Standards for personal protective equipment during the Covid-19 pandemic, from equivalence issues to assessing conformity
Currently, three main standards are used in the production and distribution of the crucial FFP2 masks (or N95 masks in the US). In the EU, EN 149:2001 “Respiratory protective devices” covers FFP2 minimum requirements, as well as laboratory and practical performance tests. It is technically equivalent to the “Federal regulation for certifying air-purifying particulate respirators” (42 CFR 84) that covers the N95 mask, managed by the National Institute for Occupational Safety and Health (NIOSH) in the US (source: Centre for Disease Control and Prevention). In China, as explained by the Seconded European Standardisation Expert in China, the equivalent is the national standard GB19083-2010 “Technical Requirements for Protective Facemasks for Medical Use”, adopted under the authority of the Standardisation Administration of China (SAC). A comprehensive list of equivalence between foreign standards is available on the U.S. Centre for Disease Control and Prevention website, under the section “personal protective equipment: Respiratory protection and facemasks”. A list of existing pandemic prevention product standards (gloves, masks, protective clothing and eye protectors) in Europe and China is also available.
While standards play an important role in ensuring that products are fit for purpose, conformity assessment and market surveillance are essential during the current crisis
In March, the European Commission published Recommendation (EU) 2020/403 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat. The Recommendation was adopted to tackle the increasing demand for PPE, such as face masks, gloves or protective eyewear, on the EU market. The Recommendation provides that under specific circumstances some medical devices and PPE may be made available on the EU market for the duration of the COVID-19 outbreak, even if they do not yet bear the CE marking that shows conformity with applicable regulations and obligations. While flexibility is necessary during the current crisis to tackle supply shortages, it appears that manufacturers in China may have exploited loopholes in the system to abuse both EU and Chinese regulations (Financial Times, “Chinese mask makers use loopholes to speed up regulatory approval”). Indeed, such issues seem to have arisen already.
One of the problems was that manufacturers based in China were not required to comply with national standards (GB) but could instead use CE marking alone if their products were destined for export. This has allowed unscrupulous producers to export non-compliant products from China without going through proper conformity assessment processes locally. Since then, the Chinese authorities have adapted their legislation and forced manufacturers to obtain a national license before being permitted to export (South China Morning Post, “Coronavirus: China bans export of test kits, medical supplies by firms not licensed to sell them at home”). At the same time, provincial authorities have also started to crack down on illegal manufacturers (source: Sixth Tone).
During any crisis, existing institutions are mercilessly tested. One could say that there is no better test than reality, and this is as true for standardisation, conformity assessment and market surveillance systems across the globe. While, at present, urgency calls for flexibility and immediate efforts to relieve the shortage of materials, insights and information need to be gathered systematically to make sure that we will be better prepared next time. In this context, SBS has announced a common position described in an article later in this issue.
This crisis has shown us the importance of standards. Standards represent accumulated knowledge and provide a common technical language that allows production lines to be set up quickly without compromising quality. The key role that standards play for the industry shows how relevant our mission and work are when it comes to ensuring that standards meet the needs of SMEs.
SBS calls for European direct investment to expand the production lines of safety equipment manufacturers and build up their capacity—not just for this crisis, but also for future ones. SBS also stresses that while bringing the relevant PPEs to market quickly is necessary in the current crisis, market surveillance authorities must ensure that equipment meets the essential safety and health requirements to protect health workers and the public. The position paper also makes reference to a previous article illustrating standards for different respiratory protective devices and their efficiency in fighting COVID-19.
This initiative is a response to the severe shortages of personal protective equipment supplies that Europe has been facing since the outbreak of the coronavirus. The aim is to ease and accelerate market access for these products in order to increase European production of masks and respiratory devices.
The aim of providing free access to this series of standards is to allow SMEs to consider converting their manufacturing installations to respond to the growing demand for these kinds of product while meeting essential technical requirements for them. This action should also help public authorities in their product procurement processes.
European standards can be downloaded from CEN national members’ websites. International standards can be downloaded from ISO’s and IEC’s websites.
One important task is to examine whether the current standardisation frameworks and the available standards in cybersecurity are fit for all SMEs. To this end, SBS provides four options for building on existing cybersecurity standards. SBS believes that these four options will help all kinds of SMEs with different capabilities to adopt cybersecurity standards and certification schemes.
SBS proposes a simple platform which would serve as a ‘one-stop-shop’ for practical guidance on cybersecurity for SMEs. The long-term goal is to increase the overall level of cybersecurity assurance among companies in Europe, and it is necessary both to raise awareness and to provide practical solutions.
Most of us are familiar with ISO 9001, the famous Quality Management System. But have you heard of the ISO/IEC 27001 Information Security Management System? Its first publication dates back to 2005 and its structure and content are very similar to ISO 9001, so if you comply with the first, you can achieve the second without much effort. Nevertheless, although less well known than ISO 9001, ISO/IEC 27001 is an important tool that provides a framework for businesses and SMEs to deal with security risks.
What is information?
Information is (a set of) interpretable data that, within a given context, has a meaning and a value. To protect and enhance this value, the data and its interpretability and context must be preserved and safeguarded. Why? Simply because without information – more specifically, reliable information – very little can be achieved.
Information is essential: knowledge gives us power and lets us make sound decisions, realise objectives and measure achievements.
What if the information used is unreliable because it might have fallen into the hands of unauthorised persons (confidentiality) or has been altered without proper controls at any stage of processing (integrity) or because it is unavailable or inaccessible when we need it (availability)?
What is information security?
Confidentiality, integrity and availability have long been described as the three main criteria for information security.
The two ‘key’ standards on information security are ISO/IEC 27001 (Information Security Management System – ISMS) and ISO/IEC 27002 (Code of Practice for information security control). Applying ISO/IEC 27001 to Personally Identifiable Information (PII) also enhances the level of compliance with the General Data Protection Regulation (GDPR) although it does not directly ensure it; there is a new standard for this: ISO/IEC 27701.
However, this all requires mature information management. ISO/IEC 27002 provides a reasoned list of 114 controls to ensure information security. These are generally determined – especially for their implementation in each context – within a risk management process which is explained in more depth in ISO/IEC 27005.
Why is it important and why do we need standards for this?
According to a report from Datto, SMEs are the main target of cybercrime. The ransomware payment demanded from SMEs by cyber criminals averaged €2,300 in 2019, and downtime related to such attacks in Europe is increasing by 300% year on year. This kind of attack hits SMEs even harder and may in some cases force SMEs to close down.
Due to the importance of information in hitting business targets, especially within SMEs where constraints on people, time and money are high, information security standards can be critical.
Information security standards are the responsibility of Sub Committee 27 of the Joint Technical Committee 1 within ISO and IEC (International Electrotechnical Committee): in brief ISO/IEC JTC 1 SC 27 “Information Security, Cybersecurity and Privacy Protection”.
SC 27 splits its responsibility for 250 projects over five Working Groups (WG) and Small Business Standards currently has two experts in this sector: one in WG 1, and one in WG 4.
WG 1: ‘Information Security Management Systems’, around 27001 and 27002. It currently works on about 23 standards, numbered from 27000 to 27022.
WG 4: Security Controls and Services (numbered from 27030 to 27050 and 11 others)
To address the increasingly significant cybersecurity aspects, SC 27 has a number of projects (27100 to 27104) under joint development by WG 1 and WG 4.
Information is immaterial, intangible and virtual, which makes it very difficult to manage (Asset management: Acquisition, Valuation, Inventory, Transport, Storage, Use, Removal from use). Staples are generally better managed than information. It is essential for SMEs to grasp the importance of information security. Their resilience and capacity to prosper depend on it. In order to help SMEs to better handle information security and to help them implement ISO/IEC 27001, in 2018 SBS in conjunction with the European Digital SME Alliance published the SME Guide for the implementation of ISO/IEC 27001 on information security management.
If you are interested or have questions, please get in touch with the article’s authors, SBS experts for ISO/IEC JTC1 SC27 Jean-Luc Allard and Fabio Guasconi.
These guidelines have been written as a response to the need for specific instructions for the lift sector to supplement the national protocols – generally divided by macro-sectors – which cannot go into too much detail. This lack of clarity has led to a situation where SMEs can only carry out part of their work safely. The guidelines will provide a few sets of information, set out clearly.
The work on these guidelines is also continuously raising awareness among experts of the changes that the COVID-19 emergency will bring to the sector. Given the new ways of working and the related measures that have come into prominence to limit contagion, EFESME is convinced that this crisis will also lead to major changes in standardisation.
As far as the elevator sector is concerned, there will inevitably have to be new instructions for maintenance, repair, periodic inspections and installation works. New standards will be needed to support what are considered as essential changes to the ventilation and air exchange systems of cabins, and/or their sanitisation. The creation of new study and working groups to address the impact of the pandemic on the sector and the future participation of EFESME and SBS in them are therefore inevitable and indispensable to better protect and support SMEs.