SOUP (Software of Unknown Provenance) Anomaly Documentation

KrishQA

Starting to get Involved
#1
Hello all,

We are developing a class C medical device and have evaluated a list of SOUP anomalies from the manufacturer. Just want to know what is a typical way of documenting the list of anomalies that were evaluated.
  • Part of a risk analysis session?
  • Include the anomaly list in the architecture document?
  • Link the online SOUP list from manufacturer directly (this would be prone to change of links/reference)
Looking to see how you would document it best
 
Elsmar Forum Sponsor

shimonv

Trusted Information Resource
#2
Linking to an online SOUP resource is not a good idea and you have no control over.
What I've seen done a couple of times is SOUP report that includes, among others, a description of known defects.

Shimon
 

Tidge

Trusted Information Resource
#3
At a minimum, you should capture the known state of the SOUP at the time you implement it, including any published anomolies. As @shimonv hints, the online resource could evaporate leaving you with no records. It used to be the case that suppliers of SOUP-y things like chipset-specific compilers and libraries would remove all links and documentation for almost any reason: The chipset is no longer produced, the mfg has a new suite of tools, etc.

There are many possibilities as to "where" you want to keep a record of the review of SOUP anomalies. I hesitate to be prescriptive, but a simple answer is "however you handle the review of anomalies before launch... why not review the known SOUP anomalies the same way, but as a single unit?" (1) Different companies will take a different approach to maintaining the anomaly list (post-launch); most companies are uniform in their approach that closed/resolved anomalies are not kept on a post-launch anomaly list, but are instead archived as part of the development process. (2)

I cannot guarantee the behavior/expectations of any external reviewer when it comes to software; I've seen some that keep strictly to deliverables, I've seen others obsessed with seeing raw source code. My personal experience is that there is more variability among external reviewers of software (both in the development of software in devices, as well as software control of processes) than in any other compliance area.

(1) Anomaly tracking should include risk analysis for both open/closed anomalies, but not every software anomaly's risk analysis necessarily requires a line of analysis in a risk file. For example: during initial development, a piece of code that simply doesn't work and requires rework to meet a requirement wouldn't necessarily have or need a dedicated risk analysis line, as the risk is simply that requirements aren't met. If the code is used without rework and still doesn't meet requirements, that's a bigger issue as it is an unresolved anomaly which you'll be carrying forward.

(2) If there is a SOUP anomaly than contributes to risk (pre- or post-controls) I would expect it to be analyzed in a risk document such as a Software HA, especially as you have no control over the SOUP and don't have the option of 'fixing' it. If there is a SOUP anomaly cannot be resolved, then I would expect such a specific anomaly to carried forward on the post-launch anomaly list.
 
Thread starter Similar threads Forum Replies Date
J Custom Tools as SOUP? (Software of Unknown Provenance) IEC 62304 - Medical Device Software Life Cycle Processes 9
A OTS and SOUP Software Documentation Requirements Other US Medical Device Regulations 9
K IEC 62304 - Functional and performance requirements for SOUP items IEC 62304 - Medical Device Software Life Cycle Processes 2
F Firmware as SOUP - Sensor with third party produced firmware IEC 62304 - Medical Device Software Life Cycle Processes 2
K SDK: SOUP or not? IEC 62304 - Medical Device Software Life Cycle Processes 8
P SOUP anomaly evaluation for MMA (Mobile Medical Application) IEC 62304 clause 7.1.3 IEC 62304 - Medical Device Software Life Cycle Processes 6
J Converting SOUP to "SOKP" ... IEC 62304 - Medical Device Software Life Cycle Processes 1
U The Importance of Correct Sample Size Calculation - Greek Alphabet Soup Book, Video, Blog and Web Site Reviews and Recommendations 7
V Internal Audit Software IATF 16949 - Automotive Quality Systems Standard 5
Watchcat New Draft Guidance on Content of Premarket Submissions for Software Device "Functions" Other US Medical Device Regulations 2
Watchcat Software validation vs design V&V? Other US Medical Device Regulations 27
M Initial Importer/Distributor and Software Validation IEC 62304 - Medical Device Software Life Cycle Processes 1
F Configurator for a power unit - Software or other solution? Manufacturing and Related Processes 0
D Test Management Software Software Quality Assurance 1
E ISO 13485 software validation ISO 13485:2016 - Medical Device Quality Management Systems 7
D Tracking software versions used with instruments ISO 13485:2016 - Medical Device Quality Management Systems 0
dgrainger Informational MHRA's Software and AI as a Medical Device Change Programme UK Medical Device Regulations 0
S Do you follow your QMS for non-device software features? Medical Information Technology, Medical Software and Health Informatics 4
J Can we register non-device clinical decision support software under draft guidance? Other US Medical Device Regulations 5
I Software (SaMD) mobile application verification testing: objective evidence Medical Information Technology, Medical Software and Health Informatics 2
J EU equivalent to Clinical Decision Support Software EU Medical Device Regulations 3
Y ISO 13485:2015 Software Validation IQ/OQ/PQ ISO 13485:2016 - Medical Device Quality Management Systems 13
S Recommended software to send Quality scorecards to suppliers (external providers) Supplier Quality Assurance and other Supplier Issues 3
J Software as a Medical Device - SaMD IEC 62304 - Medical Device Software Life Cycle Processes 3
BeaBea QMS/ Training Management Software Service Industry Specific Topics 4
shimonv Working with a software developer who is not setup for IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 9
R Debug mode in software/device validation IEC 62304 - Medical Device Software Life Cycle Processes 2
Q Gage calibration / tracking software General Measurement Device and Calibration Topics 5
M Software verification and validation AS9100 AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
Y RT-qPCR Software result EU Medical Device Regulations 0
B A.I. diagnostic software is considered as medical device in FDA? US Food and Drug Administration (FDA) 6
F WANTED Senior Software engineer Career and Occupation Discussions 2
P Blood establishment computer software EU classification EU Medical Device Regulations 0
S Examples of FDA acceptable Software Design Specification (SDS) Medical Device and FDA Regulations and Standards News 6
D Integrated Management System Software Quality Manager and Management Related Issues 2
B Sampling strategies/techniques for software QA Software Quality Assurance 3
K MDCG-2020-3 (about the software of UI) EU Medical Device Regulations 3
D PFMEA Software search IATF 16949 - Automotive Quality Systems Standard 7
C MDR software classification EU Medical Device Regulations 12
H Class II a vs "software safety class A" IEC 62304 - Medical Device Software Life Cycle Processes 4
Z Software for design control ISO 13485:2016 - Medical Device Quality Management Systems 5
V Medical Device Literature Translation Software ISO 13485:2016 - Medical Device Quality Management Systems 1
D FDA Guidance on Computer Software Assurance versus 21 CFR Part 11 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
P Software verification and validation procedure IEC 62304 - Medical Device Software Life Cycle Processes 6
Aymaneh UDI-PI Software CE Marking (Conformité Européene) / CB Scheme 0
Q Software as a medical device vs software not sold as medical device: local regulations for sale? EU Medical Device Regulations 4
Y Software updates considered servicing (7.5.4) ISO 13485:2016 - Medical Device Quality Management Systems 4
S How to perform verification of the Statistical Analysis Software? Qualification and Validation (including 21 CFR Part 11) 7
I Document Control Software Document Control Systems, Procedures, Forms and Templates 2
E Software maintenance Process Software maintenance Process to IEC 6204? IEC 62304 - Medical Device Software Life Cycle Processes 3

Similar threads

Top Bottom