ISO 17025:2017 specifies the general requirements for the competency, impartiality, and consistency of the operation of calibration and testing laboratories. This standard is applicable to all organizations that perform laboratory activities, regardless of the number of people.
Laboratory customers, regulatory authorities, and organizations using peer review or accreditation bodies use ISO 17025:2017 as the basis for confirming or recognizing the competency of laboratories.
Item 7.11 (Control of Data and Information Management) presents guidelines for controlling the management of data and information generated throughout laboratory activities.
One of the notes accompanying the item, when set against the other requirements of ISO 17025:2017, opens a debate about the need (or lack thereof) to validate off-the-shelf software used in the activities of testing and calibration laboratories.
The note states:
"Note 2: Commercial off-the-shelf software of a general nature, within its designed application range, may be considered sufficiently validated."
The note could be understood to mean that general-purpose, off-the-shelf software needs no validation when used within the specifications for which it was developed. In the case of calibration and testing laboratories, however, the following requirements of the standard must be noted; they reinforce the understanding that validation is necessary.
ISO 17025:2017 item 7.11.2 says:
"Prior to implementation, the laboratory information management system(s) used for the collection, processing, recording, reporting, storage, or retrieval of data shall be validated by the laboratory for functionality, including the proper functioning of the interfaces of the laboratory information management system(s).
Whenever there are any changes, including configurations or modifications made by the laboratory to commercial off-the-shelf software, they must be authorized, documented, and validated prior to implementation."
When off-the-shelf software is being implemented, validation should verify, based on user requirements and risk scenarios, the use of the functionalities the software makes available, including calculations and interfaces with equipment that avoid data transcription (i.e., functionalities that impact the quality of the analysis or summary, patient health, and/or consumer safety).
As stated above in item 7.11.2, any new functionality developed in off-the-shelf software to meet the laboratory's process requirements needs to be validated.
In these cases, a mapping of the entire process is performed. This usually includes a business risk analysis, with attention to the use of this new functionality and the necessary actions to reduce these risks.
Regardless of whether any new functionality is developed, data management software needs to be validated, as reinforced in the text of item 7.11.3 of ISO 17025:2017:
"The laboratory information management system(s) shall:
Access control to the system where data is stored is essential to protect against unauthorized access. It defines what data a particular user can access and records precisely when, where, and by whom each action was performed on the system.
This prevents tampering with data, and if it does occur, the audit trail function (logging) also makes it possible to identify who has made the change and what data was altered.
Protecting laboratory information from loss means ensuring that backup procedures and storage redundancy are in place so that laboratory data can be accessed and/or recovered in the event that its primary source file version is unavailable.
The item also requires that conditions be in place to maintain the integrity of manually recorded data, in the case of non-computerized systems.
Although item 7.11 of ISO 17025:2017 could possibly be interpreted as meaning that there is no need to validate the functions of off-the-shelf software in testing and calibration laboratories, it also reinforces that compliance with requirements focused on data integrity, risk mitigation, data security, access restriction, and other conditions can only be guaranteed by validating this kind of software.