Engineering Software Licensing

Many teams start software development under IEC 62304 without realizing how early decisions can cause long-term compliance problems. This list of 10 common missteps (and their safer alternatives) offers a practical way to build compliant, maintainable software from day one: 1. Start with software safety classification. Instead of assigning one safety class for the whole system, classify each item individually. Use the standard’s three-question method (IEC 62304 §4.3), and document failure scenarios with a clear rationale. 2. SOUP management is often underestimated. Avoid simply listing third-party components. Instead, analyze specific versions, known anomalies, device requirements, and how you’ll mitigate risks for each one. 3. For requirements traceability, don’t wait until the end to build a matrix or assume tools take care of it. Establish bidirectional traceability early, and link everything: requirements, architecture, tests, risk controls. 4. When planning verification tests, don’t save them for the end. Use the V-model to test each level along the way from architecture down to individual units ideally with real hardware. 5. For documentation, it’s risky to treat IEC 62304 deliverables as a separate effort. Align your templates and tools with the actual development phases. Write while you build (it's very important). 6. Software risk analysis should not live apart from system risk management. Use ISO 14971 and maintain traceability from system hazards to software items, from hazards to harm, and include linked control measures and verification. 7. In configuration management, don’t limit yourself to source code or overcomplicate it. Apply version control across all lifecycle artifacts and streamline changes between development and maintenance. 8. On the testing strategy: rely less on manual testing. Use unit tests for each software unit, add HIL integration, and aim for over 70% regression coverage with automation. 9. For your problem resolution process, move beyond bug tracking. Document criticality, trends, “no action” justifications, and verify regressions properly with sign-off from relevant stakeholders. 10. And finally, agile development is possible with IEC 62304, but not without discipline. Tie user stories to formal requirements. Document as you go. Review for compliance every sprint. Need a clearer starting point for your IEC 62304 documentation? We just released a full template system built to help teams: → Follow a compliant process aligned with IEC 62304/AMD1:2015 → Connect easily with ISO 13485 and ISO 14971 → Organize software documentation by safety class (A, B, or C) → Ensure traceability across requirements, tests, and risk controls → Save time no need to start from a blank page 📚 Our IEC 62304 Template Bundle is now available here : https://lnkd.in/eAB4r65y 14 Word templates in a bundle, ready to adapt and integrate into your QMS.

I bet if your business/organisation has more than 50 employees, you've had people leave and forgot to tell your IT team or external company? At Reformed IT we've seen this all too often. We've taken on new clients and reviewed their Microsoft 365 accounts, as we go through the list of users, we'll hear "Oh, John left months ago, is his account still active?" The impact of this is that; 1) You're probably still paying for licences that you no longer need. 2) You could possibly be billed for this person by your IT partner for support as they don't realise they've left. 3) You're not staying on top of your cyber security risks and if you're Cyber Essentials certified, you're not actually compliant as you should be promptly removing user access when someone leaves. At Reformed IT we've now built some automation into our HaloPSA management system which monitors all our client's inactive 365 accounts (by checking when they last logged in) and creating a task for us to review any inactive accounts. We ensure that every one of our clients is up to Cyber Essentials standards and we always look to implement anything which can automate processes to maintain compliance. This proactive service also reduces costs for our clients, as they won't be paying for licences and support for employees who are no longer with the organisation. The record we've found at a new client is 17 licences being paid for which didn't need to be. This was an immediate cost saving of around £350 per month in Microsoft licenses alone. If you haven't reviewed your licenced/active user list recently, I suggest you put it on your to do list. I bet you find some and wonder why your IT partner didn't pick up on this for you. #microsoft365 #efficiency #automation

GDPR & PDPA Compliance Testing isn’t just a checkbox — it’s your user’s trust at stake. When you build software that collects personal data, your testing strategy needs a serious upgrade. It’s not only about catching bugs anymore — it’s about preventing legal trouble and protecting real people. Test every data flow: how it's collected, stored, shared, and even deleted. Validate consent. Review access controls. Simulate breach scenarios. Ask yourself: can a user really delete their data? Can they access it on demand? Make privacy a feature, not a footnote. Involve legal teams early and treat requirements like product features. And most importantly, don’t wait for a complaint to test what should’ve been tested from day one. Compliance is not a final step — it’s baked into every release. #GDPR #PDPA #QualityAssurance #DataPrivacy #SoftwareTesting #QACommunity

🚨 Salesforce SELA Contracts – Don’t Fall for the Bundling Trap If you're negotiating a Salesforce SELA (Salesforce Enterprise License Agreement), beware: 👉 Bundled pricing might look like a discount—but it often locks you into shelfware and unnecessary products. We’ve seen too many CIOs realize—too late—that their “custom deal” was just a pre-packed bundle with inflated baseline costs. In our latest breakdown, we cover: ✅ How to secure decoupled pricing and maintain flexibility ✅ What to push back on during SELA negotiations ✅ Real-world tactics to avoid overcommitting on products you don’t need 🎥 Watch: Salesforce SELA – Avoiding Bundling Traps and Securing Decoupled Pricing If you're entering renewal talks or facing a multi-cloud lock-in risk, this is essential viewing. #Salesforce #SELA #CloudNegotiation #Procurement #CIO #SaaSContracts #EnterpriseSoftware #VendorManagement #RedressCompliance

Great devices ship when RA and engineering build together 🤝 Regulatory can feel like a moving target for tech teams. The cure is not more paperwork. It is shared structure. Treat compliance as a product feature: clear intended use, clean design inputs, linked risks, and evidence that matches what you claim. When RA sits inside the build loop, teams move faster and avoid late surprises from NBs or FDA. Practical moves that work: ↳ Embed an RA partner in sprint planning and backlog grooming. ↳ Write design inputs with acceptance criteria that cite the rule or standard. ↳ Keep a simple trace matrix that links user needs, risks, tests, and GSPR or 21 CFR clauses. ↳ Schedule quick risk check-ins at every design review. ↳ Freeze claims and IFU language before verification starts. ↳ Run a pre-submission file skim together and fix gaps early.

Last week, a stakeholder asked me ? “Can we track software license usage in real-time… without buying another tool?” It’s a question I hear a lot as a ServiceNow Architect. So I showed them what we could do using Software Asset Management (SAM) within ServiceNow. We connected to SCCM and Azure AD, normalized the software data using the ServiceNow Content Library, and enabled reclamation rules to automatically free up unused licenses. 🎯 The result? We identified $87K worth of underutilized licenses—in 2 days—without any third-party tools. It wasn't just about cost savings. It was about: Enforcing license compliance Automating reclaim processes Giving Procurement real-time insights 💬 Have you used SAM to reclaim unused licenses? What’s your biggest challenge with license optimization? #ServiceNow #SAM #ITAM #DigitalTransformation #LicenseManagement #ITOperations #TechLeadership

💸 𝗟𝘆𝗼𝗻 (𝟮𝗻𝗱 𝗹𝗮𝗿𝗴𝗲𝘀𝘁 𝗰𝗶𝘁𝘆 𝗶𝗻 𝗙𝗿𝗮𝗻𝗰𝗲) 𝗶𝘀 𝘀𝗮𝘃𝗶𝗻𝗴 €𝟭.𝟲𝟱 𝗺𝗶𝗹𝗹𝗶𝗼𝗻 𝗮 𝘆𝗲𝗮𝗿 𝗯𝘆 𝗯𝗿𝗲𝗮𝗸𝗶𝗻𝗴 𝗳𝗿𝗲𝗲 𝗳𝗿𝗼𝗺 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁. Yes, it’s real. And no, it didn’t happen overnight. Jean-Marie Séguret, CIO of Lyon, is leading a radical shift: • 80% of users off Microsoft Office by March 2026 • Replaced with OnlyOffice, Nextcloud, Jitsi, Zimbra • Hosted locally via Territoire Numérique Ouvert • Licensing costs: from €335/user ➝ down to €60 “It took 2 to 3 years of deep work to unbundle the Microsoft stack,” says Séguret. 💡 But this isn’t just about cost savings. It’s about 𝗿𝗲𝗰𝗹𝗮𝗶𝗺𝗶𝗻𝗴 𝗹𝗲𝘃𝗲𝗿𝗮𝗴𝗲. Because when you depend on hyperscalers like Microsoft or Oracle, you don’t negotiate — you renew. Smaller or open-source vendors won’t work 𝘦𝘷𝘦𝘳𝘺𝘸𝘩𝘦𝘳𝘦. Some tools are too embedded. Some use cases too niche. But every time you break away — even just for productivity, hosting, or messaging — you gain: • Room to maneuver • Better roadmap alignment • Actual negotiation power Especially when the next renewal comes with a surprise +30%. 𝗧𝗵𝗶𝘀 𝗶𝘀𝗻’𝘁 𝗮 𝘁𝗲𝗰𝗵 𝘀𝘄𝗶𝘁𝗰𝗵. 𝗜𝘁’𝘀 𝗮 𝗺𝗶𝗻𝗱𝘀𝗲𝘁 𝘀𝗵𝗶𝗳𝘁. Because when a vendor says, “You can’t leave…” That’s often the best time to try. If you’re still signing renewals without comparison, you’re not in control. 𝗪𝗵𝗮𝘁’𝘀 𝘁𝗵𝗲 𝗹𝗮𝘀𝘁 𝗿𝗲𝗻𝗲𝘄𝗮𝗹 𝘆𝗼𝘂 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝗯𝗲𝗻𝗰𝗵𝗺𝗮𝗿𝗸𝗲𝗱 — 𝗮𝗻𝗱 𝗱𝗶𝗱 𝗶𝘁 𝗰𝗵𝗮𝗻𝗴𝗲 𝘁𝗵𝗲 𝗼𝘂𝘁𝗰𝗼𝗺𝗲?

Finally! The EU MDCG has delivered the regulatory clarity we've been waiting for Digital Health and Apps Stores in the EU. The new MDCG 2025-4 Guidance on Medical Device Software Apps officially confirms what many of us have been advocating: Apple and Google are now explicitly classified as Medical Device Software Distributors under EU MDR & IVDR Article 14 because of their Apps Stores. This means both tech giants bear legal liability for medical device software apps distributed through their platforms. No more regulatory grey zone. 𝐖𝐡𝐚𝐭 𝐓𝐡𝐢𝐬 𝐂𝐡𝐚𝐧𝐠𝐞𝐬: For Platform Operators: - Legal responsibility to ensure proper MDR/IVDR compliance before allowing medical device apps on their stores - Obligation to verify manufacturer compliance documentation - Potential liability for non-compliant medical device software distribution For SaMD Developers: - Clearer regulatory pathway with defined distributor responsibilities - no loss of connection to their patients - Reduced compliance uncertainty when launching digital therapeutics - should they use app stores or not? - Platform operators now share accountability in the medical device supply chain - closing the gap on traceability to better protect people from harmful and faulty Digital Health apps. The guidance specifically addresses section 3.2, establishing that major app stores cannot simply act as neutral platforms when distributing medical device software. They're now active participants in the regulatory framework. This development fundamentally shifts how digital health solutions reach patients. Every digital therapeutics company, SaMD developer, and health app creator now operates under a framework where Apple and Google must actively ensure medical device compliance. 𝐓𝐡𝐞 𝐑𝐞𝐚𝐥𝐢𝐭𝐲 𝐂𝐡𝐞𝐜𝐤: While this provides much-needed clarity, implementation will be complex. How will these platforms verify compliance? What review processes will they establish? The next 12 months will be critical as both sides adapt to these new obligations. Would we see the same interpretation in the EU, UK, or AUS? At Complear, we've been preparing for this regulatory evolution. We're developing digital tools to help both platforms and manufacturers navigate these new distributor obligations efficiently. We are witnessing a new era of software accountability, with even Big Tech platforms having to comply with everyone else's rules, and assume their critical role in medical device distribution of Digital Health. #MDCG #MedicalDevices #SaMD #DigitalHealth #MDR #IVDR #RegulatoryCompliance

🚫 Stop Over-Validating Software in Medical Device Quality Systems I continue to see medical device manufacturers struggling with an overly complex approach to software validation. All too often, GAMP® 5—a framework designed primarily for pharmaceutical manufacturing systems—is applied by default. The result? 🔹 Excessive documentation 🔹 Long validation timelines 🔹 High costs with limited added compliance value 👉 Software validation for medical devices should be risk-based. There are established, regulator-recognized tools specifically designed for medical device quality management systems (QMS), including: ISO/TR 80002-2 (software validation for medical devices) and FDA Computer Software Assurance (CSA) guidance. These approaches align with ISO 13485, 21 CFR Part 820, and FDA expectations—while enabling a far more efficient and pragmatic validation strategy. Are these methods as exhaustive as GAMP® 5? No. Are they appropriate, defensible, and compliant for many medical device software applications? Yes. 📊 Recently, I used these approaches to validate: Temperature monitoring system → validation planning completed in 6 hours. Mid-sized ERP system → validation planning completed in 14 hours. The outcome: compliant software validation, reduced effort, and faster deployment—without compromising patient safety or regulatory expectations. If you’re working in Quality Assurance, Regulatory Affairs, CSV, or Digital Transformation and want to modernize your software validation approach, feel free to connect or reach out.