Medical laboratories - Application of risk management to medical laboratories

This document specifies a process for a medical laboratory to identify and manage the risks to patients, laboratory workers and service providers that are associated with medical laboratory examinations. The process includes identifying, estimating, evaluating, controlling and monitoring the risks. The requirements of this document are applicable to all aspects of the examinations and services of a medical laboratory, including the pre-examination and post-examination aspects, examinations, accurate transmission of test results into the electronic medical record and other technical and management processes described in ISO 15189. This document does not specify acceptable levels of risk. This document does not apply to risks from post-examination clinical decisions made by healthcare providers. This document does not apply to the management of risks affecting medical laboratory enterprises that are addressed by ISO 31000, such as business, economic, legal, and regulatory risks.

Laboratoires de biologie médicale — Application de la gestion des risques aux laboratoires de biologie médicale

This document specifies a process enabling a medical laboratory to identify and manage the risks to patients, laboratory personnel and service providers that are associated with medical laboratory examinations. The process includes the identification, estimation, evaluation, control and management of risks. The requirements of this document are applicable to all aspects relating to the examinations and services of a medical laboratory, including the pre-examination and post-examination aspects, the examinations, the accurate transmission of examination results into an electronic medical record and the other technical and management processes described in ISO 15189. This document does not specify acceptable levels of risk. This document does not apply to risks related to post-examination clinical decisions made by healthcare providers. This document does not apply to the management of risks relating to medical laboratory enterprises that are covered by ISO 31000, such as commercial, economic, legal and regulatory risks.

General Information

Status: Not Published
Current Stage: 5000 - FDIS registered for formal approval
Start Date: 25-Nov-2025
Completion Date: 15-Oct-2025

Relations

Effective Date: 16-Sep-2023

Overview - ISO/FDIS 22367 (Medical laboratories, Risk Management)

ISO/FDIS 22367 specifies a structured process for applying risk management in medical laboratories. It guides laboratories to identify, estimate, evaluate, control and monitor risks to patients, laboratory personnel and service providers that arise from laboratory examinations and associated processes. The standard covers all phases of testing - pre‑examination, examination, and post‑examination (including accurate transmission of results into the electronic medical record). It does not set acceptable risk levels, nor does it cover clinical decisions made after results are reported or enterprise business risks managed under ISO 31000.

Key topics and technical requirements

The standard emphasizes practical, process‑oriented risk management with topics that include:

  • Risk management process: structured steps to identify, estimate, evaluate, control and monitor risk.
  • Proactive and reactive risk management: planning and analysis before implementation, and handling risks arising from incidents or nonconformities.
  • Benefit‑risk analysis: assessing whether benefits justify residual risks where appropriate.
  • Risk control and verification: selection of control options, evaluation of residual risk, and verification of control effectiveness.
  • Risk monitoring and review: ongoing data sources, internal/external inputs and periodic management review.
  • Qualification and responsibilities: management commitment and personnel competencies for risk activities.
  • Scope of application: includes transmission of test results into electronic medical records and interfaces with ISO 15189 technical/management processes.
  • Informative annexes with guidance on acceptability criteria, risk analysis tools, foreseeable hazards, nonconformities, and benefit‑risk methods.

Practical applications and benefits

ISO/FDIS 22367 helps medical laboratories to:

  • Systematically reduce patient and staff harm from laboratory activities.
  • Integrate risk management into quality systems and workflows required by ISO 15189.
  • Improve incident investigation, corrective actions and continual improvement.
  • Manage risks related to laboratory‑developed tests (LDTs) and interactions with IVD device manufacturers (concepts aligned with ISO 14971).
  • Support safer result reporting and electronic health record integration.

Practical outcomes include clearer risk registers, prioritized mitigation actions, documented benefit‑risk decisions, and better alignment between technical processes and management oversight.

Who should use this standard

  • Medical laboratory directors and quality managers
  • Clinical laboratory scientists and safety officers
  • Accreditation bodies and auditors
  • Laboratories developing LDTs or integrating IVD devices
  • Healthcare organizations coordinating laboratory services

Related standards

  • ISO 15189 (Medical laboratories - Quality and competence)
  • ISO 14971 (Medical device risk management concepts referenced for IVDs)
  • ISO 31000 (Enterprise risk management - business/economic/legal risk guidance)
Draft

ISO/FDIS 22367 - Medical laboratories — Application of risk management to medical laboratories Released:23. 12. 2025

English language
83 pages
Draft

REDLINE ISO/FDIS 22367 - Medical laboratories — Application of risk management to medical laboratories Released:23. 12. 2025

English language
83 pages

Frequently Asked Questions

ISO/FDIS 22367 is a draft published by the International Organization for Standardization (ISO). Its full title is "Medical laboratories - Application of risk management to medical laboratories". This standard covers: This document specifies a process for a medical laboratory to identify and manage the risks to patients, laboratory workers and service providers that are associated with medical laboratory examinations. The process includes identifying, estimating, evaluating, controlling and monitoring the risks. The requirements of this document are applicable to all aspects of the examinations and services of a medical laboratory, including the pre-examination and post-examination aspects, examinations, accurate transmission of test results into the electronic medical record and other technical and management processes described in ISO 15189. This document does not specify acceptable levels of risk. This document does not apply to risks from post-examination clinical decisions made by healthcare providers. This document does not apply to the management of risks affecting medical laboratory enterprises that are addressed by ISO 31000, such as business, economic, legal, and regulatory risks.

ISO/FDIS 22367 is classified under the following ICS (International Classification for Standards) categories: 11.100.01 - Laboratory medicine in general. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO/FDIS 22367 has the following relationships with other standards: it has an inter-standard link to ISO 22367:2020. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


FINAL DRAFT
International Standard
ISO/TC 212
Secretariat: ANSI
Voting begins on: 2026-01-06
Voting terminates on: 2026-03-03
Medical laboratories — Application of risk management to medical laboratories
Laboratoires de biologie médicale — Application de la gestion des risques aux laboratoires de biologie médicale
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
ISO/CEN PARALLEL PROCESSING
Reference number
FINAL DRAFT
International Standard
ISO/TC 212
Secretariat: ANSI
Voting begins on: 2026-01-02
Voting terminates on:
Medical laboratories — Application of risk management to medical laboratories
Laboratoires de biologie médicale — Application de la gestion des risques aux laboratoires de biologie médicale
© ISO 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Risk management
4.1 Risk management process
4.2 Management responsibilities
4.3 Qualification of personnel
4.4 Risk management activities
4.4.1 General
4.4.2 Foreseeable risk
4.4.3 Opportunity
4.4.4 Information provided to users
5 Proactive risk management
5.1 Proactive risk management plan
5.2 Scope of the plan
5.3 Contents of the plan
5.4 Revisions to the plan
5.5 Documentation of the risk management plan
6 Proactive risk analysis
6.1 General
6.2 Risk analysis process
6.3 Documentation of the risk analysis process
6.3.1 General
6.3.2 Intended medical laboratory use and reasonably foreseeable misuses
6.3.3 Identification of characteristics related to safety
6.3.4 Identification of hazards
7 Risk evaluation
7.1 Overview
7.1.1 General
7.1.2 Reactive evaluation of risks
7.1.3 Proactive evaluation of risks
7.2 Benefit-risk analysis
7.3 Proactive risk evaluation
7.3.1 Risk acceptability criteria
7.3.2 Risk reduction
8 Risk control
8.1 General
8.2 Risk control options
8.2.1 General
8.2.2 Role of standards in risk control
8.2.3 Role of IVD medical devices in risk control
8.3 Risks external to the laboratory
8.4 Risks arising from risk control measures
8.5 Residual risk evaluation
8.6 Risk control verification
9 Risk management review
9.1 General
9.2 Completeness of risk control
9.3 Evaluation of overall residual risk
9.4 Risk management report
10 Risk monitoring, analysis and control activities
10.1 Risk monitoring procedure
10.2 Internal sources of risk information
10.3 External sources of risk information
11 Immediate actions to reduce risk
Annex A (informative) Implementation of risk management within the management system
Annex B (informative) Guidance on establishing risk acceptability criteria
Annex C (informative) Guidance on risk acceptability considerations
Annex D (informative) Identification of characteristics related to safety
Annex E (informative) Examples of foreseeable risks, hazards, foreseeable sequences of events and hazardous situations
Annex F (informative) Nonconformities potentially leading to significant risks
Annex G (informative) Risk analysis tools and techniques
Annex H (informative) Risk analysis of foreseeable user actions
Annex I (informative) Methods of risk assessment, including estimation of probability and severity of harm
Annex J (informative) Overall residual risk evaluation and risk management review
Annex K (informative) Conducting a benefit-risk analysis
Annex L (informative) Residual risks
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 212, Medical laboratories and in vitro diagnostic
systems, in collaboration with the European Committee for Standardization (CEN) Technical Committee
CEN/TC 140, in vitro diagnostic medical devices, in accordance with the Agreement on technical cooperation
between ISO and CEN (Vienna Agreement).
This second edition cancels and replaces the first edition (ISO 22367:2020), which has been technically
revised.
The main changes are as follows:
— the application of risk management to processes has been emphasized;
— reactive and proactive risk management has been discussed, differentiated, and illustrated;
— the content is as far as possible in agreement with the requirements for risk management in ISO 15189:2022;
— the relation with ISO 15189:2022 is indicated in Annex A in which Figure A.1 provides a flow chart for
the underlying management system to underpin this document;
— Clause I.5 has been slightly modified to emphasize that risks most often require benefit-risk assessment
to determine risk acceptability.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Medical laboratories deal with risks as part of their usual activities; these risks affect patients, personnel,
caregivers, and the organization as a whole. Risks span the range of services: pre-examination, examination
and post-examination processes, including the design and development of laboratory examinations. The
intent of this document is not to introduce risk as a concern for the laboratory but to provide a structure
for addressing, managing, and documenting risks that are part of the day-to-day and long-term (strategic)
activities of the laboratory.
ISO 15189 requires that medical laboratories review all work processes to identify potential failures for
risk of harm to patients and opportunities for improvement, modify the processes to reduce or eliminate
the identified risks, and document the decisions and actions taken. This document describes a process
for managing these risks to the patient, the operator, other persons, equipment and other property, the
healthcare enterprise as a whole, and the environment. It does not address business enterprise risks, which
are the subject of ISO 31000; however, ISO 31000 is consistent with and can provide further understanding
for the concepts in this document.
Medical laboratories span a broad range of activities, some of which rely on the use of in vitro medical
devices to achieve their quality objectives. When such devices are involved, risk management is a shared
responsibility between the in vitro diagnostic (IVD) manufacturer and the medical laboratory. Since most
IVD manufacturers have already implemented ISO 14971, this document has adopted similar concepts,
principles and framework to manage the risks associated with the medical laboratory when appropriate.
This is especially meaningful for laboratories that implement their own examinations on devices (laboratory
developed tests or LDTs); concepts integral to ISO 14971 can be directly applicable. ISO 5649 is a useful
reference for identifying and addressing risks in the development, implementation and retirement phases of
LDTs.
Activities in a medical laboratory can expose patients, workers or other stakeholders to a variety of hazards,
which can lead directly or indirectly to varying degrees of harm. The concept of risk has two components:
a) the probability of occurrence of harm;
b) the consequence of that harm, that is, how severe the harm might be.
Risk management is complex because each stakeholder can place a different value on the risk of harm.
Risk management interfaces with quality management at many points in the medical laboratory. In
ISO 15189, as an example, risk management is a component of complaint management, internal audit,
corrective action, quality control, management review and external assessment (for both accreditation
and proficiency testing). Management of risk also coincides with the management of safety in the medical
laboratories, as exemplified by the safety audit checklists in ISO 15190. This document is intended to assist
medical laboratories with the integration of risk management into their routine organization, operation and
management.
While this document is intended for use throughout the currently recognized medical laboratory disciplines,
it can effectively be applied to other healthcare services, such as diagnostic imaging, respiratory therapy,
physiological sciences, blood banks and transfusion services.
The use of this document facilitates cooperation between medical laboratories and other healthcare services,
assists in the exchange of information, and in the harmonization of methods and procedures.

FINAL DRAFT International Standard ISO/FDIS 22367:2026(en)
Medical laboratories — Application of risk management to
medical laboratories
1 Scope
This document specifies a process for a medical laboratory to identify and manage the risks to patients,
laboratory workers and service providers that are associated with medical laboratory examinations. The
process includes identifying, estimating, evaluating, controlling and monitoring the risks.
The requirements of this document are applicable to all aspects of the examinations and services of a
medical laboratory, including the pre-examination, examination, and post-examination aspects including
accurate transmission of examination results into the electronic medical record, as well as other technical
and management processes described in ISO 15189.
This document does not specify acceptable levels of risk.
This document does not apply to risks from post-examination clinical decisions made by healthcare
providers.
This document complements the management of risks affecting medical laboratory enterprises that are
addressed by ISO 31000, such as business, economic, legal, and regulatory risks.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
benefit
impact or desirable outcome of a process (3.21), procedure (3.19) or the use of a medical device on the health
of an individual or a positive impact on patient management or public health
Note 1 to entry: Benefits include prolongation of life, reduction of pain, relief of symptoms, improvement in function,
or an increased sense of well-being.
3.2
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

Note 4 to entry: An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close
call”.
[SOURCE: ISO 31073:2022, 3.3.11, modified — Note to entry 2 was changed; the original Note 3 to entry was
removed, and a new Note 3 to entry and a Note 4 were added.]
3.3
examination
set of operations having the objective of determining the numerical value, text value or characteristics of a
property
Note 1 to entry: An examination may be the total of a number of activities, observations or measurements required to
determine a value or characteristics.
Note 2 to entry: Laboratory examinations that determine a numerical value of a property are called “quantitative
examinations”; those that determine the characteristics of a property are called “qualitative examinations”.
Note 3 to entry: Laboratory examinations are also called “assays” or “tests”.
[SOURCE: ISO 15189:2022, 3.8]
3.4
foreseeable risk
risk (3.25) that is predictable prior to its occurrence
Note 1 to entry: Risk can be known from prior experience, assessment of current circumstances, prior occurrence of
an event (3.2), or other sources.
Note 2 to entry: Addressing foreseeable risk results in preventive action.
Note 3 to entry: A risk that is foreseeable does not imply that it has been anticipated or addressed.
3.5
frequency
number of events (3.2) or outcomes per defined unit of time
Note 1 to entry: Frequency can be applied to past events or to potential future events, where it can be used as a
measure of likelihood or probability (3.20)
[SOURCE: ISO 31073:2022, 3.3.20]
3.6
harm
injury or damage to the health of people, or damage to property or the environment
[SOURCE: ISO/IEC Guide 51:2014, 3.1]
3.7
hazard
source of potential harm (3.6)
[SOURCE: ISO 31073:2022, 3.3.12, modified — Note 1 to entry has been deleted.]
3.8
hazardous situation
circumstance in which people, property, or the environment are exposed to one or more hazard(s) (3.7)
[SOURCE: ISO/IEC Guide 51:2014, 3.4]

3.9
healthcare provider
individual authorized to deliver health services to a patient
EXAMPLE Physician, nurse, ambulance attendant, dentist, diabetes educator, laboratory technician, laboratory
technologist, biomedical laboratory scientist, medical assistant, medical specialist, respiratory care practitioner.
[SOURCE: ISO 18113-1:2022, 3.1.28, modified — “laboratory technologist” and “biomedical laboratory
scientist” were added to the example.]
3.10
in vitro diagnostic manufacturer
IVD manufacturer
natural or legal person with responsibility for the design and/or manufacture of an IVD medical device (3.11)
with the intention of making the IVD medical device available for use, under his name, whether or not such
an IVD medical device is designed and/or manufactured by that person himself or on that person’s behalf by
another person(s)
[SOURCE: ISO 14971:2019, 3.9, modified — The term “manufacturer” was changed to “in vitro diagnostic
manufacturer”; in the definition, “medical device” was changed to “IVD medical device”; Notes to entry were
removed.]
3.11
in vitro diagnostic medical device
IVD medical device
medical device, whether used alone or in combination, intended by the manufacturer for the in vitro
examination (3.3) of specimens derived from the human body solely or principally to provide information for
diagnostic, monitoring or compatibility purposes
Note 1 to entry: The device includes reagents, calibrators, control materials, specimen receptacles, software, and
related instruments or apparatus or other articles.
Note 2 to entry: Adapted from ISO 18113-1:2022, 3.1.53.
3.12
in vitro diagnostic instrument
IVD instrument
equipment or apparatus intended by a manufacturer to be used as an IVD medical device (3.11)
[SOURCE: ISO 18113-1:2022, 3.1.32]
3.13
information supplied by the manufacturer
information that is related to identification, technical description, intended use (3.15) and proper use of the
IVD medical device (3.11), but excluding shipping documents
EXAMPLE Labels, instructions for use, manual, written, printed, electronic, or graphic matter.
Note 1 to entry: In IEC standards, documents provided with a medical device and containing important information
for the responsible organization or operator, particularly regarding safety, are called “accompanying documents”.
Note 2 to entry: Catalogues and material safety data sheets are not considered information supplied by the
manufacturer of IVD medical devices.
Note 3 to entry: Adapted from ISO 18113-1:2022, 3.1.35.
3.14
instructions for use
information supplied by the manufacturer (3.13) to enable the safe and proper use of an IVD medical device
(3.11)
Note 1 to entry: It includes the directions supplied by the manufacturer for the use, maintenance, troubleshooting and
disposal of an IVD medical device, as well as warnings and precautions.

Note 2 to entry: Instructions for use can also be referred to as “package insert” or manual for instruments.
Note 3 to entry: Adapted from ISO 18113-1:2022, 3.1.36.
3.15
intended use
intended purpose
objective intent of an IVD manufacturer (3.10) regarding the use of a product, process (3.21) or service (3.38)
as reflected in the specifications, instructions and information supplied by the IVD manufacturer
Note 1 to entry: Intended use statements for IVD information supplied by the manufacturer (3.13) can include two
components: a description of the functionality of the IVD medical device (3.11) (e.g. an immunochemical measurement
procedure (3.19) for the detection of analyte “x” in serum or plasma), and a statement of the intended medical use of
the examination (3.3) results.
[SOURCE: ISO 18113-1:2022, 3.1.37, modified — In Note 1 to entry, “labelling” was changed to “information
supplied by the manufacturer”; Note 2 was removed.]
3.16
laboratory management
person(s) with responsibility for, and authority over, a laboratory
Note 1 to entry: Laboratory management has the power to delegate authority and provide resources within the
laboratory.
Note 2 to entry: The laboratory management includes the laboratory director(s) and delegates together with
individuals specifically assigned to ensure the quality of the activities of the laboratory.
[SOURCE: ISO 15189:2022, 3.15]
3.17
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and
described using general terms or mathematically (such as a probability (3.20) or a frequency (3.5) over a given time
period).
Note 2 to entry: The English language term “likelihood” does not have a direct equivalent in some languages; instead,
the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted
as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should
have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31073:2022, 3.3.16]
3.18
medical laboratory
laboratory
entity for the examination (3.8) of materials derived from the human body for the purpose of providing
information for the diagnosis, monitoring, management, prevention and treatment of disease, or assessment
of health
Note 1 to entry: The laboratory can also provide advice covering all aspects of examinations including appropriate
selection, the interpretation of results and advice on further examinations.
Note 2 to entry: Laboratory activities include pre-examination, examination and post-examination processes (3.21).
Note 3 to entry: Materials for examination include but are not limited to, microbiological, immunological, biochemical,
immunohaematological, haematological, biophysical, cytological, tissue and cells, and genetic material.
[SOURCE: ISO 15189:2022, 3.20]

3.19
procedure
specified way to carry out an activity or a process (3.21)
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
3.20
probability
measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1
is absolute certainty
Note 1 to entry: See definition of likelihood (3.17), Note 2 to entry.
[SOURCE: ISO 31073:2022, 3.3.19]
3.21
process
set of interrelated or interacting activities that use inputs to deliver an intended result
Note 1 to entry: Whether the “intended result” of a process is called output, product or service (3.38) depends on the
context of the reference.
[SOURCE: ISO 9000:2015, 3.4.1, modified — Notes 2 to 6 have been removed.]
3.22
reasonably foreseeable misuse
use of a product, process (3.21) or service (3.38) in a way not intended by the supplier, but which can result
from readily predictable human behaviour
Note 1 to entry: Readily predictable human behaviour includes the behaviour of all types of intended users (3.43).
Note 2 to entry: In the context of consumer safety, the term “reasonably foreseeable use” is increasingly used as a
synonym for both “intended use” (3.15) and “reasonably foreseeable misuse”.
Note 3 to entry: Applies to use of examination (3.3) results by a healthcare provider (3.9) contrary to the intended use,
as well as use of IVD medical devices (3.11) by the laboratory contrary to the instructions for use (3.14).
Note 4 to entry: Misuse includes abnormal use, i.e. intentional use of the device in a way not intended by the
manufacturer.
Note 5 to entry: Misuse is intended to mean incorrect or improper performance of an examination procedure (3.19) or
any procedure critical for patient safety.
[SOURCE: ISO/IEC Guide 51:2014, 3.7 modified — In the definition, “system” was changed to “process or
service”; examples were removed from Note 1; Notes 3 to 5 were added.]
3.23
record
document stating results achieved or providing evidence of activities performed
Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of verification
(3.45), preventive action and corrective action.
Note 2 to entry: Generally, records need not be under revision control.
[SOURCE: ISO 9000:2015, 3.8.10]
3.24
residual risk
risk (3.25) remaining after risk control (3.28) measures have been taken
[SOURCE: ISO/IEC Guide 63:2019, 3.9]

3.25
risk
combination of the probability (3.19) of occurrence of harm (3.6) and the severity (3.39) of that harm
Note 1 to entry: This definition focuses on risks to the safety of patients and other persons. Other documents that
emphasize risk to a business enterprise will have alternative definitions.
[SOURCE: ISO/IEC Guide 51:2014, 3.9, modified — The original Note 1 to entry was removed and a new note
was added.]
3.26
risk analysis
systematic use of available information to identify hazards (3.7) and to estimate the risk (3.25)
Note 1 to entry: Risk analysis includes examination of different sequences of events (3.2) that can produce hazardous
situations (3.8) and harm (3.6).
[SOURCE: ISO/IEC Guide 51:2014, 3.10, modified — Note 1 to entry was added.]
3.27
risk assessment
overall process (3.21) comprising a risk analysis (3.26) and a risk evaluation (3.30)
[SOURCE: ISO/IEC Guide 51:2014, 3.11]
3.28
risk control
process (3.21) in which decisions are made and measures implemented by which risks (3.25) are reduced to,
or maintained within, specified levels
[SOURCE: ISO/IEC Guide 63:2019, 3.12]
3.29
risk estimation
process (3.21) used to assign values to the probability (3.19) of occurrence of harm (3.6) and the severity
(3.39) of that harm
[SOURCE: ISO/IEC Guide 63:2019, 3.13]
3.30
risk evaluation
process (3.21) of comparing the estimated risk (3.25) against given risk criteria to determine the acceptability
of the risk
[SOURCE: ISO/IEC Guide 63:2019, 3.14]
3.31
risk management
systematic application of management policies, procedures (3.19) and practices to the tasks of analysing,
evaluating, controlling and monitoring risk (3.25)
[SOURCE: ISO/IEC Guide 63:2019, 3.15]
3.32
risk management documentation
set of records (3.23) and other documents that are produced by risk management (3.31)
[SOURCE: ISO 14971:2019, 3.25, modified — The term “risk management file” was changed to “risk
management documentation”.]
3.33
risk management plan
scheme specifying the approach, the management components and resources to be applied to the
management of risk (3.25)
[SOURCE: ISO 31073:2022, 3.2.3, modified — “scheme within the risk management framework” was changed
to “scheme”; the Notes to entry were removed.]
3.34
risk management policy
statement of the overall intentions and direction of an organization related to risk management (3.31)
[SOURCE: ISO 31073:2022, 3.2.2]
3.35
risk monitoring
surveillance
continual checking, critically observing or determining the status in order to identify change from the risk
(3.25) level required or expected
[SOURCE: ISO 31073:2022, 3.3.40, modified — The term “monitoring” has been changed to “risk monitoring”,
and surveillance was added as a preferred term; in the definition, “supervising” was deleted, and
“performance level” was changed to “risk level”; Note 1 to entry was deleted.]
3.36
risk reduction
actions taken to lessen the probability (3.19) or negative consequences, or both, associated with a risk (3.25)
[SOURCE: ISO 22300:2025, 3.2.20]
3.37
safety
freedom from unacceptable risk (3.25)
[SOURCE: ISO/IEC Guide 63:2019, 3.16]
3.38
service
laboratory medicine activity performed by a medical laboratory for the benefit (3.1) of patients, the
healthcare providers (3.9) responsible for the care of those patients, or screened populations
Note 1 to entry: Medical laboratory services include arrangements for examination (3.3) requests, patient preparation,
patient identification, collection, transportation, storage, processing and examination of clinical samples, together
with subsequent interpretation, reporting and advice, in addition to the considerations of safety (3.36) and ethics in
medical laboratory work.
3.39
severity
measure of the possible consequences of a hazard (3.7)
[SOURCE: ISO/IEC Guide 63:2019, 3.17]
3.40
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
[SOURCE: ISO 31073:2022, 3.3.2, modified — The preferred term “interested party” was removed.]

3.41
state of the art
developed stage of technical capability at a given time as regards products, processes (3.21) and services
(3.38), based on the relevant consolidated findings of science, technology and experience
Note 1 to entry: The state of the art embodies what is currently and generally accepted as good practice. The state of
the art does not necessarily imply the most technologically advanced solution. The state of the art described here is
sometimes referred to as the “generally acknowledged state of the art”.
[SOURCE: ISO/IEC Guide 63:2019, 3.18]
3.42
use error
laboratory medicine user (3.43) action or lack of user action while performing a laboratory examination (3.3)
or using an IVD medical device (3.11) or performing any task in any procedure (3.19) that leads to a different
result than that intended by the laboratory or manufacturer or expected by the user
Note 1 to entry: Use error includes the inability of the user to complete a task.
Note 2 to entry: Use errors can result from a mismatch between the characteristics of the user, user interface, task, or
use environment.
Note 3 to entry: Users might be aware or unaware that the use error has occurred.
Note 4 to entry: An unexpected physiological response of the patient is not by itself considered use error.
Note 5 to entry: A malfunction of an IVD medical device that causes an unexpected result is not considered a use error.
Note 6 to entry: Use error includes the use of an examination result for an unintended target group or for an unintended
diagnostic or patient management purpose.
Note 7 to entry: The term was chosen over “user error”, “human error” or “laboratory error” because not all causes
of error are partially or solely due to the user. Use errors are often the result of poorly designed user interface or
processes (3.21), or, inadequate instructions for use (3.14).
[SOURCE: IEC 62366-1:2015, 3.21 modified — In the definition, “user” was changed to “laboratory medicine
user”, and “performing a laboratory examination” and “performing any task in any procedure” were added;
the original Note 6 to entry was removed and a new Note 6 to entry and a Note 7 were added.]
3.43
user
individual responsible for an action that is intended to lead to a desired outcome
Note 1 to entry: Although such individuals are often laboratory personnel that are expected to be trained and
competent to perform the action, this term is not limited to such personnel and can include the patient.
Note 2 to entry: The use of this term is not intended to imply that a device is utilized for the action; it is used as a
general term to include any individual that has a role in producing the desired outcome.
3.44
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use
(3.15) or application have been fulfilled
Note 1 to entry: The objective evidence needed for a validation is the result of a test or other form of determination
such as performing alternative calculations or reviewing documents.
Note 2 to entry: The word “validated” is used to designate the corresponding status.
Note 3 to entry: The use conditions for validation can be real or simulated.
[SOURCE: ISO 9000:2015, 3.8.13]

3.45
verification
confirmation, through the provision of objective evidence
...


ISO/FDIS 22367:2025(en)
ISO/TC 212
Secretariat: ANSI
Date: 2025-12-22
Medical laboratories — Application of risk management to medical
laboratories
Laboratoires de biologie médicale — Application de la gestion des risques aux laboratoires de biologie médicale
FDIS stage
This draft is submitted to a parallel vote in ISO, CEN.
Voting begins on: 2026-01-02
Voting terminates on:

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Risk management
4.1 Risk management process
4.2 Management responsibilities
4.3 Qualification of personnel
4.4 Risk management activities
5 Proactive risk management
5.1 Proactive risk management plan
5.2 Scope of the plan
5.3 Contents of the plan
5.4 Revisions to the plan
5.5 Documentation of the risk management plan
6 Proactive risk analysis
6.1 General
6.2 Risk analysis process
6.3 Documentation of the risk analysis process
7 Risk evaluation
7.1 Overview
7.2 Benefit-risk analysis
7.3 Proactive risk evaluation
8 Risk control
8.1 General
8.2 Risk control options
8.3 Risks external to the laboratory
8.4 Risks arising from risk control measures
8.5 Residual risk evaluation
8.6 Risk control verification
9 Risk management review
9.1 General
9.2 Completeness of risk control
9.3 Evaluation of overall residual risk
9.4 Risk management report
10 Risk monitoring, analysis and control activities
10.1 Risk monitoring procedure
10.2 Internal sources of risk information
10.3 External sources of risk information
11 Immediate actions to reduce risk
Annex A (informative) Implementation of risk management within the management system
Annex B (informative) Guidance on establishing risk acceptability criteria
Annex C (informative) Guidance on risk acceptability considerations
Annex D (informative) Identification of characteristics related to safety
Annex E (informative) Examples of foreseeable risks, hazards, foreseeable sequences of events and hazardous situations
Annex F (informative) Nonconformities potentially leading to significant risks
Annex G (informative) Risk analysis tools and techniques
Annex H (informative) Risk analysis of foreseeable user actions
Annex I (informative) Methods of risk assessment, including estimation of probability and severity of harm
Annex J (informative) Overall residual risk evaluation and risk management review
Annex K (informative) Conducting a benefit-risk analysis
Annex L (informative) Residual risks
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights
in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s)
which may be required to implement this document. However, implementers are cautioned that this may not
represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 212, Medical laboratories and in vitro diagnostic
systems, in collaboration with the European Committee for Standardization (CEN) Technical Committee
CEN/TC 140, In vitro diagnostic medical devices, in accordance with the Agreement on technical cooperation
between ISO and CEN (Vienna Agreement).
This second edition cancels and replaces the first edition (ISO 22367:2020), which has been technically
revised.
The main changes are as follows:
— the application of risk management to processes has been emphasized;
— reactive and proactive risk management has been discussed, differentiated, and illustrated;
— the content is as far as possible in agreement with the requirements for risk management in
ISO 15189:2022;
— the relation with ISO 15189:2022 is indicated in Annex A in which Figure A.1
provides a flow chart for the underlying management system to underpin this document;
— Clause I.5 has been slightly modified to emphasize that risks most often require
benefit-risk assessment to determine risk acceptability.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Medical laboratories deal with risks as part of their usual activities; these risks affect patients, personnel,
caregivers, and the organization as a whole. Risks span the range of services: pre-examination, examination
and post-examination processes, including the design and development of laboratory examinations. The
intent of this document is not to introduce risk as a concern for the laboratory but to provide a structure for
addressing, managing, and documenting risks that are part of the day-to-day and long-term (strategic)
activities of the laboratory.
ISO 15189 requires that medical laboratories review all work processes to identify potential failures for risk
of harm to patients and opportunities for improvement, modify the processes to reduce or eliminate the
identified risks, and document the decisions and actions taken. This document describes a process for
managing these risks to the patient, the operator, other persons, equipment and other property, the healthcare
enterprise as a whole, and the environment. It does not address business enterprise risks, which are the
subject of ISO 31000; however, ISO 31000 is consistent with and can provide further understanding for the
concepts in this document.
Medical laboratories span a broad range of activities, some of which rely on the use of in vitro medical devices
to achieve their quality objectives. When such devices are involved, risk management is a shared responsibility
between the in vitro diagnostic (IVD) manufacturer and the medical laboratory. Since most IVD
manufacturers have already implemented ISO 14971, this document has adopted similar concepts, principles
and framework to manage the risks associated with the medical laboratory when appropriate. This is
especially meaningful for laboratories that implement their own examinations on devices (laboratory
developed tests or LDTs); concepts integral to ISO 14971:2019 can be directly applicable. ISO 5649 is a useful
reference for identifying and addressing risks in the development, implementation and retirement phases of
LDTs.
Activities in a medical laboratory can expose patients, workers or other stakeholders to a variety of hazards,
which can lead directly or indirectly to varying degrees of harm. The concept of risk has two components:
a) the probability of occurrence of harm;
b) the consequence of that harm, that is, how severe the harm might be.
Risk management is complex because each stakeholder can place a different value on the risk of harm.
Risk management interfaces with quality management at many points in the medical laboratory. In ISO 15189,
as an example, risk management is a component of complaint management, internal audit, corrective action,
quality control, management review and external assessment (for both accreditation and proficiency testing).
Management of risk also coincides with the management of safety in the medical laboratories, as exemplified
by the safety audit checklists in ISO 15190. This document is intended to assist medical laboratories
with the integration of risk management into their routine organization, operation and management.
While this document is intended for use throughout the currently recognized medical laboratory disciplines,
it can effectively be applied to other healthcare services, such as diagnostic imaging, respiratory therapy,
physiological sciences, blood banks and transfusion services.
The use of this document facilitates cooperation between medical laboratories and other healthcare services,
assists in the exchange of information, and in the harmonization of methods and procedures.
1 Scope
This document specifies a process for a medical laboratory to identify and manage the risks to patients,
laboratory workers and service providers that are associated with medical laboratory examinations. The
process includes identifying, estimating, evaluating, controlling and monitoring the risks.
The requirements of this document are applicable to all aspects of the examinations and services of a medical
laboratory, including the pre-examination, examination, and post-examination aspects including accurate
transmission of examination results into the electronic medical record, as well as other technical and
management processes described in ISO 15189.
This document does not specify acceptable levels of risk.
This document does not apply to risks from post-examination clinical decisions made by healthcare providers.
This document complements the management of risks affecting medical laboratory enterprises that are
addressed by ISO 31000, such as business, economic, legal, and regulatory risks.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
benefit
impact or desirable outcome of a process (3.21), procedure (3.19) or the use of a medical device
on the health of an individual or a positive impact on patient management or public health
Note 1 to entry: Benefits include prolongation of life, reduction of pain, relief of symptoms, improvement in function, or
an increased sense of well-being.
3.2
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
Note 4 to entry: An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close
call”.
[SOURCE: ISO 31073:2022, 3.3.11, modified — Note 2 to entry was changed; the original
Note 3 to entry was removed, and a new Note 3 to entry and a Note 4 were added.]
3.3
examination
set of operations having the objective of determining the numerical value, text value or characteristics of a
property
Note 1 to entry: An examination may be the total of a number of activities, observations or measurements required to
determine a value or characteristics.
Note 2 to entry: Laboratory examinations that determine a numerical value of a property are called “quantitative
examinations”; those that determine the characteristics of a property are called “qualitative examinations”.
Note 3 to entry: Laboratory examinations are also called “assays” or “tests”.
[SOURCE: ISO 15189:2022, 3.8]
3.4
foreseeable risk
risk (3.25) that is predictable prior to its occurrence
Note 1 to entry: Risk (3.25) can be known from prior experience, assessment of current circumstances, prior occurrence
of an event (3.2), or other sources.
Note 2 to entry: Addressing foreseeable risk results in preventive action.
Note 3 to entry: A risk (3.25) that is foreseeable does not imply that it has been anticipated or addressed.
3.5
frequency
number of events (3.2) or outcomes per defined unit of time
Note 1 to entry: Frequency can be applied to past events (3.2) or to potential future events (3.2), where it can be used as
a measure of likelihood or probability (3.20).
[SOURCE: ISO 31073:2022, 3.3.20]
3.6
harm
injury or damage to the health of people, or damage to property or the environment
[SOURCE: ISO/IEC Guide 51:2014, 3.1]
3.7
hazard
source of potential harm (3.6)
[SOURCE: ISO 31073:2022, 3.3.12, modified — Note 1 to entry has been deleted.]
3.8
hazardous situation
circumstance in which people, property, or the environment are exposed to one or more hazard(s) (3.7)
[SOURCE: ISO/IEC Guide 51:2014, 3.4]
3.9
healthcare provider
individual authorized to deliver health services to a patient
EXAMPLE Physician, nurse, ambulance attendant, dentist, diabetes educator, laboratory technician, laboratory
technologist, biomedical laboratory scientist, medical assistant, medical specialist, respiratory care practitioner.
[SOURCE: ISO 18113-1:2022, 3.1.28, modified — “laboratory technologist” and “biomedical laboratory
scientist” were added to the example.]
3.10
in vitro diagnostic manufacturer
IVD manufacturer
natural or legal person with responsibility for the design and/or manufacture of an
IVD medical device (3.11) with the intention of making the IVD medical device (3.11) available for use,
under his name, whether or not such an IVD medical device (3.11) is designed and/or manufactured by that
person himself or on that person’s behalf by another person(s)
[SOURCE: ISO 14971:2019, 3.9, modified — The term “manufacturer” was changed to “in vitro
diagnostic manufacturer”; in the definition, “medical device” was changed to “an IVD medical
device”; Notes to entry were removed.]
3.11
in vitro diagnostic medical device
IVD medical device
medical device, whether used alone or in combination, intended by the manufacturer for the in vitro
examination (3.3) of specimens derived from the human body solely or principally to provide information
for diagnostic, monitoring or compatibility purposes.
Note 1 to entry: The device includes reagents, calibrators, control materials, specimen receptacles, software, and related
instruments or apparatus or other articles.
Note 2 to entry: Adapted from ISO 18113-1:2022, 3.1.53.
3.12
in vitro diagnostic instrument
IVD instrument
equipment or apparatus intended by a manufacturer to be used as an IVD medical device (3.11)
[SOURCE: ISO 18113-1:2022, 3.1.32]
3.13
information supplied by the manufacturer
labelling
information that is related to identification, technical description, intended use (3.15) and proper use of
the IVD medical device (3.11), but excluding shipping documents
EXAMPLE Labels, instructions for use, manual, written, printed, electronic, or graphic matter.
Note 1 to entry: In IEC standards, documents provided with a medical device and containing important information for
the responsible organization or operator, particularly regarding safety, are called “accompanying documents”.
Note 2 to entry: Catalogues and material safety data sheets are not considered information supplied by the manufacturer
of IVD medical devices (3.11).
Note 3 to entry: Adapted from ISO 18113-1:2022, 3.1.35.
3.14
instructions for use
information supplied by the manufacturer (3.13) to enable the safe and proper use of an IVD medical
device (3.11)
Note 1 to entry: It includes the directions supplied by the manufacturer for the use, maintenance,
troubleshooting and disposal of an IVD medical device (3.11), as well as warnings and precautions.
Note 2 to entry: Instructions for use can also be referred to as “package insert” or manual for instruments.
Note 3 to entry: Adapted from ISO 18113-1:2022, 3.1.36.
3.15
intended use
intended purpose
objective intent of an IVD manufacturer (3.10) regarding the use of a product, process (3.21) or
service (3.38) as reflected in the specifications, instructions and information supplied by the IVD
manufacturer (3.10)
Note 1 to entry: Intended use statements for IVD information supplied by the manufacturer (3.13) can include two
components: a description of the functionality of the IVD medical device (3.11) (e.g. an immunochemical
measurement procedure (3.19) for the detection of analyte “x” in serum or plasma), and a statement of the intended
medical use of the examination (3.3) results.
[SOURCE: ISO 18113-1:2022, 3.1.37, modified — In Note 1 to entry, “labelling” was changed to
“information supplied by the manufacturer”; Note 2 was removed.]
3.16
laboratory management
person(s) with responsibility for, and authority over, a laboratory
Note 1 to entry: Laboratory management has the power to delegate authority and provide resources within the
laboratory.
Note 2 to entry: The laboratory management includes the laboratory director(s) and delegates together with individuals
specifically assigned to ensure the quality of the activities of the laboratory.
[SOURCE: ISO 15189:2022, 3.15]
3.17
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and
described using general terms or mathematically (such as a probability (3.20) or a frequency (3.5) over a given
time period).
Note 2 to entry: The English language term “likelihood” does not have a direct equivalent in some languages; instead, the
equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly
interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that
it should have the same broad interpretation as the term “probability” has in many languages other than English.
[SOURCE: ISO 31073:2022, 3.3.16]
3.18 3.18
medical laboratory
laboratory
entity for the examination (3.8(3.8)) of materials derived from the human body for the purpose of providing
information for the diagnosis, monitoring, management, prevention and treatment of disease, or assessment
of health
Note 1 to entry: The laboratory can also provide advice covering all aspects of examinations including appropriate
selection, the interpretation of results and advice on further examinations.
Note 2 to entry: Laboratory activities include pre-examination (3.25),, examination (3.8) and post-examination processes
(3.21(3.24).).
Note 3 to entry: Materials for examination (3.8) include but are not limited to, microbiological, immunological,
biochemical, immunohaematological, haematological, biophysical, cytological, tissue and cells, and genetic material.
[SOURCE: ISO 15189:2022, 3.20]
3.19
3.19
procedure
specified way to carry out an activity or a process (3.21(3.21) )
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
3.20 3.20
probability
measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1
is absolute certainty
Note 1 to entry: See definition of likelihood (3.17(3.17),), Note 2 to entry.
[SOURCE: ISO 31073:2022, 3.3.19]
3.21 3.21
process
set of interrelated or interacting activities that use inputs to deliver an intended result
Note 1 to entry: Whether the “intended result” of a process is called output, product or service (3.38(3.38)) depends on
the context of the reference.
[SOURCE: ISO 9000:2015, 3.4.1, modified– Note — Notes 2 to entry to Note 6 to entry have been
deletedremoved.]
3.22
reasonably foreseeable misuse
use of a product, process (3.21) or service (3.38) in a way not intended by the supplier, but which
can result from readily predictable human behaviour
Note 1 to entry: Readily predictable human behaviour includes the behaviour of all types of intended users (3.43).
Note 2 to entry: In the context of consumer safety, the term “reasonably foreseeable use” is increasingly used as a
synonym for both “intended use” (3.15) and “reasonably foreseeable misuse”.
Note 3 to entry: Applies to use of examination (3.3) results by a healthcare provider (3.9) contrary to the
intended use (3.15), as well as use of IVD medical devices (3.11) by the laboratory contrary to the instructions for
use (3.14).
Note 4 to entry: Misuse includes abnormal use, i.e. intentional use of the device in a way not intended by the
manufacturer.
Note 5 to entry: Misuse is intended to mean incorrect or improper performance of an examination (3.3) procedure
(3.19) or any procedure (3.19) critical for patient safety.
[SOURCE: ISO/IEC Guide 51:2014, 3.7, modified — In the definition, “system” was changed to “process or
service”; examples were removed from Note 1; Notes 3 to 5 were added.]
3.23
record
document stating results achieved or providing evidence of activities performed
Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of verification
(3.45), preventive action and corrective action.
Note 2 to entry: Generally, records need not be under revision control.
[SOURCE: ISO 9000:2015, 3.8.10]
3.24
residual risk
risk (3.25) remaining after risk control (3.28) measures have been taken
[SOURCE: ISO/IEC Guide 63:2019, 3.9]
3.25
risk
combination of the probability (3.19) of occurrence of harm (3.6) and the severity (3.39) of
that harm (3.6)
Note 1 to entry: This definition focuses on risks to the safety of patients and other persons. Other documents
that emphasize risk to a business enterprise will have alternative definitions.
[SOURCE: ISO/IEC Guide 51:2014, 3.9, modified — The original Note 1 to entry was
removed and a new note was added.]
3.26
risk analysis
systematic use of available information to identify hazards (3.7) and to estimate the risk (3.25)
Note 1 to entry: Risk analysis includes examination of different sequences of events (3.2) that can produce hazardous
situations (3.8) and harm (3.6).
[SOURCE: ISO/IEC Guide 51:2014, 3.10, modified — Note 1 to entry was added.]
ISO/FDIS 22367:2026(en)
3.27
risk assessment
overall process (3.21) comprising a risk analysis (3.26) and a risk evaluation (3.30)
[SOURCE: ISO/IEC Guide 51:2014, 3.11]
3.28
risk control
process (3.21) in which decisions are made and measures implemented by which risks (3.25) are
reduced to, or maintained within, specified levels
[SOURCE: ISO/IEC Guide 63:2019, 3.12]
3.29
risk estimation
process (3.21) used to assign values to the probability (3.19) of occurrence of harm (3.6) and
the severity (3.39) of that harm (3.6)
[SOURCE: ISO/IEC Guide 63:2019, 3.13]
3.30
risk evaluation
process (3.21) of comparing the estimated risk (3.25) against given risk criteria to determine the
acceptability of the risk
[SOURCE: ISO/IEC Guide 63:2019, 3.14]
3.31
risk management
systematic application of management policies, procedures (3.19) and practices to the tasks of analysing,
evaluating, controlling and monitoring risk (3.25)
[SOURCE: ISO/IEC Guide 63:2019, 3.15]
3.32
risk management documentation
set of records (3.23) and other documents that are produced by risk management (3.31)
[SOURCE: ISO 14971:2019, 3.25, modified — The term “risk management file” was changed to “risk
management documentation”.]
3.33
risk management plan
scheme specifying the approach, the management components and resources to be applied to the management
of risk (3.25)
Note 1 to entry: Adapted from ISO 31000:2009.
[SOURCE: ISO 31073:2022, 3.2.3, modified — “scheme within the risk management framework” was
changed to “scheme”; the Notes to entry were removed.]
3.34
risk management policy
statement of the overall intentions and direction of an organization related to risk management (3.31)
[SOURCE: ISO 31073:2022, 3.2.2]
3.35
risk monitoring
surveillance
continual checking, critically observing or determining the status in order to identify change from the risk
(3.25) level required or expected
[SOURCE: ISO 31073:2022, 3.3.40, modified — The term “monitoring” has been changed to “risk
monitoring”, and surveillance was added as a preferred term; in the definition, “supervising” was
deleted, and “performance level” was changed to “risk level”; Note 1 to entry was deleted.]
3.36
risk reduction
actions taken to lessen the probability (3.19) or negative consequences, or both, associated with a risk
(3.25)
[SOURCE: ISO 22300:2025, 3.2.20]
3.37
safety
freedom from unacceptable risk (3.25)
[SOURCE: ISO/IEC Guide 63:2019, 3.16]
3.38
service
laboratory medicine activity performed by a medical laboratory for the benefit (3.1) of patients, the
healthcare providers (3.9) responsible for the care of those patients, or screened populations.
Note 1 to entry: Medical laboratory services include arrangements for examination (3.3) requests, patient
preparation, patient identification, collection, transportation, storage, processing and examination (3.3) of clinical
samples, together with subsequent interpretation, reporting and advice, in addition to the considerations of safety
(3.36) and ethics in medical laboratory work.
Note 2 to entry: Adapted from ISO 15189:2022.
3.39
severity
measure of the possible consequences of a hazard (3.7)
[SOURCE: ISO/IEC Guide 63:2019, 3.17]
3.40
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
[SOURCE: ISO 31073:2022, 3.3.2, modified — The preferred term “interested party” was
removed.]
3.41
state of the art
developed stage of technical capability at a given time as regards products, processes (3.21) and services
(3.38), based on the relevant consolidated findings of science, technology and experience
Note 1 to entry: The state of the art embodies what is currently and generally accepted as good practice. The state of the
art does not necessarily imply the most technologically advanced solution. The state of the art described here is
sometimes referred to as the “generally acknowledged state of the art”.
[SOURCE: ISO/IEC Guide 63:2019, 3.18]
3.42
use error
laboratory medicine user (3.43) action or lack of user (3.43) action while performing a laboratory
examination (3.3) or using an IVD medical device (3.11) or performing any task in any procedure
(3.19) that leads to a different result than that intended by the laboratory or manufacturer or expected
by the user (3.43)
Note 1 to entry: Use error includes the inability of the user (3.43) to complete a task.
Note 2 to entry: Use errors can result from a mismatch between the characteristics of the user (3.43), user interface, task,
or use environment.
Note 3 to entry: Users (3.43) might be aware or unaware that the use error has occurred.
Note 4 to entry: An unexpected physiological response of the patient is not by itself considered use error.
Note 5 to entry: A malfunction of an IVD medical device that causes an unexpected result is not considered a use error.
Note 6 to entry: Use error includes the use of an examination (3.3) result for an unintended target group or for an
unintended diagnostic or patient management purpose.
Note 7 to entry: The term was chosen over “user error”, “human error” or “laboratory error” because not all causes of
error are partially or solely due to the user (3.43). Use errors are often the result of poorly designed user (3.43) interface
or processes (3.21), or inadequate instructions for use (3.14).
[SOURCE: IEC 62366-1:2015, 3.21, modified — In the definition, “user” was changed to “laboratory
medicine user”, and “performing a laboratory examination” and “performing any task in
any procedure” were added; the original Note 6 to entry was removed and a new Note 6
to entry and a Note 7 to entry were added.]
3.43
user
individual responsible for an action that is intended to lead to a desired outcome
Note 1 to entry: Although such individuals are often laboratory personnel that are expected to be trained and competent
to perform the action, this term is not limited to such personnel and can include the patient.
Note 2 to entry: The use of this term is not intended to imply that a device is utilized for the action; it is used as a general
term to include any individual that has a role in producing the desired outcome.
3.44
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use
(3.15) or application have been fulfilled
Note 1 to entry: The objective evidence needed for a validation is the result of a test or other form of determination such
as performing alternative calculations or reviewing documents.
Note 2 to entry: The word “validated” is used to designate the corresponding status.
Note 3 to entry: The use conditions for validation can be real or simulated.
[SOURCE: ISO 9000:2015, 3.8.13]
3.45
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
Note 1 to entry: The objective evidence needed for a verification can be the result of an inspection or of other forms of
determination such as performing alternative calculations or reviewing documents.
Note 2 to entry: The activities carried out for verification are sometimes called a qualification process (3.21).
Note 3 to entry: The word “verified” is used to designate the corresponding status.
[SOURCE: ISO 9000:2015, 3.8.12]
4 Risk management
4.1 Risk management process
The medical laboratory shall establish, document, implement and maintain processes for identifying hazards
associated with its examinations and services, estimating and evaluating the associated risks, controlling these
risks, and monitoring the effectiveness of the controls. The scope of specific risk management processes may
be broad (e.g. for the development of a new examination with which a laboratory has little or no experience),
or the scope may be limited (e.g. for resolving the risks associated with either anticipated or unanticipated
nonconformities).
NOTE 1 The activities of the laboratory have an underlying concern with risk, especially risks to the patient. The
considerations that occur in developing and implementing such activities involve understanding and approaching such
risks; this can be referred to as “risk-based thinking”. To be an effective part of the quality management system, such risk
management activities require a structured approach.
Where a documented management system exists, such as that described in ISO 15189, it shall incorporate risk
management into the appropriate parts.
A master plan as described in Clause B.2 should be in place when multiple individual risk
management plans are present.
NOTE 2 Annex A provides additional guidance for using a documented management system,
such as is required in ISO 15189, to address patient safety in a systematic manner, in particular to enable the early
identification of hazards and hazardous situations in order to implement appropriate risk control measures.
NOTE 3 ISO/TR 24971:2020, Annex H provides guidance on risk management for in vitro diagnostic medical devices.
4.2 Management responsibilities
The medical laboratory management shall show evidence of its commitment to the risk management process
by providing adequate resources and qualified personnel for risk management to ensure conformance to this
document (see 4.3).
The laboratory management shall:
— define and document the laboratory’s risk management policy, including the policy for determining
risk acceptability (see 7.3.1);
— approve all risk assessments and risk management reports;
— review the suitability of risk management processes at planned intervals to ensure their continuing
effectiveness, and document any decisions and actions taken during the review. This review may be part
of the management system review.
The laboratory shall retain records for each activity required in this document. The records shall be
retrievable and available for review as needed.
NOTE The required documentation and records can be incorporated within the documentation produced by the
laboratory’s management system.
4.3 Qualification of personnel
Persons performing risk management tasks shall have the knowledge and experience for the tasks assigned
to them. This knowledge and experience shall include, where appropriate, the process and procedures that
are intended to be assessed, the medical uses of the results that are produced, and the techniques used to
assess the risks.
Such persons may be qualified by training, competence, and through the provision of sufficient instruction for
managing instances of risk. Qualification does not imply a level of education or responsibility.
NOTE 1 An example of a foreseeable risk (4.4.2) can be the authorization of routine personnel who receive
specimens to assess whether collection tubes for functional coagulation studies are sufficiently full, given that underfilled
tubes can lead to artificially prolonged measurement times. By training and use of visual aids, such personnel can assess,
reject an underfilled specimen, document this action in the patient record, and contact the provider for a valid specimen
prior to submission for testing. If the provider requests that the specimen be processed regardless, this can be beyond
the training and competence of the individual
...
