SOUP Assessment Form
Built for Medical Device Teams.
Stop starting from scratch. A professionally structured, audit-ready template for documenting Software of Unknown Provenance — so your team can move fast without sacrificing compliance.
What’s Inside
Every section your QMS team needs.
The form maps directly to IEC 62304 requirements and covers the full lifecycle of a SOUP item — from identification through post-market surveillance.
§ 1 SOUP Identification
Capture name, version, vendor, license type, and source. Structured for CVE database traceability and version control from day one.
§ 2 Intended Use & Requirements
Define functional, performance, and system requirements per IEC 62304 Cl. 5.3.3. Pre-filled examples like REQ-SOUP-01 and REQ-PERF-01 guide your team instantly.
§ 3 Risk & Anomaly Assessment
Document known bugs, perform cybersecurity CVE reviews, and classify your SOUP item as Class A, B, or C. Aligned with IEC 62304 Cl. 7.1.2.
§ 4 Verification Strategy
Define how you’ll prove SOUP meets requirements. Treat it as a black box: the template structures your interface testing approach per IEC 62304 Cl. 5.3.4.
§ 5 Post-Market Surveillance
Monitoring plan, responsible roles, update strategy, vendor support level, and obsolescence risk assessment. Stay covered for the device’s full lifetime.
✓ Approvals Block
Ready-to-use sign-off section with fields for roles, dates, and signatures — compatible with your existing QMS workflow.
Why teams use this template over DIY.
Medical device software audits are unforgiving. A missing field or misclassified SOUP item can derail a submission. This form eliminates guesswork.
- Guidance text included per section — no interpretation gaps
- Example entries show exactly what level of detail auditors expect
- Covers both Open Source and Commercial Off-the-Shelf (COTS)
- Editable .docx — drop into your existing QMS or DMS
- Class A, B, C safety classification built in
- Cybersecurity CVE review checklist included
What People Say
Trusted by MedTech teams.
“We were scrambling to put SOUP documentation together before an FDA submission. This template saved us at least two days of work and the auditor had zero questions about our SOUP section.” — Quality Engineer, Class II Device Manufacturer
“The pre-filled examples for functional and performance requirements made it so much easier to train new engineers on what level of detail we need. Worth every cent.” — Regulatory Affairs Lead, EU MDR Submission Team
Pricing
One template. One team. One time.
No subscriptions. No per-seat fees. Purchase once and use across your entire organisation.
SOUP Assessment Form
one-time · team license
- Full .docx template (editable)
- IEC 62304 Cl. 5.3.3 & 7.1.2 coverage
- Pre-filled guidance & examples
- CVE cybersecurity review checklist
- Class A/B/C risk classification section
- Post-market surveillance plan section
- Approvals block ready for sign-off
- Instant download after purchase
Secure checkout · instant .docx delivery
SOUP Assessment Guide
What is a SOUP Assessment and why does it matter?
A SOUP assessment — Software of Unknown Provenance assessment — is a mandatory process under IEC 62304 for any medical device that incorporates pre-existing software components. Whether your device uses open-source libraries, commercial SDKs, or off-the-shelf algorithms, each must be formally evaluated before it can be used in a regulated product.
The standard requires teams to document what the SOUP must do (functional and performance requirements), assess known anomalies and cybersecurity vulnerabilities, classify the software by safety class (A, B, or C), define a verification strategy, and maintain surveillance over the software’s lifetime.
Failure to conduct a thorough SOUP assessment is one of the most common audit findings in FDA 510(k) submissions and EU MDR technical files. A structured template ensures nothing is missed.
Core SOUP Assessment Methods (IEC 62304)
- Name, version, vendor, source, and license — the foundation for CVE tracking and version control.
- Functional, performance, and system requirements define exactly what the SOUP must deliver.
- Known bugs, CVE cybersecurity review, and Class A/B/C safety classification.
- Black-box interface testing strategy plus ongoing CVE monitoring and update planning.
FAQ
Common SOUP Assessment Questions
What is a SOUP assessment in medical device software?
A SOUP assessment (Software of Unknown Provenance assessment) is a structured evaluation required by IEC 62304 for any pre-existing software used in a medical device — including open-source libraries, commercial SDKs, and off-the-shelf algorithms. It documents what the software must do, what risks it introduces, how compliance is verified, and how it will be monitored post-market.
What SOUP assessment methods does IEC 62304 require?
IEC 62304 requires several SOUP assessment methods: defining functional and performance requirements (Cl. 5.3.3), reviewing known anomalies and performing a CVE cybersecurity assessment (Cl. 7.1.2), determining the SOUP safety class (A, B, or C), establishing a black-box verification strategy (Cl. 5.3.4), and maintaining a post-market surveillance plan for the lifetime of the device.
Does this cover both open-source and commercial (COTS) SOUP?
Yes. The template is designed to handle Software of Unknown Provenance from any source — open source libraries, third-party SDKs, and Commercial Off-the-Shelf (COTS) software. The anomaly and risk assessment sections guide you through both public issue trackers (for open source) and vendor release notes (for commercial software).
Which regulatory standards does this SOUP assessment form align with?
The form is structured around IEC 62304 requirements — specifically Clauses 5.3.3 (intended use and requirements), 7.1.2 (anomaly and risk assessment), and 5.3.4 (verification strategy). It is also consistent with FDA expectations for SOUP documentation in 510(k) and PMA submissions, and EU MDR technical file requirements.
What file format is the SOUP assessment template?
The SOUP Assessment Form is delivered as an editable Microsoft Word (.docx) file. It works in Word, Google Docs, and LibreOffice — and can be dropped directly into your existing QMS or document management system.
Can I customise it for our company’s QMS?
Absolutely. The .docx format makes it straightforward to add your logo, adjust section numbering to match your existing document control system, or modify fields to fit your internal terminology and document templates.
Is this a one-time purchase for our whole team?
Yes. The $49 price is a one-time, organisation-wide license. No per-seat fees, no renewals, no subscriptions. Use it across as many SOUP assessments and team members as you need.