ISO/IEC 17025:2017

A slightly new paradigm

Roger Brauninger
Biosafety Program Manager
A2LA

January 30, 2018

2:00 pm
 Topics
• Outline of new structure
• Changes
• Process
• Risk
• Some new clauses
Don’t Panic.
 ISO Process Flow
Feb Jun 2015 OCT
2015 Output WD2 & 3 2015 MAR 2016 OCT
Output of WD
1
CD1 Ballot CD2 Ballot 2016
Translation

Aug Feb
2015 2016
Output CD1 Output CD2

DEC 2016 MAY 2017 JUL 2017

DIS Ballot DG FDIS?
Preparatory
Nov 17 – Committee
RELEASE?
Inquiry
Approval
Transition
FDIS Optional Event

2/6/2018 4
 Philosophical Changes
• ISO 9001 Principles
– Risk management (9001)
• Changed Managed Processes to Process Management
– “Fit for Use/Purpose” – Validation

• Conformity vs. Compliance

• Shall, Must, Should, Where . . .

– Requirements = shall
– Should and Where __ = ~

2/6/2018 5
 Philosophical Changes (cont)
• “Test and/or calibration”
– Replaced with laboratory to reduce confusion
– Where appropriate, it was left in the Standard

• Notes
– If the NOTE did not provide value it was
removed, moved to an Annex, otherwise it was
moved to a requirement

2/6/2018 6
A Few Important Points
Who Was the Standard Written For?

• Well…… not us (Accreditation Bodies)

• A little bit for regulators / specifiers

• Ultimately, it was written for the LABS

 Main Goal
Ultimately, Labs Should Be Aiming For:

Competent People
+
Impartial Work
+
Consistent Results
__________________________________________

CUSTOMER CONFIDENCE
 Changes
• Does it look different?

• Didn’t some procedures get

removed?

• Is there a bunch of risk talk in the

standard now?

• Can we even assess to this thing?

Changes in a nutshell…
• Different structure
• Clarification of scope
• Process approach
• Risk-based thinking
• Emphasis on required
outcomes vs. prescriptive
requirements

11
 CPC Mandatory Changes
• Aligned with CASCO Document Structure

*ISO/CASCO Chairman’s Policy and Coordination Group

2/6/2018 12
 ISO Obligatory Changes
• CPC Proc/33
– Impartiality
• General (4.1), Resource (6.2)
– Confidentiality
• General (4.2)
– Complaints
• Process (7.9)
– Management System (8)
• Option A : 17025:2005 section 4
• Option B : 9001 Registered/Certified Bodies
*ISO/CASCO Chairman’s Policy and Coordination Group

2/6/2018 13
 ISO/IEC 17025 in the Past

• Previous version, 5 sections:

– Scope,
– Normative references,
– Definitions,
– Quality,
– Technical

• Lacked flow

Rev 1.1 – 09/27/17 14

 ISO/IEC 17025 Now
• Standard has 8 sections:
– Sections 1 to 3 - Scope, normative references,
definitions
– Sections 4 to 8 - start from bare ground, and build

Rev 1.1 – 09/27/17 15

 Different Structure
ISO/IEC 17025:2005
1. Scope
2. Normative references
3. Terms and definitions
4. Management
requirements
5. Technical requirements
Annex A – Nominal cross-
references to ISO 9001:2000
Annex B – Guidelines for
establishing applications for
specific fields
DIS ISO/IEC 17025
1. Scope
2. Normative references
3. Terms and definitions
4. General requirements
5. Structural requirements
6. Resource requirements
7. Process requirements
8. Management requirements
Annex A – Metrological
traceability
Annex B – Management system
16
 The Basic Format

• Similar to other new standards \

– e.g., ISO/IEC 17020, ISO/IEC 17034 and ISO/IEC 17065.
• Will be aligned to ISO 9001:2015 principles on
resources and process.
• Follows the new ISO 9001 philosophy
– Requires less documented procedures and policies
– Focuses more on the outcomes of a process.
• Example: no longer required to maintain a current job
description (2005 – 5.2.4) but focuses on communicating to
each person their duties, responsibilities and authorities
( 2017– 6.2.4)
•
 Definitions (3)
• Impartiality (3.1) –
– presence of objectivity

• Laboratory (3.6) –
– body that performs one or more of the following activities:
• calibration
• testing
• sampling, associated with subsequent calibration or testing

• Decision Rule (3.7) –

– a rule that describes how measurement uncertainty will be
accounted for when stating conformity with a specified
requirement

2/6/2018 18
 Introduction / Scope
• General requirements for
competence, impartiality
and consistent operation of
laboratories as defined in
the standard.
• Labs that conform with
ISO/IEC 17025 will also
operate generally in
accordance with the
principles of ISO 9001
• Risk based thinking
• Not full risk management
per ISO 31000
• Requires the laboratory to
plan and implement
actions to address risks and
opportunities
• Laboratory is responsible
for deciding which risks
and opportunities need to
be addressed.
19
 Section 4 - General
• The Foundation of a Lab

Rev 1.1 – 09/27/17 20

 General
• Impartiality
– Safeguard against
– Establish structure
– Mitigate pressures
– Identify & manage risks (ongoing basis)
• Confidentiality
– Legally enforceable
– Inform customer of if public exposure of
information
– 3rd party communication requirement

2/6/2018 21
 Section 5 – Org Structure
• Build the structure

Rev 1.1 – 09/27/17 22

 Structure
• Define range of laboratory activities (could be a scope)
• Conformity claims only to defined range of activities
• Added “personnel with responsibility & authority” to
implement , maintain and improve the QMS
– Removed “top” management
– Removed “quality manager”
– Removed “technical manager”
• Ensure communications…
• Maintain integrity when there are changes

5/10/2016 17025 Revision Status

 Section 6 – Resources

• Does the lab have what it needs to operate?

Rev 1.1 – 09/27/17 24

 Resources (6)
• Personnel (6.2)
– Define & Document competency and impartiality requirements
– Authorities to develop methods, review and release reports
• Facilities (6.3)
– Suitable, monitor, control and record

• Equipment (6.4)
– Clearer definition – anything affecting the measurement results
– Reference materials better clarified and defined

5/10/2016 17025 Revision Status

 Resources (6) cont

• Metrological Traceability (6.5)

– Clarified and moved much of 2005 content to Annex A
– Use of CRMs or calibration
– Traceability to 1° method or material when needed
• Externally provided products and services (6.6)
– Adopted and modified 9001:2015 content
– Procedure and records for
• Defining and approving requirements
• Defining criteria for selection and monitoring
• Required communication of requirements for products/services, criteria,
competence

5/10/2016 17025 Revision Status

 6. Resource requirements

6.6 Externally provided products and services

• Combines current Subcontracting and Purchasing
• In all cases, have requirements and controls
• Communication with customer

Supplies
• Select Competent
External services • Control Supplier
• Verify
“Subcontracting”
27
 Section 7 – Lab Process

• Get the lab ready to work!

Rev 1.1 – 09/27/17 28

 Processes (7)
• Methods (7.2)
• Sampling (7.3) by lab customer or third party
• Quality Assurance (7.7) (ensuring validity)
– Equal weighting between External and Internal
Processes
• Reporting the Results (7.8)
– Common Requirements (7.8.2)
• Date of performance of the test
• Date of issuance of the report
– Measurement uncertainty – (7.8.6) & decision rules
• Same unit or relative units (%) (7.8.4.1)

5/10/2016 17025 Revision Status

 7. Process Requirements
7.7 Assuring the quality of results
• Defined by laboratory • Regular use of RMs or QC materials;
• Regular use of alternative instrumentation;
• Intralaboratory • Functional check of measuring and testing
equipment;
• Use of check or working standards with control
• Interlaboratory charts, where applicable;
• Periodic intermediate checks on measuring
equipment;
• Replicate tests or calibrations using the same or
• Proficiency testing; different methods;
• Retesting or recalibration of retained items;
• Interlaboratory
• Correlation of results for different
comparisons other
characteristics of an item;
than proficiency • Review of reported data;
testing • Intra-laboratory comparisons;
• Blind test.

30
 Processes (cont.)
• Reporting the Results (7.8)
– Statements of Conformity (7.8.6.2) – identified to a
• Specific result,
• Specification or Standard, and
• Decision rule (3.7) applied (7.1.1.3/ 7.8.6)
– Amendments (7.8.8)
• Changes shall be clearly identified

5/10/2016 17025 Revision Status

 Section 8 – Management System

• Supporting Controls and Processes

Rev 1.1 – 09/27/17 32

 Management (8)
• Option A (Clauses 8.2-8.9)
– Addressing Risks & Opportunities (8.5)
• PDCA concept added to Standard – (control and continual
improvement of processes and products)
– Improvement (8.6) – removed Preventive Action (redundant)
• Internal audit program (8.8)
– Planned intervals
• Management Review (8.9)
– Planned intervals, new documented inputs/outputs

5/10/2016 17025 Revision Status

 Where Did My Procedures Go?
• Before we think the sky is falling…

• Ask how many of these procedures affected Technical Output

 Where Did My Procedures Go?
• Former procedure / document requirements which were
removed:
– Quality manual (ISO/IEC 17025:2005, 4.2.2)
– Quality policy statement (4.2.2)
– Many references to “Policies”
– Doc Control Procedure (4.3.1)
– Corrective Action Procedure (4.11.1)
– Preventive Action Procedure (4.12.2)
– Record Control Procedure (4.13.1)
– Internal Audit Procedure (now a program with methods) (4.14.1)
– Management Review Procedure (4.15.1)
– M.U. Procedure (5.4.6.1)
Do The Labs Need to Change?
 Do The Labs Need to Change?
• “New” things that need to be added to existing practices:

– Competence instead of Qualification and Monitoring (6.2)

– Requirements for and Monitoring of Service Providers (6.6)
– More Robust Complaint Process (7.9)
– Risk Identification and Handling (4.1, 8.5, and 8.9)
– Confidentiality Requirements more detailed (4.2)
– Document “Range of Lab Activities” (5.3)
– Handling Decision Rules / Statement of Conformity (7.1 and
7.8.6)
– Records for Verifying Performance of New Methods (7.2)
– Functionality of LIM Systems (7.11)
 Mapping the Old & New
17025:2005 17025:2017
§ 4 – Management
4.1 Organization . . . . . . . . . . . . . . . > §5 Structural
4.2 Management System . . . . . . . . > 8.2
4.3 Document Control . . . . . . . . . . . > 8.3
4.4 Requests & Tenders . . . . . . . . . > 7.1
4.5 Subcontracting . . . . . . . . . . . . . > 6.5
4.6 Purchasing . . . . . . . . . . . . . . . . > 6.6
4.7 Service to Customer . . . . . . . . . > Entire document
4.8 Complaints . . . . . . . . . . . . . . . . > 7.9
4.9 NCW . . . . . . . . . . . . . . . . . . . . . > 7.10
4.10 Improvement . . . . . . . . . . . . . . > 8.5, 8.6
4.11 Corrective Action . . . . . . . . . . . > 8.7
4.12 Preventive Action . . . . . . . . . . . > Removed
4.13 Records . . . . . . . . . . . . . . . . . . > 7.5, 7.11, 8.4
4.14 Internal Audits . . . . . . . . . . . . . > 8.8
4.15 Management Review . . . . . . . . > 8.9
Mapping the Old & New (cont)
17025:2005 17025:2017
§ 5 – Technical
5.2 Personnel . . . . . . . . . . . . . . . . > 6.2
5.3 Accom. & Environ . . . . . . . . . > 6.3
5.4 Methods . . . . . . . . . . . . . . . . . > 7.2
5.5 Equipment . . . . . . . . . . . . . . . > 6.4
5.6 Traceability . . . . . . . . . . . . . . > 6.6, 7.6
5.7 Sampling . . . . . . . . . . . . . . . . > 7.3
5.8 Handling of UUT . . . . . . . . . . . > 7.4
5.9 Quality Assurance . . . . . . . . . > 7.7
5.10 Reporting . . . . . . . . . . . . . . . > 7.8
 Documents
(those items which indicate instructions for performing tasks)

Procedures (Methods) Documented Process

• 6.2.5 Personnel records • 7.9.1 Complaints
• 6.3.2 Environmental conditions
documented Program(me)
• 6.4.3 Handling of laboratory equipment • 6.4.7 Calibration
• 6.4.10 Intermediate checks • 8.8.2 Internal audit
• 6.5.3 b) Reference measurement
• 6.6.2 Externally provided products & Plans
services • 6.4.13 g) Equipment maintenance
• 7.1.1 Review of requests, tenders & • 7.2.1.6 Method development
contracts • 7.3.1 Sampling
• 7.2.1.1 Evaluation of measurement • 8.9 Management review
uncertainty
• 7.2.2.4 Validation
• 7.4.1 Handling of customer equipment
• 7.7.1 Ensuring the validity of results
• 7.10.1 Nonconforming work
 Records
(evidence that a required task was carried out)
Record(s)
• 6.2.5 Laboratory personnel
• 6.3.3 Environmental conditions
• 6.4.13 Equipment
• 6.6.2 External providers
• 7.1.8 Contract reviews and discussions
• 7.2.1.5 Verification of methods
• 7.2.2.4 Validations
• 7.3.3 Sampling data
• 7.4.3 Deviations from specified conditions
• 7.4.3 Consultation
• 7.4.4 Specified environmental conditions
• 7.5.1 Original observations
• 7.5.2 Data files
• 7.7.1 Resultant data
• 7.8.1.1 Reports
• 7.8.7.3 Dialog with customer on opinions &
interpretations
• 7.9 Complaints
• 7.10.2 Nonconforming work
• 7.11.3 e) Information management system failures
• 8.7.3 Corrective action
• 8.8.2 Implementation of the internal audit
• 8.9.1 Inputs to management review
• 8.9.3 Outputs from management review
Identify
• 4.1.4 Risks to impartiality
• 5.2 Management responsible for the laboratory
• 6.4.8 Period of validity
• 7.3.3 Sample
• 7.6.1 Contributions to measurement uncertainty
• 7.8.4.1 c) Metrological traceability
• 8.6.1 Opportunities for improvement
Define
• 5.3 Range of activities
• 6.6.2 a) Laboratory requirements for external providers
• 6.6.2 b) Criteria for evaluating, . . .
• 7.1.8 Requirements for the review of requests, tenders
and contracts
Document
• 5.3 Range of activities
• 6.2.2 Competence requirements
• 6.3.2 Requirements for facilities and environmental
conditions
• 6.4.13 f) Reference materials
• 7.2.1.7 Deviations
• 7.8.6.1 Decision rule
• 7.8.7.1 Opinions & interpretations
• 7.8.8.2 Amendments
• 7.9.1 Complaints
• 7.11.2 Laboratory software configuration or
modification of COTS
• 8.2.1 Policies and objectives
Process
 Process Talk

Someone wants / needs something!

• A Process is basically an Activity
• Source is needed for a Process
• The Source provides Input(s) to the Process
• A Process does (something) and creates an Output
• That Output goes to a Receiver

• ISO 9001:2015 definition of Process – “set of interrelated or interacting activities that use inputs
to deliver an intended result”
 Visual

SOURCES OF RECEIVERS OF
INPUTS ACTIVITIES OUTPUTS
INPUTS OUTPUTS

Requirements Data
Customers
Resources NCW
Stakeholders Data Analysis
Identification System Internal Audits
Regulators Reports
Monitoring Mgmt. Reviews
AB or Registrar KPIs
Quality Control Data Customer
Product
Measurement Unc.

Rev 1.1 – 09/27/17 44

Figure B.1 — Possible schematic
representation f the operational processes of
a laboratory
What’s All This Risk Stuff?

46
 Risk

- Effect of uncertainty on objectives ISO 31000 [2.1]

Managing Risk
Risk Responsiveness
(The Short Course)
 Risk

RISK PROBABILITY IMPACT

 Risk Management

– Requires the laboratory to plan and implement actions

to address risks and opportunities.
• Establishes a basis for increasing the effectiveness of the
quality management system, achieving improved results and
preventing negative effects.
– The laboratory is responsible for deciding which risks
and opportunities need to be addressed
What Does this Mean for You?
Identify: What can happen, when,
where why and how.
Assess: Determine existing
controls, determine likelihood and
consequences leading to estimate
level of risk.
Evaluate: Compare against criteria,
Identify and weigh options, Decide
on response and establish
priorities.
Control & Monitor: Mitigate by
modifying process, document
outcomes
 Other Areas for Risk
• Using new test methods
• Using new equipment
• Hiring / Firing personnel
• Frequency of QC checks
• Frequency of monitoring
• Defining Competence
• Detail in Purchasing Docs
• Keeping or Deleting
Procedures
• Detail in Procedures
• Internal vs External Calibrations
• Calibration Intervals
• Service Acceptance Criteria
• Subcontractor Use
• Decision Rules
• Acting on Non-Conformities
• Resolving Complaints
• Corrective Action Implementation
and Monitoring
53
 Assessing This “Risk” Thing
• All these risk areas are potential weak points for a
lab!

• No Procedures for Risk

• Few Records required (all in mgmt. rev.)

• Is this even assessable? Can we even cite

deficiencies?

54
 Assessing This “Risk” Thing
• Are the few required records present?

• Did the lab experience observed problems because

they failed to identify a risk?

• Did the lab fail to act on identified risks such that the
failure to act caused problems?

55
New stuff
 Impartiality
4.1.5 If a risk to impartiality is identified, the
laboratory shall be able to demonstrate how it
eliminates or minimizes such risk.
 Structural Requirements
5.3 The laboratory shall define and document
the range of laboratory activities for which it
conforms with this document. The laboratory
shall only claim conformity with this document
for this range of laboratory activities, which
excludes externally provided laboratory
activities on an ongoing basis.
 6.6 Externally provided products
and services
6.6.3 The laboratory shall communicate its
requirements to external providers for:
c) competence, including any required
qualification of personnel;
d) activities that the laboratory, or its customer,
intends to perform at the external provider's
premises.
 7.1 Review of requests, tenders
and contracts
• 7.1.3 When the customer requests a statement
of conformity to a specification or standard for
the test or calibration (e.g. pass/fail, in-
tolerance/out-of-tolerance), the specification or
standard and the decision rule shall be clearly
defined.
• Unless inherent in the requested specification
or standard, the decision rule selected shall be
communicated to, and agreed with, the
customer.
 7.3 Sampling
7.3.1 The laboratory shall have a sampling
plan and method when it carries out sampling
…for subsequent testing.
The sampling method shall address the factors
to be controlled to ensure the validity of
subsequent testing or calibration results.
Sampling plans shall, whenever reasonable, be
based on appropriate statistical methods.
 7.8 Reporting of results
7.8.6 Reporting statements of conformity
7.8.6.1 When a statement of conformity to a specification or
standard is provided, the laboratory shall document the decision rule
employed, taking into account the level of risk (such as false accept
and false reject and statistical assumptions) associated with the
decision rule employed, and apply the decision rule.
NOTE Where the decision rule is prescribed by the customer, regulations or
normative documents, a further consideration of the level of risk is not
necessary.

7.8.6.2 The laboratory shall report on the statement of conformity,

such that the statement clearly identifies:
c) the decision rule applied (unless it is inherent in the requested
specification or standard).
 7.9 Complaints
• 7.9.4 The laboratory receiving the complaint shall be responsible
for gathering and verifying all necessary information to validate
the complaint.
• 7.9.5 Whenever possible, the laboratory shall acknowledge
receipt of the complaint, and provide the complainant with
progress reports and the outcome.
• 7.9.6 The outcomes to be communicated to the complainant
shall be made by, or reviewed and approved by, individual(s) not
involved in the original laboratory activities in question.
NOTE This can be performed by external personnel.
• 7.9.7 Whenever possible, the laboratory shall give formal notice
of the end of the complaint handling to the complainant.
7.11 Control of data and information
management
• 7.11.4 When a laboratory information
management system is managed and
maintained off-site or through an external
provider, the laboratory shall ensure that the
provider or operator of the system complies
with all applicable requirements of this
document.
 8.5 Actions to address risks and
opportunities (Option A)
8.5.1 The laboratory shall consider the risks and
opportunities associated with the laboratory
activities in order to:
a) give assurance that the management system
achieves its intended results;
b) enhance opportunities to achieve the purpose
and objectives of the laboratory;
c) prevent, or reduce, undesired impacts and
potential failures in the laboratory activities;
d) achieve improvement.
 8.5 Actions to address risks and
opportunities (Option A)
8.5.2 The laboratory shall plan:
a) actions to address these risks and opportunities;
b) how to:
— integrate and implement these actions into its
management system;
— evaluate the effectiveness of these actions.
8.5.3 Actions taken to address risks and opportunities
shall be proportional to the potential impact on the
validity of laboratory results.
8.9 Management reviews (Option A)

• 8.9.2 The inputs to management review shall be

recorded and shall include information related to the
following:
• a) changes in internal and external issues that are
relevant to the laboratory;
• b) fulfilment of objectives;
• d) status of actions from previous management
reviews;
• k) effectiveness of any implemented improvements;
• m) results of risk identification;
8.9 Management reviews (Option A)

8.9.3 The outputs from the management review

shall record all decisions and actions related to at
least:
a) the effectiveness of the management system
and its processes;
b) improvement of the laboratory activities
related to the fulfilment of the requirements of
this document;
c) provision of required resources;
d) any need for change.
 Summary

• Changes in 17025 focus on risk mitigation:

• Emphasis on Impartiality and Confidentiality
• But maps well to current version
• Processes occurs in all managed activities – “set of
interrelated or interacting activities that use inputs to
deliver an intended result”
• Uses business metrics:
• Requires defining goals and measuring outcomes
Contact Information

Roger M. Brauninger

BioSafety Program manager

Rbrauninger@A2ALA.org
301 644 3233

A2LA
www.A2LA.org