by Tim Alcock
ISO/IEC 17025:2017 – General requirements for the competence of testing and calibration laboratories is the principal international standard for the accreditation of laboratories performing testing (including sampling) and/or calibration. Originating from ISO/IEC Guide 25, the standard has been through several iterations culminating in the latest version released in November 2017.
ISO/IEC 17025:2017 enables laboratories to demonstrate competent operation, validity and confidence in results.
This article provides a brief background to the application of ISO/IEC 17025 together with an overview of the new standard, highlighting the major changes.
Laboratory Accreditation in Forensics
Accreditation is the independent evaluation of conformity assessment bodies (in this case Forensic Laboratories working to ISO/IEC 17025 and crime scene investigation units working to a ‘sister’ standard ISO/IEC 17020). Accreditation bodies are normally themselves peer assessed through an international system administered by the International Laboratory Accreditation Cooperation (ILAC). Accreditation bodies are established in many countries with the primary purpose of ensuring that conformity assessment bodies are subject to oversight by an authoritative body.
Laboratory accreditation differs from ‘Quality Management Certification/Registration’ to standards such as ISO 9001 in that the assessment teams employ subject matter experts who directly evaluate the practical aspects and technical operation of the laboratory which increases the scientific rigor of the assessment. Having said this, being accredited cannot guarantee that mistakes will not happen and there are well documented cases of errors and failures even in accredited facilities. It can however provide confidence that the laboratory operates an effective management system with rigorous requirements for ensuring competency, technical operation and reporting of results and be used as the basis for continuing improvement of the laboratory’s management systems.
Accreditation is generally voluntary, but in the UK, whilst not mandated in law, the Forensic Science Regulator has required that Forensic units will be accredited to relevant standards (ie ISO/IEC 17025, 17020 or ISO 15189 for clinical laboratories). Some states in the USA also require their laboratories to hold accreditation. As the standards mentioned above were not specifically written for forensics applications, supplemental documents have also been published (such as ILAC G-19) and in the UK, the FSR Codes criteria of Practice and Conduct and associated documents as well as specific accreditation body requirements.
ISO/IEC 17025 Changes
The new standard, introduced last November, contains the following major changes:
- Re-structuring of clause numbers to be more ‘process-based’
- Closer interaction with ISO 9001
- Introduction of the need to perform an impartiality risk assessment
- Assessment of risks/opportunities to the operation of the laboratory
- Enhanced requirements relating to complaints and confidentiality
- ‘Risk-based’ Internal audits
- Management review – agenda additions
- Enhanced requirements relating to reporting
- Statements of conformity and ‘Decision Limits’
- Data/ Information management.
These changes are discussed below.
The new standard has been completely re-formatted in terms of clause numbering as outlined in the schematic below. This provides more logical sequencing of laboratory activities from review of customer requirements to issue of reports, together with associated support and resource provision, management aspects and audit, corrective action and improvement activities.
Integration with ISO 9001
ISO/IEC 17025:2017 has been developed to align with ISO 9001 (the most commonly applied Quality Management Systems standard). There are common elements in both standards and, if a company is ISO 9001 certified, it will address these common elements already. Without ISO 9001 certification, these additional requirements will need to be included (defined in Section 8 of the standard). Unfortunately, there are differences between these ‘common’ areas in ISO/IEC 17025 and ISO 9001, so laboratories who also operate ISO 9001 systems will need to review the detail of these aspects to ensure compliance.
The standard requires that organisations have some form of documented management system which includes policies, objectives and procedures, however, it no longer specifies that the laboratory has a ‘quality manual’ as such. Planned reviews are required ensuring the system’s continuing suitability and effectiveness. Clause 5, entitled “Structural requirements,” covers legal identity, management structure and organisation of laboratory and related support activities including scope of services offered. Specific position titles relating to “technical and quality management” have been removed, although responsibilities for these functions are still required to be defined.
Enhanced requirements requiring assessment of risks to impartiality together with controls for mitigation have been introduced. Additional requirements relating to confidentiality are also added.
One improved aspect of the new standard is the logical structuring of laboratory process activities. Core business activities are set out, commencing with the determination and review of customer requirements whether stated in a ‘Service Level Agreement’ or a direct request from an Investigating Officer, through method selection/development, sampling (if applicable), handling of the exhibits, records, uncertainty, quality control and reporting. Content of these clauses remains substantially the same, but has been simplified in wording. However, there are a number of detail changes (for example aspects relating to agreement to subcontract, customer requested deviations, additional requirements relating to sampling and content of final reports etc) which need to be considered when upgrading systems.
One significant introduction is the term “decision rule”, defined as a ‘rule that describes how measurement uncertainty is accounted for when stating conformity with a specified requirement’. Laboratories who report “conformity with a specified requirement”, eg, stating that a product complies with a specification or otherwise, need to agree with the customer how measurement uncertainty is taken into account when reporting conformity and make this clear on reports. This is critical where reported results are near specification limits and uncertainty could affect the pass/fail decision. This would be the case where reporting pass or fail criteria with legal limits, such as blood/alcohol limits or the length of a sawn-off shotgun.
“Resource requirements” are addressed in the form of personnel training, competence, facilities/environment, equipment and consumables, metrological traceability, purchasing and subcontracting (the latter two clauses being renamed “control of externally provided services”). Again, additional requirements have been added relating to the content of procedures and review of adequacy of facilities and calibration intervals. A new clause has been added enhancing requirements relating to Information and data management. As with all quality management system standards, controls need to be applied to the control of documents and records to ensure that personnel are up-to-date with test methods, protocols, procedures, legal requirements etc. and for the maintenance of records, whether these are case files, equipment, personnel, recorded data or anything else.
Quality management processes
Finally, “quality management” issues are addressed, namely, performance of internal audits, control of non-conforming work, an enhanced section on complaints as well as soliciting customer feedback. The corrective action section deals with actions resulting from non-conformities, identification of root cause and action to eliminate cause. In line with ISO 9001, the “Preventive Action” clause has been renamed “Risks and Opportunities” and the laboratory is required to identify and implement improvements on an ongoing basis – this represents a major change, requiring the laboratory identify risks that could affect results and objective, and identify and implement improvements.
Transition to the new standard
A three-year transition period is allowed for accredited laboratories, with accreditations to the old standard ceasing to be valid from 30 November 2020. UKAS in the UK has published transition guidelines on its website (ukas.com).
The changes represent great improvement in terms of structure and clarity, with the possible exception of the clause “Control of external products and services” which, in the author’s opinion, are not as clearly set out as the “Subcontracting” and “Purchasing” clauses of the previous version. Key new aspects, such as the identification of risks and opportunities will provide additional challenges for both laboratories and assessors alike.
About The Author
Tim Alcock, CQP FCQI MASQ is an IRCA Registered Lead Auditor and Managing Director of Qualimetric Ltd. He has 30 years’ experience in the application of quality management systems, specialising in Laboratory and Inspection Body accreditation.