In this article, regulatory requirements are explored as they are meant to create confidence that cannabis and cannabis-infused products are safe to use.
The legalization of medicinal and adult use of cannabis in many states has resulted in state-by-state variability in the regulatory requirements that affect cannabis growers, producers, and testing laboratories. While many approaches to regulation exist, what they all share is the goal of providing regulators, industry leaders and, most importantly, consumers with greater confidence that cannabis and cannabis-infused products are safe to use. Cannabis testing laboratories play an essential role in establishing this safeguard. Many states require these laboratories to obtain accreditation to the ISO/IEC 17025, General Requirements for the Competence of Calibration and Testing Laboratories, for licensure. The technical aspects of the standard serve as an effective foundation for quality in the laboratory; however, the comprehensive management system is equally important. Pursuing technical acumen in the laboratory with an equal company-wide commitment to the pursuit of quality is the winning combination to achieve excellence in serving customers and ensuring the safety of cannabis products.
The lack of universal requirements for achieving, documenting, and maintaining quality practices in cannabis testing laboratories is evident as the trend toward state legalization of medicinal and adult use of cannabis continues in the United States. States have developed a wide variety of requirements with the goal of ensuring safety for consumers, patients, and the public. Many states require conformance with ISO/IEC 17025, General Requirements for the Competence of Calibration and Testing Laboratories (1). The ISO/IEC 17025 standard can be an effective foundation on which to build a quality cannabis testing laboratory, but it is not the entire structure. Laboratories must effectively and actively implement a comprehensive management system to realize the full value of ISO/IEC 17025 accreditation. Meaningful accreditation requires not only foundational quality standards, but also a commitment by laboratory leadership and engagement of the entire laboratory team.
The importance of accuracy in cannabis testing laboratories for protection of the public has been receiving media attention, most recently from a case in Michigan involving the recall of cannabis products due to “inaccurate and/or unreliable results” from a testing laboratory (2). Potency and terpene profiles are important for effective medicinal and adult use of cannabis, but assurance that products are free from harmful contaminants such as pesticides, residual solvents, mycotoxins, and bacterial contaminants are also of paramount concern to public safety.
Founded in 1947, ISO refers to the International Organization for Standardization. The purpose of the organization is to develop and publish international standards that convey consumer confidence across the globe that products and services are safe, reliable, and of worthy quality. Scientific experts and quality management leaders develop standards through consensus-building processes. Standards are updated, as needed, to incorporate breakthroughs in science, technology, modern methods, and best practices. Updates also address evolving customer, government, and societal requirements and expectations.
Laboratories rely on a broad array of standards from sources including regulatory bodies, analytical methods, and materials to ensure the reliability and accuracy of their test results. In the cannabis testing industry, one of the most common standards is ISO/IEC 17025 (3). ISO 17025 was developed in collaboration with the International Electrotechnical Commission (IEC). Both organizations have a long history of producing International Standards. ISO/IEC 17025 was most recently updated in 2017.
ISO/IEC 17025:2017 covers structural and resource requirements, along with technical process requirements. In addition, ISO/IEC 17025:2017 incorporates the principles of ISO 9001, which centers on the implementation and operation of a management system. A well-designed and implemented management system is the cornerstone of a quality operation, and must be maintained throughout the accreditation cycle. Similar to a comprehensive quality assessment (QA) program in a clinical laboratory setting, cannabis testing laboratories must not only control records, monitor processes, and identify corrective actions, but must also proactively evaluate risks and opportunities associated with laboratory activities to (1):
When developing, operationalizing, and maintaining laboratory systems to ensure quality and technical competency, adopting a risk-based approach can prove valuable. Consider the risks, opportunities, and operational process, systems, and training that must be established and continuously maintained to meet the testing laboratory’s business and customer requirements. This, and many other requirements in the standard, takes active engagement and a deep commitment to quality by the management team.
In preparing to demonstrate conformity to ISO/IEC 17025:2017, laboratories first need to obtain a copy of the current standard. This article does not purport to explain the standard in its entirety, but rather to provide a brief overview of some of the requirements covered in eight clauses of the standard, and to emphasize the importance of commitment and engagement of the entire laboratory team.
These three clauses are informational and specify the scope of the standards, normative references, and terms and definitions. Clause 3 is helpful for becoming acquainted with ISO terminology.
Requirements 4.1–4.1.5 speak to the importance of safeguarding impartiality of the testing performed. [Note: Impartiality is defined under the ISO standard as “presence of objectivity.” Furthermore, “Objectivity means that conflicts of interest do not exist, or are resolved so as not to adversely influence subsequent activities of the laboratory.] The management team is expected to demonstrate in words and actions its commitment to safeguarding impartiality in laboratory activities. If any conflict of interest or other risk to impartiality is identified, swift action is also expected.
Requirements 4.2–4.2.4 emphasize the central role of confidentiality of customer information and laboratory activities under ISO/IEC 17025:2017.Care must be taken to ensure that customer information and laboratory activities performed on behalf of the customer are confidential. There may be times when release of information is required by law. It is the laboratory’s responsibility to inform the customer, in advance, what information will reside in the public domain.
Furthermore, information obtained from other sources about a customer must also be kept confidential. Personnel, including external contractors, are expected to maintain customer confidentiality in accordance with the laboratory’s established policy or terms of employment or contract.
Requirements 5.1–5.7 outline the organizational expectations of ISO/IEC 17025:2017. Among the general structural requirements for testing laboratories are:
It is important to ensure that the laboratory has clearly defined functional roles and responsibilities at all levels of the organization and that personnel have the authority and resources to perform their assigned laboratory activities. The management team has the responsibility to ensure that communication is occurring regarding the effectiveness of the management system and conveying the organizational values regarding the importance of meeting customers’ and other requirements to all staff.
Requirements 6.1–6.6.3 outline the resource expectations of ISO/IEC 17025:2017.
Generally, it must be clear that the laboratory possesses the resources, facilities, equipment, systems, and support systems needed to provide services to its customers.
Laboratories are expected to ensure that persons involved in laboratory activities are trained and competent to perform their jobs. Records must be kept of training and competency. Additional requirements are listed below.
Facilities and Environmental Conditions
Requirements for ensuring that the facility and environment is suitable for performing laboratory activities safely and accurately include, for example:
The term laboratory equipment extends beyond the instrumentation or analyzers to include other items such as reagents, reference materials, software, and measuring instruments.
Generally, the specific requirements related to equipment used to perform laboratory activities are designed to ensure that equipment it is suitable and fit for its tasks, maintained, calibrated, updated, and verified.
Testing laboratories are required to maintain metrological traceability of its measurement results under the ISO/IEC 17025:2017 standard.
Equipment used by laboratories to produce measurement results must be calibrated and verified for each tested analyte using only reference materials (RM), certified reference materials (CRM) or, in cases of proprietary or unique methods, materials that can demonstrate appropriate metrological traceability. In cases where it is not possible to obtain metrological traceability to the International System of Units (SI), laboratories may use certified reference materials from a competent producer or use consensus standards, methods, or procedures that are clearly defined and accepted as providing measurement results fit for their intended use and ensured by suitable comparison.
Externally Provided Products and Services
When subcontracting and purchasing products and services those products and services must be suitable for laboratory activities and procured in accordance with the laboratory’s criteria for evaluation and selection of external providers. In addition, the laboratory must demonstrate how it routinely monitors the performance of external providers and how it re-evaluates performance over time. The laboratory is expected to communicate any requirements to external providers related to the products or services to be purchased.
Requirements 7.1–7.11 outline the process expectations of ISO/IEC 17025:2017.While all clauses are important within the ISO framework, the process requirements are extensive and should be studied carefully to ensure that the many operational processes, which are central to managing and producing quality results, are indeed satisfied.
Review of Requests, Tenders, and Contracts
It is important that the laboratory engage and serve its customers in a way that supports clear communication and cooperation, ensures that customer requests are clearly defined, documented, and understood, and that the laboratory has the capability and resources to meet unique customer requirements. This will strengthen the laboratory’s commitment to the highest quality experience.
Laboratories are prohibited from either directly or implicitly implying that certain activities are covered in its scope of accreditation when this is not the case.
Selection, Verification, and Validation of Methods
The selection and verification of methods is vital to providing customers with valid and accurate results. Procedures for the evaluation of measurement uncertainty and statistical techniques for the analysis of data are a necessity. All methods, procedures, and supporting documentation must be current and readily available to laboratory personnel.
When introducing a new method, performance parameters should be established by the laboratory. Recognized reference methods should be used when available and appropriate for the laboratory’s activities. It is imperative that the laboratory verify that a method can be performed properly before it is implemented. This includes verification of statistical parameters such as precision, measurement range, measurement uncertainty, and limit of detection, as established by the laboratory.
In addition, if the laboratory changes the standard methods used for testing, or the method is modified by the laboratory, the method must be validated to confirm the method can achieve required performance. The records of the method verification must be retained.
The importance of proper sampling in ensuring an accurate, high quality laboratory result cannot be overstated. If the laboratory is performing sampling for customers, there must be a sampling plan, including the method for carrying out sampling of substances, materials, and products. If sampling is occurring away from the laboratory, it is important that the laboratory convey the sampling plan and method to the site where sampling is being conducted and ensure that those responsible for performing sampling are trained and competent in the sampling procedure. Sampling plans, whenever feasible, should incorporate relevant statistical methods.
This section also covers requirements for documenting and maintaining sampling records.
Handling of Test or Calibration Items
The laboratory must have a procedure for the transport, receipt, handling, protection, storage, retention, and disposal of testing materials when calibration services are included in the laboratory activities.
The appropriate technical records must accompany each laboratory activity. The technical record for each laboratory activity must include the date, the person responsible for that activity, the test result, report, and any data or information that is important to assist with determining the effects of measurement uncertainty and more. Clear records must be kept along with traceability of any modifications to the original observations, including the person responsible for the changes made.
Evaluation of Measurement Uncertainty
Measurement uncertainty is a key consideration in laboratory testing and is commonly seen as the statistical representation of the dispersion or range of values that can be attributed to what you are measuring. Contributions to measurement uncertainty must be identified and clearly documented, including those related to sampling and the analytical method.
Ensuring Validity of Results
Laboratories are required to rely upon internal and external controls to ensure the ongoing validity of test results. The primary purpose of controls is to ensure that the test procedure is performing in accordance with the validated method. The laboratory must develop an appropriate monitoring process and all activities must be documented. Examples of controls include: use of alternative instruments validated to provide traceable results; function checks of measuring and testing equipment; use of control charts; intermediate checks on measuring equipment; replicate tests; retesting of retained materials; correlation of results for different characteristics; intra-laboratory comparisons and participation in proficiency testing. In some states, specific regulatory requirements may apply so it is beneficial to review state laws related to quality control and proficiency testing requirements.
Reporting of Test Results
Laboratory results must be reviewed and authorized before they are reported. Results must be reported accurately and clearly in accordance with the agreements between the laboratory and its customers. In addition, ISO/IEC 17025:2017 is very specific about the common elements of a test report so be sure to review those elements and include them in the laboratory test report.
The laboratory is required to implement a process for handling complaints to include an acknowledgment to the complainant, confidentiality, investigation of the complaint, assessment of the validity of the complaint, and decisions and actions taken to resolve the complaint.
All noted instances where laboratory activities failed to adhere to the laboratory’s documented policies and procedures for conformance to ISO/IEC 17025:2017 must be identified as a “nonconformity” with a corrective action cycle. The nonconformity procedure is in place to ensure that operational and technical laboratory activities are continuously conducted in accordance with the laboratory’s policies and procedures, customer requirements, and best practices. The laboratory must establish procedures describing the actions to be taken when a nonconformity is identified.
Nonconforming events can be addressed based upon risk levels, with the highest risk nonconformities given the highest priority. In some cases, it may be necessary to inform customers of the nonconformity and any impact on testing results, if applicable. Records of corrective actions to address the nonconformity must be retained.
Control of Data and Information Management
The laboratory’s information management system must be protected from unauthorized access and safeguarded from tampering, theft, and loss of data. This requirement applies to computerized and noncomputerized data and information systems. Systems must be maintained in a way that ensures the integrity of the data and information.
To the extent interfaces are relied upon, those interfaces between systems must be validated for proper functioning. Software configurations must be authorized, documented, and validated before implementation. In cases where data is being transferred, the data must be checked, including a check to ensure any calculations are appropriate and accurate.
Requirements 8.1–8.9 outline the management system requirement of ISO/IEC 17025:2017.
Generally, this clause outlines the management system requirements to ensure that the laboratory can achieve continuous, consistent conformance to the ISO/IEC 17025:2017 requirements. Through the management system, the laboratory has the opportunity to systematically evaluate the laboratory activities, initiate correct action cycles for nonconformities, evaluate whether nonconformities have affected the integrity of reported results, respond to customer complaints, and more.
If the laboratory management system is established and maintained in accordance with ISO 9001, and has shown that it is capable of supporting consistency in laboratory conformity to the requirements of ISO/IEC 17025:2017, then the ISO 9001 established system can satisfy the intent of these management system requirements.
Management System Documentation
Management system documentation is important in conveying the many values, behaviors, policies, and processes that must be operationalized to ensure that laboratory activities are clearly and competently performed by trained staff, resources are well deployed and maintained, and customers receive excellence in service. It is a system that can lead to meaningful improvement and support the organizational and business goals while addressing risk and capitalizing on opportunities.
Success in the laboratory’s pursuit of quality management and technical competence is largely dependent on the commitment at the top of the organization. An engaged management team is one indicator of success. In addition, all personnel performing laboratory activities must have access to all parts of the management system documentation related to the responsibilities and authorities of their position.
It is not only essential to have the system of documentation, but also to be able to demonstrate through evidence how application of the system leads to improvement. A systematic focus on nonconformities and initiating and closing corrective action cycles over time can improve laboratory operations, competence, and results.
Control of Management System Documents
Management system documentation must be controlled to ensure that the documentation-in-use reflects the latest in policy and procedures. As is also the case with the creation of new documents, changes in documents must be approved for adequacy before they are distributed or become available to staff or customers. Documents must also be routinely reviewed and updated as necessary. A system for uniquely identifying documents is an excellent strategy for keeping documentation organized and accessible.
Control of Records
Management system records must be legible, consistent with confidentiality requirements, and clearly identified. Furthermore, controls are needed to store, protect, back-up, archive, retrieve, retain, and dispose of records. The period for retaining records must be consistent with the laboratory’s contractual obligations.
Actions to Address Risks and Opportunities
A continual assessment and consideration of risks and opportunities makes good business sense. Assessing risk and opportunities can occur at all layers of the organization and, in many cases, this is an activity that already happens every day; staff members are meeting the needs of customers today while having their eyes on future opportunities and threats. The purpose of this requirement is to create an intentional focus on routinely reviewing the risks and opportunities facing the specific laboratory and the industry as a whole, and determining when the laboratory should implement action plans to mitigate the risk or take advantage of the opportunity.
As has been previously addressed, a central goal of a management system is to find, select, and act upon opportunities for improvement. The management system, if done well with a sustained focus, will enable the laboratory to identify a number of opportunities and improve the laboratory over time. This requirement also speaks to the value of implementing a customer feedback process, which can generate a wealth of information and ideas for improvement.
Corrective actions must be taken to correct nonconformities identified internally or during external assessments. The first step to take when a nonconformity is identified is to examine the factors and conditions leading to the nonconformity. This is critical to development of a corrective action plan that does not just fix an incident, but attempts to prevent that incident from occurring again. Not only is it important to correct problems and nonconformities, but also to monitor the effectiveness of any corrective action taken. Corrective action cycles should be well documented and can be a powerful tool for organizational learning and sustained improvement.
Internal audits are an established tool to support organizations as they assess different areas of their business on a rotating planned schedule. The goal of audits is to evaluate whether the management system is working and whether various departments or teams within the laboratory are following policy, protocols, and established best practices. It can be seen as an opportunity for learning and offers a chance to right the ship before it has gone too far off course. Consider internal audits as a calibration activity in being proactive in setting things right. It is also a great opportunity to engage new members of the team in business policy, practices, and protocols.
Internal audit activities must be documented and outcomes shared with applicable supervisors or managers. Nonconformities identified during internal audits require evaluation and timely corrective action cycles. Audits are also a good source of data to identify improvement opportunities.
As a final component to the management system, laboratories seeking to show conformity to ISO/IEC 17025:2017 must engage in routine management reviews. Management reviews are conducted with many participants from various areas of the laboratory who come together to evaluate the fulfillment of the management system. This is an opportunity to look backwards and forwards to consider the performance of the management system, and assess the need for changes and improvements.Allocation of resources and training may also be topics for discussion in the context of meeting goals. All inputs since the last review and any new inputs are considered to ensure timely closing of corrective action cycles.
Cannabis testing laboratories, whether testing products for medicinal or adult use, have a responsibility to provide accurate test results for potency, terpenes, and contaminants to build the public trust in the safety and efficacy of cannabis products. While ISO/IEC 1725:2017 can provide a good foundation for building a quality laboratory, each laboratory must establish analytical parameters, define personnel qualifications, and develop detailed procedures that reflect the needs of the laboratory and its customers. Laboratories should think of ISO/IEC 1025:2017 accreditation as a tool toward reaching the goal of accurate testing, rather than holding ISO/IEC 17025:2017 accreditation itself as the goal. This takes commitment from the top of the organization to those performing clerical functions, sampling, processing specimens, and performing testing.
Kathy Nucifora, MPH, MT (ASCP) is the Chief Operating Officer, COLA. Direct correspondence to: email@example.com.
K. Nucifora, Cannabis Science and Technology® Vol. 5(4), 42-50 (2022).