Maps to
QMSR / ISO 13485: §820.30(g)
ISO 14971: §5.4
IEC 62304: §5.3.3
Requirement text
The manufacturer shall evaluate the risk associated with each SOUP item, including assessment of known anomalies (published bugs, errata, known limitations) and their potential impact on the medical device software. The risk assessment shall consider the SOUP item's safety classification contribution, its known anomaly list, and the adequacy of documentation and community/vendor support.
What changed
The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (PATCH Act, effective October 1, 2023).
Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, connects to the internet (directly or indirectly), or could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.
FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.
Atomic constraints
- Each SOUP item must have a documented risk assessment considering its contribution to device safety.
- Known anomalies (published bugs, errata, security advisories) for each SOUP item must be evaluated.
- The potential impact of each known anomaly on the medical device software must be assessed.
- SOUP items contributing to safety-critical functions must receive enhanced scrutiny and documentation.
- The adequacy of vendor/community support and documentation must be evaluated as a risk factor.
- SOUP risk assessment must be integrated with the ISO 14971 risk management process.
Common gaps
SOUP risk assessment ignores known anomalies for specific versions
Severity: major
Risk assessments evaluate general risk ('is this a reputable library?') rather than reviewing specific known anomalies — published bugs, CVE entries, errata, and security advisories for the exact version in use. Safety-critical SOUP does not receive enhanced scrutiny.
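As an added illustration (not from this page or from any standard's text), the following constructed Python pass applies the atomic constraints above to an SBOM-style component list and closes the gap just described: known anomalies are matched against the exact version in use rather than the library name alone, class B/C items are flagged for enhanced scrutiny, and lapsed or absent vendor support is recorded as a risk factor. Component names, versions, dates and anomaly IDs are constructed placeholders.

```python
from datetime import date

def parse_version(v):
    """'1.2.10' -> (1, 2, 10): numeric compare ('1.2.10' > '1.2.9' as strings is False)."""
    return tuple(int(p) for p in v.split("."))

# Constructed SBOM-style SOUP entries: names, versions and dates are made up.
COMPONENTS = [
    {"name": "libfoo", "version": "1.2.10", "safety_class": "C",
     "end_of_support": "2025-12-31", "vendor_support": True},
    {"name": "libbar", "version": "0.9.1", "safety_class": "A",
     "end_of_support": "2023-06-30", "vendor_support": False},
]

# Constructed known-anomaly list; IDs are placeholders. Each entry gives the
# affected range [introduced, fixed) so matching is per exact version.
ANOMALIES = [
    {"id": "ANOM-0001", "component": "libfoo", "introduced": "1.2.0",
     "fixed": "1.2.11", "impact": "integer overflow in input parser"},
    {"id": "ANOM-0002", "component": "libfoo", "introduced": "1.3.0",
     "fixed": "1.3.4", "impact": "memory leak under sustained load"},
]

def affects(anomaly, component):
    """True only if the component's exact version lies in the anomaly's range."""
    if anomaly["component"] != component["name"]:
        return False
    v = parse_version(component["version"])
    return parse_version(anomaly["introduced"]) <= v < parse_version(anomaly["fixed"])

def assess_soup(components, anomalies, today_iso):
    """One risk record per SOUP item, in the shape the ISO 14971 risk file needs."""
    today = date.fromisoformat(today_iso)
    records = []
    for c in components:
        records.append({
            "component": f'{c["name"]} {c["version"]}',
            "known_anomalies": [a["id"] for a in anomalies if affects(a, c)],
            # Class B/C contribution calls for enhanced scrutiny and documentation
            "enhanced_scrutiny": c["safety_class"] in ("B", "C"),
            # Inadequate or lapsed support is itself a risk factor to record
            "support_inadequate": (date.fromisoformat(c["end_of_support"]) < today
                                   or not c["vendor_support"]),
        })
    return records

if __name__ == "__main__":
    for r in assess_soup(COMPONENTS, ANOMALIES, "2024-01-15"):
        print(r)
```

Note that libfoo 1.2.10 is caught only because the range check is numeric; a name-only or string-compared review would miss it.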
Evidence signals
- FILE_EXISTS: `SOUP.*Risk|SOUP.*Assessment|Third.*Party.*Risk|Component.*Risk|SOUP.*Evaluation`
- CONTENT_MATCH: Does this document assess the risk of each SOUP or third-party component by evaluating known anomalies (bugs, CVEs, errata), their potential impact on device safety, the adequacy of vendor support, and the component's contribution to safety-critical functions?
Audit defense
The SOUP Risk Assessment for [your product] (Doc ID: [your document ID]) evaluates each third-party component per IEC 62304 section 5.3.3, assessing known anomalies, safety classification contribution, and vendor support adequacy, integrated with our ISO 14971 risk management process.