Understanding SOUP Software in Medical Device Development


In the realm of medical device software development, understanding the nuances and compliance requirements of SOUP (Software of Unknown Provenance or Pedigree) is crucial.

SOUP plays a pivotal role in the development lifecycle but also brings with it a set of challenges that must be carefully managed.

This blog delves into what constitutes SOUP, its applications in medical devices, and the essential standards like IEC 62304 that govern its use.

What is SOUP?

During the design phase, medical product designers can develop the software from scratch and control every part of it, rely on existing software building blocks, or combine both approaches.

As medical products grow more complex, with increasingly advanced human-machine interfaces and connectivity needs, there is a growing need to integrate software that is already available.

Most of the software available has not been developed following medical processes and is not medically certified, but it can still be integrated into medical products by following clear rules. This software, which was not originally developed for integration into a medical environment, is considered SOUP.

Examples of SOUP

  • Graphical frameworks enabling the development of HMI on medical products.
  • Libraries accelerating the development of features.
  • Drivers or system components managing system resources and hardware interfaces.

Integration of SOUP in a medical product

The choice to integrate a SOUP into a medical product must be carefully considered and requires dedicated management.

Our recommendations for choosing the integration of a SOUP are as follows:

  • We recommend restricting the use of SOUPs to the least essential parts of the medical product as much as possible. The parts of the product delivering treatment and monitoring a patient’s vital signs are more appropriate for hardware and software designed with medical processes while the human-machine interface can rely on SOUPs.
  • We recommend keeping the number of libraries to a minimum. Avoid libraries that include many functions, some of which are not used.
  • We recommend that you restrict yourself to open-source libraries when dealing with SOUP. This allows you both to carry out more in-depth risk analyses and to improve, if necessary, the integration and testing capabilities of these SOUPs.
  • We recommend choosing active and properly maintained software. This will be essential for you to correctly fulfil the requirements of IEC 62304 and also to respond to the increasingly important challenges linked, for example, to cybersecurity.

Navigating Compliance with IEC 62304

The IEC 62304 standard outlines life cycle requirements for medical device software, providing a framework to manage SOUP.

Compliance involves:

  • Reviewing the impact of the SOUP on your whole software by executing a risk analysis
  • Implementing solutions to mitigate the risks identified in the integration of the SOUP
  • Monitoring the evolution of versions and the SOUP changelog
  • Monitoring the bug reports associated with the SOUP

These prerequisites require advanced skills whether in the design, execution or maintenance of the software integrating SOUPs:

  • System Architecture & Analysis: Expertise in system architecture and code analysis across software systems (OS, drivers, applications, UI) ensures optimal integration of SOUP (Software of Unknown Pedigree) for each context.
  • Development & Validation: Broad development skills enable adaptation and validation of SOUP integration using tools like static code analysis, code reviews, and both automatic and manual testing.
  • Monitoring & Maintenance: Advanced knowledge of software mechanisms aids in assessing risks of SOUP updates. Experience in software maintenance helps address emerging cybersecurity requirements while maintaining functional software.

Witekio: Your Trusted Partner in Medical Software Development

Witekio brings comprehensive expertise in medical software development, ensuring compliance with IEC 62304 and addressing future challenges like cybersecurity and internal product updates.

Why Witekio?

  • Proven Experience: With 21 years of designing software systems from chip to cloud, including BSP, application, and UI, we understand the intricacies of integrating SOUP software into any ecosystem.
  • Versatile Solutions: Our software platforms are designed for diverse contexts, facilitating seamless integration and minimizing system impacts.
  • Automated Testing: Our test teams utilize automated tools, including our own Embedded Kit – Pluma, ensuring continuous issue checking throughout development.
  • Cybersecurity Readiness: Anticipating the Cyber Resilience Act, we proactively monitor and maintain numerous projects using our Embedded Kit – CVE Scan to address bugs and vulnerabilities.
  • Regulatory Expertise: We have contributed to the development of a host of medical products, complying with FDA and IEC 62304 (Class A, B, and C).

How We Can Help:

Witekio supports you whether your medical software integrates SOUPs or not, ensuring robust and compliant development tailored to your needs.

  • Medical Product Design: Addressing software needs and constraints.
  • Software Design: Selecting and integrating SOUPs based on your specific context.
  • Risk Analysis: Conducting impact analyses focused on integrated SOUPs.
  • Software Development: Enhancing and integrating SOUPs while adhering to risk analysis constraints.
  • Compliance Setup: Creating the software environment for IEC 62304 compliance and automated development proofs.
  • Maintenance: Managing updates and cybersecurity requirements per CRA standards.

Pierre Lecomte - Solutions Manager
31 May 2024