Tracey Evans
November 4, 2020
A corrective action is a mandatory activity for all laboratories accredited to ISO/IEC 17025. It should, however, not be seen as a “rule” or a singular step, but as a core process of an interrelated, functional Quality Management System.
Laboratories often struggle with nonconformances and corrective actions, where they are excessively time-consuming or the chosen corrective action does not achieve the intended result. Furthermore, the level of control is often not proportionate to the impact on quality objectives. Typically, this is because a risk-based approach was not adopted, or inadequate steps were taken.
This article provides an overview of applying risk-based thinking to corrective action. It is presented through statements of five risk-based principles and practical steps to improve the handling of nonconformances and root cause analysis to achieve effective corrective actions.
When a laboratory’s results or activities do not conform to its own procedures or customer requirements, the undesired situation is classified as a nonconformance. ISO/IEC 17025:2017 requires laboratories to follow a procedure to handle nonconformances. Where there is doubt about the compliance, or if there is a risk that the nonconforming work could recur, a decision must be made to follow the corrective action procedure. This is nothing new; the same was required in ISO/IEC 17025:2005, the previous version.
What has changed is the requirement for handling corrective actions. There is now no mandatory procedure required and laboratories can decide, based on evaluation, if there is a need for action to eliminate the cause(s) of the nonconformity. This means that laboratories should take a risk-based approach and should implement any action needed (in light of the risk).
The following principles are a foundation for a suitable risk-based approach to corrective actions:
A correction addresses the short-term need, being a remedial reaction to control and correct the nonconformance. Corrections would be applied to every nonconformance. Corrective action, however, taking a risk-based approach, is not always necessary, and in some cases not possible. As the objective is to control the ongoing risk so that the same or a similar problem does not happen again, taking remedial action alone will require justifying the event as an isolated incident or why the current risk level is accepted.
The difficulty for many laboratories is deciding whether correction alone is sufficient.
Application:
Never ignore an event, even if only a correction is necessary. Record it and monitor for any reoccurrence and change in risk level.
There are two primary reactive situations that trigger the need for a corrective action after a correction:
Laboratories will benefit from interlinking a process approach, proactive (risk), and reactive (corrective action) activities.
Application:
Processes should be understood well and mapped, with known inputs and desired outputs for each step. A laboratory should proactively identify risks and put controls in place to reduce the chance of a nonconforming event to an acceptable level.
For those of you familiar with only using the fishbone diagram for root cause analysis, note that it (and other cause-and-effect tools) can also be used for risk assessment. Instead of the effect at the fish head being the problem statement, you state the desired outcome. The causes are the same, using your knowledge of the process.
A well-established management system should have standardized processes, procedures, documentation, and monitoring that provide a level of protection from undesired deviations (something did not happen as it should have) or deficiencies (gaps). Realistically, though, because of the complexity of laboratory operations, risks of nonconforming events will always exist.
A risk register is a valuable tool to help with the evaluation of nonconforming events. Nonconformances fall into two groups:
Application:
If the risk was not identified, consider why not and enter it in the register. If it was identified, review the process steps and prior analysis. Indicate in the register that, due to a nonconformance, the risk levels will be reviewed after the agreed corrective action.
It is often a chain of events that leads to a nonconformance. If a laboratory approaches cause analysis looking for a singular “root cause,” there is an increased risk of ineffective corrective action.
The “root” should be viewed as a system, not a singular ”right answer.” There may be a number of contributory (causal) factors that could be identified during evaluation. These fall into two categories:
Each of these casual factors has a primary reason for happening—its root cause.
Application:
For the laboratory activity and system that have been affected, take the following steps:
Application:
Risks are not static, so actions need monitoring, and risks should be updated after other activities such as audits, client and personnel feedback, and management reviews. Look out for changed risk levels, as well as trends. For example, if many of the nonconformances experienced were previously identified as risks, yet still occurred, it could indicate that controls need improvement.
Taking a more deliberate risk-based approach to corrective actions and root cause analysis is new for many laboratories. What concerns many is defending risk-based decisions during ISO 17025 accreditation assessments.
Adopting and documenting your approach and strategy based on the principles and practical steps introduced in this article should provide the required assurance and drive a more efficient corrective action process.
To implement ISO 17025 easily and efficiently, use our ISO 17025 Documentation Toolkit that provides step-by-step guidance and all documents for full ISO 17025 compliance.