Rules and Procedures for Smart Card / Microelectronics Module Testing and Certification

 

(Issue 2 Dated 1st August 2006)

 

 

 

Section 0 : Preface

 

0.1  Background

 

National Informatics Centre (NIC) is a premier Government organization providing IT-related support to different Ministries and Departments in different fields of e-Governance. NIC has been entrusted by the Ministry of Road Transport and Highways (MoRT&H) and the Office of Registrar General, India (RGI) to work as technical support provider for the projects of Smart Card based Driving License & Vehicle Registration Certificate (DL/RC) and Multi Purpose National Identity Card (MNIC) respectively across the country. This involves the following technological areas,

 

 

Certification of compliance to defined standards and application requirements of Smart Card, Microelectronics Module and Hand Held Terminals is one major task in ensuring the interoperability of Smart Card based DL & RC and Microelectronics Module for MNIC across the country.

 

0.2 Approval & Issue

This document is the property of National Informatics Centre, Dept of Information Technology and should not be reproduced in part or full without the written consent.

 

 

 

Reviewed by:

 

 

____________________________  ______________________________________

Director (Test & Evaluation), STQC Directorate

Director (Smart Card Product Certification), National Informatics Centre

 

 

 

 

Approved by:

 

                                      ________________________________________________

                                      Head (Smart Card Product Certification Body)                              

 

 

 

 

 

Section 1: General

 

1.1   Purpose & Scope

 

The purpose of this document is to lay down the policies and procedures for the Smart Card Product/ Microelectronics Module certification scheme operated by National Informatics Centre (NIC) and Standardization Testing & Quality Certification Directorate (STQC), as per the applicable National/International standards and normative documents.

 

This document describes the organization of Certification Body and process of certification, which, by means of assessment/evaluation and subsequent surveillance provides an adequate level of confidence that the certified Smart Card/ Microelectronics Module is conforming to the specified requirements of the applicable standard and applications.

 

The Certification Body will take all steps necessary to evaluate Smart Card Product/ Microelectronics Module  to determine its conformance to all the applicable requirements as defined. This will include

 

- Identification of applicable standards/normative documents                                              

- Evaluation Criteria

- Process for ensuring compliance

- Criteria for suitability and competence of personnel and/or test laboratories

 

This document is applicable to all those involved in providing the certification services.

 

1.2   References

 

ISO/IEC Guide 2 - General terms and their definitions concerning standardisation and related activities

 

ISO/IEC Guide 65 - General requirements for bodies operating product certification systems

 

ISO9000 - Quality Management Systems- Fundamentals & Vocabulary

 

EN 45011 - European standard for ‘General criteria for Certification Body operating Product Certification’

 

1.3   Definitions

 

For the purpose of this document, the following definitions, in addition to those given in ISO/IEC Guide 2 & ISO 9000 shall apply.

 

Supplier ( Client )

 

The party that is responsible for providing product, process or service and is able to ensure that quality assurance is exercised. The definition may apply to manufacturer, distributors, importers, assemblers, service organizations etc.

 

 

Manufacturer of smart card/ Microelectronics Module 

 

An organization situated at stated location(s), which carries out or controls such stages in the manufacturing (implantation/embedding), inspection, handling, and storage of smart cards/ Microelectronics Module  that enables it to accept responsibility for quality assessment of the smart cards/ Microelectronics Module.

 

Quality Assessment

 

The totality of measures carried out consistently and systematically, in order to ensure that a product conforms with the requirements of a stated specification.

 

Certification of Conformity (or compliance)

 

Action by MoRT&H and RGI authorized agency, demonstrating that adequate confidence is provided that the supplier’s product and/or system are in conformity with specified requirements of applicable standard or normative document.

 

Certification System

 

System that has its own rules of procedures and management for carrying out Certification of compliance/conformity.

 

Certification Body (CB)

 

The body which conducts certification of compliance/conformity with respect to published standards and any supplementary documentation required under the system.

 

Registration

Inclusion of the supplier’s particulars and field of assessed capability by the Certification Body in an appropriate register or list.

 

Certificate of Compliance/Conformance

 

Document issued under the rules of a Certification System indicating Compliance/ conformance to the specified requirements of the applicable standard or application requirements to a specific Smart Card product/ Microelectronics Module  with unique Brand Name/Product Name given by the interested party, which is a Supplier or Manufacturer of Smart Card/ Microelectronics Module, to its product.

 

Certification Agreement

 

An agreement which is part of the Certification System and which details the mutual rights and obligations of the certificate holder and the Certification Body, and which includes the right to use the certificate.

 

Appeal

 

A formal expression of dissatisfaction by a party affected with a decision of a Certification Body, which is directly related to the certification status of the product of the party affected.

 

Complaint

 

A formal expression of dissatisfaction with some matter related to a Certification Body, a certified supplier, a certified product or an individual.

 

Dispute

 

Expression of difference of opinion between two parties in relation to some matter related to a Certification Body, a certified supplier, a certified product or an individual.

 

Minor Non-conformity

 

A Minor Non-conformity is an isolated lapse that will not directly affect the conformance of the product to the applicable requirements. However, if it persists, it may be considered a major non-conformity.

 

Major Non-conformity

 

A Major Non-conformity is the absence of, or the ineffective implementation of, one or more required system elements, or a situation which would, on the basis of objective evidence or evaluation, affect the conformance of the system or product to applicable requirements (e.g. nonconformities arising from OS and SCOSTA documents).

 

 

Section 2 : Certification Body

 

2.1 Name and Office Locations

 

National Informatics Centre (NIC) is designated as a Certification Body for compliance testing of smart cards, Microelectronics Modules and Hand Held Terminals for Driving License & Vehicle Registration and Multi Purpose National Identity Card by the Ministry of Road Transport & Highways, Govt. of India and the Office of Registrar General India, Govt. of India respectively, and operates from its HQ at New Delhi, India.

 

2.2 Legal Status

 

NIC is a part of Department of Information Technology, Ministry of Communication & Information Technology (MCIT), Government of India. (Refer cl. No. 2.4 : Organization description )

 

 

2.3 Goal, Policy and Objectives

 

Goal

 

To provide certification services for Smart Cards products/ Microelectronics Module  in a competent and credible manner, to enhance the acceptability of Smart Cards/ Microelectronics Module  by users/ organizations.

 

 

General Policy statements and commitments

 

The Certification Body provides unhindered access to all the eligible applicants (organizations that intend to bring their products to the market to be used for the Driving License and Vehicle Registration & Multi Purpose National Identity Card purposes in India) seeking certification of their Smart Card Product/ Microelectronics Module whose activities fall within its declared field of operation, without undue financial or other conditions. However, it is a condition of certification that certified organizations are regularly involved in the activities for which they have been certified.

 

All the procedures adopted by the Certification Body are administered in a non-discriminatory manner. The Certification Body makes its services accessible to all eligible applicants, without any undue financial or other conditions.

 

The Certification Body confines its assessment and decision on certification to those matters specifically related to the scope of certification being considered.

 

The Certification Body has defined criteria against which the Smart Card product / Microelectronics Module of an applicant is assessed. In case of a change in product specification for any component of the product vis-à-vis these criteria, re-certification will be required.

 

The Certification Body is responsible for its decision relating to the granting, maintaining, extending, reducing, suspending and withdrawing certifications.

 

The Certification Body has an identified management structure which has the overall responsibility for the operation of the Certification System.

 

The Certification Body has a documented structure which safeguards impartiality, including provisions to assure the impartiality of the operation of Certification Body. It further enables participation of all interested parties in the content and functioning of certification system.

 

The Certification Body ensures that each decision on certification is taken by persons different from those who carried out the testing/assessment/evaluation.

 

The Certification Body has defined authorities and responsibilities relevant to its certification activities.

 

The Certification Body has adequate arrangements to cover liabilities arising from its operations and/or activities (as specified in the certification agreement).

 

The Certification Body has financial stability and resources required for the operation of the certification system, in the form of budgetary and resource support from MoRT&H / RGI and NIC respectively. The financial administration of the scheme, including determination of charges, is the responsibility of the Head (Smart Card Product Certification Body).

 

The Certification Body has sufficient number of personnel having the necessary education, training, technical knowledge and experience for performing certification functions under the overall responsibility of Head (Smart Card Product Certification Body).

 

The Certification Body has a documented system to provide confidence in its ability to operate a certification system.

 

The Certification Body’s personnel along with Head (Smart Card Product Certification Body) & staff are free from any commercial, financial and other pressures, which might influence the results of Certification process.

 

The Certification Body has defined criteria for appointment and operation of all the committees needed for Certification process. These committees are free from any commercial, financial and other pressures that might influence decisions.

 

The Certification Body has a defined policy and procedure for resolution of Complaints, Appeals and Disputes received from suppliers or other parties about the handling of certification or any other related matter.

 

2.4 Organisation

 

Organisation description

 

The certification body has

 

  I.   Head (Smart Card Product Certification Body)

 II.   Management Review Committee

III.   Technical Advisory Committee (TAC)

IV.   Certification Committee (CC)

 V.   Director (Smart Card Product Certification)

         -Techno-Administrative Support Cell

VI.   Director (Smart Card Test & Evaluation)

         - Test Engineering Cell

         - Technical Support Cell

 

 

 

[Figure: Organisation chart of the Certification Body. Legend: dashed line = Advisory Inputs; solid line = Administrative reporting]

 

Criteria, Composition and Terms of Reference

 

I)        Head, Smart Card Product Certification Body

 

DDG-NIC is the Head of Smart Card Product Certification Body acting under the authority of DG-NIC, Government of India. He is responsible for safeguarding the impartiality of the Certification Operations and for providing confidence in its certification.

 

The members are appointed by the Head (Smart Card Product Certification Body), in consultation with respective interested parties, for a period of 3 years.

 

Director (Smart Card Product Certification)

- An active professional in Smart Card technology and certification, and at sufficiently senior level.

 

- has sufficient work experience (preferably not less than 20 years) in Application development, management, Informatics, testing etc.

 

- Along with his team is responsible to the DG, NIC and thereby to the Ministry of Road Transport and Highways /Office of Registrar General, India for operation of the Certification System.

 

- will act on the advice of the Certification Committee on certification decisions. In case of equal votes in the Certification Committee or conflict of opinion with the decision of the Certification Committee, he may take a decision, as appropriate.

 

- is responsible for approval of System Procedures and Forms/ Formats on the advice of a committee appointed by DG, NIC and concurred by TAC.

 

II)            Management Review Committee (MRC)

 

The object of the Management Review Committee is to carry out a periodic review of the Smart Card product/ Microelectronics Module certification scheme at least once a year.

 

III)          Technical Advisory Committee (TAC)

 

The object of the Technical Advisory Committee is to provide technical advice to the certification system at various levels, as per the requirements. The TAC will meet on the following events or on the recommendation of the MRC:

- Change/ Review of SCOSTA documents

- Bugs identified in script during the testing

- Modification/addition of test cases in test script

- Review and adoption of Certification Scheme documents

- Providing clarification and interpretation of technical issues

 

TAC would be responsible for:

- Drafting and reviewing the scheme specific documents, including Test Cases etc.

- Resolution of disputes received from supplier/manufacturer with regards to the interpretation of specifications/commands etc.

 

The members are chosen among those interested parties involved in the

 

- Formulation of SCOSTA documents

- Formulation of Certification System documents

- Technology Experts on Smart Card Technologies

- Testing Experts

- Technical expert on standards

 

The TAC has five representatives that have adequate academic and professional experience in the field they represent. Director (Smart Card Product Certification) is the Member Convener of the Committee.

 

- Representative NIC (One)

- Representative IIT, Kanpur (One)

- Representative STQC (One)

- Representative SCAFI (Two)

- Member Convener (Director (Smart Card Product Certification))

 

 

 

 

IV)         Certification Committee

The role of the Certification Committee is to advise the Head (Smart Card Product Certification Body) on decisions relating to

 

- certification of Smart Card Products/ Microelectronics Module after its technical evaluation.

- certification of assessor/specialist resource for empanelment

 

The Certification Committee consists of three representatives appointed by the Head (Smart Card Product Certification Body). Director (Smart Card Product Certification) is the member convener.

 

- STQC (Two)

- NIC (One)

 

The representatives should have

 

- Adequate academic background (preferably post graduate in Engineering/technology with 15 years of experience)

- Knowledge of Smart Card Technologies

- Knowledge and awareness of certification related matters including national/international standards and other normative documents, Test Engineering, quality and Security Concepts.

 

While advising the Head (Smart Card Product Certification Body) on certification related decisions, the Certification Committee will

 

- ensure compliance through /evaluation to the defined criteria.

- review the reports of testing and evaluation for adequacy of their content.

- provide feedback for improvement

- seek expert opinion where necessary for determining the technical basis for granting certification.

 

The Certification Committee normally meets as and when required. The convener of the committee presents all requisite information along with supporting documentation to the committee. The committee examines the inputs and advises the Head (Smart Card Product Certification Body) on the certification decision.

 

V)     Director (Smart Card Product Certification)

 

The Director (Smart Card Product Certification) will be responsible for all testing and certification related operations at NIC, New Delhi and will be located at NIC HQ, New Delhi.

 

 

 

 

The Director (Smart Card Product Certification)

 

- should have thorough knowledge and sufficient work experience (preferably not less than 2 years) in Smart Card Technologies and application development, SCOSTA Standard Development and knowledge of procedures for certification.

 

- is appointed by Head (Smart Card Product Certification Body)

- is responsible for day-to-day operations of

      * all pre-certification activities of Smart Card Products Certification

      * all activities connected with organizing test lab approval.

      * all liaison/co-ordination within and outside the certification

 

Techno-Administrative Support Cell

 

The Techno-Administrative Support Cell is responsible for providing administrative support to Director (Smart Card Product Certification) such as secretarial help, registration of applications, maintaining the register of certified suppliers, collection and verification of fees and maintaining records, preparation and dispatch of certificates etc.

 

VI)   Director (Smart Card Test & Evaluation)

The Director (Smart Card Test & Evaluation) will be responsible for carrying out all testing and evaluation of Smart Card Products/ Microelectronics Module.

 

Test Engineering Cell

To attain confidence in the testing process and maintain information security, a three-member Test Engineering Cell is formed as and when required, on a case-to-case basis, by the Director (Smart Card Test & Evaluation), randomly from the pool of trained test engineers, to carry out the testing activities. Constitution of the cell is dynamic in nature to make the process impartial and confidential.

 

- Test engineers carry out testing activity independently on the basis of Test Cases approved by Technical Advisory Committee.

- The Team Leader does co-relation of results.

- All the test engineers sign the test reports.

 

Test Engineering Cell

- is responsible for carrying out testing on the advice of the Director (Smart Card Test & Evaluation).

- has clearly documented procedures/instructions available for carrying out assigned activities.

 

Technical Support Cell

 

The Technical Support Cell is responsible for providing technical support to Director (Smart Card Product Certification) such as preliminary evaluation of the applications, clarifying doubts of applicants, liaison work between test engineering cell and certification body.

 

 

 

2.5 List of Appointments

 

A control list of appointments with contact addresses/ points of the following is maintained by the Certification Body : (Who is who)

 

- Head (Smart Card Product Certification Body)

- Director (Smart Card Product Certification)

- Director (Smart Card Test & Evaluation)

- Members of Technical Advisory Committee

- Members of Certification Committee

- Test Engineering Cell

- Technical support Cell

- Techno Administrative Support Cell

 

The responsibilities of all personnel involved in the certification activities are indicated in cl. No. 2.4

 

2.6 Records

The Certification Body maintains a record system to comply with existing procedures. The records demonstrate that the certification procedures have been effectively implemented, particularly with respect to application forms, assessment reports, test and evaluation reports and other documents relating to granting, maintaining, extending, reducing, suspending or withdrawing certification. The records are identified, managed and disposed of in such a way as to ensure the integrity of the process and confidentiality of the information. These records are kept for at least one full certification cycle (i.e. 10 Years).

 

2.7 Documents and Change Control

 

Certification body maintains a formal document control system where all procedures, specifications etc. are controlled by Doc. No., Version No., and Records/ History of amendments and approval of changes. A master list of approved documents indicating above is maintained by Director (Smart Card Product Certification).

 

2.8 Confidentiality

 

The Certification Body has adequate arrangements, consistent with applicable laws, to  safeguard confidentiality of the information obtained in the course of its certification activities at all levels of its organization, including committees and external bodies or individuals acting on its behalf.

 

Except as required in this document, information about a particular product or supplier will not be disclosed to a third party without the written consent of the supplier. Where the law requires information to be disclosed to a third party, the supplier will be informed of the information provided as permitted by the law.

 

2.9 Liability

 

The Certificate of Compliance given to a supplier under the scheme shall not be regarded as in any way diminishing the mutual contractual responsibilities/obligations between the supplier and purchaser. While the Certificate of Compliance will normally be a sound indicator of the capability of supplier to provide quality products/services, it should not be taken as a sort of guarantee accorded by the Certification Body. The Certification Body will not be liable for any deficiency in the product/service supplied by supplier.

 

2.10 Appeals, Complaints and Disputes

 

Appeals, Complaints and Disputes brought before the Certification Body by suppliers or other parties are subject to the review of Technical Advisory Committee.

The Certification Body will

 

a) keep a record of all appeals, complaints and disputes and remedial actions relative to certification

b) take appropriate corrective and preventive action

c) document the actions taken and assess their effectiveness.

 

2.11 Changes in the Certification Requirements

 

The Certification Body will give due notice of any changes it intends to make in its requirements for certification. It will take account of views expressed by the interested parties before deciding on the precise form and effective date of the changes. Following a decision on, and publication of, the changed requirements it shall verify that each certified supplier carries out any necessary adjustments to its procedures within such time, as in the opinion of the Certification Body, is reasonable. Certification Body will accept specification changes only from the committee, which is responsible for Specification Development (SCOSTA and other), which includes NIC, IITK, and SCAFI representatives.

 

Section 3:  Requirements for Certification

 

3.1. Application for Certification

 

The Certification Body requires that a supplier organization (client) :

 

a) always complies with the relevant provisions of the certification program

b) provides all necessary inputs for testing

 

c) only claims that it is certified with respect to those activities for which it has been granted certification

 

d)  does not use its certification in such a manner as to bring the Certification Body into disrepute and does not make any statement regarding its certification which the Certification Body may consider misleading or unauthorized

 

e) upon suspension or withdrawal of its certification (however determined) discontinues use of all advertising matter that contains any reference thereto and returns any certification documents as required by the Certification Body

 

f) uses certification only to indicate that the Smart Card product/ Microelectronics Module is in conformity with specified standards or other normative documents, and does not use its certification to imply otherwise

 

g) ensures that no certification document, mark or report nor any part thereof is used in a misleading manner

 

h) in making reference to its certification in communication media such as documents, brochures or advertising, complies with the requirements of the Certification Body.

 

 

 

3.2 Application for Renewal of Certification

 

The renewal of certificate shall be performed as per Certificate Renewal Procedure SCPC-02-07 for the valid “Certificate of Compliance” issued to supplier by Smart Card Product Certification Body of NIC.

 

The Application

 

The Certification Body requires an official Application Form (SCPC-02-06-1 or SCPC-02-06-2) duly completed, and signed by a duly authorized representative of the applicant, in which the applicant agrees to comply with the requirements for certification and to supply any information needed for its evaluation.

 

3.2 Decision on Certification

 

The decision whether or not to certify a supplier’s Smart Card Product will be taken by the Head (Smart Card Product Certification Body), based on the recommendation of the Certification Committee, on the basis of the information gathered during the certification process, evaluation of the test report and any other relevant information. Where necessary, the Certification Committee will seek expert opinion to determine the technical basis for its decisions.

 

The Certification Body will not delegate authority for granting, maintaining, extending, reducing, suspending or withdrawing certification to an outside person or body without prior approval of Head ( Smart Card Product Certification Body) in each and every case.

 

The Certification Body will provide to each of its suppliers whose Smart Card Product / Microelectronics Module  are certified, a certificate signed by Head (Smart Card Product Certification Body) or an officer who has been assigned such responsibility. These documents will identify for the supplier (clients) and each of its sites covered by the certification

 

a) the name and address

 

b) the scope of the certification granted including

    - the standards and/or other normative documents to which smart Card Products/ Microelectronics Modules are certified

 

c) the effective date of certification and the term for which the certification is valid

 

d) Simultaneously, arrangements will be made to update the list of certified clients.

 

Need of Re-Certification:

 

Any change after Certification, in any of the components listed below, will be treated as Major Non-conformity and will require re-certification,

 

 

 

3.3 Surveillance and Re-assessment

 

The Certification Body will carry out periodic surveillance and re-assessment at sufficiently close intervals to verify that suppliers, whose Smart Card / Microelectronics Modules / products are certified, continue to comply with the certification requirements.

 

Currently, the following policies (on surveillance and re-assessment) are being pursued

 

- The surveillance activities are subject to re-testing if a supplier with a certified Smart Card / Microelectronics Module/Product makes major modifications to the System/Product or if other changes take place which could affect the basis of the certification at least.

- Audit testing will be performed at least once a year by

      - picking up smart cards from supplier premises

      - market/ users

 

 

3.4 Suspension and Withdrawal/Cancellation of Certification

 

Suspension

 

Certification may be suspended for a limited period at the discretion of Certification Body under the following circumstances

 

- if the surveillance/ audit/Renewal testing indicates minor non-conformance to the relevant System/Product requirements and the same is not cleared even after lapse of the initial time period given for corrective actions

- if the surveillance/ audit/Renewal testing indicates major non-conformance to the relevant System/Product requirements

- if improper use of the Certificate of Registration or Logo/Mark is not rectified to the satisfaction of the Certification Body

- if the certified supplier is not regularly involved in the activities for which he is certified

- if there has been any other contravention of the applicable requirements or rules of procedures of the Certification Body.

 

An official suspension will be confirmed by the Certification Body in a registered letter to the supplier or by equivalent means and will indicate the conditions under which suspension will be revoked. The Certification Body may publish notification of suspension. Upon fulfillment of the indicated conditions within the specified period, the Certification Body will revoke suspension and notify the supplier accordingly; otherwise, the certification will be cancelled and certificate will be withdrawn.

 

Withdrawal/Cancellation

 

The Certification Body will cancel certification, withdraw the Certificate and authorisation for the use of the Logo/Mark under the following circumstances

 

- if the supplier under suspension fails to rectify non-conformance within specified period

- if the supplier either will not or cannot ensure conformance to changed rules of procedure of Certification Body.

- if the supplier ceases to supply the product, process or service

- if the supplier fails to meet the financial obligation to Certification Body

- at the formal request of the supplier

- if the supplier fails on the Certification Agreement signed between CB.

- any other serious contravention of applicable requirements of rules of procedures of Certification Body

 

The official communication by the Certification Body of the withdrawal/cancellation will be either through a registered letter or equivalent means. The Certification Body will publish notification of the withdrawal/cancellation.

 

3.5 Maintenance of Certification

 

For maintenance of certification, the client shall submit annually a statement regarding continuing compliance with the criteria and the requirements of the certification smart card products along with objectively verifiable documents. The CB will carry out the surveillance of these documents along with the audit/Renewal testing.

 

Based on the results of the audit/Renewal testing and documents surveillance, the CB will take the decision for continuation of the certification or otherwise.

 

Access to Records of Complaints to Suppliers

 

The Certification Body will require the certified supplier to

 

a) keep a record of all complaints made known to the supplier relating to the product’s/service’s compliance with applicable requirements and make these records available to the Certification Body when requested

b) take appropriate action with respect to such complaints and any deficiencies found in products or services that affect compliance with the requirements for certification

c) document the actions taken.