Search the Elsmar Cove!
**Search ALL of** with DuckDuckGo Especially for content not in the forum
Such as files in the Cove "Members" Directory
Social Distancing - It's not just YOUR life - It's ALL of OUR lives!
Me <——————— 6 Feet ———————-> You

ISO 17025 8.5 Actions to address risks and opportunities


Quality Coordinator - Hitachi High-Tech
We're going to be assessed to the new edition at the end of the year, sooner than I anticipated, so digging in and reading a lot. There are some good crosswalk help with ANAB, Eurolab and others.

I've been mulling over this section for a while. What I find interesting is the NOTE in 8.5.2. After all this Shall consider this and that, it states there is no formal requirement for formal methods.. or documented .. process.

Was this glossed over in the final working of the standard? It's so vague as to question what to do or if there is a need to document anything.

Last edited by a moderator:

Jen Kirley

Quality and Auditing Expert
Staff member
I am going to go off of the 9001 standard, which also uses the term "consider" without further detail. Even 9000:2015 does not define the term. So we are left to dictionaries for definition of consider.

As for 8.5.2, it is also true that methods are not prescribed. That is because there could be any number of methods that would work, some better for different subjects. The organization is free to use methods of their choosing.

In case it helps, EuroLab has published an ISO/IEC 17025:2017 Handbook. I have no affiliation with EuroLab.
From my limited training so far regarding assessment for the new 17025, the audits will have a much more "dialog" feel than a "Let's go over the checklist and see your documents".

You should expect to be asked how your lab handles risk, which is a driver in this standard. I would expect that you will need to demonstrate your risk assessment methods, give examples, show results. You will not need a documented method, what is important is that you achieve positive results and can demonstrate them.
What did you decide were the risks and opportunities when you addressed the Context? How do you intend demonstrating to an auditor you've considered your internal and external issues? The clue is there...


Involved In Discussions
What did you decide were the risks and opportunities when you addressed the Context? How do you intend demonstrating to an auditor you've considered your internal and external issues? The clue is there...
Yes, Andy
Risks assessment covers :
1) internal and external contexts or issues identified
2) risk how to address your own SWOT analysis
3) how to address risks for operations and external environment risk like political climate, market demand, revised standards, test/ calibration methods, etc.
4) rank or evaluate the TOTAL risk in term of severity or consequences and likelihood/ frequency of occurrence and classify the critical risks
5) develop a Risk mitigation action plan to address all identified critical risks
6) monitor the mitigation action plan : what to monitor, Person In Charge, deadline , results, etc.
we had a long back and forth with the auditors about making a bunch of revisions to our preventive action and management review sections, only to have their boss give us the go ahead on 2017 (after showing follow up documentation on a potential source of risk, action to assess/mitigate and evaluate effectiveness of action). we ended up using some of the 9001 verbiage, but dumbed it down and made kind of a flow chart where risk and opportunities can percolate up to management or arise during management meetings. If the severity is high enough a document for corrective/preventative action is authored, and after remediation/opportunism is executed, effectiveness is evaluated at management meetings and closed during review. i dont think this is what they were looking for, but i kept telling them that we do not need any formal risk/opportunity anything, and that we had already gone above and beyond the ISO.


Starting to get Involved
In any case, when doing something you are using method. As a „formal method” for risks assessment, I recommend to use some parts of standard BS 8800:2004 «Occupational health and safety management systems — Guide». This standard is from health and safety area, but the method described can be applied in lab business.

1)You can use “Table E.1 — Examples of harm categories” of the standard for categorization of likelihood (“Very likely”, “Likely”, “Unlikely”, “Very unlikely”) of actions in question.

2)You can use “Table E.3 — A simple risk estimator” of the standard for estimation (“Very low risk”, “Low risk”, “Medium risk”, “High risk”, “Very high risk”) of risks.

3)You can use “Table E.4 — A simple risk categorization” of the standard for evaluation of tolerability (“Acceptable”, “Risks that should be reduced so that they are tolerable or acceptable”, “Unacceptable”) of risks.

4)You can use “Table E.5 — A simple risk-based control plan” of the standard as a guidance on necessary action and timescale.
Top Bottom