Abstract
Background:
ISO 20387:2018 is the first international standard specifically designed for biobanks, defining requirements for competence, impartiality, and operational consistency. In 2022, the Multi-Specialistic Biobank of the Azienda Ospedaliero-Universitaria Pisana became the first biobank in Italy to achieve ISO 20387 accreditation, setting a national benchmark for public-sector quality governance.
Approach:
The accreditation pathway followed a structured 12-month plan combining gap analysis, document harmonization, competence development, and internal audits. A multidisciplinary quality working group redesigned the quality management system and aligned managerial and operational processes with ISO 20387 requirements. Fourteen quality documents were revised or newly developed to standardize workflows, strengthen traceability, and embed risk-based principles throughout the biobank’s activities.
Outcomes:
ISO 20387 accreditation was granted on July 14, 2022. Subsequent surveillance audits in 2023, 2024, and 2025 confirmed sustained compliance and progressive improvements, including expanded internal audits, enhanced risk assessment, digital competence tracking, and strengthened Corrective and Preventive Action effectiveness. Persistent challenges—including infrastructural constraints, limited information technology support, and delays in software modifications—reflected structural limitations typical of public health care settings.
Significance:
This article provides an integrated account of ISO 20387 implementation and long-term maintenance in a public hospital biobank. The Pisa experience offers a replicable model for institutions operating under similar constraints, demonstrating how technical rigor, coordinated governance, and a shared quality culture can sustain accreditation and advance national biobanking excellence.
Keywords
Introduction
Biobanks are critical infrastructures underpinning precision medicine, translational research, and the reproducibility of biomedical studies. The integrity of biospecimens depends on rigorous control of preanalytical, analytical, and postanalytical steps; robust documentation; and harmonized processes that ensure traceability, comparability, and fitness-for-purpose. 1
Biobanking has historically been guided by best-practice frameworks such as the International Society for Biological and Environmental Repositories (ISBER) Best Practices 2 and the Organisation for Economic Co-operation and Development (OECD) Guidelines. 3 Over time, this guidance has evolved into formalized international standards. ISO 20387:2018 4 —Biotechnology—Biobanking—General Requirements for Biobanking—is the first global standard specifically developed for biobanks, covering technical competence, impartiality, method validation, quality management system (QMS) structure, personnel qualification, equipment verification, data integrity, and chain-of-custody. It incorporates principles from ISO 9001:2015, 5 providing a comprehensive and structured quality framework.
The Multi-Specialistic Biobank (BMS) at the Azienda Ospedaliero-Universitaria Pisana (AOUP), Pisa, Italy, is part of BBMRI.it, the Italian node of BBMRI-ERIC, which supports national harmonization of biobanking practices and alignment with European quality standards. Prior to pursuing ISO 20387 accreditation, the biobank operated under ISO 9001. While effective as a general quality management standard, ISO 9001 did not fully address biobank-specific requirements, including formal competence evaluation, metrological and digital traceability, method validation, or complete life cycle documentation of biospecimens.6–8 For this reason, ISO 9001 certification remained active within the hospital quality framework, while ISO 20387 was adopted as a separate, biobank-specific accreditation scheme. According to clause 8.1 of ISO 20387, the accreditation application was submitted under Option B, whereby a biobank that has established and maintains an ISO 9001-compliant QMS is considered to fulfil the intent of clauses 8.2–8.9, provided that conformity with clauses 4–7 is ensured. 4 This approach enabled the biobank to build on an existing certified quality system while addressing biobank-specific requirements related to competence, traceability, and life cycle control.
At the national level, early adoption of ISO 20387 was limited and largely uncoordinated, leaving public institutions without consolidated models for implementation.
To address this gap, the BMS sought to pioneer ISO 20387 implementation within a public hospital setting. Achieving accreditation in 2022 positioned Pisa as the first ISO 20387-accredited biobank in the country; the second accreditation in Italy occurred only in 2025. This experience required reconciling institutional workflows, research needs, and international quality expectations within a single coherent system.
This article describes the Pisa Biobank’s approach to achieving and maintaining ISO 20387 accreditation. It outlines the structured implementation strategy, documents results from three consecutive surveillance audits, and provides practical insights into how public hospital biobanks can sustain compliance over time.
Materials and Methods
Setting and design
ISO 20387 accreditation requires not only technical compliance but also a shared institutional understanding of quality as a collective responsibility. AOUP established a multidisciplinary quality working group, including the Biobank Unit, the Quality and Risk Management Office, the Legal Office, and an institutional information technology (IT) representative. The group coordinated the accreditation pathway, oversaw technical and organizational changes, and served as the reference interface with Accredia, the Italian national accreditation body.
The implementation plan was structured into four consecutive phases over 12 months: preparation and gap analysis; document and process alignment; internal readiness; and external audit (see Fig. 1).
Overview of the ISO 20387:2018 accreditation pathway implemented at the Pisa Biobank. ALCOA+, Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available; CAPA, Corrective and Preventive Action; KPIs, key performance indicators; SIPOC, Suppliers, Inputs, Process, Outputs, and Customers; SOPs, standard operating procedures.
Continuous improvement activities were sustained during the 2023–2025 surveillance.
Phase I: Preparation and gap analysis
A clause-by-clause assessment of ISO 20387 identified gaps beyond the existing ISO 9001 certification. All key biobanking processes—from sample collection and transport to accessioning, storage, internal use, and distribution—were mapped using Suppliers, Inputs, Process, Outputs, and Customers (SIPOC) diagrams and detailed flowcharts. Governance structures, roles, responsibilities, and existing documentation were reviewed to assess the alignment with the actual practice.
Equipment qualification status, calibration plans, and environmental monitoring records were analyzed to evaluate control of preanalytical and storage conditions. Digital tools were assessed for their ability to support traceability, metadata completeness, and audit-trail functionality, with particular attention to chain-of-custody risks such as sample mix-ups, incomplete records, or inconsistent data between systems.
Staff qualifications and authorizations were analyzed through training histories and job descriptions to identify gaps in role-specific competence. For example, the analysis revealed the absence of a formalized system for documenting, authorizing, and periodically reassessing staff competence for critical biobanking activities, a requirement not fully addressed under the existing ISO 9001 framework.
Overall, the analysis highlighted the need for a centralized document control system, harmonized workflows, formalized risk assessment, and improved integration between physical and digital traceability.
These findings informed a detailed implementation plan for subsequent phases, including responsibilities, timelines, and performance indicators.
Phase II: Document and process alignment
Phase II focused on redesigning the QMS to align with ISO 20387. The existing quality manual was restructured to mirror ISO clauses, clarifying relationships between policies, operational procedures and records, and facilitating identification of missing, redundant, or unclear documents.
Fourteen documents—11 standard operating procedures (SOPs) and 3 management procedures—were newly developed or substantially revised. They covered sample reception and accessioning, labeling, and chain-of-custody, aliquoting and reagent handling, storage management, temperature monitoring, equipment qualification, data integrity and the management of nonconformities, Corrective and Preventive Actions (CAPA), and internal audits. Of these, SOPs related to basic operational activities—such as sample reception, storage management, and temperature monitoring—were already in place under the previous ISO 9001-based framework and required substantial revision to meet ISO 20387 requirements, whereas SOPs addressing biobank-specific elements, including the formal competence assessment, the chain-of-custody documentation, and comprehensive life cycle traceability, were largely absent and were developed ex novo following the gap analysis.
As a concrete example, the SOP governing sample reception, accessioning, and labeling required substantial redesign to introduce standardized identifiers, explicit chain-of-custody checkpoints, and harmonized metadata fields consistently applied across both paper-based and digital records.
Document development followed drafting, multidisciplinary review, pilot testing in simulated or routine conditions, and formal approval with version control.
A digital document control system was implemented to ensure controlled distribution, secure archiving, and traceable withdrawal of obsolete documents. The decision to implement an electronic document control system was driven by limitations that emerged as the number and complexity of controlled documents increased during the transition to ISO 20387. Under the previous document management approach, version updates, distribution records, and withdrawal of obsolete documents relied on a combination of manual processes and shared repositories, which limited the ability to demonstrate document control in a consistent and auditable manner. In particular, the absence of an integrated audit-trail constrained reliable reconstruction of document histories during internal audits and accreditation assessments. The electronic system was therefore adopted to ensure robust version control, demonstrable controlled distribution, and traceable management of the document life cycle in accordance with accreditation requirements.
A structured training plan supported competence development. Three staff members conducted an in-depth internal study of ISO 20387, translating requirements related to data integrity, chain-of-custody, and risk-based thinking into procedural revisions. Workshops involving technicians helped align expectations, identify bottlenecks, and standardize terminologies and critical definitions.
Phase II concluded with a detailed implementation plan for QMS rollout, defining responsibilities, authority levels, timelines for introducing revised documents and processes, and performance indicators. Key performance indicators (KPIs), defined as measurable metrics used to monitor the effectiveness and stability of critical quality processes, addressed documentation completeness and use, competence maintenance and refresher training, and critical aspects of equipment qualification, calibration, and environmental monitoring. For example, KPIs included monitoring the proportion of authorized staff with up-to-date competence assessment for critical biobanking activities, as well as assessing the completeness of specimen traceability records by measuring the percentage of samples for which all required metadata could be consistently reconstructed across the life cycle.
Phase III: Internal readiness and system validation
Internal readiness activities validated implementation under real operating conditions. Traceability exercises required staff to reconstruct full specimen life cycles by verifying identifiers, timestamps, and storage locations. Staff compared paper and electronic records and confirmed that all required metadata—such as donor and sample type, processing conditions, storage parameters, and intended use—were complete and consistent. The data were evaluated using Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available (ALCOA+) principles.
During these exercises, traceability testing identified inconsistencies between electronic records and manual logs for a subset of historical samples, revealing gaps in data entry practices and record updating responsibilities. These findings prompted corrective actions to harmonize documentation workflows, strengthen audit-trail completeness, and clarify roles in record maintenance.
Digital systems supporting different parts of the workflow—including specimen management tools, temperature monitoring software, the document control platform, and spreadsheet-based operational logs—were assessed for audit-trail robustness, access-control adequacy, version history, and consistency across systems. Where spreadsheet-based operational logs were used, they were adapted to support ISO 20387 requirements by introducing predefined metadata fields, restricted editing rights, documented version control, and periodic review and approval by the authorized personnel, ensuring traceability and consistency with QMS-controlled records.
Interoperability gaps and manual data-transfer points were identified and addressed through corrective actions implemented jointly by internal staff and external software providers.
Critical equipment underwent the review of qualification status, calibration records, maintenance logs, and alarm functionality. The temperature mapping confirmed the stability of ultralow-temperature freezers and refrigerators.
Personnel competence was assessed through direct observation, structured interviews on role awareness, and the review of training and authorization records. For critical activities such as aliquoting and labeling, operators were evaluated on their ability to perform tasks consistently according to SOPs, with particular attention to error-prone steps such as patient/sample identification and documentation. Competence matrices were updated to ensure that only qualified staff performed critical tasks.
Phase IV: External audit by Accredia
Accredia conducted a 2-day on-site audit combining document review, process observation, staff interviews, and horizontal and vertical traceability assessments.
Horizontal audits evaluated real-time activities such as sample reception, aliquoting, labeling, storage, temperature checks, and associated documentation. Vertical audits followed individual specimens through their full life cycle from accessioning to storage and distribution, where applicable.
Audit trails and digital logs were scrutinized for metadata completeness, time-stamping, management of corrections, and adequacy of access control and permissions. Storage infrastructure—including ultralow-temperature freezers, refrigerators, and centrifuges—was inspected, along with temperature monitoring systems, alarm escalation procedures, calibration and qualification records, backup power arrangements, access control measures, and storage room layout.
Staff interviews assessed awareness of responsibilities, understanding of traceability and nonconformity reporting, engagement with CAPA processes, and adherence to impartiality and ethical requirements.
During the audit, Accredia issued observations highlighting the opportunity to further strengthen temperature monitoring schemes, particularly with respect to trend analysis and documentation of responses to deviations. These observations were addressed through targeted refinements of monitoring procedures and records.
Results
Accreditation and documentation outputs
On July 14, 2022, AOUP’s BMS became the first Italian biobank accredited to ISO 20387:2018. The accreditation confirmed the maturity of the QMS and operational practices developed during the 12-month implementation period.
Outputs included a reorganized quality manual aligned with ISO 20387, 14 updated SOPs and management procedures, and a digital document control platform ensuring controlled document life cycle management. KPIs were implemented to monitor documentation performance, staff competence, and equipment control.
Internal system performance and readiness
Readiness activities demonstrated that specimen life cycles could be reliably reconstructed and that metadata met ALCOA+ requirements. Identified weaknesses in documentation and data integration were corrected through targeted CAPA actions.
The evaluation of digital systems revealed fragmentation characteristic of public health care environments, with multiple software platforms from different providers. Nevertheless, audit trails, access controls, and correction-handling mechanisms were strengthened to support ISO 20387 traceability requirements.
Equipment qualification and environmental monitoring confirmed appropriate performance and responses to deviations. Personnel competence assessments reinforced alignment between training, authorization, and task assignment.
Surveillance audits and continuous improvement (2023–2025)
Accreditation certificates issued by Accredia in Italy are valid for a 4-year cycle. 9 During this period, accredited biobanks are subject to periodic external surveillance audits conducted at 12-month intervals to verify continued conformity with ISO 20387 requirements. Accredited organizations are also required to formally notify Accredia of any revisions to the QMS and of proposed changes to procedures related to accredited activities, including the associated documentation framework.
At the end of the 4-year cycle, a renewal application must be submitted to initiate a new accreditation cycle.
Surveillance audits conducted in 2023, 2024, and 2025 confirmed ongoing conformity and progressive system strengthening. Over the same period, a digital training and competence management module was implemented, enabling complete and traceable records of staff qualifications, automated reminders for refresher training and reauthorization, and documented participation in audits, CAPA activities, and quality improvement initiatives. The module also supported alignment between QMS-recorded authorizations and permissions granted in digital systems.
Following accreditation, the institutional IT representative who had supported implementation was no longer assigned to the biobank. In the absence of dedicated IT support, staff members with informatics expertise assumed broader responsibilities for system optimization, troubleshooting, and implementation of digital corrective actions, working in collaboration with the AOUP Technical Office and external software providers. While this approach ensured operational continuity, it also increased reliance on internal expertise and introduced delays related to external response times and public procurement procedures.
Internal audit activities were expanded to systematically test digital traceability, chain-of-custody, and environmental monitoring. The biobank adapted procedures in response to evolving institutional conditions, including changes in clinical workflows, privacy and consent governance, staff turnover, and new clinical or research pathways. These adjustments required regular updating of procedures, documentation and training, and ongoing dialogue with clinical and administrative stakeholders.
Across the surveillance period, Accredia confirmed that the QMS remained robust under dynamic institutional conditions.
Discussion
This study demonstrates that ISO 20387:2018 accreditation is both achievable and sustainable within the complex environment of a public hospital biobank, provided that technical, organizational, and cultural components are addressed in parallel.
Technical integration and data integrity
A major lesson concerned the integration of technical systems needed to ensure end-to-end traceability of biospecimens. Achieving a secure chain-of-custody required standardized metadata structures, harmonized data-entry practices, and elimination of local documentation variants. Method validation for freezing, aliquoting, and storage procedures was essential to demonstrate fitness-for-purpose, while environmental monitoring and alarm escalation mechanisms had to be reinforced to guarantee continuous control of storage conditions.
The reliance on multiple software platforms managed by external providers highlighted vulnerabilities in digital infrastructures. Even minor modifications—such as adding metadata fields or enhancing audit-trail capacity—required formal requests, contractual processing, and alignment with provider development schedules, resulting in delays that hindered the implementation of corrective actions identified through audits or risk assessments. This underscores the importance of dedicated and stable IT support as a core requirement for sustaining ISO 20387 compliance.
Organizational coordination and governance
The implementation of ISO 20387 in Pisa underscored the need for robust cross-functional governance. Biobanking activities intersect with clinical workflows, ethical and legal requirements, administrative processes, and research priorities. The multidisciplinary working group was crucial in defining roles and responsibilities, aligning expectations, and establishing communication channels between units involved in sample collection, transport, processing, and documentation.
Harmonizing legacy documentation, particularly informed consent forms and associated governance materials, was essential for aligning historical practices with contemporary ethical, legal, and quality requirements. Organizational alignment proved to be a dynamic process, requiring periodic reassessment as the QMS matured and institutional structures evolved.
Quality culture and staff engagement
Another key finding relates to the cultural shift required to sustain accreditation over the long term. Initial perceptions of ISO implementation as an administrative burden gradually gave way to recognition of quality as a practical tool for error reduction, clarity of responsibilities, and improved reproducibility.
Structured training, participatory workshops, and direct involvement in audits and CAPA activities helped embed ISO 20387 principles into everyday practice. Over time, internal audits evolved from evaluative exercises into opportunities for learning and system improvement, supporting a shared quality mindset.
Systemic constraints in public health care settings
The Pisa Biobank’s experience reveals systemic constraints typical of public health care environments. Limited and fluctuating dedicated IT support placed a significant burden on internal staff with informatics expertise and highlighted the need for stable, biobank-dedicated digital governance.
Dependence on externally administered laboratory software constrained the speed at which digital systems could be adapted in response to audit findings or emerging risks. Public procurement rules and multi-layered administrative procedures further limited responsiveness.
Operational complexity, variable clinical workflows, budget restrictions, and infrastructural limitations (e.g., space, environmental control, and power systems) required enhanced monitoring and contingency planning to safeguard sample integrity. Moreover, the institutional visibility of the biobank did not always reflect its strategic role, complicating advocacy for resources and recognition of the regulatory implications of ISO 20387.
Conclusions
Taken together, these findings suggest that ISO 20387 accreditation can act as a catalyst for organizational maturity in public hospital biobanks. The Pisa experience indicates that:
Technical, organizational, and cultural components must advance in parallel. Gaps in institutional IT support can be partially mitigated through internal staff and structured collaboration with external providers, but the presence of a dedicated IT figure remains essential for sustaining ISO 20387 compliance. Documentation and consent harmonization are essential for coherence and legal–ethical compliance. Continuous improvement mechanisms—such as CAPA, internal audits, and management reviews—are indispensable for sustaining a high-performing QMS.
As the first Italian biobank to achieve ISO 20387 accreditation, the Pisa Biobank provides a replicable model for public institutions seeking to embed international quality standards into routine operations. When integrated into organizational routines and supported by systematic continuous improvement, accreditation can evolve from a one-time achievement into a strategic framework that reinforces reproducibility, enhances institutional credibility, and contributes to the overall quality of national biobanking infrastructures.
Authors’ Contributions
All authors contributed substantially to the conception, preparation, and finalization of this article. A.Z.: Conceived the project, supervised the accreditation process, and drafted the article. E.B.: Coordinated the quality management activities and contributed to the article preparation. F.N.: Contributed to staff training and audit coordination. S.L.: Critically revised the article for important intellectual content. All authors have reviewed and approved the final version of the article and agree to be accountable for all aspects of the work.
Footnotes
Author Disclosure Statement
The authors declare no conflicts of interest.
Funding Information
No funding was received for this article.
References
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
