists of controlled products with mandatory standards and conformity assessment activities (e.g. mandatory certification) exist. In some cases these lists of controlled products are outdated or may simply be duplicated from other countries without due consideration as to whether the same issues actually occur in the country of adoption. Lists of controlled products should be regularly reviewed and updated to reflect contemporary risks and market concerns.

Once the ‘object of conformity’ and its characteristics of most concern are identified, specified requirements can be stated for that object of conformity in regulations, standards, codes of practice, technical specifications etc.  In some cases specified requirements may need to be developed or adopted.  Specified requirements should be written in clear and unambiguous language. 

Guidance on how to write specified requirements is provided in ISO/IEC 17007:2009, Conformity assessment - Guidance for drafting normative documents suitable for use for conformity assessment.

Conformity Assessment scheme design and ownership   

As part of the CASCO toolbox, ISO and IEC have produced ISO/IEC 17067:2013, Conformity assessment - Fundamentals of product certification and guidelines for product certification schemes, and ISO/IEC 17026, Conformity assessment - Example of a product certification scheme.

While these International Standards contain guidance in relation to schemes for certifying products, process and services, their content can be applied in the case of other ‘objects of conformity’ such as management systems, persons and organizations, and also for conformity assessment schemes that rely on first- and second-party claims of conformity.

If regulators choose to develop and mandate a scheme they must decide whether they will take the role of scheme owner, or simply mandate the use of an existing scheme. There are certain responsibilities for being a scheme owner, including developing, managing and maintaining the scheme, and determining who is to carry out the conformity assessment activities.

To read more:  Conformity assessment schemes.

Investment and cost associated with Conformity Assessment   

When deciding on the appropriate conformity assessment approaches for a particular situation, it helps to be aware of the amount of investment and cost associated with each alternative approach. As with most compliance options in regulation, resources must be committed to undertaking conformity assessment. Whether these commitments are considered to be ‘costs of compliance’ or ‘an investment’ in achieving company or public policy outcomes is a matter of perspective.   

There is always an investment or cost associated with carrying out self-assessment but as soon as another party becomes involved it is necessary to take account of what additional costs might be incurred and by whom. If the purchaser of a product decides to carry out their own assessment, they will generally have to bear the costs of undertaking their own conformity assessment (e.g. employing or outsourcing their testing activities, auditors and inspectors). If an independent body is contracted to carry out conformity assessment, the body will need to recover its costs from whoever it is working for. In the case of product certification, it is usually the supplier who will engage and pay the certification body.

The conformity assessment body’s costs will not only relate to the assessors involved in the assessment work but also all of the expenditure incurred in running its business, a proportion of which will be charged to each certification customer. Thus the decision to establish a conformity assessment scheme can add to the costs incurred in the supply of the certified products.  Similarly, a decision to require conformity assessment bodies to be accredited will add a further layer of expenditure to cover the operation of the accreditation. In addition to the direct costs of conformity assessment, there are other factors which have financial implications particularly for suppliers of certified products. The involvement of a third party can lead to delays in producing and delivering products if there is a significant time lag between the application for certification and the receipt of the certificate of conformity. With the ever-accelerating pace of product and market development, such delays can lead to lost opportunities to sell products and can even have an adverse effect on the reputation of the supplier. The financial consequences can be serious and measures need to be adopted to minimize them, such as fully understanding the specified requirements and maintaining good communications with the certification body from the outset.

In summary, the benefits of independent conformity assessment in terms of market acceptance and the avoidance of the consequences of product failures can outweigh the direct and indirect costs of the conformity assessment approaches, but such an outcome should be the result of a careful analysis of the risks, rather than being a matter of simply following the current fashion.

Conformity Assessment and competition   

Another important aspect to consider when designing a conformity assessment approach is whether to allow or encourage competition between conformity assessment bodies. The main benefits of competition are to provide choice for the suppliers and to prevent a single body from abusing a monopoly position. On the other hand, competing bodies might be tempted to cut corners in an effort to meet the needs of customers and care needs to be taken to prevent the standard of assessment from falling. 

Accreditation or peer assessment can help to counteract the adverse effects of competition.  

Taking risk into account   

Responsive image
Click to enlarge
Risk/compliance matrix

Some commentators suggest that when there is a low risk of an adverse effect being associated with failure of the ‘object of conformity’ then the conformity assessment tool most appropriate can be to ‘do nothing’ or require a first party supplier’s declaration of conformity (SDoC). If SDoC is undertaken in accordance with ISO/IEC 17050, then it means the manufacturer/supplier has undertaken appropriate conformity assessment activities to support their SDoC and that a formal technical file exists for that ‘object of conformity.
If failure of the ‘object of conformity’ results in a high risk of an adverse effect then some commentators consider that involvement of a second or third party is necessary to independently assure the object complies with specified requirements. This can be achieved through certification. As an added level of assurance conformity assessment results (e.g. test reports, inspection reports, certificates, etc.) can come from conformity assessment bodies (e.g. laboratories, inspection bodies, certification bodies) that are accredited and/or recognised through a peer assessment group. The  two figures illustrate this concept.

However, not all people support the above concept. Some proponents of SDoC argue that when SDoC is undertaken by a conscientious manufacturer/supplier can result in better conformity outcomes than independent third-party assessment. This is especially true if the manufacturer/supplier has invested in the own internal quality control activities, such as:

Responsive image
Click to enlarge
Perceived risk/independence & rigor
  • maintaining a quality management system;
  • ongoing production testing and inspection using competent in-house resources that may be accredited and/or participate in proficiency testing;
  • undertaking internal audits;
  • undertaking corrective and preventive actions; and
  • seeking customer feedback and responding to complaints. 

This is argued as being superior to the less frequent and often time-constrained external assessments by an independent third party conformity assessment bodies. In some cases SDoC use is based on mandatory third-party conformity results (e.g. the approach adopted for the CE marking system).

To learn more see: Conformity assessment – Risk management

Access to competent resources   

Competence is another consideration in using conformity assessment in regulation. Competence is defined as “ability to apply knowledge and skills to achieve intended results” (ISO/IEC 17027:2014). Whether conformity assessment activities are being carried out by the supplier of the products, the purchaser or an independent body, there must be a clear understanding of the competence necessary for those performing the conformity assessment tasks.

Recognised general requirements for the competence of conformity assessment bodies are contained in various International Standards and Guides that make up the CASCO Toolbox. Sometimes it is necessary to augment these general requirements with more specific requirements for the sector that is being covered, e.g. specific competencies for fields of testing. These more specific levels of competence can be stipulated by regulators as part of their regulations, or in association with requirements for accreditation or peer assessment.

Another important aspect in consideration of competence is access to competent resources.  In many countries specialised competencies of conformity assessment bodies and people may not exist. In which case regulation needs to take this into account to specify alternative conformity assessment means, or allow time for competence and capacity to build up. This could be achieved through setting a transition period to allow for the establishment of public and/or private competence capacity, and to engage with donors and development agencies to establish in-country capability.

The relevant International Standards for person certification bodies is ISO/IEC 17024:2012, Conformity assessment - General requirements for bodies operating certification of persons

Surveillance   

Market surveillance

Market surveillance by a regulator can be either pre-market, at-the-border, or post-market. It can involve sampling the ‘object of conformity’ in the above situations and carrying out some form of conformity assessment activity to ensure specified requirements are fulfilled. In this regard inspection and testing are often used to demonstrate an object’s conformity with specified requirements.

For some countries a form of pre-market surveillance especially for imports is pre-shipment verification of conformity (PVOC) which is carried out by an authorised agent of the regulator at the port of origin. Controlled goods that need to meet national standards are inspected and tested by these agents and if found to fulfil specified requirements a pre-shipment certificate of conformity is issued. This certificate then accompanies the shipment of those goods to the destination market and the shipment can be released at the port of arrival and onto the market once that certificate is authenticated. To ensure PVOC does not act as a technical barrier to trade, the specified requirements should also apply to the same goods that are produced domestically.

The advantage of PVOC is it allows the regulator to outsource the compliance checks associated with imported products, especially where there is a limited capacity to perform these checks within the destination country. It can also speed up delivery of compliant products onto the domestic market without holding up shipments at the border.

Further information and examples can be found in A guide to Good Practice – Principles and Practices in Product Regulation and Market Surveillance.

Conformity Assessment surveillance

In conformity assessment activities, surveillance is the partial or full reiteration of the determination activities (e.g. audit, exanimation, evaluation, inspection or test) on a periodic basis to ensure ongoing production or service delivery continues to fulfil the specified requirements and to maintain the validity of the statement of conformity. Samples of the objects of conformity can be assessed either during production or once on the market, or both. Such surveillance is required when the conformity assessment activities result in a mark of conformity being used on the product on an ongoing basis.

Where surveillance is required, good schemes will define the sampling criteria, determination techniques, and frequency at which surveillance must be undertaken. It is also good practice to moderate sampling and frequency to take into account the level of risk being managed and the track records of the individual supplier.