SOUP is an acronym for "Software of Unknown Provenance". The IEC 62304 defines a SOUP as follows:
„SOFTWARE ITEM that is already developed and generally available and that has not been developed for the purpose of being incorporated into the MEDICAL DEVICE (also known as “off- the-shelf software”) or SOFTWARE ITEM previously developed for which adequate records of the development PROCESSES are not available“
Source: IEC 62304 3.29
Please mind, that the term SOUP is not quite equivalent to the term OTS of the FDA.
It’s exactly these three terms which confuse many manufacturers of medical devices that contain software or standalone software, namely COTS, OTS and SOUP. These terms are not entirely congruent.
There are software components that are SOUP but not OTS and vice versa.
The FDA, which defines the term OTS(S), and IEC 62304, from which the term SOUP originates, also have different approaches when it comes to dealing with these components. These differences include:
How do you deal with software that has already included components, that manufacturers get from third parties?
Components such as:
Johner Institute does not recommend treating this software as SOUP, for the following reasons:
The question of whether software within hardware components is a SOUP, is a question we get a lot from manufacturers who define the totality of all software in a medical device as the software system. But we advise against it. You should define a software system as the totality of software within a processor- or storage system.
In medical devices there can be several software systems: At least one per PESS (programmable electrical subsystem). Why should you want to split it, we reveal, among others thing, in the e-learning library.
The following criteria may be relevant when selecting a SOUP manufacturer or a SOUP:
Create a value benefit analysis and weigh the criteria specifically for your situation and application.
The IEC 62304 treats SOUP as software components. The manufacturer must specify the requirements for the SOUP and test their performance (like for any other component).
In addition, to "normal" components, manufacturers must also specify the preconditions with respect to resources (RAM, CPU, ...) or to the operating system.
In order to implement the requirements of the IEC 62304, the Johner Institute recommends that the SOUPs are documented (e.g. in tabular form) based on the following parameters:
The question often arises: Would it not be better to take a certified SOUP? There would be, for example, manufacturers of operating systems that would offer something like this.
A SOUP manufacturer must not comply with any medical device regulation, as they are not a manufacturer placing medical devices into the market. Of course, it would make sense to select a SOUP manufacturer, from which one can assume that he is developing software professionally.
It is questionable that there are products marketed as IEC 62304 compliant because the IEC 62304 is a process standard and not a product standard. This means that one can only get certified if one remains compliant with the standard. But this doesn’t say anything about the quality of the product.
We even consider this form of advertising / communication to be misleading.