In a recent ISO 13485 audit of a company who is only marketing a stand-alone software application, the auditor said that software updates must be considered service activities per 7.5.4. I had never a) previously considered software updates as a service activity; or b) heard another auditor make such an assertion.
In several respects, software updates are not typical of a service activity in that instead of operating on an individual device, the entire application is re-built and re-distributed (even if only patching ... unless you have something like with antivirus software where you update definitions periodically without updating the entire application). Also, instead of being a specific service activity, in many cases, software updates may contain numerous changes, including new design. Finally, updates are done by the design and development team (and all the work effectively falls under design controls).
This was not written up as a finding, just a discussion. I'm curious what others' opinions / experiences are on this.
In several respects, software updates are not typical of a service activity in that instead of operating on an individual device, the entire application is re-built and re-distributed (even if only patching ... unless you have something like with antivirus software where you update definitions periodically without updating the entire application). Also, instead of being a specific service activity, in many cases, software updates may contain numerous changes, including new design. Finally, updates are done by the design and development team (and all the work effectively falls under design controls).
This was not written up as a finding, just a discussion. I'm curious what others' opinions / experiences are on this.