Quality Management 3 answers

How do you assess and qualify SOUP suppliers, and how do you determine their criticality?

Anonymous · Published January 27, 2026 · 1 comment
Do you assess and qualify suppliers of SOUP (Software of Unknown Provenance)? For example, some SOUP items like cloud infrastructure can directly impact product safety and performance and are included on our approved supplier list, but other SOUP items like programming languages and libraries seem to fall into a grey area. How do you categorize the criticality of different SOUP items, and what is your approach to supplier qualification and control for these?
Thank you in advance!


Anonymous 5 months ago
This is a nuanced area—cloud infrastructure and libraries may be viewed differently by auditors.


3 Answers

Accepted answer: Dr. Oliver Eidel (Founder & CEO, OpenRegulatory)
In our implementation, SOUP suppliers are not added to the main supplier list. Instead, our supplier selection procedure describes how we control suppliers, including SOUP suppliers. Each SOUP item is controlled individually, and we perform reviews when upgrading SOUP items (for example, security reviews on the SOUP supplier).
Similarly, suppliers of tools aren't always handled through the supplier selection process, but the tools themselves are controlled and this approach is also explained in our procedure.
If a tool or SOUP item is custom-made for us, or adapted specifically for our use, then we formally select and monitor that supplier.


Anonymous
This is a tricky topic. In our case, we chose not to include cloud infrastructure in our SOUP list because these services don't have version numbers like typical software components. Instead, we treat cloud infrastructure more like a utility provider (e.g., electricity)—it's critical, but not versioned as a software dependency.


Anonymous
We initially listed SOUP suppliers in our supplier list, but during an audit we learned this isn't necessary. As long as you have sufficient control over your SOUP items (e.g., evaluating them during PMS activities), that's considered adequate. Our approach is simple—we control SOUPs via tools like dependabot on git and npm audit, though our documentation for this could be better.
