Risk Management of Off-The-Shelf (OTS) Software

April 2, 2024

Your software is likely to contain a number of components, items, packages, libraries, etc. not developed directly by your company. It may include open-source or purchased software. Unless you have a very close relationship with the developer and access to the source code, these components are black boxes for you.

According to IEC 62304, the definition of SOUP (software of unknown provenance) is “SOFTWARE ITEM that is already developed and generally available and that has not been developed for the purpose of being incorporated into the MEDICAL DEVICE (also known as “off-the-shelf software”) or SOFTWARE ITEM previously developed for which adequate records of the development PROCESSES are not available”.

Any component that is not developed according to IEC 62304 can be considered SOUP, which is the vast majority of OTS software.

Now, you need to include these components into your Risk Management File.

What is the best approach?

We have already discussed the general process for software risk analysis in a previous post, and the same applies for SOUP components. In addition, IEC 62304 requires a company to at a minimum “evaluate published SOUP anomaly lists” (you can consider anomaly = bug).

Note: if the developer has not provided a list of known bugs, it may mean that the maturity of the company behind it is not great.

Top-Down Approach

For this approach remember, that you will not do a Hazard Analysis for a SOUP component only. You will need to understand that SOUP failures are accounted for as causes of a higher level software system failure.

Advantages:

  • It requires little knowledge of the SOUP items;
  • It naturally fits into the existing risk analysis documents.

Disadvantages:

  • It is easy to miss some SOUP failure modes if they do not fit into the existing cause-event analyses.

Bottom-Up Approach – FMEA

For complex systems, large number of SOUP items or high risk devices, it is advisable to use a bottom-up approach to analyse SOUP.

This means having each SOUP item as a component entry in a risk analysis, like other software items and components. In certain cases, a separate SOUP FMEA may be a good idea.

Advantages:

  • Exhaustive approach;
  • Easy fit for known bugs/anomalies.

Disadvantages:

  • More burdensome than a top-down approach, leading potentially to duplications.

Conclusion

SOUP items are integral part of any modern software product, but they must be assessed adequately as unpredicted failures may lead to dire consequences.

You can also apply the Benefit-Risk assessment to determine whether it is worth developing a component in-house rather than purchasing it.

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

13485 implementation guide
Picture of Marion Lepmets

Marion Lepmets

CEO
December 18, 2024

The Internet is full of articles about the implementation of ISO 13485. They talk about “Getting management support”, “Obtain The Documents And Study The Requirements”, “Develop An Implementation Plan”, “Evolution of a Quality Management System”, and other seemingly complex topics. Although comprehensive, most of these articles are self-serving, aimed at...

SaMD Guide to Compliance
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
December 3, 2024

Introduction The first contact with the Medical Device regulatory world is a shock for most startups. These companies usually have excellent technical and clinical ideas on how to improve the patient’s life, but little knowledge of the legal burdens required to bring the medical device to the market. The technical...

e-signature
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
November 26, 2024

What is an “Electronic Signature”? Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. (21 CFR 11.3) In other words, to Electronically Sign a document means to...