We’re currently using SaaS tools like GitHub to host our code. Our consultant told us that that’s not okay and we need to self-host everything. His reason was that we’re only allowed to use tools which we can “validate” ourselves. That would mean that any third-party-hosted software like GitHub would be prohibited. Help!
Your consultant is wrong. You can use GitHub. And look for another consultant.
ISO 13485 requires you to “validate” all quality-relevant software prior to use. That applies to GitHub, too. The fact that GitHub is hosted somewhere else and you don’t have full control over it is not a problem per se. You should just write down some sort of explanation of why you’re okay with that.
The most obvious line of reasoning would be this: The availability of third-party-hosted software like GitHub is much higher if they take care of the hosting. So, it’s a good thing. On the other hand, what would the risks be? Data gets leaked or you lose access to the service, e.g. because you live in a country which is affected by U.S. export bans.
Include those points in your software validation and you’re good to go. See this answer to a similar question for a more in-depth explanation of what to.