Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
afe5a98474aaab3626200a086f8c5f83c420f2b5
breakpilot-compliance/backend-compliance/reference_scenarios/medical_stress_test.md
T
Benjamin Admin 80f2e2f619 feat: Medical stress test (safety+security coupled) + Missing Convergence report (Phase Ω #3) 
Medical before Payment: the harder scientific test (safety AND security coupled, full lifecycle,
deep risk/evidence demands). ISO 13485 runs through the SAME engine as ISO 27001 -> CRA, only new
data, 0 runtime. The key result: IEC 81001-5-1 (health-software security) pulls in the SAME security
MCAPs as the CRA, so Medical REUSES cyber capabilities (the safety/security coupling appears as
capability reuse) while adding 7 genuinely new medical caps (clinical evaluation, software safety
classification, ISO 14971 risk file, benefit-risk). rejected_assumptions intact.

Effect on the convergence core: secure_signed_update_distribution 18 -> 24 and
technical_vulnerability_management 17 -> 23, now spanning 3 domains (cyber + industrial + medical) —
the core visibly GROWS, exactly the convergence signal.

New 5th report: MISSING CONVERGENCE — deterministic (no ML) token-cluster detector for potential
structural duplications: a name token shared by >=3 MCAPs across >=2 distinct sources is flagged for
EXPERT REVIEW (never auto-merged). Surfaces e.g. the `risk` cluster (6 risk MCAPs across 6 sources)
and `security`/`software`; single-source decompositions are filtered out. Complements Suspicious by
looking at cross-source duplication, not single MCAPs.

Also records the durable modelling rule extracted from the frequency fix: evidence is attributed to
its ORIGIN; its value against a target is computed later (relevance(evidence,target)). Ledger now 8
sources, Architecture Stability 8/8 = 100%. Non-runtime -> no deploy. 29 tests pass, check-loc 0.
2026-06-28 12:09:52 +02:00

2.8 KiB
Raw Blame History

Medical Stress Test — Safety + Security gekoppelt, der härtere Test (Phase Ω #3)

Medical prüft erstmals gemeinsam: Safety UND Security gekoppelt, voller Produktlebenszyklus, sehr starke Risikomanagement-/Nachweispflichten, hohe regulatorische Tiefe. ISO 13485 als Company Profile durch DIESELBE Engine — nur neue Daten, 0 Runtime. Synthetisch, keine echten Namen.

1. ISO 13485 als Profil → Delta über dieselbe Engine

  • ISO 13485 liefert medizinische QMS-Disziplin (Welt-1): manage_document_control, operate_capa_process, conduct_design_controls, run_risk_management_process. …
  • Delta (fehlt): 11 Capabilities — über dieselbe assess_transition, 0 neue Runtime-Klassen.

2. Safety/Security-KOPPLUNG — Medical REUSED Cyber-MCAPs (IEC 81001-5-1 = CRA-Security)

  • Wiederverwendete Cyber-Capabilities (4): access_control_and_authentication, sbom_creation, secure_signed_update_distribution, technical_vulnerability_management.
  • → Genau das ist die Kopplung: die Gesundheitssoftware-Security (IEC 81001-5-1) fordert dieselben Fähigkeiten wie die CRA. Diese MCAPs wandern damit in eine dritte Domäne und werden im Convergence-Core noch zentraler.

3. Genuin neue, medizin-spezifische Capabilities

  • Neu (7): assign_unique_device_identification, classify_software_safety_iec62304, compile_medical_technical_documentation, conduct_clinical_evaluation, implement_software_lifecycle_iec62304, maintain_risk_management_file_iso14971, perform_benefit_risk_analysis.
  • Capabilities als Verben: conduct_clinical_evaluation, classify_software_safety_iec62304, maintain_risk_management_file_iso14971, perform_benefit_risk_analysis.

4. Was ISO 13485 typischerweise NICHT erzeugt (rejected_assumptions, Welt-1/Welt-2)

  • ISO 13485 does NOT produce clinical evidence or a clinical evaluation.
  • ISO 13485 does NOT produce the ISO 14971 risk management FILE (only the process).
  • ISO 13485 does NOT produce IEC 62304 software-lifecycle records or a software safety classification.
  • ISO 13485 does NOT establish health-software security (IEC 81001-5-1 = the same security caps as the CRA).

Befund

Die härteste Domäne bisher (Safety+Security gekoppelt, voller Lebenszyklus, tiefe Risiko-/Nachweispflicht) lief durch die unveränderte Pipeline — 0 neue Runtime-Klassen, nur ein Pattern-YAML. Das stärkste Einzelsignal: 4 Security-Capabilities werden aus dem Cyber-Bestand WIEDERVERWENDET (IEC 81001-5-1 = CRA), während 7 medizin-spezifische neu hinzukommen. Genau so wächst ein Kern: gemeinsame Fähigkeiten verbinden Cyber, Maschinenbau, Automotive UND Medizin; das Domänenspezifische bleibt am Rand. Architecture Stability bleibt stabil; der Engpass ist jetzt die Qualität der Wissensmodellierung, nicht die Architektur.

Reference in New Issue View Git Blame Copy Permalink