ISO 17025:2017 General Requirements for the Competency of Calibration and Testing Laboratories



ISO (International Organization for Standardization) is a worldwide organization composed of collaborating groups in more than 160 countries. The work of preparing international standards is usually carried out by ISO technical committees. Each member body interested in a subject, for which a technical committee has been established, has the right to be represented. International organizations, governmental and non-governmental, in liaison with ISO, also participate.

ISO 17025:2017 specifies the general requirements for the competency, impartiality, and consistency of the operation of calibration and testing laboratories. This standard is applicable to all organizations that perform laboratory activities, regardless of the number of people.

Laboratory customers, regulatory authorities, and organizations using peer review or accreditation bodies use ISO 17025:2017 as the basis for confirming or recognizing the competency of laboratories.

System Validation – ISO 17025:2017 Item 7.11

Item 7.11 (Control of Data and Information Management) presents guidelines for controlling the management of data and information generated throughout laboratory activities.


One of the notes accompanying the item, when set against the other requirements of ISO 17025:2017, opens a debate about the need (or the lack thereof) to validate off-the-shelf software used in the activities of testing and calibration laboratories.

The note states:

"Note 2: Commercial off-the-shelf software of a general nature, within its designed application range, may be considered sufficiently validated."

The note could be understood as meaning that general-purpose, off-the-shelf software needs no validation when used within the specifications for which it was developed. In the case of calibration and testing laboratories, however, the following requirements of the standard must be noted. They reinforce the understanding that validation is necessary.


Validating off-the-shelf software in a testing and metrology lab?

ISO 17025:2017 item 7.11.2 says:

"Prior to implementation, the laboratory information management system(s) used for the collection, processing, recording, reporting, storage, or retrieval of data shall be validated by the laboratory for functionality, including the proper functioning of the interfaces of the laboratory information management system(s).

Whenever there are any changes, including configurations or modifications made by the laboratory to commercial off-the-shelf software, they must be authorized, documented, and validated prior to implementation."

When implementing off-the-shelf software, it is important that validation verifies, based on user requirements and risk scenarios, the use of the functionalities the software provides, including calculations and interfaces with equipment that avoid data transcription (i.e., functionalities that impact the quality of the analysis or summary, patient health and/or consumer safety).

As stated above in item 7.11.2, any new functionality developed in off-the-shelf software to meet the laboratory's process requirements needs to be validated.

In these cases, a mapping of the entire process is performed. This usually includes a business risk analysis, with attention to the use of this new functionality and the necessary actions to reduce these risks.

Regardless of whether any new functionality is developed, data management software needs to be validated, as reinforced by the text of item 7.11.3 of ISO 17025:2017:

"The laboratory information management system(s) shall:

  1. be protected against unauthorized access;
  2. be protected against tampering or loss;
  3. be operated in an environment that conforms to the provider's or laboratory's specifications, or in the case of non-computerized systems, provide conditions that protect the accuracy of manual recordings and transcriptions;
  4. be maintained in a way that ensures the integrity of the data and information;
  5. include a record of system failures and the immediate and appropriate corrective actions."

Access control to the system where data is stored is essential to protect against unauthorized access. It defines what data a particular user can access and records precisely when, where and by whom each action was performed on the system.

This prevents tampering with data, and if it does occur, the audit trail function (logging) also makes it possible to identify who has made the change and what data was altered.

Protecting laboratory information from loss means ensuring that backup procedures and storage redundancy are in place so that laboratory data can be accessed and/or recovered if its primary source version becomes unavailable.

The item also requires that conditions be in place to maintain the integrity of manually recorded data, in case of non-computerized systems.


Although ISO 17025:2017 item 7.11 could possibly be interpreted as meaning there is no need to validate the functions of off-the-shelf software in testing and calibration laboratories, it also reinforces that compliance with requirements focused on data integrity, risk mitigation, data security, access restriction, and other conditions can only be guaranteed by validating this kind of software.