FORENSIC SCIENCE AND CRIME RESEARCH

The implementation of a Quality Management System for different scopes in a testing laboratory and its periodic evaluation, with the aim to obtain and maintain an accreditation through an external body, guarantees the reliability and validity of the results issued and therefore, contributes to the decisions that will be made from them.

The foregoing becomes particularly important at a Forensic Science Laboratory since its results will be admitted within the Judiciary System of a country and considered by a Court or a Judge to impose a sentence or penalty on the guilty party. It is worth remembering that the work carried out at a forensic laboratory is often limited by the amount of sample received and by the fact that these samples are unique, therefore, laboratories can’t do all the types of testing that may be required on the same sample, or repetition is not possible, having to prioritize or bear in mind what it is intended to discover with a particular analysis.

From a quality management´s point of view, the periodic evaluation of the work carried out, and most of all, the objective examination of the statements of the organization on how to perform a laboratory process safely and effectively, to make sure the organization complies with the defined quality system processes, constitutes an aspect of capital importance to determine its effectiveness and, if needed, take the required corrective actions. For a Forensic Science Laboratory, those requirements are considered under a Quality Management System based on ISO / IEC 17020: 2012 and ISO / IEC 17025:2017 standards. These standards are complemented by ILAC G-19 guide for optimal interpretation and the mandatory regulations, defined by national laws, as well as the requirements from the accreditation body and those of the laboratory itself, all of these considered topics to be audited. 

One of the main tools for the periodic evaluation and examination of the work carried out at the internal level of a laboratory are the internal quality audits, defined in ISO 19011: 2018 as a: “…Systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled”.

One of the key requirements for both ISO / IEC 17020: 2012 and ISO / IEC 17025: 2017 standards, is to perform internal audits at planned intervals to obtain information about the management system (mainly to ensure that your processes are meeting quality standards and conformance, or in case of non-compliance, actions may be taken internally to achieve compliance, always informing the laboratory management about the current state).

It should be noted, that ISO / IEC 17020: 2012, establishes in requirement 8.6.2: “An audit programme shall be planned, taking into consideration the importance of the processes and areas to be audited, as well as the results of previous audits”. Also requirement 8.6.3 mentions: “The inspection body shall conduct periodic internal audits covering all procedures in a planned and systematic manner, in order to verify that the management system is implemented and is effective” (the underlined and bold are not from the original document) and requirement 8.6.4 defines: “Internal audits shall be performed at least once every 12 months. The frequency of internal audits may be adjusted depending on the demonstrable effectiveness of the management system and its proven stability”.

At the accreditation body level, additional or complementary requirements are also usually indicated. For example, regarding internal audits, the ANSI National Accreditation Board (ANAB) of the United States of America establishes in document AR 3125 (2019/04/29): ISO / IEC 17025: 2017 Accreditation Requirements Forensic Science Testing and Calibration Laboratories, point 8.8.2 b)1: “Internal audits shall include direct observation of a sample of accredited services within each discipline” (underlined and bold are not from the original document) and at 8.8.1.1: “Internal audits shall be conducted at least annually, as well as prior to the initial accreditation assessment”.

By way of a summary, the following aspects can be considered in general terms when performing an internal audit of a Quality Management System in a Forensic Science Laboratory: 

- Perform the internal audit at least once a year.

- Keep in mind the importance of the processes and areas to be audited.

- Keep in mind the results of previous audits.

- Cover all the procedures (involved in the process and areas to be audited).

- Include direct observation of examinations and tests. 

The execution of such activities, as well as the actions taken resulting from the results of the evaluation, are carried out internally at the laboratory by meetings or previous coordination between the members of the internal audit team, by conducting opening and closing meetings of the internal audit and interviews with the audited personnel to obtain objective evidence for compliance with the requirements of the Quality Management System. These activities usually require several days for its execution, access to different areas, possible contact with surfaces in the audited areas, physical closeness of the auditor or auditors to the auditee, the handling of documents presented as evidence of the work carried out, etc., common tasks that under normal conditions would not represent a problem, but in the face of the situation due to the COVID-19 outbreak, must be reconsidered, having in mind the time needed for its execution, the way to perform it and the level of detail desired.

When redefining the way to attend these tasks, the concept of “risk” as defined in the recent version of ISO / IEC 17025: 2017 becomes particularly relevant, as it is associated with the activities that are carried out. On the specific requirement 8.5.1, it is mentioned: “The laboratory shall consider the risks and opportunities associated with the laboratory activities in order to: a) give assurance that the management system achieves its intended results; b) enhance opportunities to achieve the purpose and objectives of the laboratory; c) prevent, or reduce, undesired impacts and potential failures in the laboratory activities”. Moreover, requirement 8.5.2, states: “The laboratory shall plan: a) actions to address these risks and opportunities” and requirement 8.5.3 defines: “Actions taken to address risks and opportunities shall be proportional to the potential impact on the validity of laboratory results”. 

It is considered by the authors that a quality internal audit must cover, to a greater or lesser degree (which will be detailed shortly), the evaluation of all the requirements established by the audit criteria, regardless the years of implementation of the quality system or how long ago the laboratory undergoes an accreditation process by an accreditation body, because the above provides a guarantee of compliance with these criteria over time.

However, in the face of the situation caused by the COVID-19 pandemic, and considering the measures required to prevent its spread, which includes social distancing (avoid meetings, avoid free transit through areas, avoid collaborators mixing who don´t usually work in the same area, avoid contact with objects that may be subjected to manipulation by several people, etc.) it is necessary to become creative when related to perform an internal audit process of a Quality Management System.

Therefore, a series of aspects are proposed when conducting such internal audit at a forensic laboratory, taking into account the minimum measures required to prevent the spread of COVID-19 and complying with the minimum requirements to perform the audit as well. To do so, three levels of risk are assumed, being a decision of the laboratory, to manage the level of risk: 

Risk level 1: high, newly implemented quality management systems. The laboratory has done at least one internal audit of their Quality Management System and have never undergone an accreditation process by an accreditation body.

Risk level 2: intermediate. The laboratory has a quality management system implemented and the system has been working for at least 3-4 years (the first accreditation cycle of the accrediting body). The internal audit processes over time has demonstrated the reduction of non-conformities within the Quality Management System, without considering possible non-conformities by the extension of accreditation scopes.

Risk level 3: low. The laboratory has a mature quality management system, with more than one accreditation cycle (which is generally 3-4 years), from an accreditation body. The internal audit process over time, has demonstrated the reduction of non-conformities within the quality management system, without considering possible non-conformities by the extension of accreditation scopes.

The following are some aspects that might be considered for the conduction of an internal audit of a Quality Management System in a Forensic Laboratory, under the measures required to avoid the spread of COVID-19, but guaranteeing compliance with the minimum ISO requirements established, under a given level of risk:

1.  Preferably use video conferences instead of face meetings.
2. If direct observation of activities or services is required, they must be carried out taking into account measures such as hand washing before and after entering an area and avoid placing objects by the auditor anywhere in the area that it is being audited.
3. It is suggested for the auditor to wear protective clothes, disposable gloves and face masks and safety goggles (goggles must be for personal use).
4. Do not conduct direct observation for more than 10 minutes, focus on the main critical aspects.
5. Always maintain social distancing with the person being audited, who must also have at least disposable gloves and face masks and safety goggles (goggles must be for personal use).
6.  Do not exchange any type of object with audited personnel (for example a pencil). If it is required to collect evidence such as documents, take photographs of it, without manipulation of the documents.
7.  Evaluate the replacement of direct face-to-face observation with direct observation of activities using video call.
   

1. Consider the documentary evaluation of aspects such as policies to guarantee impartiality and confidentiality, the requirements related to the structure, several of the requirements of the management system (system documentation, document control, records control, improvement, management review, etc.).
2. Personnel requirements: focus mainly on personnel newly admitted to the laboratory or those personnel who have just been declared competent to carry out specific work, starting since the last internal audit carried out. Also focus on the mechanisms used to guarantee that the technical competence of the personnel is maintained.
3.  Requirements about facilities and environmental conditions: if there have been no changes since the last internal audit carried out, the evaluation could also be carried out in a documentary manner by reviewing condition records, environmental or laboratory entry records, etc.
4.  Equipment requirements: focus mainly on the equipment that has reported incidents since the last internal audit performed and on the new equipment. As well in the existence of a schedule for the reception of maintenance and calibration services for the equipment that require it.
5.  Metrological traceability requirements: focus mainly on those standards or reference materials that have been changed since the last internal audit performed.
6.  Requirements for products and services supplied externally: focus on reports related to any inconvenient or those related to new suppliers or products/services (never been acquired before) since the last internal audit carried out.
7. Requirements for review of requests, offers and contracts: focus mainly on changes that may have occurred since the last internal audit carried out.
8.  Method selection, verification and validation requirements, measurement uncertainty evaluation: focus mainly on methodologies with changes introduced after the last internal audit (bearing in mind any changes in their validation).
9.  Handling requirements of the test or calibration items: focus mainly on changes in handling since the last internal audit performed.
10.  Requirements for reporting of results: if there have been no changes since the last internal audit regarding the testing and inspection tasks, it is considered to choose a sample of the reports issued, since this is the final product of the laboratory to its customers. It is also important to keep in mind the revision of any declaration of conformity for the service provided, in which the specification or standard against which said declaration is made has been changed.
11.  Requirement for control of data and information management: focus mainly on changes in the information system modules that the laboratory manages digitally and the validation of those changes, as well as requesting registration of system failures, together with the indication of the actions taken in this regard.
12.  Requirement of actions by the management system, to address risks and opportunities: focus mainly on the materialization of some of the risks and the respective actions taken, as well as the appearance of new risks since the last internal audit performed. It is convenient to assess the way the laboratory approaches the risk of carrying out the internal audit of its Quality Management System, under aspects such as those proposed in this document, in the event of a pandemic situation.
13.  Direct observation of activities or services: regardless of whether it is carried out face to face or virtually, as noted above, it is important to focus on those activities that mainly include aspects of the application of controls and in the interpretation of whether said controls were effective or not, together with the respective actions taken in the latter case.
14.  Results of previous audits (internal or external): it is recommended to audit within the internal audit process at least the verification of previously detected critical non-conformities (evaluating if possible to include all critical non-conformities from the beginning of the current accreditation cycle).
15.  Requirements for ensuring the validity of results: these specific aspects along with the next one, are the “heart” of the quality management system, demanding daily attention. Thus, it is highly recommended that compliance with the different quality control mechanisms be fully assessed, regardless of whether any situation has been reported since the last internal audit performed.
16.  Complaints requirements, non-conforming work and corrective actions: it is recommended that all aspects presented regarding this requirement should be reviewed since the last internal audit carried out.

Finally, the specific aspects proposed for evaluation during an internal audit, considering the level of risk previously indicated, can be combined with the evaluation of specific aspects defined by the accreditation body for its next external audit visit.