Early access registrations are open for Headstart, a predictable, fixed-price program for becoming compliant.

Updated October 11, 2020

Can We Use GitHub and Other SaaS For Our Software as a Medical Device?

Dr. Oliver Eidel
ISO 13485 IEC 62304

Question

We’re currently using SaaS tools like GitHub to host our code. Our consultant told us that that’s not okay and we need to self-host everything. His reason was that we’re only allowed to use tools which we can “validate” ourselves. That would mean that any third-party-hosted software like GitHub would be prohibited. Help!

Short Answer

Your consultant is wrong. You can use GitHub. And look for another consultant.

Long Answer

The ISO 13485 requires you to “validate” all quality-relevant software prior to use. That applies to GitHub, too. The fact that GitHub is hosted somewhere else and you don’t have full control over it is not a problem per se. You should just write down some sort of explanation why you’re okay with that.

The most obvious line of reasoning would be this: The availability of third-party-hosted software like GitHub is much higher if they take care of the hosting. So, it’s a good thing. On the other hand, what would the risks be? Data gets leaked or you lose access to the service, e.g. because you live in a country which is affected by U.S. export bans.

Include those points in your software validation and you’re good to go. See this answer to a similar question for a more in-depth explanation of what to.

Congratulations! You read this far.

Get notified when I post something new.

Sign up for my free newsletter.

I work as a regulatory consultant for Healthcare software startups. I try to publish all my knowledge here so that startups can certify their medical devices themselves in the future.

If you're still lost and have further questions, just send me an email and I'll be happy to answer them for free. More about me

No Cookie For You Privacy Policy Imprint
No QMS on this planet will save you from creating crappy software.