Search results

Do I need ISO 17025 certification in order to audit laboratories?

You asked

as a lab expert, do I also need ISO17025 certification in order to audit laboratories? Or is 9001 is sufficient?

 
There are very few options to obtain ISO 17025 auditing certification. As ISO 9001 is incorporated into the ISO 17025:2017 Management requirements and ISO 17025 Lead Auditor certification courses may not be as readily available, the ISO 9001:2015 Lead Auditor Training Course is a good option. (see https://advisera.com/training/iso-9001-lead-auditor-course/)
There are two components to auditing to consider:

• Auditing skills - Training should include exposure /introduction to ISO 19011: Guidelines for Auditing Management Systems as it is provides guidelines for auditing all management systems.
• Knowledge of the standard against which you are auditing. 

Auditing basics, roles and the principles of auditing covered in the ISO 9001 auditing course will be applicable to auditing ISO 17025 as well. In ISO 17025 auditing the lead auditor should have appropriate auditing skills to assess the management clauses, meaning all those that do not have a technical component. The technical auditor also needs to also have appropriate auditing skills but must also have the ability to audit the technical aspects, including method validation and measurement uncertainty, quality control. In other words the depth of knowledge and skill to delve deep enough into the risks and assess technical validity and competency. This experience comes from hands on working in a laboratory and attending additional training on technical matters. Based on your comments, this is experience you have.

If you choose to obtain ISO 17025:2017 Lead Auditor certification; select a suitable course offered by an approved Training Partners of an international certification body such as Exemplar Global (formally RABQSA) or IRCA (The International Register of Certificated Auditors). 

Have a look at Advisera’s Certification FAQs at https://advisera.com/training/eu-gdpr-courses/ for further information regarding certification

Checklist for pre-/post site inspections

We do not have a checklist, but here are some questions that you can ask:

• How they maintain the refrigerators/cold rooms
• How do they monitor the temperature of the refrigerators / cold rooms
• Are equipment for monitoring temperature calibrated – ask for the certificate of the calibration
• What is the principle of the storage – First in first out (FIFO) or First expire first-out (FEFO)?
• Is there other special conditions for the refrigerators/cold rooms that need to be monitored (for example: is humidity important to be monitored; if refrigerators are used, is it necessary to ensure the conditions of the room in which the refrigerators are located in order to prevent overheating)

For more information regarding storage, please see the following articles:

• Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/
• Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

• Can one person be lab director and quality manager at the same time?

  Glad you found the webinar interesting.

  In terms of ISO 17025, the Quality Manager needs to be impartial, but need not, if the risk is accepted, be independent. There may however, for certain sectors be regulatory requirements or other standards; that require independence of the QM. What is important is the functional role in ISO 17025, for example the appointed laboratory manager my function as the QM as well, as long as risk is managed, and impartiality is evident.

   

  There are some activities, where you should appoint an independent person; even a person reporting to you, or a colleague; to review for example, documents you author. Furthermore internal auditing requires independence so you will need to contract an independent third party consultant or an independent competent person from another department or sister company to assist with audits.

• ISO 9001 MRM & MOM

  I think that MRM stands for Management Review Meeting:

  • Please consider this free webinar on-demand - How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/

  Consider also the following information:

  • How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
  • How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/
  • ISO 9001 document template: Procedure for Management Review - https://advisera.com/9001academy/documentation/procedure-management-review/
     

  I think MOM for Manufacturing Operations Management:

  Consider the following information:

  • Understanding Product & Service Provision in ISO 9001 - https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Procedure sign-off under ISO 9001

  Please check ISO 9001:2015 clause 7.5.2 c). Each organization has the authority to determine what is to be considered the appropriate review and approval for suitability and adequacy. Many smaller or centralized organizations decide that all procedures are approved by the owner or General Manager. Bigger and or more decentralized organizations determine that different documents can be approved by different functions and one or more functions. As a consultant, I ask organizations to write a document register where the authority to sign off each procedure is written, and that document is approved by top management. Showing clearly who has the authority to approve each document.

  You can find more information about the documentation below:

  • Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Where to begin implementing ISO 9001 for a Port Authority

  If your organization wants to implement a quality management system (QMS) according to ISO 9001:2015 requirements you can start by reading this article - How to get ISO 9001 certified - https://advisera.com/9001academy/iso-9001-certification/

  A possible approach to implement a QMS can be:

  • Setup a project sponsor, a project manager, and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
  • As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

  Then, an important step is to design a model of how your organization works as a set of interrelated processes. For example:

  

  Decide how to describe and monitor those processes.

  From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

  If you need to speed-up your implementation process you can consider our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

  This is a very short description of the journey but below you can find more detailed information:

  You can find more information below:

  • Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
  • Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
  • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
  • How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
  • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Fines issued in UK for non-compliance to GDRP

  You can find all enforcement decision issued by the Information Commissioner's Office on its website: https://ico.org.uk/action-weve-taken/enforcement/

  There is also this Enforcement tracker where you can filter by country: https://www.enforcementtracker.com/

  If you need more information about GDPR enforcement and how the Supervisory Authorities work, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Non-applicable clauses for supplier of component for medical device

  I do not have enough information here, but the following requirements can be marked as non-applicable :

  • 6.4.2 Contamination control – if it is no necessary to have special control of the work environment during production
  • 7.5.2 Cleanliness of the product - if it is no necessary to monitor cleanliness of the product, if it is not sterile
  • 7.5.3 Installation activities - if your component does not need installation
  • 7.5.4 Service activities – if your comnponent does not need service
  • 7.5.5 Particular requirements for sterile medical devices – if your component does not need to be sterile
  • 7.5.7 Particular requirements for validation of processes for sterilization and sterile barier systems - if your component does not need to be sterile

  Maybe there are some more requirements that can be marked as non-applicable, but for defining that I need more information regarding the product.

  For more information regarding the ISO 13485:2016, please see following articles:

  • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
  • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
  • How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

  For any other question regarding the ISO 13485:2016, please do not hesitate to ask us.

• Managing records kept on the basis of documents

  Although ISO 27001 requires the storage of specific documents and records (clause 7.5.3 d), and that changes on them are controlled (clause 7.5.3 e), it does not prescribe how to store them or control changes on them, so organizations are free to define the methods that best suit their needs.

  Considering that, storing documents in Excel or Word form is acceptable by the standard. However, the version history feature in Office365 may not be sufficient, because it can help detect an unauthorized change, but cannot prevent it. One way to make your solution more robust, you can limit the users that can edit a document to a small group of users.

  These articles will provide you a further explanation about documentation management:

  • Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

  These materials will also help you regarding documentation management:

  • Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Network controls

  By “system” you should understand software or set of software. For example, operational systems, Office 365, and SaaS applications are examples of systems.

  When control A.13.1.1 (Network controls) requires a system to be authenticated, it means that the system must show proof that it is the system it claims to be (much like a human user must prove his identity when accessing a system or physical area), by means of presenting a password or one-time code provided by a token along with its identification. By adopting this control, you can ensure that only systems you know and have authorized can access your network. For example, when you access your organization’s network you need to provide your identification and authentication information, right? It is the same thing, only applied to systems (each system should have its own identification and authentication information).

  When we talk about the restriction of system connection, we mean that a system should access only what is necessary for its activities. For example, a payment application should have access to the organization’s finance systems and customer databases, but most probably should not have access to HR systems or R&D applications.

  These articles will provide you a further explanation about network controls:

  • How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
  • Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/

  These materials will also help you regarding network controls:

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/