Attestations of conformity

After the application of one or more conformity assessment techniques to generate evidence of fulfilment of requirements, a statement of conformity can be issued.

These statement can be issued by different parties and generate different results. Thus, the question of who should carry out the conformity assessment is a crucial one when it comes to putting theory into practice.

One of the basic principles of conformity assessment is the principle of primary responsibility. It implies that the organization which owns the object of assessment or places it on the market has the primary responsibility for its conformity with the stated requirements.

To illustrate the principle of primary responsibility, the supplier of a product will have a contractual and a legal duty to the user that the product will perform its declared function and that it will not endanger the health or safety of the user. Even if the supplier obtains a certificate from an independent body stating that the product conforms to the relevant specification, if anything goes wrong, the supplier remains responsible. Although the independent body might incur some degree of liability, particularly if it had been negligent in performing the conformity assessment, that would not absolve the supplier from the primary responsibility. Of course, misuse by the end user, particularly a failure to read instructions or carry out proper maintenance, could absolve the supplier from liability for subsequent damage and its consequences.

First-party
Second-party
Third-party
Marks of conformity

Supplier’s declarations of conformity (SDoC)

Confidence that products, processes, services , systems etc. conform to specified requirements is essential for world-wide commerce. ISO and IEC, through the ISO Committee for conformity assessment (CASCO) develops International Standards that enable regulators, suppliers and consumers to have confidence that a product, process, service or system (i.e. an object of conformity) meets specified requirements.In ISO/IEC terminology, “attestation” is the issue of a "statement", based on a decision, that fulfilment of specified requirements has been demonstrated.
Attestations of conformity can be made:

by a first-party, e.g. the manufacturer or supplier of the object of conformity;
by a second-party, e.g. the purchaser or user of the object of conformity; or
by a third-party, e.g. a person or organization that is unrelated to the manufacturer or supplier of the object of conformity or their customers (e.g. a third-party testing laboratory, inspection body or certification body).

First-party attestations of conformity

In relation to first-party attestations of conformity, a supplier who attests that their product, process, service, system etc. conforms to specified requirements, is making a Supplier’s Declaration of Conformity (SDoC). To support their attestation, the supplier may conduct conformity assessment activities such as testing, inspection or auditing, either themselves or through contracting with a third-party to undertake these assessment activities. The test, inspection or audit results are evaluated, and when all requirements are met, the supplier may issue a declaration or statement that their product, process, service or management system is in conformance with the requirements. This declaration can be documented and made available with supporting documentation when authorities, supply chain partners, customers or consumers request it.

Global consistency in SDoC

SDoC is a type of conformity assessment that allows a supplier to make a first-party attestation that an object of conformity fulfils specified requirements. To support the consistent application of SDoC around the world, ISO/CASCO has for many years produced requirements covering this type of conformity assessment [1]. The original ISO/IEC Guide Public Sector Assurance 22:1982, Information on manufacturer's declaration of conformity with standards or other technical specifications, has been revised several times and the current ISO/IEC documents containing general requirements for SDoC are:

ISO/IEC 17050-1:2004 Conformity assessment - Supplier's declaration of conformity - Part 1: General requirements; and
ISO/IEC 17050-2:2004 Conformity assessment - Supplier's declaration of conformity - Part 2: Supporting documentation.

These standards provide requirements for first-parties to fulfil when they make attestations that products, processes, services, and systems conform to standards, regulations or other specifications.
Part 1 specifies the general requirements for making an SDoC and includes a sample SDoC. Part 2 describes the types of supporting documentation to substantiate an SDoC, for example, the results of tests carried out by the supplier or an independent body.
Under the standards ISO/IEC 17050 Parts 1 and 2, self-declarations of conformity:

are based on results of appropriate conformity assessment techniques;
provide enough information for the recipient of the declaration to understand what conformity assessment attestation is being made, including:
unique identification;
name and address of the issuer;
identification of the object of conformity (e.g. the product, process, service, management system etc.);
the statement of conformity;
complete and clear list of the specified requirements (e.g. standards) as well as selected options (if relevant) to which conformity is declared;
data and place of issue of the declaration;
signature or equivalent of an authorized person;
any limitations (e.g. geographical);
the issuer has procedures in place to ensure continued conformity; and
the issuer maintains a ‘technical file’ for each declaration that contains:
description of the object of conformity (product, process, services etc.);
design documentation;
conformity assessment results, including:
- methods used (auditing, audit procedures, batch testing, design review, verification and validation, sampling plan, test methods, type testing) and reasons for their selection;
- evaluation of the results, including deviations and concessions; and
identification and competence records of people and organizations involved in producing and reviewing conformity assessment results.

Use of SDoC

The use of SDoC is widely used in transactions between businesses, and can be made a requirement through legally enforceable agreements and contracts between buyers and sellers. The most frequent application of SDoC is for products, but it can also be used for services, processes and management systems.

SDoC is also used in regulatory systems, sometimes as a prerequisite for market access of products and in cases when there is a need to establish a legal responsibility on the supplier of product, process, service or system. An example of the mandatory application of SDoC is in the European Directives under the New Approach and the New Legislative Approach [2].

Other aspects that should be in place to support the effective use of SDoC include [3]:

active and consistent market surveillance to ensure that products being placed on the market on the basis of SDoC are indeed fulfilling the specified requirements – this is especially true when ‘internal markets’ are established across various jurisdictions (e.g. across the various Member States of the European Union) to ensure each state has the resources and competence to adequately fulfil their market surveillance responsibilities;
appropriately enforced product liability laws that have sufficient penalties to act as a deterrent to suppliers making attestations of conformity when they have not invested in the necessary supporting conformity assessment activities; and
generally ensuring that all market participants (including regulators and suppliers) have access to sufficient technical competence that have the knowledge and skills to effectively undertake supporting conformity assessment activities.

EXAMPLES OF THE USE OF SDOC

The European Union (EU) has an extensive experience in the use of the Suppliers' Declaration of Conformity (SDoC). The European Directives, enacted under the New Approach and the New Legislative Framework, define the common legal basis for many product categories in the European Economic Area. The objective is to establish the Single Market by common legal, health, safety and environment requirements on a high protection level, and to harmonize the conformity assessment processes required for placing products on the European market.

The legal requirements are laid down as essential requirements in the European Legislation for the CE-marking of products for example. These essential requirements that products must meet to be placed on the EU market and move freely throughout the Member State countries are given by EU-regulation or EU-Directives. The requirements are expressed in terms of objectives establishing a high level of protection. The manufacturer or supplier has to fulfil the legal requirements according to the state of the art. Often the technical specifications for products are laid down in harmonized European standards, which are published in the Official Journal of the European Communities (OJEC). They can be voluntarily applied alongside the legislation. Products manufactured in compliance with these harmonized standards benefit from a presumption of conformity with the corresponding essential requirements of the relevant legislation⁴. This means that these products fulfilling harmonised standards are presumed to meet the relevant essential health and safety requirements and can be placed on the EU market.

As part of all conformity assessment procedures, the EU legislation imposes an obligation on the manufacturer to draw up and sign a legally binding EU Declaration of Conformity (EU-DoC) before placing the product on the market⁵. ISO/IEC 17050-1 and -2 are also ‘harmonized standards’ with respect to the formal requirements in the EU-DoC and are the template for all EC-DoCs. The manufacturer or supplier must establish a technical file, with documentation on design, manufacture and operational aspects of the product, reflecting the results of an appropriate risk assessment and any necessary conformity assessment activities in accordance with prescribed conformity assessment modules. The manufacturer or the supplier can then affix the CE marking and prepare the EU-DoC that must be kept and made available to the national authorities on request. By doing so, the manufacturer or the supplier states that the product satisfies the essential requirements of the applicable EU-Regulations or EU-Directives and assumes the responsibility and liability for the product including its conformity. For some categories of products, involvement of a third-party conformity assessment body (“Notified Body”) is necessary [3]. In all cases the EU-DoC remains the legally accepted form of attestation of conformity.

The CE marking is the visible consequence of the above process and indicates that a product is declared by the manufacturer as being in conformity with European Union harmonization legislation [3]. It is an essential piece of information to Member States’ authorities as well as other relevant parties (for example importers or distributors).

Conformity assessment using SDoC is applied in a number of EU-Regulations and EU-Directives covering a large range of products, such as electrical and electronic equipment, machinery, toys, medical devices, personal protective equipment, radio equipment, construction products, reduction of hazardous substances, etc. covering a market volume of several thousand billion Euros.

In the United States, some regulatory agencies accept the use of SDoC. For example, the U.S. Federal Communications Commission (FCC) has adopted a rule that permits recognition of SDoC (also sometimes called Self Declaration of Conformity) for certain information technology devices. For other equipment, such as personal computers and attachments thereto, the FCC allows the equipment declared compliant by the supplier, under a process called Declaration of Conformity, provided that supporting test results are obtained from a recognised laboratory. Similar arrangements apply in Australia and New Zealand.

Under the Electricity (Safety) Regulations 2010, a supplier’s declaration of conformity is required before placing on the market any low voltage or extra-low voltage fittings or appliances that have been declared as medium risk by the regulator. These products include certain Electric Wires and Cables; Switches for Circuit, Installation Protective and Connection Devices; Electrical Tools; Electric Welding Machines; Household and Similar-use Appliances; Audio and Video Products; Lighting and Electrical Appliances; and Power Transformers, Power Supply Units and Similar Products. The supplier’s declaration of conformity must be in accordance with ISO/IEC 17050 Part 1, and the official government supplied forms reflect the suggested format contained in this International Standard.

J. Urman, Trusting in a Supplier’s Declaration of Conformity, ISO Focus, February 2004, p. 23.
European Commission (2016-04), The ‘Blue Guide’ on the implementation of EU product rules 2016, Chapter 5 ‘Conformity assessment’, pp. 62-72.
L. Tamiotti, TBT Workshop on Supplier’s Declaration of Conformity (SDoC), 21 March 2005.
European Commission (2016-04), The ‘Blue Guide’ on the implementation of EU product rules 2016, Chapter 4.2.1, p. 39.
Ibid., chapter 4.4, p. 54.

Standards

ISO/IEC 17050-1:2004

Conformity assessment

Supplier's declaration of conformity
Part 1: General requirements
ISO/IEC 17050-2:2004

Conformity assessment

Supplier's declaration of conformity
Part 2: Supporting documentation

Related information

For further information on SDoC, ISO/CASCO work on conformity assessment, and other forms of conformity assessment, such as third-party conformity assessment please see the following web-links:

Second-party attestations of conformity

Second party attestations of conformity are often made through supplier and retail chains where the purchaser of the object undertakes some form of conformity assessment to check that the object meets the specified requirements. In this regard any combination of the main conformity assessment techniques can be used. The second party then makes a statement about the products that they have purchased.

Audit criteria are used as a reference against which conformity is determined.

Apart from the various International Standards about conformity assessment techniques and how to develop conformity assessment schemes in general, ISO and IEC do not have any specific standard or guide about second party conformity assessment

Third-party attestations of conformity - Certification

Third party attestations of conformity are made by organisations that are independent of the person or organization that provides the object, and of user interests in the object. Examples of third parties include independent and impartial testing laboratories, inspection bodies or certification bodies. Third-party statements of conformity are defined as certification.

ISO/IEC have developed a number of International Standards related to third-party conformity assessment.

Guidance on product certification schemes

ISO/IEC 17067:2013

Conformity assessment

Fundamentals of product certification and guidelines for product certification schemes
ISO/IEC TR 17026:2015

Conformity assessment

Example of a certification scheme for tangible products
ISO/IEC 17021-1:2015

Conformity assessment

Requirements for bodies providing audit and certification of management systems
Part 1: Requirements
ISO/IEC 17024:2012

Conformity assessment

General requirements for bodies operating certification of persons
ISO/IEC 17065:2012

Conformity assessment

Requirements for bodies certifying products, processes and services

Marks of conformity

Statements of conformity may be associated with placing marks of conformity on a product. However, it should be appreciated that test reports, audit evidence, examination, inspection or evaluation results are snapshots in time, and can be issued to report a failure. A certificate/mark of conformity can only be issued where conformance has been confirmed and certifies the ability of performing a certain function through a certain period of time, which is generally pre-defined.

Frequently, the use of a mark of conformity is controlled through a registration or licence issued by the owner of the mark or by an organization operating on behalf of the owner such as a certification body. The licence spells out the conditions under which the licensee can use the mark, such as the restriction to use it only on products which the supplier has verified as conforming to the certified product type. Policing of the use of marks of conformity is vital for the interests of the owner and licensing body, since products bearing their mark are often produced under a system in which only occasional samples of product are verified by the licensing body.

Marks must be distinctive and their ownership and conditions of use should be clearly stated. In particular the use of a mark should not be misleading to purchasers and users of the products. For example, a supplier which has a certified management system conforming to ISO 9001 must not place the certification body’s mark on its products, since that would imply that the body had actually certified the products and not just the management system.

Examples include:

the first party’s (supplier’s) own trade mark;
a second party mark of quality or branding;
a third party certification mark controlled by a scheme owner or a certification body;
marks of regulatory compliance such as the European Union’s CE mark.

Standards

Advice on marks of conformity is contained in the following ISO/IEC conformity assessment publications:

ISO/IEC Guide 23:1982 [Withdrawn]

Methods of indicating conformity with standards for third-party certification systems
ISO Guide 27:1983 [Withdrawn]

Guidelines for corrective action to be taken by a certification body in the event of misuse of its mark of conformity
ISO/IEC 17030:2003 [Withdrawn]

Conformity assessment

General requirements for third-party marks of conformity