Question
We’re currently using SaaS tools like GitHub to host our code. Our consultant told us that that’s not okay and we need to self-host everything. His reason was that we’re only allowed to use tools which we can “validate” ourselves. That would mean that any third-party-hosted software like GitHub would be prohibited. Help!
Short Answer
Your consultant is wrong. You can use GitHub. And look for another consultant.
Long Answer
The ISO 13485 requires you to “validate” all quality-relevant software prior to use. That applies to GitHub, too. The fact that GitHub is hosted somewhere else and you don’t have full control over it is not a problem per se. You should just write down some sort of explanation why you’re okay with that.
The most obvious line of reasoning would be this: The availability of third-party-hosted software like GitHub is much higher if they take care of the hosting. So, it’s a good thing. On the other hand, what would the risks be? Data gets leaked or you lose access to the service, e.g. because you live in a country which is affected by U.S. export bans.
Include those points in your software validation and you’re good to go. See this answer to a similar question for a more in-depth explanation of what to.