R-019-001 Software validation report_GitHub_GPG key signature_2024
Scope
The aim is to gather additional requirements and configuration specifications not encompassed within the application, together with their respective validations. This ensures adherence to both our internal requirements and those imposed by regulatory bodies. This involves detailing specifications and criteria which are external to the application but fundamental for ensuring our outputs align with all requisite standards and regulations.
Software description
Name
GitHub.
It is worth mentioning that we use GitHub alongside GPG technology to verify our commits. GPG is a suite of cryptographic software that can be used to encrypt or sign data and communications to ensure their authenticity.
The GPG signature enables our use of GitHub to be compliant with the requirements of 21 CFR Part 11.
Manufacturer
GitHub, Inc., owned by Microsoft
Intended use
We selected GitHub as a controlled system to be used:
- As our Quality Management System (QMS), to contain all the procedures and records required, complying with the applicable regulations.
Risk-based analysis
Quality Management System (QMS)
The software is used as a controlled quality management system to document and register the procedures and records required to safely perform the design and manufacturing of the medical devices. This software is well-established and validated; therefore, its failure to perform as intended should not result in a quality problem that foreseeably leads to compromised safety. As such, the software does not pose a high process risk.
Requirements and design specification
Quality Management System (QMS)
- Requirement 01: Users sign the documentation according to their role and in compliance with 21 CFR Part 11.
- Requirement 02: Only the approved versions are released and visible to the users.
Assurance activities and test plan
In addition to the tests and checks designed to ensure the configuration complies with the established requirements, we have performed an assessment of the system capability (see R-002-007 Process validation card 2023_003) and a supplier evaluation (see R-010-001 Suppliers evaluation). GitHub was considered the only tool providing, in the same ecosystem, a task manager, a knowledge base and a git code repository. This makes it perfect to manage all the processes mentioned: QMS, DHF and NC & CAPAs applications.
Quality Management System (QMS)
ID | Test description | Acceptance criteria | Requirement tested |
---|---|---|---|
Test 01 | Verification of the electronic signature | Signature complies with the regulatory requirements | Requirement 01 |
Test 02 | Approval version release | Only the approved versions are released and visible to the users | Requirement 02 |
Test Results and deviations detected
Quality Management System (QMS)
Test 01
- Result: Pass
- Deviation: No deviations found
Test 02
- Result: Pass
- Deviation: No deviations found
Design review
Review question | Result |
---|---|
Have the appropriate tasks and expected results, outputs, or products been established for each software life cycle activity? | TRUE |
Do the tasks and expected results, outputs, or products of each software life cycle activity: | |
Comply with the requirements of other software life cycle activities in terms of correctness, completeness, consistency, and accuracy? | TRUE |
Satisfy the standards, practices, and conventions of that activity? | TRUE |
Establish a proper basis for initiating tasks for the next software life cycle activity? | TRUE |
Conclusion
No error is observed in the signature procedure implemented: it allows us to comply with 21 CFR Part 11, as we can always check the version of the document, the changes introduced in it and the person responsible for each modification. All employees who make changes to any document, or who perform review and approval activities, must sign each commit as a mandatory activity.
In addition, the implemented procedure prevents users from viewing unapproved versions of documents.
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001