Introduction

In September 2015, the fifth edition of ISO 9001 [1] was published to replace the 2008 version. One of the key changes is the integration of risk-based thinking into the quality management system. As explained in the introduction of the new version, this change enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects and to make maximum use of opportunities as they arise. On implementation, the organization is required to determine the risks and opportunities that might be encountered in its daily activities and to plan actions to address them. Moreover, the organization is required to evaluate the effectiveness of these actions. As ISO/IEC 17025 basically refers to ISO 9001 for its management requirements, an alignment is necessary following the release of the 2015 version of ISO 9001. To this end, the ISO Committee on Conformity Assessment has already drafted the third edition of ISO/IEC 17025, and the draft was being circulated for voting to the national bodies of both ISO and IEC [3]. It is anticipated that the new ISO/IEC 17025 will be in place shortly to replace the existing version.

The concept of risk should not be new to testing laboratories, as it has been implicit in the previous editions of ISO 9001 and ISO/IEC 17025 [2]. For instance, a laboratory is required to carry out preventive action to eliminate potential nonconformities and to take action, appropriate to the effects of the nonconformity, to prevent recurrence [2]. However, preventive action seems to be less proactive, while risk-based thinking makes the consideration of risk integral to the quality management system. How the new thinking can be integrated into the existing system is a concern for testing laboratories. In particular, they would expect the change not to require much additional workload or many modifications to their daily operations. To address this concern, this paper attempts to explore how to implement the new change in a practical and effective way as per the requirements of ISO/IEC 17025.

Risk-based thinking

Risk is defined in ISO 31000 as the effect of uncertainty on objectives, which can have different aspects and can apply at different levels such as strategic, organization-wide, project, product and process [4]. For testing laboratories, risk may take the form of failing to meet the client’s needs, delivering incorrect analytical results to clients, failing to meet the accreditation requirements, damage to the laboratory’s reputation, etc. Risk-based thinking ensures that risks are identified, considered and controlled throughout the design and use of the quality management system.

To integrate risk-based thinking into the quality management system, the first step is perhaps an initial review of the daily procedures and activities from the perspective of risk. This is to identify weak points or potential risks, if any, that would be prone to cause errors or blunders. The draft version of the new ISO/IEC 17025 adds a number of requirements on various aspects, which can be taken as hints for avoiding potential risks in the respective aspects of laboratory operations [3]. For reference, this paper conducted an initial process review of the operations of a typical testing laboratory and identified some potential risks that might be encountered under the different aspects of the requirements.

Secondly, the laboratory may consider setting up a working group to undertake the ongoing risk management work, including risk assessment, action planning, process monitoring and reporting for review. To do this more effectively, the laboratory may wish to assign the work to a working group or taskforce already formed under the existing system for overseeing quality-related matters in the laboratory. Normally, this kind of working group has members coming from different units, with expertise in their respective testing areas and responsibility for different activities or services provided by the laboratory. With the outcome of this risk management work, the management can then explore opportunities for increasing the effectiveness of the management system, achieving improved results and preventing negative effects.

Initial process review

To facilitate a systematic process review, a process map as given in Fig. 1 is recommended, which groups the routine laboratory operations into five major areas including sample, test method, measurement, quality control and reporting of results. With reference to the hints noted in relevant clauses of the new ISO/IEC 17025, some potential risks were identified with details given below for discussion.

Fig. 1 Process map covering the major operations in a testing laboratory

Sample

Samples are entities submitted by the clients for analysis and to which the laboratory’s analytical results refer. Hence, the consequences could be serious if samples were lost or mixed up. Adopting a laboratory information management system (LIMS) may help. In particular, a LIMS provides functions for sample management such as sample registration, generation of barcode labels and sample tracking. Chains of custody and sample disposal records can also be maintained systematically. Moreover, a LIMS may be further enhanced with additional features such as subsample management and test management for samples received. However, sometimes the problems do not come from the sample recording system but occur as a result of insufficient sample storage space or limited sample handling capacity in the laboratory, especially in situations where a large volume of urgent samples is submitted at the same time. To avoid this risk, the laboratory should regularly assess its capacity for sample handling, including the available storage space. In other words, the laboratory should have an idea of how many samples it can handle and store at a time. Measures such as temporary redeployment of staff or arranging makeshift storage places should be in place for situations where the amount of input samples exceeds the capacity of the laboratory to handle.

Normally, the samples submitted go through a subsampling process before the analytical procedures. Samples which are heterogeneous in nature also need to be homogenized before subsampling. Otherwise, the analytical results obtained may not be reliable, especially when the analytes are present at trace levels. In the homogenization process, it is recommended that the whole sample submitted be taken as far as practicable. Also, there should be measures to ensure the stability of the analytes in the homogenized sample.

Test method

It is general practice that appropriate standard methods or official methods should be adopted when they are available. Otherwise, in-house developed methods may be used instead. To avoid the risk of using in-house methods which have not been fully validated, a general method validation procedure based on relevant international protocols should be available for the analysts to follow; otherwise, they might depend only on their experience when designing the method validation work. Furthermore, as suggested by the new version of ISO/IEC 17025, the laboratory should record in detail the specifications of the requirements and the means used to determine the characteristics of the method during the method validation stage. There should also be a check to ensure that the requirements have been fulfilled, and a statement on the validity. This serves not only for record purposes, but also to ensure that the method developed has been fully validated for the intended use.

An analytical method may have steps or testing parameters which are critical, for example, the amount of reagent to be added at a particular step, the waiting time for a reaction, or a particular step that should proceed immediately without delay. To avoid these critical steps or testing parameters being overlooked, they should be highlighted appropriately in the written method procedures to remind the analysts. They should also be clearly explained when providing method training for the staff concerned.

Measurement

In the measurement process, aspects such as environment, personnel, equipment and traceability would have effects on the measurement results.

Environmental conditions have an impact on chemical analysis. For example, temperature can affect sensitive analytes or the reactions involved, and so can humidity and light. In particular, failing to meet the critical environmental conditions specified by the method would lead to significant deviation in the measurement results. To prevent this risk, critical requirements on environmental conditions have to be clearly indicated in the method procedures to remind the analyst. In addition, the new version of ISO/IEC 17025 requests records of the ongoing monitoring and periodic review with respect to the required environmental conditions. This not only facilitates inspection or assessment afterward, but also reminds the analysts to observe the required environmental conditions during the analysis.

Human error is another factor that affects the reliability of the test results. Though the occurrence and subsequent outcome of this factor are usually unpredictable, strengthening staff supervision may be a feasible means to minimize the associated risk. As suggested by the new version of ISO/IEC 17025, the laboratory should have planned monitoring actions for staff. These may include on-site monitoring, oral review and checking of experimental records for work including sampling, sample analysis, data handling and reporting. For example, the checklist for sampling may include on-site inspection, while that for sample analysis may include checking whether the critical steps have been followed as per the analytical methods. Results of these monitoring actions should be maintained, and any abnormality found has to be followed up immediately. Certainly, there is no way to ensure complete elimination of the risks due to human error, but stepped-up monitoring and increased awareness may help to reduce them.

Sample analysis normally involves the use of analytical equipment. To ensure accurate measurements, the equipment has to be properly calibrated and should have its performance checked regularly. For the latter, procedures offered by international bodies like the International Organization of Legal Metrology (OIML) are commonly referred to. However, these general procedures might be conducted only once per year and may not be specific enough for the routine applications of the equipment concerned. Hence, the laboratory is recommended to check or review the performance of the equipment according to the results of the routine quality control parameters, such as method precision and system suitability, to which the performance of the equipment contributes. However, this integrated approach only works if the acceptance criteria of those quality control parameters are set according to the experimental data collected during method validation using the same equipment as in the routine analysis. There is a risk that the performance of the equipment cannot be correctly assessed if the acceptance criteria are not set appropriately, or are even set solely according to the judgment of the analyst. Moreover, to identify opportunities for further improvement, feedback from all users should be collected and recorded regularly if the equipment is shared among different personnel in the laboratory.

To establish the metrological traceability of the analytical results, appropriate and valid reference materials have to be used according to the ISO/IEC 17025 requirements. For chemical testing, two types of reference materials are normally involved: matrix reference materials and pure reference standards, used for method validation and equipment calibration, respectively (Fig. 2).

Fig. 2 Use of reference materials in chemical analysis

However, the issue of metrological traceability cannot be fully addressed only by acquiring the necessary reference materials, though even that may sometimes be difficult. More importantly, the laboratory has to take measures to preserve the integrity of the reference materials once they have been obtained. For example, the laboratory should have procedures for safe handling, transport, storage and use of reference materials to prevent contamination or deterioration. Otherwise, there is a risk of the traceability chain being broken when the property values of the reference materials alter without being noticed. For pure reference standards, the laboratory should study the stability of the working standard solutions prepared from them and establish the desirable storage conditions accordingly. Moreover, there should be procedures for monitoring the stability of these working standard solutions, and relevant records should be maintained for reference. For matrix reference materials, the storage conditions recommended by the producers have to be strictly followed, with records properly maintained. Also, to ensure that the materials are intact, they should be checked for abnormality, at least by visual inspection, before use.

Quality control

As per the ISO/IEC 17025 requirements, the laboratory needs to have quality control procedures to monitor the validity of tests undertaken and the quality of test results. Normally, the procedures consist of quality control parameters for daily analytical work and participation in proficiency testing programs, which are regarded as internal and external quality control procedures, respectively. However, there are situations where these quality control procedures might fail to tell if the quality of work was ensured.

For the internal quality control procedures, the acceptance criteria for the quality control performance parameters, such as repeatability and measurement bias, might be outdated or no longer applicable when there are deviations from the stated experimental conditions during the course of analysis. To avoid this risk, the laboratory should regularly review the acceptance criteria for the quality control parameters, especially when there are changes in the experimental conditions. Furthermore, the laboratory could take some more proactive actions as suggested by the new version of ISO/IEC 17025. These include applying alternative instrumentation with metrologically traceable results, conducting functional checks of measuring equipment, using check standards and performing periodic intermediate checks on measuring equipment. Also, when necessary, the laboratory should arrange for the reported data and quality control results to be examined by a fresh eye, i.e., laboratory personnel with relevant experience but not directly involved in the test concerned.

Regarding participation in proficiency testing programs, participating laboratories might not care much about how the assigned value and the proficiency testing standard deviation were derived as long as the z-scores they obtained were satisfactory. However, there could be situations where their performance is not truly reflected by the scores obtained, because the assigned value is biased or because the preset proficiency testing standard deviation does not fall within the allowable range agreed between the laboratory and its client. To avoid incorrect performance evaluation, the laboratory may need to review the appropriateness of the assigned value and the proficiency testing standard deviation based on the pool of the participating laboratories’ results and its clients’ requirements on the performance of the methods used. When necessary, the performance score may have to be recalculated using an appropriate proficiency testing standard deviation or a revised assigned value. If the performance is found to be questionable or unsatisfactory as indicated by the revised score, an investigation into the causes of the abnormality has to be conducted.
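The re-scoring described above can be sketched as follows; this is an added example, not part of the original paper. It assumes the conventional z-score z = (x - X) / σ with the usual ratings (|z| ≤ 2 satisfactory, 2 < |z| < 3 questionable, |z| ≥ 3 unsatisfactory), takes the median of the participants' pool as one possible revised assigned value, and uses constructed data and hypothetical function names.

```python
"""Re-scoring a proficiency testing (PT) result after reviewing the scheme parameters."""
from statistics import median

MADE_FACTOR = 1.483  # scales the median absolute deviation to a normal-equivalent SD


def z_score(result, assigned_value, sigma_pt):
    """Conventional PT z-score: distance from the assigned value in units of sigma_pt."""
    if sigma_pt <= 0:
        raise ValueError("sigma_pt must be positive")
    return (result - assigned_value) / sigma_pt


def classify(z):
    """Usual PT rating bands for a z-score."""
    magnitude = abs(z)
    if magnitude <= 2.0:
        return "satisfactory"
    if magnitude < 3.0:
        return "questionable"
    return "unsatisfactory"


def robust_consensus(pool):
    """Median and scaled MAD of the participants' results (resistant to outliers).

    Assumption: the pool median stands in for the revised assigned value.
    """
    if len(pool) < 3:
        raise ValueError("need at least three participant results")
    centre = median(pool)
    mad = median([abs(r - centre) for r in pool])
    return centre, MADE_FACTOR * mad


def review_pt_score(result, provider_value, provider_sigma, pool, client_sigma):
    """Compare the provider's score with one recomputed from the pool consensus
    and the standard deviation agreed with the client."""
    consensus, pool_sd = robust_consensus(pool)
    original = z_score(result, provider_value, provider_sigma)
    revised = z_score(result, consensus, client_sigma)
    return {
        "original_z": round(original, 2),
        "original_rating": classify(original),
        "consensus_value": consensus,
        "pool_sd": round(pool_sd, 3),
        "sigma_wider_than_agreed": provider_sigma > client_sigma,
        "revised_z": round(revised, 2),
        "revised_rating": classify(revised),
        "investigate": classify(revised) != "satisfactory",
    }


# Constructed sample data (mg/kg); not taken from any real PT round.
POOL = [9.8, 10.1, 10.2, 10.3, 10.3, 10.4, 10.5, 10.6, 11.4]

if __name__ == "__main__":
    report = review_pt_score(result=11.4, provider_value=10.0, provider_sigma=1.5,
                             pool=POOL, client_sigma=0.5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data, the provider's wide standard deviation rates the result as satisfactory, while the score recomputed against the pool consensus and the client-agreed standard deviation is questionable and triggers the investigation the text calls for.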

Reporting of results

To avoid the risk of incorrect results being reported to clients, tampering with or loss of data should always be prevented in data acquisition, transcription, processing and storage. Normally, the laboratory would have a 2-tier, or even 3-tier, data checking procedure to ensure correctness. When software is employed for data manipulation, built-in or in-house developed programs would be verified before use, with proper protection to avoid their being tampered with or altered by mistake. However, for further enhancement, it would be desirable to have these recording procedures integrated into the laboratory information management system (LIMS) as far as possible. This is to minimize the need for manual data transcription and to safeguard the integrity of data through proper electronic control means. Also, for reference purposes, the system could record any system failure and the corrective actions taken. Furthermore, to ensure data protection and security, the laboratory may need to observe relevant national or international requirements when setting up or upgrading its LIMS. This is indeed one of the additional requirements of the new ISO/IEC 17025 concerning data systems.

In cases where a statement of conformity to a specification or standard for the test is requested, the new version of ISO/IEC 17025 recommends that the laboratory document the decision rules with consideration of the associated risk. This helps maintain the consistency of the results being delivered and avoids the risk of false acceptance or rejection.

To conclude, it is worth mentioning that the points raised in the above process review are examples for reference purposes. Laboratories may arrive at different outcomes when they conduct reviews of their own. However, to gain the benefit of the review, appropriate follow-up actions should be taken afterward, for example, updating related working procedures and arranging briefing sessions for staff. Also, for continuous improvement, the laboratory should repeat the review after a certain period of time.

Integration into quality management system

To integrate risk-based thinking into the quality management system of the laboratory, something more has to be done in addition to the process review described above. Commonly, a laboratory would have a special taskforce or working group under the chairmanship of the quality manager to assist in overseeing quality-related matters, including reviewing quality documents and planning and conducting system audits. Members of the working group normally come from different units of the laboratory, with expertise in their respective testing areas and the services provided by the laboratory. Hence, an effective way to integrate risk-based thinking into the quality management system is to involve this special working group in the risk management work, including risk assessment, planning follow-up actions, progress monitoring and reporting for review. For ease of implementation, this work could first focus on the outcome or findings of external assessments and internal system audits, as the observations raised would give hints on problems or risks that need to be addressed. To link it to the quality management system and put it on an ongoing basis, a process approach as shown in Fig. 3 is recommended, which is similar to the Plan-Do-Check-Act cycle given in ISO 9001 [1]. Details of the work involved are discussed as follows.

Fig. 3 Proposed cycle of risk management work to be implemented

According to ISO 31000, risk assessment should consist of risk identification, risk analysis and risk evaluation [4]. In brief, for each observation raised in the external assessment or internal audit, the working group has to assess the possible consequence and identify whether there is a source of risk affecting the quality of the laboratory work. Members of the working group could also raise for risk assessment other quality-related issues which they encounter in their routine work. For the risks identified, the working group has to discuss and decide whether they need to be treated and recommend follow-up actions accordingly. The planned actions should be documented and recorded properly for ease of monitoring and further action if needed. Also, for effective implementation, there should be designated approving staff members and responsible staff members for the planned actions. Depending on the nature of the risk identified, the planned actions may include revising quality control plans, providing additional training on specific areas, promoting experience sharing, conducting an investigation or study, exploring opportunities for improvement, and issuing new guidelines. Members of the working group would be assigned to assist in monitoring the progress according to the proposed schedule for the planned actions. The chairman of the working group would be responsible for reporting the results of the risk assessment work and the progress of the associated follow-up actions to the management regularly. With the information gathered, the management could discuss at its management review meeting the risks identified and the actions taken to address them. Further, through the outcome of this additional risk management work, the management could explore opportunities for increasing the effectiveness of the management system, achieving improved results and preventing negative effects.

Impartiality and confidentiality

In the new ISO/IEC 17025, impartiality and confidentiality are two aspects included as general requirements, and much more detail on the requirements for these two aspects is given compared with the previous version. In particular, the laboratory is required to identify risks to its impartiality on an ongoing basis. If a risk to impartiality is identified, the laboratory shall be able to demonstrate how it eliminates or minimizes such risk. Also, the laboratory shall ensure the protection of its customers’ confidential information and shall be responsible, through enforceable commitments, for the management of all information obtained or created during the performance of laboratory activities [3]. It seems that the new ISO/IEC 17025 intends to highlight the importance of these two aspects of the requirements with respect to risk management. Procedures and notes are also given that would help avoid the possible risks. From another point of view, the new ISO/IEC 17025 seems to take this as an example illustrating how to identify and address risks related to the management system.