ISO 17025 Certified Testing Lab Not Required to Provide Raw Testing Data?

ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories


I have sent a sample for testing to a lab which is ISO certified, they have provided me with the test results, however, when I asked them for the Raw Data to support the testing performed as well as to keep it on record for the future investigational use, the testing lab refuses to provide the raw data, stating that we are not a GMP lab and as an ISO certified lab, we are not obliged to provide the raw data. They say the raw data could be shown to the regulatory authorities. Is this true?

The contract testing lab we mentioned is certified to ISO 17025.


Since the laboratory is “accredited” to ISO/IEC 17025, it will be useful to review a few relevant passages from that standard (note that the term “certified” or “registered” is usually used for organizations registered or certified to ISO 9001 quality management systems).

ISO/IEC 17025 Clause states:

“The laboratory shall retain records of original observations, derived data and sufficient information to establish an audit trail, calibration records, staff records and a copy of each test report or calibration certificate issued, for a defined period. The records for each test or calibration shall contain sufficient information to facilitate, if possible, identification of factors affecting the uncertainty and to enable the test or calibration to be repeated under conditions as close as possible to the original. The records shall include the identity of personnel responsible for the sampling, performance of each test and/or calibration and checking of results.”

ISO/IEC 17025 Clause 5.10.1 paragraph 3 states:

“In the case of tests or calibrations performed for internal customers, or in the case of a written agreement with the customer, the results may be reported in a simplified way. Any information listed in 5.10.2 to 5.10.4 which is not reported to the customer shall be readily available in the laboratory which carried out the tests and/or calibrations.”

Further, ISO/IEC 17025 Clause paragraph 2 states:

“When a statement of compliance with a specification is made omitting the measurement results and associated uncertainties, the laboratory shall record those results and maintain them for possible future reference.”

The ISO/IEC 17025 accredited laboratories are required to retain test results when they do not report the results on the test certificate (or report) to the customer. A word of caution: The laboratory may have a record retention policy (it should be documented in their quality system per ISO/IEC 17025 Clause Ensure that future record requests are made within the record retention policy period!

In the future, it would be best to specify in the purchase requisition what test data the customer requires from the test laboratory. This forms the basis for a contractual requirement and can be contested legally if the laboratory does not fulfill the customer’s requirements if it accepted the purchase requisition (This would apply to both ISO 9001 registered and ISO/IEC 17025 accredited laboratories).

The laboratory’s other argument about “GMP lab and as an ISO certified lab, they are not obliged to provide the raw data” is not consistent with the requirements of ISO/IEC 17025. The customer should file the refusal to provide data as a complaint to the laboratory under the clauses cited and ask the laboratory for corrective action under ISO/IEC 17025 Clause 4.8 (complaints) and 4.11 (corrective action).

If an ISO/IEC 17025 accredited laboratory refutes to provide corrective action under the requirements stated in this article, it is possible to escalate this complaint to their accrediting body.

Dilip A Shah
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

Postponement of Surveillance Audit Due to Force Majeure Event

Force majeure


If a Force Majeure event effects the company during the time that the annual Surveillance Audit was to be done, can the Surveillance Audit be postponed until after the conclusion of the Force Majeure period without losing ISO 9001 certification?  Will the impact be 1.) Merely a certificate lapse rectified with passing the re-scheduled Surveillance Audit loss, 2.) Loss of certification requiring the next audit to be a Certification Audit instead of a Surveillance Audit, or 3.) Is it up to the Registrar? In this case, assume the Surveillance schedule delay is only 3 months or less, and the company has an excellent ISO audit track record. Thank you.


Thanks for Contacting ASQ’s Ask the Experts program.  With regard to the frequency of surveillance audits as well as deferral of an audit as a result of force majeure, it’s important know that all reputable Registrars or certification bodies (CBs) are accredited by an accreditation body (AB) as such ANAB.  This is intended to ensure a consistent approach for issuance of certifications by CBs.  To maintain certification the CB may conduct periodic surveillance audits.  Registered or certified organizations must be re-certified every 3 years or prior to the expiration date listed on their certification certificate.

Surveillance audits are conducted by the Registrar to verify the organization’s continued implementation as well as the improvement of the effectiveness of their QMS.  Registrars may increase or decrease the frequency of surveillance audits based upon the maturity level of the organization’s QMS.  For this reason, the frequencies that surveillance audits are conducted may vary, but are usually scheduled annually or every 12 months.  Other situations that may affect actual frequency of surveillance audits may be the availability of Auditors or possibly, unusual situations being experienced by the Auditee or organization.

As already mentioned, re-certification audits are required to be conducted every 3 years.  A Registrar typically does not have the authority to extend any organization’s ISO 9001 certification beyond the expiration date as shown on the certification certificate.  I would suggest that the certification contract agreement between your organization and the Registrar be reviewed to determine how conditions of force majeure are to be addressed.  This review should be followed up with a discussion with the Registrar to ensure there will be no impact on your organization’s existing QMS certification.  For more information about surveillance audits and other information regarding certification bodies (CBs) review IAF guidance document “Application of ISO/IEC Guide 65:1996, Issue 3 (IAF GD 2006).  A copy of this document can be downloaded at

I hope this helps.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX  77339

The Role of an Observer During an Audit

Audit, audit by exception


A customer of ours wants to participate as an observer in an upcoming audit. I’ve not been able to find much information about the role of observer – what they can and cannot do.

For instance, I assume that they cannot ask questions during the audit interview process. Does anyone have an appropriate checklist for an observation – list of dos and don’ts?


The auditors should be notified of a presence of the observer in advance. There are times where this may not be allowed depending on the type of the audit.

The customer should sign a confidentiality agreement on not disclosing any information outside the audit process. The rules should be established as part of this confidentiality agreement.

An observer (customer) may not engage in any part of the audit.

The observer may not interfere in any aspect of the audit (may not inject, provide opinions, argue a finding, speak for or against a finding, use the audit information for a future punitive measure).

If questioned during the audit, the observer should explain the role as observer. Ideally this should be brought to the attention of the auditor in advance.

These basic rules ensure that the audit is not compromised in any way and the customer’s request to witness the audit is conducted in a professional manner.

Dilip A Shah
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

Switch from ANSI/ASQ Z1.9 to ANSI/ASQ Z1.4?

PLCs, programmable logic controllers



We are using ANSI z1.9 for a dimension test of packaging components. As dimension is under variable, can we switch to ANSI z1.4? The reason for this is to align with our supplier who is using ANSI z1.4.

Can you please advise if this switching is acceptable. If yes, what should be taken into consideration like AQL, etc.?


The ANSI/ASQ Z1.4 standard is for incoming inspection of attribute characteristics.  As you measurement is a variable measurement, it is appropriate to use ANSI/ASQ Z1.9.  Both plans are indexed by AQL, but have different sample size requirements based on the level of protection you are looking to maintain.  I assume your real question is can you switch from a variable plan (Z1.9) to an attribute plan (Z1.4) for your inspection to align with your supplier’s use of Z1.4.   Though I do not believe harmonizing with the supplier’s use of Z1.4 for your acceptance testing is necessary, it is possible to use Z1.4 by redefining the variable measurements as either good or no-good.  Choosing to move to Z1.4 from Z1.9 will increase your sample size for the same level of protection and same lot size.  For example, a lot size of 5000 would have a sample size of 75 in Z1.4 and 200 for Z1.4 for a General Inspection Level II plan.  Both plans give approximately the same AQL and LTPD, though the Z1.4 will require 2.67x more samples.

Steven Walfish
Chair Z1, U.S. TAG to ISO/TC 69
Staff Statistician, BD

“As received/As found” Condition Requirement in ISO/TS 16949?

Automotive inspection, TS 16949, IATF 16949


It’s been mentioned to me by several people that TS16949 requires that the “as found” (sometimes known as the “as received”) condition is required to be documented on calibration certificates. However, I’ve read 7.6.2 several times and I can’t find where it requires that.

Can you point me to the section that is being understood to mean the “as found” must be included?


Thank you for your question.

Although recording the as-received readings over the range of calibration is a best practice, it is not required by ISO/TS 16949.  Clause 7.6.2 – Calibration/Verification Records requires only that “records……shall include, any out-of-specification readings as received for calibration/verification.” Therefore, “as found” readings are only required to be recorded if they are out of specification. If they are within specification, they are not.

Denis J. Devos, P.Eng
Fellow of the American Society for Quality
Devos Associates Inc.
Advisors to the Automotive Industry