Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
ISO 9001 vs ISO 17025:2017, NABL accreditation in India, quality control vs assurance vs TQM, reference materials, measurement uncertainty and the audit trail behind a BSA 2023 Section 63 certificate.
ISO/IEC 17025:2017 is the international standard that says a testing or calibration laboratory is technically competent and produces results you can trust. In an Indian forensic context it is the standard NABL accredits against, and the accreditation is what lets a CFSL or SFSL chemical examiner sign a certificate that holds under cross-examination as instrumental evidence under BSA 2023 Section 63.
ISO 9001 is the older, broader management-system standard. Any organisation can certify against it. ISO 17025 is narrower and stricter. It assumes the ISO 9001 management discipline is in place, then layers on the technical depth a testing lab actually needs: personnel competence, equipment traceability to SI units through national metrology institutes, validated methods, measurement uncertainty, control charts, certified reference materials and proficiency-testing performance. A lab holding ISO 17025 implicitly meets ISO 9001. A lab holding only ISO 9001 is not running a testing system that survives a defence challenge.
The point most students miss is that NABL accreditation is not a one-shot certificate. It is a four-year cycle with surveillance audits every 12 to 18 months, a documented quality manual, SOPs versioned per method, training records, non-conformities tracked through CAPA, an annual management review, and a sustained record of satisfactory PT performance. Drop any of those and the accreditation lapses, the certificate stops carrying the same weight in court, and the lab is back to producing reports a smart defence counsel can break.
One says you have a process. The other says the process produces results a court can use.
ISO 9001:2015 is generic. It applies to a hospital, a software company, a cement plant or a forensic lab without modification, because what it certifies is that the organisation has documented its processes, monitors customer satisfaction, controls non-conformities and reviews the system at the top. The standard is short on technical specifics for one good reason. It was never meant to certify technical output.
ISO/IEC 17025:2017 is the opposite. It was written for one job: to give external users (regulators, courts, customers) confidence that the numbers a testing or calibration lab puts on paper are technically defensible. The 2017 revision restructured the standard into five clause families: general (impartiality and confidentiality), structural (legal entity, management responsibility), resource (personnel, facilities, equipment, traceability), process (review of requests, sample handling, method selection, validation, measurement uncertainty, ensuring validity of results, reporting), and management-system (documentation, control of records, action on risk, internal audit, management review).
Read those five families and the picture sharpens. ISO 17025 covers everything ISO 9001 covers under management-system, then adds three full families (resource, process, structural) of technical requirements that ISO 9001 leaves silent. An ISO 17025-accredited lab is meeting ISO 9001 plus the technical layer. An ISO 9001-certified lab is not, which is why a defence counsel who finds an ISO 9001-only forensic lab on the certificate has an easy opening line.
| Scope | Generic quality management for any organisation | Specific to testing and calibration laboratories |
| Technical competence requirement | Not addressed | Personnel qualifications, equipment traceability, method validation, MU |
General, structural, resource, process, management system. Five families, every one of them auditable.
The 2017 standard runs to about 30 pages of normative text. The audit-ready summary maps onto its five clause families, and a NABL assessor walks through each at every surveillance visit.
General requirements cover impartiality and confidentiality. The lab must be structured so analytical decisions are not pressured by commercial or internal forces, and a risk register identifies threats to impartiality. Confidentiality covers everything the lab learns about the sample and the case.
Structural requirements name the lab as a legal entity, define management responsibility, identify a quality manager and a technical manager (both mandatory designated positions), and document the accredited scope. The scope is precise: a CFSL might be accredited for "GC-MS confirmation of amphetamines, opioids and benzodiazepines in whole blood and urine", and anything outside that boundary downgrades to a screening result.
Resource requirements cover personnel, facilities, equipment and metrological traceability. Personnel must have documented qualifications, training records and authorisation matrices that name which analyst can sign which result. Facilities must control environmental conditions where they affect the measurement. Equipment must be uniquely identified, calibrated on schedule, traceable to SI, and pulled from service when out of calibration with a back-trace of any results affected.
Process requirements are the technical heart of the standard. The lab reviews each request to confirm it can do the work inside its scope, handles the sample under documented chain of custody, selects a method (preferably a published standard method, otherwise a validated in-house method), establishes measurement uncertainty, runs QC checks every batch, and documents the result in the standard's format. We unpack method validation, MU and PT in the Method Validation, Measurement Uncertainty and Proficiency Testing topic.
Management-system requirements give the lab two options. Option A is to build a full management system that meets ISO 17025's own clauses 8.2 to 8.9. Option B is to use an existing ISO 9001 management system that already addresses these clauses. Most Indian forensic labs pick Option A.
QC is what you do at the bench. QA is what you set up so QC stays trustworthy. TQM is the philosophy that makes both stick.
Three terms travel together and the casual use of one for another is a giveaway that the speaker has not actually worked inside an accredited lab.
Quality control sits at the level of the individual batch. The analyst injects a reagent blank before the first calibrator, includes a CRM and rejects the batch if its result lies outside the certified uncertainty, runs one duplicate per batch and rejects on poor agreement, and plots the CRM result on a Levey-Jennings control chart with Westgard rules to detect drift before it spoils case results. Every QC check is a here-and-now decision that the batch is releasable.
Quality assurance sits one level up. It is the system that ensures every QC check is defined, documented, trained, scheduled and audited: the SOP that specifies the CRM and rejection rule, the training record that proves the analyst was qualified, the calibration schedule that keeps the balance traceable to NPL, the internal audit that checks every six months that QC actually happens, the CAPA file that tracks what changed when a QC check failed. QA is invisible on any given day. Its absence shows up two years later when a case is challenged and the lab cannot produce the record that would have closed the question.
Total quality management is the organisation-wide layer. It is a philosophy more than a procedure, popularised by Deming, Juran and Ishikawa in post-war Japan and carried into Indian manufacturing through the CII quality movement of the 1990s. TQM holds that quality is everyone's job from director to helper, that continuous improvement (kaizen) is the operating mode rather than a one-off project, and that the customer (in a forensic context, the criminal-justice system) is the reason the lab exists. A lab can hold ISO 17025 without practising TQM, but a lab that practises TQM finds ISO 17025 easier to maintain.
| Quality control (QC) | Per batch, daily | Bench analyst | CRM result on a Levey-Jennings chart, duplicate agreement, blank check |
Every number on the certificate must trace, through an unbroken chain, back to the kilogram, the metre, the second.
Metrological traceability is the property that links a measurement result to a stated reference through a documented unbroken chain of calibrations, each with a stated uncertainty. In practice that chain ends at one of the seven SI base units (kilogram, metre, second, ampere, kelvin, mole, candela) realised by a national metrology institute and inter-compared through the Bureau International des Poids et Mesures (BIPM) in Sèvres.
In India the national metrology institute is the National Physical Laboratory (NPL) at Pusa Road, New Delhi, a constituent unit of the CSIR. NPL maintains India's primary standards for mass, length, time, temperature, electrical units, photometry and select chemical reference materials, and Indian calibration labs traceably link their working standards to NPL through certified calibration certificates. The lab's analytical balance is calibrated against a working-standard mass that is calibrated against a secondary mass that traces to NPL's primary kilogram standard. The chromatograph's column-oven temperature traces through a calibrated platinum-resistance thermometer to NPL's temperature scale. The volumetric pipettes trace through gravimetric calibration to the same kilogram.
Reference materials carry the chemistry side of the chain. A reference material (RM) is any material with property values sufficiently homogeneous and well established to use for calibration or method validation. A certified reference material (CRM) is an RM with a certificate stating property values, their uncertainty and a traceability statement. NIST SRM 1577c bovine liver (certified for As, Pb, Hg, Cd and trace elements) is the canonical example. A primary CRM is measured by a fully described primary method (NIST SRM 3149 mercury, IRMM-014 boron). A secondary CRM is measured against a primary: commercial ampoules from Cerilliant, Restek, Sigma-Aldrich and Cayman Chemical fall here.
The Indian Pharmacopoeia Reference Standards (IPRS) deserve a special mention. Issued by the Indian Pharmacopoeia Commission at Ghaziabad under the Ministry of Health and Family Welfare, IPRS are the official Indian reference standards for pharmacopoeial assays and the preferred materials for ayurvedic-product authentication, herbal-drug forensic work and FSSAI compliance testing. The catalogue covers roughly 350 active pharmaceutical ingredients and 200 herbal markers, extended annually.
What the standard requires of CRM use is straightforward. Run one every batch where available, verify the result lies within its certified uncertainty, document the lot and certificate version on the batch record and the analytical certificate, replace expired CRMs and document the change. The chain is the audit trail the defence counsel will follow if the case is contested.
NABL accreditation is not a certificate on the wall. It is a four-year discipline with audits every 12 to 18 months.
NABL (National Accreditation Board for Testing and Calibration Laboratories) is a constituent board of the Quality Council of India, established in 1998. It is the sole laboratory-accreditation body in India and a signatory to the APAC and ILAC Mutual Recognition Arrangements, which means a NABL-accredited result is recognised internationally without re-testing.
NABL accredits Indian forensic-science labs against ISO/IEC 17025:2017, supplemented by NABL 112: Specific Criteria for Forensic Science Laboratories. NABL 100 (General Information Brochure) and NABL 122 (for ISO 15189 medical labs) sit alongside as related guidance. NABL 112 adds the forensic-specific layers ISO 17025 does not address: chain-of-custody discipline, court-going competence for technical witnesses, deposition-readiness, defence-challenge procedures, and the PT schemes (GeT-RM for DNA, CTS for trace and chemistry, NIJ for digital) that forensic labs participate in.
The accreditation cycle runs roughly as follows. The lab files an application with a defined scope. NABL appoints a lead assessor and technical experts for a pre-assessment and then a full witnessed assessment with live sample testing. The lab closes non-conformities and NABL grants accreditation valid for two years initially, extended to four years on satisfactory surveillance. Surveillance audits run every 12 to 18 months and verify that the management system, personnel, equipment and PT performance remain in conformance and that previous non-conformities are closed. Re-assessment at four years is equivalent to the original.
Major Indian forensic labs with current NABL accreditation include CFSL Chandigarh (T-0023), CFSL Hyderabad, CFSL Pune, CFSL Bhopal, CFSL Kolkata, FSL Madhuban Sector 14, FSL Kalina Mumbai, and the Karnataka, Tamil Nadu and Andhra Pradesh state FSLs. The MHA roadmap published in late 2024 targets all major state SFSL divisions for NABL accreditation by end-2027, with central modernisation funding tied to the milestones.
Two transitions, an IS and a retention-time match are not enough on their own. The certificate also needs the QA chain that produced them.
The Bharatiya Sakshya Adhiniyam 2023 came into force on 1 July 2024 and replaced the Indian Evidence Act 1872. Section 63 sets the evidentiary frame for electronic records and instrumental analytical evidence, and the forensic community has converged on a checklist for what a confirmatory certificate needs to survive a defence challenge under it.
The certificate must come from a NABL-accredited lab where the technique falls inside the accredited scope. Out-of-scope results can be reported only as screening, not as accredited confirmation. It must reference the SOP version used (defence counsel routinely subpoena the SOP and verify the run matches), and the CRM batch and lot with certified value, certificate uncertainty and as-measured value. A CRM result outside its uncertainty invalidates the batch.
The certificate must include a measurement-uncertainty statement. For an LC-MS/MS toxicology result the convention is the analyte concentration plus or minus the expanded uncertainty U at coverage factor k = 2 (95 percent confidence). For example: "ethanol 110 mg per 100 mL whole blood, U = 5 mg per 100 mL at k = 2". A bare number with no stated uncertainty is the easiest defence opening. The certificate also carries the analyst's name, designation and signature, the technical manager's counter-signature where the SOP requires it, and the chain-of-custody identifier linking back to a retrievable custody record. The detailed reporting requirements for the analytical method (two MRM transitions, IS, retention-time match, ratio tolerance, R-squared, LOD, LOQ) are in the Tandem Mass Spectrometry and Spectral Interpretation topic. The hyphenated workflows behind the chromatogram and spectrum are in the Hyphenated Techniques: GC-MS, LC-MS and GC-FTIR topic.
The documentation hierarchy supporting the certificate runs four levels deep: the quality manual at the top (policy, scope, organisation), SOPs at level two (each method in enough detail to reproduce without verbal instruction), work instructions at level three (step-by-step bench procedures), and records at level four (logbooks, instrument data, training records, calibration and CRM certificates, raw data, the analytical certificate itself).
What is the structural difference between ISO 9001:2015 and ISO/IEC 17025:2017 that matters most for a forensic lab?
| Customer |
| Anyone the organisation serves |
| External users of the test result: regulator, court, requesting agency |
| Reference standards and CRMs | Not specified | Mandatory, with documented traceability to SI through a national metrology institute |
| Measurement uncertainty | Not required | Required, reported on the certificate where the decision rule depends on it |
| Proficiency-testing participation | Not required | Required at a frequency justified by the scope (typically annual per technique) |
| Accrediting body in India | Various certification bodies | NABL, sole accreditor |
| Carries weight under BSA 2023 Section 63 | Not on its own | Yes, when the technique falls inside the accredited scope |
The shorthand to remember: ISO 17025 implies ISO 9001 plus a technical depth that the older standard does not even attempt to define. The two are not alternatives. They sit on the same axis at different points.
The 2005 edition required a separate preventive-action procedure. The 2017 edition deleted preventive action as a standalone clause and replaced it with risk-based thinking woven through the standard. The lab now identifies risks to impartiality, to the validity of results and to the management system itself, then decides how to address them. A NABL assessor in 2025 will not ask to see your preventive-action register. They will ask to see your risk register and the action plan that came out of it.
| Quality assurance (QA) | Per year, ongoing | Quality manager | Quality manual, SOPs, training records, internal-audit report, CAPA file |
| Total quality management (TQM) | Organisational, multi-year | Top management | Kaizen culture, continuous improvement programme, customer-feedback loop |
The sample-prep and calibration discipline that links the analyte in a case sample to the CRM in the calibrator bottle is covered in the Sample Preparation, Purification and Instrument Calibration topic.