ISO/IEC 17025:2017 A

slightly new paradigm

Russel Ahmed
Lab Manager

January 09,2019
2:00 pm
 Topics
• Outline of new structure
• Changes
• Process
• Risk
• Some new clauses
Don't Panic.
4
 Philosophical Changes
• ISO 9001 Principles
- Risk management (9001)
• Changed Managed Processes to Process Management
- "Fit for Use/Purpose" - Validation

• Conformity vs. Compliance

• Shall, Must, Should, Where . . .

- Requirements = shall
- Should and Where = ?
 Philosophical Changes (cont)
• "Test and/or calibration"
— Replaced with laboratory to reduce confusion
— Where appropriate, it was left in the Standard

• Notes
— If the NOTE did not provide value it was removed,
moved to an Annex, otherwise it was moved to a
requirement.
Who Was the Standard Written For?

• Well......not us (Accreditation Bodies)

• A little bit for regulators / specifiers

Ultimately, it was written for the LABS

 Main Goal
Ultimately, Labs Should Be Aiming For:

Competent People +
Impartial Work +
Consistent Results
 Changes
• Does it look different?

• Didn't some procedures get

removed?
• Is there a bunch of risk talk in
the standard now?

Can we even assess to this thing?

Changes in a nutshell...

Different structure
Clarification of scope
Process approach
Risk-based thinking
Emphasis on required
outcomes vs. prescriptive
requirements

11
 CPC Mandatory Changes
• Aligned with CASCO Document Structure
Informative preliminary Title page Table of contents Foreword
Introduction (including relationship to other standards

Normative General Title

Scope
Normative references
Normative Technical Terms and definitions Requirements Structural requirements
Resource requirements (including human resources) Process
requirements (including operational functions) Management
system requirements Normative annexes

Informative supplementary Any further explanations that are not part of the normative
process
Informative annexes
Bibliography
Indexes
*ISO/CASCO Chairman’s Policy and Coordination Group
 ISO Obligatory Changes
• CPC Proc/33
- Impartiality
• General (4.1), Resource (6.2)
- Confidentiality
• General (4.2)
- Complaints
• Process (7.9)
- Management System (8)
• Option A : 17025:2005 section 4
*ISO/CASCO Chairman’s Policy and Coordination Group
• Option B : 9001 Registered/Certified Bodies
 ISO/IEC 17025 in the Past

• Previous version, 5 sections:

— Scope,
— Normative references,
— Definitions,
— Quality,
— Technical

• Lacked flow

Rev 1.1 - 09/27/17 14

 ISO/IEC 17025 Now
• Standard has 8 sections:
- Sections 1 to 3 - Scope, normative references,
definitions
— Sections 4 to 8 - start from bare ground, and build

Rev 1.1 - 09/27/17 15

 Different Structure
ISO/IEC 17025:2005
1. Scope
2. Normative references
3. Terms and definitions
4. Management
requirements
5. Technical requirements
Annex A - Nominal
crossreferences to ISO
9001:2000
Annex B - Guidelines for
establishing applications for
specific fields
DIS ISO/IEC 17025
1. Scope
2. Normative references
3. Terms and definitions
4. General requirements
5. Structural requirements
6. Resource requirements
7. Process requirements
8. Management
requirements Annex A -
Metrological traceability
Annex B - Management system
16
 The Basic Format
• Similar to other new standards \
— e.g., ISO/IEC 17020, ISO/IEC 17034 and ISO/IEC 17065.
• Will be aligned to ISO 9001:2015 principles on
resources and process.
• Follows the new ISO 9001 philosophy
— Requires less documented procedures and policies
— Focuses more on the outcomes of a process.
• Example: no longer required to maintain a current job description
(2005 - 5.2.4) but focuses on communicating to each person their
duties, responsibilities and authorities ( 2017- 6.2.4)
 Definitions (3)
• Impartiality (3.1) -
— presence of objectivity

• Laboratory (3.6) -
— body that performs one or more of the following
activities:
• calibration
• testing
• sampling, associated with subsequent calibration or testing

• Decision Rule (3.7) -

— a rule that describes how measurement uncertainty will
be accounted for when stating conformity with a specified
requirement
 Introduction / Scope
• General requirements for
competence, impartiality
and consistent operation
of laboratories as defined
in the standard.
Labs that conform with
ISO/IEC 17025 will also
operate generally in
accordance with the
principles of ISO 9001
Risk based thinking
Not full risk management
per ISO 31000 Requires
the laboratory to plan and
implement actions to
address risks and
opportunities Laboratory
is responsible for deciding
which risks and
opportunities need to be
addressed.
 Section 4 - General
• The Foundation of a Lab

Rev 1.1 - 09/27/17 20

 General
• Impartiality
- Safeguard against
- Establish structure
- Mitigate pressures
- Identify & manage risks (ongoing basis)
• Confidentiality
- Legally enforceable
- Inform customer of if public exposure of
information
- 3rd party communication requirement
 Section 5 - Org Structure
• Build the structure

Rev 1.1 - 09/27/17 22

 Structure
• Define range of laboratory activities (could be a scope)
• Conformity claims only to defined range of activities
• Added "personnel with responsibility & authority" to
implement , maintain and improve the QMS
— Removed "top" management
— Removed "quality manager"
— Removed "technical manager"
• Ensure communications...
• Maintain integrity when there are changes
 Section 6 - Resources

• Does the lab have what it needs to operate?

Rev 1.1 - 09/27/17 24

 Resources (6)
• Personnel (6.2)
- Define & Document competency and impartiality
requirements
- Authorities to develop methods, review and release reports

• Facilities (6.3)
- Suitable, monitor, control and record

• Equipment (6.4)
- Clearer definition - anything affecting the measurement
results
- Reference materials better clarified and defined
 Resources (6) cont

• Metrological Traceability (6.5)

- Clarified and moved much of 2005 content to Annex A
- Use of CRMs or calibration
- Traceability to 1° method or material when needed
• Externally provided products and services (6.6)
- Adopted and modified 9001:2015 content
- Procedure and records for
• Defining and approving requirements
• Defining criteria for selection and monitoring
• Required communication of requirements for products/services, criteria,
competence
 6. Resource requirements

6.6 Externally provided products and services

• Combines current Subcontracting and
Purchasing
• In all cases, have requirements and controls
• Communication with customer
• Select
• competent
• Control supplier
• Verify
27
 Section 7 - Lab Process

• Get the lab ready to work!

Rev 1.1 - 09/27/17 28

 Processes(7)
• Methods (7.2)
• Sampling (7.3) by lab customer or third party
• Quality Assurance (7.7) (ensuring validity)
— Equal weighting between External and Internal
Processes
• Reporting the Results (7.8)
— Common Requirements (7.8.2)
• Date of performance of the test
• Date of issuance of the report
— Measurement uncertainty - (7.8.6) & decision rules
• Same unit or relative units (%) (7.8.4.1)
 7. Process Requirements
7.7 Assuring the quality of results
• Defined by laboratory Regular use of RMs or QC materials;
Regular use of alternative instrumentation;
• Intralaborator Functional check of measuring and testing
equipment;
Use of check or working standards with
Interlaboratory control charts, where applicable;
Periodic intermediate checks on measuring
equipment;
Replicate tests or calibrations using the same
Proficiency testing; or different methods;
Interlaboratory Retesting or recalibration of retained items;
comparisons other Correlation of results for different
characteristics of an item;
than proficiency
Review of reported data;
testing Intra-laboratory comparisons;
Blind test.
30
 Processes (cont.)
• Reporting the Results (7.8)
— Statements of Conformity (7.8.6.2) - identified to
a
• Specific result,
• Specification or Standard, and
• Decision rule (3.7) applied (7.1.1.3/ 7.8.6)
— Amendments (7.8.8)
• Changes shall be clearly identified
 Section 8 - Management System

• Supporting Controls and Processes

Rev 1.1 - 09/27/17 32

 Management (8)
• Option A (Clauses 8.2-8.9)
- Addressing Risks & Opportunities (8.5)
• PDCA concept added to Standard - (control and continual
improvement of processes and products)
- Improvement (8.6) - removed Preventive Action (redundant)
• Internal audit program (8.8)
- Planned intervals
• Management Review (8.9)
- Planned intervals, new documented
inputs/outputs
 Where Did My Procedures Go?
• Before we think the sky is falling...

Ask how many of these procedures affected Technical Output

 Where Did My Procedures Go?
• Former procedure / document requirements which were
removed:
- Quality manual (ISO/IEC 17025:2005, 4.2.2)
- Quality policy statement (4.2.2)
- Many references to "Policies"
- Doc Control Procedure (4.3.1)
- Corrective Action Procedure (4.11.1)
- Preventive Action Procedure (4.12.2)
- Record Control Procedure (4.13.1)
- Internal Audit Procedure (now a program with methods) (4.14.1)
- Management Review Procedure (4.15.1)
- M.U. Procedure (5.4.6.1)
Do The Labs Need to Change?

If it ain’t
 Do The Labs Need to Change?
• "New" things that need to be added to existing practices:

- Competence instead of Qualification and Monitoring (6.2)

- Requirements for and Monitoring of Service Providers (6.6)
- More Robust Complaint Process (7.9)
- Risk Identification and Handling (4.1, 8.5, and 8.9)
- Confidentiality Requirements more detailed (4.2)
- Document "Range of Lab Activities" (5.3)
- Handling Decision Rules / Statement of Conformity (7.1 and
7.8.6)
- Records for Verifying Performance of New Methods (7.2)
- Functionality of LIM Systems (7.11)
 Mapping the Old & New
17025:2005 17025:2017
§ 4 - Management
4.1 Organization........ > §5 Structural
4.2 Management System . > 8.2
4.3 Document Control . . . > 8.3
4.4 Requests & Tenders . . > 7.1
4.5 Subcontracting...... > 6.5
4.6 Purchasing.......... > 6.6
4.7 Service to Customer . . > Entire
4.8 Complaints......... document
4.9 NCW............... > 7.9
4.10 Improvement...... > 7.10
4.11 Corrective Action . . . > 8.5, 8.6
4.12 Preventive Action . . . > 8.7
4.13 Records ........... > Removed
4.14 Internal Audits ..... > 7.5, 7.11, 8.4
4.15 Management Review > 8.8 > 8.9
 Mapping the Old & New (cont)
17025:2005 17025:2017
§ 5 - Technical
5.2 Personnel.............. .
.6.2
>
.
5.3 Accom. & Environ....... .6.3
>
5.4 Methods.............. >7.2
.
5.5 Equipment............. .6.4
>
5.6 Traceability............ >6.6, 7.6
5.7 Sampling.............. >7.3
5.8 Handling of UUT........ >7.4
.
5.9 Quality Assurance....... .7.7
>
 Documents
(those items which indicate instructions for performing
Documented Process tasks)
Procedures (Methods)
• 6.2.5 Personnel records • 7.9.1 Complaints
• 6.3.2 Environmental conditions
documented Program(me)
• 6.4.3 Handling of laboratory • 6.4.7 Calibration
equipment • 8.8.2 Internal audit
• 6.4.10 Intermediate checks Plans
• 6.5.3 b) Reference measurement • 6.4.13 g) Equipment
• 6.6.2 Externally provided products & maintenance
services • 7.2.1.6 Method development
• 7.1.1 Review of requests, tenders &
• 7.3.1 Sampling
contracts
• 7.2.1.1 Evaluation of measurement • 8.9 Management review
uncertainty
• 7.2.2.4 Validation
• 7.4.1 Handling of customer equipment
• 7.7.1 Ensuring the validity of results
• 7.10.1 Nonconforming work

(evidence that a required task was
carried out)
Record(s)
• 6.2.5 Laboratory personnel
• 6.3.3 Environmental conditions
• 6.4.13 Equipment
• 6.6.2 External providers
• 7.1.8 Contract reviews and discussions
• 7.2.1.5 Verification of methods
• 7.2.2.4 Validations
• 7.3.3 Sampling data
• 7.4.3 Deviations from specified conditions
• 7.4.3 Consultation
• 7.4.4 Specified environmental conditions
• 7.5.1 Original observations
• 7.5.2 Data files
• 7.7.1 Resultant data
• 7.8.1.1 Reports
• 7.8.7.3 Dialog with customer on opinions &
interpretations
• 7.9 Complaints
• 7.10.2 Nonconforming work
• 7.11.3 e) Information management system failures
• 8.7.3 Corrective action
• 8.8.2 Implementation of the internal audit
• 8.9.1 Inputs to management review
• 8.9.3 Outputs from management review
Records
Identify
• 4.1.4 Risks to impartiality
• 5.2 Management responsible for the laboratory
• 6.4.8 Period of validity
• 7.3.3 Sample
• 7.6.1 Contributions to measurement uncertainty
• 7.8.4.1 c) Metrological traceability
• 8.6.1 Opportunities for improvement Define
• 5.3 Range of activities
• 6.6.2 a) Laboratory requirements for external providers
• 6.6.2 b) Criteria for evaluating, . . .
• 7.1.8 Requirements for the review of requests, tenders and
contracts
Document
• 5.3 Range of activities
• 6.2.2 Competence requirements
• 6.3.2 Requirements for facilities and environmental conditions
• 6.4.13 f) Reference materials
• 7.2.1.7 Deviations
• 7.8.6.1 Decision rule
• 7.8.7.1 Opinions & interpretations
• 7.8.8.2 Amendments
• 7.9.1 Complaints
• 7.11.2 Laboratory software configuration or modification of
COTS
• 8.2.1 Policies and objectives
 Process

iMit. II. KAIII.V I'(Min ' »r IIKSSKMUH I 'OWKHTIM-. PI.ANT AT SIIKFHKI.I*

 Process Talk

Someone wants / needs something!

• A Process is basically an Activity
• Source is needed for a Process
• The Source provides Input(s) to the Process
• A Process does (something) and creates an Output
• That Output goes to a Receiver

• ISO 9001:2015 definition of Process - "set of interrelated or interacting activities that use
inputs to deliver an intended result"
 Visual

SOURCES OF RECEIVERS OF
ACTIVITIES
INPUTS OUTPUTS

Requirements
Customers Data
Resources NCW
Stakeholders Data Analysis
Identification System Internal Audits
Regulators AB Reports KPIs
Monitoring Quality Mgmt. Reviews
or Registrar Product
Control Data Customer
Measurement Unc.

Rev 1.1 - 09/27/17 44

 Handling of test or calibration items
r 7.4 ;
f> r
Calibration j test execution
Item Preparation
Sampling |—.
y 7"~'y
of item
V 7.3 )
l_J
me
»sioie scne

ttte'Opera
1 Control of data /

^
information
_ management f 7.1
Review of Selection,
Ensuring the
requests, verification
validity of
tenders and J Validation of !L) results
contracts
i method D
7.1 1 7.2 )
v

Figure B.l — Possible schematic representation of the operational processes of a laboratory

What's All This Risk Stuff?

46
 Risk

- Effect of uncertainty on objectives ISO 31000 [2.1]

 Managing Risk

TWiF
"We'ue C-orisiolereA ei>ery po+en4ia\nsK,
The n^K's of all
 Risk Responsiveness
(The Short Course)

«/,

RISK PERCEPTION RISK ANALYSIS RISK MANAGEMENT

Risk
 Risk Management

— Requires the laboratory to plan and implement

actions to address risks and opportunities.
• Establishes a basis for increasing the effectiveness of the quality
management system, achieving improved results and preventing
negative effects.
— The laboratory is responsible for deciding which
risks and opportunities need to be addressed
What Does this Mean for You?
Identify: What can happen,
when, where why and how.
Assess: Determine existing
controls, determine likelihood
and consequences leading to
estimate level of risk.
Evaluate: Compare against
criteria, Identify and weigh
options, Decide on response
and establish priorities.
Control & Monitor: Mitigate by
modifying process, document
outcomes
 Other Areas for Risk
• Using new test methods
• Using new equipment
• Hiring / Firing personnel
• Frequency of QC checks
• Frequency of
monitoring
• Defining Competence
• Detail in Purchasing
Docs
• Keeping or Deleting
Procedures
• Detail in Procedures
Internal vs External Calibrations
Calibration Intervals Service
Acceptance Criteria
Subcontractor Use Decision Rules
Acting on Non-Conformities
Resolving Complaints Corrective
Action Implementation and
Monitoring
53
 Assessing This "Risk" Thing
• All these risk areas are potential weak points
for a lab!

• No Procedures for Risk

• Few Records required (all in mgmt. rev.)

• Is this even assessable? Can we even cite

deficiencies?

54
 Assessing This "Risk" Thing
• Are the few required records present?

• Did the lab experience observed problems because

they failed to identify a risk?
• Did the lab fail to act on identified risks such that
the failure to act caused problems?

55
New stuff
 Impartiality
4.1.5 If a risk to impartiality is identified, the
laboratory shall be able to demonstrate how
it eliminates or minimizes such risk.
 Structural Requirements
5.3 The laboratory shall define and document
the range of laboratory activities for which it
conforms with this document. The laboratory
shall only claim conformity with this document
for this range of laboratory activities, which
excludes externally provided laboratory
activities on an ongoing basis.
 6.6 Externally provided
products and services
6.6.3 The laboratory shall
communicate its requirements to
external providers for:
c) competence, including any
required qualification of personnel;
d) activities that the laboratory, or
its customer, intends to perform at
the external provider's premises.
7.1 Review of requests, tenders
and contracts
• 7.1.3 When the customer requests a
statement of conformity to a specification or
standard for the test or calibration (e.g.
pass/fail, in-tolerance/out-of-tolerance), the
specification or standard and the decision rule
shall be clearly defined.
• Unless inherent in the requested
specification or standard, the decision rule
selected shall be communicated to, and
agreed with, the customer.
 7.3 Sampling
7.3.1 The laboratory shall have a sampling plan
and method when it carries out sampling ...for
subsequent testing.
The sampling method shall address the factors to
be controlled to ensure the validity of
subsequent testing or calibration results.
Sampling plans shall, whenever reasonable, be
based on appropriate statistical methods.
 7.8 Reporting of results
7.8.6 Reporting statements of conformity
7.8.6.1 When a statement of conformity to a specification or standard
is provided, the laboratory shall document the decision rule employed,
taking into account the level of risk (such as false accept and false
reject and statistical assumptions) associated with the decision rule
employed, and apply the decision rule.
NOTE Where the decision rule is prescribed by the customer, regulations or
normative documents, a further consideration of the level of risk is not necessary.

7.8.6.2 The laboratory shall report on the statement of

conformity, such that the statement clearly identifies: c) the
decision rule applied (unless it is inherent in the requested
specification or standard).
 7.9 Complaints
• 7.9.4 The laboratory receiving the complaint shall be responsible
for gathering and verifying all necessary information to validate the
complaint.
• 7.9.5 Whenever possible, the laboratory shall acknowledge receipt
of the complaint, and provide the complainant with progress
reports and the outcome.
• 7.9.6 The outcomes to be communicated to the complainant shall be
made by, or reviewed and approved by, individual(s) not involved in
the original laboratory activities in question.
NOTE This can be performed by external personnel.
• 7.9.7 Whenever possible, the laboratory shall give formal notice of
the end of the complaint handling to the complainant.
7.11 Control of data and
information management
• 7.11.4 When a laboratory
information management system is
managed and maintained off-site or
through an external provider, the
laboratory shall ensure that the
provider or operator of the system
complies with all applicable
requirements of this document.
 8.5 Actions to address risks and
opportunities (Option A)
8.5.1 The laboratory shall consider the risks
and opportunities associated with the
laboratory activities in order to: a) give
assurance that the management system
achieves its intended results; bj enhance
opportunities to achieve the purpose and
objectives of the laboratory;
c) prevent, or reduce, undesired impacts and
potential failures in the laboratory activities;
d) achieve improvement.
 8.5 Actions to address risks and
opportunities (Option A)
8.5.2 The laboratory shall plan:
a) actions to address these risks and opportunities;
b) how to:
— integrate and implement these actions into its
management system;
— evaluate the effectiveness of these actions.
8.5.3 Actions taken to address risks and opportunities shall
be proportional to the potential impact on the validity of
laboratory results.
8.9 Management reviews (Option A)
• 8.9.2 The inputs to management review shall be
recorded and shall include information related to the
following:
• a) changes in internal and external issues that are
relevant to the laboratory;
• b) fulfilment of objectives;
• d) status of actions from previous management
reviews;
• k) effectiveness of any implemented improvements;
• m) results of risk identification;
8.9 Management reviews (Option A)
8.9.3 The outputs from the management review
shall record all decisions and actions related to at
least:
a) the effectiveness of the management system
and its processes;
b) improvement of the laboratory activities
related to the fulfilment of the requirements of
this document;
c) provision of required resources;
d) any need for change.
 Summary

• Changes in 17025 focus on risk mitigation:

• Emphasis on Impartiality and Confidentiality
• But maps well to current version
• Processes occurs in all managed activities - "set of
interrelated or interacting activities that use inputs to
deliver an intended result"
• Uses business metrics:
• Requires defining goals and measuring
outcomes
 Contact Information

Russel Ahmed / Labtech Ltd

Q and A