Updated May 18, 2022

Template: SOUP List (Software of Unknown Provenance)

Dr. Oliver Eidel

Template Download

This is a free template, provided by OpenRegulatory.

You can download it as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don't remove the copyright at the bottom).

Word

PDF

GDocs

Markdown

Don't Miss Updates to This Template

Subscribe to our newsletter and we'll keep you posted on which templates we've changed.

Questions? Still Lost in Regulation?

Good news! Our goal is to provide lots of stuff for free, but we also offer consulting if you need a more hands-on approach. We get stuff done really fast. Have a look!

Related Articles

We've mentioned this template in the following articles. Read them to get a better understanding of how to fill it out! :)

Related Documents

The following templates are Documents or SOPs related to this template. That means that they mention this template somewhere and (most likely) contain instructions on how and when to fill it out.

Template preview

SOUP List (Software of Unknown Provenance)

The 62304 requires you to document your SOUP, which is short for Software of Unknown Provenance. In human language, those are the third-party libraries you’re using in your code, typically in your requirements.txt or Gemfile.

Classes IEC 62304:2006 Section Document Section
B, C 5.3.3 (Functional and Performance Requirements) 2
B, C 5.3.4 (Hardware and Software Requirements) 2
B, C 7.1.2 (Hazardous Situations) 2
B, C 7.1.3 (SOUP Anomaly Lists) 2
A, B, C 8.1.2 (Identify SOUP) 2

1 Risk Level Definitions

The 62304 requires you to assess risks associated with SOUP. The simplest way to do this is to classify each SOUP as a certain risk level. Unless you’re developing software which shoots radiation at patients, it’s likely that your SOUP risk levels remain “low” or “medium”.

Risk Level Definition
Low Malfunction in SOUP can’t lead to patient harm.
Medium Malfunction in SOUP can lead to reversible patient harm.
High Malfunction in SOUP can lead to irreversible patient harm.

2 SOUP List

This is the actual SOUP list. For each third-party library you use, add an entry in the table below. The idea is to only have one “global” SOUP list for your medical device even though the code may actually live in multiple repositories. That’s what the “software system” column is for; you could also mention your (git) repository there.

When specifying requirements, the 62304 requires you to mention functional, performance, hard- and software requirements. However, you may not have to re-state certain requirements if they apply to all SOUP, e.g. “runs on linux”. So prefer to keep the requirements simple, in a way in which you would communicate it to colleages on your development team when answering the question “why did we import this library?”.

As with all templates: It’s more about the content (i.e. the columns you see below) than the tool (filling this out in google sheets / markdown / wherever). Nobody says that you have to maintain this as a google sheet. If you can find a way to integrate this in your workflow in a better way, e.g. in a markdown file in your git repository, go for it! Just keep in mind that you need to be able to export it to send it to auditors.

ID Software System Package Name Programming Language Version Website Last verified at Risk Level Requirements Verification Reasoning
1 Mobile App react-native JavaScript 0.61 Link 23.10.2020 Low * Runs JS on Android / iOS Commonly used, maintained by large organisation, sufficient test coverage

Template Copyright openregulatory.com. See template license.

Please don’t remove this notice even if you’ve modified contents of this template.

No Cookie For You Privacy Policy Imprint
No QMS on this planet will save you from creating crappy software.