Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • Legit.Health Plus Version 1.1.0.0
    • Index
    • Overview and Device Description
    • Information provided by the Manufacturer
    • Design and Manufacturing Information
    • GSPR
    • Benefit-Risk Analysis and Risk Management
    • Product Verification and Validation
      • Software
        • R-TF-012-023 Software Development Plan
        • R-TF-012-033 Software Test Plan
        • R-TF-012-034 — Software Test Description
        • R-TF-012-035 Software Test Report
        • R-TF-012-038 Verified Version Release
        • EN 62304 Checklist
        • EN 82304 Checklist
      • Artificial Intelligence
      • Cybersecurity
      • Usability and Human Factors Engineering
      • Clinical
      • Commissioning
    • Post-Market Surveillance
  • Legit.Health Plus Version 1.1.0.1
  • Legit.Health Utilities
  • Licenses and accreditations
  • Applicable Standards and Regulations
  • Pricing
  • Public tenders
  • Legit.Health Plus Version 1.1.0.0
  • Product Verification and Validation
  • Software
  • R-TF-012-033 Software Test Plan

R-TF-012-033 Software Test Plan

Change history​

VersionDateAuthorReviewerApproverSummary of change
0.12025-12-18Gerardo Fernández Moreno (JD-007)TBDTBDInitial draft aligned to TestRail-governed, requirements-driven verification.
0.22025-12-18Gerardo Fernández Moreno (JD-007)TBDTBDAudit-oriented strengthening: objective acceptance criteria, evidence/records rigor, change control clarifications, execution governance, and removal of ambiguous placeholders.

Purpose​

This Software Test Plan defines the verification strategy, governance, execution approach, and evidence records for the medical device exposed as a versioned HTTPS API. The plan is requirements-driven and provides complete traceability to the software requirements baseline, with execution evidence managed through TestRail and supporting CI/CD artifacts.

The objectives of this plan are to:

  • Define the verification approach (test levels, test types, gating, regression strategy) for the API medical device.
  • Specify how each software requirement is verified, including objective pass/fail criteria and required evidence.
  • Establish traceability from requirements to test cases and test execution records.
  • Define how test records are generated, reviewed, retained, and presented as regulated evidence.

Scope​

In scope​

  • Verification of all requirements in the approved requirements baseline (functional, security, performance, reliability, data integrity, and operational/commissioning requirements).
  • Verification of externally exposed API behaviors and contracts, including:
    • GET /device/health, GET /device/about
    • GET /clinical/severity-experts
    • POST /login
    • POST /clinical/diagnosis-support, POST /clinical/severity-assessment
  • Verification of security and cybersecurity controls such as TLS enforcement, authentication/authorization behaviors, rate limiting, and audit trail behaviors.
  • Performance verification under nominal load.

Out of scope​

  • Clinical validation or clinical performance claims of AI/ML outputs against ground truth datasets (handled under separate clinical evaluation/validation protocols).
  • UI-level testing (no UI is in scope for an API-only device).
  • Non-product tooling verification except where required to establish objective evidence capture (e.g., CI artifact generation, exports).

Test management system and governance​

Tool confidence (TestRail and CI evidence pipeline)​

The control of testing evidence is divided into distinct workflows to maintain a clear audit trail for version 1.1.0.0:

  • Development Verification (Unit & Integration): These tests are executed locally. The resulting logs and a generated manifest file are uploaded manually to the 01_development_verification/ folder in S3.
  • Software Verification: Test cases are defined and indexed in TestRail. Execution occurs on the Preproduction server, with results linked from TestRail to the 02_software_verification/ folder in S3.
  • Commissioning: These environment-specific tests are managed via TestRail and executed in the Production environment. Evidence is stored in the 03_commissioning/ folder in S3.

To ensure the integrity of the manual upload process and the completeness of the release, a Manual Manifest Check is performed before final sign-off. This check confirms that all logs are present in the versioned S3 repository, matched against the manifest files, and that all TestRail-indexed activities contain valid links to their corresponding S3 objects.

s3://legit-health-plus/software-tests/v1.1.0.0/
├── 01_development_verification/
│   ├── unit_tests/                 <-- Local run logs + Manifest
│   └── integration_tests/          <-- Local run logs + Manifest
├── 02_software_verification/
│   └── preproduction/
│       └── test_plan_13/           <-- Requirement-based tests (from TestRail)
│           └── test_run_105/
├── 03_commissioning/
│   └── production/
│       └── test_plan_15/           <-- Environment/Deployment tests (from TestRail)
│           ├── test_run_274/
│           └── test_run_276/
└── manifest.json                   <-- Root manifest indexing all 3 folders

TestRail project structure​

  • Project: Medical Device
  • Suite: single suite (regulated baseline)
  • Sections (as implemented):
    • API
      • System Info
    • Diagnosis Support
    • Clinical Signs
    • Image metadata
    • Security
    • Report builder
    • Performance
    • Audit
    • Commissioning

Stable identifiers​

  • Primary Requirement Id field is authoritative and shall match the requirement code in the requirements baseline.
  • Execution identity for a run is captured via:
    • version (TestRail run custom field)
    • Run naming convention including commit_sha
    • Evidence pack manifest including the immutable build identity tuple (release tag, commit SHA and image digest when applicable)

version follows the four-digit scheme (W.X.Y.Z) defined in GP-012: X is the major increment (W is reserved for exceptional, fundamental changes), Y is the minor increment, and Z captures bug fixes and patches.

Custom fields (as implemented)​

Note on field naming

The field identifiers used in this plan (e.g., requirement_ids, primary_requirement_id, evidence_required) refer to the internal field names/keys in TestRail. The human-readable labels in the TestRail UI/export may differ. Where needed for audit/readability, a mapping between internal keys and UI labels is maintained in the TestRail administration configuration.

Test Cases​

  • requirement_ids (one per line; may include multiple; must include the authoritative RequirementID(s))
  • primary_requirement_id (single primary RequirementID for reporting)
  • test_level (Unit / Integration-Service / System-API / Commissioning)
  • test_type (Functional / Security / Performance / Reliability / Data Integrity / Installation-Maintenance)
  • automation (Automated / Manual / Hybrid)
  • nrt (Non-Regression Test membership)
  • risk_link (link to hazard/risk control IDs; if available)
  • evidence_required (explicit evidence expectations; minimum evidence is defined in “Test execution, data recording, and evidence pack”)
  • expected_results (objective pass/fail criteria; must be specific and measurable)
  • preconditions (list that must be met before execution)

Test results​

  • version (four-digit tag, e.g., vW.X.Y.Z)

Naming conventions​

Test Cases​

  • Title states what is going to be verified.
  • The requirement_ids and primary_requirement_id fields must include RequirementIDs exactly as in the requirements baseline.

Test Runs​

Test Plans vs Test Runs (TestRail)
  • A "Test plan" is a container that groups multiple "Test Runs" under a single controlled verification activity for a specific build and environment (e.g., a given {release_version}, {commit_sha}, and {env_id}).
  • A "Test Run" is the execution record where test case results (pass/fail/blocked), execution notes, and evidence are recorded for a defined scope and purpose (e.g., {run_purpose} such as Smoke, Regression, Performance, Commissioning).
  • In this test process, the "Plan" represents the overall verification campaign for a build/environment, and each "Run" represents one execution slice within that campaign.
  • Plan name: Medical Device API {release_version} (sha:{commit_sha}) — Verification Plan — {env_id}
  • Run name: Medical Device API {release_version} (sha:{commit_sha}) — {run_purpose} — {env_id}
  • {env_id} is one of: Dev / Pre / Pro.

Minimum required metadata to be present (either as run fields, run name, or in the evidence pack manifest):

  • release version
  • commit SHA
  • environment ID

Change control for test cases​

Test cases are treated as regulated records; any edits to approved cases must be controlled, traceable, and justified. To ensure the integrity of the verification process for version 1.1.0.0, the following controls are enforced:

  • Reviewer Assignment: Every test case includes a dedicated Reviewer field and a Review Status (Draft, In Review, Approved). No test case may be executed for regulated evidence until its status is set to Approved.
  • Independence of Review: To mitigate bias, the Reviewer assesses the test steps for accuracy and alignment with software requirements. For small-team configurations, the technical lead (CTO) may perform this review, provided the justification is documented in the final report to acknowledge the team-size constraint while maintaining clinical safety oversight.
  • Freezing during execution: During an active verification campaign, test cases are frozen. Fixes for minor errors in test steps are handled as controlled updates and require a recorded justification in TestRail.
  • Substantive Changes: Modifications that change the test objective, pass/fail criteria, or requirement coverage require a formal revision and a new Reviewer approval before execution.
  • Evidence Consistency: Evidence requirements (evidence_required) are mandatory acceptance criteria. These must be strictly mapped to the S3 Evidence Pack structure (folders 01 through 03) and verified against the root manifest file to ensure a complete and untampered record of results.

Requirements taxonomy and verification strategy​

Test levels (where executed)​

  • Unit: Development Environment. Fast verification of pure functions and internal logic. Logs are manually uploaded to S3 (01_development_verification/unit_tests/).
  • Integration-Service: Development Environment. Service-to-service and persistence integration. Logs are manually uploaded to S3 (01_development_verification/integration_tests/).
  • System-API: Preproduction Environment. End-to-end API contract, workflows, security controls, and response schema verification. Results are indexed in TestRail and evidence is stored in S3 (02_software_verification/).
  • Commissioning (Production)
    • Purpose: Operational verification of the deployed production release (installation, readiness, and security controls).
    • Inputs: Controlled, non-identifying test data only.
    • Execution: Restricted to approved personnel.
    • Record: Commissioning outcomes are documented in controlled commissioning records:
      • R-TF-029-001 (Deployment & Configuration)
      • R-TF-029-002 (Functional & Interface)
      • R-TF-029-003 (Clinical Workflow & Operational Readiness)
    • Indexing: A dedicated TestRail Run with test_level = Commissioning is used to index execution results and provide direct links to evidence in S3 (03_commissioning/)

Entry and exit criteria (minimum)​

Entry (before executing regulated evidence runs):

  • Requirements baseline is approved and versioned.
  • Test cases are reviewed and set to Approved status in TestRail.
  • Target environment and build identity are defined (Release Version: 1.1.0.0, Commit SHA).

Exit (release verification complete):

  • All required runs for the release/environment are executed (Unit/Integration + Preproduction Verification + Production Commissioning).
  • Any failed cases have linked defect records, disposition, and documented re-test where applicable.
  • Evidence Pack Integrity: S3 Evidence Pack is complete (Folders 01, 02, and 03) and includes the root manifest.json binding all results to the build identity.

Commissioning records (R-TF-029-001/002/003)​

Commissioning in Production follows the structure of the R-TF-029 records to ensure regulatory compliance.

  • Granularity rule: TestRail commissioning test cases are defined to match the main verification sections of the R-TF-029 records (e.g., “AI/ML Model Runtime Availability”).
  • Evidence rule: Each TestRail result links to the relevant section of the R-TF-029 record and the corresponding S3 object.
  • Baseline identification: Baseline identity is recovered from the manifest.json and includes the release version, commit SHA, and local container image IDs built via Bazel.

Test types (how classified)​

  • Functional: API behavior, workflow orchestration, report content.
  • Security: TLS, JWT Authentication, and Audit controls.
  • Performance: API latency verification (e.g., p95 latency < 10s under nominal load per Case C416).
  • Reliability: Availability and operational readiness checks.
  • Data Integrity: Schema constraints, EXIF stripping, and audit completeness.
  • Installation: Deployment environment verification and model loading.

Gating and regression strategy​

  • Development Gate:
    • Unit and Integration tests pass locally.
    • Logs and local manifest are uploaded to S3 Folder 01.
  • Release Candidate (Preproduction):
    • Execute System-API verification runs in TestRail (Folder 02).
    • Verify performance requirements (p95 latency).
  • Production Commissioning:
    • Execute the Commissioning run in TestRail (Folder 03) before enabling clinical traffic.
    • Commissioning confirms environment-specific readiness and is governed by R-TF-029-001/002/003.

Test environment​

Environment IDs and use​

  • Dev: Local workstation environment used for Unit and Integration test execution. Results are manually captured and uploaded to S3 folder 01_development_verification/.
  • Pre: Dedicated Preproduction server used for System-API verification of release candidates. Results are indexed in TestRail and stored in S3 folder 02_software_verification/.
  • Pro: Production environment used for Commissioning and final operational verification before clinical release. Results are indexed in TestRail and stored in S3 folder 03_commissioning/.

Environment controls​

For each environment, the following identifiers must be versioned and referenced within the root manifest.json to maintain the software configuration baseline:

  • API Configuration: Base URL and active routing prefix (e.g., https://plus.legit.health/v1.0/).
  • Build Identity: The unique combination of Software Version (1.1.0.0) and the Git Commit SHA.
  • Container Baseline: For the Production environment, the local Image IDs (generated by the local Bazel build) must be recorded to ensure the deployed artifacts match the verified baseline.
  • Runtime Configuration: Reference to the configuration baseline identifier (SHA-256 of the redacted .env file).
  • Security & Secrets: Credentials, API keys, and secrets (e.g., AWS_SECRET_ACCESS_KEY) SHALL NOT be stored in TestRail or evidence packs. Verification is limited to confirming that secrets are externalized and managed via protected environment variables.

Operational constraints for Pro commissioning​

To ensure clinical safety and regulatory compliance during the final deployment phase:

  • Access Control: Commissioning execution is strictly restricted to approved technical personnel (e.g., CTO/Lead Engineer).
  • Data Privacy: Only non-identifying, synthetic, or anonymized test data (verified as PII-free via EXIF stripping) may be used in the Production environment.
  • Evidence Integrity: The evidence pack must capture sufficient logs and health snapshots to prove operational readiness without exposing sensitive infrastructure data or plaintext secrets.

Planned tests​

All requirement-driven verification test cases are defined and maintained in TestRail under the section structure defined above, and traced to requirements via requirement_ids / primary_requirement_id.

The traceability matrix is maintained as a controlled export.

Test execution, data recording, and evidence pack​

What constitutes “execution evidence”​

For each TestRail Run (e.g., R15, R16), the evidence pack includes:

  • TestRail Run Export: A CSV/PDF export containing run metadata (release version, environment), tester identity, execution timestamps, and per-case outcomes.
  • Test Case Definitions: A snapshot of the approved test case versions used during the run to ensure the pass/fail meaning is reconstructible.
  • Manual Execution Artifacts:
    • Unit/Integration: Local terminal logs and coverage reports (coverage.py).
    • Verification: Request/response transcripts and server logs captured during preproduction testing.
    • Commissioning: Signed R-TF-029 records (PDF), deployment/config snapshots, and CloudWatch Synthetics screenshots.

Evidence pack storage​

System of record: Amazon S3 serves as the immutable evidence store, with TestRail providing the execution index and direct artifact links.

S3 path convention (v1.1.0.0) Evidence is organized into the following controlled hierarchy:

  • s3://legit-health-plus/software-tests/v1.1.0.0/
    • 01_development_verification/ (Unit/Integration logs + manifest)
    • 02_software_verification/ (Preproduction TestRail exports + logs)
    • 03_commissioning/ (Production TestRail exports + R-TF-029 records)
    • manifest.json (Root integrity index for all folders)

Evidence pack protection​

  • Access Control: Storage is restricted to authorized technical leads via IAM least-privilege policies.
  • Immutability: Once the manifest.json is generated and uploaded, the pack is considered a frozen regulated record. Any necessary updates must be additive and require an updated manifest.
  • Integrity: The root manifest.json binds all artifacts to the release identity (Version 1.1.0.0 and Commit SHA) using cryptographic checksums (ETags/MD5) for every file.

Relationship to T-012-035 (Test Run record)​

The “Test Run record” required by the QMS is operationalized as the combined set of:

  1. The TestRail Run Export (documenting the who, when, and what of the results).
  2. The S3 Evidence Folder (containing the raw supporting artifacts).
  3. The manifest.json (providing the integrity binding between the results and the build).

The manifest.json contains, at minimum:

  • release_version (1.1.0.0).
  • commit_sha (The unique Git identifier for the build).
  • env_id (Dev / Pre / Pro).
  • generated_at (UTC timestamp of the evidence pack finalization).
  • Artifact Inventory: A complete list of files with their S3 URIs and MD5/SHA-256 checksums to support audit reconstruction.

Evidence pack completeness expectations​

  • Verification completeness: The 02_software_verification/ folder must contain logs for all System-API cases executed in TestRail.
  • Commissioning completeness: The 03_commissioning/ folder must include the finalized and signed R-TF-029-001/002/003 records and supporting snapshots (e.g., DynamoDB audit entries, TLS certificates).
  • Validation: The manifest.json inventory must match the stored artifacts exactly; any mismatch indicates a failure in the evidence collection process.

Traceability and coverage​

Traceability mechanism​

  • Requirements baseline is the authoritative list of RequirementIDs.
  • Traceability is achieved by:
    • Storing RequirementIDs in TestRail test cases (requirement_ids, primary_requirement_id)
    • Maintaining a controlled traceability matrix export (RequirementID → Test Case ID(s) → Evidence)
  • Coverage rule: every RequirementID maps to at least one test case, or is explicitly justified as not applicable with documented rationale.

Coverage completeness​

The requirements baseline and coverage status are defined by the controlled traceability matrix export included as Annex A. Coverage is considered complete when each requirement in the export is mapped to at least one planned test case (or has a documented verification rationale where testing is not applicable).

Defect management (GitHub Issues)​

  • Defects are tracked as GitHub Issues.
  • Defect linkage rule:
    • Any failed test that indicates a product nonconformance to a requirement requires a linked GitHub Issue in the TestRail result comment.
    • Failures due to environmental issues (e.g., infrastructure outage) must be explicitly labeled as such in the test result comment, with objective evidence, and re-tested once the environment is restored.
  • Required defect fields (minimum):
    • Fix version
    • Labels
    • Priority
    • Severity

Records retention​

  • Test evidence packs and exports (including TestRail Plan/Run exports, per-case results, CI artifacts such as JUnit XML/logs/coverage reports, performance reports and raw results, commissioning evidence, and the evidence pack manifest) are retained for 10 years.
  • The system of record for test evidence packs is S3 using a release-scoped folder structure. Evidence integrity is supported by S3 bucket versioning and by storing an evidence pack manifest containing an inventory of artifacts and cryptographic checksums.
  • TestRail is used as the execution record and index. For each regulated verification campaign, TestRail exports are generated and stored in the corresponding S3 evidence pack.
  • Audit trail retention: Audit trail records are retained indefinitely in DynamoDB (no time-based deletion). Retention is verified by confirming that no automated TTL/expiry policy is configured for audit records and that audit data remains retrievable for historical periods. Access to audit trail data is restricted to authorized roles; audit data is not modified post-write except by controlled administrative operations.
  • Disposal: test evidence packs and audit records are not deleted during the defined retention period. Any exceptional disposal (e.g., due to legal request or migration) is handled under controlled change with documented justification, approvals, and preservation of traceability and integrity.

References​

  • R-TF-029-001 Deployment and Configuration Commissioning Record
  • R-TF-029-002 Functional and Interface Commissioning Record
  • R-TF-029-003 Clinical Workflow and Operational Readiness Commissioning Record
  • Applicable standards for software verification planning, traceability, and records: ISO 62304 and ISO 82304-1.
  • EU MDR documentation retention expectations (used to define minimum evidence retention period).
  • Requirements baseline: Software Requirements (authoritative RequirementIDs).
  • Test management system: TestRail (project “Medical Device”).
  • CI system: GitHub Actions.
  • Defect tracker: GitHub Issues.

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001

Annexes​

  • Annex A: Traceability matrix
  • Annex B: TestRail case list export

Annex A: Controlled export — Traceability matrix​

SRS IdSRS NameTest Case IdTest Case TitleTest Case URLTest IdTest URLStatus
SRS-7PJNetwork Service ExposureC50Verify the API service accepts incoming HTTP requests on the designated network portViewT105ViewPassed
SRS-AQMStandard HTTP Status Code UsageC62Verify API returns 200 HTTP status codes for successful requestsViewT106ViewPassed
SRS-BYJJSON Data Interchange FormatC68Verify API processes JSON requests and returns JSON responses with correct Content-Type headersViewT107ViewPassed
SRS-DW0User Authentication Endpoint ImplementationC77Verify successful user authentication and token generation via the POST /auth/login endpointViewT109ViewPassed
SRS-D3NProvision of Clinical Parameter EndpointsC73Verify retrieval and filtering of clinical signs data via /clinical/severity-experts endpointViewT108ViewPassed
SRS-LBSURL-Based API VersioningC106Verify API endpoints are accessible via URL paths prefixed with the major and minor version identifierViewT110ViewPassed
SRS-MZCRequest Body Size LimitationC110Verify the API returns HTTP 413 when the request body exceeds the configured maximum sizeViewT111ViewPassed
SRS-Q9MClinical Signs Analysis Endpoint ImplementationC124Verify POST /clinical/severity-assessment returns quantified results for valid image and sign listViewT112ViewPassed
SRS-RXKDiagnostic Support Endpoint ImplementationC128Verify the diagnosis-support endpoint accepts valid images and returns diagnostic analysisViewT113ViewPassed
SRS-ZQOConcurrent API Version SupportC162Verify simultaneous availability and processing of requests across distinct API versionsViewT114ViewSkipped
SRS-ID7Input Data ValidationC330Verify API rejects malformed inputs with standardized 422 Unprocessable Entity responsesViewT115ViewPassed
SRS-EH4Security-Safe Error HandlingC331Verify API returns sanitized error responses with appropriate HTTP status codes and no internal detailsViewT116ViewPassed
SRS-AQMStandard HTTP Status Code UsageC454Verify API returns 401 HTTP status codes for wrong login requestsViewT272ViewPassed
SRS-AQMStandard HTTP Status Code UsageC455Verify API returns 422 HTTP status code when invalid data is submittedViewT273ViewPassed
SRS-GERSystem Behavior on Internal Component Failure.C456Verification of controlled 503 response and graceful degradation during downstream service failure.ViewT300ViewPassed
SRS-6KEAPI Health Check EndpointC169Verify health check endpoint returns unhealthy when some service is unavailableViewT121ViewPassed
SRS-6KEAPI Health Check EndpointC46Verify the public health endpoint returns HTTP 200 and status OK when operationalViewT118ViewPassed
SRS-BA6Display the legal information about this medical deviceC66Verify retrieval of mandatory legal information, UDI, and regulatory metadata via APIViewT119ViewPassed
SRS-Z24API Documentation EndpointC159Verify availability of OpenAPI specification and interactive documentation endpointsViewT120ViewPassed
SRS-Q3QGenerate an aggregated ICD probability distribution from a set of imagesC255Verify API returns aggregated ICD probability distribution with structured code details in studyAggregate arrayViewT122ViewPassed
SRS-0ABGenerate per-image ICD analysis with explainability heat mapC256Verify response includes per-image ICD probabilities and heat maps for the top five categoriesViewT123ViewPassed
SRS-58WInclude entropy score in reportC258Verify response includes normalized entropy score between 0 and 1 in findingsViewT125ViewPassed
SRS-71IInclude the indicator of needing a high priority referral in the reportC260Verify report response includes highPriorityReferral score within riskMetrics objectViewT127ViewPassed
SRS-8HYInclude the indicator of malignancy in the reportC261Verify report response includes malignantConditionProbability score within riskMetrics objectViewT128ViewPassed
SRS-D08Include the indicator of the image presenting a pigmented lesion in the reportC262Verify report response includes pigmentedLesion score within riskMetrics objectViewT129ViewPassed
SRS-JLMInclude the indicator of the presence of a condition in the reportC263Verify report response includes anyConditionProbability score within riskMetrics objectViewT130ViewPassed
SRS-KASInclude the indicator of needing an urgent referral in the reportC264Verify report response includes urgentReferral score within riskMetrics objectViewT131ViewPassed
SRS-K7MOrchestrate diagnosis support workflowC265Verify diagnosis workflow returns ranked ICD-11 codes, binary indicators, and explainability maps for valid imagesViewT132ViewPassed
SRS-A9FWound Bed Tissue - EpithelialC266Verify epithelial tissue classification returns right presence prediction and confidence scoreViewT133ViewPassed
SRS-B3ZInflammatory Pattern IdentificationC267Verify API returns Hurley stage and inflammatory status with associated probabilities for valid image inputViewT134ViewPassed
SRS-B6LWound Bed Tissue - NecroticC268Verify tissue wound bed necrotic classification returns right presence prediction and confidence scoreViewT135ViewPassed
SRS-B8NPustule Intensity QuantificationC269Verify pustule classification returns right intensity and confidenceViewT136ViewPassed
SRS-A4WInflammatory Nodular Lesion QuantificationC270Verify inflammatory nodular lesion detector return correct counts and bounding boxes for drainning tunnelsViewT137ViewPassed
SRS-A6TDelimited Wound Edges AssessmentC271Verify wound borders delimited classification returns right presence prediction and confidence scoreViewT138ViewPassed
SRS-C1RSerous Exudate AssessmentC272Verify wound exudation serous classification returns right presence prediction and confidence scoreViewT139ViewPassed
SRS-D7NPurulent Exudate AssessmentC274Verify wound exudation purulent classification returns right presence prediction and confidence scoreViewT141ViewPassed
SRS-D9TMaceration Surface QuantificationC275Verify wound maceration segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT142ViewPassed
SRS-E4RErythema Intensity QuantificationC276Verify erythema classification returns right intensity and confidenceViewT143ViewPassed
SRS-Y6FCrusting Intensity QuantificationC277Verify crusting classification returns right intensity and confidenceViewT144ViewPassed
SRS-F2KThickened Wound Edges AssessmentC278Verify thickened wound borders classification returns right presence prediction and confidence scoreViewT145ViewPassed
SRS-T3KInduration Intensity QuantificationC279Verify induration classification returns right intensity and confidenceViewT146ViewPassed
SRS-F6JHair Loss Surface QuantificationC280Verify hair loss segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT147ViewPassed
SRS-G3PWound Perilesional Erythema AssessmentC281Verify wound perilesional erythema classification returns right presence prediction and confidence scoreViewT148ViewPassed
SRS-G9RWound Stage ClassificationC282Verify wound stage classification returns right score and confidence metrics from a valid wound imageViewT149ViewPassed
SRS-H5KErythema Surface QuantificationC283Verify erythema segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT150ViewPassed
SRS-H9XLichenification Intensity QuantificationC284Verify lichenification classification returns right intensity and confidenceViewT151ViewPassed
SRS-I7TWound Affected Tissue - Intact SkinC285Verify wound affected tissues intact classification returns right presence prediction and confidence scoreViewT152ViewPassed
SRS-J5PHair Follicle QuantificationC286Verify API returns follicle count, bounding boxes, and confidence scores for a valid scalp imageViewT153ViewPassed
SRS-J9VIndistinguishable Wound Edges AssessmentC287Verify wound borders indistinguishable classification returns right presence prediction and confidence scoreViewT154ViewPassed
SRS-K3HWound Affected Tissue - SubcutaneousC288Verify wound affected tissues subcutaneous classification returns right presence prediction and confidence scoreViewT155ViewPassed
SRS-K4UOrthopedic Material Surface QuantificationC289Verify wound orthopedic material segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT156ViewPassed
SRS-L4WDamaged Wound Edges AssessmentC290Verify wound borders damaged classification returns right presence prediction and confidence scoreViewT157ViewPassed
SRS-L8YBiofilm and Slough Surface QuantificationC291Verify wound biofilm material segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT158ViewPassed
SRS-M2LXerosis Intensity QuantificationC292Verify xerosis classification returns right intensity and confidenceViewT159ViewPassed
SRS-M6PGranulation Tissue Surface QuantificationC293Verify wound granulation segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT160ViewPassed
SRS-N2CBone Surface SegmentationC294Verify wound bone segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT161ViewPassed
SRS-N5QSwelling Intensity QuantificationC295Verify swelling classification returns right intensity and confidenceViewT162ViewPassed
SRS-N8WWound Affected Tissue - Dermis-EpidermisC296Verify wound exudation serous classification returns right presence prediction and confidence scoreViewT163ViewPassed
SRS-O5MWound Affected Tissue - MuscleC297Verify wound affected tissues muscle classification returns right presence prediction and confidence scoreViewT164ViewPassed
SRS-L3XSkin Surface SegmentationC298Verify skin segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT165ViewPassed
SRS-Z5NHive Lesion QuantificationC299Verify hive detector return correct counts and bounding boxes for hivesViewT166ViewPassed
SRS-Z8PBiofilm-Compatible Tissue AssessmentC300Verify wound biofilm tissue classification returns right presence prediction and confidence scoreViewT167ViewPassed
SRS-P4XWound Bed Tissue - SloughC302Verify tissue wound bed slough classification returns right presence prediction and confidence scoreViewT169ViewPassed
SRS-P9WDesquamation Intensity QuantificationC303Verify desquamation classification returns right intensity and confidenceViewT170ViewPassed
SRS-Q1LHypopigmentation or Depigmentation Surface QuantificationC304Verify hypopigmentation segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT171ViewPassed
SRS-Q8ZDiffuse Wound Edges AssessmentC305Verify wound borders diffused classification returns right presence prediction and confidence scoreViewT172ViewPassed
SRS-R3WWound Bed Surface QuantificationC306Verify wound bed segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT173ViewPassed
SRS-R7COozing Intensity QuantificationC307Verify oozing classification returns right intensity and confidenceViewT174ViewPassed
SRS-S2VWound Affected Tissue - BoneC308Verify wound affected tissues bone classification returns right presence prediction and confidence scoreViewT175ViewPassed
SRS-S8MAcneiform Lesion Type QuantificationC309Verify acneiform detector return correct counts and bounding boxes for papules, pustules, spotsViewT176ViewPassed
SRS-T6HWound AWOSI Score QuantificationC310Verify AWOSI classification returns right score and confidence metrics from a valid wound imageViewT177ViewPassed
SRS-T9UWound Bed Tissue - ClosedC311Verify tissue wound bed closed classification returns right presence prediction and confidence scoreViewT178ViewPassed
SRS-U4MPerilesional Maceration AssessmentC312Verify wound perilesional maceration classification returns right presence prediction and confidence scoreViewT179ViewPassed
SRS-U8ZNail Lesion Surface QuantificationC313Verify nail lesion segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT180ViewPassed
SRS-V1DExcoriation Intensity QuantificationC314Verify excoriation classification returns right intensity and confidenceViewT181ViewPassed
SRS-V7QNecrosis Surface QuantificationC315Verify wound necrosis segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT182ViewPassed
SRS-W3RHyperpigmentation Surface QuantificationC316Verify hyperpigmentation segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT183ViewPassed
SRS-W9KBloody Exudate AssessmentC317Verify wound bloody exudation classification returns right presence prediction and confidence scoreViewT184ViewPassed
SRS-X5BFibrinous Exudate AssessmentC318Verify wound exudation fibrinous classification returns right presence prediction and confidence scoreViewT185ViewPassed
SRS-X8QFollicular and Inflammatory Pattern IdentificationC319Verify follicular and inflammatory pattern identification returns right resultViewT186ViewPassed
SRS-Y2EWound Bed Tissue - GranulationC320Verify wound tissue wound bed granulation classification returns right presence prediction and confidence scoreViewT187ViewPassed
SRS-W6TOrchestrate Clinical Signs Analysis WorkflowC321Verify generation of structured clinical assessment report with quantified results for requested signs via APIViewT188ViewPassed
SRS-E1VBody Surface SegmentationC325Verify body surface segmentation analysis returns segmentation masks and the right percentage of surface affectedViewT193ViewPassed
SRS-S8MAcneiform Lesion Type QuantificationC446Verify acneiform detector return correct counts and bounding boxes for nodules, pustules and scabsViewT264ViewPassed
SRS-S8MAcneiform Lesion Type QuantificationC447Verify acneiform detector return correct counts and bounding boxes for scabs, comedones, papules and pustulesViewT265ViewPassed
SRS-Z5NHive Lesion QuantificationC448Verify hive detector return correct counts and bounding boxes for hives (second image)ViewT266ViewPassed
SRS-A4WInflammatory Nodular Lesion QuantificationC449Verify inflammatory nodular lesion detector return correct counts and bounding boxes for non drainning tunnelsViewT267ViewPassed
SRS-A4WInflammatory Nodular Lesion QuantificationC450Verify inflammatory nodular lesion detector return correct counts and bounding boxes for nodulesViewT268ViewPassed
SRS-H2VHead DetectionC323Verify head detection returns right bounding boxes and heads count inside an imageViewT191ViewPassed
SRS-9ZTThe product classifies the image's modalityC327Verify API returns ""clinical"" for image modality category when a skin image is providedViewT195ViewPassed
SRS-O93The product checks the image's clinical domainC328Verify API returns image domain category equals to ""dermatological"" and confidence score for a skin imageViewT196ViewPassed
SRS-Y5WThe product checks the image quality with the Dermatological Image Quality Assessment (DIQA) algorithmC329Verify API returns dermatological image quality score, interpretation, and acquisition feedbackViewT197ViewPassed
SRS-9ZTThe product classifies the image's modalityC451Verify API returns ""dermoscopic"" for image modality category when a skin image is providedViewT269ViewPassed
SRS-O93The product checks the image's clinical domainC452Verify API returns image domain category equals to ""non_dermatological"" and confidence score for a dog imageViewT270ViewPassed
SRS-F05Generate FHIR DiagnosticReport Base StructureC453Verify FHIR DiagnosticReport base structure for a segmenterViewT271ViewPassed
SRS-1KWSecure Communication Protocol EnforcementC332Verify API accepts requests over HTTPS using TLS 1.2 or 1.3ViewT198ViewPassed
SRS-1KWSecure Communication Protocol EnforcementC333Verify API rejects or redirects unencrypted HTTP requestsViewT199ViewPassed
SRS-28XImplement progressive delays between failed login attemptsC335Verify progressive increase in enforced delay across consecutive failed authentication attemptsViewT201ViewPassed
SRS-28XImplement progressive delays between failed login attemptsC336Verify delay resets upon successful authenticationViewT202ViewPassed
SRS-A25Role-Based Access Control (RBAC) with Least Privilege Principle to restrict users to essential functionsC337Verify successful access to permitted endpoints for an authorized roleViewT203ViewPassed
SRS-A25Role-Based Access Control (RBAC) with Least Privilege Principle to restrict users to essential functionsC338Verify access denial for endpoints outside the assigned role scopeViewT204ViewPassed
SRS-A2BAPI Rate LimitingC339Verify HTTP 403 response when request volume exceeds defined thresholdViewT205ViewPassed
SRS-A2BAPI Rate LimitingC340Verify request acceptance after rate limit time window expirationViewT206ViewPassed
SRS-MM8Generated JWTs must have an expiration dateC341Verify generated authentication tokens include the expiration claimViewT207ViewPassed
SRS-MM8Generated JWTs must have an expiration dateC342Verify access denial for requests using an expired JWTViewT208ViewPassed
SRS-SDZUse hashed and salted passwordsC343Verify generation of authentication token using valid credentialsViewT209ViewPassed
SRS-SDZUse hashed and salted passwordsC344Verify rejection of authentication requests with invalid credentialsViewT210ViewPassed
SRS-SDZUse hashed and salted passwordsC345Verify password update functionality and subsequent authenticationViewT211ViewPassed
SRS-TPKLock accounts after five failed attemptsC346Verify account lockout enforcement after threshold reachedViewT212ViewPassed
SRS-TPKLock accounts after five failed attemptsC347Verify failed attempt counter reset on successful loginViewT213ViewPassed
SRS-TPKLock accounts after five failed attemptsC348Verify administrative manual account unlock capabilityViewT214ViewPassed
SRS-U8MEnforce strong password policies (min. 12 characters, complexity rules, expiration policies)C349Verify enforcement of password complexity and length constraintsViewT215ViewPassed
SRS-U8MEnforce strong password policies (min. 12 characters, complexity rules, expiration policies)C350Verify authentication behavior for expired passwordsViewT216ViewPassed
SRS-WEREndpoint Access ControlC351Verify protected endpoints allow access with a valid OAuth 2.0 Bearer tokenViewT217ViewPassed
SRS-WEREndpoint Access ControlC352Verify protected endpoints reject requests lacking a valid token with 401 UnauthorizedViewT218ViewPassed
SRS-WEREndpoint Access ControlC353Verify public endpoints are accessible without an Authorization headerViewT219ViewPassed
SRS-WGFAES-256 encryption for data at restC354Verify AES-256 encryption configuration for data storageViewT220ViewPassed
SRS-X9JConduct periodic access reviews to verify permissions align with job functionsC355Verify authorized administrator can retrieve current user information for reviewViewT221ViewPassed
SRS-X9JConduct periodic access reviews to verify permissions align with job functionsC356Verify authorized administrator can revoke permissions during access reviewViewT222ViewPassed
SRS-IC4Software and Configuration Integrity VerificationC357Verify successful execution and audit logging of system integrity checksViewT223ViewPassed
SRS-BK7Encrypted Backup and Integrity VerificationC363Verify backup generationViewT225ViewPassed
SRS-BK7Encrypted Backup and Integrity VerificationC364Verify automated backup generationViewT226ViewPassed
SRS-CCDIntrusion Prevention and Malicious Traffic DetectionC366Verify blocking of anomalous high-frequency request burstsViewT228ViewPassed
SRS-F05Generate FHIR DiagnosticReport Base StructureC368Verify FHIR DiagnosticReport base structure for a detectorViewT230ViewPassed
SRS-FMGRecord Analysis Duration in ReportC369Verify analysisDuration field population in DiagnosticReportViewT231ViewPassed
SRS-JC6The product provides a final image validity summaryC370Verify isAssessable is true when domain and quality criteria are metViewT232ViewPassed
SRS-JC6The product provides a final image validity summaryC371Verify isAssessable is false when image quality is unacceptableViewT233ViewPassed
SRS-JC6The product provides a final image validity summaryC372Verify isAssessable is false when image is non-dermatologicalViewT234ViewPassed
SRS-K6NMap Per-Image Analysis to a dedicated object in the reportC373Verify single image analysis maps to structured object in imageAnalyses arrayViewT235ViewPassed
SRS-K6NMap Per-Image Analysis to a dedicated object in the reportC374Verify multiple image analyses map to distinct objects in imagingAnalysis arrayViewT236ViewPassed
SRS-H3JDeterministic Response SchemasC375Verify response structure compliance with OpenAPI success schemaViewT237ViewPassed
SRS-H3JDeterministic Response SchemasC376Verify response structure compliance with OpenAPI error schemaViewT238ViewPassed
SRS-W5ZAssign DiagnosticReport IdentifierC377Verify Assignment of Official Identifier to DiagnosticReportViewT239ViewPassed
SRS-W5ZAssign DiagnosticReport IdentifierC378Verify Uniqueness of Generated DiagnosticReport IdentifiersViewT240ViewPassed
SRS-D6WAccurate Time SynchronizationC382Verify System Timestamp Accuracy via API Response HeadersViewT244ViewPassed
SRS-D6WAccurate Time SynchronizationC383Verify System Time Synchronization and Accuracy StatusViewT245ViewPassed
SRS-SI2Secure Audit Trail Access InterfaceC388Verify Role-Based Access Control for Audit Trail InterfaceViewT247ViewPassed
SRS-SI2Secure Audit Trail Access InterfaceC389Verify Audit Trail Search and Export CapabilitiesViewT248ViewPassed
SRS-T5PAudit Record Integrity ProtectionC391Verify audit records cannot be modified or deleted via APIViewT249ViewPassed
SRS-PU2Comprehensive Event AuditingC395Verify audit trail generation for authentication lifecycle and security anomaliesViewT251ViewPassed
SRS-U2PConsolidated Audit Record ContentC398Verify audit record completeness for successful API eventViewT252ViewPassed
SRS-U2PConsolidated Audit Record ContentC399Verify audit record completeness for failed API eventViewT253ViewPassed
SRS-PU2Comprehensive Event AuditingC410Verify audit trail generation for clinical data creation eventsViewT255ViewPassed
SRS-T95Audit System Failure HandlingC413Audit record preservation during database unavailabilityViewT258ViewPassed
SRS-BWBPerformance and LatencyC416Verify p95 API latency remains under 10 seconds during nominal loadViewT261ViewPassed

Annex B: TestRail Test Case Export​

Annex_B_TestRail_Test_Case_Export.csv

Previous
R-TF-012-023 Software Development Plan
Next
R-TF-012-034 — Software Test Description
  • Change history
  • Purpose
  • Scope
    • In scope
    • Out of scope
  • Test management system and governance
    • Tool confidence (TestRail and CI evidence pipeline)
    • TestRail project structure
    • Stable identifiers
    • Custom fields (as implemented)
      • Test Cases
      • Test results
    • Naming conventions
      • Test Cases
      • Test Runs
    • Change control for test cases
  • Requirements taxonomy and verification strategy
    • Test levels (where executed)
    • Entry and exit criteria (minimum)
    • Commissioning records (R-TF-029-001/002/003)
    • Test types (how classified)
    • Gating and regression strategy
  • Test environment
    • Environment IDs and use
    • Environment controls
    • Operational constraints for Pro commissioning
  • Planned tests
  • Test execution, data recording, and evidence pack
    • What constitutes “execution evidence”
    • Evidence pack storage
      • Evidence pack protection
    • Relationship to T-012-035 (Test Run record)
    • Evidence pack completeness expectations
  • Traceability and coverage
    • Traceability mechanism
    • Coverage completeness
  • Defect management (GitHub Issues)
  • Records retention
  • References
  • Annexes
    • Annex A: Controlled export — Traceability matrix
    • Annex B: TestRail Test Case Export
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)