“Software of unknown provenance (SOUP) – The first course of action”

By Scot Morrison

Today’s medical device manufacturers face several challenges: developing innovative devices connected to in-home, hospital, and office networks, making these devices faster and more customizable, and ensuring product safety and security. Medical device security and connectivity have become increasingly complex. Often, engineering projects are faced with several constraints and pressures, economic or otherwise. A powerful tool to resolve this conundrum can be a SOUP.

IEC 62304, the international standard that defines life cycle requirements for the development of medical software inside medical devices, defines SOUP as a “software item that is already developed and generally available, and that has not been developed for the purpose of being incorporated into the medical device (also known as “off-the-shelf software”) or a software item previously developed for which adequate records of the development process are not available”.

SOUP allows a medical device manufacturer to use uncertified software on a device as long as they fully consider the risks of using SOUP on their device and mitigate them appropriately based on the kinds of risks that a failure of the SOUP might expose a patient to. Beyond that, the manufacturer is required to consider the possibility that future issues might be identified in their SOUP and how they might manage these as-yet-unknown failures; these might be issues in the SOUP’s functionality or newly discovered security flaws in the SOUP. As a result, both the up-front quality of the SOUP and how that quality will be maintained must be considered before it is used.

Many medical device manufacturers are looking at Open-Source Software (OSS) such as Linux® to help them solve the many connectivity, security, and functionality requirements that are part of a modern medical device. Using this OSS is possible in many cases, but the device developer must treat it as SOUP. Not all OSS can satisfy the requirements to be used as SOUP, but major software packages such as the Linux kernel, OpenSSL™ or the libgcc library can be appropriate to use in these devices as long as potential failures are understood and mitigated.

Siemens Embedded has many facilities to help medical device manufacturers wade through these SOUP requirements for OSS, including professional product development and verification, services, security, defect monitoring and more, which help fulfill the requirements to use OSS as SOUP in a device. Most recently, Siemens has augmented these offerings with a package called the Linux® Quality Package to further answer regulators’ questions about the kinds of open-source software being used.

The information provided in the Linux Quality Package includes:

  • A history of Linux and other important OSS modules, and how they are developed and maintained by their communities. This helps to explain why these modules are of high quality even if they are not certified to a medical safety or security standard.
  • A mapping of both the community and Siemens Embedded practices to standards such as ISO 13485 and IEC 62304.
  • A security design guide mapping security best practices to the capabilities of Linux and major open-source modules such as OpenSSL.
  • Test plans and results for Siemens’ Sokol™ Linux products.

This information, combined with Siemens Embedded expertise, professional services, and post-release support for security issues such as those that come through the Common Vulnerabilities and Exposures (CVE) process, streamlines the justification for using Linux as SOUP in medical devices. This facilitates the risk management requirements of using this software, which in turn streamlines this part of regulatory approval.

All of this allows the device manufacturer to focus on the capabilities of the devices they’re working towards instead of worrying about those foundational capabilities that are required.

For more information, visit the new landing page on embedded software for medical device development at

This article first appeared on the Siemens Digital Industries Software blog at