General Conditions and Procedure Guidelines or the Certification of Functional Safety Management Systems

0. Introduction
1. Scope
2. Audit and Certification Procedures
3. Utilisation of FSM-Certificates and FSM-Mark
4. Obligations of Certification Body
5. Co-operation of Client
6. Objection Procedures
7. Effectiveness and Amendment

0. Introduction

The certification body Automation, Software and Information Technology for functional safety management systems of TÜV Rheinland Industrie Service GmbH (TÜV-ASI), TÜV Rheinland Group, offers its services for audit and certification of Functional Safety Management (FSM) systems according to the requirements of international standards, for example the IEC 61508 or IEC 61511.

The existing structural organisation and procedures of the certification body are based on the criteria determined by DIN EN 45012. The organisation and certification procedures follow quality management procedures accordingly.

TÜV–ASI has gained its special experience in functional safety over many years with type approvals based on e.g. industrial and machinery standards like DIN VDE 0801 or EN 954.

According to this, the FSM-auditors are not only competent in auditing FSM organizational measures but they are also able to judge the organizational measures for their technical effectiveness, because of their own practical experiences.

1. Scope

These general conditions and procedure guidelines regulate the audit and certification and surveillance of functional safety management systems based for example on the IEC 61508 or IEC 61511.

2. Audit and Certification Procedures

2.1 Prerequisites

The client appoints the certification body with the certification of his functional safety management system.

A certification contract has to be signed as part of the order placing in which

- these general conditions and procedure guidelines,
- the general conditions of TÜV Rheinland Industrie Service GmbH as well as
- the price list of the certification body in the latest valid version

are being accepted as basis of the order.

The client has to be registered in the register of companies according to the commercial law.

2.2 Procedure of Certification

The figure shown below illustrates the correlation of the certification steps, which will be detailed in the following chapters.
 

2.2.1 Kick off-Meeting

The certification body offers and – if ordered – conducts a kick off-meeting as an initial step. The kick-off meeting is an informative meeting in which the auditors of the certification body and representatives of the client participate.

Objective of the Kick-Off Meeting is to define the geographical and technical scope of the certification procedure (scope of certification) and to agree and circumstantiate the course of certification steps on the company specific conditions.

A detailed description is necessary in case not all lifecycle phases, which are necessary for the development or manufacturing of a product are applicable for the company to be audited.

Special attention is paid to service providers and/or suppliers who participate during the FS - lifecycle.

The information for the preparation of the next audit steps as well as the certification contract with enclosures mentioned in clause 2.1 will be handed over or sent to the client after the conclusion of the kick-off meeting.

The certification procedure of the functional safety management system is further on structured into the following four steps.

2.2.2 Step 1: Pre-audit

Upon the results of the kick-off meeting an offer concerning the certification is submitted by the certification body. The client places an order and signs the certification contract. The pre-audit is carried out by an audit team with two auditors.

Before the audit takes place the client and the certification body agree upon an audit plan.

The objective of the pre-audit is to identify deviations of the planned or implemented functional safety management system. To achieve this the FSM-organization is inspected with regard to the requirements of, for example IEC 61508 or IEC 61511 and the assigned QM (FSM) procedures.

The results of the pre-audit are presented at the end of the audit day and summarised in an open item list (OIL) which is updated throughout the whole certification process.

2.2.3 Step 2: Review of FSM Documentation

The client submits his assigned and amended FSM documentation before the certification audit.

The FSM documentation (e.g. FSM manual, QM-procedures and work instructions) will be evaluated by the audit team.

The results of the review are communicated to the client and summarised in the updated OIL.

If the documentation does not fulfil fundamental requirements of the standard, an additional conversation for the clarification is agreed upon.
 

2.2.4 Step 3: Certification Audit

Before the audit takes place, the client and the certification body agree upon an audit plan.

The certification audit is carried out by the same audit team that has conducted the pre-audit in one or two audit day(s).

During the certification audit at the location of the company, the effectiveness of the implemented functional safety management system will be examined.

Basis for the audit is the FSM scope, the FSM documentation, and the applicable requirements of IEC 61508 or IEC 61511. The audit questionnaire and the information obtained from the above-described previous steps serve as guideline for the assessment.

The task of the company is to demonstrate the practical application of it’s documented procedures.

The results of the audit are presented in a final meeting at the end of the audit. Deviations as well as recommendations are documented in the updated OIL.

Critical deviations lead either to an additional audit, which means a renewed examination at the location of the company or to a submission of documents which provide evidence of corrective actions performed.

In case of minor deviations, recommendations are expressed. The corresponding correction measures are object of the surveillance audit.

After clarification of the identified deviations, the course of the audit and it’s results are summarised in an audit report. This report includes a recommendation for certification addressed to the certification authority (head of certification body).

2.2.5 Step 4: Granting of FSM-Certificate

The certification authority decides upon the audit report and the audit documentation whether or not the certification of the FSM system is granted.

A FSM-certificate will only be issued if all identified deviations have been clarified and correction measures have been performed or determined in writing.

The validity duration of the FSM-certificate is three years if at least a surveillance audit will be carried out once a year in the company.

2.3 Surveillance Audit

In order to maintain validity of the FSM-certificate, an annual surveillance audit is conducted.

Amendments of the functional safety management system have to be submitted by the client in writing before the audit takes place.
 
Objects of the surveillance audit with reference to recent projects are primarily all relevant changes, corrections, amendments and/or innovations concerning the geographical and technical scope of the certification which in the meantime have been undertaken by the client.

Also the correct use of the FSM-certificate in technical documentations or publications will be reviewed.

Surveillance audits are carried out normally by one auditor in one or two audit day(s).

The surveillance audit should be carried out three months before or after the month of issuing the FSM-certificate for the basic certification.

In case of deviations, the procedure will be the same as of the certification audit. In case of critical deviations, the FSM-certificate can be withdrawn.

After each surveillance audit, the client receives a summery report.

2.4 Re-certification Audit

Before the validity is expired, a re-certification audit at the location of the company for the extension of the validity of the FSM-certificate for a further period of three years has to be carried out.

The effectiveness of the complete functional safety management system is again examined in the re-certification audit.

Amendments of the functional safety management system have to be communicated in writing by the client before the audit takes place.

The re-certification audit is carried out according to step 3.

2.5 Extension of Scope

It is possible to extend the certification scope with regard to an additional location, to additional activities or to additional lifecycle phases. In such cases the scope of certification is extended accordingly in a surveillance or a re-certification audit or in a specially arranged appointment.

The expenditure for the audit duration and costs depend on the degree of scope extension.

3. Utilisation of FSM-Certificates and FSM-Marks

After the positive assessment of audit documentations the certification authority issues a FSM-certificate stating the conformance of the client’s functional safety management systems for example with IEC 61508 or IEC 61511.

The right of utilisation of the FSM-certificate by the client applies only to it’s confirmed location and/or scope of certification which is stated on the FSM-certificate and, in more detail, in the audit report. 

The FSM-certificate and the audit report must not be copied in an abridged version without the written permission of the certification body.

A FSM-certificate becomes invalid if

- the duration of validity mentioned on the FSM-certificate expires,
- the owner of a FSM-certificate (company) does not require the FSM-certificate and  terminates this in writing before the expiry date mentioned on the FSM-Certificate,

- the certification contract is being terminated from one of the contract parties under the consideration of notice of termination,

- the client goes into bankruptcy or an application of bankruptcy disclosure directed against him has been rejected because of lack of assets,

- the requirements, which are the basic standard of the FSM-Certificate, have been amended or other requirements, e.g. because of the changed utilisation, have to be applied,

- the client does not indicate alterations or signs of alterations within his company immediately, which definitively concern the scope of certification.

A FSM-certificate can be withdrawn by the certification body if

- critical deviations are found for example during the surveillance audit,

- the manufacturer does not permit or hinder the audit of his FSM system,

- misleading or other inadmissible advertisement in relation to the FSM-certificate is being conducted,

- based on the facts, which were not identified at the time of granting of FSM-certificate, a violation against these general conditions and procedure guidelines exists.

- payment has not been effected within the period of time indicated by the certification body,
- the validity of the certificate is prohibited by law and order.

The certification body can publish the invalidity or the withdrawal according to it’s own estimation.

The certification body is authorised to inform the supervisory authorities, the accreditation bodies, the nominated bodies and the registration authorities concerning the invalidity or the withdrawal of FSM-certificates.

The certification body is not liable for disadvantages to the client resulting from non-granting, invalidity or withdrawal of a FSM-certificate.

All restrictions listed above are applicable for the FSM-Mark in the same way. 

4. Obligations of Certification Body

The certification body commits to handle all accessible information concerning the business of the client confidentially and only use it for the agreed purpose. The accessible documents will not be given to a third person. Herewith excluded is a thorough report to the court of arbitration in case of disputes. The client can release the pledge of confidentiality from the certification body in case of specified reasons.

The liability of the certification body to the client or third persons is only provided so far as laid down by the law in case of intention or major negligence. Further claims are not included.

The head of the certification body is obligated within his possibilities to pay attention to the correct description of certification in advertising measures done by the client.

The certification body informs the holder of the certificate concerning alterations within the certification procedure, which have a direct effect on him.

The certification body administers a register of the certified companies including information on the scope of certification and publishes it upon request.

5. Co-operation of Client

The client puts all QM-documents necessary for the audit at the disposal of the auditors for insight and assessment.

The client allows the auditors access to all areas of the company, which are involved within the geographical scope of the certification procedure.

The client informs the certification body immediately about amendments made and/or intended to be made by him to the certified FSM system. The further validity depends on the evidence given by the client about the fulfilment of the certification basis.

The client informs the certification body about intended movings of inspected company sections in time or about intended transfer of his company to another company or another owner.

The client has to register and archive all complaints relating to his products which will be manufactured or developed on the basis of the certified FSM-System. Upon request of the certification body, he has to put the documents at disposal free of charge and inform about taken measures to eliminate the existing justified complaints.

The client is obliged within the bounds of the FSM system to archive the documents referring to the product or installed system for a period of ten years after the products have been marketed or installed on site independent of the duration of validity mentioned on the FSM-certificate. Above all that requirements from other legal works remain unchanged.

6. Objection Procedures

The client can submit objections or complaints to the certification body concerning unsatisfactory decisions made by the certification body. The certification body then has to give a detailed reason for it’s decision to the appellant.

Should the given reason of the certification body not be acceptable for the appellant, the procedure to submit the complaint to the head of the certification body is open for him. The head of the certification body has to meet a definite conclusion of resolution.

7. Effectiveness and Amendment

These general conditions and procedure guidelines become operative on 2006-04-19.

They are generally valid for all FSM-certificates which have been granted in the period of validity.

Future relevant amendments concerning the general conditions and procedure guidelines will be submitted to the client in writing and can be applied to the existing FSM-certificates in writing upon agreement with the owners.