The Most Used Quality Standard for Test and Calibration Laboratories Undergoes a Revision
Based on an initiation of a new work item proposal (NWIP) by the International Laboratory Accreditation Cooperation (ILAC) and the South African Bureau of Standards (SABS) in 2014, the ISO policy committee on conformity assessment (ISO/CASCO) started the process of the revision of ISO/IEC 17025-2005 after approval of the NWIP in October 2014. A specific working group, CASCO WG44, was established that consisted of delegates of membership organizations (about 75) as well as experts from liaison organizations (about 20) and three conveners.
The first WG meeting took place in February 2015 in Geneva, Switzerland, where a work plan for the new revision of the standards and a time line was established. The subsequent meetings led to the circulation of two committee drafts to comment and vote on by the CASCO membership. At the last WG44 meeting in July 2017, the comments received on the Draft International Standard (DIS) were discussed and the Final Draft International Standard (FDIS) was prepared for circulation and final vote. The revised standard, ISO 17025-2017, was published in November 2017.
This article will summarize the major changes of the new revision of ISO/IEC 17025-2005, present the new outline of the standard and will discuss the new concept of a “risk-based” approach of implementing requirements. In particular, a commonly used risk management tool will be introduced and applied to the analysis of potential risks to impartiality – a new requirement for test and calibration laboratories to implement.
Introduction
Since the 1970s, ISO/CASCO has published a series of international standards and guides (e.g., ISO/IEC 17025:2005, ISO/IEC 17020:2012 and ISO/IEC 17065:2012) that contain internationally agreed provisions for conformity assessment. These International Standards and Guides are revised and republished on a regular basis and are known collectively as the “ISO/CASCO toolbox.” As part of this on-going maintenance effort, ISO/IEC 17025 has been revised.
There are currently more than 43,000 testing and calibration laboratories accredited to ISO/IEC 17025
by 85 ILAC full member accreditation bodies that are signatories to the ILAC mutual recognition arrangement (MRA). These 85 accreditation bodies represent 70 different economies.
ISO/IEC 17025 itself is utilized in different ways by different parties involved in the accreditation process. Laboratories use it to develop their quality management system for quality, administration and technical operations, and to demonstrate their competence to carry out specific test or calibration activities. Accreditation bodies use this standard in the accreditation process to confirm and recognize the competence of the laboratories to perform specific tasks. The granted accreditation is then very often used by regulators and other recognizing bodies or organizations as a prerequisite for recognition of a testing laboratory to perform work under specific program requirements. Therefore, changes to this standard may have a significant impact on laboratories and associated parties all over the world.
The 2017 revision of the standard looks significantly different from the 2005 version, due to the adoption of the mandatory requirements specified by ISO/CASCO in QS-CAS-PROC/33 and the new structure of the standard which is to be consistent with CASCO Resolution 12/2002 (covered in QS-CAS-PROC/01). Document QS-CAS-PROC/33 covers requirements concerning impartiality, confidentiality, complaints/appeals and management system requirements; resolution 12/2002 addresses the mandatory layout of CASCO standards in a defined order which includes:
- Terms and definitions
- Structural requirements
- Resource requirements (including human resources)
- Process requirements (including operational functions)
- Management system requirements
- Normative annexes
Furthermore, risk-based thinking, applied in the new revision of ISO/IEC 17025, has enabled some reduction in prescriptive requirements and their replacement by performance-based requirements. There is greater flexibility than in ISO/IEC 17025:2005 in the requirements for processes, procedures, documented information and organizational responsibilities. This means that fewer requirements for the preparation and implementation of documented policies and procedures are called out and the focus is much more on the outcome of an implemented process or effort. A laboratory can now decide how to implement certain requirements to ensure confidentiality of information or avoid involvement of staff members in any activities that would adversely affect the competence, impartiality or judgement of the laboratory.
For these reasons, the appearance of the new revision of ISO/IEC 17025 is significantly different from the 2005 version, but most of the actual requirements do not differ significantly from current requirements, except for a few clauses and the introduction of risk-based thinking.
The following clauses do include some new requirements, specifically around impartiality and risks to impartiality (clause 4.1), or streamlined requirements for externally provided products and services (clause 6.6), as well as more refined requirements for assuring the validity of results (clause 7.7). These and additional requirements will be briefly discussed in this article as well.
Risk to Impartiality
The new revision of ISO/IEC 17025 calls out requirements for impartiality in clause 4.1., stating that the laboratory management must commit to impartiality, and that the laboratory must ensure impartiality in all its activities and not allow commercial, financial or other pressures to compromise impartiality. Furthermore, the laboratory must identify risks to its impartiality on an on-going basis and take action if such a risk is identified. The term “impartiality” is defined in clause 3.1 as “presence of objectivity.” Further explanation is provided in a note to 3.1, stating that “Objectivity is understood to mean that conflicts of interest do not exist, or are resolved so as not to adversely influence the activities of the laboratory.”
Other terms that are useful in conveying the concept of impartiality are freedom from conflicts of interest, freedom from bias, freedom from prejudice, neutrality, fairness, open-mindedness, even-handedness, detachment and balance.
Impartiality is the principle that decisions are based on objective evidence obtained during the performance of the laboratory’s activities (e.g., EMC testing), not on the basis of bias or prejudice caused by influence of different interests of individuals or other involved parties. Impartiality is mainly assured by independence of staff, competence of staff members and exercising due professional care in conducting the laboratory activities.
With this background information, the laboratory must determine potential adverse situations that could represent a risk to impartiality. Threats to impartiality are to be permanently identified, reviewed and controlled to safeguard Impartiality. The standard does not state how to determine and analyze potential risks, and it is not expected that laboratories perform a risk analysis for example in accordance with ISO 31000. A risk analysis can be performed using either one of the available risk management tools like the failure mode and effects analysis (FMEA) or a less formal approach which considers the frequency of occurrence of a risk, the severity of a situation and a risk category. Both approaches are discussed below.
Impartiality Risk Analysis – a Less Formal Approach
It is assumed that the following risks to impartiality in an EMC testing laboratory have been identified:
- Provision of consultancy (e.g., EMI troubleshooting)
- Promoting the laboratory’s services, and then conducting testing activities
- Delivery of technical training, then conducting testing activities
- Performing testing for a client within a specified period of previous employment
- Familiarity of test engineer with client
- Financial pressure to produce favorable testing outcome
- Other pressure to produce favorable testing outcome
- Relationships of group or person involved directly or indirectly in the testing process
- Confidentiality of test data
- Client requests specific test engineer
- Falsification of test records
- Risk with respect to involvement of other branches of the laboratory
- Perceived pressure/stress by personnel in the testing process
Each of these identified risks can now be analyzed using the following ranking system, shown in Tables 1, 2, and 3.
FREQUENCY OF OCCURENCE | |
A Frequent | 3 or more times per year |
B Occasional | 1 to 2 times per year |
C Rarely | Less than once per year |
Table 1: Frequency of risk factor occurrence
SEVERITY OF RISK FACTOR | |
I | Critical: may affect test results |
II | Important: requires laboratory management intervention |
III | Insignificant/Negligible: no risk to impartiality |
Table 2: Severity of risk factor
RISK CATEGORY | ||||
FREQUENCY OF OCCURENCE |
A | |||
B | ||||
C | ||||
III | II | I | ||
SEVERITY OF INCIDENT |
Legend:
Unacceptable Risk | |
Serious Risk | |
Acceptable Risk |
Table 3: Categories of risk
It should be noted that the ranking system can be more or less complex or elaborate, based on the needs and goals of risk assessment in a laboratory. The presented ranking merely serves as an example to illustrate the approach that can be taken to analyze the potential risks to impartiality.
The evaluation of the identified risk factors is performed using the tabular approach presented below:
Potential Risk | Testing staff (employees, contractors or subcontractors) providing consultancy |
Source of Risk | Testing personnel |
Frequency of Occurrence | Rarely |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Annual written acknowledgement of the conflict of interest policy 3) Strict separation of staff members providing consulting from testing activities to avoid any possible conflict of interest through scheduling and implemented policy 4) If subcontractors are used to perform testing activities it will be ensured through contractual means that either exiting conflict of interest situations will be disclosed or the non-existence of a conflict of interest will be stated, both in writing, before accepting subcontracted work |
Monitoring | 1) Annual review of conflict of interest acknowledgements 2) Update and review of consulting staff member listings and sharing with scheduler 3) Review of subcontractor contracts and conflict of interest declarations |
Corrective Actions/ Responsibilities | 1) Based on the detection of the conflict of interest staff member may have to be re-educated on importance of disclosure 2) Upon detection / declaration of a possible conflict of interest based on consultancy personnel is excluded from specific testing activities. |
Risk scenario 1: Provision of consultancy (e.g., EMI troubleshooting)
Potential Risk | Testing staff (employees or contractors) promoting testing (and other) services |
Source of Risk | Testing personnel |
Frequency of Occurrence | Rarely |
Severity of Risk | II – Important |
Evaluation of Risk Factor | Acceptable risk |
Preventive Measures | 1) Testing staff are only permitted to refer existing clients to sales staff for future testing needs 2) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 3) Test applications are handled by sales or administration staff directly with customers (contract review process) 4) Scheduling and assignment of testing staff by scheduler who has access to identified conflicts of interest. 5) Testing personnel will not receive additional payment for the soliciting new testing work. |
Monitoring | 1) Annual review of conflict of interest acknowledgements 2) Review of contract review records to determine if referrals from testing staff does occur |
Corrective Actions/ Responsibilities | 1) If test engineer promotes services a possible re-education about conflict of interest may be warranted 2) Sales / administrative staff to determine and document if referrals from testing staff do occur. |
Risk scenario 2: Promoting the laboratory’s services and then conducting testing activities
Potential Risk | Testing staff (employees, contractors) providing training and subsequently testing services |
Source of Risk | Testing personnel |
Frequency of Occurrence | Rarely |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Training is organized by administrative or sales staff, which will ensure that the same technical personnel will not be assigned to subsequent testing activities of the same client. |
Monitoring | 1) Annual review of conflict of interest acknowledgements 2) Update and review of training staff member listings and sharing with scheduler |
Corrective Actions/ Responsibilities | 1) Based on the detection of the conflict of interest staff member may have to be re-educated on importance of disclosure 2) Upon detection / declaration of a possible conflict of interest based on training personnel is excluded from specific testing activities. |
Risk scenario 3: Delivery of technical training then conducting testing activities
Potential Risk | Testing staff (employees, contractors) providing testing services within a specified period of employment |
Source of Risk | Testing personnel (including contractors) |
Frequency of Occurrence | Rarely |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Annual written acknowledgement of the conflict of interest policy 3) Regular training of all staff members to emphasize importance of conflict of interest situations |
Monitoring | 1) Annual review of conflict of interest acknowledgements 2) Update and review of conflict of interest listings and sharing with scheduler |
Corrective Actions/ Responsibilities | 1) Based on the detection of the conflict of interest staff member may have to be re-educated on importance of disclosure 2) If conflict of interest due to previous employment is determined staff member is immediately removed from testing activities. |
Risk scenario 4: Performing testing for a client within a specified period of previous employment
Potential Risk | Testing staff (employees, contractors) providing repetitive testing services for the same client |
Source of Risk | Testing personnel (including contractors) |
Frequency of Occurrence | Occasional |
Severity of Risk | II – Important |
Evaluation of Risk Factor | Serious risk |
Preventive Measures | 1) Staff allocation by scheduler such that different testing staff is assigned to subsequent testing projects for the same client. 2) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 3) Annual written acknowledgement of the conflict of interest policy 4) Regular training of all staff members to emphasize importance of conflict of interest situations |
Monitoring | 1) Review of test personnel allocation to clients by laboratory management or administrative section 2) Update and review of conflict of interest listings and sharing with scheduler |
Corrective Actions/ Responsibilities | 1) Test engineers will be re-assigned such that frequent or periodic involvement with the same customer is minimized 2) Possible communication with client if specific test engineer was requested for testing project explaining re-assignment to avoid possible conflict of interest. |
Risk scenario 5: Familiarity of test engineer with client
Potential Risk | Financial pressure from clients to produce favorable testing results |
Source of Risk | Testing personnel (including contractors), laboratory management |
Frequency of Occurrence | Rare |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Annual written acknowledgement of the conflict of interest policy 3) Test engineer salary is independent on the number and outcome of testing actives 4) Company ethics policy should address bribes, customer presents and customer entertainment to avoid any involvement of staff members in situations that could expose them from undue financial pressure. 5) Staff members should be required to bring any situation to the attention of management that could result in financial pressure |
Monitoring | 1) Update and review of conflict of interest listings and sharing with scheduler 2) Review any staff notifications about financial offers or improper presents |
Corrective Actions/ Responsibilities | 1) Test engineers will be re-assigned such that the undue pressure situation is resolved 2) Possible communication with client by laboratory management to indicate that financial offerings or presents are not acceptable per company’s code of ethics |
Risk scenario 6: Financial pressure to produce favorable testing outcome
Potential Risk | Other pressure from clients to produce favorable testing results |
Source of Risk | Testing personnel (including contractors), laboratory management |
Frequency of Occurrence | Rare |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Annual written acknowledgement of the conflict of interest policy 3) Test engineer salary is independent on the number and outcome of testing actives 4) Company ethics policy should address situations like involvement in industry activities of employees, political involvement of employees, etc. to avoid any involvement of staff members in situations that could expose them from undue external pressure. 5) Staff members should be required to bring any situation to the attention of management that could result in external pressure |
Monitoring | 1) Update and review of conflict of interest listings and sharing with scheduler 2) Review any staff notifications about external improper offers |
Corrective Actions/ Responsibilities | 1) Test engineers will be re-assigned such that the undue pressure situation is resolved 2) Possible communication with client by laboratory management to indicate that offerings or presents are not acceptable per company’s code of ethics |
Risk scenario 7: Other pressure to produce favorable testing outcome
Potential Risk | Any person involved directly or indirectly in the testing process with a relationship which can create a threat to impartiality |
Source of Risk | Relatives of staff members, Financial partners, Staff members |
Frequency of Occurrence | Rare (Relatives), Rare (Financial partners), Occasional (Staff members) |
Severity of Risk | III – Insignificant (Relatives), III – Insignificant (Financial Partners), I – Critical (Staff members) |
Evaluation of Risk Factor | Acceptable risk (Relatives), Acceptable risk (Financial partners) Unacceptable risk (Staff members) |
Preventive Measures | 1) All laboratory staff and contractors sign conflict of interest declaration upon entry into the company, identifying past employment and cooperation with customers for the last 3 years (the time line is to be defined by the laboratory) 2) Annual written acknowledgement of the conflict of interest policy 3) Financial partners are isolated from daily operations and are not exposed to clients and testing activities through implementation of contract review procedures |
Monitoring | 1) Update and review of conflict of interest listings and sharing with scheduler |
Corrective Actions/ Responsibilities | 1) Test engineers will be re-assigned such that a conflict of interest situation is resolved |
Risk scenario 8: Relationships of group or person involved directly or indirectly in the testing process
Potential Risk | Non-authorized access to confidential test data, or misuse of data by an authorized access holder |
Source of Risk | Data management system |
Frequency of Occurrence | Occasional |
Severity of Risk | II – Important |
Evaluation of Risk Factor | Serious risk |
Preventive Measures | 1) Register all authorized access- holders and their level of access 2) Implement confidentiality requirements for the transmission and sharing of test data and associated data for all access-holders (possibly specifying restrictions on data use) |
Monitoring | 1) Routine review of personnel with access and level of access to test data and associated data |
Corrective Actions/ Responsibilities | 1) Possibly training in case of security or access violations or disciplinary action |
Risk scenario 9: Confidentiality of test data
Potential Risk | Client requests specific test engineer |
Source of Risk | Test engineer |
Frequency of Occurrence | Rare |
Severity of Risk | II – Important |
Evaluation of Risk Factor | Acceptable risk |
Preventive Measures | 1) Test engineers are to be allocated by scheduler or sales department 2) Specific requests for a test engineer should be evaluated by sales department or laboratory management and acceptance or rejection communicated with client 3) Test resource allocation history should be monitored |
Monitoring | 1) Review test resource allocation history for specific client |
Corrective Actions/ Responsibilities | 1) Assignment of other test resource in case of a possible conflict of interest |
Risk scenario 10: Client requests specific test engineer
Potential Risk | Testing personnel falsify test records |
Source of Risk | Test engineers, administrators; personnel with access to databases and records |
Frequency of Occurrence | Occasional |
Severity of Risk | III – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All staff is trained and understand risks to impartiality and integrity 2) Technical review of test results by independent parties (e.g., senior test engineer or laboratory manager) 3) All identified incidents of falsification are thoroughly investigated |
Monitoring | 1) Periodic review of issued test reports during internal audits and technical reviews |
Corrective Actions/ Responsibilities | 1) Disciplinary action |
Risk scenario 11: Falsification of test records
Potential Risk | Risk in regard to involvement of other branches of the laboratory (e.g. test data and other associated data could be shared between branches and confidentiality be possibly breached, or objectivity and impartiality can be impacted by shared information about client, etc.) |
Source of Risk | Test engineers and test engineers at branch offices |
Frequency of Occurrence | Rare |
Severity of Risk | II – Important |
Evaluation of Risk Factor | Acceptable risk |
Preventive Measures | 1) All staff members and contractors involved with the testing process sign and understand impartiality, conflict of interest declaration and confidentially requirements. 2) Testing staff members are usually allocated to one operating branch. In case some staff members have roles concerning more than one branch, such staff members will not be assigned for testing activities in more than one branch for a specific client 3) Data is not shared between branches with the exception of test results. All project data is stored by the branch that performed the testing. All database / sever log-ins are password protected. |
Monitoring | 1) Periodic review of organization charts to identify staff members with dual roles 2) Review of resource assignments for specific clients when testing at multiple branches is required. |
Corrective Actions/ Responsibilities | 1) Personnel will be re-assigned if testing activities are performed by the same resource at different branches. |
Risk scenario 12: Risk with respect to involvement of other branches of the laboratory
Potential Risk | Personnel with self-perceived pressure to conduct testing activities, produce reports, conduct technical reviews and are not able to notify / communicate issues with laboratory management. Recognition that personnel may feel isolated. |
Source of Risk | All staff including test engineers, laboratory management, administration and support staff. Recognizing the vulnerability of remote workers, contracted staff and those pressured to work to specified timelines. |
Frequency of Occurrence | Occasional |
Severity of Risk | I – Critical |
Evaluation of Risk Factor | Unacceptable risk |
Preventive Measures | 1) All staff involved in the testing process must sign an annual acknowledgement which includes a requirement to have read and understood the code of ethics the company conducts business by. This code of ethics should include a ‘Whistle blowing’ clause, requiring all members of staff (permanent or contracted) to report to the laboratory management any action, role or testing activity that they perceive may compromise their own or the integrity of the laboratory. It may be appropriate to report these incidents outside of the direct management line and in all cases information will be treated as confidential 2) The code of ethics will be included in induction training of all staff 3) The code of ethics will be included on-line refresher training for all staff annually 4) Whistle Blowing is specifically stated as a right and duty in the code of ethics |
Monitoring | 1) Review of incidents to ensure confidentiality and proper resolution by entity not involved in the case 2) Review of annual acknowledgements to determine if questions do exist and the need for further clarification exists |
Corrective Actions/ Responsibilities | 1) Investigation of each case will be conducted and acted upon in accordance with code of ethics 2) Personnel training as required or disciplinary action |
Risk scenario 13: Perceived pressure / stress by personnel in the testing process
Impartiality Risk Analysis – FMEA
Failure mode and effects analysis (FMEA) is a popular risk assessment tool used to manage potential process and design risk. Accurate results require accurate input rankings, but complete and accurate information is not always available. FMEA has been used since the mid-1960s when it was first introduced by the aerospace industry. It is often used because it offers a proactive approach to risk mitigation, which can prevent potential quality problems. FMEA might be used in a variety of applications involving processes, products and services.
For service provisions like EMC testing services, the tool requires the user to dissect and document the process of interest, identify potential failure modes, assess current risks associated with failure modes, prioritize potential failures based on relative risk, and take action to mitigate high potential risk. When revisited periodically, it becomes an effective catalyst for continuous improvement.
Failure modes are the manner in which a process could potentially fail to meet the expected process result. It is a description of a nonconformance in a particular operation. The effect a failure might have on a customer is essential, and it is described in terms of something the customer might notice or experience. The cause or mechanism of failure describes how it is physically possible for the failure mode to occur.
FMEA teams can make decisions based on a risk priority number (RPN), which is the product of three factors that take on discrete rankings. The three variables involved use standard ranking scales often ranging from one to 10 for example. A ranking of one is most favorable (low risk), and a score of 10 is least favorable (high risk). Severity (Sev) characterizes what level of impact the effect could have on the customer. Occurrence (Occ) represents the frequency of the mechanism of failure or cause. Detection (Det) indicates how well the current process controls can detect a process weakness. Process controls might detect both defects and the process errors that cause defects.
The RPN value is easily calculated using the following equation:
RPN = Sev * Occ * Det
Spreadsheet templates for FMEA are available in a variety of forms. It is acceptable for the ranking criteria to vary from one application to another and from one analysis to another, as long as the ranking standards are documented and remain consistent within a single FMEA. For the 10-point scale, the lowest possible RPN value is equal to one (= 1 × 1 × 1) and the highest possible value is equal to 1,000 (= 10 × 10 × 10).
Severity is intended to focus on the customer. It applies only to the potential effect the failure could have on the customer, but sometimes the effect of failure is confused with potential failure mode. Using the potential failure mode to score Severity is misguided and most often will underestimate risk because it alone does not comprehend the effect on the customer. Severity should be determined independent of Occurrence and Detection.
Occ is intended to focus on the mechanism of failure or cause. Developing a ranking for Occ is best performed with actual data, but suitable and dependable data is not always available or practical. Occ applies only to the frequency of the cause, but it is sometimes with effect of failure. Using the effect of failure to score Occ most often will underestimate risk because the frequency of the effect is less than or equal to the frequency of the cause.
The capability of process controls to detect failures is easily overestimated when using FMEA because estimates can be somewhat subjective. Det is intended to focus on the likelihood that the existence of a defect will be detected by process controls before it leaves the operation. Process controls that aim to detect failures after they occur should have less-favorable rankings than those that can detect failure mechanisms and prevent defects before they occur. Det rankings are intended to focus on current capabilities of process controls within one’s own operation.
Although visual inspection and random quality checks have their purposes, these forms of process control have limited impact on the Det ranking for risk assessment. Neither can detect the mechanism of failure to systematically prevent all failures. When defects are created, eventually some will find a way to escape the operation and reach the customer. When visual inspection acts as the only method of Det, the probability of detecting failures before they leave the operation remains limited. Adding additional human visual inspectors, for example, might not actually improve the probability that visual inspection alone will detect significantly more failures. Random quality checks are unlikely to detect isolated defects and should not influence the Det ranking.
Using the 13 identified scenarios that evaluate potential risks to impartiality, a laboratory could alternatively use FMEA as an evaluation tool. It is assumed that in both evaluation cases the same applicable quality system policies and procedures (e.g., confidentiality policy) are implemented.
Then the FMEA analysis could look as follows:
Potential Failure Mode | Potential Effect | Severity | Potential Causes | Occurrence | Current Process Controls | Detection | Risk Priority Number |
Provision of consultancy | Favorable treatment and impact on test result | 10 | Technical personnel providing testing services and consultancy | 2 | Listing of consulting personnel used for test engineer allocation | 3 | 60 |
Promoting laboratory’s services | Biased execution of testing activities | 10 | Laboratory personnel other than sales staff promoting services | 3 | Testing requests must be deferred to sales. No direct financial gain for testing staff | 1 | 30 |
Delivery of technical training | Favorable treatment and impact on test result | 10 | Technical personnel providing testing services and training | 2 | Listing of trainers used for test engineer allocation | 2 | 40 |
Performing testing within a specified period | Biased execution of testing activities | 10 | Laboratory personnel with previous recent external employment | 2 | Test scheduler uses previous employ-ment information when allocating resources | 1 | 30 |
Familiarity of test engineer with client |
Biased execution of testing activities, Less attention to detail during testing execution |
8 | All testing personnel | 3 | Allocation of testing resources considers previous assignments to projects of same customer | 5 | 120 |
Financial pressure | Biased execution of testing activities | 8 | All testing personnel | 2 | Conflict of interest agree-ments in place and annually to be acknow-ledged. Code of ethics used to address matter | 2 | 32 |
Other pressure | Biased execution of testing activities | 8 | All testing personnel | 1 | Conflict of interest agree-ments in place and annually to be acknow-ledged. Code of ethics used to address matter | 2 | 16 |
Relationships of group or person involved | Biased execution of testing activities | 5 | Any relative of employee, associate or affiliated person having influence on test process | 2 | Conflict of interest agreements in place and annually to be acknow-ledged. Procedural isolation of all individuals but testing personnel form testing process | 1 | 10 |
Confidentiality of test data | Improper publica-tion of test results and customer data. Breach of confiden-tiality | 10 | All staff members who have access to data systems or files | 4 | Register all authorized access – holders and their level of access. Implement confiden-tiality require-ments for the transmis-sion and sharing of test data and associated data for all access-holders (possibly specifying restrictions on data use) | 4 | 160 |
Client requests specific test engineer |
Biased execution of testing activities, Less attention to detail during testing execution |
8 | Testing personnel | 3 | Allocation of testing resources should consider previous assignments to projects of same customer. Establish policy to not assign same test engineer to subsequent testing projects for same customer | 2 | 48 |
Falsification of test records | Legal conse-quences, customer may use improper test results that lead to loss of earning potential | 10 | All test engineers, test report reviewers | 2 |
Staff is trained and understand risks to impartiality and integrity. Indepen-dent technical review of test results by other parties (e.g., senior test engineer or laboratory manager) |
2 | 40 |
Involvement of other laboratory branches | Test data and other associated data could be shared between branches and confiden-tiality be possibly breached, or objectivity and impartiality can be impacted by shared informa-tion about client | 6 | Test engineers with multiple assignment at different laboratory branches, | 2 |
Testing staff members are usually allocated to one operating branch. In case some staff members have roles concerning more than one branch, such staff members will not be assigned for testing activities in more than one branch for a specific client Data is not shared between branches with the exception of test results. All project data is stored by the branch that performed the testing. |
2 | 24 |
Perceived pressure / stress | Bias in performing testing activities. Possibly altering test setups or test methods to meet perceived deadlines, yielding incorrect test results. | 10 | Personnel with self-perceived pressure to conduct testing activities, produce reports, conduct technical reviews and are not able to notify / communicate issues with laboratory management. | 4 | All staff involved in the testing process must sign an annual acknowledgement which includes a requirement to have read and understood the code of ethics the company conducts business by. This code of ethics should include a ‘Whistle blowing’ clause, requiring all members of staff (permanent or contracted) to report to the laboratory management any action, role or testing activity that they perceive may compromise their own or the integrity of the laboratory. It may be appropriate to report these incidents outside of the direct management line and in all cases information will be treated as confidential | 3 | 120 |
As can be seen from this simple analysis, potential risks can be prioritized and addressed using the RPN. Based on the analysis above, the highest risk to impartiality is caused by issues related to the confidentiality of test data, the possible familiarity of the test engineer with a specific client, and the perceived pressure/stress by personnel in the testing process. Based on this prioritization, the laboratory can implement measures to reduce these risks and periodically assess the effectiveness of such measures.
It should be noted that a potential effect of an inaccurate RPN value is unmitigated risk because an FMEA team might underestimate particular key risks and fail to take appropriate action. Some organizations employ an arbitrary RPN threshold value beyond which action is required and below which no action is needed. A marginal error in Sev, Occ or Det might significantly decrease the RPN, perhaps decreasing its value below a set action threshold value. Therefore, additional measures like the determination of a “risk sensitivity priority number” and the calculation of a “marginal risk priority Number” [2] should be considered to establish a more robust result based on FMEA.
Additional or Changes Requirements in the New Revision of ISO/IEC 17025
In addition to the changed outline and structure of the new standard and the introduction of a risk-based approach, other existing requirements have been consolidated or have
been expanded upon. The following clauses summarize the main changes in the new revision.
Externally Provided Products and Services (clause 6.6)
This clause combines the previous requirements for subcontracting (ISO 17025-2005, clause 4.5) and the requirements for purchasing of services and supplies (ISO 17025-2005, clause 4.6). This clause now envelopes all products and services that do have an effect on the test results of an EMC or radio test laboratory, and which are:
- Intended for incorporation into the laboratory’s testing activities (e.g., calibration services);
- Provided, in part or in full, directly to the customer by the laboratory, as received from the external provider (e.g., subcontracted test results);
- Used to support the operation of the laboratory (e.g., test equipment or test facility).
Similar to existing requirements in ISO 17025-2005, the laboratory’s requirements for externally provided products and services have to be defined, reviewed and approved. These requirements are of course to be communicated to the external provider to ensure that the products and services delivered meet the expected requirements and are suitable for use by the laboratory. Furthermore, the received services and supplies are to be inspected upon receipt to verify that purchasing requirements have indeed be met.
Assuring the Validity of Results (clause 7.7)
This clause now distinguishes more clearly between internally defined activities (clause 7.7.1) and external activities (clause 7.7.2). It is stated that a laboratory must have a procedure for monitoring the validity of laboratory results over time. The results of quality checks which are listed in part in clause 7.7.1, must be recorded such that trends can be detected. The laboratory is still required to determine a suitable acceptance criterion for the determination of the suitability of quality check results. Furthermore, these results are to be considered for the improvement of testing activities, if applicable. Clause 7.7.2 describes the participation in proficiency testing activities and inter-laboratory comparison campaigns other that proficiency testing (e.g., organized by a laboratory with other external laboratories).
Management System Requirements (clause 8)
The laboratory now has a choice for the implementation of management system requirements: Option A (clause 8.1.2) or Option B (clause 8.1.3).
In order to use Option B, a laboratory must already have an established management system, in accordance with the requirements of ISO 9001. Furthermore, the laboratory is able to demonstrate the consistent fulfilment of the requirements of clauses 4 to 7 of the new revision of ISO/IEC 17025, and the management system also fulfils at least the intent of the management system section requirements (clauses 8.2 – 8.9). This option may be suitable for a laboratory that is part of a larger organization which is registered to ISO 9001. But the sheer existence of such a quality management system is not sufficient to meet the management system requirements in the new revision of ISO 17025. As stated above, it must be shown that the requirements in clauses 4 to 7 are met by the ISO 9001-based quality system as well as the quality system requirements in clauses 8.2 through 8.9.
Option A is more descriptive as far as management system requirements are concerned. Requirements do exist for:
- Management system documentation (clause 8.2)
- Control of management system documents (clause 8.3)
- Control of records (clause 8.4)
- Actions to address risks and opportunities (clause 8.5)
- Improvement (clause 8.6)
- Corrective action (clause 8.7)
- Internal audits (clause 8.8)
- Management reviews (clause 8.9)
Many of these requirements are similar to the ones called out in ISO 17025-2005 or require some minor changes or additions. In general, existing quality management systems that meet the management system requirements of ISO/IEC 17025-2005 will require little change to meet the requirements of Option A in the new revision of ISO/IEC 17025.
Summary
The new revision of ISO/IEC 17025 does have an impact on EMC and radio testing laboratories insofar that the structure of the new standard is substantially different from the 2005 revision. This means that quality management systems that follow the outline of the 2005 version will no longer be organized in accordance with the new revision of the standard. It should be noted that there is no requirement stating that a quality system must follow the outline of the underlying quality standard. It may simplify the use but existing quality systems should be evaluated first to determine the gaps between the old and new sets of requirements. In many cases the individual requirements are at least similar, if not identical, with the exceptions described in this article. Another significant change, the introduction of risk-based thinking, will require some time to get used to and to implement. But several approaches are available which will help facilitate the introduction of this concept in the laboratory.
References
- ISO/IEC DIS 17025:2016(E), General requirements for the competence of testing and calibration laboratories
- Bukowski, E.R., “New Tricks for an Old Tool”, Quality Progress Magazine, pp. 37 – 43, May 2017