[1] In the medical device development standard IEC 62304, SOUP expands to software of unknown provenance. In some contexts "uncertain" is used instead of "unknown", but any combination of unknown/uncertain and provenance/pedigree refers to the same concept, and all share the same abbreviation.
A risk that SOUP poses is that it cannot be relied upon to perform safety-related functions, and it may prevent other software, hardware or firmware from performing their safety-related functions.
Addressing the risk involves insulating the safety-involved parts of a system from potentially undesirable effects caused by the SOUP.
[2] Rather than prohibiting SOUP, additional controls are often imposed to mitigate risk.
Practices may include static program analysis and review of the vendor's development process, design artifacts, and safety guidance.