Risk management according to ISO 17025:2017
January 7, 2021 2021-05-16 13:50
The revision process for ISO/IEC 17025:2005 has been completed and the new edition of ISO/IEC 17025:2017 was published on 31 March 2017. Compared to the previous ISO standard, this edition specifies the requirements to be met by all the parties involved in a laboratory’s operation and in particular those responsible for the quality assurance within laboratories.
With the introduction of the 2017 revision of ISO/IEC 17025, which seeks greater alignment with ISO 9001, laboratories now need to implement risk-based thinking in relation to their activities. This publication provides a summary of the risk management requirements specified in ISO/IEC 17025:2017. It also specifies other ways that risk management principles can be applied to ensure compliance with the standard and good laboratory practice (GLP) in this context.
ISO/IEC 17025:2017 requires all the parties involved in a laboratory’s operation to act to reduce, and where possible, eliminate risks. The standard also specifies the main principles of risk-based thinking.
How to implement risk-based thinking according to ISO 17025?
The first three chapters of ISO/IEC 17025:2017 are all about risk management, with a focus on laboratory operational risks. The fourth chapter includes a separate risk management standard for the laboratory in compliance with GLP as well as other applicable standards.
Risk can be defined as uncertainty about the occurrence or nonoccurrence of an event. Risk exists when a specific outcome is uncertain. In risk-based thinking, one should identify and assess all the possible outcomes for every action taken by the laboratory and all the potential effects on the laboratory's ability to meet its objectives.
Risk management is a systematic process that can be used to identify, evaluate, and manage risks in a controlled manner. When performing risk assessment as specified in ISO/IEC 17025:2017, laboratories need to determine whether there is an unacceptable risk to the laboratory's ability to meet its objectives if they do not take further action(s).
The first step in a risk assessment consists of identifying hazards associated with activities at a laboratory (hazard identification).
The next step consists of determining if there is any significant exposure to hazardous substances or situations (risk estimation). If there are such exposures, the next step consists of evaluating their potential effects on the laboratory's ability to meet its objectives (risk characterization) when combined with other factors such as routes of exposure or duration of exposure.
The final step consists of determining the risk mitigation measures required to ensure a suitable level of protection.
The results of a risk assessment should be documented in a risk assessment report that is provided to the appropriate authority. Note that in case of unanticipated effects resulting from activities or situations at a laboratory, it is up to the laboratory itself to communicate them to the appropriate authority.
In addition to the requirements for reporting unanticipated effects, ISO/IEC 17025:2017 specifies requirements for reporting nonconformities and other unexpected occurrences with potentially serious consequences for the laboratory's ability to meet its objectives. A nonconformity is any deficiency found during an evaluation by an accreditation body or by an inspection carried out by the competent authority, which may have an adverse effect on health and/or safety. It is expected that laboratories will evaluate their own operation and modify what needs to be modified after any occurrence mentioned above.
It may sometimes be necessary for laboratories conducting tests involving infectious agents or toxins (as listed in Annex E) to take precautions against accidental exposures in order to protect human subjects and others who may be at risk if such agents were released outside the laboratory.
How to evaluate the risk?
The risk evaluation in a laboratory should be expressed as the probability of the event happening and its severity if it does happen.
The severity of consequences after an event is often expressed on a scale from 1 (no adverse effects to health) to 5 (homicide, permanent disability). From a risk management perspective, it is not sufficient to evaluate risks only by evaluating their probability. The potential damage or loss of resources and other effects associated with the consequences can increase or decrease the importance attached to risks by stakeholders. In addition, stakeholders may have conflicting objectives. It is the responsibility of all parties involved in laboratory operations to ensure that these effects are taken into account when performing a risk assessment and that all affected parties are made aware of them.
Risks and opportunities must be periodically reviewed as conditions and resources change within the laboratory, and with changes in the external environment. All parties involved in the laboratory’s operation should be involved in managing and mitigating risks by identifying opportunities to improve the way they run their business.
ISO/IEC 17025:2017 specifies several other benefits of applying risk management principles in a laboratory context:
• Risk-based thinking will drive continuous improvement and learning.
• It will facilitate better communication about operational risks between the laboratory’s staff, customers, and competent authorities.
• It will allow a laboratory to demonstrate, when it identifies risks and takes action to reduce or eliminate them, that it is fulfilling all its obligations under ISO/IEC 17025:2017.
• It provides proof that a laboratory is taking its responsibility for risk management seriously. This may limit its liability for any damage caused by an adverse event occurring as a result of activity within its premises or during its operations (e.g., because particular precautions were not taken).