SOUP Evaluation Checklist for IEC 62304 Compliance

Software of Unknown Provenance (SOUP) evaluation is a critical part of IEC 62304 compliance. This checklist ensures thorough evaluation of all third-party components.

What is SOUP?

SOUP refers to software that is used in a medical device but was not developed specifically for that purpose. This includes:

• Open source libraries
• Commercial off-the-shelf (COTS) software
• Legacy code
• Third-party SDKs and frameworks

SOUP Evaluation Process

1. Identification

• List all third-party software components
• Identify version numbers
• Document source and license information

2. Functional Requirements

• Define what functionality the SOUP provides
• Document interfaces with your software
• Identify dependencies

3. Known Anomalies

• Review known bugs and limitations
• Document workarounds
• Assess impact on device safety

4. System Requirements

• Hardware requirements
• Operating system compatibility
• Environmental constraints

5. Segregation from Other Systems

• Security boundaries
• Data isolation
• Network segregation requirements

Risk Assessment

Evaluate risks associated with:

• SOUP failures or malfunctions
• Known anomalies
• Security vulnerabilities
• Maintenance and support availability

Documentation Requirements

Your SOUP management file should include:

1. SOUP list with versions
2. Functional requirements
3. Hardware/software requirements
4. Known anomalies
5. Risk assessment
6. Verification activities
7. Configuration management procedures

Common SOUP Components

Operating Systems: Windows, Linux, iOS, Android

Frameworks: React, Angular, .NET, Spring

Libraries: OpenSSL, SQLite, TensorFlow

Development Tools: Compilers, IDEs, version control

Ongoing Management

SOUP evaluation is not a one-time activity:

• Monitor security advisories
• Track version updates
• Re-evaluate when updating SOUP
• Maintain traceability

Managing multiple SOUP components? Captain Compliant helps track and evaluate your software supply chain.