ISO 17025 Software Requirements: Validating Your LIMS and Lab Tools

Software in the ISO 17025 Context

ISO/IEC 17025:2017 explicitly addresses software in several clauses. Section 7.11 (Control of data and information management) requires laboratories to validate software used for the acquisition, processing, recording, reporting, storage, or retrieval of test or calibration data.

For modern labs, this touches nearly every digital tool in your environment.

What the Standard Requires

Clause 7.11.2 - Software Validation

Laboratory software must be validated before use. This includes:

• Commercial off-the-shelf (COTS) software - including LIMS, spreadsheets, and statistical packages
• Custom-developed software - in-house tools and scripts
• Modified software - any changes to validated software trigger re-validation

Clause 7.11.3 - Data Protection

• Data must be protected from unauthorized access, tampering, and loss
• Electronic records must maintain integrity equivalent to paper records
• Backup and recovery procedures must be documented and tested

Clause 6.4.13 - Equipment Software

Software critical to laboratory equipment performance must be identified, and its correct functioning verified before use. Version tracking is essential.

A Practical Validation Framework

For LIMS and Major Systems

1. User Requirements Specification (URS) - Define what the system must do in your specific lab context.
2. Vendor audit/assessment - Evaluate the vendor's development and QA processes. Request their validation documentation package.
3. Installation Qualification (IQ) - Verify correct installation, version, and configuration.
4. Operational Qualification (OQ) - Test all functions you use against your URS. Document pass/fail with evidence.
5. Performance Qualification (PQ) - Run the system with real data under real conditions for a defined period.
6. Validation summary report - Consolidate findings, approve for use.

For Spreadsheets and Calculators

These are often the most overlooked risk area in labs:

• Lock formulas and structure - Prevent accidental modification.
• Test with known inputs/outputs - Verify calculations produce correct results.
• Version control - Track changes. Store master copies in a controlled location.
• Access control - Limit who can modify templates vs. who uses them.

For Instrument Software

• Verify correct firmware version against manufacturer specifications
• Test communication with LIMS (data transfer accuracy)
• Document any custom configurations

Data Integrity Principles (ALCOA+)

Accreditation assessors increasingly focus on data integrity. The ALCOA+ framework applies:

• Attributable - Who performed the action and when?
• Legible - Can records be read and understood?
• Contemporaneous - Recorded at the time of the activity?
• Original - Is this the first-captured version?
• Accurate - Free from errors, reflecting what actually occurred?
• Plus: Complete, Consistent, Enduring, Available

Your LIMS audit trail should satisfy all of these. If it does not, you have a gap to close.

Re-validation Triggers

Maintain a change control process. Re-validate when:

• Software version upgrades (even minor patches if they affect core functions)
• Operating system or infrastructure changes
• Configuration changes to validated parameters
• Migration to new hardware or cloud environments
• Issues identified through routine use or audits

Tips for Assessor Readiness

• Keep a software register - list of all validated software with version, validation date, and next review
• Maintain validation files accessible and organized - assessors will ask to see them
• Show evidence of ongoing monitoring - not just initial validation but periodic checks
• Demonstrate that staff are trained on the validated use of each system

Key takeaway: ISO 17025 treats software as equipment. If it touches your data, it must be validated, controlled, and maintained with the same rigor as your analytical instruments.