Tools, Technologies and Training for Healthcare Laboratories


ISO 9001:2015 Quality Management Systems Requirements

Contributing editor Dr. Pereira begins Part 1 of a series on the ISO standards applicable to medical laboratories. As this global standard spreads, labs need to take a closer look at what is required to implement them. ISO 9001 had a recent revision in 2015, and Dr. Pereira looks in detail at the new changes.

ISO series update

Part 1 - ISO 9001:2015 applied to medical laboratory scope

Paulo Pereira, PhD
January 2017


ISO standards are intended to standardize practices globally. Unfortunately ISO implementation is frequently accompanied by misunderstandings. This series discusses the pros and cons, and some myths regarding the ISO standards’ implementation in medical laboratories. It will be divided into five parts:

  • Part 1 - ISO 9001:2015 “Quality management systems - Requirements”
  • Part 2 - ISO 15189: 2012 “Medical laboratories - Requirements for quality and competence”
  • Part 3 - ISO 10012:2003 “Measurement management systems - Requirements for measurement processes and measuring equipment”
  • Part 4 - ISO 19011 “Guidelines for auditing management systems”
  • Part 5 - ISO 15190: 2003 “Medical laboratories - Requirements for safety”

Occasionally, the reader of an ISO standard may be challenged to identify what is mandatory and what is not required. ISO 9001 makes the reader’s life easier by noting in the introduction that “shall” specifies a requirement, “should” specifies a recommendation, “may” specifies a permission, and “can” specifies a possibility or a capability. Laboratories must to all “Shalls” but all the others are not mandatory.


While very well known in manufacturing, ISO standards are relatively new in service and healthcare organizations. This is one of the reasons why ISO guidelines have been labeled as “product manufacturing standards” for a long time. The ISO 9001:2015 is the fifth edition, and it unlike the significant changes that occurred in the switch from the third to the fourth edition, this new edition is more of an evolution. As the certification of different organizations has become more widespread, its applicability to services organizations such as medical laboratory has been better understood. It’s important to realize that while, ISO 9001 is a global standard, the practical approach to meet ISO 9001 requirements is designed at each individual medical laboratory; there is no one “single approach” that must be used.

ISO 9001 is intended for the certification of companies of all sizes and types, which explains why it is a generic approach. It has evolved from the requirements of the ISO 9000 series. Its goals are based on the Deming cycle, or the Plan-Do-Check-Act (PDCA) cycle: provide a logical and scientific management model for (continual) quality improvement focused on customer satisfaction [1,2].

On the standard introduction is denoted that “The adoption of a quality management system is a strategic decision for an organization that can help to improve its overall performance and provide a sound basis for sustainable development initiatives ” (Clause 0.1 of [2]). Accordingly, it could be interpreted that the management system is oriented to assure the quality of reported results in the medical laboratory satisfying the interested parties (stakeholders) relevant to the quality management system (QMS), i.e., to assure the results meet the specifications, e.g., the total error is allowable, and ISO 9001 certification is maintained. It can also be understood that it implies sustainable practices, but they are not required.

Major changes to the ISO 9001:2008

The medical laboratory with a valid ISO 9001:2008 certification is principally interested in the major changes from the fourth to the fifth edition. Table 1 summarizes these changes.

ISO 9001:2008 ISO 9001:2015
a. Quality management principles
8 Principles: Customer-focus, involvement of people, process approach, system approach to management, continual improvement, factual approach to decision making, and mutually beneficial supplier relationships (Subclause 0.2 of [3]) 7 Principles: Customer-focus, leadership, engagement of people, process approach, improvement, evidence-based decision-making, and relationship management (Subclause 2.3 of [1])
b. Applicability
Exclusions to requirements that “cannot be applied due to the nature of an organization and its product” (Clause 1.2 of [4]) No exclusions
c. Organizational knowledge
No referred, it was referred the “organization environment” and the “organizational structure” The organizational knowledge shall be determined and managed to guarantee the operation of the processes and to accomplish the conformity of products and services - fulfilling the   specifications (Subclause 7.1.6 of [2])
d. Documents
Quality manual and standard documents to the control of documents, records, internal audits, corrective and preventive action (Subclauses 4.2.2, 4.2.3, 4.2.4, 8.2.2, 8.5.2, and 8.5.3 of [4)] “Quality manual” such as previously mandatory document are no longer required, despite the information contained on these shall be documented (Subclause 7.5 of [2])
e. Interested parties
The system was oriented to satisfy the customer (Subclause 5.2 of [4]) The system is oriented to the needs and expectation of the interested parties, e.g., customer, regulatory agency, certification entity (Subclause 4.2 of [2])
f. Risk-based thinking
The risk was already associated with the planning, review, improvement including preventive actions (Subclauses 5.4, 5.6, and 8.5 of [4]) All the QMS must act as a preventive tool (Subclause 0.3.3 of [2])
g. Control of externally provided processes, products, and services
Focused on the purchasing (Subclause 7.4 of [4]) Focused on the external provision of processes, products, and services (Subclause 8.4 of [2])
h. Control of changes
It was indirectly referred in several subclauses mentioning changes (Subclauses 0.1, 4.2.3, 5.4.2, 5.6.1, 5.6.2, 7.2.2, and 7.3.7 of [4]) It is now directly referred in the (Subclause 8.5.6 of [2])
i. Terminology
“Products” “Products and services”

“Documentation,” “quality manual,” “documented procedures,” and “records”

“Documented information”
“Management representative” Unused - It is not required
“Work environment” “Environment for the operation of processes”
“Monitoring and measuring equipment” “Monitoring and measuring resources”
“Purchased product” “Externally provided products and services”
“Supplier” “External provider”
“Preventive action” Unused - It was “replaced” by the “risk-based thinking”
“Continual improvement” “Improvement”

The approach

The Deming cycle is implicit to enable an organization to improve its production quality, e.g., the analytical test result - to guarantee the continuous satisfaction of the stakeholder which may be for instance patients, athletes, blood donors, and receptors of cells and tissues, but also State and certification agencies. ISO 9001 certification is not a product or service-oriented standard, which means it is not focused on specific/technical requirements. It is assumed that different laboratories certified by ISO 9001 might not share the same technical requirements and may deliver varying levels of quality, even if the same tests are offered. The intent is to provide general guidance for quality management, enabling any organization to fulfill interested parties’ requirements. The stakeholders are expected to be the final auditor, but this is not practicable in a medical laboratory where patients usually evaluated the clinical decision outcome.

The new version requires “risk-based thinking” in decisions in all four stages of PDCA cycle. “Risk” is in defined as “the effect of uncertainty” (entry 3.7.9 of [1]), i.e., the risk is equivalent to a deviation from the expected result.

Figure 1 shows a PDCA cycle focused on ISO 9001 approach in the medical laboratory context [1] [2]. The cycle is focused on the organizational context and the stakeholders’ requirements. All the phases are leadership-dependent and they consider the “risk-based thinking” in all decisions. Risk assessment and analysis is a complementary methodology, not mandatory - e.g., using ISO 31000:2009. The cycle starts with the responsibility of top management to deliver proof of its commitment to the development and application of the QMS and to improve its effectiveness. Top management defines which plans/projects are needed to achieve specified targets, which should be based on intended use, i.e., to obtain interested parties satisfaction. The need of human resources, infrastructure, and work environment – to support to the process activities - is identified and should be guaranteed by top management. The realization output is essentially the laboratory’s reported results, which should meet stakeholders’ satisfaction. Production processes are controlled and periodically monitored by appropriate key process indicators (KPI), as well as periodic internal audits, control of nonconforming results, implementation of corrective and preventive actions, and verification of the achievement of the intended quality of results and services. Laboratories must define their methodology to measure, analyze and evaluate customer satisfaction. The evaluation of customer satisfaction is part of management review, as well as other KPI that are specified in the Subclause 9.3.2. After review, top management identifies actions for improvement. In health care, patients have limited ability to evaluate their satisfaction (be the final auditor), but a “perfect” reported result is the one that does not negatively impact the clinical decision due to any laboratory process nonconformity.

 ISO 9001 2015 figure1

Figure 1 PDCA cycle for improvement of the quality management system in medical laboratory according to the ISO 9001:2015 standards

I had started my role as quality manager during 2002 when the Regional Blood Center of Lisbon began its ISO 9001 certification. During the implementation process, as well as during its maintenance, there were many questions asked by the medical laboratory staff. Most of these issues arise in any ISO 9001 implementation in a medical laboratories. The most frequently-asked-questions (FAQs) are discussed later, and the answers provide a useful set of recommendations.

For ISO 9001 to be successfully applied, there must be a dynamic quality improvement cycle that guarantees the continuous improvement and customer satisfaction. This means to produce a product or service, such as a medical laboratory reported result, is must satisfy customer requirements. The ISO 9001 dynamic success depends on the efficiency in implementing the “Seven Quality Principles” described in ISO 9000:2015 (Subclause 2.3 of [1]):

Customer-focus: Medical laboratories should know the current as well as anticipate the future medical laboratory customer requirements; State laws may define them, but they are not synonymous with technical requirements; medical laboratories and their clients can set non-regulatory requirements by contract or agreement.

Leadership: Medical laboratories should establish a unity of purpose and direction creating an internal environment where all the staff - directors, researchers, medical technicians, others - can contribute to the achievement of the laboratory’s expected management results.

Engagement of people: All the staff should be fully involved to engage their abilities for the benefit of medical laboratories – and enhance the efficacy of management targets.

Process approach: Medical laboratories must identify and manage their different processes - which include the three testing phases and others - defining the interactions among their processes - which are the inputs and outputs of each process, and which are the process supplier and customer - in order to design an efficient flow and produce acceptable results (e.g., turnaround time).

Improvement: Medical laboratories should have a permanent objective of continuous improvement for both technical, analytical performance, as well as other critical specifications such as turnaround time.

Evidence-based decision making: Medical laboratories must make decisions based on logical analysis and reliable data, which may or may not include data related to technical requirements.

Relationship management: Medical laboratories must establish relationships with interested stakeholders to enhance the ability to create value; the laboratory must define and inform suppliers about their purchase requirements for products or services, such as blood collection tubes or analytical reagents, and the providers should understand the laboratory requirements.


What medical laboratory technical requirements are required by ISO 9001?
None, but... The guideline does not feature directly any technical requirements, i.e., requirements for a specific field, such as method validation specification. The auditor cannot register directly any technical nonconformity based on ISO 9001, but he could indirectly register based mainly on Clause 8 “Operation.” It is suggested to internal auditors with advanced medical laboratory skills - consultants/experts - to place on the audit report a set of technical recommendations.

So, which ISO 9001 requirements can be cross-referenced with medical laboratory technical requirements?
The specifications are principally but not uniquely related to Clause 7 “Support” and Clause 8. Occasionally, medical laboratory operators confuse technical requirements with method verification and validation, internal and external quality control, and even measurement uncertainty - not all are specified in the ISO 9001. Meanwhile, there are many other technical requirements such as associated to human resources, equipment, and infrastructure. Also, the medical laboratories shall fulfill technical requirements not referred to this standard, such as required by the national law. Table 2 shows medical laboratory technical requirements crossed with ISO 9001 specifications.

Table 2 Cross table for ISO 9001 requirements versus technical demands in a medical laboratory.

ISO 9001 Major technical requirements
4 Context of the organization and 8.5 Products and services provision

- Pre-examination processes

- Examination processes

- Post-examination processes

- Reporting of results

7.1.2 People, 7.2 Competence, and 7.3 Awareness

- Personnel

- Training

- Competence assessment

- Review of staff performance

- Continuing education and professional development

7.1.3 Infrastructure

- Accommodation and environmental conditions

- General

- Laboratory and office facilities

- Storage facilities

- Staff facilities

- Patient sample collection facilities

7.1.5 Monitoring and measuring resources

- Equipment instructions for use

- Equipment calibration and metrological traceability

- Equipment maintenance and repair

- Equipment adverse incident reporting

- Reagents and consumables instructions for use

- Reagents and consumables adverse incident reporting

8.4 Control of externally provided processes, products, and services

- External services and supplies

- Examination by referral laboratories

- Selecting and evaluating referral laboratories and consultants

- Provision of examination results

- Laboratory equipment, reagents, and consumables

- Equipment

- Reagents and Consumables

- Reception and storage

- Equipment acceptance testing

- Reagents and consumable acceptance testing

8.5.1 Control of production and service provision

- Selection, verification, and validation of examination procedures

- Verification of examination procedures

- Validation of examination procedures

- Measurement uncertainty of measured quantity values

8.5.2 Identification and traceability - Sample reception
8.5.3 Property belonging to customers or external providers - Storage, retention and disposal of clinical samples
8.5.4 Preservation - Information systems


How do ISO 9001 add value to the medical laboratory?
The implementation and maintenance of a management system approach is a critical choice for the constant improvement in the medical laboratory services. Despite the fact that ISO 9001 does not feature direct technical requirements, the activities such as management view, audits, control of nonconforming product, and improvement are dependent on technical specifications. Let consider a possible goal of a management review: decreasing the number of rejected runs by internal quality control. This target is directly related to technical requirements, and it is essential to the sustainability of the laboratory.

Is there some other management system guideline intended uniquely to the medical laboratory?
Yes, ISO 15189 [5] - well, that is the expected answer! This standard fulfills the ISO 9001 approach, but it is specifically oriented to the medical laboratory. It could be the first choice for a medical laboratory or a second option, for example after ISO 9001 certification. The higher cost of consultant service, such as the increased cost of maintenance when compared to ISO 9001 approach, are part of causes that the majority of worldwide laboratories choose a preference for other approaches, such as ISO 9001. Nevertheless, there are some exceptions: Australia, Latvia, and France, where the State requires laboratories to achieve ISO 15189. By 2013, all French medical laboratories, public or private, were required to demonstrate that they had at least initiated a process of accreditation and after January 1st 2016 at least 50% of the tests were required to be accredited to this ISO standard - 70 % by 2018, and 100% by 2020 [6]. In the Netherlands, the majority of medical laboratory tests are already accredited according to the CCKL approach. However, the current accreditation method is being replaced mandatorily by ISO 15189 and implementation of this switch must be complete by January 1st 2018 [7]. For a deeper discussion on ISO 15189 see the next Part 2 of the ISO series update.

Are there guidelines that support the metrology specifications (Subclause 7.1.5)?
Yes, ISO 10012:2003 [8] is the guideline for the control of monitoring and measuring equipment. There are several other complementary ISO guidelines for verification and validation of different types of equipment, such as the ISO 8655 series for piston-operated volumetric devices, including dilutors, dispensers, burettes, and pipettes [9-15]. Most of metrology agencies, such as the International Bureau of Weights and Measures (BIPM), the European Association of National Metrology Institutes (EURAMET), the European Federation of National Associations of Measurement, Testing and Analytical Laboratories (EUROLAB), EURACHEM, the Cooperation on International Traceability in Analytical Chemistry (CITAC), the National Institute of Standards and Technology (NIST), and the Instituto Portugues de Acreditacao (IPAC) publishes an extensive set of free guidelines.

The interpretation of metrology requirements in ISO will dispel some common myths, such as that no pipette calibration is required - this is simply untrue, and its value to the accuracy of the results could be impacted if this myth is believed. See Part 3 of these series to a deeper discussion on metrology specifications.

Are there guidelines to support the infrastructure specifications required to safety (Subclause 7.1.3)?
Yes, ISO 15190 [16] should be the first choice. Even if this standard is not entirely applicable, it answers to most of safety needs in a medical laboratory. Part 5 of these series discusses the safety specification in med lab.

Are there guidelines to support on internal audit requirements (9.2)?
Yes, ISO 19011 [17]. This standard is intended for auditing management systems. Even though this standard is intended principally to apply to external audits, it will be useful to help develop the internal audit methodology. Part 5 of these series debates audit requirements.

Are there guidelines to a review the maturity level of the implementation of the ISO 9001 approach?
Yes, ISO 9004:2009 [18]. This guide provides direction to organizations to support the accomplishment of continuous improvement in the quality management approach. Many of the new specifications of the current ISO 9001 edition arose from this document.

Are there other guidelines to support additional ISO 9001 specifications?
Yes, there is a set of guidelines in the ISO 10000 series that are recommended for most of the ISO 9001 requirements. Usually, they are not used - probably because they are not freely available. However, these guidelines to provide valuable assistance in assuring the accuracy of the procedures. Table 3 shows a cross-walk of these standards with ISO 9001 Clauses. Please, see also references.

Table 3 Cross table for ISO 9001 versus ISO 10000 series

ISO 9001:2015 Clause
Standards 4 5 6 7 8 9 10
ISO 10001 [19] 8.2.2, 8.5.1 9.1.2
ISO 10002 [20] 8.2.1 9.1.2 10.2.1
ISO 10003 [21] 9.1.2
ISO 10004 [22] 9.1.2, 9.1.3
ISO 10005 [23] 5.3 6.1, 6.2 X X 9.1 10.2
ISO 10006 [24] X X X X X X X
ISO 10007 [25] 8.5.2
ISO 10008 [26] X X X X X X X
ISO/TR 100013 [27] 7.5
ISO 100014 [28] X X X X X X X
ISO 100015 [29] 7.2
ISO/TR 100017 [30] 6.1 7.1.5 9.1
ISO 100018 [31] X X X X X X X
ISO 100019 [32] 8.4


The implementation of a QMS according to the ISO 9001 standard has several advantages to the medical laboratory.

The pros could be summed up as:
- Focus on the satisfaction of customers and other relevant interested parties;
- Risk-based thinking applied to all relevant decisions, including (indirectly) technical decisions;
- Process approach matching the pre-analytical, analytical, and post-analytical phases;
- Context of the organization, that includes the needs related to the pre-pre-analytical and post-post-analytical phases, both related to the clinical decision accuracy [33];
- Indirectly, the trueness, measurement uncertainty and total error are utilized during method validation and internal QC/EQA/PT to determine if the test results are acceptable;
- Identification and traceability information of the different phases of the medical laboratory process;
- Monitoring and measuring of devices that significantly contribute to the trueness and uncertainty of the reported results;
- Training and competence assessment of the staff which is critical to good management and good laboratory practices, and;
- Infrastructure to correctly support the operation practices.

Nevertheless, there are a few cons to the ISO 9001 in medical laboratory:
- It is not oriented uniquely to the medical laboratory;
- The QMS assumed is only the basic cycle compared, for instance, to advanced models such as the total quality management cycle;
- It does not require sustainability;
- The operation specifications are generic;
- Procedures and allowable errors are not standardized, and;
- The safety specifications are basic.


  1. International Organization for Standardization (2015). ISO 9000 Quality management systems - Fundamentals and vocabulary. 3rd ed. Geneva: ISO.
  2. International Organization for Standardization (2015). ISO 9001 Quality management systems - Requirements. 5th ed. Geneva: ISO.
  3. International Organization for Standardization (2005). ISO 9000 Quality management systems - Fundamentals and vocabulary. 2nd ed. Geneva: ISO.
  4. International Organization for Standardization (2008). ISO 9001 Quality management systems - Requirements. 4th ed. Geneva: ISO.
  5. International Organization for Standardization (2012). ISO 15189 Medical laboratories - Requirements for quality and competence. 3rd ed. Geneva: ISO.
  6. Journal Officiel de la République Française (2003). LOI no 2013-442 du 30 mai 2013 portant réforme de la biologie médicale.
  7. Raad voor Accreditatie (2016). Accessed October 14, 2016
  8. International Organization for Standardization (2003). ISO 1012 Measurement management systems - Requirements for measurement processes and measuring equipment. Geneva: ISO.
  9. International Organization for Standardization (2002). ISO 8655-1 Piston-operated volumetric apparatus - Part 1: Terminology, general requirements and user recommendations. Geneva: ISO.
  10. International Organization for Standardization (2002). ISO 8655-2 Piston-operated volumetric apparatus - Part 2: Piston pipettes. Geneva: ISO.
  11. International Organization for Standardization (2002). ISO 8655-3 Piston-operated volumetric apparatus - Part 3: Piston burettes. Geneva: ISO.
  12. International Organization for Standardization (2002). ISO 8655-4 Piston-operated volumetric apparatus - Part 4: Dilutors. Geneva: ISO.
  13. International Organization for Standardization (2002). ISO 8655-5 Piston-operated volumetric apparatus - Part 5: Dispensers. Geneva: ISO.
  14. International Organization for Standardization (2002). ISO 8655-6 Piston-operated volumetric apparatus - Part 6: Gravimetric methods for the determination of measurement error. Geneva: ISO.
  15. International Organization for Standardization (2005). ISO 8655-7 Piston-operated volumetric apparatus - Part 7: Non-gravimetric methods for the assessment of equipment performance. Geneva: ISO.
  16. International Organization for Standardization (2003). ISO 15190 Medical laboratories - Requirements for safety. Geneva: The Organization.
  17. International Organization for Standardization (2011). ISO 19011 Guidelines for auditing management systems. 2nd ed. Geneva: ISO.
  18. International Organization for Standardization (2009). ISO 9004 Managing for the sustained success of an organization - A quality management approach. 3rd ed. Geneva: ISO.
  19. International Organization for Standardization (2007). ISO 10001 Quality management - Customer satisfaction - Guidelines for codes of conduct for organizations. Geneva: ISO.
  20. International Organization for Standardization (2014). ISO 10002 Quality management - Customer satisfaction - Guidelines for complaints handling in organizations. 2nd ed. Geneva: ISO.
  21. International Organization for Standardization (2007). ISO 10003 Quality management - Customer satisfaction - Guidelines for dispute resolution external to organizations. Geneva: ISO.
  22. International Organization for Standardization (2012). ISO 10004 Quality management - Customer satisfaction - Guidelines for monitoring and measuring. Geneva: ISO.
  23. International Organization for Standardization (2005). ISO 10005 Quality management systems - Guidelines for quality plans. 2nd ed. Geneva: ISO.
  24. International Organization for Standardization (2003). ISO 10006 Quality management systems - Guidelines for quality management in projects. 2nd ed. Geneva: ISO.
  25. International Organization for Standardization (2003). ISO 10007 Quality management systems - Guidelines for configuration management. 2nd ed. Geneva: ISO.
  26. International Organization for Standardization (2013). ISO 10008 Quality management - Customer satisfaction - Guidelines for business-to-consumer electronic commerce transactions. Geneva: ISO.
  27. International Organization for Standardization (2001). ISO/TR 10013 Guidelines for quality management system documentation. Geneva: ISO.
  28. International Organization for Standardization (2006). ISO 10014 Quality management - Guidelines for realizing financial and economic benefits. Geneva: ISO.
  29. International Organization for Standardization (1999). ISO 10015 Quality management - Guidelines for training. Geneva: ISO.
  30. International Organization for Standardization (2003). ISO/TR 10017 Guidance on statistical techniques for ISO 9001:2000. 2nd ed. Geneva: ISO.
  31. International Organization for Standardization (2012). ISO 10018 Quality management - Guidelines on people involvement and competence. Geneva: ISO.
  32. International Organization for Standardization (2005). ISO 10019 Guidelines for the selection of quality management system consultants and use of their services. Geneva: ISO.
  33. Goldschmidt, HMJ (2004). The NEXUS vision: an alternative to the reference value concept. Clin Chem Lab Med, 42(7):868-873.
Joomla SEF URLs by Artio