Software in the ISO 17025 Context
ISO/IEC 17025:2017 explicitly addresses software in several clauses. Section 7.11 (Control of data and information management) requires laboratories to validate software used for the acquisition, processing, recording, reporting, storage, or retrieval of test or calibration data.
For modern labs, this touches nearly every digital tool in your environment.
What the Standard Requires
Clause 7.11.2 - Software Validation
Laboratory software must be validated before use. This includes:
- Commercial off-the-shelf (COTS) software - including LIMS, spreadsheets, and statistical packages
- Custom-developed software - in-house tools and scripts
- Modified software - any changes to validated software trigger re-validation
Clause 7.11.3 - Data Protection
- Data must be protected from unauthorized access, tampering, and loss
- Electronic records must maintain integrity equivalent to paper records
- Backup and recovery procedures must be documented and tested
Clause 6.4.13 - Equipment Software
Software critical to laboratory equipment performance must be identified, and its correct functioning verified before use. Version tracking is essential.
A Practical Validation Framework
For LIMS and Major Systems
- User Requirements Specification (URS) - Define what the system must do in your specific lab context.
- Vendor audit/assessment - Evaluate the vendor's development and QA processes. Request their validation documentation package.
- Installation Qualification (IQ) - Verify correct installation, version, and configuration.
- Operational Qualification (OQ) - Test all functions you use against your URS. Document pass/fail with evidence.
- Performance Qualification (PQ) - Run the system with real data under real conditions for a defined period.
- Validation summary report - Consolidate findings, approve for use.
For Spreadsheets and Calculators
These are often the most overlooked risk area in labs:
- Lock formulas and structure - Prevent accidental modification.
- Test with known inputs/outputs - Verify calculations produce correct results.
- Version control - Track changes. Store master copies in a controlled location.
- Access control - Limit who can modify templates vs. who uses them.
For Instrument Software
- Verify correct firmware version against manufacturer specifications
- Test communication with LIMS (data transfer accuracy)
- Document any custom configurations
Data Integrity Principles (ALCOA+)
Accreditation assessors increasingly focus on data integrity. The ALCOA+ framework applies:
- Attributable - Who performed the action and when?
- Legible - Can records be read and understood?
- Contemporaneous - Recorded at the time of the activity?
- Original - Is this the first-captured version?
- Accurate - Free from errors, reflecting what actually occurred?
- Plus: Complete, Consistent, Enduring, Available
Your LIMS audit trail should satisfy all of these. If it does not, you have a gap to close.
Re-validation Triggers
Maintain a change control process. Re-validate when:
- Software version upgrades (even minor patches if they affect core functions)
- Operating system or infrastructure changes
- Configuration changes to validated parameters
- Migration to new hardware or cloud environments
- Issues identified through routine use or audits
Tips for Assessor Readiness
- Keep a software register - list of all validated software with version, validation date, and next review
- Maintain validation files accessible and organized - assessors will ask to see them
- Show evidence of ongoing monitoring - not just initial validation but periodic checks
- Demonstrate that staff are trained on the validated use of each system
Key takeaway: ISO 17025 treats software as equipment. If it touches your data, it must be validated, controlled, and maintained with the same rigor as your analytical instruments.