Medical laboratories - Application of risk management to medical laboratories (ISO/DIS 22637:2025)

This document specifies a process for a medical laboratory to identify and manage the risks to patients, laboratory workers and service providers that are associated with medical laboratory examinations. The process includes identifying, estimating, evaluating, controlling and monitoring the risks.
The requirements of this document are applicable to all aspects of the examinations and services of a medical laboratory, including the pre-examination and post-examination aspects, examinations, accurate transmission of test results into the electronic medical record and other technical and management processes described in ISO 15189.
This document does not specify acceptable levels of risk.
This document does not apply to risks from post-examination clinical decisions made by healthcare providers.
This document does not apply to the management of risks affecting medical laboratory enterprises that are addressed by ISO 31000, such as business, economic, legal, and regulatory risks.

Medizinische Laboratorien - Anwendung des Risikomanagements auf medizinische Laboratorien (ISO/DIS 22637:2025)

Laboratoires de biologie médicale - Application de la gestion des risques aux laboratoires de biologie médicale (ISO/DIS 22637:2025)

This document specifies a process enabling a medical laboratory to identify and manage the risks to patients, laboratory personnel and service providers that are associated with medical laboratory examinations. The process includes the identification, estimation, evaluation, control and management of risks.
The requirements of this document are applicable to all aspects relating to the examinations and services of a medical laboratory, including the pre-examination and post-examination aspects, examinations, the rigorous transmission of examination results into an electronic medical record and the other technical and managerial processes described in ISO 15189.
This document does not specify acceptable levels of risk.
This document does not apply to risks related to post-examination clinical decisions made by healthcare providers.
This document does not apply to the management of risks affecting medical laboratory enterprises that are covered by ISO 31000, such as commercial, economic, legal and regulatory risks.

Medicinski laboratoriji - Uporaba obvladovanja tveganja v medicinskih laboratorijih (ISO/DIS 22367:2025)

General Information

Status: Not Published
Publication Date: 01-Nov-2026
Current Stage: 4060 - Closure of enquiry - Enquiry
Start Date: 25-Jun-2025
Completion Date: 25-Jun-2025

Relations

Draft
prEN ISO 22367:2025 - BARVE
English language
86 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-June-2025
Medicinski laboratoriji - Uporaba obvladovanja tveganja v medicinskih laboratorijih (ISO/DIS 22367:2025)
Medical laboratories - Application of risk management to medical laboratories (ISO/DIS 22367:2025)
Medizinische Laboratorien - Anwendung des Risikomanagements auf medizinische Laboratorien (ISO/DIS 22367:2025)
Laboratoires de biologie médicale - Application de la gestion des risques aux laboratoires de biologie médicale (ISO/DIS 22367:2025)
This Slovenian standard is identical to: prEN ISO 22367
ICS:
03.100.01 Company organization and management in general
11.100.01 Laboratory medicine in general
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.

DRAFT International Standard
ISO/DIS 22367
ISO/TC 212
Secretariat: ANSI
Voting begins on: 2025-04-02
Voting terminates on: 2025-06-25
Medical laboratories — Application of risk management to medical laboratories
Laboratoires de biologie médicale — Application de la gestion des risques aux laboratoires de biologie médicale
ICS: 11.100.01
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/DIS 22367:2025(en)
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Risk Management
4.1 Risk management process
4.2 Management responsibilities
4.3 Qualification of personnel
4.4 Risk management activities
4.4.1 Foreseeable risk
4.4.2 Opportunity
4.4.3 Information provided to users
5 Management of proactive risks
5.1 Proactive risk management plan
5.2 Scope of the plan
5.3 Contents of the plan
5.4 Revisions to the plan
5.5 Documentation of the risk management plan
6 Proactive risk analysis
6.1 General
6.2 Risk analysis process
6.3 Documentation of the risk analysis process
6.3.1 Intended medical laboratory use and reasonably foreseeable misuses
6.3.2 Identification of characteristics related to safety
6.3.3 Identification of hazards
7 Risk evaluation
7.1 General
7.1.1 Evaluation of reactive risks
7.1.2 Evaluation of proactive risks
7.2 Benefit-Risk analysis
7.3 Proactive risk evaluation
7.3.1 Risk acceptability criteria
7.3.2 Risk reduction
8 Risk control
8.1 Risk control options
8.1.1 Role of standards in risk control
8.1.2 Role of IVD medical devices in risk control
8.2 Risks external to the laboratory
8.3 Risks arising from risk control measures
8.4 Residual risk evaluation
8.5 Risk control verification
9 Risk management review
9.1 Completeness of risk control
9.2 Evaluation of overall residual risk
9.3 Risk management report
10 Risk monitoring, analysis and control activities
10.1 Surveillance procedure
10.2 Internal sources of risk information
10.3 External sources of risk information
11 Immediate actions to reduce risk
Annex A (informative) Implementation of risk management within the management system
Annex B (informative) Risk acceptability considerations
Annex C (informative) Risk acceptability considerations
Annex D (informative) Annex identification of characteristics related to safety
Annex E (informative) Examples of foreseeable risks, hazards, foreseeable sequences of events and hazardous situations
Annex F (informative) Annex Nonconformities potentially leading to significant risks
Annex G (informative) Annex Risk analysis tools and techniques
Annex H (informative) Annex Risk analysis of foreseeable user actions
Annex I (informative) Annex Methods of risk assessment, including estimation of probability and severity of harm
Annex J (informative) Overall residual risk evaluation and risk management review
Annex K (informative) Annex Conducting a benefit-risk analysis
Annex L (informative) Annex Residual risk(s)
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 212, Medical laboratories and in vitro diagnostic
systems.
This second edition cancels and replaces (ISO 22367:2020), which has been technically revised. The main
changes compared to the previous edition are as follows:
— The application of risk management to processes has been emphasized;
— Reactive and proactive risk management has been discussed, differentiated, and illustrated;
— The content is as far as possible in agreement with the requirements for risk management in ISO 15189:2022;
— The relation with ISO 15189:2022 is indicated in Annex A in which Figure A.1 provides a flow chart for
the underlying quality management system to underpin this standard;
— Annex I.5 has been slightly modified to emphasize that risks most often require benefit-risk assessment
to determine risk acceptability.
Recognizing the effort required for translation, only Annex A and Annex I as mentioned above and
Annex sections F.1, F.6.1 and F.8 have been modified. The remaining annexes have been retained unchanged
after review from the prior edition.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Medical laboratories deal with risks as part of their usual activities; these risks affect patients, personnel,
caregivers, and the organization as a whole. Risks span the range of services: pre-examination, examination
and post-examination processes, including the design and development of laboratory examinations. The
intent of this document is not to introduce risk as a concern for the laboratory but to provide a structure
for addressing, managing, and documenting risks that are part of the day-to-day and long-term (strategic)
activities of the laboratory.
ISO 15189 requires that medical laboratories review all work processes to identify potential failures for
risk of harm to patients and opportunities for improvement, modify the processes to reduce or eliminate
the identified risks, and document the decisions and actions taken. This document describes a process
for managing these risks to the patient, the operator, other persons, equipment and other property, the
healthcare enterprise as a whole, and the environment. It does not address business enterprise risks, which
are the subject of ISO 31000; however, ISO 31000 is consistent with and can provide further understanding
for the concepts in this document.
Medical laboratories span a broad range of activities, some of which rely on the use of in vitro medical devices
to achieve their quality objectives. When such devices are involved, risk management has to be a shared
responsibility between the IVD manufacturer and the medical laboratory. Since most IVD manufacturers
have already implemented ISO 14971:2019, “Medical devices - Application of risk management to medical
devices,” this standard has adopted similar concepts, principles and framework to manage the risks
associated with the medical laboratory when appropriate. This is especially meaningful for laboratories
that implement their own examinations on devices (laboratory developed tests); concepts integral to
ISO 14971:2019 can be directly applicable. ISO 5649:202X is a useful reference for identifying and addressing
risks in the development, implementation and retirement phases of LDT.
Activities in a medical laboratory can expose patients, workers or other stakeholders to a variety of hazards,
which can lead directly or indirectly to varying degrees of harm. The concept of risk has two components:
a) the probability of occurrence of harm;
b) the consequence of that harm, that is, how severe the harm might be.
Risk management is complex because each stakeholder may place a different value on the risk of harm.
Risk management interfaces with quality management at many points in the medical laboratory. In
ISO 15189, as an example, risk management is a component of complaint management, internal audit,
corrective action, quality control, management review and external assessment (for both accreditation
and proficiency testing). Management of risk also coincides with the management of safety in the medical
laboratories, as exemplified by the safety audit checklists in ISO 15190. This standard is intended to assist
medical laboratories with the integration of risk management into their routine organization, operation and
management.
DRAFT International Standard ISO/DIS 22367:2025(en)
Medical laboratories — Application of risk management to
medical laboratories
1 Scope
This document specifies a process for a medical laboratory to identify and manage the risks to patients,
laboratory workers and service providers that are associated with medical laboratory examinations. The
process includes identifying, estimating, evaluating, controlling and monitoring the risks.
The requirements of this document are applicable to all aspects of the examinations and services of a
medical laboratory, including the pre-examination and post-examination aspects, examinations, accurate
transmission of examination results into the electronic medical record and other technical and management
processes described in ISO 15189.
The primary reason for risk management in medical laboratories is to reduce risk of harm to patients and
identify opportunities for improved patient care.
This document does not specify acceptable levels of risk.
This document does not apply to risks from post-examination clinical decisions made by healthcare
providers.
This document complements the management of risks affecting medical laboratory enterprises that are
addressed by ISO 31000, such as business, economic, legal, and regulatory risks.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
benefit
impact or desirable outcome of a process (3.20), procedure (3.18) or the use of a medical device on the health
of an individual or a positive impact on patient management or public health
Note 1 to entry: Benefits include prolongation of life, reduction of pain (relief of symptoms), improvement in function,
or an increased sense of well-being.
3.2
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
Note 4 to entry: An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.
[SOURCE: ISO 31073:2022, 3.3.11]
3.3
examination
set of operations having the objective of determining the numerical value, text value or characteristics of a
property
Note 1 to entry: An examination may be the total of a number of activities, observations or measurements required to
determine a value or characteristics.
Note 2 to entry: Laboratory examinations that determine a numerical value of a property are called “quantitative
examinations”; those that determine the characteristics of a property are called “qualitative examinations”.
Note 3 to entry: Laboratory examinations are also called “assays” or “tests”.
[SOURCE: ISO 15189:2022, 3.8]
3.4
foreseeable risk
a risk (3.24) that is predictable prior to its occurrence.
Note 1 to entry: Risk (3.24) can be known from prior experience, assessment of current circumstances, prior
occurrence of an event (3.2), or other sources.
Note 2 to entry: A risk (3.24) that is foreseeable does not imply that it has been anticipated or addressed.
3.5
frequency
number of events (3.2) or outcomes per defined unit of time
Note 1 to entry: Frequency can be applied to past events (3.2) or to potential future events (3.2), where it can be used
as a measure of likelihood or probability (3.19).
[SOURCE: ISO 31073:2022, 3.3.20]
3.6
harm
injury or damage to the health of people, or damage to property or the environment
[SOURCE: ISO/IEC Guide 51:2014, 3.1]
3.7
hazard
source of potential harm (3.6)
[SOURCE: ISO 31073:2022, 3.3.12, modified – Note 1 to entry has been deleted.]
3.8
hazardous situation
circumstance in which people, property, or the environment are exposed to one or more hazard(s) (3.7)
[SOURCE: ISO/IEC Guide 51:2014, 3.4]
3.9
healthcare provider
individual authorized to deliver health services to a patient
EXAMPLE Physician, nurse, ambulance attendant, dentist, diabetes educator, laboratory technician, laboratory
technologist, biomedical laboratory scientist, medical assistant, medical specialist, respiratory care practitioner.
[SOURCE: ISO 18113-1:2022, 3.1.28]
3.10
in vitro diagnostic manufacturer
IVD manufacturer
natural or legal person with responsibility for the design, manufacture, packaging, or labelling (3.13) of an
IVD medical device (3.11), assembling a system, or adapting an IVD medical device (3.11) before it is placed on
the market or put into service, regardless of whether these operations are carried out by that person or on
that person's behalf by a third party
Note 1 to entry: Provisions of national or regional regulations can apply to the definition of manufacturer.
[SOURCE: ISO 14971:2007, definition 2.8, modified – “manufacturer” has been changed to “in vitro diagnostic
manufacturer”. “A medical device” has been changed to “an IVD medical device” (3.11). “Attention is drawn to
the fact that” has been deleted in Note 1 to entry. In addition, Note 2 to entry has been deleted.]
3.11
in vitro diagnostic medical device
IVD medical device
medical device, whether used alone or in combination, intended by the manufacturer for the in vitro
examination (3.3) of specimens derived from the human body solely or principally to provide information
for diagnostic, monitoring or compatibility purposes and including reagents, calibrators, control materials,
specimen receptacles, software, and related instruments or apparatus or other articles
[SOURCE: ISO 18113-1:2022, 3.1.33, Note 1 merged into body, Note 2 deleted]
3.12
in vitro diagnostic instrument
IVD instrument
equipment or apparatus intended by a manufacturer to be used as an IVD medical device (3.11)
[SOURCE: ISO 18113-1:2022, 3.1.32]
3.13
information supplied by the manufacturer
labelling
written, printed or graphic matter
— affixed to an IVD medical device (3.11) or any of its containers or wrappers or
— provided for use with an IVD medical device (3.11),
related to identification and use, and giving a technical description, of the IVD medical device (3.11), but
excluding shipping documents
EXAMPLE Labels, instructions for use (3.14).
Note 1 to entry: In IEC standards, documents provided with a medical device and containing important information
for the responsible organization or operator, particularly regarding safety, are called “accompanying documents”.
Note 2 to entry: Catalogues and material safety data sheets are not considered labelling of IVD medical devices (3.11).
[SOURCE: ISO 18113-1:2022, 31.35, modified]
3.14
instructions for use
information supplied by the manufacturer (3.13) to enable the safe and proper use of an IVD medical device (3.11)
Note 1 to entry: Includes the directions supplied by the manufacturer for the use, maintenance, troubleshooting and
disposal of an IVD medical device (3.11), as well as warnings and precautions.
[SOURCE: ISO 18113-1:2022, 3.1.6, modified]
3.15
intended use
intended purpose
objective intent of an IVD manufacturer (3.10) regarding the use of a product, process (3.20) or service (3.37)
as reflected in the specifications, instructions and information supplied by the IVD manufacturer (3.10)
Note 1 to entry: Intended use statements for IVD labelling (3.13) can include two components: a description of the
functionality of the IVD medical device (3.11) (e.g., an immunochemical measurement procedure (3.18) for the detection
of analyte “x” in serum or plasma), and a statement of the intended medical use of the examination (3.3) results.
[SOURCE: ISO 18113-1:2022, 3.1.7, Note 2 deleted]
3.16
laboratory management
person(s) with responsibility for, and authority over a laboratory
Note 1 to entry: Laboratory management has the power to delegate authority and provide resources within the
laboratory.
Note 2 to entry: The laboratory management includes the laboratory director(s) and delegates together with
individuals specifically assigned to ensure the quality of the activities of the laboratory.
[SOURCE: ISO 15189:2022, 3.15]
3.17
likelihood
chance of something happening
Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something
happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and
described using general terms or mathematically (such as a probability (3.19) or a frequency (3.5) over a given time
period).
Note 2 to entry: The English language term “likelihood” does not have a direct equivalent in some languages; instead,
the equivalent of the term “probability” (3.19) is often used. However, in English, “probability” (3.19) is often narrowly
interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent
that it should have the same broad interpretation as the term “probability” (3.19) has in many languages other than
English.
[SOURCE: ISO 31073:2022, 3.3.16]
3.18
procedure
specified way to carry out an activity or a process (3.20)
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
3.19
probability
measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1
is absolute certainty
Note 1 to entry: See definition of likelihood (3.17), Note 2 to entry.
[SOURCE: ISO 31073:2022, 3.3.19]
3.20
process
set of interrelated or interacting activities that use inputs to deliver an intended result
Note 1 to entry: Whether the “intended result” of a process is called output, product or service (3.38) depends on the
context of the reference.
[SOURCE: ISO 9000:2015, 3.4.1, modified – Note 2 to entry to Note 6 to entry have been deleted.]
3.21
reasonably foreseeable misuse
use of a product, process (3.20) or service (3.37) in a way not intended by the supplier, but which may result
from readily predictable human behaviour
Note 1 to entry: Readily predictable human behaviour includes the behaviour of all types of intended users (3.43).
Note 2 to entry: In the context of consumer safety, the term “reasonably foreseeable use” is increasingly used as a
synonym for both “intended use” (3.15) and “reasonably foreseeable misuse.”
Note 3 to entry: Applies to use of examination (3.3) results by a healthcare provider (3.9) contrary to the intended use
(3.15), as well as use of IVD medical devices (3.11) by the laboratory contrary to the instructions for use (3.14).
Note 4 to entry: Misuse includes abnormal use, i.e. intentional use of the device in a way not intended by the
manufacturer.
Note 5 to entry: Adapted from ISO Guide 63:2012, 2.8, to apply to medical laboratories.
[SOURCE: ISO/IEC Guide 51:2014, 3.7, modified – “a product or system” has been changed to “a product, process (3.20)
or service” (3.38), and “can” has been changed to “may”. In addition, “Note 3 to entry to Note 5 to entry” have been added.]
Note 6 to entry: Misuse is intended to mean incorrect or improper performance of an examination (3.3) procedure
(3.18) or any procedure (3.18) critical for patient safety.
[SOURCE: ISO/IEC Guide 51:2014, 3.7, modified – Note 1 examples were removed]
3.22
record
document stating results achieved or providing evidence of activities performed
Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of verification
(3.44), preventive action and corrective action.
Note 2 to entry: Generally, records need not be under revision control.
[SOURCE: ISO 9000:2015, 3.8.10]
3.23
residual risk
risk (3.24) remaining after risk (3.24) control measures have been taken
[SOURCE: ISO/IEC Guide 63:2019, 2.9]
3.24
risk
combination of the probability (3.19) of occurrence of harm (3.6) and the severity (3.38) of that harm (3.6)
Note 1 to entry: In standards that focus on management of risks to a business enterprise, such as ISO 31000, risk is
defined as “the effect of uncertainty on objectives.” ISO 14971 and this document have retained the definition from
ISO/IEC Guide 51:1999 because they are externally focused on risks to the safety of patients and other persons.
[SOURCE: ISO/IEC Guide 51:2014, 3.9]
3.25
risk analysis
systematic use of available information to identify hazards (3.7) and to estimate the risk (3.24)
Note 1 to entry: Risk analysis includes examination (3.3) of different sequences of events (3.2) that can produce
hazardous situations (3.8) and harm (3.6).
[SOURCE: ISO/IEC Guide 51:2014, 3.10, modified - Note 1 to entry has been added.]
3.26
risk assessment
overall process (3.20) comprising a risk analysis (3.25) and a risk evaluation (3.29)
[SOURCE: ISO/IEC Guide 51:2014, 3.11]
3.27
risk control
process (3.20) in which decisions are made and measures implemented by which risks (3.24) are reduced to,
or maintained within, specified levels
[SOURCE: ISO/IEC Guide 63:2019, 2.12]
3.28
risk estimation
process (3.20) used to assign values to the probability (3.19) of occurrence of harm (3.6) and the severity
(3.39) of that harm (3.6)
[SOURCE: ISO/IEC Guide 63:2019, 2.13]
3.29
risk evaluation
process (3.20) of comparing the estimated risk (3.24) against given risk (3.24) criteria to determine the
acceptability of the risk (3.24)
[SOURCE: ISO/IEC Guide 63:2019, 2.14]
3.30
risk management
systematic application of management policies, procedures (3.18) and practices to the tasks of analysing,
evaluating, controlling and monitoring risk (3.24)
[SOURCE: ISO/IEC Guide 63:2019, 2.15]
3.31
risk management documentation
set of records (3.22) and other documents that are produced by risk management (3.30)
[SOURCE: ISO 14971:2007, 2.23]
3.32
risk management plan
scheme specifying the approach, the management components and resources to be applied to the
management of risk (3.24)
[SOURCE: ISO 31000:2009, 2.6]
3.33
risk management policy
statement of the overall intentions and direction of an organization related to risk management (3.30)
[SOURCE: ISO 31073:2022, 3.2.2]
3.34
risk monitoring
surveillance
continual checking, critically observing or determining the status in order to identify change from the risk
(3.24) level required or expected
[SOURCE: ISO 31073:2022, definition 3.3.40, modified – “Monitoring” has been changed to “risk monitoring”.
“Supervising” has been deleted, and “performance” has been changed to “risk” (3.24). In addition, Note 1 to
entry has been deleted.]
3.35
risk reduction
actions taken to lessen the probability (3.19) or negative consequences or both, associated with a risk (3.24)
[SOURCE: ISO 22300:2018, 3.210]
3.36
safety
freedom from unacceptable risk (3.24)
[SOURCE: ISO/IEC Guide 63:2019, 2.16]
3.37
service
laboratory medicine activity performed by a medical laboratory for the benefit (3.1) of patients and the
healthcare providers (3.9) responsible for the care of those patients
Note 1 to entry: Medical laboratory services include arrangements for examination (3.3) requests, patient preparation,
patient identification, collection of samples, transportation, storage, processing and examination (3.3) of clinical
samples, together with subsequent interpretation, reporting and advice, in addition to the considerations of safety
(3.36) and ethics in medical laboratory work.
Note 2 to entry: Adapted from ISO 15189:2022, Introduction
3.38
severity
measure of the possible consequences of a hazard (3.7)
[SOURCE: ISO/IEC Guide 63:2019, 2.17]
3.39
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or
activity
Note 1 to entry: A decision maker can be a stakeholder.
[SOURCE: ISO Guide 73:2009, 3.2.1.1]
3.40
state of the art
developed stage of technical capability at a given time as regards products, processes (3.20) and services
(3.37), based on the relevant consolidated findings of science, technology and experience
Note 1 to entry: The state of the art embodies what is currently and generally accepted as good practice. The state of
the art does not necessarily imply the most technologically advanced solution. The state of the art described here is
sometimes referred to as the “generally acknowledged state of the art”.
[SOURCE: ISO/IEC Guide 63:2019, 2.19]
3.41
use error
laboratory medicine user (3.43) action or lack of user (3.43) action while performing a laboratory examination
(3.3) or using an IVD medical device (3.11) or performing any task in any procedure (3.18) that leads to a
different result than that intended by the laboratory or manufacturer or expected by the user (3.42)
Note 1 to entry: Use error includes the inability of the user (3.43) to complete a task.
Note 2 to entry: Use errors can result from a mismatch between the characteristics of the user (3.43), user interface,
task, or use environment.
Note 3 to entry: Users (3.43) might be aware or unaware that the use error has occurred.
Note 4 to entry: An unexpected physiological response of the patient is not by itself considered use error.
Note 5 to entry: A malfunction of an IVD medical device that causes an unexpected result is not considered a use error.
Note 6 to entry: Use error includes the use of an examination (3.3) result for an unintended target group or for an
unintended diagnostic or patient management purpose.
Note 7 to entry: The term was chosen over “user error”, “human error” or “laboratory error” because not all causes
of error are partially or solely due to the user (3.42). Use errors are often the result of poorly designed user (3.43)
interface or processes (3.20), or inadequate instructions for use (3.14).
[SOURCE: ISO/IEC 62366-1:2015, 3.21, modified – “(laboratory medicine)” has been added. “Performing a
laboratory examination (3.3) or”, “an IVD” and “laboratory or” have also been added. Note 6 to entry was
deleted. A new Note 6 to entry and a Note 7 to entry were added.]
3.42
user
individual responsible for an action that is intended to lead to a desired outcome
Note 1 to entry: Although such individuals are often laboratory personnel that are expected to be trained and
competent to perform the action, this term is not limited to such personnel.
Note 2 to entry: The use of this term is not intended to imply that a device is utilized for the action; it is used as a
general term to include any individual that has a role in producing the desired outcome.
3.43
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use
(3.15) or application have been fulfilled
Note 1 to entry: The objective evidence needed for a validation is the result of a test or other form of determination
such as performing alternative calculations or reviewing documents.
Note 2 to entry: The word “validated” is used to designate the corresponding status.
Note 3 to entry: The use conditions for validation can be real or simulated.
[SOURCE: ISO 9000:2015, 3.8.13]
3.44
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
Note 1 to entry: The objective evidence needed for a verification can be the result of an inspection or of other forms of
determination such as performing alternative calculations or reviewing documents.
Note 2 to entry: The activities carried out for verification are sometimes called a qualification process (3.20).
Note 3 to entry: The word “verified” is used to designate the corresponding status.
[SOURCE: ISO 9000:2015, 3.8.12]
4 Risk Management
4.1 Risk management process
The medical laboratory shall establish, document, implement and maintain processes for identifying hazards
associated with its examinations and services, estimating and evaluating the associated risks, controlling
these ri
...
