ASL Question for GitHub

nbonds007

Starting to get Involved
#1
We are a SaMD and are utilizing GitHub for hosting software development code and providing code management such as branches, tags, and version control. All our validation and verification will be done through GitHub, but will ultimately be uploaded in our eQMS for review and approval.

For our ASL we have the following:
Class 1: Critical-direct commercial product impact.
Types of Services: Contract manufacturers / developers, critical components, finished product, product labeling, etc.

Class 2: Non-critical direct commercial impact.
Types of Services: Non-critical components that do not have a risk to safety or defectiveness, etc.

Class 3: Indirect and/or no commercial product impact.
Types of Services: Validated software, QMS Consulting, pest control, graphic designer, etc.

FYI: I realize these are more along the lines of manufacturers with parts and not software. We are a start-up and are just now beginning to review and update our recently released QMS now that we have the resources to do so.

My question is - what Class would you put GitHub under?
 

yodon

Staff member
Super Moderator
#2
The point of the classes is to drive the supplier qualification and approval, right? GitHub is a commercially-available product and not something you could go have an onsite audit to qualify and approve. Nor will you be able to execute a quality agreement. Where do you put your compiler / IDE supplier? To me, this is analogous to suppliers like Mouser for electronics. They are a reputable company providing industry-standard products. Not much more you can do / say. (Now the question of validation for your intended use is, of course, a whole other ball of wax. :)
 

nbonds007

Starting to get Involved
#3
I'm not familiar with compiler / IDE supplier. Can you explain this to me? Even though GitHub is a reputable industry-standard company, they are still a major part of the design of our software. It is my understanding that they still need to be placed on our ASL. Maybe once I get a grasp on compiler / IDE supplier then I can go back and update our SOP accordingly.

And yes, validation is a whole other ball of wax, but I'm letting R&D handle that :)
 

Tidge

Quite Involved in Discussions
#4
> I'm not familiar with compiler / IDE supplier. Can you explain this to me?

Unless you are actually distributing a compiler as part of a medical device, the compiler itself (despite being used to build an executable) is typically (1) not evaluated for impact to the quality of a compiled executable. I'm skipping a lot of details, but the key product in this example is an executable (which must undergo proper development and testing) and not the compiler (or the repository system). I'm also including a lot of assumptions to shortcut this point, including an assumption that the production floor wouldn't be compiling the executables as part of the assembly process for the device.

Generally: A repository has quality system impact (e.g. maintaining version control, record of approvals) but not product impact. Locally, I am advocating that my teams be very conscious of the difference between a quality system and products. I have no disagreement that a poorly implemented quality system can have product impact, but a perfectly implemented quality system is never going to guarantee a safe and effective product.

TL/DR: For the three classifications listed in the original post, I would identify it as "Class 3: Indirect and/or no commercial product impact." If you recognize that the GitHub software requires some level of validation, and "validated software" is one of the examples for class 3, I'm not sure why there is any second-guessing what the answer is.

(1) It is possible for some compilers to be used to support verification activities; the level of qualification necessary for a compiler depends on its use.
 

nbonds007

Starting to get Involved
#5
> Unless you are actually distributing a compiler as part of a medical device, the compiler itself (despite being used to build an executable) is typically (1) not evaluated for impact to the quality of a compiled executable. I'm skipping a lot of details, but the key product in this example is an executable (which must undergo proper development and testing) and not the compiler (or the repository system). I'm also including a lot of assumptions to shortcut this point, including an assumption that the production floor wouldn't be compiling the executables as part of the assembly process for the device.
>
> Generally: A repository has quality system impact (e.g. maintaining version control, record of approvals) but not product impact. Locally, I am advocating that my teams be very conscious of the difference between a quality system and products. I have no disagreement that a poorly implemented quality system can have product impact, but a perfectly implemented quality system is never going to guarantee a safe and effective product.
>
> TL/DR: For the three classifications listed in the original post, I would identify it as "Class 3: Indirect and/or no commercial product impact." If you recognize that the GitHub software requires some level of validation, and "validated software" is one of the examples for class 3, I'm not sure why there is any second-guessing what the answer is.
>
> (1) It is possible for some compilers to be used to support verification activities; the level of qualification necessary for a compiler depends on its use.

Thank you for your response. We develop stand-alone software. V/V will be performed in GitHub, but as I mentioned above, it goes through review & approval in our eQMS, which is a validated system. There is no "sign-off" in GitHub. That is why I'm "second-guessing" as to whether or not GitHub will be a critical supplier.
 

yodon

Staff member
Super Moderator
#6
> There is no "sign-off" in GitHub. That is why I'm "second-guessing" as to whether or not GitHub will be a critical supplier.

What does your process require if you classify them as critical suppliers? You're not going to be able to audit them, I expect it's highly unlikely they'd respond to a questionnaire, they likely don't have a quality system. Don't paint yourself into a corner by having inflexible rules or overly-aggressive rules.
 

nbonds007

Starting to get Involved
#7
> What does your process require if you classify them as critical suppliers? You're not going to be able to audit them, I expect it's highly unlikely they'd respond to a questionnaire, they likely don't have a quality system. Don't paint yourself into a corner by having inflexible rules or overly-aggressive rules.

It states "or equivalent" which leaves it open to provide documents of their security, privacy and other certificates that they have. I do believe that we'll have to revise the procedure to be more specific for commercially-available companies. As always, a QMS is a work in progress :)
 