Problems while documenting the SOUPs used for the software we are developing

L

Luis Garc

Hello everyone

I am having problems while documenting the SOUPs used for the software we are developing,

Do you recommend it to dedicate an special document for the SOUP's and just do references in the other documents?

On the moment I have documented it, in the Software Architecture, since some of the SOUPS are some open source libraries, but what about the Operating System, or the database server?

Until now I have been reading th "Off-The-Shelf Software Use in Medical Devices" to have a better idea what are the suggestions from the FDA

Best regards
 
Y

yodon

Leader
Super Moderator
If you look at 62304, you see an expectation to address SOUP in:
* Software Development Plan (CM and integration / test)
* Risk Management Planning
* Software Requirements
* Architecture (in terms of functional and performance requirements & hw / sw support)
* Verification of the architecture
* Maintenance
* Risk Management
* Change Management
* Configuration Management (including identification)

So having a single, dedicated SOUP doc is probably not possible. We typically do have a single document dedicated to a specific SOUP item that covers the known issues part of risk management, the identification part of configuration management, and the functional requirements and interoperability requirements of the architecture (we also include a level of concern analysis to support a risk-based approach to management and control).

Other aspects are scattered throughout.

The maintenance part is, IMO, rather important and probably doesn't get the attention it deserves. This plays into all the surveillance activities, cybersecurity aspects, and, well, maintenance aspects. This is generally a sizeable section of our Maintenance Plan.
 
N

normzone

Trusted Information Resource
As a tyro, I had to go look that one up.

Wow, that SOUP sure covers a can of worms.

Wait .... does that sound like a recipe?

" SOUP stands for software of unknown (or uncertain) pedigree (or provenance), and is a term often used in the context of safety-critical and safety-involved systems such as medical software."
 
Y

yodon

Leader
Super Moderator
Mmm... worm SOUP.

Yes, it's a bit messy.

By the way, since SOUP can be an entry point for hackers, all SOUP in the application should be considered, not just that in safety-critical applications. Of course, greater risk --> higher levels of controls.
 
L

Luis Garc

Thank you so much for the help, basically I have documented as you have described, but I wasn't completely sure if I was on the right path.
 
You must log in or register to reply here.

Similar threads

D
SOUP soup
Replies
1
Views
568
yodon
Y
T
Risks related to Software of Unknown Provenance (SOUP)
Replies
6
Views
633
shimonv
shimonv
C
Can SaMD consist almost entirely of Software of Unknown Provenance (SOUP)?
Replies
4
Views
844
CharmaineK
C
J
IEC 62304, Multiple software systems in one medical device
Replies
6
Views
956
DanMann
D
S
QMS Development Question- Small Medical Device Manufacturer
Replies
9
Views
454
davishont02
D
Top Bottom