Notes from Megameeting 12th April 2010


BruceAmbacher UM
DavidGiaretta STFC
HelenTibbo UNC
JohnGarrett GSFC
MarkConrad NARA
RobertDowns CIESIN, Columbia University
SimonLambert STFC


Some amended text was agreed for the last paragraph of 1.7.2.: "The term “Trustworthy Digital Repository” (TDR) is used in this document to indicate those repositories which are already certified."

It was agreed that it is necessary be precise about the terminology "candidate reporitory"/TDR, and that there is a need to clarify the roles of the actors implied in the document: overarching body composed of initial audit committee at first; companies approved to conduct audits; audit teams; candidate repositories. The national bodies for accreditation will probably have an important role.

SimonLambert >> (All): Where did you reach last week?
Mark Conrad >> (All): Title of the Document needs to be changed in Document 
Control on page vi.
Mark Conrad >> (All): In 1.7.2., last paragraph, the text, "or else are 
potential candidates for such certification; sometimes the wording “the 
repository being audited” or “candidate rdigital repository” is used." should be 
BruceAmbacher >> (All): Mark, What version are you using?  I do not see these 
terms in 1.7.2, last par.
JohnGarrett >> (All): Yes, we were working in Section 9.2 last week
BruceAmbacher >> (All): I am looking at 4/05 version
Mark Conrad >> (All): I am looking at format 5 20100405
SimonLambert >> (All): I see the text just before
BruceAmbacher >> (All): Here is the last par. I see: The term “Trustworthy 
Digital Repository” (TDR) is used in this document to indicate those 
repositories which are either already certified or else are potential candidates 
for such certification; sometimes the wording “the repository being audited” or 
“candidate rdigital repository” is used.
JohnGarrett >> (All): Yes, that is what I see.  I also had it marked.
Helen Tibbo >> (All): got it.
Helen Tibbo >> (All): I totally agree with Mark's comments here.
Mark Conrad >> (All): We should also delete "either" right before "already".
BruceAmbacher >> (All): Why leave in: or else are potential candidates for such 
TerryLongstreth >> (All): I agree, too, and prefer Bruce's solution
BruceAmbacher >> (All): John,, is this the kind of thing we can charge a 
technical editor to edit out or must we make all such changes?
JohnGarrett >> (All): Just a question on this version.   I think we discussed 
some of  Mark's question already and made corrections, but now the corrections 
have been accepted and Mark's comments still appear.  Is that correct?
Mark Conrad >> (All): No. If you want to talk about potential candidates that 
should be a separate term from TDR.
JohnGarrett >> (All): The technical editor will edit for that sort of thing, but 
 if we spot it, we may as well make the update to make sure it is caught.
Mark Conrad >> (All): This is not something for the technical editor. This is 
BruceAmbacher >> (All): I am pretty sure we are all in agreement on this type of 
thing.  We need a scrub of TDR every place it occurs to be sure we are using it 
correctly and distinguishing TDR from candidate repository.
TerryLongstreth >> (All): The TDR imprimatur is equivalent to 'Certified'.  I'd 
prefer to reserve Candidate for those that have never passed an audit.
JohnGarrett >> (All): Sorry, I was answering Bruce's question which I think was 
referring to "either already"
Mark Conrad >> (All): This is the definintion of TDR. It should not be confused 
with the definition of a candidate repository.
Helen Tibbo >> (All): Last week we supposedly took out the phase "client 
repository" and substituted "applicant". Did that happen in the text??
RobertDowns >> (All): I agree that we should take the opportunity to make these 
kinds of changes rather than leaving them to an editor.
TerryLongstreth >> (All): Three states of a Digital Repository: 1) Candidate, 
never certified. 2) TDR 3) TDR, recertification candidate
SimonLambert >> (All): I see that in 9.1 "candidate TDR2 is used - should that 
be "candidate repository"?
JohnGarrett >> (All): I think we should make the substitutions for TDR as 
BruceAmbacher >> (All): Helen, That must have occurred after I left.  
JohnGarrett >> (All): Terry, I agree, but in the text I think we will often be 
talking about 1 and 3 at the same time which I think will be "candidate 
Mark Conrad >> (All): Here is my proposed text for the last paragraph of 1.7.2.: 
"The term “Trustworthy Digital Repository” (TDR) is used in this document to 
indicate those repositories which are already certified."
JohnGarrett >> (All): OK with me
Helen Tibbo >> (All): Yes, this is good. 
BruceAmbacher >> (All): agreed
RobertDowns >> (All): I also agree
TerryLongstreth >> (All): John, perhaps so, if the initial and recertification 
processes are the same.
JohnGarrett >> (All): Terry, I think we can identify the different initial and 
recertification processes at the location in the document, if they are different
TerryLongstreth >> (All): .. and distinguish between the new candidates, and 
those with prior certifications in our  text
JohnGarrett >> (All): Yes
TerryLongstreth >> (All): Hokay
Mark Conrad >> (All): So where to next?
TerryLongstreth >> (All): Sorry I missed last week. I thought it had been called 
for the holiday.  Can I mention 8.1.1?
JohnGarrett >> (All): So are we marching through Mark's comments and deciding if 
they are covered or not?
Mark Conrad >> (All): Terry, What did you want to say about 8.1.1.?
JohnGarrett >> (All): Sure, what is your comment on 8.1.1?
TerryLongstreth >> (All): pp. b) menitons the Initial audit committee being in 
charge fo continuing / recert activities.  I think we should change its name or 
define a different body for permanent oversight
TerryLongstreth >> (All): If the audit committee is a permanent body, it needs a 
different name than  ‘initial’.  The responsibilities of the initial audit 
committee and permanaent audit committee should be separated and documented 
BruceAmbacher >> (All): Terry, I read this as the cert. body, not necessarily 
the actual audit team.
TerryLongstreth >> (All): Absolutely
SimonLambert >> (All): Not sure it is implying the initial audit committee goes 
on forever - the exceptions could be agreed at an early stage, couldn't they?
JohnGarrett >> (All): I don't want to create still another group.  I don't mind 
changing the name.  In subsequent issues of this document, hopefully reference 
to it will disappear completely.
SimonLambert >> (All): i.e. the initial audit cttee does it work then backs out
Mark Conrad >> (All): My original comment was why do we need 8.1.1. at all? It 
only serves to bind our hands and doesn't really add anything that is TDR 
TerryLongstreth >> (All): But initially, the Initial Audit committee was to be 
able to interpret  this document in real time, rather than monitor the auditors.
BruceAmbacher >> (All): Why is that an either/or and not the ability to do both?
TerryLongstreth >> (All): We could kill it, but I think David wants the Initial 
audit committee to shepherd the document through its early uses and 
SimonLambert >> (All): Section 8 is titled "Information requirements" - does 
this mean reqts on the repository or on the auditing body?  Seems to be both at 
Mark Conrad >> (All): What is the upside to leaving 8.1.1. in?
TerryLongstreth >> (All): Simon: actually there are three main actors - the 
repository, the auditing body, and the spec interpretation and auditor 
credentialing org
BruceAmbacher >> (All): Isn't the third a subset of the first?
BruceAmbacher >> (All): Sorry I meant 3 being subset of 2
JohnGarrett >> (All): I think b) allows the Initial Audit Committee to change 
the times required to do the surveillance and recertification audits ( 1 and 3 
years I think in underlying document)
TerryLongstreth >> (All): No, 2 is the audtors that are being sent out to 
inspect repositories.  3 is the Initial (or continuing, permanant) committee
TerryLongstreth >> (All): It's the same dichotomy Bruce mentions about 10 lines 
Mark Conrad >> (All): John, We sign off on that timetable in 9.1.
TerryLongstreth >> (All): (All): Terry, I read this as the cert. body, not 
necessarily the actual audit team.
BruceAmbacher >> (All): I see the auditing body as just that - the overall 
structure to guide the audit teams (3) and establish overall policy and 
procedures and to approve results (grant certification).
TerryLongstreth >> (All): Is the auditing body different from the Initial audit 
committee? Is there a mechanism for credentialing auditing bodies?
JohnGarrett >> (All): No, the auditing body is the company that is actually 
doing the audit of a candidate repository.  There are many potential auditing 
bodies (companies) and each candidate repository will hire whicheve auditing 
body it wants.
RobertDowns >> (All): states that each auditor is accredited by the 
initial audit committee.
JohnGarrett >> (All): The auditing body is different from the initial auditing 
TerryLongstreth >> (All): @Robert: Right, which means it must be a permanent org
Helen Tibbo >> (All): Have we defined these terms in the glossary?
Helen Tibbo >> (All): If not, we should.
RobertDowns >> (All): Initial audit committee:  The initial audit committee will 
consist of internationally recognized experts in digital preservation, the 
membership building on members of the authors of the <ISO XXXXX - RAC Document
TerryLongstreth >> (All): .. for as long auditors are to be allowed to submit 
JohnGarrett >> (All): The initial audit committee is defined in the glossary.
BruceAmbacher >> (All): as is the certification body
RobertDowns >> (All): Yes, I just posted the definition from a few lines up
BruceAmbacher >> (All): the audit teams can come from from any "company" 
approved by the certification body to conduct audits and make recommendations on 
JohnGarrett >> (All): I have 
BruceAmbacher >> (All): In the beginning the authors of this doc will comprise 
the certification body and also may be members of audit teams - correct?
TerryLongstreth >> (All): That probably violates 17021
JohnGarrett >> (All): Bruce, yes we are initial audit committee and can also be 
BruceAmbacher >> (All): initial audit committee equals certification body - yes 
or no?
TerryLongstreth >> (All): And can also decide who else can be auditors?
Mark Conrad >> (All): Terry, 17021 refers the reader to ISO 9000 and ISO 17000.
TerryLongstreth >> (All): I was thinking about the conflict of interest 
discussions from the last meeting in March
BruceAmbacher >> (All): With these concepts clarified, someone can do a 
technical scrib to get the text correct.
Mark Conrad >> (All): What concepts, exactly, have we clarified?
JohnGarrett >> (All): I'm concerned about saying that Initial Audit Committee 
will "certify" auditors.  I think that is a big issue and big discussion will be 
needed, so I will let that for another day.
Mark Conrad >> (All): The Glossary at Defines the makeup of the initial 
audit committee, but does not define its responsibilities.
JohnGarrett >> (All): Bruce,  Initial Audit Committe   is NOT equal to   
Certification Body  
BruceAmbacher >> (All): I was trying to clarify the distinctions, duties, roles 
of certification body, initial audti teams, future audit teams and "companies" 
that employ such teams on the one side and the candidate repository on the other 
side, which, once certified, will be under review and ultimately a 
recertification process.
JohnGarrett >> (All): Certification Body = company doing the audit and company 
that 'hires' the audit team
Mark Conrad >> (All): This is what the glossary currently says, "Certification 
body: third party that assesses and certifies the candidate TDR of a client 
organization with respect to published TDR standards, and any supplementary 
documentation required under the system."
BruceAmbacher >> (All): John, I do not agree that the certification body 
is/equals the company, unless there is only one company in the world.  
Mark Conrad >> (All): Not quite sure how that definition jives with John's 
JohnGarrett >> (All): Bruce, each company provides the certification for a TDR.  
It is not granted by an overarching body.
RobertDowns >> (All): Ideally, several organizations would be qualified to 
conduct the audits and certify TDRs. 
BruceAmbacher >> (All): Somewhere in this mix is a board or panel that reviews 
the work of the companies and their audit teams for compliance to the RAC and to 
the audit procedures.  It also has a responsibility to promulgate revisions, 
probably through the ISO process.
JohnGarrett >> (All): The overarching body certifies the certifying bodies 
(companies) to be able to provide this certification
TerryLongstreth >> (All): Agree, completely
Helen Tibbo >> (All): And where does this over-arching body come from? Is this 
ISO? I don't htink so...
JohnGarrett >> (All): Yes, that is right
TerryLongstreth >> (All): And this doc implies that's the Initial Audit 
committee, which should be renamed, I think
TerryLongstreth >> (All): As Robert pointed out, above, says it
JohnGarrett >> (All): The over-arching body is ISO, or actually there is a 
National Activities Board (Or some name like that) for each country that 
certifies certification bodies to do that work in their country.
Mark Conrad >> (All): See
TerryLongstreth >> (All): If there is a separate body, we must declare it so in 
this book
Mark Conrad >> (All): "   When selecting the audit team to be 
appointed for a specific certification audit the certification body shall ensure 
that the skills brought to each assignment are appropriate."
BruceAmbacher >> (All): To be sure we all agree we are talking about the roles 
of four distinct bodies (which may have overlapping personnel): 1) overarching 
body composed of initial audit committee at first,  2) companies approved to 
conduct audits 3) audit teams and 4) candidate repositories
JohnGarrett >> (All): Actually that numbering is now strange as we no longer 
have a 7.2.1
Mark Conrad >> (All): John, There is still a section 7.2.1. in the current 
JohnGarrett >> (All): Sorry, you are right, there is a 7.2.1 but not a
Mark Conrad >> (All): Bruce, Where is 2) referenced in the document?
JohnGarrett >> (All): Bruce, yes to levels 2, 3, 4.  I think 1 is actually 
broken into a couple co-operating pieces.
JohnGarrett >> (All): 2) is reference a lot as "Certification body"
BruceAmbacher >> (All): Mark, the companies are not mentioned.  In 
this is the role of the cetification body.  I agree the role of the companies 
has been conflated into the certification body which has, too often, been seen 
as the over-arching body.  Perhaps a diagram would be helpful or an explanation 
in the beginning.
TerryLongstreth >> (All): John - If 1 involves  spec interpretation and auditor 
credentialing,  are there separate bodies for each?
TerryLongstreth >> (All): I use auditor broadly to include the companies and the 
agents they send out
Mark Conrad >> (All): We need a clear definition of terms for each role.
BruceAmbacher >> (All): I strongly agree.
Helen Tibbo >> (All): Agree, agree, agree - we do not seem to be at the point 
that we even understand this so how can we put it into a standards document 
until we do.
JohnGarrett >> (All): Terry,  actually that is a good distinction, thanks.  That 
helps me.   This is fuzzy for me also, but I think eventually the National 
Boards will certify the Certification Bodies (companies) as the do for all the 
other ISO certications.
JohnGarrett >> (All): And eventually the responsible working group within the 
responsible ISO committee  (RAC WG equivalent) will be responsible for the spec 
interpretation and correction when needed.
TerryLongstreth >> (All): So this document should mention establishing a 
credentialing body equivalent to existing National boards?
BruceAmbacher >> (All): John, Do we need to include a section in the front that 
spells out the different bodies, how the process will be handled initially and 
how it will operate once it is up and running.  We have avoided including any 
language that will be superseded once the process is up and running.
JohnGarrett >> (All): I think initially, we are trying to define an Initial 
Audit Committee to fulfill both roles to kick start the process and get things 
off the ground initially.
BruceAmbacher >> (All): John, agreed.  But we also need to show what the more 
permanent structure will be and do.
JohnGarrett >> (All): Terry, I'm not sure
TerryLongstreth >> (All): Neither am I
BruceAmbacher >> (All): Terry, is this venture large enough to establish 
multiple national boards?  How are such boards coordinated so the USA and the EU 
do the same thing, set the same requirements and certification means the same 
BruceAmbacher >> (All): And, to think, we thought we were near the end of the 
process!  The more we do/learn, the more we need to do.
TerryLongstreth >> (All): All good questions.  Engineering practices abhor TBDs 
(to be determined), but we may need a list of tasks for the Initial committee to 
perform to answer those.
JohnGarrett >> (All): I think the National Boards already exist for a lot of 
countries and they certify the Certification Bodies for a number of different 
Mark Conrad >> (All): Does anyone have a copy of: ISO 9000:2005, Quality 
management systems — Fundamentals and vocabularyISO 19011:2002, Guidelines for 
quality and/or environmental management systems auditing1)ISO/IEC 17000:2004, 
Conformity assessment — Vocabulary and general principles
TerryLongstreth >> (All): Who would be the National Board in the US?
Mark Conrad >> (All): These standards are referenced in 17021 as normative.
JohnGarrett >> (All): In the US, it is the ANSI-ASQ National Accreditation Board
TerryLongstreth >> (All): Can we ask them for guidance?
BruceAmbacher >> (All): I was going to ask if anyone has been in touch with any 
such national board.
Helen Tibbo >> (All): Sorry to be distracted today but have to run. 
JohnGarrett >> (All): Looks like in UK it is UK Accreditation Service  UKAS
BruceAmbacher >> (All): I must leave now.  until next week.
Mark Conrad >> (All): Ciao for now!
JohnGarrett >> (All): Mark, I have those in my stack here somewhere, could 
probably put my hands on it eventually
JohnGarrett >> (All): Terry and Bruce, we've talked about getting in touch with 
them, but I haven't had a chance to do so yet
JohnGarrett >> (All): We'd like to talk to them informally, but also tread 
lightly in case the get 'territorial' and then they could take too much interest 
in our little standard and object to things like our Initial Audit Committee, 
which for us is a practical thing to try to get things up and running.
JohnGarrett >> (All): Does anyone else want to try to contact them?
JohnGarrett >> (All): OK, I'm out of here too.  Have a good week everyone.
RobertDowns >> (All): Bye

-- SimonLambert - 12 Apr 2010

Topic revision: r1 - 2010-04-12 - SimonLambert
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback