No SOUP for you? Using off-the-shelf software in medical devices

A three-part video that explores the role of SOUP in safety-critical products.

Would you put this
in a medical device?
You can build a perfectly safe railway braking system if you never allow the train to move. And you can build a perfectly safe drug infusion system if you never allow it to infuse anything. But what's the use of that?

In the real world, designers of medical devices and other critical systems have to create products that are both safe and functional. They also have to satisfy time-to-market pressures: A safe system is no good to anyone if you take too long to build it.

To cut development time, manufacturers in many industries use commercial off-the-shelf (COTS) software in their products. But medical manufacturers have been reluctant to follow suit. They worry that COTS means SOUP — software of uncertain provenance. And SOUP can make a mess of safety claims, not to mention approvals by the FDA and other agencies.

Or perhaps not. When it comes to SOUP, my colleague Chris Hobbs argues for a nuanced approach. He states that if manufacturers distinguish between opaque SOUP (which should be avoided) and clear SOUP (for which source code, fault histories, and long in-use histories are available), they will discover that COTS software is, in many cases, the optimal choice for safety-related medical devices.

Chris isn't a lone voice crying in the wilderness. He notes, for example, that IEC 62304, which is becoming the de facto standard for medical software life-cycle processes, assumes manufacturers will use SOUP.

Enough from me. Check out this three-part video in which Chris explores the ingredients that can make SOUP the right choice for a medical software design:

Part 1

Part 2

Part 3

Webinar alert
Yesterday, Chris and his colleague Justin Moon presented a webinar on this very topic. If you missed it, no worries: It should soon be available for download through the QNX webinar page.


Fergal Glynn said...

Good post. I thought you might also be interested in these two assets on Software of Unknown Pedigree http://www.veracode.com/security/software-of-unknown-pedigree and http://www.veracode.com/blog/2013/01/global-enterprises-serve-up-risky-s-o-u-p-infographic/

Paul N. Leroux said...

Love the graphics. I assume this solution is more focused on IT systems than on medical devices, yes?