IEC 62304 requires the documentation of SOUP, which stands for Software of Unknown Provenance. In simpler terms, these are third-party libraries integrated into your code, often listed in files such as `requirements.txt` or `Gemfile`.
Classes | IEC 62304:2006 Section | Document Section |
---|---|---|
B, C | 5.3.3 (Functional and Performance Requirements) | 2 |
B, C | 5.3.4 (Hardware and Software Requirements) | 2 |
B, C | 7.1.2 (Hazardous Situations) | 2 |
B, C | 7.1.3 (SOUP Anomaly Lists) | 2 |
A, B, C | 8.1.2 (Identify SOUP) | 2 |
1. Risk Level Definitions
IEC 62304 requires an evaluation of risks related to SOUP. One way to approach this is by classifying each SOUP according to its risk level. For most software development not involving high-risk scenarios, SOUP risk levels will typically be “low” or “medium”.
Risk Level | Definition |
---|---|
Low | Issues in SOUP are not capable of causing patient harm. |
Medium | Issues in SOUP could cause reversible harm to patients. |
High | Issues in SOUP could result in irreversible patient harm. |
2. SOUP List
This section is for the SOUP list. For each third-party library in use, add a corresponding entry in the table below. Maintain one comprehensive “global” SOUP list for the medical device, even if the code is distributed across different repositories. The “software system” column can be used to note the relevant (git) repository.
In line with IEC 62304, the requirements you specify for each SOUP must cover functional, performance, hardware, and software requirements. However, you may not need to restate common requirements that apply to all SOUP, such as “runs on Linux.” It’s best to keep requirements simple and clear, as if explaining to a development colleague why a specific library was included.
Remember, the focus is on the content (i.e., the columns below) rather than the format (Google Sheets, markdown, etc.). Choose a format that integrates seamlessly with your workflow, such as a markdown file in your git repository. Just ensure it can be exported for auditors.
ID | Software System | Package Name | Programming Language | Version | Website | Last Verified | Risk Level | Requirements | Verification Reasoning |
---|---|---|---|---|---|---|---|---|---|
1 | Mobile App | react-native | JavaScript | 0.61 | Link | 23.10.2020 | Low | * Runs JS on Android / iOS | Commonly used, maintained by a large organization, sufficient test coverage |
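If the SOUP list is kept as a markdown file next to the code, a small check can catch drift between it and the dependency file. The following is an added example, not part of the original template: the function names, the sample table rows and the sample `requirements.txt` content are constructed, and it assumes the Version column holds the exact pinned version.

```python
import re

RISK_LEVELS = {"Low", "Medium", "High"}  # the three levels defined in section 1
# Constructed sample inputs (not from a real project); all names are illustrative.
SOUP_MD = """\
ID | Software System | Package Name | Programming Language | Version | Website | Last Verified | Risk Level | Requirements | Verification Reasoning |
---|---|---|---|---|---|---|---|---|---|
1 | Backend | requests | Python | 2.31.0 | Link | 23.10.2020 | Low | * HTTP client | Commonly used |
2 | Backend | numpy | Python | 1.24.0 | Link | 23.10.2020 | Critical | * Array math | Commonly used |
"""
REQUIREMENTS_TXT = "requests==2.31.0\nnumpy==1.26.4  # pinned\npyyaml==6.0.1\n"

def parse_soup_table(md):
    """Return one dict per data row, keyed by the table's header names."""
    split = lambda l: [c.strip() for c in l.strip().rstrip("|").split("|")]
    header, _sep, *body = [split(l) for l in md.splitlines() if l.strip()]
    if any(len(r) != len(header) for r in body):
        raise ValueError("malformed SOUP row: column count differs from header")
    return [dict(zip(header, r)) for r in body]

def parse_requirements(text):
    """Return {package: version} for pinned 'name==version' lines; others are ignored."""
    pins = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9._-]+)==([^\s;]+)", line.split("#", 1)[0].strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def check_soup(md, requirements):
    """Compare the dependency file with the SOUP list; return sorted findings."""
    soup = {r["Package Name"].lower(): r for r in parse_soup_table(md)}
    findings = []
    for name, version in parse_requirements(requirements).items():
        if name not in soup:
            findings.append(f"{name}: not in SOUP list")
        elif soup[name]["Version"] != version:  # assumption: exact string match
            findings.append(f"{name}: SOUP list has {soup[name]['Version']}, pinned version is {version}")
    for name, row in soup.items():
        if row["Risk Level"] not in RISK_LEVELS:
            findings.append(f"{name}: unknown risk level {row['Risk Level']!r}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_soup(SOUP_MD, REQUIREMENTS_TXT)))
```

Run in CI, a non-empty result means the SOUP list needs an update before the change is merged.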