In many industries, manufacturers have reduced
development times by using COTS (commercial-off-
the-shelf) software and hardware in their products.
Pressures to bring new, feature-rich products to
market quickly affect medical device manufacturers
as much as anyone, but the industry may be
reluctant to follow suit due to well-justified concerns
that COTS implies SOUP (software of uncertain
provenance), and thus may compromise device
safety and pre-market approval by the FDA and
other regulatory agencies.
While we should indeed exercise diligence and
caution when considering COTS software for medical
devices, neither the IEC 62304 “software for medical
devices” standard, nor the demands of functional
safety preclude its use. In fact, COTS software may
be perfectly acceptable, given stringent selection
criteria, and appropriate and equally stringent
validation of the completed systems and devices. If
we make the fine but critical distinction between
opaque SOUP (which should be avoided) and clear
SOUP, that is, SOUP for which source code, fault
histories and long in-use histories are available, we
will find that COTS software may be the optimal
choice for many safety-related medical devices.
