When the ISO/IEC 17025:2017 standard was revised, one of the biggest changes for calibration laboratories was the requirement that laboratories must now plan and implement actions to address the risks inherent in the laboratory's activities. This risk-based approach, and the assessment of the risks it calls for, is not always an easy or straightforward concept to grasp and is likely to present challenges to most calibration laboratories.
When a laboratory identifies its risks, it can assess them to determine their consequences and prioritize the actions to reduce the risks. The risks are identified and addressed to ensure that the laboratory and management system can achieve its intended results, achieve the objectives of the laboratory, prevent or reduce undesired effects and potential activity failures, and achieve continual
There is no formal requirement in the standard for setting up a risk management program or specific details on the documentation required. The laboratory is responsible for the development of the risk assessment processes and for identifying which risks need to be addressed. The risks identified and the actions to reduce those risks should always be aligned with the objectives and purpose of the laboratory
There are four main steps in the risk assessment process: the identification of the risks, an assessment of the risks, an evaluation of the risks and the continued monitoring of the
Identification of the Risks
The laboratory will need to review the scope of the laboratory activities and identify the risks associated with each activity. Risk identification can start from an overall brainstorming of the laboratory activities, identifying the risks that are possible and the scenarios in which those risks could occur.
Consideration should be given to both the internal strengths, weaknesses, values and culture within the laboratory and its external threats and concerns, such as those related to the laboratory customers and suppliers, legal implications and local economic environments. The objective should be to determine which laboratory activities have the potential for unwanted risks.
Assessment of the Risks
Once the risks have been identified, the laboratory will need to review each risk to estimate the overall level of risk. The likelihood of the risk resulting in an unintended consequence and the potential severity or impact of that consequence should be assessed to determine the acceptability of the risk. Any possible interactions between the identified risks should be considered during the assessment.
The likelihood that the risk will occur should be assessed by analyzing the number of occurrences this risk has had in the past and the expected rate of the risk occurring in the future.
The severity or impact that the activity will have should be assessed by asking the following questions:
What impact will the risk have on the laboratory activities?
How will this risk affect the customer?
How difficult or expensive will the risk be to fix?
Does the laboratory have the resources to address the risk?
A risk with a high likelihood of occurrence and a severe impact on the laboratory would be considered a high level of risk. A risk with a rare likelihood of occurrence and a low impact on the laboratory would be considered a low level of risk. A table, graph or matrix can be used to assist in assigning a representative value to the risk
Evaluation of the Risks
When the overall assessment of the risks has been completed, risk mitigation strategies must be developed and documented for any risks with an associated risk level in the High range to either eliminate or reduce the risk to an
Options to mitigate the risks can include avoiding the risk, eliminating the risk source, reducing the likelihood of the risk occurrence, or accepting the risk as presented.
The laboratory is responsible for setting priorities and assigning responsibilities for the actions to be taken for the risk mitigation. The actions taken should be proportionate to the potential impact on the laboratory activities. Where appropriate, the resulting evaluations and actions can be implemented within the existing laboratory corrective action process to document the evaluation.
Monitoring of the Risks
The risk assessment process needs to be reviewed annually to determine whether changes to the laboratory have occurred that would necessitate the identification of new risks, whether changes to the identified risks have occurred that would require a new assessment of the risk, and whether the specific risk mitigation strategies previously developed have been effective in reducing the risk.