SOUP Software Definition and a Guide to Software Regulations of Unknown Provenance
SOUP, or Software of Unknown Provenance, is any piece of software used in a medical device that wasn’t developed for use in a medical device (i.e. under 62304) or for which such documentation doesn’t exist. Examples include:
- Open Source Software
- Cloud Software
- Commercial libraries
- Third-party libraries for IoT (e.g. printer software, software on display)
IEC 62304 defines Software of Unknown Provenance (SOUP)
A software item that is already developed and generally available and that has not been developed for the purpose of being incorporated into the medical device (also known as “off- the-shelf software”) or software previously developed for which adequate records of the development processes are not available.
Why should Med Tech Companies Report on & Manage Software of Unknown Provenance (SOUP)?
SOUP (and, as a result, any third-party software) is outside of the software manufacturer's control. As a result, it can adversely affect the product and/or the infrastructure of the regulated application it is being produced in. Reliability, cyber, and other risk factors can negatively affect safety. As a result, medical software manufacturers are told in numerous guidances that SOUP, and especially third-party software, isn’t secure without proper procedures, including risk assessment and validation.
What is Off-The-Shelf (OTS/COTS) Software?
A software item that is commercially available to developers for purchase that can be modified to fit the user’s needs rather than build software from scratch.
OTS stands for "Off-The-Shelf" and it refers to a type of software product that is commercially available and can be purchased or used without significant modification. In the context of medical devices, the US Food and Drug Administration (FDA) classifies OTS software as a type of pre-made software that can be used as a component in the development of a medical device software product. Manufacturers want to use as much OTS software as possible in their applications, to avoid developing product features that are already easily available.
The FDA requires that OTS software used in medical devices meet the same regulatory requirements as other types of software, such as custom software, and must be validated to ensure it is safe and effective for use in healthcare applications. This may involve reviewing the vendor's software development process, testing the software, and verifying that it meets regulatory standards. The use of OTS software in medical devices can reduce the development time and costs associated with creating a custom software solution, but it also requires careful selection and management of the OTS software components to ensure they meet regulatory requirements.
The future of SOUP management in medical environments
The use of SOUP and OTS software in regulated medical applications offers numerous benefits, including improved efficiency, reduced errors, and increased patient outcomes, as more functionality is available. However, it is essential to ensure that these programs are used in a manner that complies with relevant regulations and standards. This means that the software must be validated and verified to meet the necessary requirements, and any changes to the software must be thoroughly tested and documented. By taking the necessary steps to ensure compliance, healthcare providers can effectively utilize the benefits of these software programs while maintaining the highest level of patient safety. Integrating SOUP and OTS technology in the medical industry represents a significant step forward. With proper implementation, it has the potential to significantly enhance the delivery of healthcare services. In an upcoming blog post, we will discuss in more detail how to integrate SOUP and OTS into regulated applications, and the type of lifecycle processes manufacturers need to take to achieve that.
Managing SOUP with a software bill of materials (SBOM)
The FDA states that all organizations must “provide to the Secretary a software bill of materials, including commercial, SOUP, and off-the-shelf software components.” The software bill of materials is a constantly changing list of open source software that provides a bird's eye view and tracks each software item you bring into your medical device. With the ideal SBOM, developers always know what they are using and can react to changes and risks as they occur rather than hunting them down after damage has been done. Read more about, and how to produce, the FDA required SBOM here.