OpenRegulatory
⌘J Log in Get started for free

Template: SOUP List (Software of Unknown Provenance)

Dr. Oliver Eidel IEC 62304 Templates Published June 09, 2022 OTS Software , SOUP

Template Download

This is a free template, provided by OpenRegulatory.
If you are a user of Formwork, our eQMS software, you can save a lot of time by choosing “QMS” on the top menu and “OpenRegulatory Templates” on the left menu, then opening the relevant folder to find this template ready to load into Formwork.

If, for some mysterious reason, you're using a different QMS software, you can also simply download this template – specifically, as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don't remove the copyright at the bottom, don't re-use this for commercial purposes).

Download Word File DOCX
Download PDF PDF
Download HTML (Google Docs) HTML
Download Markdown MD

Lost In Regulation? We're here to help.

Unsure how to get started and how to get your EU MDR medical device certified?
We've already helped 100+ companies with their MDR compliance.
Take a look at our services and book a free 30-minute consulting call.

Chat with us now → View Services & Pricing →
Document Template
Dr. Oliver Eidel

IEC 62304:2006 Mapping of Requirements to Documents

Dr. Oliver Eidel
updated about 1 year ago
A

How to document SOUP for IEC 62304 compliance?

Anonymous
updated about 1 year ago
Our python backend contains lots of dependencies, for example flask and the requests library. According to the IEC 62304, third-party dependencies are “SOUP” and must be documented. We have no idea ho
Dr. Oliver Eidel

Accepted answer

You need to create a list of your dependencies. That list can be a spreadsheet, a markdown file, or pretty much anything else which you can save as do

Document Template
Dr. Oliver Eidel

Software Development and Maintenance Plan

Dr. Oliver Eidel
updated 9 months ago

Template Preview

SOUP List (Software of Unknown Provenance)

The 62304 requires you to document your SOUP, which is short for Software of Unknown Provenance. In human
language, those are the third-party libraries you're using in your code, typically in your
requirements.txt or Gemfile.

Classes IEC 62304:2006 Section Document Section
B, C 5.3.3 (Functional and Performance Requirements) 2
B, C 5.3.4 (Hardware and Software Requirements) 2
B, C 7.1.2 (Hazardous Situations) 2
B, C 7.1.3 (SOUP Anomaly Lists) 2
A, B, C 8.1.2 (Identify SOUP) 2

1 Risk Level Definitions

The 62304 requires you to assess risks associated with SOUP. The simplest way to do this is to classify each
SOUP as a certain risk level. Unless you're developing software which shoots radiation at patients, it's
likely that your SOUP risk levels remain "low" or "medium".

Risk Level Definition
Low Malfunction in SOUP can't lead to patient harm.
Medium Malfunction in SOUP can lead to reversible patient harm.
High Malfunction in SOUP can lead to irreversible patient harm.

2 SOUP List

This is the actual SOUP list. For each third-party library you use, add an entry in the table below. The
idea is to only have one "global" SOUP list for your medical device even though the code may actually live
in multiple repositories. That's what the "software system" column is for; you could also mention your (git)
repository there.

When specifying requirements, the 62304 requires you to mention functional, performance, hard- and software
requirements. However, you may not have to re-state certain requirements if they apply to all SOUP,
e.g., "runs on Linux". So prefer to keep the requirements simple, in a way in which you would communicate them
to colleagues on your development team when answering the question "why did we import this library?".

As with all templates: It's more about the content (i.e., the columns you see below) than the tool (filling
this out in Google sheets / markdown / wherever). Nobody says that you have to maintain this as a Google
sheet. If you can find a way to integrate this in your workflow in a better way, e.g., in a markdown file in
your git repository, go for it! Just keep in mind that you need to be able to export it to send it to
auditors.

ID Software System Package Name Programming Language Version Website Last verified at Risk Level Requirements Verification Reasoning
1 Mobile App react-native JavaScript 0.61 Link 23.10.2020 Low * Runs JS on Android / iOS Commonly used, maintained by a large organisation, sufficient test coverage

Template Copyright openregulatory.com. See template
license.

Please don't remove this notice even if you've modified contents of this template.

Dr. Oliver Eidel avatar

Dr. Oliver Eidel

I’m a medical doctor, software engineer and regulatory dude. I’m also the founder of OpenRegulatory.

Through OpenRegulatory, I’ve helped 100+ companies with their medical device compliance. While it’s also my job that we stay profitable, I try to dedicate a lot of my time towards writing free content like our articles and templates. Maybe that will make consulting unnecessary some day? :)

If you’re still lost and have further questions, reach out any time!
More about me