Licensed to be used in conjunction with basebox, only.
basebox Compliance Documents - Overview
Introduction
basebox is an off-the-shelf (OTS) software product that provides an effective and efficient solution for Medical Device manufacturers building databases to their own needs. Although most OTS software manufacturers do not publish their technical documentation, basebox wants to establish trust and support compliance on the customer side by being transparent. That is why the technical documentation of basebox is published as applicable for an OTS component. Documents which refer to intellectual property or which are of a sensitive nature (like detailed security information) are not published but can be audited after consultation with the company.
The table below lists the content of a technical documentation file that a medical device manufacturer must submit to the authority before placing a Medical Device on the market. It is based on the "Document Roadmap TechDoc" as proposed by openregulatory.com (supplemented by some cybersecurity elements). This structure is used to provide a cross-reference to documents which are available for basebox; documents which are not applicable for the OTS Software are labeled N/A.
PHASE 1: Planning and Feasibility
Technical Document | Applicable for basebox? | Comment | basebox Document |
---|---|---|---|
Document Roadmap | Y | This table of contents for the basebox Technical Documentation | None |
Intended Use | Y | Although basebox is not a Medical Device, this document provides some insight concerning the purpose and uniqueness of the basebox solution. The standards and guidance documents considered are also listed. | basebox Intended Use |
Medical Device Classification | N/A | basebox is not a Medical Device | None |
Product Roadmap | N/A | Only relevant for management and resource planning | None |
Software Development and Maintenance Plan | Y | Gives product-specific information on the tools, resources and methods to be used for software development. | (provided per customer request) |
Change Evaluation List | N/A | First release of basebox | None |
Risk Management Plan and Risk Acceptance Matrix | N/A | Since basebox is an OTS, it has no Intended Use (which specifies the actual medical purpose, that is, which disease or injury a Medical Device can diagnose, treat or monitor). The risk analysis focuses on the Intended Use of a medical device; that is why a risk analysis cannot be created for basebox. | None |
Clinical Evaluation Plan | N/A | See above | None |
PHASE 2: Specification
Technical Document | Applicable for basebox? | Comment | basebox Document |
---|---|---|---|
User Needs | Y | The user needs are documented in the software specification and architecture document. | basebox User Needs, Software Requirements Specification and Architecture Description |
Software Requirements | Y | The software requirements are derived from the user needs and specify how user needs will be incorporated in the software, describing the details of a feature. They are related to and kept along with the architecture of basebox, which establishes traceability among user needs, software requirements and the functional architecture. | |
Software Architecture | Y | | |
Security Requirements | | The software requirements specification contains fundamental security requirements. The threat model identifies further detailed security requirements. | |
 | | An overview of the cybersecurity concepts and methods which are applied during the design and development of basebox is provided in this referenced document. | basebox Cybersecurity Overview and Guidance |
Threat Model | Y | Provides a systematic security risk analysis based on the architecture, potential vulnerabilities and threats, and evaluates their impact on assets and risk. This document is not published due to its sensitive nature but can be audited after consultation with the company. | basebox Threat Model (not published) |
Risk Table | N/A | Refer to the rationale for Risk Management Plan and Risk Acceptance Matrix. | no ref |
Software Testing Overview | Y | This document provides an overview of the test concept and all test activities which are performed to verify basebox. | Basebox Testing Overview |
Usability Test Plan | N/A | basebox does not provide an interface for end users of a Medical Device. | no ref |
PHASE 3: Development
Technical Document | Applicable for basebox? | Comment | basebox Document |
---|---|---|---|
SOUP List / SBOM | Y | During each integration run of a basebox version, an SBOM is created automatically. The SBOM can be exported in formalized formats such as SPDX and can be delivered to the customer on request. | (provided per customer request) |
Known vulnerabilities | Y | Based on the analysis of known vulnerabilities for the components identified in the SBOM. This analysis is of a sensitive nature but can be audited or will be provided after consultation with the company. | (provided per customer request) |
PHASE 4: Verification and Validation
Technical Document | Applicable for basebox? | Comment | basebox Document |
---|---|---|---|
Software Test Results | Y | Results of the Software Tests: passed or failed. | Basebox Testing Overview |
Security test results | Y | Results of the security tests (including pen tests) as provided by a third-party test lab. | EXECUTIVE REPORT Pentest basebox |
List of Known Anomalies | Y | All known bugs or anomalies are resolved before any release; that is why there is no list of known anomalies. | EXECUTIVE REPORT Pentest Basebox |
Instructions For Use | Y | Instructions for Use | https://docs.basebox.io |
Usability Test Protocol | N/A | basebox is not a Medical Device and has no user interface for end users. | no ref |
Usability Test Report | N/A | basebox is not a Medical Device and has no user interface for end users. | no ref |
Clinical Evaluation Report | N/A | basebox is not a Medical Device | no ref |
Risk Management Report | N/A | basebox is not a Medical Device. Refer to the rationale in the Risk Management Plan entry. | no ref |
PHASE 5: Product Release
Technical Document | Applicable for basebox? | Comment | basebox Document |
---|---|---|---|
General Safety and Performance Requirements List | N/A | basebox is not a Medical Device | no ref |
PMS (/PMCF) Plan | Y | Plan for the product-specific activities for Post-Market Surveillance. Customer complaints can be submitted by opening a ticket here: | basebox Contact Page |
MDS2 Form | Y | The Manufacturer Disclosure Statement for Medical Device Security (MDS2) is used to communicate crucial security-related information to customers. | (provided per customer request) |
 | | Note: Security guidance for customers is provided herein. | basebox Cybersecurity Overview and Guidance |
Release Notes | Y | Description of the features of the current release. Includes security requirements for customers and other stakeholders. | README.md CHANGES.md |
Declaration of Conformity | N/A | basebox is not a Medical Device. To be provided by Medical Device Manufacturer. | no ref |
Template Copyright openregulatory.com