Software can be considered a type of equipment. It is used to acquire, record, manipulate and store data and information. This means that software used in laboratories must comply with the same requirements as other types of equipment. The ISO 17025 standard regards software as equipment and groups it with measuring instruments, standards, and reference materials. Software validation under ISO 17025 is therefore a must-have for demonstrating the competency of a laboratory.
The International Organization for Standardization (ISO) developed ISO 17025 to assess laboratories on their competence in testing and calibrating their equipment. This standard describes the characteristics of a competent laboratory and the criteria required to achieve it. If you want to learn more about ISO 17025, read the article about ISO 17025 Laboratory Management System.
ISO 17025 has regarded software as a measuring tool for laboratories since 2005; however, the latest version, issued in 2017, took the meaning of software validation to a whole new level. Technology and market changes served as the main impetus for this revision. For instance, the latest edition considers newly created IT approaches, modifications to the lexicon, and technical elements. These upgraded requirements also take the most recent iteration of ISO 9001 into account.
- Commercial off-the-shelf software (COTS), which includes:
  - Operating systems – Windows, Linux, Apple OS and Unix
  - Productivity applications – Microsoft Office, MathWorks, Fluke’s MET/CAL, LIMS
  - Firmware – electronic instrumentation
- Modified off-the-shelf software (MOTS), which includes Excel. Although Excel falls under COTS, it allows users to insert formulae, scripts and routines, which then require validation.
- Custom-written software, which may be written in any computer language, such as Java, C++ or VBA in Excel. Software of this kind will definitely require validation.
COTS software is usually the only exception to the rule requiring validation, as the vendor would have validated the software before release. Having said that, no software is bug-free, and as such, the software must be thoroughly tested during qualification protocols to ensure that proper usage does not give erroneous outputs.
Software Validation in ISO 17025 | Why should we Validate?
Such an obvious question, right? Think twice; for some, this is not as straightforward as it is for others.
The quality of the laboratory’s results is influenced by the software utilized. The software may be used to control the equipment taking the measurements or to conduct computations on the raw data.
As with equipment qualification, software validation aims to prove that the results the software outputs are indeed in line with its purpose. That also means that the software must be prepared to receive incorrect inputs. That is where the robustness of the software comes in. How will it react to false information? Will it still produce some form of data that may be inaccurate, or will it stop any calculations and warn the user? If it is not the latter, the software can be labeled as bugged and should, therefore, not be used.
Software Validation in ISO 17025 | What should be Validated?
As with all validations in the laboratory, each piece of software used within the lab must be documented in a validation procedure. Like all other validations, every aspect of the software must be addressed during the validation process, which requires a good understanding of its operation. This documentation will form the basis of the validation. It should explain the workings of each section and its expected output. Any change notices or updates from the vendor must also be included in the validation.
Software Validation in ISO 17025 | How is Software Validation carried out?
Section 7.11.3 of the manual describes what software needs to have under the ISO 17025 standard. This includes password protection of Excel sheets and specific cell locks, backup of data to protect against malicious damage and theft by malware or hacking, and backup of data to ensure proper traceability and avoid unnecessary or willful changes to client data. The latter is easily controlled by cloud systems such as Microsoft SharePoint and Google Docs.
Software requires periodic maintenance, as do hardware and other equipment. Section 6.4.3 mentions “contamination and deterioration”, which for software refers to file corruption or even manual manipulation by a user. Software validation before use must therefore be combined with periodic reviews to check for any form of breakdown, many of which may come from system upgrades.
Software validation can be carried out using “black box” and “white box” testing.
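The following added example (not part of the original article) shows a black-box validation of a custom calculation routine, including the robustness check described earlier: invalid input must stop the calculation instead of producing data. The routine names, reference cases and tolerance are hypothetical and constructed for illustration.

```python
import math
import statistics

def mean_and_uncertainty(readings):
    """Hypothetical custom routine under validation: mean and standard uncertainty."""
    values = [float(r) for r in readings]  # non-numeric input raises here
    if len(values) < 2 or not all(math.isfinite(v) for v in values):
        raise ValueError("need at least two finite readings")
    return statistics.fmean(values), statistics.stdev(values) / math.sqrt(len(values))

def lenient_routine(readings):
    """Flawed variant for comparison: silently drops bad readings and still outputs data."""
    good = [r for r in readings if isinstance(r, (int, float)) and math.isfinite(r)] or [0.0]
    spread = statistics.stdev(good) if len(good) > 1 else 0.0
    return statistics.fmean(good), spread / math.sqrt(len(good))

# Constructed reference cases: expected values worked out by hand, independently of the code.
REFERENCE_CASES = [
    ([10.0, 10.2, 9.8], (10.0, 0.115470)),
    ([2, 4, 4, 4, 5, 5, 7, 9], (5.0, 0.755929)),
]
# Constructed invalid inputs: empty, single reading, NaN, infinity, text, missing value.
INVALID_INPUTS = [[], [5.0], [1.0, float("nan")], [1.0, float("inf")], [1.0, "abc"], [1.0, None]]

def validate(routine, tol=1e-5):
    """Black-box check: only inputs and outputs are examined. Returns a list of findings."""
    findings = []
    for readings, expected in REFERENCE_CASES:
        try:
            got = routine(readings)
        except Exception as exc:
            findings.append(f"valid input {readings!r} rejected: {exc}")
            continue
        # 'not (<= tol)' also catches NaN results, which would pass a '> tol' comparison.
        if not all(abs(g - e) <= tol for g, e in zip(got, expected)):
            findings.append(f"wrong result for {readings!r}: {got!r}")
    for readings in INVALID_INPUTS:
        try:
            got = routine(readings)
        except (ValueError, TypeError):
            continue  # calculation stopped with an error: the required behaviour
        findings.append(f"invalid input {readings!r} produced data: {got!r}")
    return findings

if __name__ == "__main__":
    for name, routine in [("strict", mean_and_uncertainty), ("lenient", lenient_routine)]:
        print(name, validate(routine) or "no findings")
```

The findings list can be stored with the validation record and the same cases re-run at each periodic review or after a system upgrade.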