ISO 17025 and Quality Management in Forensic Laboratories

ISO 9001 vs ISO 17025:2017, NABL accreditation in India, quality control vs assurance vs TQM, reference materials, measurement uncertainty and the audit trail behind a BSA 2023 Section 63 certificate.

ISO/IEC 17025:2017 is the international standard that defines technical competence requirements for testing and calibration laboratories, covering personnel qualifications, equipment traceability to SI units, validated methods, measurement uncertainty, and proficiency-testing performance. In India, NABL (National Accreditation Board for Testing and Calibration Laboratories) accredits forensic science laboratories against this standard, supplemented by NABL 112 forensic-specific criteria. A NABL-accredited result from a technique within the lab's defined scope is recognised internationally through the APAC and ILAC Mutual Recognition Arrangements and carries evidentiary weight under BSA 2023 Section 63 when the accompanying certificate includes the required QA documentation chain. ISO 9001, by contrast, addresses generic management-system requirements without the technical depth that forensic analytical work demands.

ISO/IEC 17025:2017 is the international standard that says a testing or calibration laboratory is technically competent and produces results you can trust. In an Indian forensic context it is the standard NABL accredits against, and the accreditation is what lets a CFSL or SFSL chemical examiner sign a certificate that holds under cross-examination as instrumental evidence under BSA 2023 Section 63.

Key takeaways

  • ISO/IEC 17025:2017 is the standard NABL accredits Indian forensic laboratories against, and accreditation is what allows a CFSL or SFSL chemical examiner to sign a certificate that holds under cross-examination as instrumental evidence under BSA 2023 Section 63.
  • ISO 17025 goes beyond ISO 9001 by requiring personnel competence, equipment traceability to SI units through national metrology institutes, validated methods, measurement uncertainty, control charts, certified reference materials, and proficiency-testing performance.
  • A lab holding ISO 17025 implicitly meets ISO 9001, but a lab holding only ISO 9001 is not running a testing system that survives a defence challenge in court.
  • NABL accreditation is not a one-shot certificate: it runs on a four-year cycle with surveillance audits every 12 to 18 months, requiring a documented quality manual, versioned SOPs, training records, non-conformities tracked through CAPA, and sustained satisfactory proficiency-testing results.
  • If any element of the accreditation cycle lapses, the certificate loses its courtroom weight and defence counsel can challenge reports that would otherwise have stood as reliable instrumental evidence.

ISO 9001 is the older, broader management-system standard. Any organisation can certify against it. ISO 17025 is narrower and stricter. It assumes the ISO 9001 management discipline is in place, then layers on the technical depth a testing lab actually needs: personnel competence, equipment traceability to SI units through national metrology institutes, validated methods, measurement uncertainty, control charts, certified reference materials and proficiency-testing performance. A lab holding ISO 17025 implicitly meets ISO 9001. A lab holding only ISO 9001 is not running a testing system that survives a defence challenge.

NABL accreditation is not a one-shot certificate. It operates on a four-year cycle with surveillance audits every 12 to 18 months, requiring a documented quality manual, SOPs versioned per method, training records, non-conformities tracked through CAPA, an annual management review, and a sustained record of satisfactory PT performance. If any element lapses, the accreditation is at risk, the certificate loses its courtroom weight, and defence counsel gains a straightforward line of challenge.

By the end of this topic you will be able to:

  • Distinguish ISO 9001:2015 from ISO/IEC 17025:2017 by identifying the specific resource, process, and structural requirements that the latter adds and the former omits.
  • Describe the five clause families of ISO/IEC 17025:2017 and the specific audit evidence a NABL assessor expects under each.
  • Differentiate quality control, quality assurance, and total quality management by time horizon, owner, and documentary artefact.
  • Explain metrological traceability and trace a measurement result through the calibration chain from a forensic lab's instrument back to NPL Delhi and the relevant SI base unit.
  • Outline the NABL accreditation lifecycle, including scope definition, assessment stages, surveillance intervals, and the consequences of a lapsed non-conformity or missed proficiency-testing round.

Key terms

ISO/IEC 17025:2017
The international standard for the competence of testing and calibration laboratories, jointly published by the International Organisation for Standardisation and the International Electrotechnical Commission. The 2017 edition replaced the 2005 version, introduced risk-based thinking, and is what NABL accredits Indian forensic labs against. IS/ISO/IEC 17025 is the identical Indian adoption by BIS.
NABL
National Accreditation Board for Testing and Calibration Laboratories, a constituent board of the Quality Council of India. It is the sole accrediting body for laboratories in India and a signatory to the APAC and ILAC Mutual Recognition Arrangements, which is why a NABL-accredited result is accepted internationally without re-testing.
Quality control (QC)
The day-to-day activities that verify a single batch of results is reliable: method blanks, certified-reference-material runs, duplicate injections, spike recoveries and control-chart plotting. QC is what you do at the bench every shift.
Quality assurance (QA)
The management system that ensures QC actually happens and stays effective over time: written SOPs, training and competence records, internal audits, document control, calibration schedules and the corrective-action loop. QA is what you set up once and maintain forever.
Certified reference material (CRM)
A reference material accompanied by a certificate that states one or more property values, their uncertainty and a documented chain of traceability to SI units. UTAK whole-blood toxicology panels, NIST SRM 1577c bovine liver and Cerilliant single-analyte ampoules are the workhorses in Indian forensic-toxicology benches.
Measurement uncertainty (MU)
A quantified parameter associated with a result that characterises the dispersion of values reasonably attributable to the measurand. Estimated by the GUM (Guide to the Expression of Uncertainty in Measurement) approach, combining Type A (statistical, from repeated measurement) and Type B (instrument calibration, environmental, reference-material) components, and reported as an expanded uncertainty U with coverage factor k = 2 for roughly 95 percent confidence.

ISO 9001 vs ISO 17025: what the difference actually buys you

ISO 9001:2015 is generic. It applies to a hospital, a software company, a cement plant or a forensic lab without modification, because what it certifies is that the organisation has documented its processes, monitors customer satisfaction, controls non-conformities and reviews the system at the top. The standard is short on technical specifics for one good reason. It was never meant to certify technical output.

ISO/IEC 17025:2017 is the opposite. It was written for one job: to give external users (regulators, courts, customers) confidence that the numbers a testing or calibration lab puts on paper are technically defensible. The 2017 revision restructured the standard into five clause families: general (impartiality and confidentiality), structural (legal entity, management responsibility), resource (personnel, facilities, equipment, traceability), process (review of requests, sample handling, method selection, validation, measurement uncertainty, ensuring validity of results, reporting), and management-system (documentation, control of records, action on risk, internal audit, management review).

ISO 17025 covers everything ISO 9001 covers under management-system, then adds three full clause families (resource, process, structural) of technical requirements that ISO 9001 leaves silent. An ISO 17025-accredited lab meets ISO 9001 plus that technical layer. An ISO 9001-certified lab does not, which is why a defence counsel who finds an ISO 9001-only lab on the certificate has a straightforward opening line.

| Aspect | ISO 9001:2015 | ISO/IEC 17025:2017 |
| --- | --- | --- |
| Scope | Generic quality management for any organisation | Specific to testing and calibration laboratories |
| Technical competence requirement | Not addressed | Personnel qualifications, equipment traceability, method validation, MU |
| Customer | Anyone the organisation serves | External users of the test result: regulator, court, requesting agency |
| Reference standards and CRMs | Not specified | Mandatory, with documented traceability to SI through a national metrology institute |
| Measurement uncertainty | Not required | Required, reported on the certificate where the decision rule depends on it |
| Proficiency-testing participation | Not required | Required at a frequency justified by the scope (typically annual per technique) |
| Accrediting body in India | Various certification bodies | NABL, sole accreditor |
| Carries weight under BSA 2023 Section 63 | Not on its own | Yes, when the technique falls inside the accredited scope |

ISO 17025 implies ISO 9001 plus a technical depth the older standard does not attempt to define. They are not alternatives; they address different aspects of organisational and technical assurance.

Inside ISO/IEC 17025:2017: the five clause families and what each one demands

The 2017 standard runs to about 30 pages of normative text. The audit-ready summary maps onto its five clause families, and a NABL assessor walks through each at every surveillance visit.

General requirements cover impartiality and confidentiality. The lab must be structured so analytical decisions are not pressured by commercial or internal forces, and a risk register identifies threats to impartiality. Confidentiality covers everything the lab learns about the sample and the case.

Structural requirements name the lab as a legal entity, define management responsibility, identify a quality manager and a technical manager (both mandatory designated positions), and document the accredited scope. The scope is precise: a CFSL might be accredited for "GC-MS confirmation of amphetamines, opioids and benzodiazepines in whole blood and urine", and anything outside that boundary downgrades to a screening result.

Resource requirements cover personnel, facilities, equipment and metrological traceability. Personnel must have documented qualifications, training records and authorisation matrices that name which analyst can sign which result. Facilities must control environmental conditions where they affect the measurement. Equipment must be uniquely identified, calibrated on schedule, traceable to SI, and pulled from service when out of calibration with a back-trace of any results affected.

Process requirements are the technical heart of the standard. The lab reviews each request to confirm it can do the work inside its scope, handles the sample under documented chain of custody, selects a method (preferably a published standard method, otherwise a validated in-house method), establishes measurement uncertainty, runs QC checks every batch, and documents the result in the standard's format. We unpack method validation, MU and PT in the Method Validation, Measurement Uncertainty and Proficiency Testing topic.

Management-system requirements give the lab two options. Option A is to build a full management system that meets ISO 17025's own clauses 8.2 to 8.9. Option B is to use an existing ISO 9001 management system that already addresses these clauses. Most Indian forensic labs pick Option A.

Quality management system map for an ISO/IEC 17025:2017-accredited forensic lab. The five inner blocks are the five practical pillars audited at every NABL visit. The PDCA ring at the centre shows how Plan-Do-Check-Act keeps each pillar improving. NABL accreditation sits on the outer ring because it validates the whole system against an independent external standard.

QC, QA and TQM: three layers that often get conflated

The three terms are often conflated, but each operates at a distinct level of the quality system.

Quality control sits at the level of the individual batch. The analyst injects a reagent blank before the first calibrator, includes a CRM and rejects the batch if its result lies outside the certified uncertainty, runs one duplicate per batch and rejects on poor agreement, and plots the CRM result on a Levey-Jennings control chart with Westgard rules to detect drift before it spoils case results. Every QC check is a here-and-now decision that the batch is releasable.
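The batch-level decision described above, as an added example that is not code from the original page: it applies the commonly used Westgard multirules to a Levey-Jennings series of CRM results. The target mean, SD and results are constructed values, and the choice of rules (1_2s as a warning; 1_3s, 2_2s, R_4s, 4_1s and 10_x as rejections) is an assumption, since the page does not say which rules a given SOP adopts.

```python
"""Westgard multirule check over a Levey-Jennings series (added example)."""

# Constructed data: assumed in-house mean and SD for a CRM, then one CRM
# result per batch. None of these numbers come from the page.
TARGET_MEAN = 100.0   # mg per 100 mL
TARGET_SD = 2.0       # mg per 100 mL
CRM_RESULTS = [100.5, 99.0, 101.8, 104.6, 98.2, 102.4,
               102.6, 102.9, 103.1, 95.4, 104.3, 107.1]

# Rules treated as batch rejections; 1_2s alone is only a warning.
REJECT_RULES = {"1_3s", "2_2s", "R_4s", "4_1s", "10_x"}


def same_side(zs, limit):
    """True if every z lies beyond +limit, or every z lies beyond -limit."""
    return all(z > limit for z in zs) or all(z < -limit for z in zs)


def evaluate(values, mean, sd):
    """Return one dict per batch: z-score, rules fired and batch status."""
    z = [(v - mean) / sd for v in values]
    report = []
    for i, zi in enumerate(z):
        fired = []
        if abs(zi) > 3:                      # one point beyond 3 SD
            fired.append("1_3s")
        elif abs(zi) > 2:                    # one point beyond 2 SD
            fired.append("1_2s")
        if i >= 1:
            prev = z[i - 1]
            if same_side([prev, zi], 2):     # two in a row beyond 2 SD, same side
                fired.append("2_2s")
            if (zi > 2 and prev < -2) or (zi < -2 and prev > 2):
                fired.append("R_4s")         # adjacent points span more than 4 SD
        if i >= 3 and same_side(z[i - 3:i + 1], 1):
            fired.append("4_1s")             # four in a row beyond 1 SD, same side
        if i >= 9 and same_side(z[i - 9:i + 1], 0):
            fired.append("10_x")             # ten in a row on one side of the mean
        if REJECT_RULES.intersection(fired):
            status = "reject"
        elif fired:
            status = "warning"
        else:
            status = "accept"
        report.append({"batch": i, "value": values[i], "z": round(zi, 2),
                       "rules": fired, "status": status})
    return report


def first_reject(report):
    """Index of the first batch that must not be released, or None."""
    for row in report:
        if row["status"] == "reject":
            return row["batch"]
    return None


if __name__ == "__main__":
    for row in evaluate(CRM_RESULTS, TARGET_MEAN, TARGET_SD):
        print(row["batch"], row["value"], row["z"], row["status"], row["rules"])
```

In this constructed series the first rejection comes from 4_1s, a slow upward drift in which no single point has yet crossed 3 SD.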

Quality assurance sits one level up. It is the system that ensures every QC check is defined, documented, trained, scheduled and audited: the SOP that specifies the CRM and rejection rule, the training record that proves the analyst was qualified, the calibration schedule that keeps the balance traceable to NPL, the internal audit that checks every six months that QC actually happens, the CAPA file that tracks what changed when a QC check failed. QA is invisible on any given day. Its absence shows up two years later when a case is challenged and the lab cannot produce the record that would have closed the question.

Total quality management is the organisation-wide layer. It is a philosophy more than a procedure, popularised by Deming, Juran and Ishikawa in post-war Japan and carried into Indian manufacturing through the CII quality movement of the 1990s. TQM holds that quality is everyone's job from director to helper, that continuous improvement (kaizen) is the operating mode rather than a one-off project, and that the customer (in a forensic context, the criminal-justice system) is the reason the lab exists. A lab can hold ISO 17025 without practising TQM, but a lab that practises TQM finds ISO 17025 easier to maintain.

| Layer | Time horizon | Owner | Typical artefact |
| --- | --- | --- | --- |
| Quality control (QC) | Per batch, daily | Bench analyst | CRM result on a Levey-Jennings chart, duplicate agreement, blank check |
| Quality assurance (QA) | Per year, ongoing | Quality manager | Quality manual, SOPs, training records, internal-audit report, CAPA file |
| Total quality management (TQM) | Organisational, multi-year | Top management | Kaizen culture, continuous improvement programme, customer-feedback loop |

Traceability, reference materials and the SI chain that ends at NPL Delhi

Metrological traceability is the property that links a measurement result to a stated reference through a documented unbroken chain of calibrations, each with a stated uncertainty. In practice that chain ends at one of the seven SI base units (kilogram, metre, second, ampere, kelvin, mole, candela) realised by a national metrology institute and inter-compared through the Bureau International des Poids et Mesures (BIPM) in Sèvres.

In India the national metrology institute is the National Physical Laboratory (NPL) at Pusa Road, New Delhi, a constituent unit of the CSIR. NPL maintains India's primary standards for mass, length, time, temperature, electrical units, photometry and select chemical reference materials, and Indian calibration labs traceably link their working standards to NPL through certified calibration certificates. The lab's analytical balance is calibrated against a working-standard mass that is calibrated against a secondary mass that traces to NPL's primary kilogram standard. The chromatograph's column-oven temperature traces through a calibrated platinum-resistance thermometer to NPL's temperature scale. The volumetric pipettes trace through gravimetric calibration to the same kilogram.

Reference materials carry the chemistry side of the chain. A reference material (RM) is any material with property values sufficiently homogeneous and well established to use for calibration or method validation. A certified reference material (CRM) is an RM with a certificate stating property values, their uncertainty and a traceability statement. NIST SRM 1577c bovine liver (certified for As, Pb, Hg, Cd and trace elements) is the canonical example. A primary CRM is measured by a fully described primary method (NIST SRM 3149 mercury, IRMM-014 boron). A secondary CRM is measured against a primary: commercial ampoules from Cerilliant, Restek, Sigma-Aldrich and Cayman Chemical fall here.

The Indian Pharmacopoeia Reference Standards (IPRS) deserve a special mention. Issued by the Indian Pharmacopoeia Commission at Ghaziabad under the Ministry of Health and Family Welfare, IPRS are the official Indian reference standards for pharmacopoeial assays and the preferred materials for ayurvedic-product authentication, herbal-drug forensic work and FSSAI compliance testing. The catalogue covers roughly 350 active pharmaceutical ingredients and 200 herbal markers, extended annually.

What the standard requires of CRM use is straightforward. Run one every batch where available, verify the result lies within its certified uncertainty, document the lot and certificate version on the batch record and the analytical certificate, replace expired CRMs and document the change. The chain is the audit trail the defence counsel will follow if the case is contested.

The sample-prep and calibration discipline that links the analyte in a case sample to the CRM in the calibrator bottle is covered in the Sample Preparation, Purification and Instrument Calibration topic.

NABL in India: accreditation, scope and the four-year cycle

NABL (National Accreditation Board for Testing and Calibration Laboratories) is a constituent board of the Quality Council of India, established in 1998. It is the sole laboratory-accreditation body in India and a signatory to the APAC and ILAC Mutual Recognition Arrangements, which means a NABL-accredited result is recognised internationally without re-testing.

NABL accredits Indian forensic-science labs against ISO/IEC 17025:2017, supplemented by NABL 112: Specific Criteria for Forensic Science Laboratories. NABL 100 (General Information Brochure) and NABL 122 (for ISO 15189 medical labs) sit alongside as related guidance. NABL 112 adds the forensic-specific layers ISO 17025 does not address: chain-of-custody discipline, court-going competence for technical witnesses, deposition-readiness, defence-challenge procedures, and the PT schemes (GeT-RM for DNA, CTS for trace and chemistry, NIJ for digital) that forensic labs participate in.

The accreditation cycle runs roughly as follows. The lab files an application with a defined scope. NABL appoints a lead assessor and technical experts for a pre-assessment and then a full witnessed assessment with live sample testing. The lab closes non-conformities and NABL grants accreditation valid for two years initially, extended to four years on satisfactory surveillance. Surveillance audits run every 12 to 18 months and verify that the management system, personnel, equipment and PT performance remain in conformance and that previous non-conformities are closed. Re-assessment at four years is equivalent to the original.

  1. Gap assessment and SOP build-out
    The lab maps its current operations against ISO 17025:2017 and NABL 112, identifies gaps, writes or revises the quality manual, SOPs, work instructions and forms, trains personnel, runs internal audits and a management review, and produces a documented evidence base ready for assessment.
  2. Application and scope definition
    The lab files the NABL application with a precise scope: the analytes, the matrices, the techniques, the LOQs and the methods. The scope is what defines the boundary of accredited certification. Outside-scope work can be reported but not as accredited results.
  3. Pre-assessment and full assessment
    A NABL lead assessor and one or more technical experts visit the lab. The pre-assessment is advisory. The full assessment is binding: documentation review, facility walk-through, equipment inspection, witnessed sample testing on the lab's actual instruments, personnel interviews and a closing meeting where non-conformities are raised in writing.
  4. Non-conformity closure
    The lab investigates each non-conformity, identifies the root cause, implements corrective action, implements preventive action (now risk-based action), documents the closure with objective evidence and submits to NABL within the stipulated deadline (typically 60 days for major, 90 days for minor).
  5. Accreditation grant and surveillance cycle
    NABL grants accreditation valid for an initial two-year period, extended to four years on satisfactory surveillance. Surveillance audits run at 12 to 18 month intervals. Re-assessment is at four years. PT participation, scope changes and significant management or equipment changes must be notified to NABL within the timelines documented in NABL 100.
NABL accreditation lifecycle for an Indian forensic lab. The five steps run left-to-right for the initial grant, then cycle back through surveillance and re-assessment every four years. Missing any deadline (surveillance audit, non-conformity closure, PT participation) can trigger scope suspension for the affected technique.

Major Indian forensic labs with current NABL accreditation include CFSL Chandigarh (T-0023), CFSL Hyderabad, CFSL Pune, CFSL Bhopal, CFSL Kolkata, FSL Madhuban Sector 14, FSL Kalina Mumbai, and the Karnataka, Tamil Nadu and Andhra Pradesh state FSLs. The MHA roadmap published in late 2024 targets all major state SFSL divisions for NABL accreditation by end-2027, with central modernisation funding tied to the milestones.

The BSA 2023 Section 63 certificate and what an audit trail looks like

The Bharatiya Sakshya Adhiniyam 2023 came into force on 1 July 2024 and replaced the Indian Evidence Act 1872. Section 63 sets the evidentiary frame for electronic records and instrumental analytical evidence, and the forensic community has converged on a checklist for what a confirmatory certificate needs to survive a defence challenge under it.

The certificate must come from a NABL-accredited lab where the technique falls inside the accredited scope. Out-of-scope results can be reported only as screening, not as accredited confirmation. It must reference the SOP version used (defence counsel routinely subpoena the SOP and verify the run matches), and the CRM batch and lot with certified value, certificate uncertainty and as-measured value. A CRM result outside its uncertainty invalidates the batch.

The certificate must include a measurement-uncertainty statement. For an LC-MS/MS toxicology result the convention is the analyte concentration plus or minus the expanded uncertainty U at coverage factor k = 2 (95 percent confidence). For example: "ethanol 110 mg per 100 mL whole blood, U = 5 mg per 100 mL at k = 2". A bare number with no stated uncertainty is the easiest defence opening. The certificate also carries the analyst's name, designation and signature, the technical manager's counter-signature where the SOP requires it, and the chain-of-custody identifier linking back to a retrievable custody record. The detailed reporting requirements for the analytical method (two MRM transitions, IS, retention-time match, ratio tolerance, R-squared, LOD, LOQ) are in the Tandem Mass Spectrometry and Spectral Interpretation topic. The hyphenated workflows behind the chromatogram and spectrum are in the Hyphenated Techniques: GC-MS, LC-MS and GC-FTIR topic.
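How an expanded uncertainty of the kind quoted above is assembled, as an added example that is not from the original page: a GUM-style budget that combines one Type A component with three Type B components and expands the result at k = 2. The replicate results, the Type B sources and their values are constructed, and every component is assumed to be already expressed in mg per 100 mL with a sensitivity coefficient of 1.

```python
"""GUM-style uncertainty budget for one reported concentration (added example)."""
import math
import statistics

# Constructed replicate results for one case sample, mg per 100 mL.
REPLICATES = [108.9, 110.6, 111.2, 109.3, 110.0]

# Constructed Type B inputs: (source, stated value, how the value was stated).
TYPE_B = [
    ("CRM certificate", 3.0, "expanded_k2"),         # certificate gives U at k = 2
    ("instrument calibration", 2.4, "expanded_k2"),  # calibration report, k = 2
    ("pipette tolerance", 2.0, "rectangular"),       # +/- limit, no distribution given
]

# Divisor that converts each stated value into a standard uncertainty.
DIVISOR = {
    "standard": 1.0,
    "expanded_k2": 2.0,
    "rectangular": math.sqrt(3),
}


def type_a(replicates):
    """Standard uncertainty of the mean from repeated measurement."""
    return statistics.stdev(replicates) / math.sqrt(len(replicates))


def budget(replicates, type_b, k=2):
    """Return the mean, each standard uncertainty, combined u_c and expanded U."""
    parts = {"repeatability (Type A)": type_a(replicates)}
    for source, value, kind in type_b:
        parts[source + " (Type B)"] = value / DIVISOR[kind]
    u_c = math.sqrt(sum(u * u for u in parts.values()))  # root sum of squares
    return {"mean": statistics.mean(replicates), "parts": parts,
            "u_c": u_c, "U": k * u_c, "k": k}


def dominant(result):
    """Name of the component that contributes most to the combined uncertainty."""
    return max(result["parts"], key=result["parts"].get)


def statement(analyte, result):
    """Certificate wording in the format the page uses for its ethanol example."""
    return (f"{analyte} {result['mean']:.0f} mg per 100 mL whole blood, "
            f"U = {result['U']:.1f} mg per 100 mL at k = {result['k']}")


if __name__ == "__main__":
    r = budget(REPLICATES, TYPE_B)
    for name, u in r["parts"].items():
        print(f"{name:32s} u = {u:.3f}")
    print(statement("ethanol", r))
    print("largest contributor:", dominant(r))
```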

The documentation hierarchy supporting the certificate runs four levels deep: the quality manual at the top (policy, scope, organisation), SOPs at level two (each method in enough detail to reproduce without verbal instruction), work instructions at level three (step-by-step bench procedures), and records at level four (logbooks, instrument data, training records, calibration and CRM certificates, raw data, the analytical certificate itself).
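The certificate checklist from this section, turned into a pre-release review as an added example (not part of the original page and not any lab's or NABL's own tooling). The record layout, field names, scope entries and custody identifiers are hypothetical; the scope is modelled on the page's CFSL example.

```python
"""Pre-release review of a confirmatory certificate record (added example)."""

# Hypothetical accredited scope: (technique, analyte class, matrix).
ACCREDITED_SCOPE = {
    ("GC-MS", cls, matrix)
    for cls in ("amphetamines", "opioids", "benzodiazepines")
    for matrix in ("whole blood", "urine")
}
# Constructed custody register: identifiers that have a retrievable record.
CUSTODY_REGISTER = {"COC-EXAMPLE-0001", "COC-EXAMPLE-0002"}


def review_certificate(cert, scope=ACCREDITED_SCOPE, custody=CUSTODY_REGISTER):
    """Return a list of findings; an empty list means the record is complete."""
    findings = []
    key = (cert.get("technique"), cert.get("analyte_class"), cert.get("matrix"))
    if key not in scope and cert.get("reported_as") != "screening":
        findings.append("out-of-scope result reported as accredited confirmation")
    if not cert.get("sop_version"):
        findings.append("SOP version missing")

    crm = cert.get("crm") or {}
    needed = ("lot", "certified_value", "certificate_uncertainty", "measured_value")
    missing = [f for f in needed if crm.get(f) is None]
    if missing:
        findings.append("CRM record incomplete: " + ", ".join(missing))
    elif (abs(crm["measured_value"] - crm["certified_value"])
          > crm["certificate_uncertainty"]):
        findings.append("CRM result outside certified uncertainty: batch invalid")

    mu = cert.get("mu") or {}
    if mu.get("expanded_U") is None or mu.get("k") is None:
        findings.append("measurement-uncertainty statement missing")

    analyst = cert.get("analyst") or {}
    if not all(analyst.get(f) for f in ("name", "designation", "signature")):
        findings.append("analyst name, designation or signature missing")
    if cert.get("sop_requires_countersign") and not cert.get("technical_manager_signature"):
        findings.append("technical manager counter-signature missing")

    if cert.get("custody_id") not in custody:
        findings.append("chain-of-custody identifier not retrievable")
    return findings


# Constructed records: one complete, one with four defects.
GOOD_CERT = {
    "technique": "GC-MS", "analyte_class": "opioids", "matrix": "urine",
    "reported_as": "accredited", "sop_version": "SOP-EXAMPLE v3",
    "crm": {"lot": "LOT-EXAMPLE", "certified_value": 100.0,
            "certificate_uncertainty": 4.0, "measured_value": 102.1},
    "mu": {"expanded_U": 5.0, "k": 2},
    "analyst": {"name": "A. Analyst", "designation": "Scientific Officer",
                "signature": "signed"},
    "sop_requires_countersign": True, "technical_manager_signature": "signed",
    "custody_id": "COC-EXAMPLE-0001",
}
BAD_CERT = {
    **GOOD_CERT,
    "technique": "LC-MS/MS",                               # not in the scope above
    "crm": {**GOOD_CERT["crm"], "measured_value": 106.5},  # 6.5 off, limit 4.0
    "mu": None,                                            # bare number, no U
    "custody_id": "COC-EXAMPLE-9999",                      # no custody record
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, review_certificate(cert) or "no findings")
```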

Frequently asked questions

Is ISO 17025 the same as the Indian standard IS/ISO/IEC 17025, and does a NABL accreditation cover both?
Yes. The Bureau of Indian Standards (BIS) adopts ISO/IEC 17025:2017 verbatim as IS/ISO/IEC 17025, with no national deviations. A NABL accreditation cites both designations on the certificate and covers the identical normative content. A lab accredited by NABL against IS/ISO/IEC 17025 is accredited against the international ISO/IEC 17025 and that accreditation is recognised internationally through the APAC and ILAC Mutual Recognition Arrangements.
How long does it take for a fresh Indian forensic lab to go from no quality system to a NABL accreditation?
Realistic timelines for a state SFSL starting without a documented quality system run 18 to 30 months: 6 to 9 months to draft the quality manual, SOPs and work instructions and train the staff; 3 to 6 months to run internal audits and a management review; 2 to 4 months from application to assessment scheduling; 1 to 3 months for the assessment and non-conformity closure. Labs already operating to good laboratory practice can compress this to 12 to 18 months.
What is the difference between a NIST certified reference material and an Indian Pharmacopoeia Reference Standard?
Both are certified reference materials with documented traceability and stated uncertainty. NIST CRMs (SRM 1577c bovine liver is the classic) are issued by the US National Institute of Standards and Technology and act as the primary materials against which most commercial secondary CRMs are calibrated. IPRS are issued by the Indian Pharmacopoeia Commission at Ghaziabad and are the official Indian reference standards for pharmacopoeial assays. Where both are available for the same analyte, NIST is treated as the more metrologically robust primary; IPRS is preferred where the regulator specifically names it for compliance work.
Does a NABL accreditation cover the analyst as an individual, or only the lab as an organisation?
The accreditation is issued to the lab, but the standard requires the lab to maintain a personnel-competence system that authorises specific individuals to perform specific tasks. The authorisation matrix names which analyst can sign which result, and the training records, competence-assessment evidence and continuing-education documentation must be on file for each authorised individual. If a key authorised analyst leaves and the lab does not have a documented replacement authorised in scope, the lab may have to suspend the affected work or have NABL note the gap at the next surveillance.
What is the z-score in a proficiency-testing report and how is it interpreted?
The z-score is the standardised deviation of the lab's reported result from the consensus or assigned value, in units of the inter-lab standard deviation. An absolute z-score below 2 is satisfactory, 2 to 3 is questionable and warrants investigation, above 3 is unsatisfactory and triggers mandatory CAPA. Indian forensic labs participate in the NABL national PT programme, the UNODC International Collaborative Exercise for drugs of abuse, GeT-RM for DNA, the College of American Pathologists (CAP) schemes and Collaborative Testing Services (CTS) for trace and chemistry. A consistent record of satisfactory z-scores is one of the strongest objective indicators of operational quality.
Are CFSL and state SFSLs in India dual-accredited by ASCLD/LAB or only by NABL?
The dominant accreditation in India is NABL, against ISO/IEC 17025:2017 with NABL 112 for forensic-specific criteria. A handful of Indian labs with international casework hold additional accreditations: NDTL Delhi is WADA-accredited under the WADA International Standard for Laboratories (itself built on ISO/IEC 17025), and CDFD Hyderabad is FBI CODIS-compatible for DNA. ASCLD/LAB (now ANAB) is the dominant US forensic accreditor and is encountered through US collaborations but is not commonly held as a primary accreditation in Indian government labs.
Where do method validation, measurement uncertainty and proficiency testing fit in this picture, and where is the deeper treatment of those topics?
Method validation, measurement uncertainty and proficiency testing are the technical heart of ISO 17025's process-requirements clause. Validation establishes that a method does what it claims (accuracy, precision, linearity, LOD, LOQ, robustness, ruggedness, recovery, specificity). Measurement uncertainty quantifies the dispersion of values reasonably attributable to a measurement result, by the GUM approach. Proficiency testing demonstrates ongoing competence by external comparison. These three together prove the technical competence the standard requires, and they are unpacked in detail with worked examples in the [Method Validation, Measurement Uncertainty and Proficiency Testing](/topics/instrumental-techniques/method-validation-uncertainty-and-proficiency-testing) topic.
