ASL Question for GitHub

nbonds007

Starting to get Involved
#1
We are a SaMD and are utilizing GitHub for hosting software development code and providing code management such as branches, tags, and version control. All our validation and verification will be done through GitHub, but will ultimately be uploaded in our eQMS for review and approval.

For our ASL we have the following:
Class 1: Critical-direct commercial product impact.
Types of Services: Contract manufacturers / developers, critical components, finished product, product labeling, etc.

Class 2: Non-critical direct commercial impact.
Types of Services: Non-critical components that do not have a risk to safety or defectiveness, etc.

Class 3: Indirect and/or no commercial product impact.
Types of Services: Validated software, QMS Consulting, pest control, graphic designer, etc.

FYI: I realize these are more along the lines of manufacturers with parts and not software. We are a start-up and are just now beginning to review and update our recently released QMS now that we have the resources to do so.

My question is - what Class would you put GitHub under?
 
yodon

Staff member
Super Moderator
#2
The point of the classes is to drive the supplier qualification and approval, right? GitHub is a commercially-available product and not something you could go have an onsite audit to qualify and approve. Nor will you be able to execute a quality agreement. Where do you put your compiler / IDE supplier? To me, this is analogous to suppliers like Mouser for electronics. They are a reputable company providing industry-standard products. Not much more you can do / say. (Now the question of validation for your intended use is, of course, a whole other ball of wax. :)
 

nbonds007

Starting to get Involved
#3
I'm not familiar with compiler / IDE supplier. Can you explain this to me? Even though GitHub is a reputable industry-standard company, they are still a major part of the design of our software. It is my understanding that they still need to be placed on our ASL. Maybe once I get a grasp on compiler / IDE supplier then I can go back and update our SOP accordingly.

And yes, validation is a whole other ball of wax, but I'm letting R&D handle that :)
 

Tidge

Trusted Information Resource
#4
> I'm not familiar with compiler / IDE supplier. Can you explain this to me?

Unless you are actually distributing a compiler as part of a medical device, the compiler itself (despite being used to build an executable) is typically (1) not evaluated for impact to the quality of a compiled executable. I'm skipping a lot of details, but the key product in this example is an executable (which must undergo proper development and testing) and not the compiler (or the repository system). I'm also including a lot of assumptions to shortcut this point, including an assumption that the production floor wouldn't be compiling the executables as part of the assembly process for the device.

Generally: A repository has quality system impact (e.g. maintaining version control, record of approvals) but not product impact. Locally, I am advocating that my teams be very conscious of the difference between a quality system and products. I have no disagreement that a poorly implemented quality system can have product impact, but a perfectly implemented quality system is never going to guarantee a safe and effective product.

TL/DR: For the three classifications listed in the original post, I would identify it as "Class 3: Indirect and/or no commercial product impact." If you recognize that the GitHub software requires some level of validation, and "validated software" is one of the examples for class 3, I'm not sure why there is any second-guessing what the answer is.

(1) It is possible for some compilers to be used to support verification activities; the level of qualification necessary for a compiler depends on its use.
 

nbonds007

Starting to get Involved
#5
> Unless you are actually distributing a compiler as part of a medical device, the compiler itself (despite being used to build an executable) is typically (1) not evaluated for impact to the quality of a compiled executable. I'm skipping a lot of details, but the key product in this example is an executable (which must undergo proper development and testing) and not the compiler (or the repository system). I'm also including a lot of assumptions to shortcut this point, including an assumption that the production floor wouldn't be compiling the executables as part of the assembly process for the device.
>
> Generally: A repository has quality system impact (e.g. maintaining version control, record of approvals) but not product impact. Locally, I am advocating that my teams be very conscious of the difference between a quality system and products. I have no disagreement that a poorly implemented quality system can have product impact, but a perfectly implemented quality system is never going to guarantee a safe and effective product.
>
> TL/DR: For the three classifications listed in the original post, I would identify it as "Class 3: Indirect and/or no commercial product impact." If you recognize that the GitHub software requires some level of validation, and "validated software" is one of the examples for class 3, I'm not sure why there is any second-guessing what the answer is.
>
> (1) It is possible for some compilers to be used to support verification activities; the level of qualification necessary for a compiler depends on its use.

Thank you for your response. We develop stand-alone software. V/V will be performed in GitHub, but as I mentioned above, it goes through review & approval in our eQMS, which is a validated system. There is no "sign-off" in GitHub. That is why I'm "second-guessing" as to whether or not GitHub will be a critical supplier.
 

yodon

Staff member
Super Moderator
#6
> There is no "sign-off" in GitHub. That is why I'm "second-guessing" as to whether or not GitHub will be a critical supplier.

What does your process require if you classify them as critical suppliers? You're not going to be able to audit them, I expect it's highly unlikely they'd respond to a questionnaire, they likely don't have a quality system. Don't paint yourself into a corner by having inflexible rules or overly-aggressive rules.
 

nbonds007

Starting to get Involved
#7
> What does your process require if you classify them as critical suppliers? You're not going to be able to audit them, I expect it's highly unlikely they'd respond to a questionnaire, they likely don't have a quality system. Don't paint yourself into a corner by having inflexible rules or overly-aggressive rules.

It states "or equivalent" which leaves it open to provide documents of their security, privacy and other certificates that they have. I do believe that we'll have to revise the procedure to be more specific for commercially-available companies. As always, a QMS is a work in progress :)
 