iso/iec 17025:2017 a slightly new paradigm · iso/iec 17025:2017 a slightly new paradigm roger...

ISO/IEC 17025:2017A slightly new paradigm

Roger BrauningerBiosafety Program Manager

A2LA

January 30, 20182:00 pm

Topics

• Outline of new structure• Changes• Process• Risk• Some new clauses

Don’t Panic.

ISO Process Flow

2/6/2018 4

Preparatory

Committee

Inquiry

Approval

Transition Event

Aug 2015

Output CD1

OCT 2015

CD1 Ballot

Jun 2015Output WD2 & 3

Feb 2015

Output of WD 1

Feb 2016

Output CD2

MAR 2016CD2 Ballot

OCT 2016

Translation

FDIS Optional

MAY 2017DG

Nov 17 –RELEASE?

JUL 2017FDIS?

DEC 2016DIS Ballot

Philosophical Changes• ISO 9001 Principles

– Risk management (9001)• Changed Managed Processes to Process Management

– “Fit for Use/Purpose” – Validation

• Conformity vs. Compliance

• Shall, Must, Should, Where . . .– Requirements = shall– Should and Where __ = ~

2/6/2018 5

Philosophical Changes (cont)

• “Test and/or calibration”– Replaced with laboratory to reduce confusion– Where appropriate, it was left in the Standard

• Notes– If the NOTE did not provide value it was

removed, moved to an Annex, otherwise it was moved to a requirement

2/6/2018 6

A Few Important Points

Who Was the Standard Written For?

• Well…… not us (Accreditation Bodies)

• A little bit for regulators / specifiers

• Ultimately, it was written for the LABS

Main GoalUltimately, Labs Should Be Aiming For:

Competent People+

Impartial Work+

Consistent Results__________________________________________

CUSTOMER CONFIDENCE

Changes• Does it look different?

• Didn’t some procedures get removed?

• Is there a bunch of risk talk in the standard now?

• Can we even assess to this thing?

Changes in a nutshell…

11

• Different structure• Clarification of scope• Process approach• Risk-based thinking• Emphasis on required

outcomes vs. prescriptive requirements

CPC Mandatory Changes• Aligned with CASCO Document Structure

2/6/2018 12

*ISO/CASCO Chairman’s Policy and Coordination Group

ISO Obligatory Changes• CPC Proc/33

– Impartiality• General (4.1), Resource (6.2)

– Confidentiality• General (4.2)

– Complaints• Process (7.9)

– Management System (8)• Option A : 17025:2005 section 4• Option B : 9001 Registered/Certified Bodies

2/6/2018 13

*ISO/CASCO Chairman’s Policy and Coordination Group

ISO/IEC 17025 in the Past

• Previous version, 5 sections:– Scope, – Normative references, – Definitions,– Quality, – Technical

• Lacked flow

Rev 1.1 – 09/27/17 14

ISO/IEC 17025 Now• Standard has 8 sections:

– Sections 1 to 3 - Scope, normative references, definitions

– Sections 4 to 8 - start from bare ground, and build

Rev 1.1 – 09/27/17 15

Different Structure

1. Scope2. Normative references3. Terms and definitions4. General requirements5. Structural requirements6. Resource requirements7. Process requirements8. Management requirementsAnnex A – Metrological traceabilityAnnex B – Management system

16

1. Scope2. Normative references3. Terms and definitions4. Management

requirements5. Technical requirementsAnnex A – Nominal cross-references to ISO 9001:2000Annex B – Guidelines for establishing applications for specific fields

ISO/IEC 17025:2005 DIS ISO/IEC 17025

The Basic Format

• Similar to other new standards \– e.g., ISO/IEC 17020, ISO/IEC 17034 and ISO/IEC 17065.

• Will be aligned to ISO 9001:2015 principles on resources and process.

• Follows the new ISO 9001 philosophy– Requires less documented procedures and policies– Focuses more on the outcomes of a process.

• Example: no longer required to maintain a current job description (2005 – 5.2.4) but focuses on communicating to each person their duties, responsibilities and authorities ( 2017– 6.2.4)

•

Definitions (3)• Impartiality (3.1) –

– presence of objectivity

• Laboratory (3.6) –– body that performs one or more of the following activities:

• calibration• testing• sampling, associated with subsequent calibration or testing

• Decision Rule (3.7) –– a rule that describes how measurement uncertainty will be

accounted for when stating conformity with a specified requirement

2/6/2018 18

• General requirements for competence, impartiality and consistent operation of laboratories as defined in the standard.

• Labs that conform with ISO/IEC 17025 will also operate generally in accordance with the principles of ISO 9001

• Risk based thinking

Introduction / Scope

19

• Not full risk management per ISO 31000

• Requires the laboratory to plan and implement actions to address risks and opportunities

• Laboratory is responsible for deciding which risks and opportunities need to be addressed.

Section 4 - General• The Foundation of a Lab

Rev 1.1 – 09/27/17 20

General

• Impartiality– Safeguard against– Establish structure– Mitigate pressures– Identify & manage risks (ongoing basis)

• Confidentiality– Legally enforceable– Inform customer of if public exposure of

information– 3rd party communication requirement

2/6/2018 21

Section 5 – Org Structure

• Build the structure

Rev 1.1 – 09/27/17 22

Structure• Define range of laboratory activities (could be a scope)• Conformity claims only to defined range of activities• Added “personnel with responsibility & authority” to

implement , maintain and improve the QMS– Removed “top” management– Removed “quality manager”– Removed “technical manager”

• Ensure communications…• Maintain integrity when there are changes

5/10/2016 17025 Revision Status

Section 6 – Resources

• Does the lab have what it needs to operate?

Rev 1.1 – 09/27/17 24

Resources (6)

• Personnel (6.2)– Define & Document competency and impartiality requirements– Authorities to develop methods, review and release reports

• Facilities (6.3) – Suitable, monitor, control and record

• Equipment (6.4)– Clearer definition – anything affecting the measurement results– Reference materials better clarified and defined

5/10/2016 17025 Revision Status

Resources (6) cont

• Metrological Traceability (6.5)– Clarified and moved much of 2005 content to Annex A– Use of CRMs or calibration– Traceability to 1° method or material when needed

• Externally provided products and services (6.6)– Adopted and modified 9001:2015 content– Procedure and records for

• Defining and approving requirements• Defining criteria for selection and monitoring• Required communication of requirements for products/services, criteria,

competence

5/10/2016 17025 Revision Status

6. Resource requirements

6.6 Externally provided products and services• Combines current Subcontracting and Purchasing• In all cases, have requirements and controls• Communication with customer

27

Supplies

External services

“Subcontracting”

• Select• Control• Verify

Competent Supplier

Section 7 – Lab Process

• Get the lab ready to work!

Rev 1.1 – 09/27/17 28

Processes (7)• Methods (7.2)• Sampling (7.3) by lab customer or third party• Quality Assurance (7.7) (ensuring validity)

– Equal weighting between External and Internal Processes

• Reporting the Results (7.8)– Common Requirements (7.8.2)

• Date of performance of the test • Date of issuance of the report

– Measurement uncertainty – (7.8.6) & decision rules• Same unit or relative units (%) (7.8.4.1)

5/10/2016 17025 Revision Status

7. Process Requirements7.7 Assuring the quality of results• Defined by laboratory• Intralaboratory

• Interlaboratory

30

• Regular use of RMs or QC materials;• Regular use of alternative instrumentation; • Functional check of measuring and testing

equipment;• Use of check or working standards with control

charts, where applicable;• Periodic intermediate checks on measuring

equipment;• Replicate tests or calibrations using the same or

different methods;• Retesting or recalibration of retained items;• Correlation of results for different

characteristics of an item;• Review of reported data;• Intra-laboratory comparisons;• Blind test.

• Proficiency testing;• Interlaboratory

comparisons other than proficiency testing

Processes (cont.)

• Reporting the Results (7.8)– Statements of Conformity (7.8.6.2) – identified to a

• Specific result,• Specification or Standard, and • Decision rule (3.7) applied (7.1.1.3/ 7.8.6)

– Amendments (7.8.8)• Changes shall be clearly identified

5/10/2016 17025 Revision Status

Section 8 – Management System

• Supporting Controls and Processes

Rev 1.1 – 09/27/17 32

Management (8)

• Option A (Clauses 8.2-8.9)– Addressing Risks & Opportunities (8.5)

• PDCA concept added to Standard – (control and continual improvement of processes and products)

– Improvement (8.6) – removed Preventive Action (redundant)

• Internal audit program (8.8)– Planned intervals

• Management Review (8.9)– Planned intervals, new documented inputs/outputs

5/10/2016 17025 Revision Status

Where Did My Procedures Go?• Before we think the sky is falling…

• Ask how many of these procedures affected Technical Output

Where Did My Procedures Go?

• Former procedure / document requirements which were removed:– Quality manual (ISO/IEC 17025:2005, 4.2.2)– Quality policy statement (4.2.2)– Many references to “Policies”– Doc Control Procedure (4.3.1) – Corrective Action Procedure (4.11.1)– Preventive Action Procedure (4.12.2)– Record Control Procedure (4.13.1)– Internal Audit Procedure (now a program with methods) (4.14.1)– Management Review Procedure (4.15.1)– M.U. Procedure (5.4.6.1)

Do The Labs Need to Change?

Do The Labs Need to Change?• “New” things that need to be added to existing practices:

– Competence instead of Qualification and Monitoring (6.2)– Requirements for and Monitoring of Service Providers (6.6)– More Robust Complaint Process (7.9)– Risk Identification and Handling (4.1, 8.5, and 8.9)– Confidentiality Requirements more detailed (4.2)– Document “Range of Lab Activities” (5.3)– Handling Decision Rules / Statement of Conformity (7.1 and

7.8.6)– Records for Verifying Performance of New Methods (7.2)– Functionality of LIM Systems (7.11)

Mapping the Old & New17025:2005

§ 4 – Management4.1 Organization . . . . . . . . . . . . . . . 4.2 Management System . . . . . . . .4.3 Document Control . . . . . . . . . . .4.4 Requests & Tenders . . . . . . . . .4.5 Subcontracting . . . . . . . . . . . . . 4.6 Purchasing . . . . . . . . . . . . . . . . 4.7 Service to Customer . . . . . . . . .4.8 Complaints . . . . . . . . . . . . . . . . 4.9 NCW . . . . . . . . . . . . . . . . . . . . .4.10 Improvement . . . . . . . . . . . . . . 4.11 Corrective Action . . . . . . . . . . .4.12 Preventive Action . . . . . . . . . . .4.13 Records . . . . . . . . . . . . . . . . . .4.14 Internal Audits . . . . . . . . . . . . .

4.15 Management Review . . . . . . . .

17025:2017

> §5 Structural> 8.2> 8.3> 7.1> 6.5> 6.6> Entire document> 7.9> 7.10> 8.5, 8.6> 8.7> Removed> 7.5, 7.11, 8.4> 8.8> 8.9

Mapping the Old & New (cont)

17025:2005§ 5 – Technical

5.2 Personnel . . . . . . . . . . . . . . . .5.3 Accom. & Environ . . . . . . . . . 5.4 Methods . . . . . . . . . . . . . . . . .5.5 Equipment . . . . . . . . . . . . . . .5.6 Traceability . . . . . . . . . . . . . . 5.7 Sampling . . . . . . . . . . . . . . . . 5.8 Handling of UUT . . . . . . . . . . .5.9 Quality Assurance . . . . . . . . .5.10 Reporting . . . . . . . . . . . . . . .

17025:2017

> 6.2> 6.3> 7.2> 6.4> 6.6, 7.6> 7.3> 7.4> 7.7> 7.8

Documents (those items which indicate instructions for performing tasks)

Procedures (Methods)• 6.2.5 Personnel records• 6.3.2 Environmental conditions

documented• 6.4.3 Handling of laboratory equipment• 6.4.10 Intermediate checks• 6.5.3 b) Reference measurement• 6.6.2 Externally provided products &

services• 7.1.1 Review of requests, tenders &

contracts• 7.2.1.1 Evaluation of measurement

uncertainty• 7.2.2.4 Validation• 7.4.1 Handling of customer equipment• 7.7.1 Ensuring the validity of results• 7.10.1 Nonconforming work

Documented Process• 7.9.1 Complaints

Program(me)• 6.4.7 Calibration• 8.8.2 Internal audit

Plans• 6.4.13 g) Equipment maintenance• 7.2.1.6 Method development• 7.3.1 Sampling• 8.9 Management review

Records (evidence that a required task was carried out)

Record(s)• 6.2.5 Laboratory personnel• 6.3.3 Environmental conditions• 6.4.13 Equipment• 6.6.2 External providers• 7.1.8 Contract reviews and discussions• 7.2.1.5 Verification of methods• 7.2.2.4 Validations• 7.3.3 Sampling data• 7.4.3 Deviations from specified conditions• 7.4.3 Consultation• 7.4.4 Specified environmental conditions• 7.5.1 Original observations• 7.5.2 Data files• 7.7.1 Resultant data• 7.8.1.1 Reports• 7.8.7.3 Dialog with customer on opinions &

interpretations• 7.9 Complaints• 7.10.2 Nonconforming work• 7.11.3 e) Information management system failures• 8.7.3 Corrective action• 8.8.2 Implementation of the internal audit• 8.9.1 Inputs to management review• 8.9.3 Outputs from management review

Identify• 4.1.4 Risks to impartiality• 5.2 Management responsible for the laboratory• 6.4.8 Period of validity• 7.3.3 Sample• 7.6.1 Contributions to measurement uncertainty• 7.8.4.1 c) Metrological traceability• 8.6.1 Opportunities for improvementDefine• 5.3 Range of activities• 6.6.2 a) Laboratory requirements for external providers• 6.6.2 b) Criteria for evaluating, . . .• 7.1.8 Requirements for the review of requests, tenders

and contractsDocument• 5.3 Range of activities• 6.2.2 Competence requirements• 6.3.2 Requirements for facilities and environmental

conditions• 6.4.13 f) Reference materials• 7.2.1.7 Deviations• 7.8.6.1 Decision rule• 7.8.7.1 Opinions & interpretations• 7.8.8.2 Amendments• 7.9.1 Complaints• 7.11.2 Laboratory software configuration or

modification of COTS• 8.2.1 Policies and objectives

Process

Process Talk

Someone wants / needs something!• A Process is basically an Activity• Source is needed for a Process• The Source provides Input(s) to the Process• A Process does (something) and creates an Output• That Output goes to a Receiver

• ISO 9001:2015 definition of Process – “set of interrelated or interacting activities that use inputs to deliver an intended result”

Visual

Rev 1.1 – 09/27/17 44

SOURCES OF INPUTS

ACTIVITIES OUTPUTSINPUTS RECEIVERS OF OUTPUTS

CustomersStakeholders

RegulatorsAB or Registrar

DataData Analysis

ReportsKPIs

Product

NCWInternal AuditsMgmt. Reviews

Customer

RequirementsResources

Identification SystemMonitoring

Quality Control DataMeasurement Unc.

Figure B.1 — Possible schematic representation f the operational processes of a laboratory

What’s All This Risk Stuff?

46

Risk

- Effect of uncertainty on objectives ISO 31000 [2.1]

Managing Risk

Risk Responsiveness (The Short Course)

Risk

RISK IMPACTPROBABILITY

Risk Management

– Requires the laboratory to plan and implement actions to address risks and opportunities.

• Establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.

– The laboratory is responsible for deciding which risks and opportunities need to be addressed

What Does this Mean for You?

Identify: What can happen, when, where why and how.Assess: Determine existing controls, determine likelihood and consequences leading to estimate level of risk.Evaluate: Compare against criteria, Identify and weigh options, Decide on response and establish priorities.Control & Monitor: Mitigate by modifying process, document outcomes

Other Areas for Risk• Using new test methods• Using new equipment• Hiring / Firing personnel• Frequency of QC checks• Frequency of monitoring• Defining Competence• Detail in Purchasing Docs• Keeping or Deleting

Procedures• Detail in Procedures

• Internal vs External Calibrations• Calibration Intervals• Service Acceptance Criteria• Subcontractor Use• Decision Rules• Acting on Non-Conformities• Resolving Complaints• Corrective Action Implementation

and Monitoring

53

Assessing This “Risk” Thing

• All these risk areas are potential weak points for a lab!

• No Procedures for Risk

• Few Records required (all in mgmt. rev.)

• Is this even assessable? Can we even cite deficiencies?

54

Assessing This “Risk” Thing• Are the few required records present?

• Did the lab experience observed problems because they failed to identify a risk?

• Did the lab fail to act on identified risks such that the failure to act caused problems?

55

New stuff

Impartiality

4.1.5 If a risk to impartiality is identified, the laboratory shall be able to demonstrate how it eliminates or minimizes such risk.

Structural Requirements

5.3 The laboratory shall define and document the range of laboratory activities for which it conforms with this document. The laboratory shall only claim conformity with this document for this range of laboratory activities, which excludes externally provided laboratory activities on an ongoing basis.

6.6 Externally provided productsand services

6.6.3 The laboratory shall communicate its requirements to external providers for:c) competence, including any required qualification of personnel;d) activities that the laboratory, or its customer, intends to perform at the external provider's premises.

7.1 Review of requests, tenders and contracts

• 7.1.3 When the customer requests a statement of conformity to a specification or standard for the test or calibration (e.g. pass/fail, in-tolerance/out-of-tolerance), the specification or standard and the decision rule shall be clearly defined.

• Unless inherent in the requested specification or standard, the decision rule selected shall be communicated to, and agreed with, the customer.

7.3 Sampling

7.3.1 The laboratory shall have a sampling plan and method when it carries out sampling …for subsequent testing. The sampling method shall address the factors to be controlled to ensure the validity of subsequent testing or calibration results. Sampling plans shall, whenever reasonable, be based on appropriate statistical methods.

7.8 Reporting of results7.8.6 Reporting statements of conformity7.8.6.1 When a statement of conformity to a specification or standard is provided, the laboratory shall document the decision rule employed, taking into account the level of risk (such as false accept and false reject and statistical assumptions) associated with the decision rule employed, and apply the decision rule.NOTE Where the decision rule is prescribed by the customer, regulations or normative documents, a further consideration of the level of risk is not necessary.

7.8.6.2 The laboratory shall report on the statement of conformity, such that the statement clearly identifies:c) the decision rule applied (unless it is inherent in the requested specification or standard).

7.9 Complaints• 7.9.4 The laboratory receiving the complaint shall be responsible

for gathering and verifying all necessary information to validate the complaint.

• 7.9.5 Whenever possible, the laboratory shall acknowledge receipt of the complaint, and provide the complainant with progress reports and the outcome.

• 7.9.6 The outcomes to be communicated to the complainant shall be made by, or reviewed and approved by, individual(s) not involved in the original laboratory activities in question.

NOTE This can be performed by external personnel.• 7.9.7 Whenever possible, the laboratory shall give formal notice

of the end of the complaint handling to the complainant.

7.11 Control of data and information management

• 7.11.4 When a laboratory information management system is managed and maintained off-site or through an external provider, the laboratory shall ensure that the provider or operator of the system complies with all applicable requirements of this document.

8.5 Actions to address risks and opportunities (Option A)

8.5.1 The laboratory shall consider the risks and opportunities associated with the laboratory activities in order to:a) give assurance that the management system achieves its intended results;b) enhance opportunities to achieve the purpose and objectives of the laboratory;c) prevent, or reduce, undesired impacts and potential failures in the laboratory activities;d) achieve improvement.

8.5 Actions to address risks and opportunities (Option A)

8.5.2 The laboratory shall plan:a) actions to address these risks and opportunities;b) how to:

— integrate and implement these actions into its management system;

— evaluate the effectiveness of these actions.8.5.3 Actions taken to address risks and opportunities shall be proportional to the potential impact on the validity of laboratory results.

8.9 Management reviews (Option A)

• 8.9.2 The inputs to management review shall be recorded and shall include information related to the following:

• a) changes in internal and external issues that are relevant to the laboratory;

• b) fulfilment of objectives; • d) status of actions from previous management

reviews;• k) effectiveness of any implemented improvements; • m) results of risk identification;

8.9 Management reviews (Option A)

8.9.3 The outputs from the management review shall record all decisions and actions related to at least:a) the effectiveness of the management system and its processes;b) improvement of the laboratory activities related to the fulfilment of the requirements of this document;c) provision of required resources;d) any need for change.

Summary

• Changes in 17025 focus on risk mitigation:• Emphasis on Impartiality and Confidentiality• But maps well to current version

• Processes occurs in all managed activities – “set of interrelated or interacting activities that use inputs to deliver an intended result”

• Uses business metrics:• Requires defining goals and measuring outcomes

Contact Information

Roger M. Brauninger

BioSafety Program manager

Rbrauninger@A2ALA.org301 644 3233

A2LAwww.A2LA.org