Sei sulla pagina 1di 68

ISO/IEC 17025:2017 A

slightly new paradigm


Russel Ahmed
Lab Manager

January 09,2019
2:00 pm
Topics
• Outline of new structure
• Changes
• Process
• Risk
• Some new clauses
Don't Panic.
4
Philosophical Changes
• ISO 9001 Principles
- Risk management (9001)
• Changed Managed Processes to Process Management
- "Fit for Use/Purpose" - Validation

• Conformity vs. Compliance

• Shall, Must, Should, Where . . .


- Requirements = shall
- Should and Where = ?
Philosophical Changes (cont)
• "Test and/or calibration"
— Replaced with laboratory to reduce confusion
— Where appropriate, it was left in the Standard

• Notes
— If the NOTE did not provide value it was removed,
moved to an Annex, otherwise it was moved to a
requirement.
Who Was the Standard Written For?

• Well......not us (Accreditation Bodies)

• A little bit for regulators / specifiers

Ultimately, it was written for the LABS


Main Goal
Ultimately, Labs Should Be Aiming For:

Competent People +
Impartial Work +
Consistent Results
Changes
• Does it look different?

• Didn't some procedures get


removed?
• Is there a bunch of risk talk in
the standard now?

Can we even assess to this thing?


Changes in a nutshell...

Different structure
Clarification of scope
Process approach
Risk-based thinking
Emphasis on required
outcomes vs. prescriptive
requirements

11
CPC Mandatory Changes
• Aligned with CASCO Document Structure
Informative preliminary Title page Table of contents Foreword
Introduction (including relationship to other standards

Normative General Title


Scope
Normative references
Normative Technical Terms and definitions Requirements Structural requirements
Resource requirements (including human resources) Process
requirements (including operational functions) Management
system requirements Normative annexes

Informative supplementary Any further explanations that are not part of the normative
process
Informative annexes
Bibliography
Indexes
*ISO/CASCO Chairman’s Policy and Coordination Group
ISO Obligatory Changes
• CPC Proc/33
- Impartiality
• General (4.1), Resource (6.2)
- Confidentiality
• General (4.2)
- Complaints
• Process (7.9)
- Management System (8)
• Option A : 17025:2005 section 4
*ISO/CASCO Chairman’s Policy and Coordination Group
• Option B : 9001 Registered/Certified Bodies
ISO/IEC 17025 in the Past

• Previous version, 5 sections:


— Scope,
— Normative references,
— Definitions,
— Quality,
— Technical

• Lacked flow

Rev 1.1 - 09/27/17 14


ISO/IEC 17025 Now
• Standard has 8 sections:
- Sections 1 to 3 - Scope, normative references,
definitions
— Sections 4 to 8 - start from bare ground, and build

Rev 1.1 - 09/27/17 15


Different Structure
ISO/IEC 17025:2005 DIS ISO/IEC 17025
1. Scope 1. Scope
2. Normative references 2. Normative references
3. Terms and definitions 3. Terms and definitions
4. Management 4. General requirements
requirements 5. Structural requirements
5. Technical requirements
6. Resource requirements
Annex A - Nominal 7. Process requirements
crossreferences to ISO
8. Management
9001:2000
Annex B - Guidelines for requirements Annex A -
establishing applications for Metrological traceability
specific fields Annex B - Management system
16
The Basic Format
• Similar to other new standards \
— e.g., ISO/IEC 17020, ISO/IEC 17034 and ISO/IEC 17065.
• Will be aligned to ISO 9001:2015 principles on
resources and process.
• Follows the new ISO 9001 philosophy
— Requires less documented procedures and policies
— Focuses more on the outcomes of a process.
• Example: no longer required to maintain a current job description
(2005 - 5.2.4) but focuses on communicating to each person their
duties, responsibilities and authorities ( 2017- 6.2.4)
Definitions (3)
• Impartiality (3.1) -
— presence of objectivity

• Laboratory (3.6) -
— body that performs one or more of the following
activities:
• calibration
• testing
• sampling, associated with subsequent calibration or testing

• Decision Rule (3.7) -


— a rule that describes how measurement uncertainty will
be accounted for when stating conformity with a specified
requirement
Introduction / Scope
• General requirements for
competence, impartiality
and consistent operation
of laboratories as defined
in the standard. Not full risk management
per ISO 31000 Requires
Labs that conform with the laboratory to plan and
ISO/IEC 17025 will also implement actions to
operate generally in address risks and
opportunities Laboratory
accordance with the is responsible for deciding
principles of ISO 9001 which risks and
Risk based thinking opportunities need to be
addressed.
Section 4 - General
• The Foundation of a Lab

Rev 1.1 - 09/27/17 20


General
• Impartiality
- Safeguard against
- Establish structure
- Mitigate pressures
- Identify & manage risks (ongoing basis)
• Confidentiality
- Legally enforceable
- Inform customer of if public exposure of
information
- 3rd party communication requirement
Section 5 - Org Structure
• Build the structure

Rev 1.1 - 09/27/17 22


Structure
• Define range of laboratory activities (could be a scope)
• Conformity claims only to defined range of activities
• Added "personnel with responsibility & authority" to
implement , maintain and improve the QMS
— Removed "top" management
— Removed "quality manager"
— Removed "technical manager"
• Ensure communications...
• Maintain integrity when there are changes
Section 6 - Resources

• Does the lab have what it needs to operate?

Rev 1.1 - 09/27/17 24


Resources (6)
• Personnel (6.2)
- Define & Document competency and impartiality
requirements
- Authorities to develop methods, review and release reports

• Facilities (6.3)
- Suitable, monitor, control and record

• Equipment (6.4)
- Clearer definition - anything affecting the measurement
results
- Reference materials better clarified and defined
Resources (6) cont

• Metrological Traceability (6.5)


- Clarified and moved much of 2005 content to Annex A
- Use of CRMs or calibration
- Traceability to 1° method or material when needed
• Externally provided products and services (6.6)
- Adopted and modified 9001:2015 content
- Procedure and records for
• Defining and approving requirements
• Defining criteria for selection and monitoring
• Required communication of requirements for products/services, criteria,
competence
6. Resource requirements

6.6 Externally provided products and services


• Combines current Subcontracting and
Purchasing
• In all cases, have requirements and controls
• Communication with customer
• Select
• competent
• Control supplier
• Verify
27
Section 7 - Lab Process

• Get the lab ready to work!

Rev 1.1 - 09/27/17 28


Processes(7)
• Methods (7.2)
• Sampling (7.3) by lab customer or third party
• Quality Assurance (7.7) (ensuring validity)
— Equal weighting between External and Internal
Processes
• Reporting the Results (7.8)
— Common Requirements (7.8.2)
• Date of performance of the test
• Date of issuance of the report
— Measurement uncertainty - (7.8.6) & decision rules
• Same unit or relative units (%) (7.8.4.1)
7. Process Requirements
7.7 Assuring the quality of results
• Defined by laboratory Regular use of RMs or QC materials;
Regular use of alternative instrumentation;
• Intralaborator Functional check of measuring and testing
equipment;
Use of check or working standards with
Interlaboratory control charts, where applicable;
Periodic intermediate checks on measuring
equipment;
Replicate tests or calibrations using the same
Proficiency testing; or different methods;
Interlaboratory Retesting or recalibration of retained items;
comparisons other Correlation of results for different
characteristics of an item;
than proficiency
Review of reported data;
testing Intra-laboratory comparisons;
Blind test.
30
Processes (cont.)
• Reporting the Results (7.8)
— Statements of Conformity (7.8.6.2) - identified to
a
• Specific result,
• Specification or Standard, and
• Decision rule (3.7) applied (7.1.1.3/ 7.8.6)
— Amendments (7.8.8)
• Changes shall be clearly identified
Section 8 - Management System

• Supporting Controls and Processes

Rev 1.1 - 09/27/17 32


Management (8)
• Option A (Clauses 8.2-8.9)
- Addressing Risks & Opportunities (8.5)
• PDCA concept added to Standard - (control and continual
improvement of processes and products)
- Improvement (8.6) - removed Preventive Action (redundant)
• Internal audit program (8.8)
- Planned intervals
• Management Review (8.9)
- Planned intervals, new documented
inputs/outputs
Where Did My Procedures Go?
• Before we think the sky is falling...

Ask how many of these procedures affected Technical Output


Where Did My Procedures Go?
• Former procedure / document requirements which were
removed:
- Quality manual (ISO/IEC 17025:2005, 4.2.2)
- Quality policy statement (4.2.2)
- Many references to "Policies"
- Doc Control Procedure (4.3.1)
- Corrective Action Procedure (4.11.1)
- Preventive Action Procedure (4.12.2)
- Record Control Procedure (4.13.1)
- Internal Audit Procedure (now a program with methods) (4.14.1)
- Management Review Procedure (4.15.1)
- M.U. Procedure (5.4.6.1)
Do The Labs Need to Change?

If it ain’t
Do The Labs Need to Change?
• "New" things that need to be added to existing practices:

- Competence instead of Qualification and Monitoring (6.2)


- Requirements for and Monitoring of Service Providers (6.6)
- More Robust Complaint Process (7.9)
- Risk Identification and Handling (4.1, 8.5, and 8.9)
- Confidentiality Requirements more detailed (4.2)
- Document "Range of Lab Activities" (5.3)
- Handling Decision Rules / Statement of Conformity (7.1 and
7.8.6)
- Records for Verifying Performance of New Methods (7.2)
- Functionality of LIM Systems (7.11)
Mapping the Old & New
17025:2005 17025:2017
§ 4 - Management
4.1 Organization........ > §5 Structural
4.2 Management System . > 8.2
4.3 Document Control . . . > 8.3
4.4 Requests & Tenders . . > 7.1
4.5 Subcontracting...... > 6.5
4.6 Purchasing.......... > 6.6
4.7 Service to Customer . . > Entire
4.8 Complaints......... document
4.9 NCW............... > 7.9
4.10 Improvement...... > 7.10
4.11 Corrective Action . . . > 8.5, 8.6
4.12 Preventive Action . . . > 8.7
4.13 Records ........... > Removed
4.14 Internal Audits ..... > 7.5, 7.11, 8.4
4.15 Management Review > 8.8 > 8.9
Mapping the Old & New (cont)
17025:2005 17025:2017
§ 5 - Technical
5.2 Personnel.............. .
.6.2
>
.
5.3 Accom. & Environ....... .6.3
>
5.4 Methods.............. >7.2
.
5.5 Equipment............. .6.4
>
5.6 Traceability............ >6.6, 7.6
5.7 Sampling.............. >7.3
5.8 Handling of UUT........ >7.4
.
5.9 Quality Assurance....... .7.7
>
Documents
(those items which indicate instructions for performing
Documented Process tasks)
Procedures (Methods)
• 6.2.5 Personnel records • 7.9.1 Complaints
• 6.3.2 Environmental conditions
documented Program(me)
• 6.4.3 Handling of laboratory • 6.4.7 Calibration
equipment • 8.8.2 Internal audit
• 6.4.10 Intermediate checks Plans
• 6.5.3 b) Reference measurement • 6.4.13 g) Equipment
• 6.6.2 Externally provided products & maintenance
services • 7.2.1.6 Method development
• 7.1.1 Review of requests, tenders &
• 7.3.1 Sampling
contracts
• 7.2.1.1 Evaluation of measurement • 8.9 Management review
uncertainty
• 7.2.2.4 Validation
• 7.4.1 Handling of customer equipment
• 7.7.1 Ensuring the validity of results
• 7.10.1 Nonconforming work
Records
(evidence that a required task was
carried out) Identify
• 4.1.4 Risks to impartiality
• 5.2 Management responsible for the laboratory
Record(s) • 6.4.8 Period of validity
• 6.2.5 Laboratory personnel • 7.3.3 Sample
• 6.3.3 Environmental conditions • 7.6.1 Contributions to measurement uncertainty
• 6.4.13 Equipment • 7.8.4.1 c) Metrological traceability
• 6.6.2 External providers • 8.6.1 Opportunities for improvement Define
• 7.1.8 Contract reviews and discussions • 5.3 Range of activities
• 7.2.1.5 Verification of methods • 6.6.2 a) Laboratory requirements for external providers
• 7.2.2.4 Validations • 6.6.2 b) Criteria for evaluating, . . .
• 7.3.3 Sampling data • 7.1.8 Requirements for the review of requests, tenders and
• 7.4.3 Deviations from specified conditions contracts
• 7.4.3 Consultation Document
• 7.4.4 Specified environmental conditions • 5.3 Range of activities
• 7.5.1 Original observations • 6.2.2 Competence requirements
• 7.5.2 Data files • 6.3.2 Requirements for facilities and environmental conditions
• 7.7.1 Resultant data • 6.4.13 f) Reference materials
• 7.8.1.1 Reports • 7.2.1.7 Deviations
• 7.8.7.3 Dialog with customer on opinions & • 7.8.6.1 Decision rule
interpretations
• 7.8.7.1 Opinions & interpretations
• 7.9 Complaints
• 7.8.8.2 Amendments
• 7.10.2 Nonconforming work
• 7.9.1 Complaints
• 7.11.3 e) Information management system failures • 7.11.2 Laboratory software configuration or modification of
• 8.7.3 Corrective action COTS
• 8.8.2 Implementation of the internal audit • 8.2.1 Policies and objectives
• 8.9.1 Inputs to management review
• 8.9.3 Outputs from management review
Process

iMit. II. KAIII.V I'(Min ' »r IIKSSKMUH I 'OWKHTIM-. PI.ANT AT SIIKFHKI.I*


Process Talk

Someone wants / needs something!


• A Process is basically an Activity
• Source is needed for a Process
• The Source provides Input(s) to the Process
• A Process does (something) and creates an Output
• That Output goes to a Receiver

• ISO 9001:2015 definition of Process - "set of interrelated or interacting activities that use
inputs to deliver an intended result"
Visual

SOURCES OF RECEIVERS OF
ACTIVITIES
INPUTS OUTPUTS

Requirements
Customers Data
Resources NCW
Stakeholders Data Analysis
Identification System Internal Audits
Regulators AB Reports KPIs
Monitoring Quality Mgmt. Reviews
or Registrar Product
Control Data Customer
Measurement Unc.

Rev 1.1 - 09/27/17 44


Handling of test or calibration items
r 7.4 ;
f> r
Calibration j test execution
Item Preparation
Sampling |—.
y 7"~'y
of item
V 7.3 )
l_J
me
»sioie scne

ttte'Opera
1 Control of data /

^
information
_ management f 7.1
Review of Selection,
Ensuring the
requests, verification
validity of
tenders and J Validation of !L) results
contracts
i method D
7.1 1 7.2 )
v

Figure B.l — Possible schematic representation of the operational processes of a laboratory


What's All This Risk Stuff?

46
Risk

- Effect of uncertainty on objectives ISO 31000 [2.1]


Managing Risk

TWiF
"We'ue C-orisiolereA ei>ery po+en4ia\nsK,
The n^K's of all
Risk Responsiveness
(The Short Course)

«/,

RISK PERCEPTION RISK ANALYSIS RISK MANAGEMENT


Risk
Risk Management

— Requires the laboratory to plan and implement


actions to address risks and opportunities.
• Establishes a basis for increasing the effectiveness of the quality
management system, achieving improved results and preventing
negative effects.
— The laboratory is responsible for deciding which
risks and opportunities need to be addressed
What Does this Mean for You?
Identify: What can happen,
when, where why and how.
Assess: Determine existing
controls, determine likelihood
and consequences leading to
estimate level of risk.
Evaluate: Compare against
criteria, Identify and weigh
options, Decide on response
and establish priorities.
Control & Monitor: Mitigate by
modifying process, document
outcomes
Other Areas for Risk
• Using new test methods Internal vs External Calibrations
• Using new equipment Calibration Intervals Service
• Hiring / Firing personnel Acceptance Criteria
• Frequency of QC checks Subcontractor Use Decision Rules
• Frequency of Acting on Non-Conformities
monitoring Resolving Complaints Corrective
• Defining Competence Action Implementation and
• Detail in Purchasing Monitoring
Docs
• Keeping or Deleting
Procedures
• Detail in Procedures 53
Assessing This "Risk" Thing
• All these risk areas are potential weak points
for a lab!

• No Procedures for Risk

• Few Records required (all in mgmt. rev.)

• Is this even assessable? Can we even cite


deficiencies?

54
Assessing This "Risk" Thing
• Are the few required records present?

• Did the lab experience observed problems because


they failed to identify a risk?
• Did the lab fail to act on identified risks such that
the failure to act caused problems?

55
New stuff
Impartiality
4.1.5 If a risk to impartiality is identified, the
laboratory shall be able to demonstrate how
it eliminates or minimizes such risk.
Structural Requirements
5.3 The laboratory shall define and document
the range of laboratory activities for which it
conforms with this document. The laboratory
shall only claim conformity with this document
for this range of laboratory activities, which
excludes externally provided laboratory
activities on an ongoing basis.
6.6 Externally provided
products and services
6.6.3 The laboratory shall
communicate its requirements to
external providers for:
c) competence, including any
required qualification of personnel;
d) activities that the laboratory, or
its customer, intends to perform at
the external provider's premises.
7.1 Review of requests, tenders
and contracts
• 7.1.3 When the customer requests a
statement of conformity to a specification or
standard for the test or calibration (e.g.
pass/fail, in-tolerance/out-of-tolerance), the
specification or standard and the decision rule
shall be clearly defined.
• Unless inherent in the requested
specification or standard, the decision rule
selected shall be communicated to, and
agreed with, the customer.
7.3 Sampling
7.3.1 The laboratory shall have a sampling plan
and method when it carries out sampling ...for
subsequent testing.
The sampling method shall address the factors to
be controlled to ensure the validity of
subsequent testing or calibration results.
Sampling plans shall, whenever reasonable, be
based on appropriate statistical methods.
7.8 Reporting of results
7.8.6 Reporting statements of conformity
7.8.6.1 When a statement of conformity to a specification or standard
is provided, the laboratory shall document the decision rule employed,
taking into account the level of risk (such as false accept and false
reject and statistical assumptions) associated with the decision rule
employed, and apply the decision rule.
NOTE Where the decision rule is prescribed by the customer, regulations or
normative documents, a further consideration of the level of risk is not necessary.

7.8.6.2 The laboratory shall report on the statement of


conformity, such that the statement clearly identifies: c) the
decision rule applied (unless it is inherent in the requested
specification or standard).
7.9 Complaints
• 7.9.4 The laboratory receiving the complaint shall be responsible
for gathering and verifying all necessary information to validate the
complaint.
• 7.9.5 Whenever possible, the laboratory shall acknowledge receipt
of the complaint, and provide the complainant with progress
reports and the outcome.
• 7.9.6 The outcomes to be communicated to the complainant shall be
made by, or reviewed and approved by, individual(s) not involved in
the original laboratory activities in question.
NOTE This can be performed by external personnel.
• 7.9.7 Whenever possible, the laboratory shall give formal notice of
the end of the complaint handling to the complainant.
7.11 Control of data and
information management
• 7.11.4 When a laboratory
information management system is
managed and maintained off-site or
through an external provider, the
laboratory shall ensure that the
provider or operator of the system
complies with all applicable
requirements of this document.
8.5 Actions to address risks and
opportunities (Option A)
8.5.1 The laboratory shall consider the risks
and opportunities associated with the
laboratory activities in order to: a) give
assurance that the management system
achieves its intended results; bj enhance
opportunities to achieve the purpose and
objectives of the laboratory;
c) prevent, or reduce, undesired impacts and
potential failures in the laboratory activities;
d) achieve improvement.
8.5 Actions to address risks and
opportunities (Option A)
8.5.2 The laboratory shall plan:
a) actions to address these risks and opportunities;
b) how to:
— integrate and implement these actions into its
management system;
— evaluate the effectiveness of these actions.
8.5.3 Actions taken to address risks and opportunities shall
be proportional to the potential impact on the validity of
laboratory results.
8.9 Management reviews (Option A)
• 8.9.2 The inputs to management review shall be
recorded and shall include information related to the
following:
• a) changes in internal and external issues that are
relevant to the laboratory;
• b) fulfilment of objectives;
• d) status of actions from previous management
reviews;
• k) effectiveness of any implemented improvements;
• m) results of risk identification;
8.9 Management reviews (Option A)
8.9.3 The outputs from the management review
shall record all decisions and actions related to at
least:
a) the effectiveness of the management system
and its processes;
b) improvement of the laboratory activities
related to the fulfilment of the requirements of
this document;
c) provision of required resources;
d) any need for change.
Summary

• Changes in 17025 focus on risk mitigation:


• Emphasis on Impartiality and Confidentiality
• But maps well to current version
• Processes occurs in all managed activities - "set of
interrelated or interacting activities that use inputs to
deliver an intended result"
• Uses business metrics:
• Requires defining goals and measuring
outcomes
Contact Information

Russel Ahmed / Labtech Ltd

Q and A