Problems while documenting the SOUPs used for the software we are developing


Luis Garc

Hello everyone

I am having problems while documenting the SOUPs used for the software we are developing.

Do you recommend dedicating a special document to the SOUPs and just making references in the other documents?

At the moment I have documented it in the Software Architecture, since some of the SOUPs are open source libraries, but what about the operating system or the database server?

Until now I have been reading the "Off-The-Shelf Software Use in Medical Devices" to have a better idea of what the suggestions from the FDA are.

Best regards


Super Moderator
If you look at 62304, you see an expectation to address SOUP in:
* Software Development Plan (CM and integration / test)
* Risk Management Planning
* Software Requirements
* Architecture (in terms of functional and performance requirements & hw / sw support)
* Verification of the architecture
* Maintenance
* Risk Management
* Change Management
* Configuration Management (including identification)

So having a single, dedicated SOUP doc is probably not possible. We typically do have a single document dedicated to a specific SOUP item that covers the known issues part of risk management, the identification part of configuration management, and the functional requirements and interoperability requirements of the architecture (we also include a level of concern analysis to support a risk-based approach to management and control).

Other aspects are scattered throughout.

The maintenance part is, IMO, rather important and probably doesn't get the attention it deserves. This plays into all the surveillance activities, cybersecurity aspects, and, well, maintenance aspects. This is generally a sizeable section of our Maintenance Plan.


Trusted Information Resource
As a tyro, I had to go look that one up.

Wow, that SOUP sure covers a can of worms.

Wait... does that sound like a recipe?

"SOUP stands for software of unknown (or uncertain) pedigree (or provenance), and is a term often used in the context of safety-critical and safety-involved systems such as medical software."


Super Moderator
Mmm... worm SOUP.

Yes, it's a bit messy.

By the way, since SOUP can be an entry point for hackers, all SOUP in the application should be considered, not just that in safety-critical applications. Of course, greater risk --> higher levels of controls.

Luis Garc

Thank you so much for the help. Basically, I have documented it as you have described, but I wasn't completely sure if I was on the right path.