ISO 17025 definitions: Policies, Procedures, Instructions, Documents and Records

Scan this QR Code with your phone and get bonus info on useful documentation that comes with being an ISO 17025 lab
Scan this QR Code with your phone and get bonus info on useful documentation that comes with being an ISO 17025 lab

In a series of posts, I am going to introduce the reader to the existence of ISO 17025 and its importance.  I am going to introduce it in bite-sized bits for easy digestion.  Just like all matters of learning, knowledge is incremental over time and builds upon previous exposure.

In our first post we answered the question:  What is ISO 17025?

The next post we answered the question:  Why do we need standards? Why ISO 17025 and policy, procedures and instructions matter.

Then we answered the question:  Why is ISO 17025 so important to us in forensic science?

Just two days ago, we asked and answered:  Why should the criminal defense community care about ISO 17025?

A little while ago we examined how ISO 17025 provides a simple method to develop themes to cross-examine experts.

In order to examine the lab, you must understand the terminology and ways of the lab

One of the major benefits to the criminal practitioner to the implementation of ISO 17025 is the adoption of universal nomenclature. This will help us out demonstrably with respect to discovery. For example, I am sure in the past that when you have requested certain documents that we know must exist there is a tremendous amount of “hide the ball” wherein a request for a specified item  is made, but because we did not use the particular sui generis language of that particular crime laboratory on that particular day, the crime laboratory feigns ignorance and reports that there is no such document.

Some crime labs play "hide the ball"
Some crime labs play "hide the ball"

It is not so much that the concept behind the document request or the data behind the document does not exist, but rather through our understandable ignorance, we do not know the proper nomenclature for what to request.

The solution for this can be found in ISO 17025 and in particular subpart 4.3 (Document Control). Per 4.3, there is a clear delineation between controlled and uncontrolled documents.

  • Controlled documents can be characterized as those documents which once the laboratory disseminates them, it becomes the responsibility of that laboratory to seek out those who have a copy of them, collect the old documents and replace them with the new, most recent documents in order to assure that the most current documents are in use. Therefore, it would be extremely useful for a criminal practitioner, for example, to obtain a controlled copy of the Policy, Procedure and Instructions for particular type of test. Therefore, in the frequent event that new documents are adopted, it becomes incumbent upon the laboratory, in order for it to keep its accreditation, to seek you out and replace your copy with the most current one.
  • Uncontrolled documents are copies of the Policies, Procedures and Instructions that exist at a finite point in time, but may not be the current ones in place and in use. A lab has no obligation to update uncontrolled documents.

Section 4.3 in conjunction with Sections 4.13 and 5.4.7 makes a very fine distinction between documents and records. This distinction between documents and records is crucial.

  • “Documents” include such writings specifically labeled as “Policies”, “Procedures”, and “Instructions.”
  • “Records”, on the other hand, are those which are generated during the analytical process unique to the test on the sample itself such as the chain of custody, the particular notes of the analyst as well as the analytical device output in its raw form and finally the conclusory opinion letter that is generated that goes to the “customer” called the “Test Report”.

ISO 17025 in its attempt to employ universal nomenclature establishes a clear distinction within the “Document” designation.  The subsets of types of “Documents” are: “Policies”, “Procedures”, and “Instructions”.

  • “Policies” answer the organizational question of why. Why do we do this? Why is this important? As one can glean from this description of what is contained in a well formulated policy per ISO 17025, if one were to receive the policy, for example, in pre-consumption (solid) drug dose examination, this policy could include some very useful language that has to do with the importance of accuracy, precision, reliability, robustness, and the need to follow the procedures and instructions in order to obtain a valid result. The “Policy” also answers the large institutional question of who has control over the laboratory. In the “Policy”, who has control of the development of the science is defined. Who develops, implements and monitors the underlying “Procedure” and “Instructions” is also defined. This could be most useful in order to show bias of the laboratory at an institutional level.
  • On the other hand, “Procedures” are best classified as answering the questions of who, what, where, and when. Who in general does the testing? Who has control over the testing? What testing is to be performed? Where is testing to be performed? On what instruments is the testing to be performed? When is it to be performed? Under what circumstances are specimens to be tested?  What priorities are set in terms of scarce resources?
  • Finally there are the “Instructions”. This is where we find the technical aspects answering the question how do I, as a bench technician, perform this test specifically in my laboratory using the resources and equipment that are available to me right now.

The additional advantage to the criminal practitioner is in the necessity to uniformly document certain parts of the analytical process as well as the methodology and its validation that heretofore may not have been documented at all in a crime laboratory. This is particularly true in the event of such testing agencies as the DEA. If one has “dealt” with a particular regional laboratory of the DEA and attempted to discover how a particular analyst analyzes any pre-consumption (solid) drug dose sample by requesting the Standard Operating Procedures (SOPs), it is a frequent occurrence that the DEA will respond that there is no such SOP[i].

Under ISO 17025 Section 4.3, if one knows now the proper terminology used in ISO 17025 , one will know to request not only the particular instructions of the analysis, but also the procedures and the policy. As such, the DEA will no longer be able to claim its previous position that they do not exist truthfully in court.

As one can see that if one asks for the “Standard Operating Procedures” for the laboratory expecting to get information that is best answered per ISO 17025 nomenclature by requesting the “Instructions” of the test, a practitioner will be sorrowfully disappointed in the result and will possibly not obtain the information that is included in the “Instructions.” Hence, the uniform nomenclature is key and necessary to understand.

As mentioned previously the important distinction of what constitutes a “Record” can be found in section 4.13 (Control of Records) and is different from Section 4.3, which deals exclusively with documents. Again, “Records” are output from the analytical process as defined supra. Section 4.13.1.1 very specifically outlines that, not only “Records” of the particular analytical tests are to be kept, but also the entirety of the “Records” from the quality control measures as well as the quality assurance aspects of the process leading up to the production of the “Records” of the particular analytical testing being preformed. This is important in that some laboratories in the past have discarded calibration curves or the raw data that generates calibration curves. Now this will not be a possibility under ISO 17025 procedures. In addition, per Section 4.13.1.2, not only are these items to be preserved but also they are to be stored and retained in such a way that they are “readily retrievable.” This should end the gamesmanship that the requested items are but a “needle in a haystack” as has been undoubtedly asserted in the past by laboratories as an excuse to not comply with discovery demands or orders.

Additionally, per 4.13.2.1, we will now be able to insist upon receiving the raw data that is generated as a result of any testing and to try to definitively establish complete compliance with Melendez-Diaz and to make sure that “dry labbing[ii]” did not occur as the provision reads:

The laboratory shall retain records of original observations, derived data and sufficient information to establish an audit trail, calibration records, staff records and a copy of each test report or calibration certificate issued, for a defined period. The records for each test or calibration shall contain sufficient information to facilitate, if possible, identification of factors affecting the uncertainty and to enable the test or calibration to be repeated under conditions as close as possible to the original. The records shall include the identity of personnel responsible for the sampling, performance of each test and/or calibration and checking of results.

Further Note 2[iii] of this subsection includes a preferred definition of “Technical records” as the accumulations of data that may include such items as “forms, contracts, work sheets, work books, check sheets, work notes, control graphs, external and internal test reports and calibration certificates, customers’ notes, papers and feedback”.

Finally, section 4.13.2.2 requires that observations, data and calculations shall be recorded at the time they are made, not later.

Turning towards the specifics of a particular test and a technician’s specific performance, internal auditing is addressed in Section 4.14.1 and in 4.14.2 requires that when error or deviations are discovered that the laboratory shall notify its customers in writing.  This could be very useful for obvious reasons.


[i] This former clumsy request can now be easily identified as “Procedure” and “Instructions”.

[ii] Dry Labbing is the act of generating a conclusory report or “Test Report” when no actual analysis occurs.

[iii] It is important to understand that per Section 1.3 “Notes” that appear after the requirements are not requirements, but they do provide important clarification of the text and guidance for best practices.

Leave a Reply

Your email address will not be published. Required fields are marked *