When the ISO/IEC 17025:2017 standard was revised, one of the biggest changes for calibration laboratories was the requirement that laboratories must now plan and implement actions to address the risks inherent in the laboratory’s activities. This risk-based approach and the assessment of the risks is not always an easy and straightforward concept to grasp and is likely to present challenges to most calibration laboratories.
When a laboratory identifies its risks, it has the capability to assess them to determine their consequences and also prioritize the actions to reduce the risks. The risks are identified and addressed to ensure that the laboratory and management system can achieve its intended results, achieve the objectives of the laboratory, prevent, or reduce undesired effects and potential activity failures, and achieve continual improvement.
There is no formal requirement in the standard for setting up a risk management program or specific details on the documentation required. The laboratory is responsible for the development of the risk assessment processes and for identifying which risks need to be addressed. The risks identified and the actions to reduce those risks should always be aligned with the objectives and purpose of the laboratory activities.
There are four main steps in the risk assessment process, the identification of the risks, an assessment of the risks, an evaluation of the risks and the continued monitoring of the risk.
Identification of the Risks
The laboratory will need to review the scope of the laboratory activities and identify the risks associated with each activity. Risk identification methods can stem from an overall brainstorming of the laboratory activities and identifying the risks that are possible and the scenarios in which those risks could occur.
Consideration should be given to both the internal strengths, weaknesses, values and culture within the laboratory and its external threats and concerns, such as those related to the laboratory customers and suppliers, legal implications and local economic environments. The objective should be to determine which laboratory activities have the potential for unwanted risks.
Assessment of the Risks
Once the risks have been identified, the laboratory will need to review each risk to estimate the overall level of risk. The likelihood of the risk resulting in an unintended consequence and the potential severity or impact of that consequence should be accessed to determine the acceptability of the risk. Any possible interactions between the identified risks should be considered during the assessment.
The likelihood that the risk will occur should be assessed by analyzing the number of occurrences this risk has had in the past and the expected rate of the risk occurring in the future.
The severity or impact that the activity will have should be assessed by asking the following questions:
What impact will the risk will have on the laboratory activities?
How will this risk affect the customer?
How difficult or expensive will the risk be to fix?
Does the laboratory have the resources to address the risk?
A risk with a high likelihood of occurrence and a severe impact on the laboratory would be considered a high level of risk. A risk with a rare likelihood of occurrence and a low impact on the laboratory would be considered a low level of risk. A table, graph or matrix can be used to assist in assigning a representative value to the risk determination.
Evaluation of the Risks
When the overall assessment of the risks has been completed, risk mitigation strategies must be developed and documented for any risks with an associated risk level in the High range to either eliminate or reduce the risk to an acceptable level.
Options to mitigate the risks can include, avoiding the risk, eliminating the risk source, reducing the likelihood of the risk occurrence, accepting the risk as presented.
The laboratory is responsible to set priorities and assign responsibilities for the actions to be taken for the risk mitigation. The actions taken should be proportionate to the potential impact on the laboratory activities. Where appropriate, the resulting evaluations and actions can be implemented within the existing laboratory corrective action process to document the evaluation.
Monitoring of the Risks
The risk assessment process needs to be reviewed annually to determine whether changes to the laboratory have occurred that would necessitate the identification of new risks, whether changes to the identified risks have occurred that would require a new assessment of the risk, and whether the specific risk mitigation strategies previously developed have been effective in reducing the risk.