R-TF-029-001 — Deployment & Configuration Commissioning Record
Document Control
- Record ID: R-TF-029-001
- Template Reference: T-029-001 — Deployment & Configuration Commissioning
- Device: Legit.Health Plus
- Record Type: Commissioning Record
- Lifecycle Phase: Release / Commissioning
- Standard(s): ISO 62304, ISO 82304-1
Release and Identification
Regulatory objective: Establish traceability between the approved software release baseline and the deployed production instance (ISO 62304 §5.8).
| Item | Value |
|---|---|
| Device name | Legit.Health Plus |
| Software version | 1.1.0.0 |
| Internal release identifier | 1.1.0.0 |
| Deployment date | Pending |
| AWS region | eu-west-3 |
| AWS account identifier | 949243942475 |
Deployment Environment Verification
Regulatory objective: Confirm that the software has been deployed in the intended and controlled production environment and that the deployment boundary matches the approved deployment model (ISO 82304-1 §7.3 intent).
Declared production environment (as commissioned):
- Compute environment: EC2 instance
- Instance name: Legit.Health Plus
- Instance type: g4dn.xlarge
- Deployment type: Production-only
Commissioning verification performed:
- Confirmed that the production environment identifiers (AWS account + region) match the approved production target.
- Confirmed that the services required for device operation were deployed in the declared production environment.
Evidence reference(s): EV-001 (environment identifiers), EV-002 (service status snapshot)
Container Image Verification
Regulatory objective: Confirm that the deployed software corresponds exactly to the released software baseline (ISO 62304 §5.8).
Verification method (controlled):
- Container images were sourced exclusively from approved Amazon ECR repositories.
- Deployed image identity was confirmed using immutable identifiers (image digests) or equivalent release-lock mechanism.
| Service / component | ECR repository | Image tag | Image digest (sha256) | Verification result | Evidence reference |
|---|---|---|---|---|---|
| API | Pending | Pending | Pending | Pending | EV-003 |
| Control Plane | Pending | Pending | Pending | Pending | EV-003 |
| Report Builder | Pending | Pending | Pending | Pending | EV-003 |
| Report Exporter | Pending | Pending | Pending | Pending | EV-003 |
| Expert services | Pending | Pending | Pending | Pending | EV-003 |
Execution note: Image digests and repositories are filled at deployment execution time and become part of the release evidence set.
Configuration Baseline Verification
Regulatory objective: Confirm that runtime configuration is complete, controlled, and appropriate for production use (ISO 82304-1 §7.3 intent), establishing a baseline for maintenance.
Configuration management mechanisms:
- Environment variables
- AWS Systems Manager Parameter Store
- AWS Secrets Manager
Configuration assertions (verified):
- No hard-coded credentials exist in application code or container images.
- All secrets are externalized and injected at runtime.
- No feature flags are enabled for this release; regulated product scope is fully active.
Baseline reference (to be used for reproducibility):
- Configuration baseline identifier: Pending (e.g., parameter path/version, secrets version, IaC reference, or release manifest reference)
Evidence reference(s): EV-004 (configuration baseline reference), EV-005 (secrets externalization confirmation)
Security Configuration Verification
Regulatory objective: Confirm that safety-relevant security controls required for intended operation are active in the production environment (ISO 82304-1 §5.6 intent; operational environment readiness).
Security controls verified:
- TLS termination enabled via CloudFront using ACM-managed certificate.
- Authentication enforced on protected endpoints using JWT bearer tokens.
- Service-to-AWS access controlled via IAM roles associated with the execution environment; no embedded AWS keys in code.
Evidence reference(s):
- EV-006 (TLS/CloudFront configuration reference)
- EV-007 (auth enforcement confirmation)
- EV-008 (IAM role assignment reference)
External Dependency Availability
Regulatory objective: Confirm availability of external dependencies required for intended operation at commissioning time.
Verified at commissioning time:
- S3 model artifact buckets reachable and readable by execution roles.
- DynamoDB tables reachable and writable by execution roles for audit logging.
- ECR repositories reachable for image retrieval.
Evidence reference(s): EV-009 (dependency reachability checks), EV-010 (permission confirmation)
Deployment Deviations
Regulatory objective: Ensure transparency of deviations identified during commissioning.
☑ No deviations were identified during deployment and configuration commissioning.
(If deviations occur: record deviation ID, impact assessment, resolution, and evidence reference.)
Deployment Acceptance
Regulatory objective: Formally confirm that deployment and configuration commissioning requirements have been satisfied.
Acceptance statement: The deployed software instance corresponding to release 1.1.0.0 has been verified to be correctly installed, configured, and secured in the intended production environment and is accepted for operational use.
Record Status
This commissioning record establishes the deployed configuration baseline for maintenance and future releases in accordance with ISO 62304 and ISO 82304-1.
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001