Expert Advice Community

Guest

Using Non-ISO Clients on Controlled Forms

  Quote
Guest
Guest user Created:   Sep 16, 2020 Last commented:   Sep 17, 2020

Using Non-ISO Clients on Controlled Forms

I have a PhD and have been creating/building/working in an ISO17025 laboratory for over 30 years. Today, I was helping a fellow company with an internal audit. On one of the ISO controlled forms I noticed that full names of companies have been completely spelt out (process deficiency, confidentiality deficiency). The lab manager (not very experienced) said that because those non-ISO clients are on an ISO form, they don't count for confidentiality and process rules under ISO. Shocked, I didn't know what to say. Is it a documentation deficiency to list non-ISO clients on ISO internally controlled documents?

0 0

Assign topic to the user

Assign

ISO 17025 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 17025 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Tracey Evans Sep 17, 2020

Thank you for the information. Regarding you being “shocked”, I agree with your concern. As I do not have all the context (it depends on the use of the record), I will answer generally with some comments to assist.

A laboratory implementing ISO 17025 and working towards accreditation must state the range of activities that conform to ISO 17025. For general activities, for example, document and record control, customer contracts, handling complaints and corrective actions, it is not appropriate to consider applying a conforming approach to some and a non-conforming approach to situations. The management system must cover all activities that could impact the policies and objectives (aligned to ISO 17025 purpose), otherwise, it defeats the purpose of the management system. The purpose of ISO 17025:2017 is to provide laboratories with the requirements to ensure competence, impartiality, and consistent operation. The purpose of the accreditation is to provide confidence in the operation of the laboratory. Beyond the overall requirements for common general activities,  only the tests on the scope of accreditation need to comply with all the mandatory technical competency requirements such as completed metrological traceability, validation, participation in interlaboratory studies.

Bear in mind that often an auditee will answer in a way that does not reflect the real situation. What is required in an audit is objective evidence against specific criteria. When a response is given verbally, best practice is to ask an open-ended question to get to the basis of that response. With your knowledge of ISO 17025:2017 and laboratory operations, ask yourself where the higher risk or deficiency lies and go deeper there. In this case, it means looking at the criteria for confidentiality (clause 4.1), data and information management (clause 7.11), and customer requirements (clause 5.4); not document control. As an auditor notes the document control observation/concern to tie in later with other observations. You can also note a concern in the apparent gap in the responder's knowledge of the requirements (consider if the person should know details or have an awareness, depending on responsibility).

Any situation where you are looking for evidence that the organization has established and is maintaining their management to the extent required (or not), consider the operational, standard, and regulatory needs. For example, ISO 17025 clause 8.2.5 states personnel must have access to information required. That said, in order to minimize risks, protect the confidentiality and safeguard impartiality, an organization should only make the minimum information available, and only to that personnel who need it do to their work. Take a risk approach to the audit, considering the context. There are four questions to ask which will lead you to the criteria for deeming compliance or not. Ask: 1. What is the organization required by law?2. What has been agreed with the customer?3. What are the mandatory ISO 17025 requirements?4. What has the laboratory documented as a procedure, meaning what have they stated they will do?

Stating the non-conformance finding clearly against specific criteria will assist the laboratory to close the significant gaps.

The following may be of interest, to compliment your approach:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 16, 2020

Sep 17, 2020

Suggested Topics