| Field | Value |
|---|---|
| RFC ID | 003 |
| Title | ROSIE Evidence Standard: Schema for Automated Qualification Evidence |
| Version | 1.1.0 |
| Status | Draft |
| Focus | 21 CFR Part 11 compliance, evidence schemas, immutable logs |
1. Scope
This RFC defines the structure of the gxp-execution.json artifact. It ensures that automated test outputs (OQ/PQ) are captured in a format that satisfies regulatory requirements for electronic records, including environment state, visual evidence, and execution telemetry.
2. Evidence Package Structure
The evidence package is a JSON-LD compliant object that aggregates execution metadata.
2.1 gxp-execution.json Schema
```json
{
  "execution_id": "uuid-v4",
  "timestamp": "ISO-8601",
  "commit_sha": "git-sha",
  "environment": {
    "os": "ubuntu-22.04",
    "runtime": "node-v18.1.0",
    "container_digest": "sha256:...",
    "sbom_ref": "path/to/sbom.json"
  },
  "results": [
    {
      "gxp_id": "AL-OQ-AUTH-01",
      "status": "PASS",
      "duration_ms": 120,
      "logs": ["..."],
      "attachments": [
        {
          "type": "screenshot",
          "hash": "sha256:...",
          "uri": "s3://bucket/evidence/PQ-05.png"
        }
      ]
    }
  ],
  "signature": {
    "signed_by": "BuildAgent-01",
    "hash_method": "SHA-256",
    "value": "..."
  }
}
```
3. Schema Field Definitions
3.1 Root Fields
| Field | Type | Required | Description |
|---|---|---|---|
| execution_id | UUID v4 | Yes | Unique identifier for this test run |
| timestamp | ISO-8601 | Yes | UTC timestamp when execution completed |
| commit_sha | string | Yes | Git commit SHA being tested |
| environment | object | Yes | Execution environment details |
| results | array | Yes | Array of test results |
| signature | object | Yes | Cryptographic signature of the package |
3.2 Environment Object
| Field | Type | Required | Description |
|---|---|---|---|
| os | string | Yes | Operating system and version |
| runtime | string | Yes | Language runtime and version |
| container_digest | string | No | Docker image digest if containerized |
| sbom_ref | string | No | Path to Software Bill of Materials |
3.3 Result Object
| Field | Type | Required | Description |
|---|---|---|---|
| gxp_id | string | Yes | The @gxp-id of the test |
| status | enum | Yes | PASS, FAIL, SKIP, ERROR |
| duration_ms | number | Yes | Execution time in milliseconds |
| logs | array | No | Captured stdout/stderr |
| attachments | array | No | Evidence files (screenshots, exports) |
4. Evidence Collection Rules
4.1 Visual Evidence (MUST)
For PQ tests involving a UI, capture at least one screenshot of the terminal state or success criteria.
4.2 Log Sanitization (SHOULD)
Scrub PII or secrets from logs before attachment. The engine should support configurable redaction patterns:
```yaml
redaction_patterns:
  - "password=.*"
  - "api_key=.*"
  - "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}\\b"
```
4.3 Immutability (MUST)
Once generated, the evidence package must be hashed; the hash is sent to the SoR for permanent archival. The package must not be modified after generation.
5. Storage Requirements
5.1 Retention Period
Evidence packages must be retained for the duration required by applicable regulations:
| Regulation | Minimum Retention |
|---|---|
| 21 CFR Part 11 | Duration of product lifecycle + 2 years |
| EU Annex 11 | Duration of product lifecycle |
| ISO 13485 | Lifetime of device + 2 years minimum |
5.2 Integrity Verification
The SoR must be capable of verifying the stored hash matches the original submission at any point during the retention period.
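The sketch below ties sections 4.2, 4.3 and 5.2 together: logs are redacted first, the package is then hashed once, and the archived hash is later used to detect any change. It is an added example, not code from the ROSIE project. The canonical encoding (sorted keys, compact separators, UTF-8), the exclusion of the `signature` object from the hashed bytes, the `[REDACTED]` marker, the function names and the sample package are all assumptions.

```python
import copy
import hashlib
import json
import re

# Section 4.2 patterns; the e-mail TLD class is [A-Za-z] (no literal "|").
REDACTION_PATTERNS = [
    r"password=.*",
    r"api_key=.*",
    r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
]

# Constructed sample package, trimmed to the fields this example touches.
SAMPLE = {
    "execution_id": "00000000-0000-4000-8000-000000000000",
    "commit_sha": "0000000",
    "results": [{"gxp_id": "AL-OQ-AUTH-01", "status": "PASS", "duration_ms": 120,
                 "logs": ["login as qa@example.com", "POST /auth password=hunter2"]}],
}


def redact_logs(package, patterns=REDACTION_PATTERNS, marker="[REDACTED]"):
    """Return a copy with every log line scrubbed (4.2); the input is untouched."""
    compiled = [re.compile(p) for p in patterns]
    clean = copy.deepcopy(package)
    for result in clean.get("results", []):
        if "logs" in result:
            for rx in compiled:
                result["logs"] = [rx.sub(marker, line) for line in result["logs"]]
    return clean


def package_hash(package):
    """SHA-256 over a canonical encoding of everything except 'signature'.

    Assumption: sorted keys, compact separators, UTF-8. Producer and SoR
    must use the same encoding or verification fails on untouched data.
    """
    body = {k: v for k, v in package.items() if k != "signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify(package, archived_hash):
    """Section 5.2: does the stored package still match the archived hash?"""
    return package_hash(package) == archived_hash
```

Redaction has to run before `package_hash`, because scrubbing a log line afterwards changes the hashed bytes and makes the 5.2 check fail.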
Related RFCs
- RFC-001: Data Standard — Tag definitions referenced in results
- RFC-002: Engine Spec — Engine logic that triggers evidence capture
- RFC-004: API Interface — Evidence upload endpoint