One key aspect of software lifecycle management under ISO 62304 is the handling of Software of Unknown Provenance (SOUP). SOUP refers to software components that are not developed by the manufacturer but are used within a medical device system. These can include third-party libraries, open-source software, or commercial software components. While SOUP can accelerate development, it also introduces risks related to safety, security, and compliance.

With the increasing connectivity of medical devices, cybersecurity has become a vital consideration in SOUP management. This blog post will explore the requirements for SOUP in ISO 62304, best practices for mitigating risks, and how cybersecurity ties into SOUP management for medical device software.

What is SOUP in ISO 62304?

Definition of SOUP

ISO 62304 defines SOUP (Software of Unknown Provenance) as any software that was not developed explicitly for the medical device but is used within it. This includes:

  • Third-party software components
  • Open-source software
  • Commercial off-the-shelf (COTS) software
  • Legacy software not developed under the current software development lifecycle (SDLC)

SOUP can introduce vulnerabilities if not properly managed, especially concerning functional safety, security risks, and regulatory compliance.

Why SOUP is Used

Using SOUP can provide several advantages:

  1. Reduces development time by leveraging pre-built components
  2. Access to well-tested functionality (e.g., cryptographic libraries, operating systems, UI frameworks)
  3. Cost efficiency as opposed to developing proprietary solutions

However, these benefits come with risks that must be assessed and mitigated as part of the medical device software lifecycle.

SOUP Management in ISO 62304

1. Identification of SOUP Components

ISO 62304 requires manufacturers to identify and document all SOUP components used within the software system. This includes:

  • Software name, version, and supplier details
  • Source (e.g., open-source, proprietary, third-party vendor)
  • Intended functionality and how it integrates with the medical device
  • Dependencies on other components

A comprehensive Software Bill of Materials (SBOM) should be maintained to track SOUP usage.

2. Risk Management for SOUP

A major requirement of ISO 62304 is conducting risk analysis on SOUP components. The risks associated with SOUP include:

  • Functionality Risks: Unexpected behavior in clinical environments
  • Security Risks: Potential cybersecurity vulnerabilities
  • Regulatory Risks: Non-compliance with medical device regulations
  • Software Interoperability Risks: Incompatibility with the main software system

The standard mandates:

  • Identifying potential hazards and failures caused by SOUP
  • Assessing the severity and probability of each risk
  • Implementing risk control measures, such as software isolation, version control, or continuous monitoring

3. Verification and Validation (V&V) of SOUP

Manufacturers must ensure that SOUP components function correctly within the medical device. This includes:

  • Conducting unit and integration testing for SOUP interactions
  • Performing static and dynamic code analysis
  • Ensuring compliance with ISO 14971 (Risk Management for Medical Devices)
  • Documenting test results and justifications for SOUP selection

4. Change Management and Maintenance

Since SOUP components are developed externally, they may be updated or deprecated by their providers. ISO 62304 requires:

  • Monitoring SOUP component updates for security patches and bug fixes
  • Conducting impact assessments before updating SOUP in the device software
  • Retesting and revalidating SOUP after changes are applied

A SOUP maintenance strategy should be in place to handle new releases, security patches, and obsolescence.

Cybersecurity Considerations in relation to SOUP Management

1. Threat Modeling and Vulnerability Analysis

ISO 62304 requires risk assessments, but cybersecurity-specific assessments should be performed under ISO 27001 (Information Security) and IEC 81001-5-1 (Health Software Cybersecurity). Manufacturers should:

  • Conduct threat modeling to identify potential attack vectors involving SOUP
  • Perform vulnerability analysis by checking each SOUP component and version against vulnerability databases such as CVE (Common Vulnerabilities and Exposures)
  • Address secure coding practices for SOUP integration

2. Software Patch Management & SOUP Management

Many SOUP components receive security patches over time. A proper patch management process should include:

  • Continuous monitoring for security updates from vendors or open-source communities
  • Evaluating regulatory impact before applying patches
  • Testing security patches in a controlled environment before deployment

3. Access Control and Hardening

To mitigate cybersecurity threats:

  • Apply least privilege principles to SOUP components
  • Disable unused features and APIs to reduce attack surfaces
  • Implement secure authentication and encryption for SOUP-integrated modules

4. Software Bill of Materials (SBOM) and Supply Chain Security

With increasing cybersecurity threats, maintaining an SBOM for all SOUP components is essential. This allows:

  • Tracking third-party software dependencies
  • Assessing supply chain security risks
  • Quickly identifying affected components during security incidents

Best Practices for SOUP Management

To effectively manage SOUP in compliance with ISO 62304 and cybersecurity requirements, organizations should:

  1. Establish a formal SOUP management process within the software lifecycle.
  2. Conduct rigorous risk assessments focusing on safety and cybersecurity.
  3. Maintain a comprehensive SBOM for all third-party components.
  4. Monitor regulatory and security updates continuously.
  5. Perform independent security testing on critical SOUP components.
  6. Implement a cybersecurity incident response plan to handle vulnerabilities.
  7. Ensure software traceability and documentation for audits and compliance.

Conclusions

SOUP management is an essential component of medical device software development under ISO 62304. While SOUP can accelerate innovation, it also introduces risks that must be carefully assessed and mitigated. In today's cybersecurity landscape, integrating cybersecurity best practices into SOUP management is no longer optional; it is a regulatory necessity.

By implementing robust risk management, continuous monitoring, and secure development practices, manufacturers can ensure that their medical device software remains safe, reliable, and compliant with ISO 62304 and other regulatory requirements. A proactive approach to SOUP management will not only help in achieving regulatory approvals but also in protecting patient safety and device security in an increasingly interconnected world.

4EasyReg is an online platform dedicated to Regulatory matters within the medical device, information security and AI-Based business.