Software Validation in ISO 17025 | Enhance your Laboratory

Software validation in ISO 17025

Software can be considered as a type of equipment. It is used to acquire, record, manipulate and store data and information. This means that software used in laboratories must comply with the exact requirements of other types of equipment. ISO 17025 Standard regards software as equipment and groups it with measuring instruments, standards, and reference materials. Therefore, software validation in ISO 17025 is considered a must have to ensure the competency of laboratories.

The International Organization for Standardization (ISO) has developed ISO 17025 for testing laboratories for their competence in testing and calibrating their equipment. This standard describes the characteristics of a competent laboratory and the criteria required to achieve it. If you want to learn more about ISO 17025, read the article about ISO 17025 Laboratory Management System.

ISO 17025 has been regarding software as a measuring tool for laboratories since 2005; however, the latest version issued in 2017 took the meaning of software validation to a whole new level. Technology and market changes served as the main impetus for such revision to take place. For instance, the latest edition considers newly created IT approaches, modifications to the lexicon, and technical elements. The most recent iteration of ISO 9001 is taken into account by these upgraded requirements.

  1. Commercial-off-the-shelf software (COTS) which include:
    • Operating systems – Windows, Linux, Apple OS and Unit
    • Productivity applications – Microsoft office, Mathworks, Fluke’s Metcal, LIMS
    • Firmware – electronic instrumentation
  2. Modified off-the-shelf software (MOTS) which include Excel, which even though is under COTS, will allow users to insert formulae, scripts and routines, which will then require validation.
  3. Custom written software which may be written with any computer language such as Java, C++, VBA in Excel. In such cases this will definitely require validation.

COTS are usually the only exception to the rule for requiring validation, as the vendor would have validated the software before release. Having said that, no software is bug-free, and as such, the software must be thoroughly tested during qualification protocols to ensure that proper usage does not give erroneous outputs.

Software Validation in ISO 17025 | Why should we Validate?

Such an obvious question, right? Think twice; for some, this is not as straightforward as it is for others.

The laboratory’s quality of the laboratory results is influenced by the software utilized. The software may be used to control equipment taking the measurements or for conducting computations on the raw data.

As with equipment qualification, software validation aims to prove that the results that are being outputted are indeed in line with the purpose of the software itself. That also means that the software must be prepared to receive incorrect inputs. That is where the robustness of the software comes in. How will it react to false information? Will it still produce some form of data that may be inaccurate, or will it stop any calculations and warn the user? If it is not the latter, the software can be labeled as bugged and should, therefore, not be used.

Software Validation in ISO 17025 | What should be Validated?

As with all validations in the laboratory, each software used within the lab must be documented in a validation procedure. Like all other validations, every aspect of the software must be addressed during the validation process, thus requiring a good understanding of its operation. This documentation will form the basis of the validation. It would explain the workings of each section and its expected output. Any change notices or updates from the vendor would be essential to be included in the validation.

Software Validation in ISO 17025 | How is Software Validation carried out?

Section 7.11.3 of the manual describes what software needs to have under an ISO 17025 standard. These include password protection of excel sheets and specific cell locks, backup of data to protect from malicious damage, theft by malware or hacking, and backup data to ensure proper traceability and avoid unnecessary or willful change in client data. The latter is easily controlled by cloud systems such as Microsoft SharePoint and Google documents.

The software requires periodic maintenance, as in hardware and other equipment. Section 6.4.3 mentions “contamination and deterioration”, which will refer to file corruption or even manual manipulation by a user. Thus software validation before use must be compounded with periodic reviews to check for any form of breakdowns, many of which may come from system upgrades.

Software validation can be carried out using “black box” and “white box” testing.


Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.


Luke has a plan for you whether you want ISO certification, internal audits, or results-oriented consulting. Contact him immediately to begin your adventure.

“Black Box” testing ignores the internal structures of the software but focuses on the system’s external behavior. The user will only be testing the inputs and the outputs generated. Such an example, using excel, would be looking at the input or output of a sum formula. In this case, the tester will not look at the =sum() formulas but will focus on the individual values 2 and 2, which result in 4.

“White Box” testing refers to the code and structure of the product, where the user will have access to the formula so that it can be validated against the method. In such cases, the tester must have extensive knowledge of the technology used to develop this system. Using a similar example, the tester, rather than using a separate calculator to calculator 2 + 2 = 4, will look at the formulas =sum() and ensure that the sum is directed to the correct cells.

Both methods could also be used when looking at VBA or line code, by Java or C++ language. Black Box testing would include running a routine sample file to compare the final worksheet with a master test file. On the other hand, if White box testing is to be used, standard programs could be used to compare each line of code with a master test file. It is important to note that in this case, the master test file refers to the final software just before release.

Both methods are complementary, and a combination of them can be used depending on the complexity of the software. With the vast formula options that can be used in excel, indexing or lookup formulas may require “white box” testing compared to statistical or mathematical formulas, which can use the “black box” method. For more information about such testing methods, visit here.

Software Validation in ISO 17025 | Information security

Software validation in ISO 17025 also involves the security of the software. Security is essential to be checked to ensure that no unauthorized changes can be made. Cells containing formulas, after validation, should be locked and protected to ensure that users do not manipulate or change the formulas. This check needs to be included in the validation. Such protection can be checked via a White box method, where the cell’s protection flag and the status are confirmed. Furthermore, such password protections need to be documented to ensure that the worksheet can be accessed by authorized persons.

Once all the necessary validation is carried out, documentation of the verification needs to be done. This could be done by combining the procedure and report, where the test data and the results of the validation are reported on the same document. This would be together with the filename and version of the software, the date, name, and signature of the person performing the validation. Alternatively, a separate procedure and report can be used or if Excel is used, have an independent validation sheet within the same workbook.

Interested in learning more?

Luke Desira is an ISO management system consultant who realizes that achieving ISO accreditation is a road that companies find it difficult to take – learn how to achieve ISO 17025 accreditation here! To further learn about Software validation in ISO 17025 and the ISO 17025 Laboratory Management System and validating your laboratory, click here!

All management systems based on ISO Standards that are implemented should pertain directly to the organization’s objectives, and ISO 17025 – Testing and Calibration Laboratories should be no different. Have a look at the ISO Certification specialised by Industry to understand in which category your organization falls.

Luke offers a variety of ISO certification services that puts him as the number 1 ISO Certification consultant in Malta. He can help you achieve ISO accreditation efficiently. When ready, take the leap to success and call Luke Desira.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.

Book a Free 15 minute discovery call

Select a date and time to schedule a free 15 minute discovery call with Luke Desira.

Message Luke through an email

Give Luke a call

+356 7920 6686

Related Articles

pitfalls when implementing an ISO Management System

Avoid these 10 Pitfalls when Implementing an ISO Management System

Misconceptions about ISO Earlier versions of all ISO standards placed a greater emphasis on documentation. As a result, in the past, ISO standards pushed firms to focus on having as many processes as possible, which did not supply much value to the organization. However, in recent revisions of the standard, the standard has been altered

Read More »
Clause 8 Management System Options in ISO 17025
ISO 17025

How-To: Clause 8 Management System Options in ISO 17025

The Continuation of the ISO 17025 How-To Series… How-To: Clause 8 Management System Options in ISO 17025 – Why are we given such options? For Clause 8 of ISO 17025, the organization has to choose from either Option A or Option B. But what are these options, and why are there even options in the

Read More »
ISO 9001 Question and Answer
ISO 9001

Why you Need to get Certified – ISO 9001 Question and Answer (Part 1)

“What does this ISO standard do and what is the difference between those two?”… This might be a common question that you might encounter when looking at all the different ISO standards that exist in today’s virtual world. As your organization gets exposed to further standards, misconceptions might form. As a Management System Specialist with

Read More »
Shopping Cart
Scroll to Top