Proof of Capability Requirements

Supplier records and Supplier Users Accounts

POC-UM001

Create Supplier record

Create a Supplier record which includes Supplier information and metadata (e.g. Supplier name, address, primary contact).

NHS/Supplier

MUST

POC-UM002

View Supplier record

View the Supplier record.

NHS/Supplier

MUST

POC-UM003

Create Supplier User

Create a user account for a Supplier user.

• The Supplier User must only be able to view information relating to the Supplier record with which they are paired, in order to preserve data confidentiality.

NHS

MUST

NHS User Accounts

POC-UM004

Create NHS User

Create a user account for an NHS user.

• By default, the NHS user should be able to see information relating to any and all Suppliers.

NHS

MUST

Manage Capabilities available to select

POC-FRM001

Add new Capabilities

Create a new Capability and Epic(s).

• Capabilities must include 1+ MUST Epics.

• Capabilities may include 0+ MAY Epics.

• Newly added Capabilities are reflected in Solutions' Capabilities and Epics selection.

NHS

MUST

POC-FRM002

Update Capabilities

Epic can be added to/removed from Capabilities.

• Epics must be given a level of MUST or MAY.

• Epics added to/removed from a Capability are reflected in Solutions' Capabilities and Epics selection.

NHS

MUST

Manage Frameworks available to select

POC-FRM003

Create Frameworks

Create new Framework which can be selected and applied to Solutions.

Creating a Framework involves defining its content:

• Capabilities which are mandatory for the Framework must be specified.

NHS

MUST

POC-FRM004

Update Framework content

Update a Framework’s content:

• Capabilities which are mandatory to the Framework can be amended.

NHS

MUST

POC-FRM005

Enable/disable Frameworks

Enable/disable a Framework as a selection available to Solutions.

• Disabling a Framework must not “deselect” it for Solutions which have already selected the Framework.

NHS

MUST

Add new Products (Solutions and Additional Services)

POC-SR001

Add new Solutions

Add a new Solution to a Supplier record.

• A Solution must always have a Parent Supplier.

• Details for the Solution can be added.

• Details enters are subject to validation rules.

NHS/Supplier

MUST

POC-SR002

Add Additional Services to a Solution

Add 0+ Additional Services to a Solution.

• An Additional Service must always have a Parent Solution.

• Details for the Additional Service can be added.

• Details enters are subject to validation rules.

NHS/Supplier

MUST

POC-SR003

View Solutions and Additional Services

View the Solutions and Additional Services registered with a Supplier.

NHS/Supplier

MUST

POC-SR004

Track Progress

View any tasks which are outstanding that are associated with the Supplier record or Solutions.

NHS/Supplier

MUST

Select Frameworks for Solutions

POC-SR005

Select Frameworks for a Solution

Select a Framework for a Solution.

Frameworks determine the Capabilities and Standards that must be delivered by the Solution.

Supplier

MUST

POC-SR006

View Capabilities and Epics in Frameworks

View the Capabilities and Epics that are within the scope of the selected Framework.

Supplier

MUST

Select Capabilities and Epics for Products (Solutions and Additional Services)

POC-SR007

Select Capabilities and Epics for Solutions

Select the Capabilities and Epics that the Solution, and any Associated Services, will be assessed against.

• 1+ Capabilities must be selected for the Solution.

  • Any Capabilities which are mandatory for the selected Framework will be pre-selected and cannot be deselected.

• 1+ Capabilities must be selected for each Additional Service.

• All MUST Epics in the Capability are pre-selected and cannot be deselected.

• 0+ MAY Epics in each Capability can be selected.

  • Any MAY Epics which are mandatory for the selected Framework will be pre-selected and cannot be deselected.

Additional Services are expected to provide additional functionality over and above that provided by the Parent Solution. If the same Capability and/or Epic is selected for both the Solution and for an Additional Service, this will be reviewed internally and queried - the only circumstances this would be permitted is if the same functionality is delivered in different ways.

Supplier

MUST

POC-SR008

View Selected Capabilities & Epics

View the Capabilities and Epics that are selected for the Solution and any Additional Services.

NHS/Supplier

MUST

Respond to Preliminary Assurance Requirements

POC-SR009

Record responses to Preliminary Assurance requirements

Questions will be presented to the user that they can respond to.

Supplier

MUST

POC-SR010

Record additional responses based a preceding question

Additional questions may be displayed based on the response to a preceding question (e.g. dates, space-limited explanations).

Supplier

MUST

Requirement Response Types

POC-SR011

Restricted Selectable Options

Users can select from a limited number of options that encompass the possible responses to the requirement (e.g. does the Supplier have a Clinical Safety Officer, yes or no?).

Supplier

MUST

POC-SR012

Restricted Text Inputs

Users can input text in a short, controlled format (e.g. dates, document numbers, version numbers).

• Validation rules can be applied to restricted text inputs (e.g. letters only, numbers only, fixed length).

Supplier

MUST

POC-SR013

File Upload

Users can upload files as evidence.

• File type validation can be applied to the file upload (e.g. only accept certain file types such as .XLSX).

Supplier

MUST

Solution Registration submission and review

POC-SR014

Submit Solution Registrations for review and approval

Submit the Solution Registration information for review and approval.

• Submission includes…

  • All products (Core product and any Additional Services)

  • Framework selection

  • Capabilities and Epics selection

  • Preliminary Assurance

• All mandatory fields and selections must be complete in order to submit the Solution for review.

• Details for the Solution or Additional Services cannot be amended once submitted.

• Details for Preliminary Assurance cannot be amended once submitted.

• Capabilities and Epics selected cannot be amended once submitted.

Supplier

MUST

POC-SR015

View all Solution Registration review tasks

View all Solution Registration submissions that have not yet been approved or returned to the Supplier with feedback.

NHS

MUST

POC-SR016

View Solution Registration submission

View all Solution Registration submission information, including…

• All product information for the Solution.

• All product information for any Additional Services.

• All Capabilities selected, all Epics selected, and all allocations of Capabilities to products.

• All responses to Preliminary Assurance requirements, including uploaded files.

NHS/Supplier

POC-SR017

Record notes on Solution Registration submissions

Record notes for the submitted Solution Registration submission, including…

• All products (Core product and any Additional Services)

• Capabilities and Epics selection

• Preliminary Assurance

Notes may be captured for individual parts of the submission or to the submission as a whole.

NHS

MUST

POC-SR018

Approve or reject Solution Registration submissions

Approve or reject a Solution Registration submission.

• Approval or rejection may apply to individual parts of the submission or to the Solution as a whole.

NHS

MUST

POC-SR019

View reviewed Solution Registrations submissions

View the approval/rejection outcome and any notes for the submission.

NHS/Supplier

MUST

POC-SR020

Access uploaded files

Download uploaded files.

NHS/Supplier

MUST

Solution Registration amendments

POC-SR021

Amend rejected Solution Registrations

The Solution Registration can be amended if the submission is rejected.

• As standard, once a Solution Registration is submitted it must not be possible to make any amendments until the Solution Registration is rejected.

Supplier

MUST

POC-SR022

“Unlock” and “lock” approved Solution Registrations

Approved Solution Registrations can be unlocked to allow amendments, and locked to prevent further amendments.

• As standard, once a Solution Registration is approved, it must not be possible to make any amendments unless an authorised user “unlocks” the Solution for amendment.

NHS

MUST

Requirement ID

Requirement Name

Requirement Description

Actors

Priority

Look and Feel

POC-NFR001

Toolset interface clarity

The toolset will have a clean and professional appearance.

N/A

MUST

POC-NFR002

User IT proficiency

The toolset must be accessible to users with basic IT proficiency and who are not technically trained.

• Users who are administrators and other non-technical roles must be able to use the toolset without the “noise” or distraction of features that are not relevant or that require specialist training or knowledge.

N/A

MUST

Usability and Human-Centred Design

POC-NFR003

Prevent invalid data and file types

The toolset must prevent invalid data from being input and invalid file types from being uploaded.

• Validation rules and file type restrictions will be applied to inputs.

N/A

MUST

POC-NFR004

Accessibility

The toolset meets a range of accessibility needs.

• See https://w3.org/TR/WCAG22/ for guidance.

N/A

MUST

Performance & Capacity

POC-NFR005

Data backup and recovery

The toolset must back up all data to avoid data loss and include a recovery service to restore data from backups.

N/A

MUST

POC-NFR006

File storage

The toolset must EITHER provide file storage capabilities, OR facilitate reliable integrations with a file storage solution.

N/A

MUST

Operational

POC-NFR007

Web based

The toolset must be a web based solution.

N/A

MUST

POC-NFR008

Browser compatibility

The toolset must be usable on a range of web browsers (e.g. Internet Explorer, Chrome, Safari, Firefox).

N/A

MUST

POC-NFR009

Immediate publishing of submitted changes

The toolset must immediately publish any changes submitted by a user without delay, so that other authorised users can see the immediately see the changes.

N/A

MUST

POC-NFR010

Test Environment

The toolset must have a test environment in which changes to the content and order of activities can be tested before release.

N/A

MUST

Maintainability and Support

POC-NFR011

Regular Updates

The toolset will be capable of supporting regular changes to the content and order of onboarding activities, as required by a range of causes.

N/A

MUST

Security

POC-NFR012

User authentication

The toolset must require users to be authenticated against a unique user identity.

• Users must regularly re-authenticate themselves.

N/A

MUST

POC-NFR013

Password authentication

If authenticating through the use of a password, the toolset must include…

• Rules that govern the strength and lifetime of passwords.

• Password expiry.

• Secure storage of passwords in databases.

• Password reset functionality.

N/A

COULD

POC-NFR014

Role-based Access Control 

The toolset must deliver role-based access control to be used to enable and disable a user’s access to features and data in the toolset.

• Only allow authorised users to access data and functions.

• Store data securely and prevent access from unauthorised users.

• Allow customisation of permissions and roles for authorised users.

• A Supplier User must only be able to view information relating to the Supplier record with which they are paired, in order to preserve data confidentiality.

• By default, an NHS user should be able to see information relating to any and all Suppliers.

Note that the Programme may wish to prevent Supplier users from adding their own products (Solutions and Additional Services) and have these actions performed by NHS staff on the Suppliers' behalf.

N/A

MUST

POC-NFR015

Cyber Security

The toolset must be capable of protecting itself against malevolent software, cyber attacks and other hostile actions.

N/A

MUST

POC-NFR016

Data Integrity

The toolset must maintain the integrity of the data that is stores to ensure that it is protected from corruption and misuse, i.e. data must be stored as it was originally received.

N/A

MUST

POC-NFR017

Audit Trails

The toolset must keep a clear and easily understandable audit trail to allow complete verification of its operations and data.

• Audit trails must include login attempts (successful and unsuccessful) and password changes.

N/A

MUST

Legal

POC-NFR018

Data Protection and Internet Security

The toolset, and process for using the toolset must:

• Meet the Data Protection Act 2018.

• Meet all applicable data protection and Internet security standards established by the NHS.

  • See example guidance: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides

N/A

MUST