Critical Incident Reporting Solution


Critical Incident Reporting Solution - Rackcdn.com000417b6df56f4ae5bbf-f6bd2cfeac0f4625637eac684e9e6a05.r25.cf1.rackcdn.com/...

2 downloads 199 Views 751KB Size

Department of Buildings and General Services

Agency of Administration

BGS Financial Operations Office of Purchasing & Contracting 10 Baldwin St Montpelier VT 05633-7501 http://bgs.vermont.gov/purchasing

[phone] [fax]

802-828-2211 802-828-2222

SEALED BID REQUEST FOR INFORMATION (RFI)

Critical Incident Reporting Solution ISSUE DATE: QUESTIONS DUE BY:

April 29, 2013 May 8, 2013

DUE DATE and TIME:

May 17, 2013 at 3:00 p.m.

LOCATION OF BID OPENING: 10 Baldwin St, Montpelier PLEASE BE ADVISED THAT ALL NOTIFICATIONS, RELEASES, AND AMENDMENTS ASSOCIATED WITH THIS RFI WILL BE POSTED AT: http://bgs.vermont.gov/purchasing/bids THE STATE WILL MAKE NO ATTEMPT TO CONTACT VENDORS WITH UPDATED INFORMATION. RESPONSES TO QUESTIONS WILL BE POSTED WITH THE BID MATERIAL AND WILL BE AVAILABLE ON MAY 12, 2013. IT IS THE RESPONSIBILITY OF EACH VENDOR TO PERIODICALLY CHECK http://bgs.vermont.gov/purchasing/bids FOR ANY AND ALL NOTIFICATIONS, RELEASES AND AMENDMENTS ASSOCIATED WITH THE RFI. PURCHASING AGENT: TELEPHONE: E-MAIL: FAX:

John McIntyre (802) 828-2210 [email protected] (802) 828-2222

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

Table of Contents 1.0 Introduction ....................................................................................................... 4 1.1 Purpose of the Request for Information (RFI) .......................................... 4 1.2 Vermont Agency of Human Services ....................................................... 5 2.0 High Level Requirements .................................................................................. 6 2.1 Current Systems Background .................................................................. 6 2.2 Vision for the Future .................................................................................. 6 2.3 Technical Requirements ........................................................................... 6 2.4 Application Functions ............................................................................... 7 2.5 Report Specifications ................................................................................ 8 2.6 Training ...................................................................................................... 8 2.7 Testing ........................................................................................................ 8 2.8 Deployment ................................................................................................ 8 3.0

RFI Process and Response Format ................................................................... 9

4.0 Vendor Questions ............................................................................................ 11 4.1 Vendor Profile .......................................................................................... 11 4.2 General Questions ................................................................................... 11 4.3 Implementation Approach and Plan ....................................................... 11 4.4 Pricing / High Level Time and Cost Estimates....................................... 11 4.5 Functional Components and Requirements .......................................... 12 4.6 Maintainability and System Upgrades .................................................... 12 4.7 Additional Functional Features............................................................... 12 4.8 Technology Questions ............................................................................ 12 4.9 Additional Input ....................................................................................... 13 Attachment A: Critical Incident Reporting Requirements Response Form

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 2

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

Request for Information Summary Sheet The Vermont Agency of Human Services is soliciting information to evaluate and price the current set of Critical Incident Reporting solutions on the market as well as different implementation approaches to achieving an integrated reporting system. The preferred architecture for this solution would be a three-tiered web based solution using SQL Server 2008 R2 as the data repository. The solution may involve one fully integrated reporting system, or a combination of modules that can integrate seamlessly. This RFI contains preliminary information to be used for discussion purposes with the vendor community.

Name

Critical Incident Reporting Solution

Issue Date

April 29, 2013

Closing Date and Time

3:00 pm EST, May 17, 2013

Issuing Office

Agency of Human Services/BGS

Procurement Officer

John McIntyre

E-mail Questions

[email protected]

Deadline to Submit Questions

3:00 pm EST, May 8, 2013

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 3

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

1.0 Introduction The Vermont Agency of Human Services (the Agency, hereafter) has numerous Departments which oversee care provided to the public, and with this comes the monitoring, documenting, reporting and evaluating of serious occurrences. Currently each Department has its own method of incident reporting in various forms. As new demands are placed on the Agency, it is becoming more and more difficult to effectively analyze reports from both a human services and IT perspective. The Agency seeks a solution which will allow all Departments to record incidents in the same manner, while still adhering to the non-function requirements regarding data sharing. The application would allow external partners to submit a standard XML file format to be imported into the application and still allow for direct data entry as well. The solution should provide a warehouse/ reporting database that will allow Departments to query and analyze aggregate data for the Agency, regions or specific programs. The system should be designed in such a way that allows for growth that encompasses various Department requirements and various incident types. This RFI is for information and planning purposes only to serve as a platform to elicit information from the vendor community. The requirements in this RFI are in no way final nor represent what may be contained in a Request for Proposal (RFP). This issuance does not constitute a commitment to issue a bid, award a contract, or pay any costs incurred in preparation of a response to this request. Any future contract that may be awarded based on information received or derived from this RFI will be the outcome of the competitive process.

1.1 Purpose of the Request for Information (RFI) The Vermont Agency of Human Services (the Agency, hereafter) is in the process of evaluating products to achieve their strategic goal of enhancement of program effectiveness and accountability through an effective, integrated Critical Incident Reporting system which will allow the Agency to better promote the health, well-being and safety of Vermont individuals, families and communities. The key goals for Vermont in issuing this RFI are to determine: o o o o o o

The high level features and functions available in today’s commercial off the shelf (COTS) based integrated Critical Incident Reporting solutions; A realistic cost estimate for achieving an integrated reporting system; The Agency’s level of effort and duration for implementation; The long term commitment and level of investment in the product by the COTS vendors. An industry tested solution which offers internal business flows and processes which can be configured to make the Agency more effective; Requirements for ongoing staffing levels and skill sets for the Agency as well as the vendor to support the product.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 4

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

1.2 Vermont Agency of Human Services The Agency includes six departments in addition to the Office of the Secretary: Department of Vermont Health Access; Vermont Department of Health; Department of Mental Health; Department for Children and Family Services; Department of Disabilities, Aging and Independent Living; and Department of Corrections. Through its six member Departments and a network of community partners and providers, it is responsible for the implementation and delivery of all human service programs within the Agency. Each Department has a distinct area of focus and responsibility and contributes to the creation and sustenance of an entire system of human service supports. As a single entity, the Agency builds a continuum of care that protects and supports vulnerable Vermonters, addresses individual, family and regional crises as they arise, develops and promotes whole population approaches to physical and behavioral health, works to build economic self-sufficiency and keeps Vermont communities safe. Each Department operates independently and utilizes its own mechanisms for gathering, analyzing and reporting critical incidents to a variety of entities both within and outside of State government.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 5

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

2.0 High Level Requirements 2.1 Current Systems Background Currently each Department has its own method of incident reporting in various forms. Some are paper based, so any analysis requires staff to go through each paper report and track the information they wish to evaluate. Another Department has entered their reports into Microsoft Excel; this allows them to analyze data faster and easier. Neither way allows the Agency as a whole to analyze incident reporting data across all Departments.

2.2 Vision for the Future The Agency’s vision is to have an Integrated Critical Reporting System that: o o o o o o

Merges all major reporting types into a single solution or an integrated set of modules as soon as possible Allows all Departments to record incidents in the same manner, while still adhering to the non-function requirements regarding data sharing ; Provides a robust web interface for users to record incidents, submit reports, and analyze data. Allows external partners to submit a standard XML file format to be imported into the application and still allow for direct data entry as well. Provides a warehouse/ reporting database that will allow Departments to query and analyze aggregate data for the state, regions or specific programs. Uses a well-tested product that has a long term future and can be easily expanded and allows for growth that encompasses various Department requirements and various incident types;

2.3 Technical Requirements The preferred architecture for this solution will be a three tiered web based solution using SQL Server 2008 R2 as the data repository. The database development will adhere to the Agency SQL Server Environment Policies and Standards. The application severely limits hard coded values to those that are security related or approved by the entire project team (Agency IT, Program Staff and Vendor). The application will have a “configuration file” that allows for the setting of various parameters such as database server and database name, file path locations and other values that would otherwise be hard coded in the application. There will need to be separate analytical data warehouse and transactional database created for this project. There will need to be an extract, transform, and load (ETL) routine designed and developed to port the data from the transactional database to the data warehouse. Design documents will be submitted for the application, transactional database and the data warehouse and will need to be approved before development of the solution begins. There will be Critical Incident Reporting Database Architecture Document (DAD) created that details the proposed SQL database schema that allows for replication and query performance.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 6

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

There will be a Critical Incident Reporting Data Warehouse Architecture Document (DAD) created that details the proposed SQL database schema that allow for the normalization of deidentified data to be used for analytical purposes. The DADs will be submitted to the Agency Director of Data Services for approval. There will be a Critical Incident Reporting Software Architecture Document (SAD) created that details all objects necessary to fulfill the application functional requirements. Be sure to include where specific business requirements are met, how objects interact and a process narrative for major functionality. The SAD will be submitted to the Agency IT Manager for approval. There will be a Database Deployment Plan (DDP) created for designated databases to be migrated to between test and production environments. Submit DDP to Agency Director of Data Services for approval. There will be Software Deployment Plan (SDP) created for designated application to be migrated to between the test and production environments. Submit SDP to Agency IT Manager for approval.

2.4 Application Functions The solution must allow for distinct access to data by Departments for which the incident was reported. The solution must also include a user friendly way to allow program staff to set permissions for new users. The application should involve network groups for database transactions. The application will ensure users from respective department see only the incidents reported for each relative program(s). The application will allow the Departments to share the basic person data fields name and date of birth. These features will be applied to all department programs added after the initial release. The application will allow for the importing of incident data by Designed Agencies (DA) and Specialized Services Agencies (SSA). The application will use a standard XML format for each report. Each file will contain a single incident. The Agency will use its implementation of GlobalSCAPE to allow its external partners to submit files securely. Since over time servers and directories change names, the application must have a configuration file that allows Agency IT staff to set parameters such as database server, location of import file and threshold for scoring matches. The application will verify the XML format before attempting to load the file. If the schema is not correct the system will notify the submitting DA/SSA by email that the file was not in the correct format and therefore was not loaded. The application will perform checks on the data to ensure that field values are correct and within agreed upon ranges (see the data dictionary attachment 4). If the data within the file is not within the agreed upon range the file will not be loaded. The system will notify the DA/SSA about the fields that were not acceptable by email. Emails sent to DA/SSA should contain the date and time of the import attempt as well as the incident tracking number assigned. The application will copy the email to the appropriate Department group based on the Program and Incident Type fields within the file, when an incident is loaded into the system. The application will automatically assign an incident tracking number to each incident. This number should be used in any email communication about the incident and become part of the incident record within the database.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 7

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

The application will not allow users to data enter a new incident without performing a search for the person first. The search fields will include the persons first and last names and the date of birth. The application will also allow the user to search for a record by agency and client number combinations. The application will allow for wild care searches on the names fields but will ensure that the last name always has at least a partial value for searching. The application will return results by phonetic matching and nickname recognition. The application should also allow the Agency to determine the threshold for scoring matches. When loading a file the application will first attempt to match the person by agency and client number combination, than by name and date of birth fields. If more than one match is found the file will be rejected and reported back through the email process described above. The application will have a method for allowing users to maintain values for drop downs/ lookup fields. The application will ensure that users cannot “reuse” codes, but codes can be expired from use. The application should display expired values when a record is called up but the user should not be able to select expired values. This function will allow users to incorporate new programs from departments not identified in this statement of work in the future. The application will also allow for a one time data load from the DMH spreadsheet of historical data.

2.5 Report Specifications The solution should provide reports that can be accessed from within the application. Besides the DMH report for Deaths by program, the application should provide reports on the number of incidents by agency, type of incident, by program and dates. The solution will provide a data warehouse/ reporting database that allows qualified users to create ad hoc reports for trend and statistical analysis. This database will not include fields that identify individuals.

2.6 Training The Agency seeks a solution provider who conducts hands-on training for Department staff on a solution, as well as a user manual that allows the Agency to train additional staff in the future as needed.

2.7 Testing The Agency will require that a solution be deployed in a test environment within the State of Vermont network. Agency staff would engage in testing the system to ensure all requirements have been successfully implemented.

2.8 Deployment The Agency will seek a deployment package which contains the deployment document, installation files and supporting configuration file. The deployment document would have instructions that Agency IT staff could follow to install and configure the application in both a test and production environment. The deployment document will also include any environmental constraints/requirements of the system.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 8

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

3.0 RFI Process and Response Format The solutions provided by vendors are for informational purposes only, for the purpose of determining potential solutions and recommendations to be possibly included in a future RFP. This Request for Information does not indicate that the Agency is engaged in a pre-selection process for an Implementation Vendor or COTS software package. All questions and responses shall be submitted in writing to: Name: John McIntyre E-mail: [email protected] All communications concerning this Request for Information (RFI) are to be addressed in writing to the attention of: John McIntyre, Purchasing Agent, State of Vermont, Office of Purchasing & Contracting, 10 Baldwin St - Montpelier, Montpelier, VT 05633-7501. John McIntyre, Purchasing Agent, is the sole contact for this proposal. Actual contact with any other party or attempts by bidders to contact any other party could result in the rejection of their proposal. Any contractor requiring clarification of any section of this RFI or wishing to comment or take exception to any requirements or other portion of this RFI must submit specific questions in writing no later than May 8, 2013 at 3:00 PM. Questions may be e-mailed to [email protected]. VENDOR RESPONSE CONTENT AND FORMAT: The content and format requirements listed below are the minimum required for our evaluation. They are not intended to limit the content of the proposals; vendors may include additional information or offer alternative solutions which may be considered. NUMBER OF COPIES: Submit three original bids and 1 copy on CD. 3. SUBMISSION INSTRUCTIONS: 3.1. CLOSING DATE: The closing date for the receipt of proposals is May 17, 2013 at 3:00 p.m. 3.2. The bid opening will be held at 10 Baldwin St, Montpelier, VT and is open to the public. 3.3. SEALED BID INSTRUCTIONS: All bids must be sealed and must be addressed to the State of Vermont, Office of Purchasing & Contracting, 10 Baldwin St - Montpelier, VT 05633-7501. BID ENVELOPES MUST BE CLEARLY MARKED ‘SEALED BID’ AND SHOW THE REQUISITION NUMBER AND/OR PROPOSAL TITLE, OPENING DATE AND NAME OF BIDDER. 3.3.1.All bidders are hereby notified that sealed bids must be received and time stamped by the Office of Purchasing & Contracting located at 10 Baldwin St - Montpelier, VT 05633-7501by the time of the bid opening. Bids not in possession of the Office of Purchasing & Contracting at the time of the bid opening will be returned to the vendor, and will not be considered. 3.3.2.Office of Purchasing & Contracting may, for cause, change the date and/or time of bid openings or issue an addendum. If a change is made, the State will make a reasonable effort to inform all bidders by posting at: http://bgs.vermont.gov/purchasing/bids. 3.3.3.All bids will be publically opened. Typically, the Office of Purchasing & Contracting will open the bid, read the name and address of the bidder, and read the bid amount. However, the Office of Purchasing & Contracting reserves the right to limit the information disclosed at the bid opening to the name and address of the bidder when, in its sole discretion, the Office of Purchasing & Contracting determines that the nature, type, or size of the bid is such that the Office of Purchasing & Contracting cannot immediately (at the opening) determine that the bids are in compliance with the RFI. As such, there will be cases in which the bid amount will not be read at the bid opening. Bid openings are open to

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 9

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

members of the public. Bid results are a public record however, the bid results are exempt from disclosure to the public until the award has been made and the contract is executed. 3.4. DELIVERY METHODS: 3.4.1.U.S. MAIL: Bidders are cautioned that it is their responsibility to originate the mailing of bids in sufficient time to ensure bids are received and time stamped by the Office of Purchasing & Contracting prior to the time of the bid opening. 3.4.2.EXPRESS DELIVERY: If bids are being sent via an express delivery service, be certain that the RFI designation is clearly shown on the outside of the delivery envelope or box. Express delivery packages will not be considered received by the State until the express delivery package has been received and time stamped by the Office of Purchasing & Contracting. 3.4.3.HAND DELIVERY: Hand carried bids shall be delivered to a representative of the Division prior to the bid opening. 3.4.4.ELECTRONIC: Electronic bids will not be accepted. 3.4.5.FAX BIDS: FAXED responses will not be acceptable.

Responses are to be submitted in MS Word 2007 and/or Adobe PDF format. The subject line in the transmission shall state: “Critical Incident Reporting Solution RFI Response”. In Section 4.0, answer all appropriate questions, as well as all items in Attachment A: Critical Incident Reporting Solution Requirements Response Form. The following sections shall be included with vendor’s responses: 1. Transmittal Letter named “Critical Incident Reporting Solution Transmittal Letter Vendor Name” 2. Vendor Response named “Critical Incident Reporting Solution Response Vendor Name” including vendor profile and responses to questions in Section 4.0 3. Vendor Response (addressing Attachment A) named: “Critical Incident Reporting Solution Requirements Response Form Vendor Name”. 4. Product Brochures named “Critical Incident Reporting Solution Brochures Vendor Name” including additional descriptive materials such as brochures and white papers. Responses that do not include all of the above items will not be considered. Any confidential materials should be marked “Confidential” and provided separately.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 10

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

4.0 Vendor Questions 4.1 Vendor Profile 1. Please provide necessary contact information including: o Company Name o Contact Person o Address, Telephone, E-mail Address 2. Please provide a brief company background. 3. Provide a list and brief description of up to three projects of similar size and scope for reporting systems successfully implemented for other States/agencies. Similarities with Vermont shall be highlighted. Provide reference and contact information for each of the similar projects.

4.2 General Questions 1. Describe the history of the product and plans for future enhancements. When and how often are you expecting a new major release for the COTS product? What new features or enhancements are you expecting to include? 2. Describe the solution that you propose including the use of COTS, configurable components and customizations, if required. 3.

Describe the types of customization/ configuration that can be performed and the skill level required for each.

Note: Answers to questions that are already provided in your reference materials should indicate the page and section in the reference materials rather than duplicating the answers.

4.3 Implementation Approach and Plan 1. Should the implementation be phased? If so, should the phases be by report type or component or some other way? 2. Is the product a module that can be integrated with other products to create a fully functional reporting system? If so, please describe in detail how a configuration would be designed.

4.4 Pricing / High Level Time and Cost Estimates 1. Describe the pricing model for software licenses or subscription, configuration, customization, implementation, etc. 2. Describe the recommended model for training staff on the solution.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 11

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

3. What is your current time estimate for implementation of an integrated reporting system for the Agency based on your past experience? You may cite similar examples and provide estimates by module. 4. What is your ballpark cost estimate for implementation of the integrated reporting system for the Agency based on your past experience and the reporting types and functionality as described in this RFI? You may cite similar examples and provide estimates by module.

4.5 Functional Components and Requirements Provide a description of the major functional components of your system that satisfies the technical requirements of the Agency as described in 2.3. Please include the level of configuration required for each feature (i.e., DB entry, scripting, custom coding, etc.)

4.6 Maintainability and System Upgrades 1. Describe your approach to maintenance. What is the level of external/internal staffing required to support the product? 2. Will a trained administrator be able to create and revise entry and report forms and templates easily? 3. How often are major releases issued? What is the typical effort to install a major release?

4.7 Additional Functional Features 1. Describe the Notes capability. 2. Describe how if the system can be integrated with email. 3. Does system handle amended reports? How? 4. Describe if the system handles noticing. If able, how are they tracked? Printed? Resent? 5. Describe any additional modules that might be relevant.

4.8 Technology Questions 1. Describe recent technological advances made in the industry which you now incorporate into your solution? 2. Describe the recommended technical architecture of t h e solution, including recommended hardware platform, operating systems, communications, database platform, application servers, web servers, development platforms, etc. 3. Describe any restrictions or limitations for the above recommended architecture components.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 12

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

4. What skills are required to maintain and support the system? 5. Describe your company’s approach to project management methodology? 6. Describe the approach to Service-Oriented Architecture (SOA)? 7. Describe the web components of your system approach, such as web services, XML usage, etc. 8. Describe any additional technology components that are planned on being incorporated in the future and when is implementation planned?

4.9 Additional Input Please provide any additional input to be considered by the Agency and any ideas relevant to a possible RFP for implementing an integrated critical reporting solution for the Agency of Human Services.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 13

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

ATTACHMENT A

CRITICAL INCIDENT REPORTING REQUIREMENTS RESPONSE FORM

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 14

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

CRITICAL INCIDENT REPORTING REQUIREMENTS RESPONSE INSTRUCTIONS The requirements set forth in this Appendix A (Critical Incident Reporting Requirements Response), for this RFI are grouped by functionality and are contained in a Microsoft Excel workbook designed to be a self-scoring matrix. The matrix has been designed to require a single response in the Response Code column for every numbered requirement within each respective section. Only one entry per numbered requirement is permitted. If a provided code requires clarification, please provide an explanation in the Comments section corresponding to the appropriate numbered requirement. IMPORTANT: Responders must not leave any numbered requirement response column blank within each respective section. Failure to provide a response to any numbered requirement will be deemed “Non-Responsive.” Multiple responses to any numbered requirement will also be deemed “Non-Responsive.” For each numbered requirement, place one entry in the Response Code column (Y, F, 3P, M, C, R, or N), the definitions of the columns are as follows: Y = Fully Provided "Out-of-the-Box” The functionality described in the requirement statement is fully available in the current release of the Vendor’s solution without modification or the use of Third Party Software.

F = Planned in a Future Version The functionality described in the requirement statement is not available in the current release of the Vendor’s solution but is under development and planned to be added to a future version to be released commercially. Please specify release version and projected date in the Comments column.

3P = Third Party Software Required The functionality described in the requirement statement is not available in the Vendor’s software without use of Third Party Software. Please list the Third Party Software in the Comments column.

M = Modification (Change Using Built-in Toolset) The functionality described in the requirement statement is not available within the Vendor’s solution “out of the box” but can be achieved with modification using a Built-in Toolset. No Third Party Software is required to provide the stated functionality.

C = Custom Development Required (Change in Code) The functionality described in the requirement statement is not available using the Vendor’s solution “out of the box” but can be achieved through custom programming. Please provide a brief cost estimate for adding this functionality in the Comments column.

R = Provided with Reporting Tool The functionality described in the requirement statement is provided in the Vendor’s solution with the use of a reporting tool.

N = Not Available The functionality described in the requirement statement cannot be met/is not available in the Vendor’s solution and is not planned for future release.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 15

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

ATTACHMENT A

Critical Incident Reporting Solution Requirements Response Form Matrix

Requirements Answer Key The following answer key must be used when responding to the requirements: F=Fully Provided "Out-of-the-Box” F=Planned in a Future Version 3P=Third Party Software Required

C=Custom Development Required (Change in Code) R=Provided with Reporting Tool N=Not Available

M=Modification (Change Using Built-in Toolset) Please interpret each numbered line as a question or requirement.

Service Oriented Architecture (SOA) Requirement Details

Response Comments Code

The Solution shall develop/integrate services using standardized Web Services formats. The Solution shall provide the capabilities for a RealTime (or near real-time) Integrated Enterprise where common data elements about the consumers served and services rendered are easily shared across organizational units with appropriate adherence to security and privacy restrictions. The Solution shall support creation and extension of service interfaces through the use of Web Services Description Language (WSDL) The Solution shall provide a Service Oriented Architecture based infrastructure (i.e. hub and spoke) for connecting to other Solutions using an Enterprise Service Bus infrastructure. The Solution's interfaces shall secure and protect the data and the associated infrastructure from a confidentiality, integrity and availability perspective. The Solution's interfaces must be scalable to accommodate changes in scale including changes in user population, transaction volume, throughput and geographical distribution. The Solution shall be capable of making any changes to the interface data elements/layouts easily, and to test those changes. The Solution shall provide the capability to detect and remediate errors caused by batch processing and real time processing via user defined rules

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 16

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

Scalability and Extensibility Requirement Details

Response Comments Code

The Solution shall be designed for ease of maintenance and readily allow future functional enhancements. This shall be accomplished through use of modern design principles for Service Oriented Architecture, applying principles of modularity, interface abstraction, and loose coupling. The Solution shall be adequately flexible to keep up with ever changing technology and regulatory changes. This shall be accomplished by separating workflow and business rules into their own separate tiers. The Solution shall be scalable and adaptable to meet future growth and expansion needs such that the Solution can be expanded and be able to retain its performance levels when adding additional users, functions, and data. The Solution shall provide the ability for on-line access by any site connected to the organization Wide Area Network (WAN). The Solution shall provide the capability for remote access in compliance with existing State / Federal connectivity/security policies.

Performance Requirement Details

Response Comments Code

The Solution response time during peak agency level operations shall be 3 seconds or less for 95 percent of the search and lookup queries (does not include adhoc queries and analytics). Maximum response time shall not exceed 15 seconds except for agreed to exclusions. Response time is defined as the time elapsed after depressing an ENTER key (or clicking on a button that submits the screen for processing) until a response is received back on the same screen. The Solution shall return a parameter-based report within 20 seconds or less. The Solution will give the highest priority to Search and Look up operations performance, conforming to the minimum acceptable performance standard of 5 seconds response time, for 95% of queries. The Solution shall be architected with no single point of failure, supporting a high-availability enterprise Hours of operations shall be 24 hours per day, 7 days per week, and 365 days a year. The Solution shall provide the ability to recover from data loss due to end user error and end application error.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 17

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

Regulatory / Policies Requirement Details

Response Comments Code

The Solution must provide a mechanism to comply with Solution security requirements and safeguards requirements of at least the following Federal agencies / entities: - United States Department of Agriculture (USDA) - Food & Nutrition Services (FNS) - Internal Revenue Service (IRS) - Social Security Administration (SSA) - Department of Health & Human Services (DAHS) Center for Medicare & Medicaid Services (CMS) - AHS Administration for Children & Families (ACF) - U.S. Department of Education (ED) - NIST 800-53 and DOD 8500.2 The Solution must provide a mechanism to comply with Solution security requirements and safeguards requirements of at least the following legislation: - Health Insurance Portability and Accountability Act (HIPAA)- Family Educational Rights and Privacy Act (FERPA)- Health Information Technology for Economic and Clinical Health (HITECH) Act The Solution shall conform with the sub-parts of Section 508 of the Americans with Disabilities Act (ADA), and any other appropriate State or Federal disability legislation. The Solution shall adhere to all legal, statutory, and regulatory requirements, as determined by Vermont leadership. The Solution shall comply with the Vermont (NITC) EGovernment Architecture standard: "Branding and Policy Consistency." The Solution shall comply with accessibility requirements described in 45 CFR 85 and with State of Vermont accessibility requirements located at http://cio.vermont.gov/policy_procedures. The Solution shall comply with the Vermont (ex. From other state – NITC) Security Architecture standard: "Identity and Access Management Standard for State Government Agencies." The State Information Technology Security Policy and Standards at: http://vermontarchives.org/records/standards/pdf/InformationSecurity BestPractice_Eff.20090501.pdf The State File Formats Policy and Guidelines at http://vermontarchives.org/records/standards/pdf/FileFormatsBestPra ctice_Eff.20071201.pdf and http://vermontarchives.org/records/standards/pdf/FileFormatsGuidelin e2008.pdf The State Metadata Guideline at http://vermontarchives.org/records/standards/pdf/MetadataGuideline2 008.pdf

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 18

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The State Protection Of Personal Information Statute (Title 9 of the Vermont Statutes) Agency Of Human Services Business Associate Agreement

Audit / Compliance Requirement Details

Response Comments Code

The Solution shall maintain a record (e.g. audit trail) of all additions, changes and deletions made to data in the system. This should be readily searchable by user ID. This must include but is not limited to: - The user ID of the person who made the change - The date and time of the change - The information that was changed - The outcome of the event - The data before and after it was changed, and which screens were accessed and used The Solution shall provide authorized administrators with the capability to read all audit information from the audit. The Solution shall prohibit all users read access to the audit records, except those users that have been granted explicit read access. The Solution shall protect the stored audit records from unauthorized deletion. The Solution shall prevent modifications to the audit records. The proposed Solution must provide logging, reporting and accessing errors and exceptions. Usability Requirement Details

Response Comments Code

The Solution will adhere to the accessibility standard as outlined in the web guidelines and based on the W3C level 2 accessibility guidelines: (http://www.w3.org/TR/WCAG10/full-checklist.html). The Solution shall adhere to all Federal and Vermont accessibility requirements, or their successors: (Section 508 of the Rehabilitation Act and detailed in section 1194.22 of the Code of Federal Regulations, “Web-based intranet and internet information and applications) The Solution shall provide a user interface that shall be simple and consistent throughout all areas and functions of the Solution. The Solution shall minimize the number of mouse clicks / user interaction to complete any action. The Solution shall preserve context by limiting abrupt transitions and redisplays in order to maximize and enhance the user experience and Solution usability.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 19

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall speak the users' language, with words, phrases and concepts familiar to the user, rather than Solution-oriented terms. The Solution shall follow real-world Vermont conventions, making information appear in a natural and logical order. The Solution shall allow the users to easily navigate to a variety of functions available to them without having to move sequentially through excessive menus and screens. The Solution shall support undo and redo, or provide onscreen confirmation/acceptance to the user to confirm a change that is permanent and cannot be "undone". The Solution shall follow standardized conventions and limit the use of words, situations, or actions that have multiple meanings. The Solution shall eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action. The Solution shall minimize the user's memory load by making objects, actions, and options visible. The Solution shall provide all user instructions in a visible or easily retrievable location, when appropriate. The Solution's error messages shall be expressed in plain language, precisely indicate the problem, and constructively suggest a solution. The Solution shall use colors to enhance user experience and Solution usability while complying with all disability requirements notated elsewhere in these requirements. The Solution shall provide drop down and list boxes for all key entry, and text entry will display existing values for selection (auto fill). The Solution shall facilitate data entry and shall contain pop-up list boxes for all code fields in all processing windows and allow selection of the entry with use of hot keys. The Solution shall provide field level on-screen edits with limited user override capabilities. The Solution shall not show fields, not accessible to a given user based on access rights, nor shall the Solution show fields not in use. The Solution cursor shall automatically advance to the next logical input field when the maximum allowed numbers of characters have been entered for the keyed field. The Solution shall provide the option of having a selection from the drop down boxes automatically take the user to the next field. The Solution shall provide validation checks by methods described within policy, functional, and detailed requirements. The Solution shall identify invalid entries to the user as immediately as possible.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 20

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall be designed to include only the necessary information and functionality on screens and shall be based on the user's access level and the user's configuration. The Solution shall be designed to include logical transitions between screens and level of detail during navigation. The Solution shall provide screens for data entry with identified mandatory data fields. The Solution shall highlight and flag required and incomplete data fields. The Solution's web interface shall be aligned with Web 2.0 design principles and best practices. The Solution shall not require users to reenter data due to validation errors if the systems can auto-correct based on the entered data or the user can navigate to the entry error to correct the entry. The Solution shall have the capability to push messages to the intended workers without requiring them to specifically inquire for the data. Enterprise Service Bus (ESB) Requirement Details

Response Comments Code

The Solution shall provide reliable, once-only delivery of messages (guarantee of reliable and non-repetitive delivery). The Solution shall support the industry-standards messaging and interfaces relevant to health and human services organizations including, but not limited to: - Health Level Seven (HL7) Versions 2.x, 3.x, and CCD - Integrating the Healthcare Enterprise (IHE) XD* Profiles

Master Data Management Requirement Details

Response Comments Code

General Requirements The Solution shall track and maintain detailed records on all changes via interfaces and authoring to support audit requirements. Data Model Requirements The Solution's data model must be capable of handling at least the following categories of elements for clients: - Identification - Demographics - Incident Details The Solution shall include data modeling capabilities that will be configurable, customizable, extensible, and upgradable. The Solution's data model must be able to support Vermont standards for data content and coding where they exist.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 21

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution's data model must be expressed using commonly accepted logical data model conventions with associated metadata. Loading, Integration and Synchronization Requirements The Solution shall provide dynamically configurable rules for comparing and reconciling semantics across data sources, matching (both probabilistic and tunable) across changing demographic data structures, linking data, and managing the merging and unmerging of client records with full auditability and survivability. Where data is matched by a proxy rather than the actual identifier (e.g. client ID) the Solution shall load data no less quickly, efficiently or accurately. The Solution shall support integration with different latency characteristics and styles (e.g. real-time, batch). Security Requirements The Solution shall configure and manage differing visibility rules, providing different views for different roles. Technology and architecture considerations The Solution shall be based on up-to-date, mainstream technologies, and capable of flexible and effective integration with a wide range of other application and infrastructure platform components (whether from the same vendor or not) that will be deployed by Vermont. The Solution shall protect and complement the data layer with a layer of business services for accessing and manipulating the client data that is built for an SOA environment, by exposing web services interfaces. Security Requirement Details

Response Comments Code

The Solution shall comply with U.S. Department of Health & Human Services and U.S. Department of Education privacy and data security requirements, including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act (ARRA) of 2009. The Solution shall comply with all applicable State security policies. The Solution shall implement security controls in accordance with all Federal and State security policy and regulations. The Solution shall allow for controlled access to participant records. Users will be able to view participant data at the State-defined levels of access based on user security privileges.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 22

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall provide for security concepts covering the following components: Virtual Private Network (VPN), firewall technology and Demilitarized Zone (DMZ), virus-/intrusion detection, mail/content filtering avoiding fault positives, encryption, Public Key Infrastructure (PKI). The Solution shall maintain a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of information. Information security shall be built into the Solution from its inception rather than “bolted on” after Solution has been implemented. The Solution shall support security at the object level (e.g. Table, View, Index). The Solution shall support security at the row and column level. The Solution shall support auditing at the object level (i.e. Table, Column). The Solution shall support a form of user authentication. The Solution upon detection of inactivity of an interactive session shall prevent further viewing and access to the Solution by that session by terminating the session, or by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The inactivity timeout shall be configurable. The Solution shall enforce a limit of (configurable) consecutive invalid access attempts by a user. The Solution shall protect against further, possibly malicious, user authentication attempts using an appropriate mechanism (e.g. locks the account/node until released by an administrator, locks the account/node for a configurable time period, or delays the next login prompt according to a configurable delay algorithm). The Solution shall provide the capability to prevent database administrators from seeing the data in databases they maintain. The Solution shall support grouping users by functional departments or other organization to simplify security maintenance. The Solution shall restrict access to summarized information according to organizational policy, scope of practice, and jurisdictional law. The Solution must be able to associate permissions with a user using one or more of the following access controls: 1) user-based (access rights assigned to each user)2) Role-Based Access Controls (RBAC; users are grouped by role and access rights assigned to these groups)3) context-based (role-based with additional access rights assigned or restricted based on the context of the transaction such as time-of-day, workstation-location, emergency-mode, etc.)

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 23

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall provide the ability to prevent specified user(s) or groups from accessing confidential information such as a patient's records. The Solution shall provide the ability to limit access to certain confidential information such as a patient's record to providers directly involved in service of the patient, or providers involved in review of the service. The Solution shall enforce the most restrictive set of rights/privileges or accesses needed by users/groups or processes acting on behalf of users, for the performance of specified tasks. The Solution shall support removal of a user’s privileges without deleting the user from the Solution to ensure history of user's identity and actions. The Solution shall be able to support RBAC in compliance with the HL7 Permissions Catalog. The Solution shall be capable of operating within an RBAC infrastructure conforming to ANSI INCITS 3592004, American National Standard for Information Technology – Role Based Access Control. The Solution shall provide more-advanced session management abilities such as prevention of duplicate logins, remote logout and location-specific session timeouts. The Solution shall provide the ability for concurrent users to simultaneously view the same record, documentation and/or template. The Solution shall provide protection to maintain the integrity of data during concurrent access. The software used to install and update the system, independent of the mode or method of conveyance, shall be certified free of malevolent software (“malware”). Vendor may self-certify compliance with this standard through procedures that make use of commercial malware scanning software. The Solution shall be configurable to prevent corruption or loss of data already accepted into the Solution in the event of a Solution failure (e.g. integrating with a UPS, etc.). The Solution shall support protection of confidentiality of all Protected Health Information (PHI) delivered over the Internet or other known open networks via encryption using triple-DES (3DES) or the Advanced Encryption Standard (AES) and an open protocol such as Transport Layer Security (TLS), Secure Sockets Layer (SSL), Internet Protocol Security (IPsec), XML encryptions, or Secure/Multipurpose Internet Mail Extensions(S/MIME) or their successors. The system, prior to access to any PHI, shall display a configurable warning or login banner (e.g. "The Solution should only be accessed by authorized users"). In the event that a Solution does not support pre-login capabilities, the Solution shall display the banner immediately following authorization.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 24

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall provide the ability to perform Solution administration functions such as reference table maintenance and adding / removing users from the system. The Solution shall allow users access based on their roles irrespective of their geographical location. The Solution shall provide the capability to conform to the relevant principles of NIST Special Publication 80053. The Solution shall provide the capability to create temporary and emergency accounts and terminate those accounts automatically after a user defined period of time. The Solution shall provide the capability to override a role and restrict access to information by users or groups of users. The Solution shall provide the capability to identify and report on inappropriate access to information in the system, based on user defined criteria.

Consent Management Requirement Details

Response Comments Code

The Solution shall be interoperable / vendor agnostic. The Solution shall provide an alert mechanism for privacy breaches. The Solution shall be SOA-based The Solution shall audit all access to protected information in real time The Solution shall be highly flexible to meet changing requirements

Business Intelligence / Reporting Requirement Details

Response Comments Code

The Solution shall provide the ability to impose graduated access to reports based on user role and agency requirements/permissions to better analyze program data. The Solution's business intelligence and reporting capabilities must be scalable to accommodate changes in Solution scale including changes in user population, transaction volume, throughput and geographical distribution while maintaining the agreed service levels. The Solution shall have a mechanism to share specific data (e.g. limited data sets, detailed data at the level of the individual but with the data anonymous and completely de-identified, etc.) in a controllable fashion with other State and local agencies.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 25

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall be extensible and have a scalable data architecture incorporating State and external data. The Solution shall provide the ability for user to create and customize reports, queries, and dashboards. Data Quality Requirement Details

Response Comments Code

The Solution shall support data verification and consistency checks. The Solution shall support the selection of business process path The Solution shall support seamless and easy user interaction The Solution shall provide context sensitive help and extensive documentation The Solution will include the capability to save and retrieve partial user sessions. Portal Requirement Details

Response Comments Code

The Solution shall provide a portal UI framework that separates content from logic and is robust, scalable and interoperable with W3C Web-based standards. The Solution shall provide session management capabilities to support user sessions and coordinated back-end application functionality. The Solution shall support access from multiple channels and devices. The Solution shall provide XHTML e-form capabilities. The Solution shall provide the capability to consume externally available mapping Web services. The Solution must allow for user analytics to be captured and reported Database Management Server Requirement Details

Response Comments Code

The System shall lock database records based on various parameters (e.g., at row level, field level, or at the application level). The System shall accommodate separate instances of databases. The System shall support online modifications to database structures with minimal user downtime. The System shall provide standard data extraction APIs to allow import and export of data. The System shall provide documented best practices including, but not limited to optimum database configuration, client maintenance and change control.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 26

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The System supports advanced configurations for data caching (e.g., support of client/application caching, support of server caching, etc) The System shall have the ability to optimize performance in transaction processing versus report processing The System shall use history tracking within the database and logging options (e.g., transaction auditing) The System shall be fully ACID (Atomicity, Consistency, Isolation, Durability)- compliant so as to ensure it handles transaction rollbacks, validity and referential integrity checks, etc. The System shall handle record locking (e.g., row, field, other) and record updating/committing. The System shall support indexing technology (multiple types of Indexing shall be available to tune performance of SQL statements). The System must have the ability to support a variety of data model constructs including complex entity relationships and complex many-to-many relationships The System shall manage multiple query queue entries in parallel. The System must have the ability to maintain security based upon appropriate roles The Offeror shall assist the State in developing procedures to ensure that specified data is archived and protected from loss, unauthorized access, or destruction. The System shall include the capability to maintain all data according to state defined records retention guidelines (i.e. record schedule). Application/Transaction Monitoring and Logging Requirement Details

Response Comments Code

The Solution shall log all system transactions and keep them easily retrievable and sortable. The Solution shall detect less than desirable application performance, such as degraded servlet, database or other back end resource response times. The Solution shall have safeguards designed to ensure that configuration variables affecting the application and the back end resources remain at some predetermined configuration settings. The Solution shall detect intrusion attempts by unauthorized system users. The Solution shall provide information on the bottleneck in the system. The Solution shall allow for different roles for Users including Operators, Administrators, Managers etc Identity Management & Single Sign-on Requirement Details

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Response Comments Code

Page 27

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

The Solution shall support single sign-on capability for all users. The Solution shall provide APIs/Connectors to integrate with a variety of 3rd party/custom applications to provide single sign-on. The Solution shall enforce a limit of (configurable) consecutive invalid access attempts by a user. The Solution shall protect against further, possibly malicious, user authentication attempts using an appropriate mechanism (e.g. locks the account/node until released by an administrator, locks the account/node for a configurable time period, or delays the next login prompt according to a configurable delay algorithm). When passwords are used, the Solution shall provide an administrative function that resets passwords. When passwords are used, the Solution shall not display passwords while being entered. The Solution shall provide only limited feedback information to the user during the authentication. The Solution shall support case-insensitive usernames that contain typeable alpha-numeric characters in support of ISO-646/ECMA-6 (aka US ASCII). When passwords are used, the Solution shall allow an authenticated user to change their password, automatically when possible, consistent with password strength rules. When passwords are used, the Solution shall support password strength rules that allow for minimum number of characters, and inclusion of alpha-numeric complexity. When passwords are used, the Solution shall support case-sensitive passwords that contain typeable alphanumeric characters in support of ISO-646/ECMA-6 (aka US ASCII). When passwords are used, the Solution shall use either standards-based encryption, e.g., 3DES, AES, or standards-based hashing, e.g., SHA1 to store or transport passwords. When passwords are used, the Solution shall prevent the reuse of passwords previously used within a specific (configurable) timeframe, or shall prevent the reuse of a specific (configurable) number of the most recently used passwords. The Solution shall provide the capabilities to support two-factor authentication in alignment with NIST 800-63 Level 3 Authentication for appropriate use cases. (e.g. Support the 21 CFR Parts 1300, 1304, et al. Electronic Prescriptions for Controlled Substances; Proposed Rule published on Friday, June 27, 2008, Federal Register / Vol. 73, No. 125.F11.)

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 28

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall re-authenticate the user before any access to Protected Health Information (PHI) or other sensitive or confidential information is allowed, including when not connected to a network (e.g. on unconnected mobile devices). The Solution shall encrypt all storage of all passwords using a one-way hash or other equivalent functionality to minimize damage from a security breach. Integration Architecture/Design Requirement Details

Response Comments Code

The Shared Analytics Infrastructure (SAI) Solution shall provide scalable architecture and support designs that will provide flexibility to add more data fields and change granularity level efficiently as analytic demand matures and expands. The SAI Solution shall support designs that facilitate a single view of business data. The SAI Solution shall support Online Analytical Processing (OLAP) database structure for use in analytics and business intelligence to include ROLAP or MOLAP processing. The SAI Solution shall support hierarchical drill up/down; ad-hoc query; multi-dimensional tables and views. The SAI Solution shall provide the ability to support data mining functions. The SAI Solution shall provide the ability to perform indatabase analytics. The SAI Solution shall offer options to use Database Management Solution (DBMS)-integrated data integration tool and/or third party vendor integration tool. The SAI Solution shall support fast large volume data loading and shall have the ability to capture real-time data. The SAI Solution shall provide the ability to capture and load data via Service Oriented Architecture (SOA)based services and the ability to schedule data integration and load jobs. The SAI Solution shall include the ability to facilitate design and construction of data integration processes. The SAI Solution shall provide the ability to create custom transformations and the ability to group and reuse mapping and transformation operations.

Metadata and Quality Requirement Details

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Response Comments Code

Page 29

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The SAI Solution shall provide comprehensive metadata management from source to target. The SAI Solution shall provide single repository for metadata, such as mappings of business concepts to underlying data structures, business glossary, data lineage, reference data, and objects (e.g. view, table, join) and reports from source to target. The SAI Solution shall provide the ability to import metadata from tools and data sources. The SAI Solution shall provide data quality tools and/or support 3rd party data quality tools for data profiling, cleansing and monitoring. The SAI Solution shall produce metadata and/or data data dictionaries in a format that the State can consume, e.g., Word, Excel, PDF, OF, etc. Availability, Connectivity, Scalability, & Compliance Requirement Details

Response Comments Code

Availability, Connectivity, Scalability, & Compliance The SAI Solution shall support reorganization of databases, indexes and configurations online without the need for the Solution to shut down. The SAI Solution shall allow data loading to support 24/7 environments with small or no window where system is down when loading data. Connectivity The SAI Solution shall provide standards based connectivity including Open Database Connectivity (ODBC), Java Database Connectivity (JDBC), Web Services (WS) and others. Scalability The SAI Solution shall provide scalable architecture. The SAI Solution shall have no limit on the size of data types (including CHAR, NUM, CLOB, BLOB and XML) that are less than that of the manufacturer-known and published limits of the underlying DBMS. The SAI Solution shall have no limits on the size of tables, indexes and other database-level objects that are less than that of the manufacturer-known and published limits of the underlying DBMS. The SAI Solution shall support both horizontal and vertical scaling. Compliance The SAI Solution shall be American National Standards Institute (ANSI) Structured Query Language (SQL) Compliant. (Vendor needs to specify version of SQL compliance – e.g. 2003, 2006, 2008). The SAI Solution shall be Xquery 1.0 standard compliant.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 30

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The SAI Solution shall support industry standards for electronic data exchange.

Deployment & Application Support Requirement Details

Response Comments Code

Deployment The SAI Solution shall run on and be portable across multiple vendors’ hardware and operating systems (e.g. IBM, HP, and Dell hardware, AIX, Linux, and Windows Operating Systems and VMware) The SAI Solution shall make an underlying DBMS available as a data warehouse appliance so it is also available as a standalone query-able DBMS. Application Support The SAI Solution shall support major application development interfaces (e.g. .NET interface, Java 2 Platform, Enterprise Edition [J2EE]). The SAI Solution shall support stored procedures and extensions. The SAI Solution shall not employ triggers or cursors. Environment Installation and Configuration Requirement Details

Response Comments Code

The Offeror shall submit to the State as part of their proposal, specifications for all necessary hardware, software and tools for the five (5) Platform environments listed here. The Offeror can propose to combine certain environments, where appropriate. The five (5) environments include: 1. Production2. QA/Staging3. Development4. Test5. Training6. Disaster RecoveryOfferor shall submit as a component of proposal specifications for all software, hardware, and tools that would be inclusive of a full SDLC, including environment to support the following needs: Prod, QA, Staging, Dev, Test, Training, DR. The Offeror shall develop a technical infrastructure document which describes all of the hardware, system software and tools necessary for each of the Platform environments proposed. The Offeror shall develop an environment configuration manual that describes the environment installation and configuration necessary for each of the Platform environments. The Offeror is responsible for installing and configuring all hardware, software and tools purchased under the contract until Platform Solution acceptance for the proposed Platform environments.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 31

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall provide the State with readable source code and object (executable) code, documentation for all functionality developed by the Offeror outside of COTS configuration, licenses to readable source code and object (executable) code, and documentation for all COTS functionality and escrow of source code for the custom developed or integration related code. All new software functionality built on top of COTS software shall be owned by the State. The Offeror shall provide a data dictionary and data model for the State.

Knowledge Transfer & Training Requirement Details

Response Comments Code

The Offeror shall provide train-the-trainer and end user training documentation (including user manuals, online content, reference cards, etc.). The Offeror shall provide the State a training course outline for review and acceptance at least thirty (30) calendar days prior to the beginning of scheduled training. The Offeror shall submit all training packages to the State for review and acceptance at least twenty-one (21) calendar days prior to the beginning of scheduled training. The Offeror shall provide (customized as required) training manuals for all classroom training they provide. The Offeror shall provide electronic copies of all training materials (end-user, technical, trainee and instructor) in a format that can be easily accessed, updated and printed by State staff using software for which the State owns licenses. This includes but not limited to CDs/DVDs, and online. The Offeror shall schedule all training during regular work hours as approved by the State, unless the Offeror receives advance approval from the State for specific training at other times. The Offeror shall provide all training within the State of Vermont at locations convenient to the attendees of the training, unless the Offeror receives advance approval from the State for specific training at other locations. The Offeror shall schedule staff training in a manner that is least disruptive to the normal business operations. The Offeror shall provide instructions to the State on Offeror tools and procedures used to support the training. The Offeror shall ensure that Offeror staff members are not assigned to train State staff and work on critical path development tasks concurrently. The Offeror shall provide both end-user classroom training/Train-the-trainer sessions and on-line training as agreed with the State for all end-users.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 32

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall develop and perform train-the-trainer training sessions, as appropriate. The Offeror shall identify the number of staff necessary for maintenance and operations of the Solution as well as the skill sets necessary. The Offeror shall develop and provide training for the technical support staff including State staff and contractors. For the duration of the contract, the Offeror shall continue to provide training to the technical staff if system upgrades have been installed and there is a change in Solution components functionality. Offeror shall create a training approach and needs analysis early in each project cycle which will determine the training requirements Solution Design, Development & Customization Requirement Details

Response Comments Code

The State utilizes a structured Software Development Life Cycle (SDLC) that is consistent with industrystandard best practices as well as State requirements for Information Technology projects. The Offeror must use a structured SDLC process, including an iterative software development methodology and incremental deployment of functionality to the production environment. This includes software and database design, Solution configuration management plan and procedures, and user interface standards. The Offeror must submit a narrative describing the design and development approach and methodology with their proposal. The Offeror shall incorporate the design and development approach into a comprehensive Design and Development Plan. The Offeror shall apply consistent development standards for all development works as described in offertory's SDLC such as coding convention, database and field naming convention. The Offeror shall provide the State access to both source/object codes for software components and documentation. The Offeror shall acquire authorization from the State for the use of production Solution resources (legacy data or source files), or data derived from the State's production resources. The Offeror shall describe the overall testing approach and methodology used for the Project.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 33

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall incorporate the testing approach into a comprehensive Test Plan. The Test Plan shall include the procedures for documenting the completion of each test phase, test scripts, test conditions, test cases, and test reports. Detailed test plans shall be created for the following testing areas: Unit Testing - Functional Testing - Integration Testing - Security Testing - Regression Testing - Stress/Load Testing - Performance Testing (high availability or redundancy testing) - User Acceptance Testing - Operations Acceptance Testing The Test Plan must, at a minimum, include the following areas: - Test philosophy (including objectives, required levels or types of testing, and basic strategy (developing, testing and release of major subsystems/components). - Procedures and approach to ensure the testing will satisfy specific objectives and demonstrate that the requirements are met. - Procedures and approach to ensure that each phase of the testing is complete, and how formal reports/debriefings will be conducted for each phase of testing. - Approach to define tested workload types (performance testing) and test data - Overview of testing facilities, environment and specific testing tools to be used. - Overview of processes and procedures that shall be used by the Offeror for releasing testing results and review of test results. - Process and procedures for tracking and reporting for results/variances/defects shall be tracked and reported. - State resources required for testing during the development lifecycle for each testing area. - Method for review of test cases and procedures - Configuration management of the test environment - Describe User Acceptance Testing and User Sign-Off - Plan and deliverables for each testing area described above The Test Plan shall provide a detailed description of each test required to ensure that all of the Solution, interfaces, and components comply with the requirements and specifications. Testing and Development shall have their own environments, separate from Production. Testing or development shall not be performed in the production environment. The Offeror shall repeat the test lifecycle when a failure occurs at any stage of testing (e.g., a failure in Acceptance Testing that necessitates a code change will require the component to go back through Unit Testing, Integration Testing, and so forth).

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 34

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall be responsible for building test plans, executing test plans, and creating reports. The State will evaluate the Offeror test plans, and Offeror test results, and will validate the testing done by augmenting it with State testing. The Offeror shall document the testing tools, test configurations and related documentation. The Offeror shall provide the State with the test scripts, test results and quality reports. The Offeror shall provide staff to the State to answer questions and address any problems that may arise during testing conducted by the State. The Offeror shall refine the technical and test documents, procedures, and scripts throughout development and through full Solution acceptance to reflect the as-built design and current requirements. The Offeror shall allow the State to run validation and testing software against externally facing Internet applications to help identify potential security issues, and must agree to repair any deficiencies found during this testing. The Offeror must develop a comprehensive Defect Resolution Management Plan that describes the approach to be taken in managing all problems discovered during any testing phase and in production. The Offeror shall install and test a single Defect Resolution Tracking Solution that the Offeror and the State shall use collaboratively for the tracking of Solution defects, security, and Solution issues. The Defect Resolution Tracking Solution must, at a minimum, include: 1. Critical - Results in a complete Solution outage and/or is detrimental to the majority of the development and/or testing efforts. There is no workaround. 2. Serious - Solution functionality is degraded with severe adverse impact to the user and there is not an effective workaround. 3. Moderate - Solution functionality is degraded with a moderate adverse impact to the user but there is an effective workaround. 4. Minor - No immediate adverse impact to the user. - The Offeror shall allow the State full access to the Defect Resolution Tracking System. - The Defect Resolution Tracking Solution shall be designed in a manner to allow for the transfer of ownership to the State following contract completion. - The processes and management of the Defect Resolution Tracking Solution shall be addressed as part of the Quality Management Plan. - The Offeror shall address defect as such: Critical and serious defects shall require remediation and retesting before the Solution enters production. Moderate and Minor defects shall be fixed and tested to the State' satisfaction prior to Solution acceptance.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 35

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution All components of the Solution shall accommodate leap year processing and daylight savings time start/end dates.

Deployment Requirement Details

Response Comments Code

The Offeror shall describe the implementation approach and methodology used for the project. The Offeror shall incorporate the implementation approach into a comprehensive Implementation Plan. The State requires incremental deliveries of functionality to the production environment. The State anticipates considerable collaboration with the Offeror in the plan’s construction, with particular attention to high complexity components of the existing the State systems as well as the proposed Solution. The Implementation Plan must include information on technical challenges, deployment schedule phasing. The Implementation Plan shall: Deliver Solutions that include a significant portion of the technical infrastructure early in the schedule, without compromising the quality or inherent security of the Solution. This should also validate the design and architecture. - Expose technically challenging areas of the project as soon as possible. - Deliver customized functionality to the State in incremental pieces that are in logical business application sequence. The Offeror shall validate that each interface is working correctly. The Offeror will repair all interface-related problems caused by Offeror-developed interfaces. The Offeror shall develop a Software Configuration Management Plan. The Offeror must use a widely used "industry standard" software configuration management tool. The Offeror shall describe the requirements management approach and methodology used for the Project.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 36

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution

The Offeror shall incorporate the requirements management approach into a comprehensive Requirements Management Plan. The Requirements Management Plan will be used by the project to assure that requirements are met. The Requirements Management Plan shall, at a minimum, address the following areas: - Establishment of a baseline for existing requirements.- Management of versions of requirements.- Establish and maintain the State’s requirements traceability matrix that will be used for requirements management, and will map where in the software a given requirement is implemented. - A requirements change control process.- A methodology for managing requirements in an iterative development lifecycle.- Procurement, installation, and administration of requirements management tools.- A description of the relationship between the requirements management role and the other roles (i.e. test management, quality assurance management) on the project.- Publishing of standard reports related to requirements management. When functionality is ready to be delivered to the State for User Acceptance Testing (UAT), it shall be delivered in the form of a pre-production release (defined as ready for production in every respect but just not yet in production). Since the State will approve all releases into production, a pre-production release is equivalent to a production release and requires the rigor associated with a production release. Upon successful completion of UAT, the State will schedule a release to be moved to the production environment. Each pre-production release shall include the following: - Release-specific hardware and software Solution components. - Release description including architecture or design updates, new functionality introduced, defects fixed, modifications to interfaces with other systems, other changes to existing code, and any software and hardware configuration changes. - Release contents including a description of the release structure and contents and instructions for assembling and/or configuring the components of the release. - Test Plan and test execution results. - Detailed hardware and software configuration information including any software and hardware dependencies and instructions at a level of detail that will enable State administration staff to rebuild and configure the hardware environment without outside assistance. - Database documentation conforming to industry standards. - Detailed configuration information for any 3rd party hardware and software. The Offeror shall provide updated documentation when Solution upgrades to software or equipment occurs through the life of the contract. Deployment shall be iterative from both a business process and applied technology perspective and will be accepted by the State through application of the acceptance criteria in testing plans.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 37

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall deliver to the State a requirements traceability matrix for all delivered functionality, showing all testing activities tracing to delivered functionality, and all delivered functionality tracing to requirements in the requirements repository. The Offeror shall assist the State with testing and release preparation in the pre-production environment. The Offeror must produce and execute an Implementation Support Plan. The Offeror must provide support staffing information such as the proposed number, ratios, duration, and roles/responsibilities for on-going support (as identified in previously submitted implementation approach and plan). Upon successful completion of the pre-production testing, the Offeror shall, in coordination with the State, create a Production Release Plan that shall consist of an updated Pre-Production Release notification to assist the State in successfully releasing and maintaining the Solution in the Production environment. It must include, but not be limited to, the following components: - Updated Configuration Information required satisfying the Solution production configuration management requirements. - Updated Solution Architecture. - Updated Detailed Design, including detailed system, technical, and user documentation. - Deployment schedule - Blackout plan (complete/incremental) Quality Management Requirement Details

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Response Comments Code

Page 38

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Offeror shall develop a Quality Management Plan to describe the approach they will use to ensure the quality of the Solution and they work they perform. The Plan will include at least the following items: • The State’s management of the requirements. This includes the identification of inconsistencies between the requirements, and the project's plans and work products. • The State’s requirements traceability matrix that will be used for requirements management, and will map where in the software a given requirement is implemented. • The State’s configuration management activities that include: baseline control, and monitoring the software library. Approved changes to baseline software and/or documentation should be made properly and consistently in all products, and no unauthorized changes are to be made. • The practices and procedures that will be followed for reporting, tracking, and resolving problems or issues identified in software development, Solution transition, and Solution maintenance. • The business process changes resulting from environmental hardware or software changes. • The quality of work products developed and delivered by Offeror’s sub-Offerors/partners, if applicable. • A metrics process that describes how measurements will be identified, collected, and analyzed to ensure that quality goals, including management and Solution goals, are being met. It should also describe the types of project metrics used. • The Offeror’s organizational structure, and the roles and responsibilities of Offeror staff as they relate to quality management. • Description of the processes and management of the Defect and Issue Tracking Solution for resolution of items and, if applicable, how corrective action plans will be developed to address more significant issues.

Production Support & Transition Requirement Details

Response Comments Code

The Offeror shall identify the root cause of corrupted data, identify Solution for fix and repair corrupted data that is associated with a problem in the Solution.

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 39

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution Upon completion of any maintenance call, the Offeror shall furnish a maintenance activity report to the State within 24 hours and provide any clarification to the questions as needed, which shall include, at minimum, the following: - Date and time notified. - Date and time of arrival. - If hardware, type and serial number(s) of machine(s). - If software, the module or component name of the affected software code. - Time spent for repair. - List of parts replaced and/or actions taken. - Description of malfunction or defect. - Description of root cause of malfunction or defects - Description of fixes The Offeror shall provide documentation that describes the procedures for Solution administrators to add, update or remove user IDs and passwords.

Solution Administration Requirement Details

Response Comments Code

The Solution shall provide an auto archive/purge of the log files to prevent uncontrolled growth of the log and historical records storage using administrator-set parameters. The Solution shall provide version control capabilities to ensure the integrity of all software releases. The Solution shall provide logging and reporting for accessing errors and exceptions. The Solution shall monitor and provide reports on any unauthorized access. All Solution communications shall be protected by at least 128-bit encryption. The Solution shall be supported by public key/private key encryption Secure Socket Layer (SSL) certificates. The Solution shall provide admin tools and maintenance routines to change access rights quickly. The Solution shall use firewalls and Demilitarized Zones (DMZs) for external access and remote access. The Solution shall allow Solution administrators to create and manage user accounts. The Solution shall allow Solution administrators to assign status and permissions to user accounts. The Solution shall allow Solution administrators to create and manage user roles.

Solution Management Requirement Details

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Response Comments Code

Page 40

State of Vermont Agency of Human Services RFI for Critical Incident Reporting Solution The Solution shall provide Service Level Agreement (SLA) monitoring and reporting capabilities. Service Level definitions will be drafted into a single document provided as an attachment. The Solution shall provide event management and monitoring functionality according to Information Technology Infrastructure Library version 3 (ITIL v3) or equivalent best practices. The Solution shall provide transaction tracking and log consolidation capabilities across all tiers of the application

STATE OF VERMONT AGENCY OF HUMAN SERVICES

Page 41