BioFlow Requirements
System Requirements

UID: DOC-SYS
SYS-001
reviewed 1. First-launch readiness for local enrolment
UID: SYS-001
RELATIONS (Child):
STATEMENT:

When the device is opened on a workstation that has no pre-existing BioFlow data directory, a default local clinic shall be present and immediately available for the clinician to attach newly-enrolled patient records, without requiring the clinician to first create or configure a clinic record manually.

RATIONALE:

Stakeholder commitment: clinicians installing the device on a fresh workstation expect to enrol their first patient within minutes of starting the application, without learning a separate clinic-management workflow as a prerequisite. Auto-provisioning a default local clinic removes that friction.

TYPE:

functional

ACTIVE:

true

REVIEWED_HASH:

c22a517f428da0e422be230bae3d28a2b6c6f69e823c99a130b08e26cedb6c22

REVIEWED_BY:

@DougYoungberg

SYS-002
unreviewed 2. Confidentiality of patient data at rest
UID: SYS-002
RELATIONS (Child):
STATEMENT:

The device shall keep clinic, patient, clinical-user, recording, and audit-log data stored on the local workstation confidential against any party gaining access to the workstation's filesystem without the operator's BioFlow credentials.

RATIONALE:

BioFlow workstations are deployed in clinical environments where multiple staff and IT roles share physical access, and the local data store carries identifiable patient records. HIPAA Security Rule §164.312(a)(2)(iv) (encryption of ePHI at rest) and GDPR Art. 32(1)(a) (encryption as an appropriate technical safeguard) require that filesystem-level access does not yield readable PHI on its own.

TYPE:

regulatory

STANDARD_REF:

45 CFR §164.312(a)(2)(iv); GDPR Art. 32(1)(a)

ACTIVE:

true