CROSSWALK

QMSR / ISO 13485 §820.50

Maps to

QMSR / ISO 13485: §820.50

ISO 13485: §7.4.1

IEC 62304: §5.3.3-5.3.4

Requirement text

The manufacturer shall identify all Software of Unknown Provenance (SOUP) items used in the medical device software and document their functional and performance requirements. For each SOUP item, the manufacturer shall specify the title, version, manufacturer, and the requirements that the SOUP item is expected to fulfill in the context of the medical device software.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Atomic constraints

  • All SOUP items (third-party libraries, open-source components, COTS software) must be identified and listed.
  • Each SOUP entry must include component name, version, manufacturer/maintainer, and license.
  • Functional requirements that each SOUP item is expected to fulfill must be documented.
  • Performance requirements (response time, throughput, resource usage) for each SOUP item must be specified where relevant.
  • The SOUP list must include both direct dependencies and significant transitive dependencies.
  • The SOUP list must be maintained and updated when components are added, removed, or updated.

Common gaps

SOUP list missing functional requirements and transitive dependencies

major

Manufacturers maintain component lists (name, version) but fail to document the functional and performance requirements each SOUP item must fulfill per IEC 62304 §5.3.3-5.3.4. Transitive dependencies and firmware-level SOUP are routinely omitted. The list diverges from deployed software because it is manually maintained.
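The atomic constraints above and this gap are checkable mechanically: compare the SOUP register against the dependency set the build system actually resolved, and flag missing fields, unlisted transitive components, version drift and stale entries. The following is an added example, not part of this crosswalk or of any manufacturer's tooling; the register layout, the field names (`functional_requirements`, `performance_requirements`), the resolved-dependency format and all component names and versions are constructed for illustration.

```python
"""Check a SOUP register against the IEC 62304 s5.3.3-5.3.4 fields and against
the dependency set actually resolved into the device software build.
Added example with constructed data; no real product or component is described."""

# Fields every SOUP entry must carry (constructed names; performance
# requirements are only required "where relevant", so they are not mandatory here).
REQUIRED_FIELDS = ("name", "version", "manufacturer", "license", "functional_requirements")

# Constructed SOUP register, the shape a manufacturer's SOUP List might take.
SOUP_REGISTER = [
    {"name": "libfoo", "version": "1.4.2", "manufacturer": "Foo Project", "license": "MIT",
     "functional_requirements": ["Parse HL7 v2 messages"],
     "performance_requirements": ["< 50 ms per message"]},
    {"name": "cryptolib", "version": "3.0.1", "manufacturer": "", "license": "Apache-2.0",
     "functional_requirements": []},          # manufacturer and requirements left empty on purpose
    {"name": "oldlib", "version": "2.0", "manufacturer": "Old Co", "license": "BSD-3-Clause",
     "functional_requirements": ["Legacy logging"]},  # no longer in the build
]

# Constructed output of the build's dependency resolver: name -> version, direct?, children.
RESOLVED_BUILD = {
    "libfoo":    {"version": "1.4.2", "direct": True,  "depends_on": ["zlibish"]},
    "cryptolib": {"version": "3.0.2", "direct": True,  "depends_on": []},
    "zlibish":   {"version": "0.9",   "direct": False, "depends_on": []},  # transitive, unlisted
}


def check_register(register, resolved):
    """Return sorted findings describing every way the register fails the constraints."""
    findings = []
    by_name = {entry["name"]: entry for entry in register}

    # 1. Every entry must carry the required fields with non-empty values.
    for entry in register:
        for field_name in REQUIRED_FIELDS:
            if not entry.get(field_name):
                findings.append(f"{entry['name']}: missing {field_name}")

    # 2. Every component in the build (direct or transitive) must be in the register,
    #    at the version that was actually built.
    for name, info in resolved.items():
        kind = "direct" if info["direct"] else "transitive"
        entry = by_name.get(name)
        if entry is None:
            findings.append(f"{name}: {kind} dependency in build but absent from SOUP register")
        elif entry["version"] != info["version"]:
            findings.append(f"{name}: register says {entry['version']}, build resolved {info['version']}")

    # 3. Register entries that no longer ship are stale and must be removed or justified.
    for name in by_name:
        if name not in resolved:
            findings.append(f"{name}: listed in SOUP register but not in build (stale entry)")

    return sorted(findings)


if __name__ == "__main__":
    for line in check_register(SOUP_REGISTER, RESOLVED_BUILD):
        print(line)
```

Running the check in CI against the resolver's real output is what keeps the register from becoming the "manually maintained" snapshot the gap describes; any finding fails the build until the register is corrected.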

Evidence signals

  • FILE_EXISTS

    SOUP.*List|SOUP.*Register|Third.*Party.*Component|Software.*Component|OTS.*Software|SOUP.*Management

  • CONTENT_MATCH

    Does this document list all SOUP (Software of Unknown Provenance) or third-party software components with their name, version, manufacturer, license, and the functional and performance requirements each component is expected to fulfill?

Audit defense

The SOUP List for [your product] (Doc ID: [your document ID]) identifies all third-party software components per IEC 62304 sections 5.3.3-5.3.4, documenting each component's name, version, supplier, license, and the functional/performance requirements it fulfills in our medical device software.

