COTS and SOUP

Commercial off-the-shelf (COTS) software gets quite a bad press in the safety-critical systems world (public transport, nuclear power, etc.), as many think that general-purpose software produced by the likes of Microsoft and Google does not meet the quality standards that they expect or require. But is this criticism really justified?

International standard IEC 62304:2006 (Medical device software - life cycle processes) introduced the term 'software of unknown provenance' (SOUP) to describe software that "had not been specifically designed for incorporation into a medical device, OR software for which adequate records of the development process are not [publicly] available". For obvious commercial reasons, big companies like Microsoft seldom make their development processes public, but that does not mean that the software produced is not developed to a high standard.

It is actually quite attractive for medical device manufacturers to use OTS software components (either proprietary or open source) as the software is generally "tried and tested" and has probably gone through several post-release improvement cycles. However - and here's the rub - the medical device manufacturer is legally liable if the software in the device subsequently fails, so it is the developer's responsibility to ensure that OTS components are of the required standard. Helpfully, IEC 62304 outlines the checks that need to be done by the manufacturer to provide this assurance.

Although still in the minority, a few industry observers have recently argued that the apparent distrust of SOUP is misplaced and that, with a few provisos, it actually represents a sound basis for the development of SaMD. There is a detailed discussion of the use of SOUP in the design of medical device software in the book mentioned on the Publications page.

Note: The modern notion of a Software Bill of Materials (SBOM) is closely related to that of SOUP.
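One practical way to see the SOUP/SBOM relationship is to derive a SOUP register from an SBOM and flag the components whose provenance is incomplete. The script below is an added example, not code from this page or from any standard: it reads a constructed CycloneDX-style JSON SBOM and reports, per component, whether the record carries a title, a unique designator (version), a manufacturer/supplier, a strong integrity hash and a licence. Which fields count as "adequate records" is an assumption made for the example, not a quotation of IEC 62304; the component names, versions and hashes are made up.

```python
"""Derive a SOUP register from a CycloneDX-style SBOM and flag provenance gaps.

Example code added to illustrate the SOUP/SBOM relationship; it is not the
page's own code. The fields checked (title, manufacturer, unique designator,
integrity hash, licence) are an assumption about what a SOUP register should
record, not a quotation of IEC 62304.
"""
import json

# Constructed sample SBOM (CycloneDX 1.5-like JSON); all component data is made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "sqlite", "version": "3.45.1",
         "supplier": {"name": "SQLite Consortium"},
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "blessing"}}]},
        {"type": "library", "name": "vendor-crypto", "version": "2.0",
         "hashes": []},                              # no supplier, no hash, no licence
        {"type": "library", "name": "legacy-ui"},    # not even a version recorded
    ],
})

# Hash algorithms accepted as integrity evidence (an assumption for this example).
STRONG_HASH_ALGS = {"SHA-256", "SHA-384", "SHA-512"}


def soup_register(sbom_json: str) -> list[dict]:
    """Return one register entry per SBOM component, each with its list of gaps."""
    sbom = json.loads(sbom_json)
    register = []
    for comp in sbom.get("components", []):
        gaps = []
        if not comp.get("name"):
            gaps.append("missing title")
        if not comp.get("version"):
            gaps.append("missing unique designator (version)")
        if not comp.get("supplier", {}).get("name"):
            gaps.append("missing manufacturer/supplier")
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if not algs & STRONG_HASH_ALGS:
            gaps.append("no strong integrity hash")
        if not comp.get("licenses"):
            gaps.append("no licence recorded")
        register.append({
            "title": comp.get("name", "<unnamed>"),
            "designator": comp.get("version", "<none>"),
            "manufacturer": comp.get("supplier", {}).get("name", "<unknown>"),
            "gaps": gaps,
        })
    return register


def unknown_provenance(register: list[dict]) -> list[str]:
    """Titles of components whose record is incomplete, i.e. SOUP needing follow-up."""
    return [entry["title"] for entry in register if entry["gaps"]]


if __name__ == "__main__":
    reg = soup_register(SAMPLE_SBOM)
    for entry in reg:
        status = "OK" if not entry["gaps"] else "; ".join(entry["gaps"])
        print(f"{entry['title']:14} {entry['designator']:8} "
              f"{entry['manufacturer']:20} {status}")
    print("needs provenance follow-up:", unknown_provenance(reg))
```

Run against a real SBOM, the "gaps" column is the starting point for the manufacturer's own checks: a component with no supplier or version cannot be matched against a published anomaly list, and one with no hash cannot be shown to be the artefact that was actually evaluated.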

This page was last updated: 23 Sept 2025