Corrective actions principles and root cause analysis in ISO 17025

A corrective action is a mandatory activity for all laboratories accredited to ISO/IEC 17025. It should, however, not be seen as a “rule” or a singular step, but as a core process of an interrelated, functional Quality Management System.

Laboratories often struggle with nonconformances and corrective actions: the process is excessively time-consuming, or the chosen corrective action does not achieve the intended result. Furthermore, the level of control is often not proportionate to the impact on quality objectives. Typically, this is because a risk-based approach was not adopted, or inadequate steps were taken.

This article provides an overview of applying risk-based thinking to corrective action. It is presented through statements of five risk-based principles and practical steps to improve the handling of nonconformances and root cause analysis to achieve effective corrective actions.

What has changed in the new revision of ISO/IEC 17025?

When a laboratory’s results or activities do not conform to its own procedures or customer requirements, the undesired situation is classified as a nonconformance. ISO/IEC 17025:2017 requires laboratories to follow a procedure to handle nonconformances. Where there is doubt about the compliance, or if there is a risk that the nonconforming work could recur, a decision must be made to follow the corrective action procedure. This is nothing new; the same was required in ISO/IEC 17025:2005, the previous version.

What has changed is the requirement for handling corrective actions. There is now no mandatory procedure required and laboratories can decide, based on evaluation, if there is a need for action to eliminate the cause(s) of the nonconformity. This means that laboratories should take a risk-based approach and should implement any action needed (in light of the risk).

The following principles are a foundation for a suitable risk-based approach to corrective actions:

What are ISO 17025 corrective actions?

Principle 1. Not all nonconformances need corrective action.

A correction addresses the short-term need, being a remedial reaction to control and correct the nonconformance. Corrections would be applied to every nonconformance. Corrective action, however, taking a risk-based approach, is not always necessary, and in some cases not possible. As the objective is to control the ongoing risk so that the same or a similar problem does not happen again, taking remedial action alone requires justifying either that the event was an isolated incident or why the current risk level is accepted.

The difficulty for many laboratories is deciding whether correction alone is sufficient.


Never ignore an event, even if only a correction is necessary. Record it and monitor for any reoccurrence and change in risk level.

There are two primary reactive situations that trigger the need for a corrective action after a correction:

  1. When the evaluation of the nonconformance indicates a risk of it happening again.
  2. When there is doubt about the laboratory’s operations conforming to its own management system. For example, variation in the quality of operations or lack of competency to meet ISO 17025 requirements.

Principle 2. A process approach and root cause analysis are both proactive and reactive tools.

Laboratories will benefit from interlinking a process approach, proactive (risk), and reactive (corrective action) activities.


Processes should be understood well and mapped, with known inputs and desired outputs for each step. A laboratory should proactively identify risks and put controls in place to reduce the chance of a nonconforming event to an acceptable level.

For those of you familiar with only using the fishbone diagram for root cause analysis, note that it (and other cause-and-effect tools) can also be used for risk assessment. Instead of the effect at the fish head being the problem statement, you state the desired outcome. The causes are the same, using your knowledge of the process.

A well-established management system should have standardized processes, procedures, documentation, and monitoring that provide a level of protection from undesired deviations (something did not happen as it should have) or deficiencies (gaps). Realistically, though, because of the complexity of laboratory operations, risks of nonconforming events will always exist.

Principle 3. Nonconformances are risks that have occurred.

A risk register is a valuable tool to help with the evaluation of nonconforming events. Nonconformances fall into two groups:

  1. Those identified as a risk prior to the current nonconformity and recorded in the risk register, either before any previous event (perceived risk) or originally not perceived but identified after occurring.
  2. Those not identified as a risk and not recorded in the risk register.


If the risk was not identified, consider why not and enter it in the register. If it was identified, review the process steps and prior analysis. Indicate in the register that, due to a nonconformance, the risk levels will be reviewed after the agreed corrective action.

Principle 4. The cause is seldom a singular issue leading to a singular corrective action.

It is often a chain of events that leads to a nonconformance. If a laboratory approaches cause analysis looking for a singular “root cause,” there is an increased risk of ineffective corrective action.
The “root” should be viewed as a system, not a singular “right answer.” There may be a number of contributory (causal) factors that could be identified during evaluation. These fall into two categories:

  • Missing best practices (gaps), or
  • Deviations from specified controls already in place

Each of these causal factors has a primary reason for happening: its root cause.


For the laboratory activity and system that have been affected, take the following steps:

  1. Consider the process and chain of events (what, who, when, how).
  2. Identify multiple possible causal factors by identifying missing best practices or deviations from specified controls already in place.
  3. Using current knowledge, find the root cause of each of the factors—why that specific factor had an impact.
  4. Consider multiple solutions: behaviors, actions, or conditions that could be changed or introduced.
  5. Select the “best solutions,” bearing in mind the available resources and acceptable risk level. These are the solutions most likely to have a positive impact and influence, and to control the risk of a reoccurring event.

Principle 5. Monitoring and trend evaluation drive improvement.


Risks are not static, so actions need monitoring, and risks should be updated after other activities such as audits, client and personnel feedback, and management reviews. Look out for changed risk levels, as well as trends. For example, if many of the nonconformances experienced were previously identified as risks, yet still occurred, it could indicate that controls need improvement. 

Benefits of adopting a risk-based approach to corrective action

Taking a more deliberate risk-based approach to corrective actions and root cause analysis is new for many laboratories. What concerns many is defending risk-based decisions during ISO 17025 accreditation assessments.

Adopting and documenting your approach and strategy based on the principles and practical steps introduced in this article should provide the required assurance and drive a more efficient corrective action process.


Advisera Tracey Evans
Tracey Evans is an ISO 17025 expert with an MSc degree in Biochemistry, and more than 15 years of experience in Laboratory Management Systems.
This experience includes a variety of testing and calibration laboratories in the pharmaceutical, biotechnology, medical pathology, veterinary, engineering, mining, water, and agricultural sectors. Tracey has used her insight into ISO 17025 and ISO 9001 to assist clients in developing and implementing systems, performing method validation and internal audits, addressing risks and opportunities, and achieving ISO 17025 accreditation.
Tracey also has a working knowledge of GLP and GCP and has expertise as an internal auditor for a GCP laboratory.