The Definitive Guide to Understanding ISO/IEC 17025 (Updated 2024)

This guide equips readers with the knowledge and tools needed to ensure compliance and drive continual improvement in laboratory operations.

What is ISO/IEC 17025?

The ISO/IEC 17025 standard is an internationally recognised benchmark for laboratory competence and quality. It is specifically designed for testing and calibration laboratories and provides a framework for laboratories to demonstrate their ability to produce reliable and accurate results consistently.

ISO/IEC 17025 is used by accreditation bodies, like NATA, to recognise and determine the ability of organisations that perform specific types of testing and calibration.

This article explains each of these topics, with some suggestions on how to address the requirements.

Let’s start at the beginning, with impartiality.

What is impartiality and why is it important in labs?

One of the core elements of ISO/IEC 17025 is impartiality, which refers to a laboratory’s commitment to maintaining independence, objectivity, and freedom from bias in its operations.

Impartiality is crucial to the credibility and reliability of a laboratory’s testing and calibration results. The ability to produce unbiased results, free from external influence or pressure, ensures that the laboratory maintains the trust of its clients and stakeholders. A compromised impartiality can lead to inaccurate or misleading results, which could have significant consequences for customers, regulators, and the public.

What are the requirements for Impartiality?

Section 4.1.4 of the ISO/IEC 17025:2017 standard outlines the general requirements for impartiality. According to the standard, laboratories must:

  1. Identify risks to impartiality: Laboratories must identify potential risks to their impartiality, including those that stem from their activities, relationships, or the interests of their personnel.
  2. Eliminate or minimize risks: Once risks have been identified, laboratories must take action to either eliminate or minimize them. This may involve implementing additional safeguards, modifying procedures, or imposing restrictions on certain activities or personnel.
  3. Monitor and review risks: Laboratories must periodically review and monitor identified risks to impartiality, taking into account any changes in their operations or environment. This process should be documented and incorporated into the laboratory’s management system.

Strategies for Ensuring Impartiality

To comply with the ISO/IEC 17025 requirements for impartiality, laboratories should implement the following strategies:

  1. Set up your lab to minimise the possibility of conflict when people have to make those ‘irky’ decisions. Don’t have the person responsible for deciding on whether a product or service can be released be the same as the one in charge of ensuring it is made. But I get it; sometimes that’s not possible, especially in small organisations. So….
  2. Establish a review process. Transfer the decisions of approval or acceptance to another person in the organisation if at all possible. The chance of two people getting the decision wrong is smaller than if just one person makes these decisions. Lab QC and review of requests, contracts and reports are the perfect tools for this.
  3. Get a clear idea of the people in your lab. Understand the relationships that exist with others inside and outside of the lab. Consider governance relationships too. If you don’t know, ask, but don’t make it an interrogation. Perhaps a questionnaire can help. Remember to explain the reasons why you’re asking these questions.
  4. Run the relationships through your risk management system to determine if there are any significant risks above your risk threshold. If there are, put things in place to either eliminate or mitigate these risks. Make sure you can demonstrate how you dealt with these risks to impartiality to an auditor.
  5. Lastly, think about the culture of your lab. Is it one where anything goes? Is it one where people feel able to disclose that feeling in the pit of their stomach when they feel uncomfortable? The latter, as opposed to the former, is what you should be aiming for. What can you do, as a lab manager or staff member, to encourage the right kind of culture? Can you demonstrate your organisation’s values in your everyday work? (Do you even know what these values are?) Can you use things like the quality policy, structure and content of any management and staff meetings to drive a culture where you can safeguard impartiality? If you can’t answer these questions to your satisfaction, then perhaps there is more work to do in the culture arena.


What is covered by confidentiality in ISO/IEC 17025?

ISO/IEC 17025 defines confidentiality as ‘the protection of information to ensure that data is accessible only to authorized personnel and is not made available or disclosed to unauthorized individuals, entities or processes’.

Confidential information refers to all technical and non-technical information that a customer supplies to the lab. This can include procedures or methods shared by the customer, or their measurement results and reports. But it also includes things like contract documentation and any specifications provided to the lab.

What are the requirements for confidentiality?

The standard states that the laboratory ‘must keep confidential all information obtained or created during the performance of laboratory activities, except as required by law’.

It’s the responsibility of the lab to keep this information confidential. They should only use customer information for the purposes of communication or to assist in lab activities.

The lab’s policies and procedures should reflect how this will happen. This includes procedures for protecting electronic storage and transmission of results.

Any information which is already known or available in the public domain can be disclosed without authorisation from the customer. However, if any additional information is to be made publicly available by the lab, they must inform the customer in advance.

If the lab obtains information about the customer from other sources, this shall also be kept confidential. The provider of this information does not need to be shared with the customer unless the source agrees.

The only alteration to this requirement is when a lab is directed to release information by a legal authority having appropriate jurisdiction. In this case, the lab must comply with the request and, in special circumstances where the law prohibits disclosure to the customer, might not need to advise the customer.

Protection of information in the lab

The measures put in place must ensure that confidential information is well protected within the lab.

Keep paper documents and records in a secure location that can’t be accessed by personnel who are not a part of your organisation. Shred confidential paper documents when they’re no longer required.

Store electronic documentation on a secure network and only view it on secure devices. Share this information with other personnel only when necessary and if authorised. Think about this now that a lot of information is stored in the Cloud.

Confidentiality training

Make all lab personnel aware of the lab’s confidentiality requirements and train them in the lab’s policies and procedures.

Training in confidentiality should be part of the lab’s induction process or completed within a reasonable timeframe once new staff begin working in the lab.

The approach to confidentiality is often a part of the culture of an organisation. If there is a culture of allowing “loose lips”, then you could be in danger of breaching any confidentiality policy. Remember those loose lips sink ships! A good idea is to restate and remind staff of these policies and procedures in regular staff meetings and in annual management reviews. Encourage employees to ask questions about the policies and raise scenarios for clarification if required.

The ISO/IEC 17025 standard states that the lab is responsible through legally enforceable commitments for confidentially managing the information it obtains. For this reason, labs could also have personnel sign a formal confidentiality or non-disclosure agreement.

This is standard practice for many businesses and can remain in effect indefinitely, protecting the lab even after personnel leave.

Other issues to consider

Printing: you may have a procedure in place for filing and securing documents. But we’ve all had that moment when you printed a document, got distracted, and hit the print button again. If your printer is in a busy area, this could lead to an inadvertent breach of confidentiality. Check before you print or consider using password protected printing options.

Mobile phones: all smartphones have the capacity to take photos and video. While this is useful for those Instagram moments, in a lab setting it could lead to a serious breach. Labs must consider how they will manage the use of mobile phones by staff and visitors. Banning phones could be unreasonable, but regular reminders about appropriate use are an important step.

Computer training: when assessing lab staff competency, employers may look primarily at their technical abilities. Providing staff training on lab specific software will help mitigate instances of accidental deletion or corruption of information. Assessing their abilities on email and document creation software would also be useful.


Tucked away at the end of the section on Structural Requirements, the Communication requirements are simple.

Lab management needs to ensure that communication takes place regarding the effectiveness of the management system and the importance of meeting customers’ and other requirements.

ISO/IEC 17025 does not explicitly state with whom lab management must communicate. We’ll assume this is a little oversight and that the standards writers meant to direct this to internal people.

Communication is not a simple process! How many times have you misheard, mis-spoke or not said or heard anything? At least ISO/IEC 17025 does not require effective communication, just that it takes place!

What to communicate

Communicating on the effectiveness of the management system can include subjects such as:

  • How well the lab has performed in external quality assurance activities
  • Customer feedback
  • Accreditation audit reports
  • Corrective action
  • Risks
  • Management review findings

Communication on the importance of meeting customer requirements and other requirements can cover material on:

  • Specific information on the importance of meeting selected customer requirements
  • Regulatory requirements for the performance of testing or calibration and why these requirements must be met
  • Regulatory requirements associated with specifications for test or calibration results and the reasons for their importance
  • Why meeting customer, accreditation and regulatory requirements is important in the lab generally.

When to communicate

Timing is everything when it comes to effective communication. People need to be ready to engage for communication efforts to work successfully.

It also makes sense to include this topic in regular staff meetings because you already have all the right people in the same place. Internal newsletters and emails are another option, but ensuring engagement with your message, or even that it is read in the first place, can be a variable that can’t be easily controlled.

How to communicate

Every day we need to communicate. And whether it’s grunts from teenagers or the long, winding conversations we have with old friends, we also need to interpret what’s being said.

Effective communication in the workplace is critical. Management is often judged by the quality of communications with the rest of the organisation. Teams judge their leaders in the same way. And no doubt, you form opinions about colleagues based on your interactions.

The 7 Cs of Communication provides the perfect framework for communication.

  • Clarity
  • Correctness
  • Conciseness
  • Courtesy
  • Concreteness
  • Consideration
  • Completeness

While these seem simple enough, we’ve all been in meetings or received emails that have left us scratching our heads. Let’s look at each of these in a little more detail.

Clarity

If you’ve ever read an ISO standard, you’ll relate to this one!

Whether it’s an email or a presentation, trying to cram too many ideas into a paragraph at once is going to lead to confusion. Even worse is cramming multiple points into a single sentence.

Be clear about the goal of your message. Emphasise one specific idea at a time – using shorter sentences can help. Use unambiguous and concrete words to ensure your message is clearly understood.

If your communication is within your organisation, you can use acronyms such as SOP. However, if your communication is likely to go to external parties, spelling out Standard Operating Practice is a better choice.

And be sure to use language that is easily understood. Using ‘vicissitudes’ in a sentence may make you sound smart but ‘variations’ will be better understood by your audience.

Correctness

This may sound silly but before you hit send, it’s best to be certain – are you passing on the right information? And to the right person?

If you’re using facts and figures, ensure you’re using the correct ones.

For example, if you’re sending someone a copy of a test report, are you certain it’s the report for their business? If you’ve done a ‘save as’ for a client’s Excel spreadsheet to save time, have you removed the name and data from the previous client? Such errors can cause the loss of another ‘C’ – credibility. And can mean you breach another ‘C’ that’s not in the 7 C’s: confidentiality.

Does your message contain spelling errors? Proofread your work and remember, spell check is everyone’s friend here. Typing ‘herd’ instead of ‘heard’ may be amusing but could also be confusing for your recipient. Spell check can also help with grammatical errors, so do run it before you send.

Conciseness

We’ve all been in meetings that could have been an email!

You need to pass on the message but try to do this in the most succinct way possible. By using the fewest number of words necessary to convey your message, you’ll keep the reader’s attention.

For example: ‘We have been considering the existing policies we have for our human resources department, including those strategies we have in place for hiring of new staff, and in light of these considerations, we have updated that particular policy’.

Instead: ‘Our hiring policy has been updated because our existing strategies were ineffective’.

Focus on the key points and don’t add random facts that will confuse the recipient. However, that doesn’t mean you should skimp on relevant details. Give your audience all the facts they need to make an informed decision.

Courtesy

A tersely worded email could mean you’re in a hurry and wanted to send it before you left for the day. But for the recipient, this message could come across in a completely different way.

Be polite, friendly, and positive. Read your message before you send. Is the language you’ve used respectful? How would you feel if you received that message?

Many businesses have implemented fair and inclusive work practices and policies. Ensure you are not breaching these by using discriminatory or inappropriate language in your communications.

Concreteness

Concrete communication isn’t vague or wishy washy. Ensure your message is not open to misinterpretation and aim to use active voice. Being specific is the key here.

If you’ve quoted facts and figures, ensure these are relevant and confirm the point you’re trying to make.

Telling a sales team that they haven’t hit their target is less effective than saying ‘Your monthly sales target was $20,000 but your actual sales were $15,000’.

Consideration

Think about the audience for your piece of communication. Consider their education, experience, and attitudes. Is your message geared towards their thinking?

Keep in mind that perhaps not everyone needs to receive your communications. We receive multiple daily messages so ensure that everyone on your address list needs to be there.

And be very careful with the ‘reply all’ email function!

Completeness

Does the message contain everything the recipient needs to understand what you’re trying to communicate? Do they have all the facts needed to make an educated decision?

Ensure you answer what, when, why, who, where and how. For example, saying ‘You have yet to complete the task I set you’ is extremely unhelpful.

However, ‘I don’t have the test results I asked for on 6 October which should have been completed today. Will you have this finished this afternoon?’ is extremely clear and lays out your expectations.

Personnel requirements

Most of the Personnel requirements are in section 6.2, but there are also requirements to do with personnel management aspects in sections 5.5 and 5.6 of ISO/IEC 17025.

Who is in charge?

Clause 5.2 of ISO/IEC 17025 requires the laboratory to identify management that has overall responsibility for the laboratory. That does not mean that it comes down to one person to hold this responsibility.

It could be that overall responsibility is distributed amongst a team of managers who collectively make decisions about the laboratory. It’s important that this arrangement is defined.

It’s always good to know your place in the hierarchy so you know who to go to when there is a problem or who is your “wingman” à la Top Gun. Typically, this would be in an organisation chart. The organisation chart should define the organisation and management structure and cover the relationships between management, technical operations, and support services.

If the laboratory is a part of a larger organisation, there should be a well-defined connection between the laboratory and those other parts of the parent organisation. Why? Because sometimes decisions affecting the lab are made by people outside of the lab.

Defining who does what

ISO/IEC 17025 requires that the responsibility, authority and interrelationship of all personnel who manage, perform or verify work affecting the results of laboratory activities are specified. The scope of people potentially covered by this requirement ranges from technical assistants to scientists and laboratory managers, and everyone in between. It does not, necessarily, cover the cleaner or receptionist.

Interrelationships between personnel are typically documented using an organisation chart.

There are no specific requirements on how responsibilities are to be documented. Often, several people will have the same responsibilities, such as those for performing testing or calibrations, recording results, or training staff. Responsibilities can be defined in a position description, procedure, table, or flowcharts.

While the approach to specifying responsibilities can be general, authorisations can be associated with an individual. Activities such as those outlined in clauses 5.6 and 6.2.6 are sometimes reliant on the competence of the staff member, not the position they hold.

Staff need to be authorised to perform the following activities.

  • Implementation, maintenance and improvement of the management system;
  • Identification of deviations from the management system or from the procedures for performing laboratory activities;
  • Initiation of actions to prevent or minimize such deviations;
  • Reporting to laboratory management on the performance of the management system and any need for improvement;
  • Ensuring the effectiveness of laboratory activities;
  • Development, modification, verification and validation of methods;
  • Analysis of results, including statements of conformity or opinions and interpretations;
  • Reporting, reviewing and authorisation of results.

That’s quite a list! Some authorisations are not required to be documented, although it is a good idea to explicitly state what staff can and cannot do. For instance, consider including a general statement, such as: all staff are authorised to report to laboratory management on the performance of the management system and any need for improvement. Going back to the 7 Cs of communication, clarity is very important in communicating authorisations.


While we’re sure all your staff are competent and know exactly what they’re doing, the auditors won’t take your word for it!

Clause 6.2.5 of ISO/IEC 17025 covers procedures and records. Your lab must have these to demonstrate a broader range of HR processes, beyond competence, training and monitoring of the competence of your staff. All these must be adhered to for all relevant personnel and the lab has to have records of implementing and following these procedures.

You’ll also need to establish and document staff competency requirements and have supporting records (6.2.2 and 6.2.5). These competency requirements need to include training, education, and experience of the various positions within the lab.

ISO/IEC 17025 requires labs to evaluate whether the individual meets those criteria. Remember, it’s not just the “hard”, technical skills that we need to consider in the competence package. The skills of critical thinking and following procedures form part of that package. So, think about what criteria for competence you’ve set out for your staff. Ask whether they are as explicit as they should be.


When it comes to requirements for your facilities, these must be appropriate to the testing and calibration activities. There are some general, basic requirements of having enough space to house everything and everyone.

You will also need to consider and control the factors that affect testing. These can include temperature, humidity, lighting, microbial contamination, electromagnetic disturbances, radiation, electrical supply, sound and vibration. These factors must be documented. Just where and how this is documented is up to the lab, but these details could go into the Quality Manual or test and calibration procedures.

When it comes to controlling for these factors, you need to monitor, control and record these environmental conditions.

For example, if temperature is critical, simply having a data logger for monitoring the environment is not enough. Depending on the allowable temperature range, air conditioning could be essential to control the environment. And ensure that the data logger records are retained and reviewed. This will mean your lab meets the requirement for periodic review of the effectiveness of these arrangements.

The requirements for facilities also extend to testing and calibration performed outside the walls of the lab.

The equipment, materials and information contained in a lab can be precious. Access to the lab should be controlled to protect these from misadventure. Signs or controlled access through locked doors and security passes are some of the ways for meeting these requirements.


Equipment refers to all types of lab resources. This includes measuring equipment, reagents, reference standards and reference materials.

The first thing to be sure of is that you have all the equipment you need to perform the methods. If you don’t have all the equipment, develop your plan for acquiring these, and be sure that this is recorded so you can show that you have considered any critical specifications for the equipment.

There’s a list in clause 6.4.13 of specific equipment records that laboratories must maintain for all the equipment in their facility. Most of the details should be contained in an equipment inventory or asset register. If your equipment can influence the tests or calibrations performed by your lab, it will need to comply with this clause.

It is also a requirement to label equipment. You could label the equipment with its unique asset or equipment number from your system, or you could be more creative and name it after your favourite rock band. That kind of labelling is not actually required, although it will help with recording which equipment was used for testing and calibration when there are multiple items of the same equipment type in the lab.

The labelling that is required in ISO/IEC 17025 is for showing the calibration status of equipment. If it is out of calibration or service, put a label on it, or place it in a quarantined area labelled as being for equipment of that status. Putting the equipment in an unlabelled box at the back of the cupboard is not enough.

Calibration, equipment management and maintenance

Of course, obtaining the equipment is one thing. Calibrating and maintaining it is quite another.

The lab will need to have procedures for managing all equipment, from handling and transport through to maintenance. That’s a lot of ground to cover! In fact, it’s often the aspects of handling and transport procedures that trip labs up. You might find some of that information in equipment manuals. It’s important that your lab documents refer to these manuals so that everyone in the team knows where to find this information.

If you find there is nothing in equipment manuals on the topic of handling, transport and maintenance, consider and document issues such as whether the equipment needs special packaging when it is moved or sent out for repair, maintenance or calibration. Write this in a procedure.

Are there particular things to do with storage of the equipment when it is not in use? Write this in a procedure.

Do you need to do certain activities, such as changing tubing, or greasing mechanical parts to ensure that the equipment continues to operate? Write these details into a procedure.

When it comes to periodic calibration and maintenance, the best advice is to plan a system for reminders that works. It does not need to be elaborate. A simple wall chart, to do list with dates, or calendar reminder system will work. The critical part is making sure that staff react to these alerts.

Then, once the equipment has been received initially and after calibration and maintenance, you will need to confirm that it still meets the requirements for the test. We have seen plenty of calibration reports which clearly show the equipment no longer meets the specifications for testing but were simply filed away without another thought.

Ensure that a staff member reviews the calibration report and that this review is recorded. The record could be as simple as writing a note on the calibration or service report to indicate who reviewed it, whether the equipment is fit for purpose, and when the review was done.

What equipment needs to be calibrated?

In a nutshell, ISO/IEC 17025 says that if the equipment you’re using has a significant effect on your measurement results, it needs to be calibrated. Working that out can be difficult.

Clues to solving this puzzle include the units of measurement your results are reported in and the factors with a significant contribution to measurement uncertainty. If, say, your results are reported in g/L, then the equipment you use for measuring mass and volume needs to be calibrated. Likewise, if your measurements are reported in m/s, the equipment you use for measuring length and time must be calibrated. These calibrations help labs establish the metrological traceability of their results.

Metrological traceability

Metrological traceability is about measurements and how they compare to other measurements. It helps us to understand what the results we produce mean in a wider context.

In metrology (the science of measurement), traceability is defined internationally as the ‘property of a measurement result whereby the result can be related to a reference through a documented unbroken chain of calibrations, each contributing to the measurement uncertainty’.

You’ll see the same definition in the ILAC Policy on Metrological Traceability of Measurement Results and NATA’s Metrological Traceability Policy document.

Samples and records or paperwork moving through the system also require traceability. However, those are subject to different requirements relating to sample and record traceability.

If you’re a calibration lab, wherever technically possible, you’ll need to establish an unbroken calibration chain, linking your measurement standards to a relevant primary standard of the SI unit.

If you’re a testing lab, you need to use a calibration service that is competent and capable of demonstrating that traceability. And you’ll also need to take a look at the traceability of any reference standards you’re using (they come up under the banner of ‘equipment’).

Perhaps you believe that your lab equipment doesn’t affect your test. In this case, you need to have objective evidence to support your decision. And yes, an assessor will definitely want to see this!

Establishing metrological traceability

You have a few options when looking for metrological traceability from external services. You can obtain it through the services of an NMI, through an ISO/IEC 17025 accredited lab or through a certified reference material.

Before you send your equipment to any lab, carefully review their scope of accreditation. Be sure they list the measurement function you’re seeking for your metrological traceability and that their calibration measurement capability meets your needs and that of any methods you are using in your lab.

If possible, seek quotes from more than one lab. Confirm that they can carry out the testing you need plus their turnaround time and pricing. Be sure you request an endorsed calibration certificate, bearing the symbol of the accreditation body, in line with their scope of accreditation.

As an accredited lab, they shouldn’t charge extra for a certificate bearing the symbol of the accreditation body. However, this is also a useful question to ask.

When your equipment is returned, check the report! It must contain the accreditation body’s emblem, the results, an estimate of MU and a description of the reference standard.

For some areas of testing, like chemistry and biology, it’s not just about the equipment. Those expensive little vials of materials have to be the right ones for you to demonstrate appropriate metrological traceability. That’s where things can become tricky, and more expensive.

Certified Reference Materials

When it comes to certified reference materials, you might need to look a little further afield. The COMAR database and NIST database are two places to search for possible CRMs for your tests. However, many CRMs are not listed in these databases. Your favourite search engine could lead you to those materials.

What do you do if you can’t find a suitable calibration or CRM for your tests? Sometimes the costs of those CRMs are prohibitive and that alone makes them unsuitable. In this case, you will still need to establish metrological traceability of your results through investigation and evaluation of the quality of information from the supplier and reference material producer.

Externally provided products and services

A critical part of any quality management system (QMS) standard is the processes for managing suppliers or externally provided products and services. Most organisations are not completely self-sustaining and need some help from the outside. The QMS standards recognise this and provide a framework for success with these relationships.

Not only do the QMS standards provide what you might recognise as pointers for success, these standards also help organisations uphold the integrity and reliability of products and services, even when aspects of the production, testing or calibration process are outsourced.

Understanding the steps in working with suppliers

The whole family of quality management system standards stipulates stringent requirements to ensure that externally provided services and products meet the organisation’s quality benchmarks. This involves strong systems of evaluation, verification, and monitoring of suppliers.

When it comes to ISO 17025, the responsibility of demonstrating control of the quality and specifications of the products and services they source externally lies squarely with the lab.

It is also crucial to understand that the use of externally provided products or services does not absolve the lab from its obligation to its clients. The lab remains fully responsible for any activity performed under its auspices and must retain the competence to evaluate the impact of such external provision on the laboratory’s activities and on the validity of the results. That means that the performance of any sub-contracted lab is your responsibility unless the client requires the use of a particular lab.

It starts with whom you select to purchase from

The requirements do not start with the actual purchase request. The first requirement is for labs to put a systematic procedure in place to evaluate and select suppliers based on their ability to meet specified requirements.

As a customer, it’s up to the lab to be clear on these requirements and to explicitly communicate those requirements to the supplier. That means the standard you expect work will be performed to; any requirements for competence of the supplier such as accreditation to ISO 17025; and where you expect the work to be done. You probably also have some criteria around price and turn-around time. These aspects form your evaluation criteria for suppliers.

The criteria are objectively used to select the supplier/s (you might have several to choose from and that is completely OK).

Once you’ve selected the supplier/s, you might develop a list of suppliers and what products and services they supply to your organisation. There is no requirement to have an approved suppliers list. But it helps to be organised for the sake of you and your staff.

The act of making the purchase

Now, you can set about purchasing from your suppliers.

There are no requirements to have a system that uses purchase orders. There are also no requirements to have a purchase requisition form. You can place an order over the phone or on an on-line order form. But you do need to keep evidence of your request. Diary entries and screenshots are perfect evidence of your request.

There are some pieces of information that you must communicate in the request to your suppliers. These are the product or service you are purchasing, the standard you expect work will be performed to; any requirements for competence of the supplier such as accreditation to ISO 17025; and where you expect the work to be done. Remember those? They were the things to build into your criteria for supplier selection. They have multiple uses.

Steps to prevent buyer’s remorse

When you receive the product or service from your supplier, please don’t just rip open the packaging and start using it like a child on Christmas morning.

The small act of verifying you received what you ordered is not only a requirement, it’s a good idea so you don’t suffer from buyer’s remorse. Keep a record of those verification activities which can range from commissioning a big new fancy piece of kit, through to annotating a purchase request or a calibration certificate.

If the risk presented by the purchase is particularly high, you could also conduct an inspection of the final product before it is handed over to you.

Such verification processes are indispensable as they further guarantee that the product or service is as stated and is fit for its intended use in the lab.

Ongoing maintenance of suppliers

Once you start working with your suppliers, you’ll quickly learn if they live up to your expectations.

Do they deliver the products and services you’ve requested?

Do they meet requirements for turn-around time or service delivery?

Do they keep putting up their prices?

Other ways you can evaluate your suppliers’ performance could range from a comparison of product specifications, references from other users, and evaluation of service history, to formal assessment and audits. The aim is to ensure that any input from external sources does not compromise the quality of the test or calibration results or the products and services your organisation provides.

It’s worth noting that the data about the provider’s performance should be periodically reassessed to ensure continued compliance.

If things aren’t working, there’s no option but to act. You’ll have the evidence to have a difficult conversation about improvement or cutting them out of the picture entirely.

Wrapping it up in some documentation

This aspect of the standards is one of the few areas where there are stated requirements for documented procedures. Write down the process from start to finish and don’t scrimp on the steps described in the procedure.

Review of requests, tenders and contracts

This section of ISO/IEC 17025 covers how new work comes into the lab.

Even if your lab is an in-house QC lab, new samples or items still need to be managed. And these requirements for review of “requests” for testing and calibration apply to those situations too.

The “ask”

Basically, any request for testing or calibration needs to be reviewed by someone in the lab. The review considers if the lab has the resources (equipment, people, time, consumables, methods) to fulfil the request. If the request changes between when it is first made, and when samples or items arrive for testing or calibration, or it changes when staff arrive at the place testing or calibration will be performed, then a further review needs to be done to confirm the request can still be fulfilled.

It’s not just about receiving requests; the requirement compels the lab to understand what work is being requested. That means, in simple terms, that if you don’t understand the “ask”, you seek clarification. And don’t start work until you are clear on what is requested.

If your lab needs to subcontract to another lab to complete the request, then you first need to get the agreement of the customer. If this is a routine arrangement that you have already run past the customer, then you could take it as given that the lab has their approval. But be wary in case they have changed their mind!

Records of reviews

You should record all these interactions. Those records can be formal request forms or chain of custody forms, through to emails and notes of phone calls. They all make up the ecosystem of review of requests, tenders and contracts.

Often, these records are maintained in electronic systems (LIMS). It’s not mandatory to have a LIMS to meet ISO/IEC 17025. But it is a good idea to have some organised way of keeping these records and ensuring staff can access this information.

Selecting the right methods

It is not uncommon for the client to have little knowledge of which lab methods for testing or calibration are appropriate. So the lab makes this decision for them. After all, scientists and engineers are the experts in these things!

Well, not necessarily……..

ISO/IEC 17025 requires labs to select methods that meet the customer’s requirements. But, how can you do that when the customer barely knows what their requirements are? You do that by asking questions! Why does the customer need the testing or calibration done? Are there any regulations associated with the materials to be tested or calibrated? Who is the ultimate customer or user of the laboratory data?

Then it’s a matter of selecting a method that best meets these needs. That might mean that your routine method is not appropriate. If that’s the case, then this needs some discussion with the customer. That also goes for requests from customers to use obsolete methods. Neither scenario means that you can’t do the testing or calibration; it’s just that the customer needs to be made aware of these issues. In the end, it makes for happy customers.

Statements of conformity

ISO/IEC 17025 has two kinds of requirements when it comes to decision rules.

It starts way back when a lab accepts work from a client. The first decision to be made is a fairly simple one – is the client asking you to make a statement of conformity to a specification, standard or regulation?

If the answer is “No”, then go no further. If you’re not sure or it’s a “Yes”, then you do need to engage with the customer.

I know that this is where things can get stuck. Lots of lab customers do not actually know what specifications or standards are relevant to their request. They appoint the lab as the “God of decisions” and just know that they have to get some testing or calibration done in a NATA lab. Some careful questions about why the testing or calibration is to be done can uncover this kind of information. It requires a more nuanced customer intake process.

But….. nobody has time for this in-depth conversation with the client, right? Labs are busy places and as many people have said, life would be so much simpler if there were no clients.

Whatever the customer intake process you establish, you need to communicate the decision rule to the customer and get their agreement up front.

One way to manage this is to have some clauses in the terms and conditions that customers sign up to when they submit their request. How would you like to handle the decisions? Options include:

  • Just report the result and its uncertainty and make no statement of conformance
  • Report the result as a pass or fail, but only if there is a clear margin between the result and its uncertainty and the specification limits or regulatory threshold
  • Report the result as a conditional pass or fail with a note that the conformance is not clear when the MU of the result is applied.

Of course, all options present different levels of risk for a lab. What would be the consequences if a client accepted your approach as stated in terms and conditions and they suffered a loss? To help labs with this, there’s this little extra piece of information in clause of ISO/IEC 17025 that this decision rule must take into account the level of risk (such as false accept and false reject and statistical assumptions) associated with the decision rule employed. What on Earth does that mean?

It means that, when the decision rule is not already inherently a part of a standard, other people have to think about the risk, especially the consequences, if the call of conformity is incorrect.

There are a few guidance documents on the topic including ILAC’s G8 Guidelines on Decision Rules and Statements of Conformity and OIML G19 The role of measurement uncertainty in conformity assessment decisions in legal metrology. These can help with setting up the decision rule with a consideration of how risk plays into this.
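The three reporting options listed above can be written as an explicit decision rule with the risk of a wrong call attached to each statement. The sketch below is an added example, not text from ISO/IEC 17025 or the guidance documents; the rule labels, the coverage factor k = 2, the normally distributed measurement error and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import erf, sqrt
from typing import Optional

# Labels assumed for this example, one per reporting option in the list above.
RULES = ("report_only", "clear_margin", "conditional")


@dataclass(frozen=True)
class Spec:
    """Specification limits; leave a side as None for a one-sided limit."""
    lower: Optional[float] = None
    upper: Optional[float] = None


@dataclass(frozen=True)
class Decision:
    statement: str          # pass / fail / conditional pass / conditional fail / no statement
    p_conform: float        # probability that the true value lies inside the limits
    risk: Optional[float]   # probability the statement is wrong; None if no statement


def _phi(z: float) -> float:
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))


def conformance_probability(result: float, expanded_u: float, spec: Spec,
                            k: float = 2.0) -> float:
    """P(true value within spec), assuming a normal distribution centred on the result."""
    if expanded_u <= 0 or k <= 0:
        raise ValueError("expanded uncertainty and coverage factor must be positive")
    u = expanded_u / k  # standard uncertainty recovered from the reported MU
    below_upper = 1.0 if spec.upper is None else _phi((spec.upper - result) / u)
    below_lower = 0.0 if spec.lower is None else _phi((spec.lower - result) / u)
    return below_upper - below_lower


def decide(result: float, expanded_u: float, spec: Spec, rule: str,
           k: float = 2.0) -> Decision:
    """Apply one of the three reporting options to a result and its MU."""
    if rule not in RULES:
        raise ValueError(f"unknown rule {rule!r}")
    if spec.lower is None and spec.upper is None:
        raise ValueError("at least one specification limit is required")

    p = conformance_probability(result, expanded_u, spec, k)
    if rule == "report_only":
        return Decision("no statement", p, None)

    lo, hi = result - expanded_u, result + expanded_u  # result with its MU applied
    clearly_in = ((spec.lower is None or lo >= spec.lower) and
                  (spec.upper is None or hi <= spec.upper))
    clearly_out = ((spec.lower is not None and hi < spec.lower) or
                   (spec.upper is not None and lo > spec.upper))
    result_in = ((spec.lower is None or result >= spec.lower) and
                 (spec.upper is None or result <= spec.upper))

    if clearly_in:
        return Decision("pass", p, 1.0 - p)       # risk of false accept
    if clearly_out:
        return Decision("fail", p, p)             # risk of false reject
    if rule == "clear_margin":
        return Decision("no statement", p, None)  # margin not clear: result and MU only
    if result_in:
        return Decision("conditional pass", p, 1.0 - p)
    return Decision("conditional fail", p, p)


if __name__ == "__main__":
    # Constructed sample data: upper limit 10.0, expanded MU 0.5 (k = 2).
    limit = Spec(upper=10.0)
    for value in (9.0, 9.5, 9.8, 10.2, 11.0):
        for rule in RULES:
            d = decide(value, 0.5, limit, rule)
            risk = "n/a" if d.risk is None else f"{d.risk:.4f}"
            print(f"{value:5.1f}  {rule:12s}  {d.statement:16s}  "
                  f"p_conform={d.p_conform:.4f}  risk={risk}")
```

Printing the risk beside each statement gives the lab and the customer a number to agree on up front, rather than only a pass or fail label.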

Customer cooperation

There is a little requirement about cooperating with customers when they seek to clarify requests or monitor the lab’s performance. It makes good business sense to cooperate with your customer. But this does not give them carte blanche in terms of what they can be shown or told. Remember, there are some confidentiality requirements to also meet.

By all means, let them come in to watch the staff work on their samples or items for calibration if it is safe for them to come into the space. Just don’t reveal who your other customers are and the other items being tested or calibrated. It’s also best for such visits to be pre-arranged. That gives time for you and your staff to ensure these confidentiality provisions can be assured.

Selection, Verification and Validation of Methods

Method selection is one area that many labs take for granted. You often only have one choice…….or so you think. After all, when you have a hammer, everything is a nail, right?

What’s required in method selection?

Clause of ISO/IEC 17025 states (with our emphasis):
“The laboratory shall use appropriate methods and procedures for all laboratory activities and, where appropriate, for evaluation of the measurement uncertainty as well as statistical techniques for analysis of data.”

We have to use “appropriate methods”. What does that mean?

ISO/IEC 17025 goes on to require (in clause
“When the customer does not specify the method to be used, the laboratory shall select an appropriate method and inform the customer of the method chosen. Methods published either in international, regional or national standards, or by reputable technical organizations, or in relevant scientific texts or journals, or as specified by the manufacturer of the equipment, are recommended. Laboratory-developed or modified methods can also be used.”

We can extrapolate the requirements to create a broader principle. Put simply, when selecting a method, labs need to select and use a method that deals with the question of the intended use of results. That means the selection of the method relies on an understanding of how the results of testing or calibration will be used. That understanding comes from communication with clients and other stakeholders, such as regulators.

What are the steps in method selection?

Step 1: Define the Testing or Calibration Objective
The first step in selecting a laboratory test or calibration method is to clearly define the testing or calibration objective. Determine the specific question you aim to answer or the problem you seek to address. Understanding the purpose of the test or calibration will guide you in choosing the most relevant method that aligns with the research or analytical goals.

For this step to produce a good outcome, it is vital for labs to engage with clients, specifiers, and other stakeholders to understand the problem that testing seeks to solve. Getting to the “Why” of testing or calibration will reveal the goals.

Step 2: Review Existing Literature and Standards
Before developing or selecting a new test or calibration method, review existing literature and standards. Many well-established organisations and scientific bodies publish standardised test methods for various analyses. Calibration methods are also often standardised. These methods have undergone rigorous validation and are widely accepted. Utilizing standardised methods can enhance the credibility and reproducibility of your results.

But, just because it’s an industry standard doesn’t make it right. That’s why step 1 is so important.

Step 3: Assess Equipment and Resources
Evaluate the laboratory’s available equipment, expertise, and resources. Some test or calibration methods may require specialised instruments or highly skilled personnel. Consider the cost and feasibility of acquiring any necessary equipment or expertise for the selected method. It is essential to ensure that the laboratory has the capability to conduct the chosen test or calibration accurately.

Step 4: Evaluate Test or Calibration Method Characteristics
Understand the characteristics of each potential test or calibration method. Consider factors such as sensitivity, specificity, accuracy, precision, and the detection limit. Assess how well these characteristics align with your testing or calibration objectives and the sample type or item you will be working with. For instance, if you need high sensitivity for trace analysis, choose a method that offers superior sensitivity.

Step 5: Analyse Sample Matrix and Composition
The nature of the sample matrix (solid, liquid, gas) and its composition can significantly impact the choice of a test method. Some methods may be more suitable for complex matrices, while others work better for simple or homogeneous samples. Ensure that the selected method is compatible with the properties of your sample.

Step 6: Consider Time and Throughput
Evaluate the turnaround time and throughput required for testing or calibration. Some methods are time-consuming and may not be suitable for high-throughput applications. Conversely, certain rapid test methods may sacrifice accuracy. Strike a balance between efficiency and precision based on your specific needs and those of your clients.

Step 7: Validate and Verify
Before implementing a new test or calibration method, it’s crucial to validate and verify its performance. Conducting a validation study ensures that the method consistently produces accurate and reliable results under specific conditions. Verification, on the other hand, confirms that the method is suitable for the intended use and aligns with the laboratory’s requirements.

Step 8: Monitor and Review
Once a test or calibration method is in use, it’s essential to regularly monitor its performance and review the results obtained. Identify any potential issues or deviations and take corrective actions promptly. Continuous monitoring and review help maintain the quality and effectiveness of the laboratory’s testing or calibration processes.

Method Validation and Verification

In the realm of science, method validation stands as a critical cornerstone, serving as a guarantee for precision, accuracy, and reliability of analytical methods. Its indispensability springs from its role in assuring the quality and trustworthiness of results, particularly in sectors such as pharmaceuticals, environmental monitoring, and food safety.

Where to start?

Let’s start at the beginning with the definitions. If you pull out your trusty copy of an ISO/IEC 17025, you’ll see that there is a section on definitions. This is a very handy section for engaging with your assessors and their wild claims about how a particular clause is to be interpreted.

Here’s what ISO/IEC 17025 defines validation to be:

“verification, where the specified requirements are adequate for an intended use”

You’ll notice that validation is verification plus something about specified requirements being adequate for an intended use. That suggests some type of assessment of the method and the specified requirements.

To understand what is involved, we need to consider the definition of Verification. This is also defined in ISO/IEC 17025 as the “provision of objective evidence that a given item fulfils specified requirements”.

In plain language, validation is proving your method does what it says it does and is fit for purpose. It requires organised processes and involves a systematic examination and testing of method parameters to meet predefined acceptance criteria, thus substantiating that the method delivers consistent results within a certain context.

What are the “specified requirements”?

The specified requirements are the client’s statements about the attributes of the method. These attributes cover how the method performs in terms of the following.

  • specificity
  • linearity
  • accuracy
  • precision
  • working range
  • detection limit
  • quantitation limit
  • robustness, and
  • measurement uncertainty.

Discovering these attributes is a little more than repeating a test or calibration of a sample a couple of times and testing the odd calibration standard.

Just in case you’ve forgotten what each of these attributes is and how you might approach assessing these attributes, here’s our quick primer.

| Attribute | Definition | Ideas for assessment |
| --- | --- | --- |
| Specificity | The method’s ability to discern between analyte and potential interferences | Analyse test samples containing various suspected interferences in the presence of the analytes of interest. |
| Linearity | The method’s ability to return results that are directly proportional to the concentration of analyte in the sample | Measure blank plus calibration standards, at 6 – 10 concentrations evenly spaced across the range of interest. |
| Accuracy | The method’s nearness to the true value | Measure RM using candidate method or measure matrix blanks or test samples unspiked and spiked with the analyte of interest over a range of concentrations. |
| Precision | The repeatability of results | Measure RM or surplus samples by the same analyst and equipment, same laboratory, short timescale AND measure RM or surplus samples by different analysts and equipment, same laboratory, extended timescale. |
| Working Range | The extent between upper and lower concentrations of analyte, within which the method exhibits a suitable degree of linearity, precision, and accuracy. | Measure blank plus calibration standards, at 6 – 10 concentrations evenly spaced across the range of interest. |
| Detection Limit | The smallest quantity of analyte that can be reliably detected | Replicate measurements of blank samples, i.e. matrices containing no detectable analyte or replicate measurements of test samples with low concentrations of analyte. |
| Quantitation Limit | The smallest quantity of analyte that can be reliably quantified | |
| Robustness | The method’s resilience to variations in analytical conditions | Identify variables which could have a significant effect on method performance. Set up experiments (analysing RMs or test samples) to monitor the effect on measurement results of systematically changing the variables. |
| Measurement uncertainty | This is not the property of a method; it is the property of a result obtained using the method. In simple terms, it is the range within which the true result lies. | The data from assessing the above attributes are used to estimate MU, together with other information relating to traceability of the measurement result, for instance. |

Depending on whether the test is qualitative or quantitative in nature, you may not need to assess all attributes. For instance, an identification (qualitative) measurement gives a result as presence/absence or pass/fail, so a numerical assessment of attributes such as accuracy and precision is not required. But the selectivity of the method does need to be assessed.

Bringing Efficiency into Method Validation
To get through this activity of method validation, labs need to be organized and think smart. You can study LOD, LOQ, accuracy and precision together by careful selection of the materials to be tested or calibrated.

One of the other attributes of methods mentioned above is measurement uncertainty (MU). Many labs will estimate the MU for a method and apply this estimate to any results obtained using that method. It’s a good efficiency step, but labs should be aware of the limitations of the method and other characteristics of samples to ensure that this is a valid approach for any given sample.

Is that it? Nooooooo…..

Like the proverbial journalist looking to pounce on the inexperienced politician who dances around the question without actually saying anything, you’ve latched on that the important question of the “specified requirements” hasn’t been answered yet. There’s no pulling the wool over your eagle eyes!

As discussed above, these stated requirements are the client’s statements about these attributes. Sometimes our lab clients don’t know how to express these requirements. They come to the lab because we’re the experts. Fair enough! Some of us have got fancy white coats after all.

Yes, some clients won’t be able to tell us about their requirements, other than they know the sample has to be tested in a NATA lab. But a little probing can help uncover why they need the testing done. That’s where the veil is lifted to reveal just what these specified requirements are.

Usually, it is regulatory requirements about having a method with a detection limit greater than “X”, or an accuracy of “Y”. Or it might be a product specification that helps us to understand these specified requirements. Really, what we’re being asked to do is to make an assessment of the fitness for purpose of the method.

Without any knowledge of these requirements, we could have a situation where a customer is paying for a very expensive test or calibration with very accurate and precise results when they only needed a test that costs a tenth of the price with a lower level of accuracy and precision and a larger detection limit. The expensive test or calibration might be good for the lab’s bank balance, but it’s not good for getting a return customer, or even getting the customer in the first place!

If the customer is well-informed about their requirements, then having done a method validation study will ensure that you know you’re up to the task and can speak with confidence about how the method is suitable for their purposes.

Records of method validation and verification
Going to all that work should generate some records. The tricky part is finding a way to keep them so that they are accessible and can be updated when needed.

There is also the issue of the extent of those records. Not only do labs need to record the results, but also the validation procedure used, specification of the requirements, and a statement of the method’s validity and fitness for purpose. That can add up to quite a lot of records!

Creating and using templates is a good way to ensure all the required information is recorded. Keeping the records filed in some logical way is also essential, such as on a server with a folder for each method.

These ideas are also useful when it comes to method verification.

If there is a change to the method, whether it’s a standard method or one developed in-house, method validation and verification may need to be repeated to demonstrate that your lab can perform the updated method and still deliver reliable and accurate results. If the changes are not significant, then this work may be unnecessary. But a record showing the review and justification for not performing method validation or verification needs to be retained.

The things labs test and calibrate don’t magically appear out of nowhere. Somewhere along the line, there is a sample taken.


Many labs aren’t in charge of sampling. That’s something left to clients and production line staff. Just because it’s somebody else’s responsibility does not mean laboratories can ignore it.

While it does not provide specific sampling procedures, ISO/IEC 17025 does require that laboratories have a documented sampling plan and follow recognised sampling methods appropriate for their specific testing and calibration activities.

Sampling Plan

ISO/IEC 17025 requires laboratories to establish a sampling plan that defines how samples will be collected, identified, and handled. The aspect of sample handling often falls within the purview of labs because samples that have not been handled correctly might be rejected once they reach the lab. That means all labs essentially have an active role in sampling even if the actual collection of the sample is not performed by laboratory staff.

The plan should be based on recognised and validated methods. There are often standards covering sampling. A quick check of a standards writing body such as Standards Australia or a sector specific association should reveal these types of methods.

Depending on why the testing or calibration is being performed, there could be some merit in confirming with clients what sampling strategy has been used. If the items are from a production process, for instance, what is the statistical basis underpinning the sampling plan?

Sure, you can have that little disclaimer of “The results relate only to the samples tested”. But is that really what the people paying for the lab’s service are expecting? Be bold and show your clients you care about these kinds of things!

Sampling Procedures

Laboratories must use appropriate and validated sampling procedures. These procedures should consider factors such as the characteristics of the material being sampled, the purpose of the analysis, and any relevant regulations or standards.

This is where labs can really assist clients, especially those who come to the lab without any significant scientific background. If you’re in an environmental testing lab, how many times have you received a water sample in a Coke bottle with instructions to test the water for pesticides from the farmer worried about spray drift into his dam?

Validation and Verification

There’s no getting away from the topic of validation and verification. Any sampling methods used should be validated and verified to ensure their suitability for the specific testing or calibration activities.

Representative Samples

Sampling is frequently used because gathering data on every member of a target population or every product produced by an organisation is often impossible, impractical, or too expensive. Sampling lets you draw conclusions or make inferences about the population or product lot from which the sample is drawn. But there is an art to ensuring the samples adequately represent the whole population.

Before anything happens to collect the sample, the population itself should be reasonably well defined. What are we trying to measure? It is not appropriate to calibrate over two points at one end of an item’s whole working range if that fails to demonstrate the performance of the equipment.

The samples collected must be representative of the material being tested. This means that the sampling process should minimise bias and ensure that the samples accurately reflect the properties of the larger population from which they are taken.
Many organisations use statistics to sensibly approach the task of sampling. And there will be some variation and uncertainty associated with the act of sampling.


Personnel involved in sampling must be trained and competent in the sampling methods they use. Training records should be maintained.

Chain of Custody

Laboratories are required to establish a chain of custody process for samples. It need not be an official chain of custody with tamper-proof seals and signatures at every stage. What this process ensures is that the samples are properly tracked from the time of collection to the time of analysis to maintain their integrity and prevent contamination or tampering.

Validation and Verification

Just as with testing and calibration, sampling records need to include details of what was sampled, when and how it was sampled and who performed the sampling. These details also need to include what equipment was used for sampling and environmental conditions if these are relevant to the sampling and testing or calibration processes.

If there is a need to deviate from the established sampling procedure, this also needs to be recorded.

Handling of test or calibration items

Once the sample hits the lab, the chain of custody and identification process is more within the control of the lab. Laboratories must establish procedures for transport, receipt, storage, handling, retention and disposal of samples and keep records of these activities.

Labs also must establish a system for uniquely identifying the samples or items. This is often a component of this chain of custody process.

Each sample should be assigned a unique identifier, and this identifier should be recorded and maintained throughout the entire testing or calibration process.

Typically we give some sort of sample number when there are lots of samples or use a serial number for pieces of equipment. The system for sample identification does not need to be super complex with secret codes using Julian calendar dates. Keep it simple so you can easily find samples and their associated records.

Quality Control

QC processes for sample management within the lab should also be established. That could range from double checking sample information against a test request form, through to monitoring temperatures of fridges.

The trick with sample handling is to think about the critical points in the process and put in checks at those points.

It’s important that the sample integrity meets the requirements for a valid test or calibration result. If there is a problem, the requirement is to contact the customer to confirm whether testing or calibration should proceed and record this decision.

Storage and Preservation

Samples should be properly stored and preserved to prevent degradation or contamination until they are analysed. Storage conditions should be in accordance with recognised standards or procedures.

Laboratories must have procedures for proper sample handling to prevent contamination, degradation, or alteration. This includes guidelines for the appropriate storage conditions, container types, and handling protocols specific to the nature of the samples being analysed.

Facilities for sample storage should provide adequate protection against environmental factors that could affect sample integrity, such as temperature, humidity, and security.

While we’re on the topic, it’s important to think carefully and broadly about the integrity of the sample and preserving that integrity as a whole. This is not just whether the sample has been frozen and in the correct bottle. It might also cover how representative the sub-sample used for testing is of a lake, a production batch, or a person. The considerations about having a representative sample discussed above are just as important at this stage as in the prior stages.


Procedures for the safe and secure transportation of samples from the sampling site to the laboratory should be established. If you’re expecting highway robbers, then extra security might be in order. If not, traditional means of protection should be OK.

Sample Retention

Laboratories are required to define and document their policies regarding the retention of samples. This includes determining how long samples will be stored after analysis, as well as procedures for the disposal of samples once retention periods expire.

In determining the sample retention period, think about how long the sample maintains its integrity with respect to the analyses and how long the customer might mandate for sample retention. Often there is a disconnect between these two periods and you should have a discussion with the client if that’s the case.

Contingency Plans

Laboratories should have contingency plans in case of sample storage or handling incidents that could compromise sample integrity. These plans should include actions to be taken in case of emergencies, such as equipment failures or power outages. To develop your contingency plan, start by looking at the risks in the sampling and sample management process.

Technical Records

This clause is all about the traceability of your results. Your activities must have records that are detailed enough to replicate the exact process that produced them. Who did what, when and how?

This means that you will need to consistently record all relevant factors and you’ll need to retain all the original records and any amendments.

Alterations to records need to show when the alteration was made, who made the alteration, and clearly show what was altered.

Evaluation of Measurement Uncertainty

Labs must estimate the measurement uncertainty (MU) for all calibrations and testing where the results are quantitative. If your lab is using a standard method, then review it to see if there is any information on this topic. If the method specifies aspects such as tolerances for equipment, precision and accuracy, then you may not need to do a great deal of work.

If the results from your lab are qualitative or semi-quantitative, you will at least need to identify the contributions to MU.

The ‘WHY’ of Measurement Uncertainty is not just about accreditation

Measurement Uncertainty (MU) is an important tool for your lab and the people you provide your results to. The MU process is critical to making decisions and assessing risk. It goes to the heart of why we have a quality management system.

How do you do this?

When thinking about MU, you should:

  • Consider all the factors
  • Document your process
  • Reference your MU sources
  • Use spreadsheets
  • Define your origin

Let’s investigate this in a little more detail.

Consider all the factors

When you develop your MU budget, don’t dismiss an uncertainty factor without having evidence that the factor is negligible. This applies whether the evidence is a result of your own experiments or from the published research of other scientists and labs.

You’ll need to present this evidence to the Accreditation Body. Remember, just because a value is under the allowed interval or is small, doesn’t mean that there is no uncertainty. In addition, having this evidence demonstrates that you understand the principles of MU and the method you’re using.

Reference your MU sources

There are quite a number of published documents describing how to calculate MU. Some examples of valid sources are industry journals, publications from professional societies, advice from industry experts and scientific papers. There is no requirement to follow a particular bottom-up or top-down approach.

Be sure to confirm that the method you’re relying on is applicable to your area of testing or calibration.

Document your process

Prepare a document that describes the process you’re following to calculate your uncertainty budget. Include information on how the data was obtained, how it was used and the calculation method itself.

Although this may take some time to prepare, it will give the staff developing MU budgets a consistent source of information.

Use spreadsheets

If you have a computer, you’ll have a spreadsheet program on it. Although it may not be fancy, it’s an excellent tool and can make your life easier.

For example, let’s say you’re using an Excel spreadsheet to develop your measurement uncertainty budget. Rather than inputting the values directly, use cell references in your formulas instead.

This means that if you need to modify a value in your MU budget, you’ll only need to update one cell and click the save icon. The spreadsheet will do its magic and update all the calculations.

Define your origin

Indicate the origin of the values used for your MU calculation. Specify if a value came from a calibration or reference standard certificate, a scientific article, or a standard.
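
A budget built along the lines of the five points above, as an added example in Python rather than a spreadsheet (it is not from the original guide). It assumes a bottom-up approach that combines standard uncertainties by root-sum-of-squares and expands with k = 2; the weighing figures, the origins and names such as `build_budget` are constructed for illustration.

```python
import math
from typing import NamedTuple

# Divisor that turns a quoted value into a standard uncertainty,
# chosen by how the source states the value.
DIVISORS = {
    "standard": 1.0,              # already a standard deviation
    "normal_k2": 2.0,             # expanded uncertainty quoted at k = 2
    "rectangular": math.sqrt(3),  # +/- half-width, all values equally likely
}


class Component(NamedTuple):
    name: str
    value: float         # quoted value, in the units of the result
    distribution: str    # key into DIVISORS
    origin: str          # certificate, article, standard or own experiment
    sensitivity: float = 1.0

    def standard_uncertainty(self) -> float:
        return abs(self.sensitivity) * self.value / DIVISORS[self.distribution]


class Excluded(NamedTuple):
    name: str
    evidence: str        # why the factor is treated as negligible


def build_budget(components, excluded=(), k=2.0):
    """Combine the components and return the budget as a dictionary.

    Refuses to calculate if a value has no recorded origin or if a factor
    has been dismissed without evidence.
    """
    if not components:
        raise ValueError("budget has no components")
    for c in components:
        if c.distribution not in DIVISORS:
            raise ValueError(f"{c.name}: unknown distribution {c.distribution!r}")
        if c.value < 0:
            raise ValueError(f"{c.name}: quoted value must not be negative")
        if not c.origin.strip():
            raise ValueError(f"{c.name}: no origin recorded for the value")
    for e in excluded:
        if not e.evidence.strip():
            raise ValueError(f"{e.name}: dismissed without evidence")

    standard = {c.name: c.standard_uncertainty() for c in components}
    combined = math.sqrt(sum(u * u for u in standard.values()))
    if combined == 0:
        raise ValueError("all components are zero; nothing to combine")
    # Fraction of the combined variance due to each component: shows
    # which factor dominates and which ones barely matter.
    share = {name: (u * u) / combined ** 2 for name, u in standard.items()}
    return {
        "standard": standard,
        "combined": combined,
        "expanded": k * combined,
        "coverage_factor": k,
        "share": share,
        "origins": {c.name: c.origin for c in components},
        "excluded": {e.name: e.evidence for e in excluded},
    }


# Constructed sample budget for a weighing result, all values in mg.
SAMPLE_COMPONENTS = [
    Component("repeatability", 0.30, "standard",
              "standard deviation of replicate weighings, in-house (constructed)"),
    Component("balance calibration", 0.80, "normal_k2",
              "calibration certificate, U quoted at k = 2 (constructed)"),
    Component("readability", 0.05, "rectangular",
              "manufacturer specification, half of 0.1 mg resolution (constructed)"),
]
SAMPLE_EXCLUDED = [
    Excluded("air buoyancy", "in-house study found the effect negligible (constructed)"),
]

if __name__ == "__main__":
    budget = build_budget(SAMPLE_COMPONENTS, SAMPLE_EXCLUDED)
    for name, u in budget["standard"].items():
        print(f"{name:22s} u = {u:.4f} mg  ({budget['share'][name]:.1%} of variance)")
    print(f"combined u = {budget['combined']:.4f} mg, "
          f"expanded U = {budget['expanded']:.4f} mg (k = 2)")
```

Changing one quoted value and re-running recalculates everything, which is the same benefit the cell references give you in a spreadsheet.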

External and Internal Quality Control and Assurance

If you look at ISO/IEC 17025, you’ll find there are no definitive requirements on what to do. Quality control falls within the requirements in section 7.7 of the Standard, which gives a series of activities presented like a smorgasbord for consideration.

One thing is for sure, it’s more than throwing the occasional standard into your testing or calibration regime! Discovering what to do when is an exercise of balancing risk, cost and value.

Why is QC necessary?

Imagine you’re a pilot charged with the task of flying a plane from Melbourne to Sydney. Now imagine that you have no control dashboard and the airspace 200 km around Melbourne airport is surrounded by clouds causing poor visibility. You take off and somehow end up in Port Augusta.

This kind of outcome is like operating without any quality control. Those observations from dashboards and visual images of the landscape are the pilot’s QC system. They tell the pilot if the plane is heading in the right direction and whether there are any alarming conditions coming up.

What’s involved in lab QC?

QC in a lab is no different. The things we want to measure and view on our dashboard are attributes or performance characteristics of a method. These include aspects such as:

  • Accuracy
  • Precision, including repeatability, within laboratory reproducibility and inter-laboratory reproducibility
  • Limit of detection
  • Selectivity
  • Specificity
  • Sensitivity
  • Ruggedness
  • Robustness

Labs need to make sure that the day-to-day application of the method continues to conform to the criteria set for these attributes.

But it is a trade-off between efficiency and effectiveness of laboratory processes. If we were to always have a measure for quality control for all of these attributes for every sample or even batch of samples tested or calibrated, it would be a very expensive exercise and one that the lab client could not afford!

So, we compromise.

A typical regime for quality control for a batch of samples might include:

  • Periodic retesting of a calibration standard as a measure of drift
  • Periodic testing of duplicates as a measure of repeatability
  • Once a week testing of a standard material or reference item, whether this is a reference material or a certified reference material, as a measure of accuracy and reproducibility
  • For some tests, the lab might do spike recoveries, which are also a measure of accuracy.

Depending on the method, you might even do a blank sample, which helps labs understand elements of bias and correct for that bias.

That’s all great, but what about all the other attributes of the method? How do labs know that the method can deliver the limit of detection for all types of samples?

There is a saying, “you cannot manage what you cannot measure”. And if you don’t measure it, how can you know how you’re doing?

This means that lab people need to give some thought to the QC activities employed, including the type of sample, the target quantitative value or attribute of that sample or item, as well as the frequency of QC. Performing a qualitative method won’t let you off the QC hook either!

How frequently do you have to do QC?

The question of frequency of QC comes down to a question of risk. What would happen if you had no QC, or the incorrect kind of QC, and the results that were reported were wrong? Like the pilot, you might end up at Port Augusta, or somewhere even worse, when you are meant to be in Sydney.

Hopefully, though, you already knew all that. If not, you’re welcome!

I suppose the QC regime in most accredited labs has developed through multiple assessments over time. You know, where the technical assessor says you really need to do “X”.

These really helpful suggestions can turn into a logistical and costly nightmare sometimes. Especially when there is the added bonus conversation around metrological traceability.

Let’s strip it back to basics.

Think about what a risk management system is meant to do, besides giving you a headache! It’s there to help us navigate successfully through life, preventing us from suffering losses by putting things in place to catch us before we fall (mitigation of risks).

It could be a big loss if the result that went out of the lab is wrong. In the worst case, people could die. Hopefully, that’s not the kind of business your lab is in.

It might be a small loss, such as the loss of a client who only spends a little bit of money with you. But what about all the people they tell about the loss they suffered?

Remember, QC is there to flag to labs that there is a wrong result, or something in the process that is not working as well as it should. And risk management processes help labs to identify and prevent those wrong results walking out the door to their unsuspecting clients. The latter helps us with the former.

The work done in activities like method validation and verification should help to identify the weak points in the method. Consider those weak points also as risks, a place in the process where something could go wrong. Run those identified weak points through your risk management tool of choice to determine if they are something you can live with, or if it is something that needs some mitigation or elimination.

From that point you can work out what you need to do to mitigate or eliminate the risk. That covers not only what you will measure and how you will measure it, but also how often you will monitor for the existence of the identified risk.

That’s the makings of a good QC program.

Acceptance criteria for QC

It’s essential to set some criteria for the results of QC activities, and for this, data is vital. What can your lab actually achieve? It might be far better than stated in a standard method. Remember that the point of quality control is to alert us to processes that are out of control and possible areas for improvement. Being able to deliver something better in terms of performance of a standard method can be a good thing for providing value to the customer. Or perhaps not, if the customer is not willing to pay for the extra efforts put in by the lab.

In setting acceptance criteria, labs need to consider statistical parameters such as differences from the known reference or target value, and the variation from that value. These are usually represented by differences and standard deviations. That analysis is often done using method validation and verification data. Get familiar with those calculations and apply them to the results of your quality control activities.

Excel is far more powerful for interrogating this data than putting it into a Word document. It’s an excellent tool for not only determining the acceptance criteria, but also monitoring results to ensure these criteria are met. Of course, this monitoring needs to be done in real time, not six months after the test or calibration when the results have well and truly been sent to the client. A LIMS can also help with this.

External QC

This is sometimes known as interlaboratory comparisons, proficiency testing or external quality assurance. It is essential for labs to engage in this activity where these are available and appropriate.

Labs need to establish plans for these activities and review these plans. Most Accreditation Bodies set a timeframe for the plans, such as 4 years. The review of the plans could be done during management review.

Using QC data for improvement

Not only do laboratories need to react to results that fall outside of the acceptance criteria, but they must also analyse the data. This is typically an analysis for trends. Application of the Shewhart Rules is a useful way to discover and deal with these trends.
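
Setting limits from validation data and then checking QC results against them as they arrive, as described in the two sections above, shown as an added example (not part of the original guide). The guide does not say which rule set it means, so the four run rules here are an assumed, commonly used selection, and the validation and QC figures are constructed.

```python
from statistics import mean, stdev

# Assumed rule set; each flag names the rule that was broken.
RULES = {
    "1_3s": "one result more than 3 SD from the centre line",
    "2of3_2s": "two of three consecutive results beyond 2 SD on the same side",
    "run8": "eight consecutive results on the same side of the centre line",
    "trend6": "six consecutive results steadily rising or falling",
}


def control_limits(validation_results):
    """Centre line and SD taken from method validation/verification data."""
    if len(validation_results) < 2:
        raise ValueError("need at least two validation results")
    sd = stdev(validation_results)
    if sd == 0:
        raise ValueError("validation data show no variation; cannot set limits")
    return mean(validation_results), sd


def _count_side(window, sign, beyond=0.0):
    """How many z-scores in the window lie beyond `beyond` SD on one side."""
    return sum(1 for z in window if sign * z > beyond)


def evaluate(qc_results, centre, sd):
    """Return (index, rule) for every QC result that completes a rule.

    Results are taken in the order they were produced, so the same call can
    be repeated each time a new QC result is added. A run or trend that
    continues past its first flag keeps being flagged.
    """
    z = [(x - centre) / sd for x in qc_results]
    flags = []
    for i, zi in enumerate(z):
        sign = 1 if zi > 0 else -1
        if abs(zi) > 3:
            flags.append((i, "1_3s"))
        if abs(zi) > 2 and _count_side(z[max(0, i - 2): i + 1], sign, 2) >= 2:
            flags.append((i, "2of3_2s"))
        if i >= 7 and _count_side(z[i - 7: i + 1], sign) == 8:
            flags.append((i, "run8"))
        if i >= 5:
            steps = [b - a for a, b in zip(z[i - 5: i], z[i - 4: i + 1])]
            if all(s > 0 for s in steps) or all(s < 0 for s in steps):
                flags.append((i, "trend6"))
    return flags


# Constructed data: a reference item with a target value of 100 units.
VALIDATION = [99.0, 101.0, 99.0, 101.0, 99.0, 101.0, 99.0, 101.0, 100.0]
QC_SERIES = [
    100.4, 99.5, 100.8, 102.2, 99.7, 102.5, 99.6, 96.8, 100.3, 99.8,   # 0-9
    100.6, 100.2, 100.9, 100.4, 100.7, 100.3, 100.8, 100.5,            # 10-17
    99.2, 99.5, 99.9, 100.3, 100.6, 101.0,                             # 18-23
]

if __name__ == "__main__":
    centre, sd = control_limits(VALIDATION)
    print(f"centre = {centre:.2f}, SD = {sd:.2f}")
    for index, rule in evaluate(QC_SERIES, centre, sd):
        print(f"QC result {index} ({QC_SERIES[index]}): {RULES[rule]}")
```

Only the result at index 7 is outside a 3 SD limit; the other three flags come from results that would each pass a simple limit check, which is why the trend analysis is worth doing.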


There are very specific requirements for test and calibration reports in ISO/IEC 17025. We could give you the list, but that’s probably not that useful. Instead we’ll explain what makes a good lab report that complies with ISO/IEC 17025.

A lab report doesn’t just state what you’ve done. A well-written, clear, and concise report can enhance the reputation of your lab to both customers and an accreditation body. It’s helpful to put yourself in the shoes of your customers in setting up the format for a report. Just because there is a list in a Standard doesn’t mean you have to present information in that order.

Here’s a rundown on what to include in a good lab report.

Lab report headings

Lab reports usually have several sections which should be easily identified. There’s no need to be creative here – clarity is the most important factor. Calling the document a Laboratory Report is a great start, and it ticks off that pesky requirement to have a title.

What’s in a name

Think of this as a special letter writing exercise (remember those days?) where you had the details of the recipient, date, and your address at the top and your signature at the bottom. Reports are no different to a pre-formatted letter.

Your report will probably be on letterhead, so your company name, address and logo are automatically generated.

The name and contact details of the client you’re carrying out the test or calibration for, along with the date and unique identifier, should be at the top of the report.

Specify the test or calibration site or location of testing or calibration on the report. Sorry, we don’t have a great reason for this, other than it’s in the Standard. Find some place in the report where this detail doesn’t detract from the main focus.

Page numbers are always helpful in case pages get lost or mixed up. Imagine reading a letter from your Mum about the funny exploits of your Dad. Halfway through the story you start reading about the dog because the pages got scrambled. As well as losing the impact, it can be very confusing, so pagination will ensure everyone gets the full story as it is meant to be told. Telling the client when they’ve reached the end of the report is also useful.

Finally, the name of the person authorising the report also needs to appear, typically at the end of the report.

Just like any friendly letter, you need to give the recipient an idea of what you’ve been up to. Information on the who, what and when of the laboratory’s activities needs to be given to the client.

Reports must include information on the methods used for testing or calibration, details of what sample was tested or calibrated in terms that the customer and you can understand, and the dates of testing or calibration.

Depending on the type of test or calibration you’re carrying out, details of the samples should also be listed. For example, when the sample was collected, how the sample was received (e.g. plastic container, glass bottle); temperature on receipt; the appearance of the sample (e.g. cloudy liquid, viscous substance) and how it was treated on receipt (e.g. refrigerated). This will reassure your customers that their samples have been treated with care.

A section for sampling procedure could be helpful if you have anything to do with this activity or if it is important information to put the results into context. If a client requests a particular procedure which is outside your regular scope or process, that information could be listed here.


This is probably one of the most important pieces of information you’re communicating to your customers, so it really needs to be clear. Test and calibration results are easier to read in table format. List the test or calibration, the method, the units of measurement, and the result.

If you are reporting calibration results, the uncertainty cannot be smaller than that stated on your scope of accreditation.

Remarks or comments

These can be included in a results table. For example, a summary of the overall results (e.g. fit for human consumption) can be included here. But be careful what you write.

Statements of fact are often perfectly fine. Opinions and other statements may not be. Check the coverage of any professional indemnity insurance policies held by your lab before you make these types of statements.

If you’re including some statements of compliance, like ‘pass’ or ‘fail’ of a material or product, then make sure you clearly state which specification you are comparing the results to and that you’re applying MU as agreed between you and the customer at the start.


Again, this is probably something that’s automatically generated. Along with any legal requirements stated by your organisation, this should also mention that the report relates only to the sample or item received, calibrated or tested.

What NATA requires

If you’re an accredited facility in Australia, there are certain elements NATA requires your report to contain.

You must include information from the standard you hold accreditation against, e.g. ISO/IEC 17025. Different industries or programs have additional reporting requirements, which are in the industry’s Appendix on the NATA website.

NATA accredited facilities can apply the NATA endorsement on reports for activities covered under their Scope of Accreditation. The endorsement is not just the NATA logo; it’s also the words that go along with it.

Labs should be careful to only apply this to reports covering tests or calibrations within their Scope. If there are some results of testing or calibration outside of the Scope, make sure you have a clear disclaimer in the report.

The logo (or emblem as it’s called) is available on the NATA website. However, before applying this do check the appropriate wording contained in the NATA Rules. All of the relevant information is in the NATA Accreditation Criteria and Guidance or NAC packages for your industry.

Amendments to reports

When an amended report needs to be issued, the change needs to be clearly identified. The reason for the change should also be reported.

The amended document or data transfer must also include words to the effect of “Amendment to Report number…”. If your lab does not use report numbers for uniquely identifying reports, then it may be using a report date. If that’s the case, the statement should say something like “Amendment to report dated…”.

Simplified Reports

If all this seems a bit much, you can negotiate with your customer to produce a simplified report. This might give you some valuable insights into what matters to your customers. You can also see how different ways of communicating key pieces of information can be beneficial to your customers and your lab.

We’ve got a lot to do in labs and a load of expectations to meet. As our only tangible product, a report is our opportunity to showcase the great work we’ve been doing to our customers and other parties who might have an interest in testing.

Taking a more customer-centric view can help make this valuable piece of communication even better for our customers.


Effectively addressing complaints is essential for laboratories to maintain credibility, improve customer satisfaction, and enhance their overall service quality. Proper complaint handling allows laboratories to identify areas of improvement, address issues promptly, and demonstrate their commitment to customer satisfaction and continuous improvement.

It’s not just about being polite and professional (although those are important aspects). By listening to the complaint and showing empathy to the client, you’re making them feel like their opinion and their business is important.

And remember, the complainant isn’t calling you for validation of their feelings (or not just for that anyway). They believe they have a genuine issue and they’re giving you the opportunity to fix it.

What are the requirements for customer complaints?

Section 7.9 of the ISO/IEC 17025 standard outlines the general requirements for handling complaints. According to the standard, laboratories must:

  1. Establish a complaint handling process: Laboratories should develop a documented process for receiving, evaluating, and resolving complaints from customers, stakeholders, and other interested parties.
  2. Assign responsibility: Laboratories must designate a person or team responsible for managing complaints and ensuring the effective implementation of the complaint handling process.
  3. Maintain records of complaints: Laboratories should maintain records of all complaints received, the actions taken to address them, and the final outcome. These records must be retained for a specified period and be accessible for review and monitoring.
  4. Communicate with complainants: Laboratories must acknowledge receipt of complaints promptly and communicate with the complainant throughout the complaint handling process, including providing updates on the progress and resolution of the complaint.
  5. Investigate complaints: Laboratories should conduct thorough investigations of complaints, including identifying the root cause, implementing corrective actions, and, where necessary, preventive actions to prevent the recurrence of similar issues.
  6. Review and monitor the complaint handling process: Laboratories should periodically review and monitor the effectiveness of their complaint handling process, making improvements as necessary.

How to handle complaints

Have you ever sent a steak back in a restaurant because instead of being rare, it was extremely well done?

Or returned a clothing item to a store because the large size was big enough to accommodate you and a friend?

Your memory of how a company handles your complaint will colour your impression of the company. If you were happy with your treatment and their response, you’ll be more likely to return and tell others.

And if not…well, social media makes it VERY easy for disgruntled customers to share their thoughts with others.

Let me tell you a story

Back in the day when I worked for NATA, I would often receive phone calls from disgruntled clients complaining about their assessment, the way someone in NATA had treated them, or that another NATA lab was doing something wrong. (Shocking, I know, to think that this would ever happen!)

One day, I received a call from the owner of a NATA lab who was upset about something to do with NATA (the substance isn’t important). It was clear when I took the call that this person was upset.

So, I listened, took down the details of the concern, and empathised. At the end of the conversation, I asked what the person would like for us to do about his concern. After giving this some consideration, the owner calmly said he didn’t think there was anything that could actually be done. The owner thanked me for patiently listening to the concern and we said our good-byes.

I passed on the details of the interaction to the person in NATA in charge of dealing with complaints and he duly noted this in the records, including its resolution.

Later that day, I was surprised when the owner arrived at the NATA offices with a cake in hand (there was an excellent cake shop a few doors up from the lab).

All the owner wanted was someone to listen to the concern.

The lesson is that, handled properly, a complaint can get you cake (or at least a very positive outcome that results in a stronger relationship of trust)!

So, what do you need to do to get this kind of outcome?

What does the Standard say?

You will need to have a documented process for complaints.

This means that you’ll have something that outlines the steps for receiving, evaluating, and making decisions on any complaints that come into the lab.

This could be a written procedure, flow chart, Excel spreadsheet etc. Whatever method you adopt for documenting the process, you need to include at least the following:

  • A description of how a complaint may be received
  • The process for validating and investigating a complaint
  • How decisions on actions to be taken will be made
  • How the lab tracks and records the complaint and any actions for resolution of a complaint
  • The way that the lab ensures that appropriate action is taken.

If someone asks what your complaint handling process is, you’ll need to make this available. The simplest way to do this is to have it on your website. Granted, this could be a scary prospect, but this level of transparency can help in the long run. It shows that you are a business that cares about how customers experience your service and are open to feedback. That’s a pretty attractive thing in the eyes of a customer!

By the way, documents like AS/NZS 10002 can help with guidance on complaints management.

Do you need to deal with the complaint?

Once you receive a complaint from a customer, it’s up to you to check whether this is something you need to action.

By gathering and verifying information about the complaint, you can determine whether the complaint is valid. Remember, you can only act on a complaint if it relates to your laboratory’s activities.

Keep them in the loop

Assuming the complaint is something you need to deal with, keeping the customer informed is both good business practice and common courtesy.

Let them know you’ve received their complaint and you’re investigating the issue.

If possible, give them a timeframe for how long it will take to investigate their issue. Be realistic about this. Don’t promise to get back to them in 24 hours if you know your processes will take three days.

And don’t feel as if you have to be a software call centre where the success metric is the speed of resolution.

Rather, focus on finding an effective long-term resolution of the problem.

If the process will take some time, ensure you provide the complainant with progress reports and, of course, the final outcome.

It’s also important to assure the complainant that all information about their complaint and the outcome will remain confidential, in line with your normal laboratory practice and confidentiality policy.

ISO/IEC 17025 also states that the outcome of the investigation should be made or reviewed and approved by those not involved in the lab activities in question. This should help to assure the complainant that their issue has been independently investigated.

Respond quickly

Consider it a positive that your customer has given you the opportunity to remedy the problem. They could have sat stewing about it or worse, gone straight to a competitor.

That’s why it’s in everyone’s best interests to take prompt action on a complaint.

If the complaint was voiced on social media (a common occurrence these days), reach out to the person using the same platform. This doesn’t mean playing out the entire process in the full glare of Facebook! Simply acknowledge their issue and advise you will message them privately.

In a private message you can ask for contact details so you can call them and discuss the complaint process.

If your process is to put the complaint in writing, let them know this up front. Explain this process. Tell them you will email them a complaint form to complete (if there is one) or direct them to the website link or email address if that’s your process.

However, that doesn’t mean that you shouldn’t listen if they want to talk through the issue with you. As we saw in our story, sometimes all people want is to have someone listen and get it off their chest. Listen carefully and don’t attempt to provide justification or excuses. Use phrases that honestly show concern such as “I understand how frustrating this must be for you”.

Asking questions will help you to understand the problem correctly and give the customer confidence that you’re listening and interested in solving their issue. Tell them that you’re making notes of your conversation and will include these with their formal complaint. If you’re not sure about how to ask those questions, we have an article that will help.

The solution isn’t the end

So, the complaint has been resolved and the customer is happy with the outcome. But that doesn’t mean you can file this away under ‘solved’ and move on.

Using the documented evidence you’ve collected, treat this like any other non-conformance and embark on the corrective action process. Of course, this includes a root cause analysis. Document this process and any long-term solution. Check the effectiveness of this solution. Record any follow-up verification you carry out.


There are so many issues and problems that crop up in a lab where things didn’t go according to plan. They are known as “non-conformances”.

Dealing with these kinds of issues in a way that doesn’t put your ISO/IEC 17025 accreditation at risk is sometimes difficult to stomach. We really don’t want to have to deal with the consequences, which we fear might be expensive. But, with some common sense, and a bit of bravery, you might find it’s actually an opportunity in waiting!

What to do if you find a non-conformance

The first stage is to find out some details to help determine if it is a significant problem. Small, insignificant problems can be dealt with via a correction or “quick-fix”. For instance, it might be that the client’s report had a typographical error in their address and the way to fix that is to reissue an amended address with the correct details.

Sometimes, the problem can be a little larger and thus more significant. For example, if you discover a piece of equipment is out of calibration, as well as getting the equipment calibrated, you should also look at the results of calibration the last time the equipment was calibrated and perhaps from the occasions before that. Has the performance of the equipment really changed? You could even apply some statistics to tell you whether this is the case!

If your analysis shows that things have not changed significantly, then you can breathe a sigh of relief. It means that the results of any testing or calibration you’ve done are valid in terms of metrological traceability and accuracy.

But what if that’s not the case?

Being sensible and getting over the shock

We have in our tool kit a structure for dealing with instances just like this. It’s called the non-conformance and corrective action process!

In this case, you do need to do a thorough and honest investigation. A cursory look over what happened in the past might be sufficient, depending on the risk an incorrect result poses to you and your customers. While you are conducting this investigation, it could be appropriate to halt any further testing or calibration affected by the issue.

Use the corrective action process to lead you through this. That’s the subject of an entire section below.

The actions must be based on the lab’s established risk levels. This suggests that a risk assessment is carried out for each non-conformance. If you don’t know the risk arising from this event, you might not want to directly ask your customers. But some considered thinking might lead you to the reasons why the customer is asking for the test or calibration and hence the risk associated with the problem.

What do you know about the market you or your customers operate in? Is it highly regulated? If it is, then consider whether an incorrect result will lead to a regulatory risk for your customer, which might ultimately be sheeted home to your lab if there is a fine imposed by the regulator.

Once effective corrective action has been implemented, then it’s time to resume any halted testing or calibration. The resumption of this work needs to be done by someone with the appropriate authority. Those authorities are typically documented in job descriptions and the relevant procedures and policies.

Of course, records need to be kept of the non-conformance and subsequent actions. Depending on the nature of the non-conformance, these could simply be made in the test or calibration record. The significant issues and problems are normally recorded through the corrective action records.

Control of data and information management


What is required of your LIMS?

Before we launch too far into answering this question, it’s important to understand that there are two kinds of LIMS: one deals with the test and calibration data and processes; the other manages information such as procedures, instructions and management system records. The latter is often called something like a document management system, enterprise management system, or quality management system and is not known by the term “LIMS”. The requirements apply to both kinds of laboratory information system.

All LIMS systems need to be validated for functionality before introduction. Changes need to be authorised, documented and validated before implementation. These requirements apply to bespoke and commercial off-the-shelf software. Sometimes this information can be provided by the software developer or supplier as a validation package. Labs should ask for this and retain the materials provided.

LIMS also need to be protected from unauthorised access, tampering and loss. It is important that unique usernames and passwords are applied, and not shared amongst staff. Back-ups should also be done regularly. Often, in cloud-computing scenarios, these occur automatically.

If the LIMS and associated data are stored off-site, labs need to ensure that the supplier also complies with ISO/IEC 17025. It’s very doubtful that your data centre holds ISO/IEC 17025 accreditation, but that does not mean you don’t investigate matters such as who has access to the systems in the data centre, how confidentiality is assured, what back-ups are done, and possibly the location of the data centre if this is controlled by a regulator or customer.

What if your lab uses paper to record results and other activities?

Unless you are handwriting your reports to the customer, there will be a time where those handwritten records need to be transcribed into an electronic system. These data transfers need to be checked systematically to ensure accuracy of the transferred information.

Labs must also check the transfer of data between electronic systems. That can be done by manually reviewing the data, or by an electronic checking system.

Checking calculations

With the advent of calculators, many calculations are now more robust. But that doesn’t mean things are always correct. So systems for checking calculations have to be implemented.

This does not mean every calculation must be checked. The system should be designed to address the risk associated with the process and its outputs (results).

Records of these checks of data transfers and calculations need to be maintained. These records should include what was checked, who performed the check, or in the case of an electronic check mechanism, who reviewed the output of the check, and when the check was performed.
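One way to run an electronic check of a data transfer and produce the check record described above. This is an added example, not part of the original guide or of ISO/IEC 17025; the field names, sample values and user names are constructed, and comparing numeric values after normalisation is an assumed rule that a lab would set for itself.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation


def normalise(value):
    """Canonical text form: '7.10' and ' 7.1' compare equal, '0.125' and '0.152' do not."""
    text = str(value).strip()
    try:
        return str(Decimal(text).normalize())
    except InvalidOperation:
        return text  # non-numeric fields are compared as trimmed text


def dataset_digest(rows, key, fields):
    """SHA-256 over the normalised, sorted rows: pins down exactly what was checked."""
    canon = sorted(
        [str(r[key]).strip()] + [normalise(r.get(f, "")) for f in fields] for r in rows
    )
    return hashlib.sha256(json.dumps(canon).encode("utf-8")).hexdigest()


def check_transfer(source, dest, key, fields, checked_by, reviewed_by):
    """Compare a source export with what arrived in the destination system.

    Returns a check record holding what was checked, who ran the check,
    who reviewed its output, when it ran, and every discrepancy found.
    """
    src = {str(r[key]).strip(): r for r in source}
    dst = {str(r[key]).strip(): r for r in dest}

    # Duplicate identifiers would silently hide rows, so report them.
    counts = Counter(str(r[key]).strip() for r in list(source) + list(dest))
    duplicates = sorted(k for k, n in counts.items() if n > 2)

    mismatches = []
    for k in sorted(src.keys() & dst.keys()):
        for f in fields:
            if normalise(src[k].get(f, "")) != normalise(dst[k].get(f, "")):
                mismatches.append({
                    "id": k,
                    "field": f,
                    "source": src[k].get(f),
                    "destination": dst[k].get(f),
                })

    missing = sorted(src.keys() - dst.keys())
    unexpected = sorted(dst.keys() - src.keys())
    return {
        "what_was_checked": {
            "key": key,
            "fields": list(fields),
            "source_rows": len(source),
            "destination_rows": len(dest),
            "source_sha256": dataset_digest(source, key, fields),
            "destination_sha256": dataset_digest(dest, key, fields),
        },
        "checked_by": checked_by,            # person or automated mechanism
        "output_reviewed_by": reviewed_by,   # who reviewed the electronic check
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "missing_in_destination": missing,
        "unexpected_in_destination": unexpected,
        "duplicate_ids": duplicates,
        "mismatches": mismatches,
        "passed": not (missing or unexpected or duplicates or mismatches),
    }


# Constructed sample data: an instrument export and the rows found in the LIMS.
SOURCE_ROWS = [
    {"sample_id": "S-001", "lead_mg_L": "0.010", "pH": "7.10"},
    {"sample_id": "S-002", "lead_mg_L": "0.125", "pH": "6.80"},
    {"sample_id": "S-003", "lead_mg_L": "0.034", "pH": "7.45"},
    {"sample_id": "S-004", "lead_mg_L": "0.002", "pH": "8.00"},
]
LIMS_ROWS = [
    {"sample_id": "S-001", "lead_mg_L": "0.01", "pH": "7.1"},    # formatting only
    {"sample_id": "S-002", "lead_mg_L": "0.152", "pH": "6.80"},  # transposed digits
    {"sample_id": "S-003", "lead_mg_L": "0.034", "pH": "7.45"},
    # S-004 never arrived
]

if __name__ == "__main__":
    record = check_transfer(
        SOURCE_ROWS, LIMS_ROWS, "sample_id", ["lead_mg_L", "pH"],
        checked_by="transfer-check (automated)", reviewed_by="j.citizen",
    )
    print(json.dumps(record, indent=2))
```

The returned dictionary is the record to retain; store it where it cannot be edited after the fact, alongside the test or calibration record it relates to.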

Management system requirements

There are two options for demonstrating conformance to the management system requirements of ISO/IEC 17025:

  • Develop and implement a system that meets the requirements in section 8 of the Standard;
  • Establish and maintain a system that meets the requirements of ISO 9001.

Management System Documentation

Labs need to develop and document policies and objectives for fulfilling the purposes of ISO/IEC 17025. This is found in the Introduction of the Standard and is to promote confidence in the operation of laboratories.

These policies and objectives must also address the competence, impartiality, and consistent operation of the laboratory.

Setting objectives

Much has been written about what makes a good objective. Acronyms like SMART (and SMARTER) abound in internet searches. However, setting a good objective requires a little more thought.

The starting point is to understand why you’re setting goals. Ideally, you do it because you want to, not because a standard or external auditor tells you that you have to. Remember, goals and objectives provide focus, motivate people, and set the target to work towards. But if you are setting an objective to tick a compliance box, then make sure it fits into the box.

However, when you set a goal, you communicate what is and isn’t important to others who help to achieve that goal. It’s necessary to understand the consequences of the path to achieving the objectives. Are you sacrificing other things that are important by not setting an objective?

Remember, there’s no rule about the number of objectives you can set.
Now you can adopt your favourite framework, like SMART, to set those objectives.

What’s SMART?

SMART is an acronym for ensuring the creation of good objectives.
S – specific
M – measurable
A – achievable
R – relevant
T – time-bound

An objective to test more samples is a little vague if you’re aiming to expand your lab. An objective of testing 50 % more samples in a new market that you already do a little work for, in the next six months, provides much more focus and direction.
A good quality objective might be something like: Receive no more than five customer complaints across the entire lab for the next 12 months.

That’s great to aim for, but if you have never received more than three complaints in any year over the past five years, is it meaningful? Of course, you’ll probably smash it, but does it lead to improvements in quality in your business?

Some ideas for making meaningful objectives:

  • Use data from quality monitoring tools like trends in corrective actions, internal audits and identified risks
  • Ask your staff what matters to them
  • Ask your customers what they value in your service or one like it.

Finally, write the objectives down and communicate them to the people who will help your organisation achieve them.

Writing good documents

There’s an art to writing a good policy or procedure.
You may be starting with a blank page. Or you might have something that you need to update. Either way, it’s time to go back to basics to work out what makes a good policy or procedure.

What are they for?

Documents are for providing written information about processes, policies, and procedures. They’re designed to communicate information and need to be updated and maintained. This means that they need to be clear and concise and most importantly, easily understood.
Generally speaking, lab documents can be defined as:

  • Policies – a statement of overall intent and direction. This is a broad and general direction for the quality system and in essence tells people which direction to head.
  • Processes – these are the steps used to implement the quality policy and achieve quality objectives. They are a set of interrelated or interacting activities that turn lab inputs into outputs. These explain how it happens.
  • Procedures – the specific, detailed, and step-by-step explanation of carrying out activities. These can be considered an explanation of how to do it.
  • Records – the pieces of information that prove what you did.

Lab documents allow you to review your activities. They help you to train your staff. Excellent documentation provides proof of accurate, reliable testing not just to clients but also to external accreditation or audit bodies.
In fact, the management of documents and records is an essential element of a lab quality system.

Who are they for?

The American Press Institute tells us that: “The best story is a well-told tale about something the reader feels is relevant or significant”. Like any good story, your policies and procedures need to be well-told, so making the information relevant or significant in the eyes of the reader is paramount.
How do we do that? Put yourself in the shoes of everyone who will read and use the documents. What’s the local lingo? How do people in your lab or organisation like to understand information?
It’s through answering questions like this that you’ll discover whether you’re just writing procedures because a standard or external organisation tells you to, or if you’re writing for the right audience who will use your documents every day.

Why am I doing this?

It may be tempting for staff to skip over documenting something they think is unnecessary or too time consuming for them to bother to explain. Or perhaps they received a verbal instruction from a colleague, carried out the action but didn’t document how it was done.
In essence, all systems depend on someone doing a thing. If someone doesn’t do that thing, the system fails.
Seeing the whole picture should remove the temptation to skip over documenting a piece of work they don’t believe is relevant.
It’s important for staff to have clarity on what place their work has in achieving outputs of the process, or the goals of the organisation. That will help you understand what level of detail, and the kind of detail that should go into a policy or procedure.

Keep it simple

Software and digital tools make this easier, but any standardised lab approaches to documentation across operations will also streamline this process. Using templates will ensure consistency of information and data collection and capture.

How do you write something in plain language?

Some basic tenets of using plain language in English include:

  • Use everyday words
  • Learn about the words people use
  • Choose simple words, not complicated expressions
  • Use common words rather than jargon as much as possible.
  • Use concise sentences (15-20 words max)
  • Use active, not passive voice (“if you break the law” not “if the law is broken”)
  • Use verbs rather than complex nouns (“identify” not “identification”)

Managing your documents

All management systems documentation needs to be included in, referenced from, or linked to the management system. What does that mean? You don’t need to have a huge list of all documents in your system. You don’t need to cross reference all your documents, although this can help the lab staff to find the various policies, procedures and forms associated with a process. Flowcharts can be used for this purpose too.
You also don’t have to include, reference AND link the documentation in your system. One of these will suffice. How you achieve this is up to you and your lab’s needs and resources.
No matter the design of your management system documentation, it is critical that the lab staff can access the documents they need to complete their job.

Control of Documents

Good documentation forms the essential guidelines for operations in your lab.
But your documentation system isn’t just ‘set and forget’. Documents require reviewing, updating and managing to ensure they’re accurate, up-to-date, and available. And that’s where a document control system comes in.
A good system allows your documents to be easily managed and contains a process to maintain your document inventory. It should be fit for your purposes, reflect the rate of change in your lab and the capabilities of your people. It starts with a sound document control system that everyone in your lab understands. This reflects how to manage information and knowledge.

A document control procedure covers:

  • Document creation
  • Review and approval
  • Publishing and circulation
  • Revision
  • Removal

All documents produced and used in the lab must be included in the control system. This includes SOPs, texts, references, manuals and external documents such as regulations and standards.

Keeping them uniform

We’re all familiar with how to create a document. In a lab setting, templates or a standard outline are extremely helpful. Current staff will quickly become familiar with the structure and new staff will find documents with the same layout easy to navigate.

Templates should include a method for identifying the version of the document and the date. Also consider adding an amendment table at the end to give a quick summary of changes made to a new issue.

Getting it out there

Once you’ve created your document, don’t just drop it into the system.

Develop a clear process for formal review and approval. Have lab management or someone with appropriate knowledge approve the document to ensure accuracy. Approval could simply be shown by a signature and date.

Publish and circulate the approved document according to a distribution list. It’s important to know who it’s going to in case of updates.
Create and maintain a master list or log of documents. Include on this list the frequency of document review and the person(s) responsible for it. Labs may also like to include who has access to each document and any security restrictions on this master list.

Revising documents

Document control means regular review and revision as needed. Establish policies that include the timeframe for revision. The procedure should cover who does this, how it’s implemented and approved and how the revised document is to be identified.
Keep in mind that if there are lots of copies around the lab, one could be forgotten when updates are made. Keep hard copies to a minimum and discourage ‘personal’ collections.

Removal of documents

If something has changed and documents are no longer current, they still need to be retained for reference. Collect old versions. This can be tricky if they’re in hard copy which is why your distribution list is so important.

Removal does not mean deletion so being able to access these documents for a period past their use, whether stored electronically or in hard copy, is important.

Checking the system

No doubt your lab, particularly if it’s accredited, has a document control system in place.
However, it can be helpful to look at your documents and your system to make sure it’s working as it should be.
Look at what you have and consider the following:

  • Do they cover all your processes and procedures?
  • Do they contain sufficient detail?
  • Can any be combined or deleted?
  • Do they need to be changed in terms of look and feel?
  • Do they make sense with the current lab iteration?
  • Are they helpful for the staff who use them? Ask for input from stakeholders.
  • Does the format work?
  • For reports that go externally, is it a good reflection of the lab and your business? Are they professional and clear?

Although you probably don’t need to do this process annually, the requirement for examining your system in this way should be included in your manual.

Should you go electronic?

There are plenty of vendors that offer document control system software solutions. This could come with its own set of issues including security, access and compliance. Of course, these systems need to be validated, as discussed above.

For a small lab the cost would probably outweigh the perceived convenience. Larger labs would need to ensure that the navigation and retrieval is both simple and quick.

Also keep in mind the types of documents you may need to have controlled. Your software solution may need to support spreadsheets, PDFs and images. Systems may not support multiple document types and tagging for searching could be difficult.

You’ll need to train your staff in its use and have ongoing training if the system is complex.

The main question for the lab would be – does it add value?

Control of Records

We discussed the contents of technical records above. The other aspect of the requirements for records in ISO/IEC 17025 is the management of records. And it’s not just technical records captured by these requirements.

First and foremost, records need to be legible. That does not mean your staff need to practice their best cursive handwriting. But it does mean that people must be able to decipher it. If their record keeping practices resemble an entry for Mr Squiggle to work on, then it might be time to consider other options for recording their work.

The retained records need to be organised so that these can be found at a later date. The retention period depends on considerations such as contractual and regulatory requirements. Labs with NATA accreditation must retain records for a minimum period of 4 years.

The system for control of records also needs to address issues of identification, storage, protection, back-up, archive, retrieval and disposal. Putting them in a pile in a store room or on a disorganised computer may not be the best solution.

If your system has hard-copy records, think about contingency plans in case of fire, water damage or theft. Scanning or photographing the records could be an effective option.

If your systems are more sophisticated and records are stored electronically, then the issues relating to confidentiality and access discussed under Control of Data and Information Management need to be considered.

Actions to address risks and opportunities

These requirements mean you look at risks and opportunities in a more formalised and strategic way. Having a risk management plan and understanding the process are important to meeting these requirements.

ISO/IEC 17025 does not prescribe HOW this should happen. Remember, there’s no ‘one size fits all’ to reduce risk, or capitalise on opportunities. It’s all about determining what’s important to your lab. That can change over time so what you had in place in 2020 may not work or be relevant in 2024.

The steps to lab risk management success

Your lab needs to plan and implement actions to address risks and opportunities by adopting a process approach.

The steps to do this are:

  1. Identify
  2. Analyse
  3. Evaluate or rank them
  4. Determine actions
  5. Implement and monitor

Let’s take a quick look at each of these steps.

Step 1: Identify
You won’t get a cross-section of opinions by sitting in a room on your own with a whiteboard! This must be a team effort and can be achieved through brainstorming with relevant stakeholders.
Who are the relevant stakeholders? At a minimum this should include representatives from management, quality, and technical staff.
Consider internal and external sources of risk. Internal inputs could be things like test methods, staffing changes and machinery.
External sources of risk could be gleaned from evaluation of future scenarios (positive and negative) and SWOT analysis. Don’t discard any suggestions at this point. In fact, ‘global pandemic’ is probably on everyone’s risk register now!

Step 2: Analyse
Use a matrix to assign a value to determine low, medium, or high levels for each risk your team has identified.
The value could be either descriptive (low, medium, high) or quantitative (on a scale of 1-10). The level of risk depends on the likelihood and how severe the consequences would be if it were to occur.
You could use a separate matrix for risks and opportunities but it’s important to address both the good and the not-so-good.

Step 3: Evaluate or rank them
Once you’ve determined the level of the risks (or opportunities), you’ll be able to rank which risks to address first.
The higher the level, the more priority you should place on addressing the risk or opportunity.
Perhaps the team will start with the easy things to get some ‘quick wins’ and demonstrate the value of implementing risk management to staff members. Or they could focus on the highest-level issues that may result in critical risk and move down the list in order.
Ranking should also consider the availability of your resources and the costs involved in addressing the risks and opportunities.

Step 4: Determine the actions
Management commitment to funding, resourcing, and implementation will be a factor in determining your actions.
Whatever the case, it’s important to assign someone (or several people) to be responsible for the actions. Ensure there is a realistic timeframe for completion, so they don’t drag on.

Step 5: Implement and monitor
It’s not a solution if it doesn’t work!
Whatever actions you decide on, these must be implemented in the lab. This includes putting someone in charge of ensuring the actions are having the effect they’re supposed to.
If this isn’t happening, the person responsible can raise this with the rest of the team during a follow-up meeting.
This isn’t a ‘set and forget’ exercise. As part of your quality system, you should undertake a periodical review of your risks. This is particularly the case if something in the lab changes or there’s an industry development that could affect your lab.
And of course, this will demonstrate your commitment to continuous improvement in your business.

Write it down

Although there isn’t a requirement to document the process, having records means you’re able to provide evidence of conformance.

Your risk register can be used for this purpose since it lists your risks and opportunities, analysis, risk level, and the actions that need to be taken.


This section goes to the heart of why the quality movement exists.
There is often a better way of doing something. As humans, we are naturally innovative and make improvements (short-cuts) whenever possible. All that ISO/IEC 17025 requires labs to do is to formalise that process.

These opportunities for improvement can come from internal audits, staff and customer suggestions, regular review of procedures, corrective action, management review and risk assessments. ISO/IEC 17025 requires labs to seek both positive and negative feedback from customers. Other than that, the world is your oyster!

When it comes to seeking feedback, your lab doesn’t have to rely on customer surveys. The response rate is usually low from these efforts. Other, more useful avenues include conversations with customers during the sales process, or reviewing reports with customers.

Email communication and social media can also be a fruitful way of seeking feedback. The main thing is to have records of these attempts to seek feedback.

Once you have the feedback, the next stage is to analyse the data. Sometimes, the best way to analyse the data is to make a visual depiction. Why not explore the various software tools and apps available that are built just for that purpose?

Finding the resources to adopt all the improvement ideas is often the handbrake. That’s where the lab’s risk and opportunities system can help to prioritise all these ideas. Consider making use of your corrective action system to manage implementation of the actions associated with the improvement projects.

Corrective Action

In an ideal world, everything would run smoothly with only very small bumps in the road – enough to keep us interested but not enough to cause major headaches.

However, as we all know, the world is seldom ideal.

We all have ways to deal with problems that arise in our personal lives.
But what about when something goes wrong in our laboratory?

Having an effective quality system in place means that you should get a heads-up about any issues that arise. But once you detect a problem, what then? How do you discover and address the root cause to make sure it doesn’t happen again?

Fortunately, there’s a well-established series of steps you can follow.

Step 1: Problem Detected

This can happen through internal sources such as internal audits, quality control and other undesirable outcomes, or through a customer complaint.

Step 2: Investigate

Collect all the details of the issue to ensure you have a complete picture.

Step 3: Determine Significance

When you determine the significance of a problem you identify its level of importance. It may be a superficial problem that can be fixed with a simple action. Or it could be something deeper.
If you incorrectly judge a problem as being insignificant, you could leave many problems unresolved and the issue will become persistent. If you judge the problem as being significant when it really isn’t, you could spend a lot of time and resources on something that can be solved on the spot. So getting this step right matters!

Step 4: Root Cause Analysis

When you’ve identified a problem as significant, the root cause analysis allows you to delve into the deeper reasons for the problem occurring. There are several methods including the 5 whys, and cause and effect diagram.
Of these, the 5 whys technique is probably one of the better known and used methods. This method requires you to ask ‘why did the problem happen’ in a focussed way, and answer that question, keeping in mind the problem you’re investigating. You repeat this process 5 times to determine what is happening at a deeper level. There should be no blame assigned to this exercise – the idea is to find out why something happened not who caused it.

Step 5: Corrective Action

Once you have identified the root cause(s), address the problem and implement corrective action that deals with the root cause(s) to avoid repetition.
Barriers to implementing a solution can come from resistance to change, inadequate resources, poor communication, and fear of failure.
To tackle these barriers, you need the right culture and sometimes some creativity.
If it is a problem of inadequate resources, identify the resources you need to successfully implement the solution, then think about the different ways to get those resources. It might mean you have to collaborate with a partner or explore the skill set of people within your organisation honestly without pigeon-holing them because of the department they work in.

Step 6: Verification

This stage allows you to evaluate if your corrective action had the desired effect. If it did, the incident can be closed. If not, you’ll need to re-visit the issue beginning with the description of the problem and the root cause analysis.

Don’t forget about risks!

Once you have identified a problem, its cause(s) and how to fix it, it’s important (and required) to update your risks and opportunities records. Those identified causes and actions are risks that have been lurking. Having done the hard work of putting a solution in place to mitigate the risk, make sure that you close the loop.

Internal Audits

Internal audits may not be high on your list of fun things to do (unless you’re an auditor of course!) but as we all know, they’re an essential part of lab life. There’s no getting around the need to perform periodic audits of your lab and its ways of working.

Remember, internal audits are an important part of ensuring your processes are working well. They are the lifeblood of any good quality assurance and quality control program. They help keep track of your activities and drive improvements.

So that means developing a culture that sees audits as a positive thing, with auditors and auditees working together to find ways to do things better. But even if your business isn’t quite at this point, everyone accepts that internal audits are a ‘necessary evil’.

Who should do them?

Whether they’re technical or management systems audits, the attributes of the person carrying out the audit should be the same.

This means that the auditor should be professional, observant, and a good listener.
Remember, this is not about finding fault.

The auditor’s focus is on assessing the compliance of procedures, processes, and information against specific audit criteria based on the relevant standards or requirements. And their findings should be based on evidence, not gut feelings.

If the activity is more technical in nature (perhaps sampling or a particular test or calibration method) it’s best to have someone who is independent but with a suitable technical background carrying out the audit. In a small lab, this could be difficult so consider having an external provider carry this out.

Why should we do them?

Simply put, the usual purpose of an internal audit is to assess if the activity being observed is producing valid and technically sound results.

To do this, an internal auditor has a number of tools at their disposal (along with the attributes we already mentioned). These include checklists, reviewing documents, and witnessing activities.

Naturally, the questioning and listening phase of the audit is critical to obtaining the full picture. Engaging with the auditee means developing a deeper understanding of their work and any issues they may be facing.
The auditor then evaluates their findings against the requirements to determine whether these have been met (conformance) or not (non-conformance).

A word about checklists

Checklists are important tools for outlining the scope of the audit and keeping it on track. Use checklists to:

  • Promote planning for the audit and act as a memory aid
  • Help auditors seek objective evidence against the criteria
  • Document observations
  • Record audit findings, documents and records supplied during the audit
  • Justify those findings as conforming or nonconforming against the audit criteria
  • Provide objective evidence that an internal audit was performed
  • Provide a basis for discussing with the auditee any non-conformances discovered during the audit.

However, checklists should not:

  • Be a ‘tick and flick’ exercise – not all questions have yes or no answers
  • Substitute for proper audit planning
  • Have a laser focus on just one narrow scope in a process
  • Provide a script for the auditor
  • Be completely generic and unrelated to the process being observed
  • Allow an auditor to excuse their non-interaction.

If possible, using or adapting the accreditation body’s checklists is a great idea. This could help during an actual assessment by providing some familiarity for the auditee with the assessment process.

How long should an internal audit take?

Depending on the type of audit and its scope, an audit could take anywhere from an hour or two to several days.

Shorter, vertical and horizontal audits will be less time-consuming than a full audit covering all clauses of a management system standard. For a large lab with a number of accredited tests, your audit program should consider a ‘little and often’ approach.
Regardless of its structure, your program should cover all of your accredited activities over a 12-month period. That doesn’t mean you need to audit every single test or calibration.

There’s no downside!

Developing an effective internal audit program is rewarding for everyone.
Lab staff who are trained to carry out audits gain new skills and an appreciation for other areas of the business. They’ll also become more familiar with the auditing process, allowing them to feel more comfortable with external audits when they occur.

The lab system will also benefit from regular auditing, becoming more robust and experiencing fewer nonconforming events. This will also allow staff members to see first-hand how valuable audits are for driving improvements and controlling risks.

And also consider this: an internal audit is like providing management with an advisory service. Effective and regular audits provide management with reports on emerging risks and issues.

Implement improvement actions in line with risk assessments. An internal audit can follow up on previous audit recommendations and provide insight into their implementation and effectiveness.

All of this adds up to a good way of reducing risks and improving the cost-benefit position of a process, both of which should keep management happy.

Management Review

The prospect of doing a management review is not exactly a cause for celebration.

Unlike birthdays, which also come around annually, management reviews can be dull, life-sucking events that last way too long.

But it is possible to turn your management reviews from boring to brilliant!

1.  Timing is everything

Do you time your management review just before an assessment? That makes sense because it’s a good reminder that you need to complete the task.

But when you are dealing with everything else you need to do to prepare for an upcoming external audit, adding a big meeting to the to-do list can be unhelpful.
Businesses should not do a management review just because an ISO standard or external auditor tells them to. In fact, that might be a little counter-productive to the reasons for doing a management review.

Remember, it’s your management system, not the auditor’s. Ensuring the lab’s management system is suitable, adequate, and effective is simply good business practice.

Management reviews don’t have to be a one-off meeting covering everything. You can do it over several meetings with inputs from different levels within the lab. Assign responsibility for the review to a senior staff member (most likely the lab manager or quality manager). They can conduct a final review meeting after going through all the contributions.

It would also make sense to align the meeting with the organisation’s financial year or budget period. Consider whether you can roll this into your business planning meeting. It’s a great way to ensure you make well-informed decisions.

2.  Who’s involved?

Management review involves management. It’s different to a routine staff meeting where you have management and non-managerial staff coming together.

Make sure you have all the right people in the room. Remember that might not just be the Quality Manager and Lab Manager. If you have other departments like Human Resources and Finance, it’s a good idea to also involve the managers of those departments in management review. It helps with making great decisions that work.

3.  What do you need to cover?

Whilst there is a laundry list of things to cover in a management review, they boil down to four basic questions to consider:

  • Suitable – do the processes and operations you have in place facilitate and support the lab’s activities?
  • Adequate – is the lab meeting all the requirements of the standard? Is the lab complying with regulatory and contractual requirements?
  • Effective – is the management system accomplishing the stated purpose of producing the intended or expected results?
  • Efficient – examine the relationship between the resources and the results you are achieving.

The inputs that are included in detail in the ISO Standards are sometimes interrelated. That means you might be able to consider them in a different order to how they are listed in the standard if that makes sense to you.

Make this list of inputs the agenda items for discussion.
We’ve listed the typical inputs and included some notes for you to consider.

  • Changes in relevant internal and external issues – internal issues could include new equipment, new policies or personnel leaving and retiring. External issues include those beyond the control of the lab such as the pandemic, regulatory changes, changes to standards that are critical to your business, or perhaps a new competitor.
  • Fulfilment of objectives – have you met the objectives you aimed to meet?
  • Suitability of policies and procedures – is your QMS reflecting what your lab is actually doing? Are the structure and content of the QMS documents still fit for purpose? If you have external documents incorporated in your system, are they the current versions?
  • Status of actions from previous management reviews – check if those actions were assigned and accomplished. Is there anything outstanding?
  • Outcomes of recent internal audits – this is a good chance to review the process as well as the outcomes.
  • Corrective actions – show what these were and whether the actions were implemented and monitored. Were any repeated? Were staff aware of the process and did anything fall through the cracks? What trends can you identify?
  • Assessments by external bodies – who did this and when is the next one? Is the next one scheduled? Were there any findings and if so, why weren’t these picked up as a non-conformance during your internal audit process?
  • Changes in the volume or in the range of laboratory activities – have you detected any trends? Do you need more financial, equipment or human resources? Is there a need for more training or perhaps cross training of staff?
  • Customer and personnel feedback – what are your staff telling you? How do you get feedback from them and what is that process? If you’re collecting feedback from customers, is this effective? Sending out 100 surveys but only getting one response means you need to try something else.
  • Complaints – are your complaints going to the right person? Are you addressing them according to the requirements of the standard? Are there any trends?
  • Effectiveness of any implemented improvements – have you monitored these and if so, where did you document that information?
  • Adequacy of resources
  • Results of risk identification – the standard mentions taking actions to address risks and opportunities. What risks did you identify? Were they taken, mitigated, or avoided?
  • Outcomes of the assurance of the validity of results – did you take part in any proficiency or interlaboratory testing and if so, what were the results? Outcomes could also include QC check results, control charts or any statistical analysis you’ve done.
  • Other relevant factors, such as monitoring activities and training.

4.  Recording your management review

There is no need to record the discussion like Hansard. However, you do need to make sure there is enough detail in the notes from your management review to be able to follow up on any decisions and show the auditor that you did actually discuss something.

Speaking of decisions, make sure you record those decisions and any actions arising from them. Record the specific action, the timeframe for implementation and who is responsible for taking the action.

5.  Tell your staff

Management reviews are not meant to be a secret society.

All organisations rely on their total resources to deliver success. When it comes to the success of your management system, you need everyone you can possibly bring in. So it’s important to let non-managerial staff know about where they can help.

Of course, there are some sensitive things that you could discuss at a management review. You’ll need to be careful about releasing all the details.

Tell your staff about the decisions, actions and any changes that have been discussed at your management review. They will feel more a part of the organisation and its success.


Mas Management Systems
Deep Technology Incubator, Building 72 ANSTO, New Illawarra Rd, Lucas Heights NSW 2234
