By Savannah Hari, QA/RA Specialist
ISO/IEC 17025:2017 includes many changes. There are three main points to keep in mind: more options, involvement of risk, updates in current technology.
ISO/IEC 17025:2017 General requirements for the competence of testing and calibration was released in Nov 2017. All accredited labs have to move to the new standard by late 2020, three years after the final version was published. There are major differences with the formatting, phrasing, and numbering of sections from the 2012 standard. Reading through the 2017 edition and creating my own cross referencing table helped me find specific differences between the two versions.
The new standard offers more flexibility in the requirements for process, procedures, and organizational responsibilities. ISO 17025:2017 section 7.10 Non-conforming Work (previously 4.9) has been made more general.
Firstly, the title in the 2017 version is simply “Nonconforming Work”, wherein it was previously “Control of nonconforming testing and/or calibration work”. Management’s responsibilities towards nonconforming work are required to be defined, in comparison to the 2015 version where management must be designated and actions “including halting of work and withholding of test reports and calibration certificates” are defined.
There are also more options in the 2017 standard. Literally. Instead of having correlating sections to Corrective Action (4.11), Preventative Action (section 4.12), and Improvement (section 4.10), the new standard has Options A and B.
Option A addresses a management system that has control of records, improvements, corrective actions, internal audits, and management reviews, for example. Option B is more suited for a laboratory that fulfils the requirements of ISO 9001, “and at least the intent of the management system requirement specified in [Option A]”. Option A includes a more detailed description of sections and their requirements.
Risk-based thinking is included throughout ISO 17025:2017. As stated in the standard, “this has enabled some reduction in prescriptive requirements”. Option A includes a section specifying that the laboratory must: consider risks associated with lab activities; plan how to address them; and evaluate the effectiveness of these actions. Section 8.5 of Option A continues: “actions taken to address risks and opportunities shall be proportional to the potential impact on the validity of laboratory results”.
A formal risk management process is not required, however application of other guidances or standards is a possibility. Risk must also be considered with corrective actions in the 2017 standard. Risks determined during planning shall be updated, if necessary, when a nonconformity occurs.
Finally, risk has been incorporated into section 7.10 Nonconforming Work of ISO 17025:2017. Actions in response to a nonconformance “are based upon the risk levels established by the laboratory”. Records of these actions must be retained.
ISO 17025:2017 addresses changes in technology made in the twelve years since the release of the second edition. Section 5.4.7 in 2005 has been expanded from “Control of data” to “Control of data and information management”. It adds that the lab shall have access to the data and information needed to perform lab activities. 2017 also addresses off-the-shelf (OTF) software. Modifications to OTS software shall be authorized, documented, and validated before implementation. However, commercial OTS software that is not modified for use is not required to be validated.
A good place to start your update to ISO 17025:2017 is to look at options available, the incorporation of risk, and to review current software being used. Creating a cross reference table to track where sections have moved in the new standard will help later when you decide what changes need to be made in your QMS procedures. It takes careful reading and may be time consuming in the beginning, however it will ensure that small changes in the new edition are not missed.