All terms
Software of Unknown Provenance
Software not developed for medical device use, or lacking adequate development records, incorporated into a device.
Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026
Definition
Per IEC 62304 clause 3.29, SOUP is a software item that is already developed and generally available and that has not been developed for the purpose of being incorporated into the medical device (also known as OTS - off-the-shelf software), or a software item previously developed for which adequate records of the development processes are not available. Common examples: operating systems, compilers, open-source libraries, third-party SDKs, and firmware components. What the regulation says
Regulators view Software of Unknown Provenance (SOUP) as a critical component requiring stringent controls due to its potential impact on medical device safety and effectiveness. Standards like IEC 62304:2006+A1:2015, "Medical device software, Software life cycle processes," specifically address SOUP, outlining requirements for its identification, risk management, and documentation within the medical device software life cycle. The FDA also emphasizes the importance of managing off-the-shelf software, which includes SOUP, in its guidance documents regarding premarket submissions for medical devices.What this means in practice
IEC 62304 clauses 5.3.3, 5.3.4, 7.1.2, and 7.1.3 impose specific obligations: identify the SOUP item (title, version, manufacturer), specify functional and performance requirements, document hardware and software requirements, evaluate anomaly lists published by the SOUP supplier, and address SOUP-related hazards in the risk file. FDA's 2023 Cybersecurity in Medical Devices guidance and Section 524B further require every SOUP component to appear in the SBOM (SPDX or CycloneDX), be monitored for vulnerabilities throughout the device lifecycle, and have a coordinated disclosure and patch plan. Notified Bodies routinely audit SOUP evaluation as part of QMS surveillance.Examples
- Linux kernel in a bedside monitor: SOUP requiring version pinning, CVE monitoring, and hazard analysis of relied-upon kernel features.
- OpenSSL used for TLS: SOUP that must be tracked in the SBOM with active vulnerability monitoring (Heartbleed-class risks).
- A commercial DICOM library: SOUP with functional requirements documented against the vendor's release notes and known anomaly list.
- A Python numerical library (NumPy) used in an image-analysis SaMD: SOUP requiring documented rationale for numerical accuracy in the intended clinical range.
Common pitfalls
- •Listing SOUP only in the SBOM but not evaluating anomaly lists or writing SOUP-specific requirements. IEC 62304 requires both.
- •Treating an internally reused legacy component as 'in-house' when development records are inadequate - it is SOUP by definition.
- •Not re-evaluating SOUP after a version bump. Any SOUP change triggers a change impact analysis under IEC 62304 clause 6.
- •Missing SOUP in Class C software items where clause 5.3.4 requires additional performance requirements and hardware requirements to be specified.
- •Assuming an FDA-cleared SOUP inherits regulatory status - it does not; the device manufacturer remains responsible.
Frequently asked questions
Almost always yes. Even if source is available, it typically was not developed for medical device use and lacks lifecycle records meeting IEC 62304. The exception is when the manufacturer takes it in-house and applies the full IEC 62304 process including retrospective evidence.
Cross-references
Used by
Related terms
Shared paths + categorySoftware & AI
Software Safety Classification
IEC 62304 classes A, B, C reflecting potential harm from software failure.
SaMD & AI/ML Devices · adjacentSoftware Team Onboarding · adjacent
Standards
IEC 62304
Lifecycle requirements for medical device software.
SaMD & AI/ML DevicesSoftware Team Onboarding
Cybersecurity
Section 524B of the FD&C Act(524B)
The federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.
Software Team Onboarding
Cybersecurity
Software Bill of Materials(SBOM)
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
Software Team Onboarding
Cybersecurity
CycloneDX
A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
Cybersecurity
SPDX(SPDX)
An open SBOM and license-data format published as ISO/IEC 5962:2021.
Latest in MedTech
Primary references
3 sourcesLink health: 3 verified· last checked 2026-06-20
ISO·1FDA·1MDCG·1
- 1IEC 62304:2006/AMD1:2015VerifiedISOiso.org
- 2FDA Cybersecurity in Medical Devices (2023)VerifiedFDAfda.gov
- 3MDCG Software GuidanceVerifiedMDCGhealth.ec.europa.eu
Inline markers like [1] jump to the matching reference above.