Home
>
Articles

The how and the what of external software components (SOUP or OTS software) in medical devices

March 23, 2026

Currently, when developing software for medical devices, there are two sets of rules that deal with external software components: IEC 62304 and the FDA guidance from 2019 (‘Off-The-Shelf Software Use in Medical Devices’).

Definitions: SOUP vs OTS

IEC 62304 defines SOUP as follows:

So it’s really part of the software – a package, a dependency, a module linked in.

The FDA casts a wider net with their definition of Off-The-Shelf software (OTS):

Software Safety Classification (IEC 62304)

IEC 62304 has Software Safety Classifications for each medical device software – A, B and C. This also defines the level of documentation required for SOUP’s.

Documentation Requirements

SOUP documentation requirements for IEC 62304:

Title A,B,C
Manufacturer A,B,C
Unique designator (version number) A,B,C
Functional Requirements B,C
Performance requirements B,C
Software required B,C
Hardware required B,C

FDA 2019 documentation requirements:

Minor Level of Concern before mitigations Minor Level of Concern after mitigations Moderate Level of Concern Major Level of Concern after mitigations
Hazard Analysis Hazard Analysis Hazard Analysis Hazard Analysis
Basic Documentation Basic Documentation Basic Documentation Basic Documentation
Hazard Mitigations Hazard Mitigations Hazard Mitigations
Describe and Justify Residual Risk Describe and Justify Residual Risk
Special Documentation

You see the documentation burden increase based on the risk level. This makes sense – the more there’s at stake (in terms of patient safety), the more careful we are.

Workload Implications

In the case of IEC 62304, you can imagine having to spend maybe half an hour per SOUP on documentation. Modern apps can have anything between 20 and 200 dependencies, so the workload can be up to 100 hours or 2.5 weeks.

For the FDA, the workload increases considerably. Basic Documentation overlaps with the 62304 documentation mostly. A Hazard Analysis can also be quite simple. But doing full blown risk management is a lot more work, as is the Special Documentation. This can easily take a few days per OTS.

Real-World Observation

As a consultant, I have peeked into many companies’ software documentation. SOUP and OTS documentation is rarely 100% compliant, and often our team ends up doing the heavy lifting of getting all that documentation in place.

Related articles

Reliability in medical devices

March 24, 2026

What reliability really means in medical devices—and why it goes beyond trust, safety, quality, and regulation. A clear breakdown of how reliable systems are defined and evaluated in practice.

Read More »

The pros and cons of current regulations on using external software components in medical device software (SOUP or OTS)

March 25, 2026

Strict medical software regulations are slowing down updates and innovation — especially for widely used open-source components.

Read More »