# Verixa — User Requirements Specification

# Module 9: Site & Facility Management

| Field | Value |
|---|---|
| Document ID | VRX-URS-09 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-09-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Regulatory Classification | Master-data substrate — operates the canonical site catalogue (manufacturing, warehouse, distribution, laboratory, clinical, R&D, packaging, label-printing), the facility hierarchy (campus → site → building → area → room → equipment-area), the cleanroom classification register (ISO 14644 cleanliness class + EU GMP Annex 1 grade A/B/C/D), the site licence and certification linkage, the site lifecycle state machine, the per-site regulatory inspection register, the site contacts roster, and the site-bound regulated-record discovery surface that maps the canonical `site` scope dimension consumed by URS-03 / URS-05 / URS-07 to every regulated record across URS-12..URS-34. |
| Date of Issue | 2026-05-06 |
| Module Owner (Engineering) | Site / Master-Data Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — Site & Facility |
| Module Owner (Compliance) | Quality Assurance, Regulatory Affairs, Engineering / Facility Operations |
| Approving Authority | Founder / Chairman & MD; QA Head; Validation Head; RA Head; Information Security Head; Engineering / Facility Lead |

## Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Author — Platform Architecture | _____________________ | _____________________ | __________ |
| Reviewer — Engineering Lead | _____________________ | _____________________ | __________ |
| Reviewer — QA / Validation Lead | _____________________ | _____________________ | __________ |
| Reviewer — Information Security Lead | _____________________ | _____________________ | __________ |
| Reviewer — Regulatory Affairs Lead | _____________________ | _____________________ | __________ |
| Reviewer — Engineering / Facility Lead | _____________________ | _____________________ | __________ |
| Approving Authority — Founder, Chairman & MD | _____________________ | _____________________ | __________ |

## Version History

| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-06 | First issued user requirements specification for Module 9. |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Site & Facility Management module (Module 9). It is the binding contract between product, engineering, quality validation, regulatory affairs, information security, engineering / facility operations, and the executive authority for the design, implementation, validation, release, and ongoing periodic review of the canonical site catalogue, the facility hierarchy (campus → site → building → area → room → equipment-area), the cleanroom classification register, the site licence and certification linkage, the site lifecycle state machine, the per-site regulatory inspection register, the site contacts and emergency / quality / regulatory roster, the site qualification and validation status, the cross-site relationship model, and the site-bound regulated-record discovery surface that maps the canonical `site` scope dimension to every regulated record across URS-12..URS-34. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, Validation, Regulatory Affairs, Engineering / Facility Operations, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies including the United States Food and Drug Administration, the European Medicines Agency / national competent authorities, the Medicines and Healthcare products Regulatory Agency, Health Canada, the Central Drugs Standard Control Organisation of India, and Pharmaceutical Inspection Co-operation Scheme members. The plain-language primer (§0.4) and worked examples (§3.5) make Module 9 accessible to non-domain engineers, product owners, validation engineers, and facility-operations leads who have not previously specified site-management substrates for regulated GxP platforms.

### 0.3 How to read this document

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file.

### 0.4 Plain-language primer for non-domain readers

A **site** is a physical location where regulated activity happens — a manufacturing plant, a warehouse, a distribution centre, a laboratory, a clinical-trial site, an R&D facility, a packaging line, a label-printing facility. Every regulated record in Verixa is bound to a site (either directly because the activity occurred there, or through a study or workflow whose scope intersects the site). The site is the second-most-fundamental scope dimension after the tenant itself, and Module 9 owns the canonical catalogue.

A site is **not just an address**. It carries a regulatory classification (GMP / GLP / GCP / GDP / multi), a primary-use type (e.g., sterile injectable manufacturing vs blister-packaging), a jurisdiction, an inspection register, a licence portfolio, a contacts roster, a qualification status, and a hierarchy of internal areas — buildings, then areas, then rooms, then equipment areas, following the facility hierarchy in §0.6. For sterile-manufacturing sites, every cleanroom area also carries a **cleanroom classification** under both ISO 14644 (the operational cleanliness class) and EU GMP Annex 1 (the GMP grade A/B/C/D), because regulators read both. The classification drives downstream environmental-monitoring requirements, gowning protocols, batch-release expectations, and inspection cadence.

A site has a **lifecycle**. New sites enter as `planned` while construction or build-out is happening; move to `in_qualification` once construction is complete and IQ/OQ/PQ activities begin; move to `operational` after the qualification package is signed and the site is licensed for production / clinical / laboratory use; can be `suspended` (e.g., during a major repair, a regulatory hold, or a quality investigation); and ultimately `decommissioned` when the site is permanently retired (every regulated record for the site is closed; the licence is surrendered or transferred; the site assets are disposed of according to GxP retirement procedures). Every transition is electronically signed and audited. High-risk site types (sterile injectable manufacturing, controlled-substance sites, clinical sites) require executive authority co-sign at activation per DEC-09-15.

The **site licence and certification register** captures every regulatory authorisation held by the site: FDA establishment registration, FDA drug master file references, EMA marketing authorisation site references, MHRA manufacturing authorisation, India CDSCO drug manufacturing licence (Form 25/28 Schedule M), Health Canada DEL site listing, US DEA registration for controlled substances, ISO 13485 / 9001 certifications where applicable, GMP certificates from competent authorities (EU CEP, MRA-recognised), USP / EP / BP / IP method-validation references, ISO 14644 cleanroom certificates, ISO 17025 laboratory accreditation, ANSI / ASTM E2500 commissioning evidence. Each entry has effective dates, an evidence link to a URS-12 controlled document, and a re-verification cadence.

The **site contacts** roster names the people with named accountability at the site: the site head, the QA contact, the QP / RP for batch release (where applicable), the regulatory affairs contact, the data-protection officer (where applicable), the emergency contact for regulators / customers, the security incident contact. URS-30 routes site-relevant notifications through this roster.

The **per-site regulatory inspection register** captures every regulatory inspection of the site: pre-approval inspections, routine GMP inspections, for-cause inspections, customer audits, internal audits, mock inspections, ISO certification audits, OECD-MAD GLP inspections (for non-clinical), FDA bioresearch monitoring inspections (for clinical). Each inspection has dates, inspector / auditor identity, scope, regulatory authority, observations register, response register, classification of findings (FDA 483 observation, EU Annex 1 finding, OECD-MAD non-compliance, etc.). The inspection register is study-bound (URS-07 audit-study type can wrap a planned mock inspection or response to a regulatory inspection).

The **site-bound regulated-record discovery** surface is the read-only view that surfaces every regulated record (deviation, CAPA, OOS, batch record, URS-13 record, validation finding, etc.) whose URS-03 active scope intersects this site over a configurable window. This makes the site a **first-class navigation entry point** for inspections — an inspector arrives, opens the site detail view, clicks discovery, sees every active and recent regulated record at the site without having to query each domain module separately.

Module 9 is consumed by every other module that has any site-bound activity. URS-03 active-scope intersection consumes the `site` scope dimension defined here. URS-07 study scope can include sites from this catalogue. URS-05 Authority Profile assignments scope-bind to sites. URS-04 workflows can be site-aware (e.g., a different deviation workflow for sterile-manufacturing sites vs warehousing sites). URS-12..URS-34 regulated records are bound to sites at creation. Module 9 is the single source of truth for "where did this happen?"

### 0.5 Site lifecycle diagram

```mermaid
stateDiagram-v2
  [*] --> planned : Tenant administrator creates site
  planned --> in_qualification : IQ/OQ/PQ activities begin (linked URS-07 validation study)
  in_qualification --> operational : Qualification package signed; licences in place
  operational --> suspended : Controlled hold (regulatory, quality, infrastructure)
  suspended --> operational : Hold released; resolution evidence logged
  operational --> decommissioned : Decommissioning workflow signed
  suspended --> decommissioned : Decommissioning from suspended state
  planned --> withdrawn : Site cancelled before qualification (terminal)
  withdrawn --> [*]
  decommissioned --> [*]
```

Diagram 0.5-A — Site lifecycle. Activation (`in_qualification → operational`) requires the qualification package signed by the validation lead and quality lead. High-risk site types require executive authority co-sign at activation per DEC-09-15. Suspension reasons are categorised; decommissioning preserves all historical records and seals the site's URS-06 chain references for ongoing inspection use.
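The following is an added reference model of the state machine in Diagram 0.5-A together with the activation co-sign rule of DEC-09-15; it is illustrative code written for this document, not Verixa project code. The permitted transitions and the signer roles (`validation_lead`, `quality_lead`, `executive_authority`, `validation_approver`, `regulatory_oversight_admin`) are transcribed from the diagram caption and DEC-09-15; the suspension-reason names other than `regulatory_concern`, and the rule that every transition carries at least one e-signature role, are assumptions made for the example.

```python
"""Reference model of the Module 9 site lifecycle (Diagram 0.5-A) with the
activation co-sign rule of DEC-09-15. Illustrative code written for this
document, not Verixa project code."""
from dataclasses import dataclass, field


class TransitionError(Exception):
    """Raised when a lifecycle transition is not permitted."""


# Permitted transitions, transcribed from Diagram 0.5-A.
TRANSITIONS = {
    ("planned", "in_qualification"),
    ("planned", "withdrawn"),
    ("in_qualification", "operational"),
    ("operational", "suspended"),
    ("suspended", "operational"),
    ("operational", "decommissioned"),
    ("suspended", "decommissioned"),
}
TERMINAL_STATES = {"withdrawn", "decommissioned"}

# Platform-managed high-risk list (DEC-09-15).
HIGH_RISK_TYPES = {
    "sterile_injectable_aseptic", "sterile_injectable_terminal", "biologic",
    "controlled_substance", "clinical_phase_1", "clinical_phase_2",
    "clinical_phase_3", "compounding_pharmacy",
}

# Signer roles for in_qualification -> operational: the two base roles come
# from the Diagram 0.5-A caption, the three extra roles from DEC-09-15.
BASE_ACTIVATION_SIGNERS = {"validation_lead", "quality_lead"}
HIGH_RISK_ACTIVATION_SIGNERS = {
    "executive_authority", "validation_approver", "regulatory_oversight_admin",
}

# Suspension reason categories. `regulatory_concern` appears in the URS; the
# other two are constructed names for the quality and infrastructure holds
# the diagram mentions.
SUSPENSION_REASONS = {"regulatory_concern", "quality_hold", "infrastructure_hold"}


@dataclass
class Site:
    display_id: str
    site_type: str                 # type or sub-classification, e.g. "biologic"
    lifecycle_state: str = "planned"
    history: list = field(default_factory=list)   # stands in for the URS-06 audit trail


def required_signers(site: Site, target: str) -> set:
    """Roles whose e-signatures are mandatory for this specific transition."""
    if site.lifecycle_state == "in_qualification" and target == "operational":
        signers = set(BASE_ACTIVATION_SIGNERS)
        if site.site_type in HIGH_RISK_TYPES:
            signers |= HIGH_RISK_ACTIVATION_SIGNERS
        return signers
    return set()


def transition(site: Site, target: str, signatures, reason: str = None) -> str:
    """Apply one lifecycle transition or raise TransitionError.

    `signatures` is the set of roles that have e-signed the transition. Every
    transition needs at least one signature; activation needs the full role
    set returned by required_signers(); suspension needs a categorised reason.
    """
    current = site.lifecycle_state
    if current in TERMINAL_STATES:
        raise TransitionError(f"{site.display_id} is in terminal state {current}")
    if (current, target) not in TRANSITIONS:
        raise TransitionError(f"{current} -> {target} is not a permitted transition")
    signatures = set(signatures)
    if not signatures:
        raise TransitionError("every lifecycle transition must be e-signed")
    missing = required_signers(site, target) - signatures
    if missing:
        raise TransitionError(f"missing co-signatures: {sorted(missing)}")
    if target == "suspended" and reason not in SUSPENSION_REASONS:
        raise TransitionError("suspension requires a categorised reason")
    # Record the transition before mutating state, as an audit row would be.
    site.history.append((current, target, frozenset(signatures), reason))
    site.lifecycle_state = target
    return target
```

The co-sign check is computed from the site type at the moment of activation, so a site re-classified into the high-risk list while still `in_qualification` picks up the extra signers automatically; a terminal site rejects every further transition, which is the behaviour an auditor expects from `decommissioned`.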

### 0.6 Glossary of key terms used in this document

| Term | Definition |
|---|---|
| Annex 1 grade | The EU GMP Annex 1 cleanroom grade (A, B, C, D) for sterile-manufacturing facilities, defined by particulate and microbiological limits at-rest and in-operation. |
| Area | A physical sub-division of a building (e.g., dispensing area, granulation area, packaging hall, microbiology lab). Each area carries its own GxP classification and (where applicable) cleanroom classification. |
| Building | A physical structure within a site (e.g., Building 1: API manufacturing; Building 2: solid dosage; Building 3: warehouse). |
| Campus | A logical grouping of physically adjacent sites (e.g., a multi-building manufacturing campus with shared utilities); useful for inspection planning. Optional. |
| Cleanroom classification | The ISO 14644 cleanliness class (e.g., ISO 5, ISO 7, ISO 8) AND/OR the EU GMP Annex 1 grade (A/B/C/D) assigned to an area or room. |
| Decommissioning | The terminal lifecycle workflow that retires a site: closes every regulated record bound to the site, surrenders or transfers licences, disposes of assets per GxP retirement procedures, signs decommissioning attestation. |
| Emergency contact | A named site role that receives regulator-emergency, customer-emergency, and security-incident notifications. |
| Equipment area | A specific zone within a room dedicated to a piece of major equipment (e.g., the area around a tablet-press; the area around a freeze-dryer). Used for environmental monitoring and qualification scope. |
| Facility hierarchy | The campus → site → building → area → room → equipment-area tree maintained for each site. |
| GxP classification | The regulatory classification of the site or area: `gmp` (manufacturing), `glp` (non-clinical safety), `gcp` (clinical), `gdp` (distribution), `multi` (multiple). |
| In-qualification state | Site state during IQ/OQ/PQ activities; linked to a URS-07 validation or equipment-qualification study; site is not yet operational for production. |
| Inspection | An on-site regulatory or audit visit (FDA, EMA, MHRA, CDSCO, Health Canada, customer, internal QA, ISO certification). |
| Licence | A regulatory authorisation held by the site (FDA establishment registration, EMA MA reference, MHRA MA, CDSCO Form 25/28, Health Canada DEL, etc.). |
| Operational state | Site state during normal regulated activity; the predominant state for active sites. |
| Planned state | Site state during construction / build-out; the site exists in the catalogue but no regulated activity is permitted. |
| Qualification package | The signed-off IQ/OQ/PQ documentation that demonstrates the site (or area, or equipment) is fit for its intended GxP purpose; produced under URS-07 validation / equipment-qualification studies. |
| Site | A physical location where regulated activity happens; a first-class object in the canonical scope dimension registry. |
| Suspended state | Controlled-hold state; regulated activity blocked; reads continue for inspection. |
| Decommissioned state | Terminal state; site is permanently retired; historical records preserved. |

### 0.7 Module 9 architectural picture

```mermaid
graph LR
  subgraph M9 [Module 9 — Site & Facility Management]
    CAT[Site Catalogue]
    HIER[Facility Hierarchy]
    CLEAN[Cleanroom Classification]
    LIC[Licences and Certifications]
    INSP[Inspection Register]
    CON[Contacts Roster]
    LCY[Lifecycle]
  end

  M3[URS-03 Active Scope] <--> CAT
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> CAT
  M6[URS-06 Audit Substrate] --> LCY
  M7[URS-07 Study] <--> CAT
  M8[URS-08 Tenant Lifecycle] --> CAT
  M12[URS-12 Document Control] <--> LIC
  M28[URS-28 Training Management & Qualification] --> CON
  M30[URS-30 Notifications] --> INSP
  M30 --> LCY
  CAT --> M14[URS-14..URS-34 Domain modules]
```

Diagram 0.7-A — Module 9 sits at the master-data layer. URS-03 active-scope intersection consumes the `site` scope dimension and the per-site facility hierarchy. URS-07 study scope can include sites from this catalogue. URS-12 holds the licence evidence documents. URS-28 owns the qualifications of the personnel named in the contacts roster. URS-30 routes site-bound notifications through the contacts roster.

---

## 1. Module Purpose

Module 9 establishes Site & Facility Management as the canonical master-data substrate for "where did this happen" in Verixa. It owns the per-tenant site catalogue, the facility hierarchy (campus → site → building → area → room → equipment-area), the cleanroom classification register (ISO 14644 + EU GMP Annex 1), the site licence and certification register, the per-site regulatory inspection register, the site contacts roster, the site lifecycle state machine, the cross-site relationship model, and the site-bound regulated-record discovery surface. Module 9 is consumed by URS-03 to compute active-scope intersection on the `site` scope dimension; by URS-04 to drive site-aware workflow firing; by URS-05 to scope-bind Authority Profile assignments to sites; by URS-06 to attribute audit rows to site scope; by URS-07 to compose study scope including sites; by URS-12..URS-34 to bind regulated records to sites at creation.

Module 9 is the **first-class navigation entry point for inspections** — when a regulator arrives, the site detail view plus its discovery surface is the single screen that surfaces the entire regulatory posture for the site.

---

## 2. Scope

### 2.1 In scope

- The site catalogue per DEC-09-01: per-tenant registry of every site with `id`, `tenant_id`, `name`, `display_id`, `site_type` (per the launch type list), `gxp_classification`, `legal_address_jsonb`, `geolocation_jsonb` (latitude / longitude), `jurisdiction`, `time_zone`, `primary_use`, `parent_campus_id` (nullable), `lifecycle_state`, `created_by`, `created_at`, `activated_at` (operational entry), `decommissioned_at`, `vertical_classification_jsonb` (e.g., sterile_injectable, oral_solid_dosage, biologic, controlled_substance, clinical_phase_1).
- Site types at launch (DEC-09-01): `manufacturing` (further sub-classified as `api`, `oral_solid_dosage`, `liquid_oral`, `topical`, `sterile_injectable_aseptic`, `sterile_injectable_terminal`, `biologic`, `controlled_substance`), `warehouse`, `distribution_centre`, `packaging`, `label_printing`, `laboratory` (sub-classified as `analytical`, `microbiological`, `method_development`, `bioassay`), `clinical_site` (sub-classified by phase per DEC-09-15), `r_and_d`, `compounding_pharmacy`, `other`.
- The facility hierarchy (DEC-09-02): campus → site → building → area → room → equipment-area; each level immutable per-version; changes through controlled amendment with electronic signature.
- The cleanroom classification register (DEC-09-04) per area / room: `iso_14644_class` (ISO 5..ISO 9), `eu_gmp_annex1_grade` (A / B / C / D), `at_rest_particle_limits_jsonb`, `in_operation_particle_limits_jsonb`, `microbiological_limits_jsonb`, `last_certification_date`, `next_certification_due`, `certification_evidence_document_id` (FK URS-12). For non-cleanroom areas, the classification is `not_applicable` with a documented rationale.
- The site licence and certification register (DEC-09-05): per-licence record with `licence_type` (FDA establishment registration / FDA DMF reference / EMA MA reference / MHRA MA / CDSCO Form 25 / CDSCO Form 28 Schedule M / Health Canada DEL / DEA registration / ISO 9001 / ISO 13485 / ISO 17025 / EU CEP / GMP certificate / etc.), `licence_number`, `issuing_authority`, `effective_from`, `effective_to`, `evidence_document_id` (FK URS-12), `re_verification_cadence`, `last_verified_at`, `current_status`. Re-verification scheduling per URS-30 with the site's RA contact and tenant administrator.
- The per-site regulatory inspection register (DEC-09-08): per-inspection record with `inspection_type` (`fda_pre_approval` / `fda_routine_gmp` / `fda_for_cause` / `fda_bioresearch_monitoring` / `ema_routine_gmp` / `ema_pre_authorisation` / `mhra_inspection` / `cdsco_inspection` / `health_canada_inspection` / `customer_audit` / `internal_audit` / `mock_inspection` / `iso_certification_audit` / `oecd_mad_glp_inspection`), `inspecting_authority`, `dates_jsonb`, `lead_inspector_identity`, `scope_jsonb`, `findings_count_by_classification_jsonb` (e.g., {"483_critical": 0, "483_major": 2, "483_minor": 5} for FDA), `findings_register_document_id` (FK URS-12), `response_register_document_id`, `closure_state`, `final_outcome`. Inspection records can be linked to URS-07 audit-study records.
- The site qualification and validation status (DEC-09-09): per-site computed status derived from linked URS-07 validation / equipment-qualification studies; `iq_signed_at`, `oq_signed_at`, `pq_signed_at`, `requalification_due_at`, `qualification_status` (`fully_qualified` / `partial` / `expired` / `pending`).
- Site contacts roster (DEC-09-10): per-site role assignments with `contact_type` (`site_head` / `quality_lead` / `qp` / `responsible_person` / `regulatory_contact` / `data_protection_contact` / `emergency_contact` / `security_incident_contact` / `cleanroom_certifier`), `user_id` (where the contact is a Verixa user) or `external_contact_jsonb` (where the contact is an external person — e.g., a contracted consultant), `effective_from`, `effective_to`, qualification linkage to URS-28 where applicable.
- The site lifecycle state machine (DEC-09-03): `planned` → `in_qualification` → `operational` → `suspended` ↔ `operational` → `decommissioned`; plus terminal pre-activation `withdrawn`.
- High-risk site activation (DEC-09-15): site types in the platform-managed high-risk list (`sterile_injectable_aseptic`, `sterile_injectable_terminal`, `biologic`, `controlled_substance`, `clinical_phase_1` through `clinical_phase_3`, `compounding_pharmacy`; the canonical list is held in DEC-09-15) require executive authority co-sign at `in_qualification → operational` plus `validation_approver` co-sign and `regulatory_oversight_admin` co-sign.
- Cross-site relationships (DEC-09-12): `parent_campus`, `related_site` (e.g., a packaging site that handles output from this manufacturing site), `qualification_dependent_site` (e.g., a backup site that uses the same qualified water system), `regulatory_alternate_site` (formal regulatory backup); each relationship is electronically signed and audited.
- Sites within studies (DEC-09-13): URS-07 study scope can include sites from this catalogue; cross-tenant studies (URS-07) reference partner-tenant sites through the collaboration grant; partner-tenant sites are visible within the per-grant scope; never beyond.
- Site-level access overlay (DEC-09-14): for sites that handle sensitive content (e.g., controlled substances, clinical sites with subject identifiers, R&D sites with confidential novel methods), tenant administrators MAY apply a site-level access overlay restricting access to a designated `site_member` roster on top of base roles and Authority Profiles.
- Site-bound regulated-record discovery (DEC-09-07): for every site, the platform computes the set of regulated records whose URS-03 active scope intersects the site's identifier within a configurable window (default rolling 24 months for active discovery; full lifetime for inspection / archive surface).
- Equipment area hierarchy (DEC-09-17): per-room sub-zones for major equipment (tablet press, freeze-dryer, lyophiliser, blister machine, capsule filler, vial filler, autoclave, depyrogenation tunnel, etc.); each equipment area carries its own qualification status, which references a forward equipment-management module. Module 9 owns the area definition; the forward equipment-management module owns the equipment qualification records; that module's exact number is an external program dependency.
- Cleanroom certification re-verification (DEC-09-04): scheduled re-certification cadence (typically every 6-12 months for sterile manufacturing per Annex 1; per ISO 14644 cycle for non-sterile cleanrooms); URS-30 reminders; failures escalate to `regulatory_concern` site suspension.
- Site decommissioning workflow (DEC-09-11): pre-decommissioning gate (every regulated record bound to the site is closed; every URS-07 study with the site in scope is closed; licences surrendered or transferred); decommissioning attestation electronically signed by site head, quality lead, regulatory affairs lead, executive authority co-sign for high-risk sites; URS-06 captures.
- Reports and dashboards: per-tenant site catalogue, per-site dashboard, per-site discovery view, cross-site relationships graph, inspection register, licence expiry timeline, qualification status dashboard, cleanroom certification timeline, site contacts directory.
- Front-end: site catalogue browser, site creation wizard, per-site detail (overview / hierarchy / cleanroom / licences / inspections / contacts / qualification / discovery / relationships / lifecycle), site qualification dashboard, decommissioning surface, cross-site relationship management.
- Cross-module wiring: URS-03 consumes site scope; URS-04 fires site-aware workflows; URS-05 scope-binds Authority Profiles; URS-06 audits every Module 9 lifecycle event; URS-07 references sites in study scope; URS-08 tenant lifecycle gates Module 9 mutations; URS-12 holds licence and inspection evidence; URS-28 owns site-contact qualification records; URS-30 delivers notifications; URS-35 owns long-term archive.
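The cleanroom re-certification rules above (DEC-09-04 and the re-verification bullet) combine a default cadence that depends on the Annex 1 grade, a "shorter is allowed, longer needs change control" constraint, and an escalation path for overdue certificates. The following is an added worked example of that logic, written for this document and not Verixa project code; the 6 / 12 month defaults, the `regulatory_concern` suspension and the `cleanroom_certifier` contact type come from the URS, while the 30-day reminder lead time, the action labels and the rule that a `not_applicable` area carries no cadence are assumptions.

```python
"""Cleanroom re-certification cadence and status per DEC-09-04 / §2.1.
Illustrative code written for this document, not Verixa project code."""
import calendar
from datetime import date

# Default re-certification cadence in months (DEC-09-04): 6 for Annex 1
# Grade A/B, 12 otherwise.
GRADE_AB_DEFAULT_MONTHS = 6
OTHER_DEFAULT_MONTHS = 12
# Lead time for the URS-30 reminder. The URS does not fix a value; 30 days is
# an assumption for this example.
REMINDER_LEAD_DAYS = 30


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month
    (31 January + 1 month -> 28 February)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def default_cadence_months(iso_14644_class: str, eu_gmp_annex1_grade: str):
    """Default cadence for an area; None when the area is not a cleanroom
    (assumption: both classifications `not_applicable`)."""
    if iso_14644_class == "not_applicable" and eu_gmp_annex1_grade == "not_applicable":
        return None
    if eu_gmp_annex1_grade in ("A", "B"):
        return GRADE_AB_DEFAULT_MONTHS
    return OTHER_DEFAULT_MONTHS


def resolve_cadence(iso_14644_class, eu_gmp_annex1_grade,
                    requested_months=None, change_control_approved=False):
    """Validate a configured `re_certification_cadence` against DEC-09-04:
    shorter than the default is always allowed; longer than the default is
    rejected unless approved change control is recorded."""
    default = default_cadence_months(iso_14644_class, eu_gmp_annex1_grade)
    if default is None:
        raise ValueError("non-cleanroom area: classification not_applicable, no cadence")
    if requested_months is None:
        return default
    if requested_months < 1:
        raise ValueError("cadence must be at least one month")
    if requested_months > default and not change_control_approved:
        raise ValueError(
            f"cadence {requested_months} months exceeds default {default}; "
            "approved change control required")
    return requested_months


def certification_status(last_certification_date: date, cadence_months: int, today: date):
    """Return (next_certification_due, status); status is 'current',
    'due_soon' (inside the reminder window) or 'overdue'."""
    due = add_months(last_certification_date, cadence_months)
    if today > due:
        return due, "overdue"
    if (due - today).days <= REMINDER_LEAD_DAYS:
        return due, "due_soon"
    return due, "current"


def escalation_action(status: str):
    """Downstream action for a status. An overdue certificate escalates to a
    `regulatory_concern` site suspension (§2.1, DEC-09-04); the action labels
    themselves are constructed for this example."""
    return {
        "current": None,
        "due_soon": "urs30_reminder_to_cleanroom_certifier",
        "overdue": "suspend_site:regulatory_concern",
    }[status]
```

Note the asymmetry `resolve_cadence` enforces: an operator can always tighten the cadence, but relaxing it past the grade default is a change-control event rather than a configuration edit, which keeps the weaker setting out of reach of a plain administrator account.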

### 2.2 Out of scope

- Authentication, multi-factor authentication, password policy, session lifecycle (URS-01).
- Permission matrix and base role catalogue (URS-02).
- Active-context resolution and approval-scope check (URS-03; Module 9 provides the site-scope content).
- Workflow templates, runtime, e-signature ceremony, HITL lifecycle (URS-04).
- Authority Profile catalogue, assignments, delegations, SoD (URS-05; Module 9 layers a site-level overlay where applicable).
- Audit substrate (URS-06; Module 9 is a major writer).
- Study management (URS-07; Module 9 is consumed for study scope).
- Tenant lifecycle (URS-08; Module 9 mutations gated by tenant `active` state).
- Document control implementation (URS-12; Module 9 holds linkages).
- Equipment qualification record content is owned by a forward equipment-management module; Module 9 owns the equipment-area definition only.
- Environmental monitoring data (forward module; Module 9 owns the cleanroom classification only).
- Domain-specific record semantics (every domain module owns its own state model).
- AI-driven decision-making (explicitly prohibited; AI suggestion paths are advisory only).

### 2.3 Closed launch decisions

| Identifier | Closed launch decision |
|---|---|
| DEC-09-01 | Site types at launch are exactly the enumerated list in §2.1 with sub-classifications for `manufacturing`, `laboratory`, and `clinical_site`. Adding a top-level type or a sub-classification is a Class 1 change. The `clinical_site` sub-classifications mirror URS-07 clinical types (`clinical_phase_1` / `2` / `3`) and inherit the per-tenant clinical-type activation gate per URS-08 DEC-08-09. |
| DEC-09-02 | The facility hierarchy is exactly `campus → site → building → area → room → equipment_area`. Campus is optional; site is the first required level for any regulated activity. Adding a level is a Class 1 change. Each level carries its own `id`, `display_id`, `parent_id`, `name`, lifecycle metadata, and (for area / room / equipment-area) cleanroom classification. |
| DEC-09-03 | Site identity fields are exactly: `name`, `display_id` (tenant-unique short identifier), `site_type` + sub-classification, `gxp_classification` (`gmp` / `glp` / `gcp` / `gdp` / `multi`), `legal_address_jsonb` (street, city, region, postal code, country), `geolocation_jsonb` (latitude / longitude; optional), `jurisdiction`, `time_zone`, `primary_use`, `vertical_classification_jsonb`, `parent_campus_id`. Adding a field is a Class 1 change. |
| DEC-09-04 | Cleanroom classification fields per area / room: `iso_14644_class` (ISO 5..ISO 9 or `not_applicable`), `eu_gmp_annex1_grade` (A / B / C / D or `not_applicable`), `at_rest_particle_limits_jsonb`, `in_operation_particle_limits_jsonb`, `microbiological_limits_jsonb`, `last_certification_date`, `next_certification_due`, `certification_evidence_document_id`, `certifying_organisation`, `re_certification_cadence` (default 12 months for non-sterile, 6 months for Grade A/B per Annex 1, configurable to shorter intervals; not extendable beyond default without approved change control). Re-certification scheduling and reminders per URS-30; failure escalates to `regulatory_concern` site suspension. |
| DEC-09-05 | Site licence and certification register fields per-licence: `licence_type` (per launch list), `licence_number`, `issuing_authority`, `effective_from`, `effective_to`, `evidence_document_id` (FK URS-12), `re_verification_cadence` (default annual; quarterly for high-risk types like FDA establishment registration; monthly for DEA registration), `last_verified_at`, `current_status` (`current` / `expired` / `pending_renewal` / `revoked` / `surrendered` / `transferred`). Adding a launch-list licence type is a Class 2 change. Per URS-08 DEC-08-13, the corresponding tenant-level KYC pack receives the same evidence at onboarding for cross-correlation. |
| DEC-09-06 | Sites are tenant-scoped; a single site cannot belong to more than one tenant. Cross-tenant studies (URS-07) reference partner-tenant sites through the collaboration grant per URS-07 DEC-07-07; partner-tenant sites are visible to the lead-tenant's study members only within the per-grant scope. Cross-tenant joint-venture sites (where two tenants legitimately share a physical location) are forward roadmap; at launch they are modelled as two separate site records (one per tenant) with cross-site `related_site` linkage. |
| DEC-09-07 | Site-bound regulated-record discovery is computed by URS-03 active-scope intersection on the `site` scope dimension over a configurable window. Default window for the active discovery view is rolling 24 months; the inspection / archive surface uses the full lifetime from site creation. The discovery is read-only; it does not assign records to sites; it reports what URS-03 observed during the window with overlapping scope. |
| DEC-09-08 | Per-site regulatory inspection register: every regulatory inspection, audit, or mock inspection of the site is recorded with the fields enumerated in §2.1; the record links to the URS-07 audit-study record where the inspection was planned / response-managed as a study; findings register and response register link to URS-12 controlled documents; final outcome captured (`closed_no_action` / `closed_with_capa` / `pending_response` / `escalated`). |
| DEC-09-09 | Site qualification and validation status is computed from linked URS-07 validation / equipment-qualification studies; the site cannot transition `in_qualification → operational` until the qualification package is signed by the validation lead, the quality lead, and (for high-risk site types per DEC-09-15) executive authority. Re-qualification cadence is per regulatory framework (typically every 5 years for major equipment; every 10 years for buildings; sooner where regulatory framework requires) configured per site in `requalification_due_at`. |
| DEC-09-10 | Site contacts roster captures named accountability per role, using the contact types enumerated in §2.1. `qp` / `responsible_person` and `quality_lead` MUST link to URS-28 qualifications appropriate to the site's GxP classification and jurisdiction; a missing linkage returns `SITE_CONTACT_QUALIFICATION_MISSING`. URS-30 routes site-relevant notifications through the roster; emergency contacts receive priority routing. |
| DEC-09-11 | Site decommissioning workflow: pre-decommissioning gate requires (a) every regulated record bound to the site is closed or formally accepted (per URS-12..URS-34 close-out flows), (b) every URS-07 study with the site in scope is closed or amended to remove the site, (c) every URS-05 Authority Profile assignment scoped to the site is revoked or migrated, (d) site licences are surrendered or transferred (each transfer recorded with the receiving entity), (e) qualification packages are archived, (f) physical assets disposition is recorded per GxP retirement procedures. Decommissioning attestation electronically signed by site head, quality lead, regulatory affairs lead; executive authority co-sign for high-risk site types. URS-06 captures. |
| DEC-09-12 | Cross-site relationships at launch: `parent_campus`, `related_site` (functional dependency), `qualification_dependent_site` (e.g., shared utility qualification), `regulatory_alternate_site` (formal regulatory backup), `successor_of_site_id` (where a new site replaces a decommissioned site). Each relationship row is electronically signed at creation and at modification. Adding a relationship type is a Class 2 change. |
| DEC-09-13 | Sites within studies: URS-07 study scope MAY include sites from this catalogue; for cross-tenant studies, the partner-tenant sites are accessible only via the URS-07 collaboration grant per URS-07 DEC-07-07 and only within the per-grant scope. Module 9's per-site discovery view, when accessed by a partner-tenant member, shows only the records within the per-grant scope. |
| DEC-09-14 | Site-level access overlay: tenant administrators MAY apply a site-level access overlay for high-sensitivity sites (controlled substance, clinical sites with subject identifiers, R&D with confidential novel methods); the overlay restricts access to a designated `site_member` roster on top of base roles and Authority Profile assignments; non-members are denied with `403 SITE_CONFIDENTIAL_NOT_MEMBER`. The overlay is opt-in per site at the tenant administrator's electronic signature. |
| DEC-09-15 | High-risk site type activation: site types `sterile_injectable_aseptic`, `sterile_injectable_terminal`, `biologic`, `controlled_substance`, `clinical_phase_1`, `clinical_phase_2`, `clinical_phase_3`, `compounding_pharmacy` require executive authority co-sign at `in_qualification → operational` plus `validation_approver` co-sign and `regulatory_oversight_admin` co-sign. The high-risk list is platform-managed; adding to the list is a Class 2 change. Tenants whose declared posture intersects the URS-08 DEC-08-12 high-risk vertical list typically also have high-risk sites — the two lists are independent but consistent. |
| DEC-09-16 | Cleanroom monitoring linkage: Module 9 owns the cleanroom classification definitions and per-area limits; environmental monitoring data is owned by URS-25 Environmental Monitoring which references Module 9's cleanroom classification at every reading. At launch, Module 9's cleanroom classification register is consumed read-only by the equipment-qualification studies in URS-07 (`equipment_qualification` study type) so that qualification packages reference the site's classification baseline. |
| DEC-09-17 | Equipment area hierarchy is the bottommost level of the facility hierarchy (DEC-09-02). Each equipment area has `equipment_class` (e.g., `tablet_press`, `freeze_dryer`, `vial_filler`, `autoclave`, `depyrogenation_tunnel`, `lyophiliser`, `blister_machine`, `capsule_filler`, `mixer`, `granulator`, `bioreactor`, `chromatography_column`); a forward equipment-management module will own the per-equipment record, qualification, calibration, and maintenance; exact module number is an external program dependency; Module 9 owns the area definition only. At launch, equipment areas exist as definitions in Module 9 and are referenced by URS-07 equipment-qualification studies. |
| DEC-09-18 | Site lifecycle and tenant lifecycle interaction (URS-08): site mutations (creation, lifecycle transition, decommissioning) are blocked while tenant is in `suspended`, `in_offboarding`, or `offboarded` state per URS-08 BR-08-20. Tenant offboarding pre-gate (URS-08 DEC-08-08) considers any site that is not in `decommissioned` or `withdrawn` state as a blocker — but at launch, the gate accepts `operational` and `suspended` sites because tenants typically retain physical sites after Verixa offboarding (the tenant doesn't lose the building when they leave Verixa); the gate captures the site state for the export bundle. |
| DEC-09-19 | Forward roadmap deferred capabilities: per-equipment records owned by a forward equipment-management module (exact module number is an external program dependency); environmental monitoring continuous data owned by URS-25 Environmental Monitoring (with any continuous-monitoring extension tracked as a program dependency); utility qualification details owned by a forward utility/equipment qualification module where applicable; Module 9 at launch supports their integration through the equipment-area definitions and the cleanroom classification register, leaving the run-time data to those modules when delivered. |
| DEC-09-20 | Site licence expiry handling: when a site licence approaches `effective_to`, URS-30 alerts the site's RA contact at T-90, T-30, T-7, T-1 days; if the licence is not renewed by `effective_to`, the site automatically transitions to `suspended` state with reason `regulatory_concern` and triggers `LICENCE_EXPIRED_SITE_SUSPENDED`. Renewal restores the site to `operational` per the standard return-to-active flow with `regulatory_oversight_admin` + executive authority co-sign per DEC-09-15. |

---

## 3. User Roles and Permissions

### 3.1 Architecture

Module 9 consumes Layer 1 (base role) and Layer 2 (permission matrix) from URS-02; consumes the Authority Profile catalogue and resolver from URS-05; consumes the active scope from URS-03; consumes the qualification register from URS-28. Module 9 owns three administrative surfaces: (a) the per-tenant site catalogue and creation wizard, (b) the per-site detail and management surface, (c) the cross-site relationship management surface. Module 9 owns the **site-level access overlay** that enforces site-confidential access for high-sensitivity sites.

### 3.2 Role definitions

The five tenant-level base roles defined by URS-02 (`admin`, `quality_lead`, `reviewer`, `auditor`, `viewer`) and the two cross-tenant platform identities (`platform_admin`, `super_admin`) apply unchanged. Module 9 introduces three **site-level roles** that overlay the base roles per DEC-09-14:

| Site role | Description | Cardinality per site |
|---|---|---|
| `site_member` | A user with explicit access to a high-sensitivity site under the access overlay (DEC-09-14). Required only for sites where the overlay is enabled. | 0 or more |
| `site_head` | The named accountable user for the site; approves member additions, lifecycle transitions, and decommissioning. | Exactly 1 (when site is `in_qualification` or beyond) |
| `site_quality_lead` | The named QA accountable user for the site; co-signs licences, certifications, qualification packages, and inspection responses. | Exactly 1 (when site is `in_qualification` or beyond) |

`site_head` and `site_quality_lead` are also tenant base-role `admin` or `quality_lead` users; the site-level role is an overlay assigning per-site accountability.

### 3.3 Authority Profiles consumed by Module 9

| Authority Profile (consumed) | Module 9 action gated |
|---|---|
| `tenant_admin_authority` | Read site catalogue; create sites (non-high-risk types); configure site fields during planning; assign site contacts; manage site-level access overlay. |
| `validation_approver` | Co-sign site activation `in_qualification → operational` (the qualification package). |
| `regulatory_oversight_admin` | Co-sign site licence registration; co-sign site activation for high-risk types per DEC-09-15; co-sign site decommissioning. |
| `final_quality_approver` | Co-sign cleanroom certification and re-certification; co-sign decommissioning attestation. |
| `final_regulatory_approver` | Co-sign site inspection response submissions to regulators. |
| executive authority | Co-sign activation for high-risk site types (DEC-09-15); co-sign decommissioning of high-risk sites; co-sign return-to-active for licence-expiry suspension. |
| `cross_tenant_collaboration_authority` | Visibility of partner-tenant sites within URS-07 collaboration grants; consumed read-only via Module 7. |

### 3.4 Segregation-of-Duties rules consumed by Module 9

| SoD rule (consumed from URS-05) | Module 9 application |
|---|---|
| `AUTHOR_NEQ_APPROVER` | The user who created a site cannot also activate it; activation approver MUST be a different user. |
| `REVIEWER_NEQ_FINAL_APPROVER` | A reviewer of a site qualification package cannot also be the validation_approver who signs activation. |
| `SITE_HEAD_NEQ_QUALITY_LEAD` (Tier 1, site-specific) | The `site_head` and `site_quality_lead` MUST be distinct users; a single user cannot occupy both roles for the same site. |
| `INSPECTION_RESPONSE_INDEPENDENT_REVIEWER` (Tier 1, site-specific) | A user named in the inspection findings cannot be the sole signer of the inspection response submission; an independent reviewer is mandatory. |

### 3.5 Worked examples

#### Worked example A — Sterile injectable manufacturing site activation

PharmaCorp opens a new sterile injectable manufacturing site at their Delaware facility. The QA Director (with `tenant_admin_authority`) creates the site (state `planned`) with `site_type = manufacturing.sterile_injectable_aseptic`, `gxp_classification = gmp`, US jurisdiction, the legal address, and assigns herself as `site_head` and a peer QA Lead as `site_quality_lead`. Construction completes; the site moves to `in_qualification` (an electronically signed transition with reason). A URS-07 equipment-qualification study is created covering the site's IQ/OQ/PQ activities; the linked URS-12 documents include the URS, FDS, DS, IQ protocols, OQ protocols, PQ protocols. Cleanroom areas are defined in the facility hierarchy: filling room (Grade A unidirectional flow), background room (Grade B), gowning area (Grade C), bulk preparation (Grade C). Each area's cleanroom classification is registered with at-rest and in-operation particle limits per Annex 1. An ISO 14644 cleanroom certification provider runs the smoke study and particle counts; certificates are uploaded to URS-12. After all qualification activities complete, the qualification package is signed by the `validation_approver`. The site is ready for activation. Executive authority receives the activation request via URS-30, reviews the activation pack (qualification evidence + ISO 14644 certificates + Annex 1 readiness assessment + FDA establishment registration + State of Delaware pharmacy licence), opens the Controlled Approval Modal with multi-factor step-up, and electronically co-signs. The `regulatory_oversight_admin` also co-signs. Site moves to `operational`. URS-06 captures `SITE_ACTIVATED` with `site_type = sterile_injectable_aseptic` and the high-risk co-sign chain.

#### Worked example B — Quarterly cleanroom re-certification

Six months after activation, the Grade A filling room is due for re-certification. URS-30 alerts the `site_head` and `site_quality_lead` at T-30, T-7, T-1. The certifying organisation runs the re-certification; particle counts and microbiological excursions are within Annex 1 limits; certificate uploaded to URS-12 via a controlled change request to update the cleanroom classification record. The `final_quality_approver` co-signs. URS-06 captures `CLEANROOM_RECERTIFIED` with the new `last_certification_date` and `next_certification_due`.

#### Worked example C — FDA pre-approval inspection register entry

PharmaCorp submits an ANDA for a new generic; the FDA schedules a pre-approval inspection of the sterile injectable site. The site head opens the inspection register; creates a record with `inspection_type = fda_pre_approval`, scheduled dates, lead inspector identity (recorded if known at scheduling; if not known, system stores `scheduled_lead_inspector_unknown = true` and requires contemporaneous update when identity is confirmed), scope (the ANDA-specific manufacturing process). On the inspection day, the lead inspector is recorded; the inspection runs over five days; observations are issued (one Form 483 with two minor observations). The findings register is uploaded to URS-12 (the actual Form 483); the response register is also linked. The site quality lead drafts the response; an independent reviewer (`INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`) signs review; the `final_regulatory_approver` signs the submission. The response is submitted to the FDA within 15 working days per FDA guidance. After FDA acceptance, `closure_state = closed_with_capa` and the linked CAPAs are tracked.

#### Worked example D — Site-level access overlay for clinical site

A new tenant onboards with a clinical-trial-sponsor posture and creates a Phase 1 clinical site. Per DEC-09-14, the site contains subject-identifiable data; the tenant administrator enables the site-level access overlay and assigns a `site_member` roster of the clinical research team only; non-member access is denied with `SITE_CONFIDENTIAL_NOT_MEMBER`. URS-04 workflows that touch the site emit the access denial as a forensic event for any attempted access by non-members. The `auditor` base role can still read the site (audit access has its own surface).

#### Worked example E — Site decommissioning

After fifteen years of operation, an aging warehouse site is decommissioned per a tenant business decision. The `site_head` opens the decommissioning workflow. The pre-decommissioning gate runs: every regulated record bound to the site is checked — three open finding records remain on closed batch records that need formal acceptance; the gate surfaces the remediation list. The site head closes them. Two URS-07 studies still have the site in their scope; the studies' leads execute amendments to remove the site from scope (URS-07 substantial amendments with the regulatory affairs co-sign). One URS-05 Authority Profile assignment for `qa_release_us` was scoped to this site; it's revoked. The site licences are surrendered (FDA establishment registration removal letter; state pharmacy licence surrender). The qualification packages for the site's equipment are archived. Asset-disposal records are captured per GxP retirement procedures. The decommissioning attestation is signed by the `site_head`, the `site_quality_lead`, the `regulatory_oversight_admin`. State moves to `decommissioned`. URS-06 captures `SITE_DECOMMISSIONED`. The site's records remain query-accessible for inspection / litigation; URS-30 announces the decommissioning to relevant tenant administrators.

#### Worked example F — Cross-tenant study reference to partner-tenant clinical site

A sponsor (tenant A) commissions a CRO (tenant B) to run a Phase 2 clinical trial. The CRO's clinical site (in tenant B) is part of the study scope per URS-07. The cross-tenant collaboration grant per URS-07 DEC-07-07 includes the CRO's clinical site in the per-grant scope. Sponsor-tenant study members can see the CRO's clinical site listed in the URS-07 study scope view, but only within the per-grant scope; sponsor-tenant members cannot see the CRO's other sites or the CRO's site licence portfolio outside the grant. Module 9's per-site discovery view, when accessed by a sponsor-tenant member, surfaces only records within the grant scope. Cross-tenant access is audited as `CROSS_TENANT_STUDY_ACCESS_USED` per URS-07 BR-07-08.

#### Worked example G — Site licence expires; auto-suspension and renewal

A laboratory site's ISO 17025 accreditation expires. The site has not renewed in time. Per DEC-09-20, the auto-suspension fires: the site moves to `suspended` with reason `regulatory_concern`; URS-30 alerts the `site_head`, the `site_quality_lead`, and the tenant administrator; mutations on the site are blocked. Two days later, the laboratory submits the renewed accreditation; the site quality lead opens the return-to-active surface and uploads the renewed certificate to URS-12; the `regulatory_oversight_admin` co-signs; the executive authority co-signs (whether or not the site type is high-risk per DEC-09-15, return-to-active from a regulatory-concern suspension always requires executive authority co-sign at site level, given the seriousness); the site returns to `operational`.

#### Worked example H — Cross-site relationship: regulatory alternate

PharmaCorp operates two sterile injectable sites, one primary and one as a `regulatory_alternate_site`. The relationship is captured in Module 9 with electronic signature; the alternate site is qualified to manufacture the same product portfolio under the same DMF; if the primary site enters `suspended` state due to a quality issue, the alternate site can pick up production within the validated scope. The relationship is referenced in URS-07 manufacturing-campaign studies that span the two sites. Inspection plans cover both sites jointly.

### 3.6 Role-permission matrix (Module 9 administrative surface only)

| Action (within Module 9) | viewer | reviewer | quality_lead | auditor | admin | platform_admin | super_admin | Founder | Authority Profile / Site role |
|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|---|
| Read site catalogue (own tenant) | — | ✓ | ✓ | ✓ | ✓ | support / break-glass only | support / break-glass only | ✓ | — |
| Read partner-tenant site (within URS-07 grant) | — | study-role overlay | study-role overlay | study-role overlay | study-role overlay | — | — | — | URS-07 collaboration grant |
| Create site (non-high-risk type) | — | — | ✓ + sign | — | ✓ + sign | support / break-glass only | support / break-glass only | — | `tenant_admin_authority` |
| Create site (high-risk type per DEC-09-15) | — | — | ✓ + sign | — | ✓ + sign | support / break-glass only | support / break-glass only | — | `tenant_admin_authority` (system flags the site as high-risk; executive authority co-sign is required only at activation, return-to-operational from regulatory-concern suspension, and high-risk decommissioning — not at creation) |
| Configure facility hierarchy (during planned) | — | — | site_head | — | site_head | — | — | — | `site_head` |
| Configure cleanroom classification | — | — | site_quality_lead + sign | — | site_quality_lead + sign | — | — | — | `site_quality_lead` + `final_quality_approver` for re-certification |
| Register / update site licence | — | — | — | — | site_head + sign + RA co-sign | — | — | — | `site_head` + `regulatory_oversight_admin` |
| Add site contact | — | — | site_head + sign | — | site_head + sign | — | — | — | `site_head`; URS-28 qualification check |
| Submit site for in-qualification | — | — | site_head + sign | — | site_head + sign | — | — | — | `site_head` |
| Sign site qualification package | — | — | — | — | — | — | — | — | `validation_approver` (and `final_quality_approver` for cleanroom areas) |
| Activate site (non-high-risk) | — | — | independent of creator + sign | — | independent of creator + sign | — | — | — | `site_head` (independent of creator); `validation_approver` co-sign |
| Activate site (high-risk per DEC-09-15) | — | — | — | — | — | — | — | ✓ + sign + MFA (executive authority co-sign) | `site_head` + `validation_approver` + `regulatory_oversight_admin` + executive authority |
| Place site on hold (suspended) | — | — | site_head + sign | — | site_head + sign | — | — | ✓ + sign for regulatory-concern returns | `site_head` (+ executive authority for re-activation if regulatory) |
| Release site hold (return to operational) | — | — | site_head + sign + RA co-sign | — | site_head + sign + RA co-sign | — | — | ✓ + sign for regulatory-concern | `site_head` + `regulatory_oversight_admin` + executive authority for regulatory |
| Initiate inspection register entry | — | — | site_head | — | site_head | — | — | — | `site_head` |
| Sign inspection response submission | — | — | site_quality_lead + sign + independent reviewer | — | site_quality_lead + sign + independent reviewer | — | — | — | `final_regulatory_approver` + independent reviewer per `INSPECTION_RESPONSE_INDEPENDENT_REVIEWER` |
| Configure site-level access overlay | — | — | — | — | ✓ + sign | ✓ + sign | ✓ + sign | — | `tenant_admin_authority` |
| Add / remove site_member (when overlay enabled) | — | — | site_head + sign | — | site_head + sign | — | — | — | `site_head` |
| Initiate site decommissioning | — | — | site_head + sign | — | site_head + sign | — | — | — | `site_head` |
| Sign decommissioning attestation | — | — | site_head + site_quality_lead + RA + executive authority for high-risk | — | site_head + site_quality_lead + RA | — | — | ✓ + sign for high-risk | `site_head` + `site_quality_lead` + `regulatory_oversight_admin` + executive authority for high-risk |
| Manage cross-site relationships | — | — | site_head + sign | — | site_head + sign | — | — | — | `site_head` (both sites) |
| Read per-site discovery view | — | site-role overlay | site-role overlay | ✓ | site-role overlay or `audit:read` | ✓ | ✓ | ✓ | site-role overlay |
| Export per-site discovery | — | — | — | — | site_head + sign + `audit:export` | ✓ + sign | ✓ + sign | — | `site_head` + `audit:export` |

External identities (URS-01 §3.2.3) MAY be added as `site_observer`-equivalent (read of non-confidential content only); they cannot hold site_head, site_quality_lead, or site_member-with-overlay roles.

#### 3.6.1 Platform-identity tenant actions — controlled support / break-glass posture

Per URS-02 §3.6.1 and URS-08 §3.6.1, platform identities (`platform_admin`, `super_admin`) MAY perform tenant-scoped Module 9 actions only under a controlled support / break-glass posture: target tenant identifier, business-justification reason, support-ticket / customer-reference identifier, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit (URS-06 global chain) plus `PLATFORM_TENANT_ACCESS_NOTIFIED` in the target tenant chain, Security Operations Centre alert, customer notification within 24 hours per privacy policy. Use outside the envelope returns `PLATFORM_TENANT_ACCESS_DENIED`.

---

## 4. End-to-End User Journeys

### J-01 — Site creation (non-high-risk type)

- Trigger: tenant administrator initiates a new site.
- Steps: opens site catalogue; creates site with type, sub-classification, legal address, jurisdiction, GxP classification, primary use; system places site in `planned` state; URS-30 notifies tenant administrators.
- Audit: `SITE_CREATED`.

### J-02 — Site creation (high-risk type per DEC-09-15)

- Trigger: tenant administrator initiates a sterile injectable / biologic / controlled-substance / clinical / compounding-pharmacy site.
- Steps: standard creation flow; system flags the high-risk type at activation; activation will require Founder + `validation_approver` + `regulatory_oversight_admin` co-signs.
- Audit: `SITE_CREATED` with `high_risk_flag = true`.

### J-03 — Configure facility hierarchy

- Trigger: site head opens the hierarchy editor during `planned` state.
- Steps: defines campus (optional), buildings, floors, areas, rooms, equipment areas; each level signed; cleanroom classification configured per applicable area / room.
- Audit: `FACILITY_HIERARCHY_PUBLISHED`, `CLEANROOM_CLASSIFICATION_REGISTERED`.

### J-04 — Register site licences

- Trigger: site head registers the regulatory licences held by the site.
- Steps: per-licence form (FDA establishment, EMA, MHRA, CDSCO, Health Canada, DEA, ISO, etc.); evidence document linked to URS-12; effective dates; `regulatory_oversight_admin` co-signs each registration.
- Audit: `SITE_LICENCE_REGISTERED`.

### J-05 — Submit site for in-qualification

- Trigger: site head moves site to `in_qualification` after construction is complete.
- Steps: opens lifecycle surface; reviews qualification readiness checklist; signs through Controlled Approval Modal; URS-07 equipment-qualification study is created (linked); state moves to `in_qualification`.
- Audit: `SITE_MOVED_TO_IN_QUALIFICATION`.

### J-06 — Site qualification package signed

- Trigger: URS-07 equipment-qualification study completes.
- Steps: validation_approver signs the qualification package; site quality lead signs; the qualification status updates to `fully_qualified`.
- Audit: `SITE_QUALIFICATION_PACKAGE_SIGNED`.

### J-07 — Site activation (non-high-risk)

- Trigger: qualification package signed; standard site type.
- Steps: site head (independent of creator per `AUTHOR_NEQ_APPROVER`) signs activation; `validation_approver` co-signs; site moves to `operational`; URS-03 begins computing site-bound discovery; URS-06 captures.
- Audit: `SITE_ACTIVATED`.

### J-08 — Site activation (high-risk per DEC-09-15)

- Trigger: high-risk site type qualification package signed.
- Steps: standard activation flow plus `regulatory_oversight_admin` co-sign + executive authority co-sign with multi-factor step-up; executive authority reviews the high-risk activation pack (qualification evidence, cleanroom certificates, licences, vertical-specific risk register from URS-08 if applicable); state moves to `operational`.
- Audit: `SITE_ACTIVATED` with `high_risk_cosigns_recorded`.

```mermaid
flowchart TD
  A([Site qualification package signed]) --> B{Site type high-risk?}
  B -- no --> C[Site head signs activation independent of creator]
  C --> D[validation_approver co-signs]
  D --> E[SITE_ACTIVATED]
  B -- yes --> F[Site head + validation_approver + regulatory_oversight_admin + executive authority co-sign]
  F --> G[SITE_ACTIVATED with high_risk_cosigns_recorded]
```

### J-09 — Cleanroom re-certification

- Trigger: scheduled re-certification due (default 12 months; 6 months for Annex 1 Grade A/B).
- Steps: certifying organisation runs particle counts and microbiological tests; certificate uploaded to URS-12 via controlled change request; `final_quality_approver` co-signs the updated cleanroom classification record; cleanroom record's `last_certification_date` and `next_certification_due` updated.
- Audit: `CLEANROOM_RECERTIFIED`.

### J-10 — Site licence expiry alert and renewal

- Trigger: site licence approaching `effective_to`.
- Steps: URS-30 alerts site RA contact at T-90, T-30, T-7, T-1; site RA contact submits renewal application to authority; authority issues renewed licence; site head registers renewed licence; `regulatory_oversight_admin` co-signs; previous licence record marked `superseded`; new licence record `current`.
- Audit: `SITE_LICENCE_RENEWED`.

### J-11 — Site licence expiry without renewal — auto-suspension

- Trigger: site licence `effective_to` passed without renewal.
- Steps: scheduled job detects expiry; auto-issues site suspension with reason `regulatory_concern`; URS-30 alerts site head, site quality lead, RA contact, tenant administrator; mutations on the site blocked; cross-site activities affecting this site flagged.
- Audit: `LICENCE_EXPIRED_SITE_SUSPENDED`.

### J-12 — Return to operational from licence-expiry suspension

- Trigger: licence renewed.
- Steps: site head submits renewal evidence; `regulatory_oversight_admin` co-signs; executive authority co-signs; site returns to `operational`.
- Audit: `SITE_RETURNED_TO_OPERATIONAL` with reason `regulatory_concern_resolved`.

### J-13 — Inspection register entry (FDA pre-approval)

- Trigger: regulatory inspection scheduled.
- Steps: site head creates inspection register entry; populates type, dates, lead inspector, scope; URS-30 informs site head, site quality lead, RA contact.
- Audit: `INSPECTION_REGISTER_ENTRY_CREATED`.

### J-14 — Inspection findings logged

- Trigger: inspection completes with findings.
- Steps: site quality lead uploads findings register (e.g., FDA Form 483) to URS-12; populates findings count by classification; CAPAs are opened in URS-12..URS-34 referencing the inspection.
- Audit: `INSPECTION_FINDINGS_LOGGED`.

### J-15 — Inspection response submission

- Trigger: response prepared.
- Steps: site quality lead drafts response; independent reviewer reviews per `INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`; `final_regulatory_approver` signs; submission record created with timestamp and evidence linkage; submitted to authority.
- Audit: `INSPECTION_RESPONSE_SUBMITTED`.

### J-16 — Inspection closure with CAPA

- Trigger: authority acknowledges response and accepts CAPA plan.
- Steps: site head updates inspection record `closure_state = closed_with_capa`; linked CAPAs continue under URS-12..URS-34 closure flows.
- Audit: `INSPECTION_CLOSED` with closure-state.

### J-17 — Site contacts roster update

- Trigger: site head adds / removes a site contact.
- Steps: opens contacts surface; selects contact type and user; system checks URS-28 qualifications appropriate to the role; if missing returns `SITE_CONTACT_QUALIFICATION_MISSING`; if present, signs.
- Audit: `SITE_CONTACT_ADDED` / `SITE_CONTACT_REMOVED`.

### J-18 — Site-level access overlay enabled

- Trigger: tenant administrator enables overlay for a high-sensitivity site.
- Steps: opens site detail, enables overlay; defines `site_member` roster; non-member access subsequently denied with `SITE_CONFIDENTIAL_NOT_MEMBER`.
- Audit: `SITE_ACCESS_OVERLAY_ENABLED`.

### J-19 — Site placed on hold (operational issue)

- Trigger: equipment failure or environmental excursion requires immediate site halt.
- Steps: site head opens hold surface; provides reason; signs; state moves to `suspended`; URS-30 informs tenant administrator and any open URS-07 studies referencing the site.
- Audit: `SITE_SUSPENDED` with reason category.

### J-20 — Site decommissioning initiated

- Trigger: business decision or end-of-life for the site.
- Steps: site head opens decommissioning workflow; system runs pre-decommissioning gate per DEC-09-11.
- Audit: `SITE_DECOMMISSIONING_INITIATED`.

### J-21 — Pre-decommissioning gate blocks

- Trigger: open records / studies / assignments / licences exist.
- Steps: gate returns specific blocker codes with deep-links to URS-12..URS-34, URS-07, URS-05; tenant resolves each.
- Audit: one of `OPEN_RECORDS_BLOCK`, `OPEN_STUDIES_BLOCK`, `OPEN_DELEGATIONS_BLOCK`, or `OPEN_LICENCES_BLOCK` per blocker category.

### J-22 — Site decommissioning completion

- Trigger: gate cleared.
- Steps: site_head, site_quality_lead, regulatory_oversight_admin sign decommissioning attestation; executive authority co-signs for high-risk site types; URS-06 captures `SITE_DECOMMISSIONED`; site moves to `decommissioned`; historical records remain query-accessible.
- Audit: `SITE_DECOMMISSIONED`.

### J-23 — Cross-site relationship registered

- Trigger: site head registers a `regulatory_alternate_site` relationship between two sites.
- Steps: opens relationship surface on site A; selects site B; relationship type; rationale; signs; site B's site head receives URS-30 notification; site B's site head co-signs to accept the relationship; relationship becomes active.
- Audit: `CROSS_SITE_RELATIONSHIP_REGISTERED`.

### J-24 — Site-bound regulated-record discovery

- Trigger: any user with site-role overlay (or auditor) opens the site discovery view.
- Steps: system intersects URS-03 active scope by `site` dimension over the configured window; returns paginated list with type, state, owning module; cross-tenant grant scope respected for partner-tenant viewers.
- Audit: read; `SITE_DISCOVERY_VIEW_OPENED` once per session.

### J-25 — Auditor reads site discovery as inspection-ready evidence

- Trigger: regulatory inspection requests a per-site evidence pack.
- Steps: auditor opens site discovery view; runs full lifetime range; exports through Controlled Approval Modal; receives PDF + JSON bundle with integrity manifest covering every URS-06 chain referenced by the site over the lifetime.
- Audit: `SITE_DISCOVERY_EXPORTED`.

### J-26 — Equipment area definition

- Trigger: site head defines an equipment area (e.g., tablet-press area) within a room.
- Steps: opens hierarchy editor; selects parent room; creates equipment area with `equipment_class`; signs; URS-07 future equipment-qualification studies will reference this area.
- Audit: `EQUIPMENT_AREA_DEFINED`.

### J-27 — Executive break-glass site hold

- Trigger: serious quality signal across multiple regulated records at a site (e.g., Annex 1 finding suggesting widespread issue).
- Steps: Founder uses `global_quality_oversight` per URS-05 to issue immediate site hold; URS-04 override-use ceremony executes; URS-30 alerts site head and tenant administrator; site moves to `suspended` with override reference recorded.
- Audit: `SITE_SUSPENDED` with `override_authority_profile_used = global_quality_oversight`.

### J-28 — Site successor for replacement build

- Trigger: tenant builds a successor site to replace a decommissioning site.
- Steps: tenant administrator creates the new site with `successor_of_site_id` referencing the decommissioned site; standard creation flow; URS-06 captures the linkage; cross-site relationship `successor_of_site_id` automatically registered.
- Audit: `SITE_CREATED` with `successor_of_site_id` populated.

---

## 5. Front-End Expected State

### 5.1 Routes

| Route | Surface | Role / Authority gate | Notes |
|---|---|---|---|
| `/sites` | Site catalogue browser | tenant base role + `audit:read` | filterable by type, lifecycle, jurisdiction, vertical |
| `/sites/new` | Site creation wizard | `tenant_admin_authority` | type-aware wizard; high-risk flag visible |
| `/sites/:id` | Per-site detail (Overview / Hierarchy / Cleanroom / Licences / Inspections / Contacts / Qualification / Discovery / Relationships / Lifecycle) | site-role overlay | tabbed |
| `/sites/:id/hierarchy` | Facility hierarchy editor | `site_head` for write; auditor for read | campus → site → building → area → room → equipment-area |
| `/sites/:id/cleanroom` | Cleanroom classification register | `site_quality_lead` for write; auditor for read | per area / room |
| `/sites/:id/licences` | Site licence and certification register | `site_head` + `regulatory_oversight_admin` | re-verification cadence shown |
| `/sites/:id/inspections` | Inspection register | `site_head` for write; auditor for read | linked to URS-07 audit-study where applicable |
| `/sites/:id/contacts` | Site contacts roster | `site_head` for write; auditor for read | URS-28 qualification linkage |
| `/sites/:id/discovery` | Site-bound regulated-record discovery view | site-role overlay or `audit:read` | rolling 24m default; full lifetime for inspection |
| `/sites/:id/relationships` | Cross-site relationships | `site_head` (both sides) | requires bilateral signature |
| `/sites/:id/lifecycle` | Lifecycle transitions | `site_head` + co-signers per state | high-risk sites require executive authority co-sign |
| `/sites/:id/decommission` | Decommissioning workflow | `site_head` + `site_quality_lead` + RA + executive authority for high-risk | gate, attestation |
| `/sites/:id/access-overlay` | Site-level access overlay management | `tenant_admin_authority` | enable/disable + roster |
| `/admin/sites/equipment-areas` | Cross-site equipment-area inventory | tenant administrator | summary report |
| `/admin/sites/inspection-calendar` | Cross-site inspection schedule and history | tenant administrator | calendar view |
| `/admin/sites/licence-expiry-timeline` | Cross-site licence expiry timeline | tenant administrator + RA | timeline report |
| `/admin/sites/qualification-status` | Cross-site qualification status dashboard | tenant administrator + validation | dashboard |

### 5.2 Component requirements

- **Site catalogue browser** — high-density list with type chips, lifecycle badges, jurisdiction flags, vertical chips, qualification status; filters by type, lifecycle, jurisdiction, vertical, qualification status, last-inspection-date, licence-expiry-window.
- **Site creation wizard** — multi-step: identity (name, display id, type, sub-classification) → GxP classification → legal address + geolocation → jurisdiction + time zone → primary use → vertical classification → parent campus (optional) → review → submit. The wizard surfaces high-risk flag prominently when relevant.
- **Per-site detail (tabbed)** — Overview, Hierarchy, Cleanroom, Licences, Inspections, Contacts, Qualification, Discovery, Relationships, Lifecycle. Lifecycle banner across the top. High-risk site warning where applicable.
- **Hierarchy editor** — drag-and-drop tree editor for campus → site → building → area → room → equipment-area; each level read / write per role; cleanroom classification badges where applicable.
- **Cleanroom classification register** — table per area / room with ISO 14644 class + Annex 1 grade + at-rest / in-operation limits; certificate timeline; next-due indicator; re-certification scheduling.
- **Licence and certification register** — table with licence type, number, authority, dates, evidence link; expiring-soon highlights; re-verification cadence shown; renewal workflow.
- **Inspection register** — chronological list with type, dates, scope, findings count by classification, closure state; deep-links to URS-12 evidence and URS-07 audit-study.
- **Contacts roster** — per role (site_head, site_quality_lead, qp, etc.); URS-28 qualification status badge per contact.
- **Discovery view** — paginated list of records intersecting site scope; module / type / state columns; manual-label badges; export with electronic signature.
- **Relationships graph** — visual graph of cross-site relationships; edge labels show relationship type and date.
- **Lifecycle transitions** — per-transition surface with the appropriate co-sign requirements; Controlled Approval Modal.
- **Decommissioning surface** — pre-decommissioning gate; remediation list deep-links; attestation wizard with co-signatures.
- **Site-level access overlay** — toggle + member roster management.

### 5.3 Accessibility and internationalisation

- WCAG 2.1 Level AA across every Module 9 surface.
- Site type names, GxP classifications, lifecycle states translated; `display_id` and identifiers remain canonical.
- Date / time displayed in user time zone; stored UTC; ISO 8601.
- Cleanroom classification visualised with both ISO 14644 and Annex 1 references where applicable.
- Cross-tenant content (visible via URS-07 grant) clearly distinguished.

---

## 6. Back-End Expected State

### 6.1 Domain entities

- `sites` — the canonical site record per DEC-09-03.
- `site_facility_hierarchy` — campus / building / area / room / equipment-area entries per DEC-09-02.
- `site_cleanroom_classifications` — per-area cleanroom classification records per DEC-09-04.
- `site_licences` — site licence and certification register per DEC-09-05.
- `site_inspections` — per-site regulatory inspection register per DEC-09-08.
- `site_contacts` — per-site contacts roster per DEC-09-10.
- `site_qualification_status` — computed per-site qualification posture per DEC-09-09.
- `cross_site_relationships` — relationships per DEC-09-12.
- `site_lifecycle_events` — append-only lifecycle transition log.
- `site_member_roster` — site-level access overlay membership per DEC-09-14.
- `site_decommissioning_runs` — per-decommissioning workflow record.

### 6.1.1 Diagram 6.1-A — Module 9 entity-relationship overview

```mermaid
erDiagram
  SITES ||--o{ SITE_FACILITY_HIERARCHY : has
  SITE_FACILITY_HIERARCHY ||--o{ SITE_CLEANROOM_CLASSIFICATIONS : classified_by
  SITES ||--o{ SITE_LICENCES : holds
  SITES ||--o{ SITE_INSPECTIONS : inspected_by
  SITES ||--o{ SITE_CONTACTS : contacts
  SITES ||--o| SITE_QUALIFICATION_STATUS : qualifies_via
  SITES ||--o{ CROSS_SITE_RELATIONSHIPS : related_to
  SITES ||--o{ SITE_LIFECYCLE_EVENTS : lifecycle_log
  SITES ||--o| SITE_MEMBER_ROSTER : access_overlay
  SITES ||--o| SITE_DECOMMISSIONING_RUNS : decommissioned_via
  SITE_INSPECTIONS }o--o| URS_07_STUDIES : may_link_to_audit_study
  SITE_LICENCES }o--|| URS_12_DOCUMENTS : evidence_in
  SITE_INSPECTIONS }o--|| URS_12_DOCUMENTS : findings_register_in
  SITE_CONTACTS }o--o| URS_28_QUALIFICATIONS : qualified_via
  CROSS_SITE_RELATIONSHIPS }o--|| SITES : references_target
```

### 6.1.2 Diagram 6.1-B — Site lifecycle state machine

```mermaid
stateDiagram-v2
  [*] --> planned : SITE_CREATED
  planned --> in_qualification : SITE_MOVED_TO_IN_QUALIFICATION
  planned --> withdrawn : SITE_WITHDRAWN
  in_qualification --> operational : SITE_ACTIVATED
  operational --> suspended : SITE_SUSPENDED
  suspended --> operational : SITE_RETURNED_TO_OPERATIONAL
  operational --> decommissioned : SITE_DECOMMISSIONED
  suspended --> decommissioned : SITE_DECOMMISSIONED
  withdrawn --> [*]
  decommissioned --> [*]
```

### 6.1.3 Diagram 6.1-C — Site scope feeds URS-03 active scope intersection

```mermaid
flowchart LR
  M9[Module 9 site identifier + active window] --> U3[URS-03 active scope resolver]
  R[Regulated record with site in scope] --> U3
  U3 --> I{Intersection within site active window?}
  I -- yes --> D[Discoverable from site]
  I -- no --> ND[Not discoverable]
```
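The flowchart above states the discovery rule; what it leaves implicit is that three intervals have to overlap, not two: the record's binding to the `site` scope dimension, the site's active window (`activated_at` to `decommissioned_at`), and the query window (rolling 24 months by default, full lifetime for inspection per the 5.1 route notes), with the partner-tenant grant check from BR-09-16 applied before any of that. The following is an added worked example, not code from the Verixa project; the `ScopeBinding` and `Viewer` shapes, the `TENANT_MISMATCH` reason and the sample site and records are constructed assumptions, and the reason codes are illustrative rather than the URS-03 resolver's own.

```python
"""Site-bound record discovery by active-window intersection (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
NOW = datetime(2026, 5, 6, tzinfo=UTC)   # constructed "today" for the sample data


@dataclass(frozen=True)
class Site:
    site_id: str
    tenant_id: str
    activated_at: datetime                  # entry to `operational`
    decommissioned_at: Optional[datetime]   # None while the site is live


@dataclass(frozen=True)
class ScopeBinding:
    """A regulated record's binding on the `site` dimension (assumed shape of the URS-03 view)."""
    record_id: str
    tenant_id: str
    site_id: str
    bound_from: datetime
    bound_to: Optional[datetime]            # None = still bound


@dataclass(frozen=True)
class Viewer:
    tenant_id: str
    granted_site_ids: frozenset = frozenset()   # URS-07 grant scope (assumed shape)


def intersect(a, b):
    """Intersection of two half-open intervals (start, end); end=None is open-ended.
    Returns the overlapping interval, or None when the intervals do not overlap."""
    start = max(a[0], b[0])
    ends = [e for e in (a[1], b[1]) if e is not None]
    end = min(ends) if ends else None
    if end is not None and start >= end:
        return None
    return (start, end)


def months_back(dt, months):
    """Calendar-month subtraction; day clamped to 28 so the result always exists."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month0 = divmod(total, 12)
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, 28))


def query_window(site, now, full_lifetime=False, months=24):
    """Rolling 24-month default; full lifetime for inspection (5.1 route notes)."""
    if full_lifetime:
        return (site.activated_at, site.decommissioned_at)
    return (max(site.activated_at, months_back(now, months)), site.decommissioned_at)


def discoverable(binding, site, viewer, window):
    """Return (bool, reason) for one record against one site, viewer and query window."""
    if binding.site_id != site.site_id:
        return False, "NOT_BOUND_TO_SITE"
    if binding.tenant_id != site.tenant_id:          # defensive RLS check (assumed)
        return False, "TENANT_MISMATCH"
    # BR-09-16: partner-tenant viewers only see sites inside the URS-07 grant scope.
    if viewer.tenant_id != site.tenant_id and site.site_id not in viewer.granted_site_ids:
        return False, "OUTSIDE_GRANT_SCOPE"
    # Diagram 6.1-C: the binding must overlap the site's *active* window ...
    hit = intersect((binding.bound_from, binding.bound_to),
                    (site.activated_at, site.decommissioned_at))
    if hit is None:
        return False, "OUTSIDE_SITE_ACTIVE_WINDOW"
    # ... and that overlap must itself fall inside the requested query window.
    if intersect(hit, window) is None:
        return False, "OUTSIDE_QUERY_WINDOW"
    return True, "DISCOVERABLE"


def discover(bindings, site, viewer, window):
    """Record ids discoverable from the site, in input order."""
    return [b.record_id for b in bindings if discoverable(b, site, viewer, window)[0]]


def sample_site():
    return Site("site-0001", "tenant-A", datetime(2024, 1, 1, tzinfo=UTC), None)


def sample_bindings():
    """Constructed sample: one live record, one bound before activation, one old and closed."""
    return [
        ScopeBinding("rec-live", "tenant-A", "site-0001", datetime(2024, 2, 1, tzinfo=UTC), None),
        ScopeBinding("rec-pre", "tenant-A", "site-0001",
                     datetime(2023, 6, 1, tzinfo=UTC), datetime(2023, 12, 1, tzinfo=UTC)),
        ScopeBinding("rec-old", "tenant-A", "site-0001",
                     datetime(2024, 2, 1, tzinfo=UTC), datetime(2024, 3, 1, tzinfo=UTC)),
    ]
```

The order of checks matters: tenant and grant gating come before any window arithmetic, so a partner-tenant viewer outside the grant gets the same negative answer for every record and cannot probe binding dates through timing or reason codes. Note also that `rec-pre` is bound to the site but never overlaps its active window, so it is not discoverable even on a full-lifetime inspection query; that is the distinction the flowchart's decision node is making.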

### 6.1.4 Diagram 6.1-D — Cleanroom certification re-verification cycle

```mermaid
flowchart TD
  A[Cleanroom classification active] --> B[next_certification_due watched by URS-30]
  B --> C[Reminders T-30 T-7 T-1]
  C --> D{Re-certification performed?}
  D -- yes --> E[CLEANROOM_RECERTIFIED with new evidence and dates]
  D -- no by due date --> F[CLEANROOM_CERTIFICATION_LAPSED escalates to regulatory_concern site suspension]
  E --> A
```

### 6.2 Data model requirements

| Entity | Purpose | Key fields | Required | Unique | Tenant isolation | Versioning | Retention | Soft-delete | Audit | E-sig link |
|---|---|---|---|---|---|---|---|---|---|---|
| `sites` | Canonical site record per DEC-09-03 | `id`, `tenant_id`, `name`, `display_id`, `site_type`, `site_subtype`, `gxp_classification`, `legal_address_jsonb`, `geolocation_jsonb`, `jurisdiction`, `time_zone`, `primary_use`, `parent_campus_id` (nullable), `vertical_classification_jsonb`, `lifecycle_state`, `created_by`, `created_at`, `activated_at` (operational entry), `decommissioned_at`, `successor_of_site_id` (nullable), `high_risk_flag` | per-state per DEC-09-02 | unique(`tenant_id`, `display_id`); unique(`tenant_id`, `name`) | RLS on `tenant_id` | stateful + append-only audit | per regulatory framework retention (typically 25 years for GMP sites; 10 years for warehouses) | yes (decommissioned / withdrawn preserved) | yes (per state) | yes (per state) |
| `site_facility_hierarchy` | Campus / building / area / room / equipment-area entries | `id`, `tenant_id`, `site_id`, `level` (`campus` / `building` / `area` / `room` / `equipment_area`), `parent_id` (nullable for top), `name`, `display_id`, `equipment_class` (only for equipment_area), `gxp_subclassification`, `created_at`, `created_by`, `created_e_sig_id`, `withdrawn_at` (nullable; for retired areas) | core required | unique(`site_id`, `parent_id`, `name`) | RLS via site | append-only with retirement | per site retention | yes (retirement preserves) | yes | yes |
| `site_cleanroom_classifications` | Per-area cleanroom classification | `id`, `tenant_id`, `site_id`, `hierarchy_id` (FK area / room), `iso_14644_class`, `eu_gmp_annex1_grade`, `at_rest_particle_limits_jsonb`, `in_operation_particle_limits_jsonb`, `microbiological_limits_jsonb`, `last_certification_date`, `next_certification_due`, `certification_evidence_document_id`, `certifying_organisation`, `re_certification_cadence_months`, `current_status` (`current` / `expired` / `pending_recertification`), `published_e_sig_id` | core required | unique active(`site_id`, `hierarchy_id`); unique(`record_hash`) where applicable | RLS via site | versioned (immutable per certification cycle) | per site retention | not applicable | yes | yes |
| `site_licences` | Site licence and certification register | `id`, `tenant_id`, `site_id`, `licence_type`, `licence_number`, `issuing_authority`, `effective_from`, `effective_to`, `evidence_document_id`, `re_verification_cadence_months`, `last_verified_at`, `current_status`, `superseded_by_licence_id` (nullable), `created_e_sig_id`, `ra_co_sign_e_sig_id` | all | unique active(`site_id`, `licence_type`, `licence_number`) | RLS via site | stateful | retain (long-term) | yes (revoked / surrendered preserved) | yes | yes |
| `site_inspections` | Per-site regulatory inspection register | `id`, `tenant_id`, `site_id`, `inspection_type`, `inspecting_authority`, `dates_jsonb`, `lead_inspector_identity`, `scope_jsonb`, `findings_count_by_classification_jsonb`, `findings_register_document_id`, `response_register_document_id`, `closure_state`, `final_outcome`, `linked_audit_study_id` (URS-07; nullable), `created_e_sig_id`, `closed_e_sig_id` (nullable) | core required | unique(`site_id`, `id`) | RLS via site | stateful | retain (long-term) | not applicable | yes | yes (per stage) |
| `site_contacts` | Per-site contacts roster | `id`, `tenant_id`, `site_id`, `contact_type`, `user_id` (nullable; for Verixa user), `external_contact_jsonb` (nullable; for external), `qualification_evidence_link_ids_jsonb`, `effective_from`, `effective_to` (nullable), `assigned_e_sig_id`, `removed_at` (nullable), `removed_e_sig_id` (nullable) | core required | unique active(`site_id`, `contact_type`) | RLS via site | stateful | per site retention | yes | yes | yes |
| `site_qualification_status` | Computed per-site qualification posture | `site_id`, `iq_signed_at`, `oq_signed_at`, `pq_signed_at`, `qualification_status`, `requalification_due_at`, `linked_validation_study_ids_jsonb` (URS-07), `last_computed_at` | all | unique(`site_id`) | RLS via site | re-computed on URS-07 study close-out | per site retention | not applicable | yes | not applicable |
| `cross_site_relationships` | Cross-site relationship records | `id`, `tenant_id`, `from_site_id`, `to_site_id`, `relationship_type` (per DEC-09-12), `rationale`, `effective_from`, `effective_to` (nullable), `from_site_signed_e_sig_id`, `to_site_signed_e_sig_id`, `revoked_at` (nullable), `revoked_e_sig_id` (nullable), `revocation_reason` (nullable) | core required | unique active(`from_site_id`, `to_site_id`, `relationship_type`) | RLS via either side | stateful | retain (long-term) | yes (revoked preserved) | yes | yes |
| `site_lifecycle_events` | Append-only lifecycle transition log | `id`, `tenant_id`, `site_id`, `from_state`, `to_state`, `event_code`, `signature_set_jsonb` (derived read snapshot only), `reason_jsonb`, `audit_log_id` (FK URS-06), `triggered_at`, `previous_hash`, `record_hash` | all | unique(`site_id`, `id`); unique(`record_hash`) | RLS via site | append-only | retain (long-term) | not applicable | yes | yes |
| `site_member_roster` | Site-level access overlay roster per DEC-09-14 | `id`, `tenant_id`, `site_id`, `user_id`, `effective_from`, `effective_to` (nullable), `assigned_e_sig_id`, `removed_at` (nullable), `removed_e_sig_id` (nullable) | core required | unique active(`site_id`, `user_id`) | RLS via site | stateful | per site retention | yes | yes | yes |
| `site_decommissioning_runs` | Per-decommissioning workflow record | `id`, `tenant_id`, `site_id`, `initiated_at`, `gate_check_results_jsonb`, `gate_cleared_at`, `attestation_signed_e_sig_ids_jsonb` (site_head, site_quality_lead, regulatory_oversight_admin, founder for high-risk — derived read snapshot only; authoritative multi-signature evidence is stored in the module signature-slot table), `state`, `decommissioned_at` | per-state | unique(`site_id`) | RLS via site | stateful | retain (long-term) | not applicable | yes | yes (per stage) |
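The `site_lifecycle_events` row above carries `previous_hash` and `record_hash`, which makes the transition log a hash chain: each record commits to its own content and to the hash of the record before it, so editing, deleting or reordering a past transition breaks every later link. The following is an added worked example, not code from the Verixa project, showing one way to build and verify such a chain; it assumes SHA-256 over canonical JSON of the hashed fields, a genesis sentinel of 64 zero characters for the first record of a site, and that `signature_set_jsonb` is excluded from the hash because the table marks it as a derived read snapshot. The sample transitions and identifiers are constructed.

```python
"""Tamper-evident hash chaining for site_lifecycle_events (added illustration)."""
import hashlib
import json

GENESIS_HASH = "0" * 64   # assumed sentinel for the first event of a site's chain

# Fields covered by the hash. `signature_set_jsonb` is a derived read snapshot
# per the data model table, so it is deliberately left out.
HASHED_FIELDS = ("site_id", "from_state", "to_state", "event_code",
                 "reason_jsonb", "audit_log_id", "triggered_at", "previous_hash")


def canonical_bytes(event):
    """Canonical JSON: sorted keys, no whitespace, ASCII-escaped.
    The same event dict always serialises to the same bytes."""
    subset = {k: event.get(k) for k in HASHED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def compute_record_hash(event):
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def append_event(chain, event):
    """Append `event` to `chain`, linking it to the previous record_hash."""
    previous = chain[-1]["record_hash"] if chain else GENESIS_HASH
    linked = dict(event, previous_hash=previous)
    linked["record_hash"] = compute_record_hash(linked)
    chain.append(linked)
    return linked


def verify_chain(chain):
    """Return (ok, index_of_first_bad_record_or_None).
    Checks linkage (previous_hash) and integrity (record_hash) of every record."""
    expected_prev = GENESIS_HASH
    for i, ev in enumerate(chain):
        if ev.get("previous_hash") != expected_prev:
            return False, i
        if compute_record_hash(ev) != ev.get("record_hash"):
            return False, i
        expected_prev = ev["record_hash"]
    return True, None


def build_sample_chain():
    """Constructed sample: three transitions for one site, following Diagram 6.1-B."""
    chain = []
    transitions = [
        ("planned", "in_qualification", "SITE_MOVED_TO_IN_QUALIFICATION", "2026-05-06T09:00:00Z"),
        ("in_qualification", "operational", "SITE_ACTIVATED", "2026-06-01T10:30:00Z"),
        ("operational", "suspended", "SITE_SUSPENDED", "2026-07-15T14:05:00Z"),
    ]
    for n, (frm, to, code, ts) in enumerate(transitions, start=1):
        append_event(chain, {
            "site_id": "site-0001",             # constructed identifier
            "from_state": frm,
            "to_state": to,
            "event_code": code,
            "reason_jsonb": {"reason": f"step {n}"},
            "audit_log_id": f"audit-{n:04d}",   # constructed URS-06 FK
            "triggered_at": ts,
        })
    return chain


def tamper_demo():
    """Edit a past transition and show where verification fails."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["to_state"] = "decommissioned"     # silent edit of a past transition
    ok_after, bad_index = verify_chain(chain)
    # An attacker who also recomputes the edited record's hash only moves the
    # break forward: the next record still points at the old hash.
    chain[1]["record_hash"] = compute_record_hash(chain[1])
    _, bad_after_rehash = verify_chain(chain)
    return ok_before, ok_after, bad_index, bad_after_rehash
```

Two practical caveats. First, the chain detects edits and deletions in the middle but not truncation from the tail; to catch that, the latest `record_hash` of each site's chain has to be anchored somewhere the writer does not control, for example in the URS-06 global chain that BR-09-18 already requires. Second, the hash must be computed over a canonical encoding; hashing a database row's native JSON text would make verification depend on key order and whitespace, and a reformatting migration would then look like tampering.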

### 6.3 API requirements

#### 6.3.1 Site catalogue and lifecycle

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/sites` | tenant-scoped | filters | `Site[]` | tenant base role + `audit:read` | `SITE_CATALOGUE_VIEW_OPENED` once per session | none |
| GET | `/sites/:id` | tenant-scoped or partner-tenant per URS-07 grant | none | full site detail | site-role overlay or grant scope | none | `NOT_FOUND` |
| POST | `/sites` | administrator | site identity (electronic-signed) | `201` (state `planned`) | `tenant_admin_authority` (system flags the site as high-risk where applicable; executive authority co-sign is required only at activation, return-to-operational, or high-risk decommissioning — not at creation) | `SITE_CREATED` | `STATE_NOT_ALLOWED`, validation |
| POST | `/sites/:id/move-to-in-qualification` | site head | reason (electronic-signed) | `200` | `site_head` | `SITE_MOVED_TO_IN_QUALIFICATION` | `STATE_NOT_PLANNED` |
| POST | `/sites/:id/activate` | site head (independent of creator) + co-signers per type | reason (electronic-signed + MFA + co-signs) | `200` | `site_head` (independent) + `validation_approver` (+ executive authority + `regulatory_oversight_admin` for high-risk) | `SITE_ACTIVATED` | `STATE_NOT_IN_QUALIFICATION`, `APPROVER_IS_CREATOR`, `MISSING_FOUNDER_COSIGN`, `MISSING_RA_COSIGN`, `MISSING_VALIDATION_COSIGN`, `QUALIFICATION_PACKAGE_NOT_SIGNED` |
| POST | `/sites/:id/suspend` | site head | `{reason}` (electronic-signed) | `200` | `site_head` | `SITE_SUSPENDED` | `STATE_NOT_OPERATIONAL` |
| POST | `/sites/:id/return-to-operational` | site head + co-signers per reason | resolution evidence (electronic-signed + co-signs) | `200` | `site_head` + per-reason | `SITE_RETURNED_TO_OPERATIONAL` | `STATE_NOT_SUSPENDED`, `RESOLUTION_EVIDENCE_MISSING` |
| POST | `/sites/:id/withdraw` | site head | reason (electronic-signed) | `200` | `site_head` | `SITE_WITHDRAWN` | `STATE_NOT_PLANNED` |

#### 6.3.2 Facility hierarchy and cleanroom

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/sites/:id/hierarchy` | tenant-scoped | none | hierarchy tree | site-role overlay | none | none |
| POST | `/sites/:id/hierarchy/:level` | site head | hierarchy node fields (electronic-signed) | `201` | `site_head` | `FACILITY_HIERARCHY_NODE_CREATED` | `STATE_NOT_PLANNED_OR_OPERATIONAL`, validation |
| POST | `/sites/:id/hierarchy/:nodeId/retire` | site head | reason (electronic-signed) | `200` | `site_head` | `FACILITY_HIERARCHY_NODE_RETIRED` | `STATE_NOT_ACTIVE` |
| GET | `/sites/:id/cleanroom` | tenant-scoped | none | cleanroom records by area | site-role overlay | none | none |
| POST | `/sites/:id/cleanroom/:hierarchyId` | site quality lead + final quality approver | classification fields + evidence (electronic-signed + co-sign) | `201` | `site_quality_lead` + `final_quality_approver` | `CLEANROOM_CLASSIFICATION_REGISTERED` | validation |
| POST | `/sites/:id/cleanroom/:hierarchyId/recertify` | site quality lead + final quality approver | new certificate (electronic-signed + co-sign) | `200` | `site_quality_lead` + `final_quality_approver` | `CLEANROOM_RECERTIFIED` | `RECERTIFICATION_NOT_DUE` (warning), `EVIDENCE_MISSING` |

#### 6.3.3 Licences and inspections

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/sites/:id/licences` | tenant-scoped | none | `SiteLicence[]` | site-role overlay or `audit:read` | none | none |
| POST | `/sites/:id/licences` | site head + RA co-sign | licence fields + evidence (electronic-signed + co-sign) | `201` | `site_head` + `regulatory_oversight_admin` | `SITE_LICENCE_REGISTERED` | validation |
| POST | `/sites/:id/licences/:licenceId/renew` | site head + RA co-sign | new licence + evidence (electronic-signed + co-sign) | `200` | `site_head` + `regulatory_oversight_admin` | `SITE_LICENCE_RENEWED` | validation |
| POST | `/sites/:id/licences/:licenceId/surrender` | site head + RA co-sign | reason (electronic-signed + co-sign) | `200` | `site_head` + `regulatory_oversight_admin` | `SITE_LICENCE_SURRENDERED` | `STATE_NOT_CURRENT` |
| GET | `/sites/:id/inspections` | tenant-scoped | filters | `SiteInspection[]` | site-role overlay or `audit:read` | none | none |
| POST | `/sites/:id/inspections` | site head | inspection identity fields (electronic-signed) | `201` | `site_head` | `INSPECTION_REGISTER_ENTRY_CREATED` | validation |
| POST | `/sites/:id/inspections/:inspId/log-findings` | site quality lead | findings register link (electronic-signed) | `200` | `site_quality_lead` | `INSPECTION_FINDINGS_LOGGED` | validation |
| POST | `/sites/:id/inspections/:inspId/submit-response` | site quality lead + independent reviewer + final regulatory approver | response submission (electronic-signed + reviewer + approver) | `200` | `site_quality_lead` + independent reviewer + `final_regulatory_approver` | `INSPECTION_RESPONSE_SUBMITTED` | `MISSING_INDEPENDENT_REVIEWER`, `INVALID_RESPONSE_AUTHORITY` |
| POST | `/sites/:id/inspections/:inspId/close` | site head | closure metadata (electronic-signed) | `200` | `site_head` | `INSPECTION_CLOSED` | `STATE_NOT_RESPONDED` |

#### 6.3.4 Contacts, members, relationships

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/sites/:id/contacts` | tenant-scoped | none | roster | site-role overlay | none | none |
| POST | `/sites/:id/contacts` | site head | `{contactType, userId or externalContact}` (electronic-signed) | `201` | `site_head` | `SITE_CONTACT_ADDED` | `SITE_CONTACT_QUALIFICATION_MISSING` |
| POST | `/sites/:id/contacts/:contactId/remove` | site head | reason (electronic-signed) | `200` | `site_head` | `SITE_CONTACT_REMOVED` | validation |
| GET | `/sites/:id/access-overlay` | tenant-scoped | none | roster + state | `tenant_admin_authority` | none | none |
| POST | `/sites/:id/access-overlay/enable` | tenant administrator | initial roster (electronic-signed) | `200` | `tenant_admin_authority` | `SITE_ACCESS_OVERLAY_ENABLED` | validation |
| POST | `/sites/:id/access-overlay/members` | site head | `{userId}` (electronic-signed) | `201` | `site_head` | `SITE_MEMBER_ADDED` | validation |
| POST | `/sites/:id/access-overlay/members/:memberId/remove` | site head | reason (electronic-signed) | `200` | `site_head` | `SITE_MEMBER_REMOVED` | validation |
| GET | `/sites/:id/relationships` | tenant-scoped | none | `CrossSiteRelationship[]` | site-role overlay | none | none |
| POST | `/sites/:id/relationships` | site head (from-site) | `{toSiteId, type, rationale}` (electronic-signed) | `201` | `site_head` (from-site) + `site_head` (to-site, accept) | `CROSS_SITE_RELATIONSHIP_PROPOSED` | validation |
| POST | `/sites/:id/relationships/:relId/accept` | site head (to-site) | reason (electronic-signed) | `200` | `site_head` (to-site) | `CROSS_SITE_RELATIONSHIP_REGISTERED` | `STATE_NOT_PROPOSED` |
| POST | `/sites/:id/relationships/:relId/revoke` | site head (either side) | reason (electronic-signed) | `200` | `site_head` (either side) | `CROSS_SITE_RELATIONSHIP_REVOKED` | `STATE_NOT_ACTIVE` |

#### 6.3.5 Discovery, qualification, decommissioning

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/sites/:id/discovery` | tenant-scoped or partner-tenant per grant | filters | `DiscoveryRecord[]` | site-role overlay or `audit:read` | `SITE_DISCOVERY_VIEW_OPENED` once per session | none |
| POST | `/sites/:id/discovery/export` | site head + `audit:export` | filters + format (electronic-signed) | signed download URL + integrity manifest | `site_head` + `audit:export` | `SITE_DISCOVERY_EXPORTED` | none |
| GET | `/sites/:id/qualification-status` | tenant-scoped | none | qualification status | site-role overlay | none | none |
| POST | `/sites/:id/decommission/initiate` | site head | reason (electronic-signed) | `200` | `site_head` | `SITE_DECOMMISSIONING_INITIATED` | one of `OPEN_RECORDS_BLOCK`, `OPEN_STUDIES_BLOCK`, `OPEN_DELEGATIONS_BLOCK`, `OPEN_LICENCES_BLOCK` per blocker category |
| GET | `/sites/:id/decommission/gate-status` | site head / auditor | none | gate result | `site_head` / `audit:read` | none | none |
| POST | `/sites/:id/decommission/sign-attestation` | site head + site_quality_lead + RA + executive authority for high-risk | attestation (electronic-signed + co-signs) | `200` | site_head + site_quality_lead + `regulatory_oversight_admin` + executive authority for high-risk | `SITE_DECOMMISSIONED` | `MISSING_COSIGN`, `GATE_NOT_CLEARED` |

### 6.4 Workflow / lifecycle requirements

| Workflow | Step | Time-to-live or timer | Auto-action | Reminder |
|---|---|---|---|---|
| Cleanroom re-certification | per cadence | continuous | escalate to `regulatory_concern` site suspension if lapsed | T-30, T-7, T-1 |
| Site licence renewal | per `effective_to` | continuous | auto-suspend on expiry per DEC-09-20 | T-90, T-30, T-7, T-1 |
| Re-qualification | per cadence | continuous | URS-30 alert; URS-07 study creation prompt | T-90, T-30, T-7 |
| Inspection response | per regulatory framework SLA (typically 15 working days for FDA 483) | per type | escalate to `regulatory_oversight_admin` + executive authority | T-7, T-3, T-1 |
| Decommissioning gate watch | none | continuous | surfaces remediation list when blockers exist | none |
| KYC re-verification correlation (URS-08) | annual | continuous | cross-correlate site licences with tenant pharma licences | per URS-08 schedule |

### 6.5 Business rules

- **BR-09-01** — Site activation requires the activator to be **independent of the site creator** per `AUTHOR_NEQ_APPROVER`; bypass returns `403 APPROVER_IS_CREATOR`.
- **BR-09-02** — High-risk site type activation requires executive authority co-sign + `validation_approver` co-sign + `regulatory_oversight_admin` co-sign per DEC-09-15.
- **BR-09-03** — Cleanroom classification configuration requires `site_quality_lead` + `final_quality_approver` co-sign; re-certification requires the same co-sign.
- **BR-09-04** — Site licence registration requires `regulatory_oversight_admin` co-sign; site licence renewal preserves history (previous record marked `superseded`).
- **BR-09-05** — Site licence expiry without renewal triggers auto-suspension with reason `regulatory_concern` per DEC-09-20.
- **BR-09-06** — Cleanroom certification lapse (past `next_certification_due` without re-certification) escalates to site `regulatory_concern` suspension.
- **BR-09-07** — Site contacts MUST link to URS-28 qualifications appropriate to their role and the site's GxP classification; missing returns `SITE_CONTACT_QUALIFICATION_MISSING`.
- **BR-09-08** — `site_head` and `site_quality_lead` MUST be distinct users per `SITE_HEAD_NEQ_QUALITY_LEAD`.
- **BR-09-09** — Inspection response submission requires an **independent reviewer** per `INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`; the reviewer cannot be named in the inspection findings.
- **BR-09-10** — Pre-decommissioning gate per DEC-09-11 MUST clear all blockers before decommissioning attestation can be signed.
- **BR-09-11** — Decommissioning attestation requires `site_head` + `site_quality_lead` + `regulatory_oversight_admin` co-signs; high-risk site types additionally require executive authority co-sign.
- **BR-09-12** — Cross-site relationships require bilateral signatures (both sites' site heads).
- **BR-09-13** — Site-level access overlay enabled per DEC-09-14 enforces `403 SITE_CONFIDENTIAL_NOT_MEMBER` for non-members.
- **BR-09-14** — Site-bound regulated-record discovery is computed by URS-03 active-scope intersection on the `site` scope dimension.
- **BR-09-15** — Module 9 mutations are blocked when tenant lifecycle (URS-08) is anything other than `active` per URS-08 BR-08-20.
- **BR-09-16** — Cross-tenant site visibility (partner-tenant sites) is restricted to URS-07 collaboration grant scope; outside the grant, partner-tenant sites are not visible.
- **BR-09-17** — Audit-log writes are atomic with the originating action per URS-04 BR-04-15 / URS-06 BR-06-01.
- **BR-09-18** — Site lifecycle events emit dual audit per URS-08 DEC-08-18 (tenant chain + global chain).
- **BR-09-19** — Successor sites preserve linkage to decommissioned predecessors via `successor_of_site_id`; URS-06 captures the linkage.
- **BR-09-20** — Equipment areas at launch are definitions only; runtime equipment data is the responsibility of a forward equipment-management module; exact module number is an external program dependency.
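Diagram 6.1-B fixes which transitions exist; BR-09-01, BR-09-02, BR-09-08, BR-09-10 and BR-09-11 fix who may sign them. The two belong in one guard, evaluated before any state is written, so that an unreachable transition and an inadequate signature set are rejected by the same code path. The following is an added worked example, not code from the Verixa project: the transition table is copied from Diagram 6.1-B and the role names and error codes from the 6.3 endpoint tables, but the `Site` and `Signature` shapes, the `attempt` helper and the `DUPLICATE_COSIGNER` rule (one person may not fill two co-sign slots in the same ceremony, a strengthening the URS does not state) are assumptions. The URS-04 electronic-signature and MFA ceremony itself is out of scope here; the guard assumes each `Signature` has already been verified.

```python
"""Lifecycle transition guard with separation-of-duties checks (added illustration)."""
from dataclasses import dataclass

# Transition table taken from Diagram 6.1-B: (from_state, event_code) -> to_state.
TRANSITIONS = {
    ("planned", "SITE_MOVED_TO_IN_QUALIFICATION"): "in_qualification",
    ("planned", "SITE_WITHDRAWN"): "withdrawn",
    ("in_qualification", "SITE_ACTIVATED"): "operational",
    ("operational", "SITE_SUSPENDED"): "suspended",
    ("suspended", "SITE_RETURNED_TO_OPERATIONAL"): "operational",
    ("operational", "SITE_DECOMMISSIONED"): "decommissioned",
    ("suspended", "SITE_DECOMMISSIONED"): "decommissioned",
}

# Co-sign roles per ceremony (BR-09-02, BR-09-11); other events need site_head only.
REQUIRED_ROLES = {
    "SITE_ACTIVATED": {"site_head", "validation_approver"},
    "SITE_DECOMMISSIONED": {"site_head", "site_quality_lead", "regulatory_oversight_admin"},
}
HIGH_RISK_EXTRA = {
    "SITE_ACTIVATED": {"executive_authority", "regulatory_oversight_admin"},
    "SITE_DECOMMISSIONED": {"executive_authority"},
}


class TransitionDenied(Exception):
    """Carries the URS error code the endpoint would return."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


@dataclass
class Site:
    site_id: str
    lifecycle_state: str
    created_by: str
    high_risk_flag: bool = False
    decommission_gate_cleared: bool = False   # outcome of the DEC-09-11 gate


@dataclass(frozen=True)
class Signature:
    user_id: str
    role: str


def missing_code(event_code, missing):
    """Map a missing co-sign role to the error code listed for the endpoint."""
    if event_code == "SITE_ACTIVATED":
        if "executive_authority" in missing:
            return "MISSING_FOUNDER_COSIGN"
        if "regulatory_oversight_admin" in missing:
            return "MISSING_RA_COSIGN"
        if "validation_approver" in missing:
            return "MISSING_VALIDATION_COSIGN"
    return "MISSING_COSIGN"


def guard_transition(site, event_code, signatures):
    """Return the target state or raise TransitionDenied; checks run in policy order."""
    sources = [f for (f, e) in TRANSITIONS if e == event_code]
    if site.lifecycle_state not in sources:
        # Endpoints name the single expected state; multi-source events fall back.
        raise TransitionDenied(f"STATE_NOT_{sources[0].upper()}" if len(sources) == 1
                               else "STATE_NOT_ALLOWED")

    roles_by_user = {}
    for s in signatures:
        roles_by_user.setdefault(s.user_id, set()).add(s.role)
    for roles in roles_by_user.values():
        if {"site_head", "site_quality_lead"} <= roles:          # BR-09-08
            raise TransitionDenied("SITE_HEAD_NEQ_QUALITY_LEAD")
        if len(roles) > 1:    # assumed: one signer never fills two co-sign slots
            raise TransitionDenied("DUPLICATE_COSIGNER")

    if event_code == "SITE_ACTIVATED":                            # BR-09-01
        if any(s.role == "site_head" and s.user_id == site.created_by for s in signatures):
            raise TransitionDenied("APPROVER_IS_CREATOR")

    if event_code == "SITE_DECOMMISSIONED" and not site.decommission_gate_cleared:
        raise TransitionDenied("GATE_NOT_CLEARED")                 # BR-09-10

    required = set(REQUIRED_ROLES.get(event_code, {"site_head"}))
    if site.high_risk_flag:
        required |= HIGH_RISK_EXTRA.get(event_code, set())
    missing = required - {s.role for s in signatures}
    if missing:
        raise TransitionDenied(missing_code(event_code, missing))
    return TRANSITIONS[(site.lifecycle_state, event_code)]


def attempt(site, event_code, signatures):
    """Apply the transition in place and return the new state, or return the denial code."""
    try:
        site.lifecycle_state = guard_transition(site, event_code, signatures)
        return site.lifecycle_state
    except TransitionDenied as err:
        return err.code
```

The state check runs first so that a caller cannot learn which co-signatures a ceremony needs for a site that is not in a state where the ceremony is allowed at all; the separation-of-duties checks run before the completeness check for the same reason. In a real deployment the guard, the `site_lifecycle_events` append and the URS-06 audit write would execute in one transaction, as BR-09-17 requires.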

### 6.6 Audit trail requirements

Module 9 governance event vocabulary (canonical launch list; every code MUST have at least one writer and one regression test; adding a code is a Class 3 change):

`SITE_CREATED`, `SITE_MOVED_TO_IN_QUALIFICATION`, `SITE_QUALIFICATION_PACKAGE_SIGNED`, `SITE_ACTIVATED`, `SITE_SUSPENDED`, `SITE_RETURNED_TO_OPERATIONAL`, `SITE_DECOMMISSIONING_INITIATED`, `SITE_DECOMMISSIONING_BLOCKED_BY_OPEN_RECORDS`, `SITE_DECOMMISSIONING_BLOCKED_BY_OPEN_STUDIES`, `SITE_DECOMMISSIONING_BLOCKED_BY_OPEN_DELEGATIONS`, `SITE_DECOMMISSIONING_BLOCKED_BY_OPEN_LICENCES`, `SITE_DECOMMISSIONED`, `SITE_WITHDRAWN`, `FACILITY_HIERARCHY_NODE_CREATED`, `FACILITY_HIERARCHY_NODE_RETIRED`, `CLEANROOM_CLASSIFICATION_REGISTERED`, `CLEANROOM_RECERTIFIED`, `CLEANROOM_CERTIFICATION_LAPSED`, `SITE_LICENCE_REGISTERED`, `SITE_LICENCE_RENEWED`, `SITE_LICENCE_SURRENDERED`, `SITE_LICENCE_TRANSFERRED`, `LICENCE_EXPIRED_SITE_SUSPENDED`, `INSPECTION_REGISTER_ENTRY_CREATED`, `INSPECTION_FINDINGS_LOGGED`, `INSPECTION_RESPONSE_SUBMITTED`, `INSPECTION_CLOSED`, `SITE_CONTACT_ADDED`, `SITE_CONTACT_REMOVED`, `SITE_ACCESS_OVERLAY_ENABLED`, `SITE_ACCESS_OVERLAY_DISABLED`, `SITE_MEMBER_ADDED`, `SITE_MEMBER_REMOVED`, `SITE_CONFIDENTIAL_ACCESS_DENIED` (forensic), `CROSS_SITE_RELATIONSHIP_PROPOSED`, `CROSS_SITE_RELATIONSHIP_REGISTERED`, `CROSS_SITE_RELATIONSHIP_REVOKED`, `EQUIPMENT_AREA_DEFINED`, `EQUIPMENT_AREA_RETIRED`, `SITE_QUALIFICATION_RECOMPUTED`, `SITE_DISCOVERY_VIEW_OPENED` (coarse; once per session), `SITE_DISCOVERY_EXPORTED`, `SITE_CATALOGUE_VIEW_OPENED` (coarse), `SUCCESSOR_SITE_CREATED`, `PLATFORM_TENANT_ACCESS_USED`, `PLATFORM_TENANT_ACCESS_DENIED`.

### 6.7 Record versioning and class-of-change governance

- Versioned (immutable per published version): `site_cleanroom_classifications` (per certification cycle).
- Stateful with append-only audit history: `sites`, `site_facility_hierarchy` (additions append; retirements preserve), `site_licences`, `site_inspections`, `site_contacts`, `cross_site_relationships`, `site_member_roster`, `site_decommissioning_runs`.
- Append-only (never updated in place): `site_lifecycle_events`, hash-chained through `previous_hash` / `record_hash` per 6.2.
- Soft-delete: `sites` (decommissioned / withdrawn preserved), facility hierarchy nodes (retirement preserves), `cross_site_relationships` (revoked preserved).

---

## 7. Cross-Module Wiring and Change-Impact

### 7.1 Cross-module wiring

#### Diagram 7-A — Module 9 in the suite

```mermaid
graph LR
  subgraph M9 [Module 9 — Site & Facility Management]
    CAT[Site Catalogue]
    HIER[Facility Hierarchy]
    CLEAN[Cleanroom Classification]
    LIC[Licences]
    INSP[Inspections]
    CON[Contacts]
    LCY[Lifecycle]
    DEC[Decommissioning]
  end

  M3[URS-03 Active Scope] <--> CAT
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> CAT
  M6[URS-06 Audit Substrate] --> LCY
  M7[URS-07 Study] <--> CAT
  M8[URS-08 Tenant Lifecycle] --> CAT
  M12[URS-12 Document Control] <--> LIC
  M28[URS-28 Training Management & Qualification] --> CON
  M30[URS-30 Notifications] --> INSP
  M30 --> LCY
  CAT --> M14[URS-14..URS-34 Domain modules]
  M14 -- Records bind to sites at creation --> CAT
```

URS-03 active-scope intersection consumes the `site` scope dimension; URS-07 study scope can include sites; URS-05 Authority Profile assignments can scope-bind to sites; URS-06 audits every Module 9 lifecycle event in dual chains per URS-08 DEC-08-18; URS-08 tenant lifecycle gates Module 9 mutations; URS-12 holds licence and inspection evidence; URS-28 owns site-contact qualifications; URS-30 routes site notifications. Every regulated record across URS-12..URS-34 binds to a site at creation and contributes to the site's discovery view.

### 7.2 Change-Impact Matrix (CIM)

| Change | Class | Impact on (modules) | Required revalidation |
|---|---|---|---|
| Add site type or sub-classification (DEC-09-01) | 1 | URS-04 templates referencing the type; URS-12 master-file templates | Full regression |
| Add facility hierarchy level (DEC-09-02) | 1 | URS-03 scope intersection; forward equipment-management integration | Full regression |
| Add cleanroom classification standard | 1 | regulatory mapping; certification flows | Full regression |
| Add high-risk site type to list (DEC-09-15) | 2 | activation flow | Targeted regression |
| Add licence type to launch list (DEC-09-05) | 2 | URS-08 KYC correlation; URS-30 reminders | Targeted regression |
| Add inspection type | 3 | URS-30 routing | Unit regression |
| Change cleanroom certification cadence default | 3 | URS-30 schedule | Unit regression |
| Change auto-suspend window for licence expiry | 3 | URS-30 schedule | Unit regression |
| Add audit event code | 3 | URS-06 | Writer-presence regression |
| Add contact type (DEC-09-10) | 3 | URS-30 routing; URS-28 qualification rule | Unit regression |
| Add cross-site relationship type (DEC-09-12) | 2 | UI relationship graph | Targeted regression |
| UI copy or layout change | 4 | none | Visual regression |

### 7.3 Cross-module dependencies (consumed by Module 9)

| Dependency | Source | Impact | Blocking? |
|---|---|---|---|
| Authentication, MFA step-up | URS-01 | Substrate | Blocking |
| Effective permissions | URS-02 | Base role gate | Blocking |
| Active scope | URS-03 | Discovery, scope binding | Blocking |
| Workflow / e-sig ceremony | URS-04 | Lifecycle signatures | Blocking |
| Authority resolver, scope dimensions registry | URS-05 | Site role overlay; executive authority | Blocking |
| Audit substrate | URS-06 | Audit | Blocking |
| Study management | URS-07 | Equipment-qualification studies; cross-tenant grants | Blocking |
| Tenant lifecycle | URS-08 | Mutation gating | Blocking |
| Document control | URS-12 | Licence and inspection evidence | Blocking |
| Qualification register | URS-28 | Site contact qualification | Blocking |
| Notifications | URS-30 | Reminders, escalations | Non-blocking (direct e-mail fallback) |
| Backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ |
| Forward roadmap: Equipment Management | forward equipment-management module — exact module number is an external program dependency | Equipment record binding to areas | Forward (post-launch) |
| Forward roadmap: Environmental Monitoring | URS-25 Environmental Monitoring (with any continuous-monitoring extension tracked as a program dependency) | Cleanroom continuous monitoring | Forward |

---

## 8. AI / Automation / Human-in-the-Loop Controls

Module 9 contains **no AI / ML components** in the catalogue, hierarchy, cleanroom, licence, inspection, contacts, lifecycle, or discovery paths. AI suggestions in URS-32 / MIRA that inform site management (e.g., recommending a cleanroom classification based on intended use, surfacing inspection-pattern insights) are advisory only and MUST set `ai_advisory = true` per URS-06 DEC-06-15.

The HITL lifecycle is owned by URS-04. Module 9 consumes the Controlled Approval Modal for every electronic signature. Static analysis MUST verify zero references to LLM SDKs in Module 9 source per CLAUDE.md QS-21.

---

## 9. Reports, Dashboards, and Exports

| Report | Purpose | Audience | Format |
|---|---|---|---|
| Per-tenant site catalogue | Inventory and lifecycle posture | Tenant administrator, auditor | CSV + PDF |
| Per-site dashboard | Lifecycle, hierarchy, cleanroom, licences, contacts, qualification, inspections | Site members, auditor | PDF + JSON |
| Site-bound regulated-record discovery | Inspection-ready list per site | Site head, auditor, inspector | PDF + JSON + integrity manifest |
| Cleanroom certification timeline | Per-tenant per-site re-certification calendar | Site quality leads, auditor | Calendar + CSV |
| Site licence expiry timeline | Per-tenant per-site licence renewal calendar | Site RA contacts, tenant admin | Timeline + CSV |
| Inspection register | Per-tenant cross-site inspection history | Tenant administrator, auditor | CSV + PDF |
| Cross-site relationships graph | Visual relationship map | Tenant administrator | Graph |
| Qualification status dashboard | Per-tenant cross-site qualification posture | Validation lead, auditor | Dashboard |
| Decommissioning register | Past decommissionings | Tenant administrator, auditor | CSV + PDF |
| Site contacts directory | Per-tenant directory of named site contacts | Tenant administrator, RA | CSV + PDF |
| Equipment-area inventory | Per-tenant cross-site equipment area listing | Engineering | CSV |
| Founder activation high-risk-site register | High-risk site activations with executive authority co-signs | Founder, QA, RA | PDF |

Every export routes through the Controlled Approval Modal, carries an electronic signature, is served through a signed download URL with a 15-minute TTL unless a stricter TTL is specified, and is accompanied by an integrity manifest per URS-06 DEC-06-10.

---

## 10. Notifications and Queues

| Trigger | Recipient | Channel | Latency |
|---|---|---|---|
| Site created | tenant administrators | URS-30 in-app + e-mail | within 60 seconds |
| Site moved to in-qualification | site head, validation lead | URS-30 in-app + e-mail | within 60 seconds |
| Site activated | tenant administrators, site members, executive authority for high-risk | URS-30 in-app + e-mail | within 60 seconds |
| Site suspended | site head, tenant administrators, cross-site related sites | URS-30 in-app + e-mail | within 60 seconds |
| Site returned to operational | site head, tenant administrators | URS-30 in-app + e-mail | within 60 seconds |
| Site decommissioned | tenant administrators, related-site contacts | URS-30 in-app + e-mail | within 60 seconds |
| Cleanroom re-certification due | site quality lead, certifying organisation contact | URS-30 in-app + e-mail | T-30, T-7, T-1 |
| Cleanroom certification lapsed | site quality lead, site head, RA contact, tenant admin | URS-30 in-app + e-mail; SOC chat | within 60 seconds |
| Licence renewal approaching | site RA contact, site head, tenant admin | URS-30 in-app + e-mail | T-90, T-30, T-7, T-1 |
| Licence expired | site RA contact, site head, tenant admin, executive authority | URS-30 in-app + e-mail; SOC chat | within 60 seconds |
| Inspection scheduled | site head, site quality lead, RA contact | URS-30 in-app + e-mail | within 60 seconds |
| Inspection findings logged | site quality lead, RA contact | URS-30 in-app + e-mail | within 60 seconds |
| Inspection response due | site quality lead, RA contact | URS-30 in-app + e-mail | T-7, T-3, T-1 |
| Cross-site relationship proposed | to-site head | URS-30 in-app + e-mail | within 60 seconds |
| Site-level access overlay enabled | site members | URS-30 in-app + e-mail | within 60 seconds |
| Re-qualification due | site head, validation lead | URS-30 in-app + e-mail | T-90, T-30, T-7 |
| Decommissioning gate failure | site head | URS-30 in-app + e-mail (synchronous response) | immediate |

---

## 11. Error Handling and Negative Paths

### 11.1 Error envelope

Every error response uses the standard envelope: a human-readable message, a machine-readable code in upper-snake-case, optional structured details, and the request correlation identifier.

### 11.2 Error-code catalogue

| Code | HTTP | Path | UI behaviour |
|---|---|---|---|
| HIGH_RISK_TYPE_REQUIRES_FOUNDER | 401 | site activate / decommission | open executive authority co-sign request |
| MISSING_FOUNDER_COSIGN | 401 | high-risk site lifecycle | open executive authority co-sign request |
| MISSING_RA_COSIGN | 401 | site licence registration / activation / decommissioning | open RA co-sign request |
| MISSING_VALIDATION_COSIGN | 401 | site activation | open `validation_approver` co-sign request |
| QUALIFICATION_PACKAGE_NOT_SIGNED | 409 | site activation | inline error citing the missing qualification |
| APPROVER_IS_CREATOR | 403 | site activation | inline error citing AUTHOR_NEQ_APPROVER |
| SITE_HEAD_NEQ_QUALITY_LEAD | 403 | site role assignment | inline error |
| INSPECTION_RESPONSE_INDEPENDENT_REVIEWER_REQUIRED | 401 | inspection response submit | open independent reviewer route |
| MISSING_INDEPENDENT_REVIEWER | 401 | inspection response submit | inline error |
| SITE_CONTACT_QUALIFICATION_MISSING | 400 | site contact add | inline error citing required URS-28 evidence |
| RECERTIFICATION_NOT_DUE | 200 (warning) | cleanroom recertify | warning banner |
| EVIDENCE_MISSING | 400 | cleanroom recertify / licence registration | inline error |
| RESOLUTION_EVIDENCE_MISSING | 400 | site return to operational | inline error |
| OPEN_RECORDS_BLOCK | 409 | decommissioning initiation | inline list with deep-links |
| OPEN_STUDIES_BLOCK | 409 | decommissioning initiation | inline list with deep-links |
| OPEN_DELEGATIONS_BLOCK | 409 | decommissioning initiation | inline list with deep-links |
| OPEN_LICENCES_BLOCK | 409 | decommissioning initiation | inline list with deep-links |
| GATE_NOT_CLEARED | 409 | decommissioning attestation | inline message |
| MISSING_COSIGN | 401 | various | open co-signer route |
| STATE_NOT_PLANNED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_IN_QUALIFICATION | 409 | lifecycle endpoints | inline error |
| STATE_NOT_OPERATIONAL | 409 | lifecycle endpoints | inline error |
| STATE_NOT_SUSPENDED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_PROPOSED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_ACTIVE | 409 | lifecycle endpoints | inline error |
| STATE_NOT_RESPONDED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_CURRENT | 409 | lifecycle endpoints | inline error |
| SITE_CONFIDENTIAL_NOT_MEMBER | 403 | site-confidential read by non-member | inline error |
| TENANT_NOT_ACTIVE | 403 | any Module 9 mutation when tenant not `active` | banner |
| LICENCE_EXPIRED | 422 | licence registration / verification | inline error |
| AUDIT_TRAIL_WRITE_FAILED | 500 | any state-changing action | toast; the originating action did NOT commit |
| PLATFORM_TENANT_ACCESS_DENIED | 403 | platform identity outside support envelope | inline error; SOC alert |

### 11.3 Negative-path catalogue

| Scenario | Detection | Response | UI behaviour |
|---|---|---|---|
| Site activation by creator | back end | `403 APPROVER_IS_CREATOR` | inline error |
| High-risk site activation without executive authority co-sign | back end | `401 HIGH_RISK_TYPE_REQUIRES_FOUNDER` | open executive authority co-sign |
| Site activation without qualification package | back end | `409 QUALIFICATION_PACKAGE_NOT_SIGNED` | inline error |
| `site_head` and `site_quality_lead` same user | back end | `403 SITE_HEAD_NEQ_QUALITY_LEAD` | inline error |
| Inspection response without independent reviewer | back end | `401 INSPECTION_RESPONSE_INDEPENDENT_REVIEWER_REQUIRED` | open reviewer route |
| Site contact missing URS-28 qualification | back end | `400 SITE_CONTACT_QUALIFICATION_MISSING` | inline error |
| Cleanroom certification lapsed | scheduled | `CLEANROOM_CERTIFICATION_LAPSED`; auto-suspend; SOC alert | banner |
| Licence expired | scheduled | `LICENCE_EXPIRED_SITE_SUSPENDED`; auto-suspend | banner; URS-30 to RA |
| Decommissioning with open records / studies / delegations / licences | back end | one of `409 OPEN_RECORDS_BLOCK`, `409 OPEN_STUDIES_BLOCK`, `409 OPEN_DELEGATIONS_BLOCK`, `409 OPEN_LICENCES_BLOCK` per blocker category | inline list |
| Mutation when tenant not `active` | back end | `403 TENANT_NOT_ACTIVE` | banner |
| Site-confidential read by non-member | back end | `403 SITE_CONFIDENTIAL_NOT_MEMBER` | inline error |
| Audit-write failure mid-decision | back end | `500 AUDIT_TRAIL_WRITE_FAILED` | toast; the regulated decision did NOT commit |

---

## 12. Security, Privacy, and Tenant Isolation

### 12.1 Authentication dependency

URS-09 is reached only through an authenticated session per URS-01. Every Module 9 mutation goes through the URS-04 Controlled Approval Modal with electronic signature; high-risk lifecycle transitions (high-risk site activation, decommissioning, return-to-operational from regulatory-concern, licence registration / surrender / transfer, cleanroom re-certification of Annex 1 Grade A/B) require multi-factor step-up.

### 12.2 Authorisation pipeline

`authenticate hook → tenant hook → rbac hook → context gate hook → site-membership overlay hook → esigService.createSignature where applicable → module9 surface action`. Module 9 owns the site-membership overlay hook position.

### 12.3 Tenant isolation

Every site query routes through TDAL with tenant context bound, and row-level security (RLS) is enforced on `sites.tenant_id`. Cross-tenant visibility is restricted to URS-07 collaboration grant scope, and every cross-tenant access emits `CROSS_TENANT_STUDY_ACCESS_USED` per URS-07.
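The §12.2 hook order and the §12.3 isolation rules, as an added example that is not Verixa project code: a pure pipeline over an in-memory request context in which the tenant hook binds the tenant context every later query must carry, and the site-membership overlay hook applies `SITE_CONFIDENTIAL_NOT_MEMBER` and the URS-07 grant scope. Field names, the grant shape, the audit sink, the assumed codes `NOT_AUTHENTICATED` / `PERMISSION_DENIED` / `OUTSIDE_GRANT_SCOPE`, and the decision to keep the overlay in force for grant-scoped reads are assumptions; e-signature creation is omitted.

```typescript
// Added example, not Verixa project code: the §12.2 hook order modelled as a
// pure pipeline over an in-memory request context. The tenant hook binds the
// tenant context that every later query must carry (the TDAL / RLS boundary of
// §12.3); the site-membership overlay hook applies SITE_CONFIDENTIAL_NOT_MEMBER
// and the URS-07 grant scope. Field names, the grant shape, the audit sink and
// the codes NOT_AUTHENTICATED / PERMISSION_DENIED / OUTSIDE_GRANT_SCOPE are
// assumptions; e-signature creation is omitted.

interface Session { authenticated: boolean; userId: string; tenantId: string; permissions: string[]; }
interface Site { siteId: string; tenantId: string; confidential: boolean; members: string[]; }
// URS-07 collaboration grant: the partner tenant may see the listed lead-tenant sites.
interface Grant { studyId: string; leadTenantId: string; partnerTenantId: string; siteIds: string[]; }
interface Deny { httpStatus: number; code: string; }

interface RequestCtx {
  session: Session;
  tenantState: string;                          // URS-08 state of the caller's tenant
  action: { permission: string; mutation: boolean };
  site: Site;
  grants: Grant[];
  boundTenantId?: string;                       // set by the tenant hook (TDAL tenant context)
  audit: string[];                              // audit event codes emitted (stand-in for URS-06)
}
type Hook = (ctx: RequestCtx) => Deny | null;

const authenticateHook: Hook = (ctx) =>
  ctx.session.authenticated ? null : { httpStatus: 401, code: "NOT_AUTHENTICATED" };

const tenantHook: Hook = (ctx) => {
  ctx.boundTenantId = ctx.session.tenantId;     // RLS on sites.tenant_id keys off this value
  return null;
};

const rbacHook: Hook = (ctx) =>
  ctx.session.permissions.indexOf(ctx.action.permission) >= 0
    ? null
    : { httpStatus: 403, code: "PERMISSION_DENIED" };

// URS-08 BR-08-20: mutations are blocked unless the tenant is active.
const contextGateHook: Hook = (ctx) =>
  ctx.action.mutation && ctx.tenantState !== "active"
    ? { httpStatus: 403, code: "TENANT_NOT_ACTIVE" }
    : null;

const siteMembershipOverlayHook: Hook = (ctx) => {
  const { site, session } = ctx;
  if (site.tenantId !== ctx.boundTenantId) {
    // Cross-tenant read: only inside a URS-07 grant that names this site.
    const grant = ctx.grants.find((g) =>
      g.leadTenantId === site.tenantId &&
      g.partnerTenantId === ctx.boundTenantId &&
      g.siteIds.indexOf(site.siteId) >= 0);
    if (!grant) return { httpStatus: 403, code: "OUTSIDE_GRANT_SCOPE" };
    ctx.audit.push("CROSS_TENANT_STUDY_ACCESS_USED");
  }
  // Opt-in site-level overlay: only the member roster may read (kept in force for grant reads; assumed).
  if (site.confidential && site.members.indexOf(session.userId) < 0) {
    ctx.audit.push("SITE_CONFIDENTIAL_ACCESS_DENIED");
    return { httpStatus: 403, code: "SITE_CONFIDENTIAL_NOT_MEMBER" };
  }
  return null;
};

const PIPELINE: Hook[] = [authenticateHook, tenantHook, rbacHook, contextGateHook, siteMembershipOverlayHook];

/** Runs the hooks in §12.2 order; the first denial short-circuits the chain. */
function authorise(ctx: RequestCtx): Deny | null {
  for (const hook of PIPELINE) {
    const deny = hook(ctx);
    if (deny) return deny;
  }
  return null;
}

// Constructed sample: user "u-member" of tenant "t-lead" reading confidential site "site-A".
function sampleCtx(overrides: Partial<RequestCtx> = {}): RequestCtx {
  return {
    session: { authenticated: true, userId: "u-member", tenantId: "t-lead", permissions: ["site:read"] },
    tenantState: "active",
    action: { permission: "site:read", mutation: false },
    site: { siteId: "site-A", tenantId: "t-lead", confidential: true, members: ["u-member"] },
    grants: [],
    audit: [],
    ...overrides,
  };
}
```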

### 12.4 Encryption

At rest: legal addresses, geolocations, contact PII, licence numbers and inspection findings may contain regulated content and are protected by RLS plus KMS-managed encryption at the storage layer, with tenant residency per URS-08. In transit: TLS 1.2 or higher.

### 12.5 Logging hygiene

Logs scrub passwords, MFA tokens and, where applicable, contact PII fields. Structured logs carry the correlation identifier on every request.

### 12.6 Privacy and data residency

Inherits tenant data-residency configuration from URS-08. Site contacts roster may contain personal data subject to privacy regulation (GDPR for EU sites, DPDP for India sites, etc.); Module 9 respects the residency.

### 12.7 Periodic access review

Per URS-05 §12.7: site role overlays (`site_head`, `site_quality_lead`, `site_member`) are reviewed annually; reviewer attests continuation per role; rejections trigger removal.

### 12.8 Periodic audit-trail review

Per URS-06 DEC-06-14: high-risk Module 9 events triaged within one business day: `SITE_ACTIVATED` for high-risk types; `SITE_SUSPENDED` for `regulatory_concern`; `LICENCE_EXPIRED_SITE_SUSPENDED`; `CLEANROOM_CERTIFICATION_LAPSED`; `SITE_DECOMMISSIONED` for high-risk types; `INSPECTION_RESPONSE_SUBMITTED`.

### 12.9 Security-operations alert thresholds

| Pattern | Threshold | Severity | Channel |
|---|---|---|---|
| `LICENCE_EXPIRED_SITE_SUSPENDED` | any single event | critical | SOC chat + RA Lead + executive authority |
| `CLEANROOM_CERTIFICATION_LAPSED` | any single event | high | SOC chat + Site Quality Lead + executive authority for sterile sites |
| `SITE_SUSPENDED` reason `regulatory_concern` | any single event | high | SOC chat + RA Lead + executive authority |
| `SITE_ACTIVATED` for high-risk type | any single event | informational (real-time) | SOC chat + executive authority |
| `SITE_DECOMMISSIONED` for high-risk type | any single event | informational (real-time) | SOC chat + executive authority |
| `SITE_CONFIDENTIAL_ACCESS_DENIED` cluster | five per user per hour | medium | SOC e-mail digest |
| `INSPECTION_RESPONSE_SUBMITTED` | any single event | informational (real-time) | SOC chat + RA Lead |
| `PLATFORM_TENANT_ACCESS_USED` for Module 9 | any single event | informational (real-time) | SOC chat |
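The threshold table above as detection logic, an added example that is not Verixa project code: it evaluates a constructed audit-event stream, raising each single-event pattern on sight and the `SITE_CONFIDENTIAL_ACCESS_DENIED` cluster only when a user accumulates five denials inside a sliding one-hour window. The event shape, the timestamps, the high-risk site-type list (DEC-09-15 is not reproduced on this page) and the choice to re-arm the cluster counter after each alert are assumptions; severities and channels are taken from the table.

```typescript
// Added example, not Verixa project code: evaluates a constructed audit-event
// stream against the §12.9 threshold table. The event shape, the timestamps,
// the high-risk site-type list (DEC-09-15 is not reproduced on this page) and
// the choice to re-arm the cluster counter after each alert are assumptions;
// severities and channels are taken from the table.

interface AuditEvent {
  code: string;
  userId: string;
  at: number;             // epoch milliseconds, server-set
  siteType?: string;      // on SITE_ACTIVATED / SITE_DECOMMISSIONED
  reason?: string;        // on SITE_SUSPENDED
  sterile?: boolean;      // on CLEANROOM_CERTIFICATION_LAPSED
}

type Severity = "critical" | "high" | "medium" | "informational";
interface SocAlert { pattern: string; severity: Severity; channel: string; userId: string; }

const HIGH_RISK_SITE_TYPES: ReadonlySet<string> = new Set(["sterile_injectable"]); // assumed list
const CLUSTER_WINDOW_MS = 60 * 60 * 1000;  // "per hour"
const CLUSTER_THRESHOLD = 5;               // "five per user"

/** Single-event patterns: any one matching event raises an alert. */
function singleEventAlert(e: AuditEvent): SocAlert | null {
  switch (e.code) {
    case "LICENCE_EXPIRED_SITE_SUSPENDED":
      return { pattern: e.code, severity: "critical", userId: e.userId,
               channel: "SOC chat + RA Lead + executive authority" };
    case "CLEANROOM_CERTIFICATION_LAPSED":
      return { pattern: e.code, severity: "high", userId: e.userId,
               channel: e.sterile ? "SOC chat + Site Quality Lead + executive authority"
                                  : "SOC chat + Site Quality Lead" };
    case "SITE_SUSPENDED":
      return e.reason === "regulatory_concern"
        ? { pattern: "SITE_SUSPENDED reason regulatory_concern", severity: "high", userId: e.userId,
            channel: "SOC chat + RA Lead + executive authority" }
        : null;
    case "SITE_ACTIVATED":
    case "SITE_DECOMMISSIONED":
      return e.siteType !== undefined && HIGH_RISK_SITE_TYPES.has(e.siteType)
        ? { pattern: `${e.code} for high-risk type`, severity: "informational", userId: e.userId,
            channel: "SOC chat + executive authority" }
        : null;
    case "INSPECTION_RESPONSE_SUBMITTED":
      return { pattern: e.code, severity: "informational", userId: e.userId, channel: "SOC chat + RA Lead" };
    case "PLATFORM_TENANT_ACCESS_USED":
      return { pattern: e.code, severity: "informational", userId: e.userId, channel: "SOC chat" };
    default:
      return null;
  }
}

/** Evaluates events in time order; the confidential-access cluster uses a sliding one-hour window per user. */
function evaluateAlerts(events: AuditEvent[]): SocAlert[] {
  const alerts: SocAlert[] = [];
  const recentDenials = new Map<string, number[]>();
  const ordered = events.slice().sort((a, b) => a.at - b.at);
  for (const e of ordered) {
    const single = singleEventAlert(e);
    if (single) alerts.push(single);
    if (e.code !== "SITE_CONFIDENTIAL_ACCESS_DENIED") continue;
    // Keep only this user's denials that are still inside the window, then count this one.
    const inWindow = (recentDenials.get(e.userId) || []).filter((t) => e.at - t < CLUSTER_WINDOW_MS);
    inWindow.push(e.at);
    if (inWindow.length >= CLUSTER_THRESHOLD) {
      alerts.push({ pattern: "SITE_CONFIDENTIAL_ACCESS_DENIED cluster", severity: "medium",
                    channel: "SOC e-mail digest", userId: e.userId });
      recentDenials.set(e.userId, []);          // re-arm so the next five raise a fresh digest entry
    } else {
      recentDenials.set(e.userId, inWindow);
    }
  }
  return alerts;
}

// Constructed sample stream (not real audit data): one user probing a confidential
// site five times in five minutes, one user whose denials never reach five in an hour,
// plus single-event patterns with and without their qualifying attribute.
function sampleStream(): AuditEvent[] {
  const t0 = Date.UTC(2026, 4, 6, 9, 0, 0);
  const minute = 60 * 1000;
  const events: AuditEvent[] = [];
  for (let i = 0; i < 5; i++) {
    events.push({ code: "SITE_CONFIDENTIAL_ACCESS_DENIED", userId: "u-probe", at: t0 + i * minute });
  }
  for (let i = 0; i < 5; i++) {
    events.push({ code: "SITE_CONFIDENTIAL_ACCESS_DENIED", userId: "u-slow", at: t0 + i * 20 * minute });
  }
  events.push({ code: "LICENCE_EXPIRED_SITE_SUSPENDED", userId: "system", at: t0 + 7 * minute });
  events.push({ code: "SITE_SUSPENDED", userId: "u-ra", at: t0 + 8 * minute, reason: "regulatory_concern" });
  events.push({ code: "SITE_SUSPENDED", userId: "u-ra", at: t0 + 9 * minute, reason: "other" }); // constructed non-regulatory reason
  events.push({ code: "SITE_ACTIVATED", userId: "u-founder", at: t0 + 10 * minute, siteType: "sterile_injectable" });
  events.push({ code: "SITE_ACTIVATED", userId: "u-head", at: t0 + 11 * minute, siteType: "warehouse" });
  return events;
}
```

Run against `sampleStream()` the evaluator returns four alerts: one medium cluster entry for `u-probe`, one critical, one high and one informational; `u-slow` never trips the cluster rule because no five of its denials fall inside one hour.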

### 12.10 Self-modification block

A user MUST NOT activate a site they themselves created (`AUTHOR_NEQ_APPROVER`). A user MUST NOT occupy both `site_head` and `site_quality_lead` for the same site (`SITE_HEAD_NEQ_QUALITY_LEAD`). A user named in inspection findings MUST NOT be the sole signer of the inspection response submission (`INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`).
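The separation-of-duty rules above and the site-activation error codes of §11.2 as gate functions, an added example that is not Verixa project code: each function returns the §11.1 envelope for the first failing check or `null` when the gate is cleared. The request shape, the order in which the checks run and the high-risk type list (DEC-09-15 is not reproduced on this page) are assumptions.

```typescript
// Added example, not Verixa project code: pure gate functions for the §11.2
// error codes raised by site activation, site role assignment and inspection
// response, returning the §11.1 envelope for the first failing check or null
// when the gate is cleared. Request shape, check order and the high-risk type
// list (DEC-09-15 is not reproduced on this page) are assumptions.

type Role =
  | "site_head"
  | "site_quality_lead"
  | "validation_approver"
  | "regulatory_oversight_admin"
  | "founder";

interface Signature { userId: string; role: Role; }

interface ActivationRequest {
  siteId: string;
  siteType: string;
  siteState: string;                 // lifecycle state, e.g. "in_qualification"
  tenantState: string;               // URS-08 tenant lifecycle state
  createdBy: string;                 // user who created the site record
  qualificationPackageSigned: boolean;
  signatures: Signature[];           // captured by the Controlled Approval Modal
}

interface ErrorEnvelope {
  message: string;                   // human-readable
  code: string;                      // machine code, upper-snake-case
  httpStatus: number;
  details?: Record<string, unknown>;
  correlationId: string;
}

const HIGH_RISK_TYPES: ReadonlySet<string> = new Set(["sterile_injectable"]); // assumed list

function envelope(code: string, httpStatus: number, message: string,
                  correlationId: string, details?: Record<string, unknown>): ErrorEnvelope {
  const env: ErrorEnvelope = { message, code, httpStatus, correlationId };
  if (details) env.details = details;
  return env;
}

function hasRole(sigs: Signature[], role: Role): boolean {
  return sigs.some((s) => s.role === role);
}

/** Site activation: tenant gate, state, qualification, AUTHOR_NEQ_APPROVER, then co-signs. */
function checkSiteActivation(req: ActivationRequest, correlationId: string): ErrorEnvelope | null {
  if (req.tenantState !== "active") {              // URS-08 BR-08-20
    return envelope("TENANT_NOT_ACTIVE", 403, "Tenant is not active", correlationId);
  }
  if (req.siteState !== "in_qualification") {      // Diagram 6.1-B
    return envelope("STATE_NOT_IN_QUALIFICATION", 409, "Site is not in qualification",
      correlationId, { siteState: req.siteState });
  }
  if (!req.qualificationPackageSigned) {
    return envelope("QUALIFICATION_PACKAGE_NOT_SIGNED", 409, "Qualification package not signed", correlationId);
  }
  const creatorSig = req.signatures.find((s) => s.userId === req.createdBy);
  if (creatorSig) {                                // the creator may not sign activation
    return envelope("APPROVER_IS_CREATOR", 403, "Activator must differ from creator (AUTHOR_NEQ_APPROVER)",
      correlationId, { userId: creatorSig.userId, role: creatorSig.role });
  }
  if (!hasRole(req.signatures, "site_head")) {     // standard flow: site head + validation approver
    return envelope("MISSING_COSIGN", 401, "site_head co-sign required", correlationId);
  }
  if (!hasRole(req.signatures, "validation_approver")) {
    return envelope("MISSING_VALIDATION_COSIGN", 401, "validation_approver co-sign required", correlationId);
  }
  if (HIGH_RISK_TYPES.has(req.siteType)) {         // high-risk: executive authority + RA co-signs
    if (!hasRole(req.signatures, "founder")) {
      return envelope("HIGH_RISK_TYPE_REQUIRES_FOUNDER", 401, "Executive authority co-sign required",
        correlationId, { siteType: req.siteType });
    }
    if (!hasRole(req.signatures, "regulatory_oversight_admin")) {
      return envelope("MISSING_RA_COSIGN", 401, "regulatory_oversight_admin co-sign required", correlationId);
    }
  }
  return null;
}

/** SITE_HEAD_NEQ_QUALITY_LEAD: the two site roles must be held by distinct users. */
function checkSiteRoleAssignment(siteHeadId: string, qualityLeadId: string,
                                 correlationId: string): ErrorEnvelope | null {
  return siteHeadId === qualityLeadId
    ? envelope("SITE_HEAD_NEQ_QUALITY_LEAD", 403,
        "site_head and site_quality_lead must be distinct users", correlationId)
    : null;
}

/** INSPECTION_RESPONSE_INDEPENDENT_REVIEWER: at least one signer must not be named in the findings. */
function checkInspectionResponse(namedInFindings: string[], signerIds: string[],
                                 correlationId: string): ErrorEnvelope | null {
  const independent = signerIds.filter((id) => namedInFindings.indexOf(id) < 0);
  return independent.length === 0
    ? envelope("INSPECTION_RESPONSE_INDEPENDENT_REVIEWER_REQUIRED", 401,
        "An independent reviewer must co-sign the inspection response", correlationId,
        { signers: signerIds })
    : null;
}
```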

### 12.11 Secure export

Every export routes through the Controlled Approval Modal. Signed download URLs with 15-minute TTL. Integrity manifest accompanies every export per URS-06.

### 12.12 Cross-tenant confidentiality envelope

Sites are tenant-scoped. Cross-tenant visibility through URS-07 collaboration grants is restricted to the per-grant scope. A partner-tenant member cannot see lead-tenant sites outside the grant scope; a lead-tenant member cannot see partner-tenant sites outside the grant scope. URS-06 audits every cross-tenant access in BOTH chains.

---

## 13. Data Integrity and ALCOA+ Controls

| Principle | Module 9 control | Requirement | Verification |
|---|---|---|---|
| Attributable | Every site lifecycle event records the signing user(s); contacts attributable to assigner | URS-09-AUD-001 | Integration test |
| Legible | Site detail rendered structured; exports in PDF + JSON | URS-09-REP-001 | Export test |
| Contemporaneous | Server-set timestamps; client-supplied dropped | URS-09-AUD-002 | Integration test |
| Original | Immutable cleanroom classifications per certification cycle; lifecycle events append-only | URS-09-AUD-003 | Validation test |
| Accurate | Three-cosign gates at high-risk activations; pre-decommissioning gate; URS-28 qualification linkage | URS-09-DATA-001 | Validation test |
| Complete | Every event in §6.6 has at least one writer | URS-09-AUD-004 | Validation test |
| Consistent | URS-08 dual-chain audit; URS-07 study-scope linkage | URS-09-AUD-005 | Concurrency test |
| Enduring | Per-regulatory-framework retention; decommissioned sites preserved | URS-09-DATA-002 | Migration test |
| Available | Decommissioned sites query-accessible; cold-tier supported | URS-09-REP-002 | End-to-end test |

---

## 14. Regulatory Mapping

| Identifier | Control | Regulation / Guidance | Clause | Applicable | Implementation expectation |
|---|---|---|---|---|---|
| RG-09-001 | Premises and equipment | EU GMP Chapter 3 | applicable | Yes | Facility hierarchy + cleanroom classification |
| RG-09-002 | Sterile manufacturing facilities | EU GMP Annex 1 (revised 2023) | applicable | Yes (sterile types) | Annex 1 grades A/B/C/D + at-rest / in-operation limits |
| RG-09-003 | Cleanroom classifications | ISO 14644 | Part 1, Part 2 | Yes (cleanrooms) | ISO 14644 class registration; certification cadence |
| RG-09-004 | Qualification and validation | EU GMP Annex 15 | applicable | Yes | Site qualification package via URS-07 |
| RG-09-005 | US manufacturing CGMP | 21 CFR Part 211 | §211.42-46 (premises) | Yes (US manufacturing) | Site catalogue + facility hierarchy + GMP classification |
| RG-09-006 | FDA establishment registration | 21 CFR Part 207 | §207.49 | Yes (US sites) | Site licence record (FDA establishment registration) |
| RG-09-007 | India manufacturing site licensing — D&C Act 1940 + Drugs Rules 1945 + Revised Schedule M (GMP); Schedule M-III / applicable GDP distribution expectations where distribution sites are in scope; CDSCO GCP guidance where clinical site oversight is in scope; New Drugs and Clinical Trials Rules 2019 where clinical / study site operations are in scope; Medical Devices Rules 2017 where device / combination-product site scope exists | India Drugs and Cosmetics Act 1940; Drugs Rules 1945; Revised Schedule M; Schedule M-III; New Drugs and Clinical Trials Rules 2019; Medical Devices Rules 2017; CDSCO Form 25 / Form 28 (where manufacturing site licensing in scope) | Applicable per India tenant operation and jurisdictional regulatory assessment | Yes (India sites — manufacturing / distribution / clinical / device per applicable scope) | Site licence record (CDSCO Form 25 / Form 28 captured in `site_licences`); cleanroom / Schedule M GMP classification; distribution-site Schedule M-III evidence; clinical-site CDSCO GCP qualification; device-site Medical Devices Rules 2017 evidence; external jurisdictional legal / RA confirmation required for clause / form applicability per India site scope |
| RG-09-008 | UK manufacturing | UK Human Medicines Regulations 2012 | applicable | Yes (UK sites) | Site licence record (MHRA MA) |
| RG-09-009 | EU MA holder site listing | EU Directive 2001/83/EC | applicable | Yes (EU sites) | Site licence record (EMA MA reference) |
| RG-09-010 | Health Canada DEL | Canadian Food and Drugs Act | applicable | Yes (CA sites) | Site licence record (Health Canada DEL) |
| RG-09-011 | DEA registration (controlled substance sites) | 21 CFR Parts 1300-1316 | applicable | Yes (US controlled-substance sites) | Site licence record (DEA registration) |
| RG-09-012 | GLP facilities | 21 CFR Part 58 / OECD GLP Principles | applicable | Yes (`glp` sites) | Site catalogue + GLP classification |
| RG-09-013 | Clinical site oversight | ICH GCP E6(R3) / 21 CFR Parts 50/56/312 | applicable | Conditional (clinical types) | Site licence + member qualification |
| RG-09-014 | Audit trail | 21 CFR Part 11 | §11.10(e) | Yes | URS-06 substrate |
| RG-09-015 | Validation of computerised systems | EU GMP Annex 11 | §4 | Yes | CSV / CSA pack per §17 |
| RG-09-016 | Records retention | EU GMP Annex 11 | §17 | Yes | Per regulatory framework retention |
| RG-09-017 | Risk-based assurance | FDA Computer Software Assurance for Production and Quality Management System Software, Final Guidance, February 2026 | applicable | Yes | Risk classification per validation pack |
| RG-09-018 | ALCOA+ data integrity | MHRA Data Integrity Guidance (2018) | nine principles | Yes | §13 mapping |
| RG-09-019 | EU AI Act applicability | Regulation (EU) 2024/1689 | Article 3(1) | Not applicable to this module | No AI; documented exclusion |
| RG-09-020 | EU GMP Annex 22 (Draft 2025) | EU GMP Annex 22 | applicable forward-looking | Forward-looking only | No Annex-22-dependent control |
| RG-09-021 | Medical device QMS | ISO 13485 | applicable | Conditional (device tenants) | Site licence record |
| RG-09-022 | Laboratory accreditation | ISO 17025 | applicable | Conditional (laboratory sites) | Site licence record |

### 14.1 Predicate-rule applicability matrix

| Record / artifact | Predicate-rule basis | Part 11 applicable? | Retention | Owner | Evidence |
|---|---|---|---|---|---|
| Site record (lifecycle states) | Premises evidence | Yes | per regulatory framework | QA / Engineering | Lifecycle audit chain |
| Facility hierarchy node | Premises layout evidence | Yes | per site retention | Engineering / QA | Hierarchy node row + audit |
| Cleanroom classification | Sterile / clean operations evidence | Yes | per site retention | QA / Engineering | Classification row + URS-12 certificate |
| Site licence | Regulated-activity authorisation evidence | Yes | per licence retention | RA | Licence row + URS-12 evidence |
| Site inspection record | Regulatory-inspection evidence | Yes | retain (long-term) | QA / RA | Inspection row + URS-12 findings + response |
| Site contacts roster | Personnel-accountability evidence | Yes | per site retention | QA | Contacts row + URS-28 qualification linkage |
| Site qualification status | Qualification evidence | Yes | per site retention | Validation | Computed status + URS-07 study linkage |
| Cross-site relationship | Operational relationship evidence | Yes (operational) | retain (long-term) | QA | Relationship row + bilateral signatures |
| Site decommissioning record | Site retirement evidence | Yes | retain (long-term) | QA / executive authority for high-risk | Decommissioning row + signatures |

---

## 15. URS Requirements Register

### 15.1 Front-end (FE)

- URS-09-FE-001 — Site catalogue browser MUST surface filters by type, lifecycle, jurisdiction, vertical, qualification status, last-inspection-date, licence-expiry. Priority MUST. Risk MEDIUM.
- URS-09-FE-002 — Per-site detail MUST present a tabbed view per §5.2. Priority MUST. Risk LOW.
- URS-09-FE-003 — Site creation wizard MUST flag high-risk types prominently and surface required co-signs. Priority MUST. Risk HIGH.
- URS-09-FE-004 — Hierarchy editor MUST enforce parent / child relationships at each level. Priority MUST. Risk MEDIUM.
- URS-09-FE-005 — Cleanroom classification register MUST surface re-certification due dates and lapsed warnings. Priority MUST. Risk HIGH.
- URS-09-FE-006 — Licence register MUST surface expiring-soon highlights at T-90, T-30, T-7 windows. Priority MUST. Risk HIGH.
- URS-09-FE-007 — Inspection register MUST surface findings count by classification with deep-links to URS-12. Priority MUST. Risk MEDIUM.
- URS-09-FE-008 — Discovery view MUST surface the records intersecting site scope with manual-label badges. Priority MUST. Risk HIGH.
- URS-09-FE-009 — Decommissioning surface MUST run pre-decommissioning gate at open and surface remediation list. Priority MUST. Risk HIGH.
- URS-09-FE-010 — Cross-tenant content (via URS-07 grants) MUST be visually distinguished. Priority MUST. Risk MEDIUM.
- URS-09-FE-011 — Every route in §5.1 MUST be registered in the application router before release. Priority MUST. Risk LOW.
- URS-09-FE-012 — All Module 9 surfaces MUST meet WCAG 2.1 Level AA. Priority MUST. Risk MEDIUM.

### 15.2 Back-end (BE)

- URS-09-BE-001 — Site activation MUST require activator independent of creator (`AUTHOR_NEQ_APPROVER`). Priority MUST. Risk HIGH.
- URS-09-BE-002 — High-risk site activation MUST require Founder + `validation_approver` + `regulatory_oversight_admin` co-signs. Priority MUST. Risk CRITICAL.
- URS-09-BE-003 — Cleanroom classification MUST require `site_quality_lead` + `final_quality_approver` co-sign. Priority MUST. Risk HIGH.
- URS-09-BE-004 — Site licence registration MUST require `regulatory_oversight_admin` co-sign. Priority MUST. Risk HIGH.
- URS-09-BE-005 — Site licence expiry MUST trigger auto-suspension per DEC-09-20. Priority MUST. Risk HIGH.
- URS-09-BE-006 — Cleanroom certification lapse MUST escalate to site `regulatory_concern` suspension. Priority MUST. Risk HIGH.
- URS-09-BE-007 — Site contacts MUST link to URS-28 qualifications appropriate to role and GxP classification. Priority MUST. Risk HIGH.
- URS-09-BE-008 — `site_head` and `site_quality_lead` MUST be distinct users (`SITE_HEAD_NEQ_QUALITY_LEAD`). Priority MUST. Risk HIGH.
- URS-09-BE-009 — Inspection response MUST require independent reviewer (`INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`). Priority MUST. Risk HIGH.
- URS-09-BE-010 — Pre-decommissioning gate MUST clear all blockers per DEC-09-11. Priority MUST. Risk HIGH.
- URS-09-BE-011 — Decommissioning attestation MUST require `site_head` + `site_quality_lead` + `regulatory_oversight_admin` + executive authority for high-risk. Priority MUST. Risk HIGH.
- URS-09-BE-012 — Cross-site relationships MUST require bilateral signatures. Priority MUST. Risk HIGH.
- URS-09-BE-013 — Site-level access overlay MUST enforce `403 SITE_CONFIDENTIAL_NOT_MEMBER`. Priority MUST. Risk HIGH.
- URS-09-BE-014 — Site-bound discovery MUST be computed by URS-03 active-scope intersection. Priority MUST. Risk CRITICAL.
- URS-09-BE-015 — Module 9 mutations MUST be blocked when tenant is not `active` per URS-08 BR-08-20. Priority MUST. Risk CRITICAL.
- URS-09-BE-016 — Cross-tenant site visibility MUST be restricted to URS-07 collaboration grant scope. Priority MUST. Risk CRITICAL.
- URS-09-BE-017 — Audit-log writes MUST be atomic with the originating action. Priority MUST. Risk CRITICAL.
- URS-09-BE-018 — Site lifecycle events MUST emit dual audit (tenant + global chains) per URS-08 DEC-08-18. Priority MUST. Risk HIGH.
- URS-09-BE-019 — Successor-site linkage MUST be preserved via `successor_of_site_id`. Priority MUST. Risk MEDIUM.
- URS-09-BE-020 — Equipment areas at launch are definitions only; detailed equipment runtime and qualification records are owned by a forward equipment-management module. Exact module number is an external program dependency. Priority MUST. Risk LOW.

### 15.3 Workflow (WF)

- URS-09-WF-001 — Site lifecycle state machine per Diagram 6.1-B. Priority MUST. Risk CRITICAL.
- URS-09-WF-002 — Cleanroom certification cycle per Diagram 6.1-D. Priority MUST. Risk HIGH.
- URS-09-WF-003 — Licence renewal workflow with reminders T-90 / T-30 / T-7 / T-1. Priority MUST. Risk HIGH.
- URS-09-WF-004 — Inspection response workflow with regulatory SLA reminders. Priority MUST. Risk MEDIUM.
- URS-09-WF-005 — Decommissioning gate watch with remediation list. Priority MUST. Risk HIGH.

### 15.4 Data (DATA)

- URS-09-DATA-001 — Snapshot pinning (cleanroom certificate at decision time) MUST be preserved. Priority MUST. Risk HIGH.
- URS-09-DATA-002 — Per-regulatory-framework retention. Priority MUST. Risk HIGH.
- URS-09-DATA-003 — Scope JSONB compatibility with URS-05 §6.2.1 canonical registry. Priority MUST. Risk HIGH.

### 15.5 Security (SEC)

- URS-09-SEC-001 — Tenant isolation via TDAL + RLS. Priority MUST. Risk CRITICAL.
- URS-09-SEC-002 — Multi-factor step-up for high-risk transitions. Priority MUST. Risk HIGH.
- URS-09-SEC-003 — Self-modification block (`AUTHOR_NEQ_APPROVER`, `SITE_HEAD_NEQ_QUALITY_LEAD`, `INSPECTION_RESPONSE_INDEPENDENT_REVIEWER`). Priority MUST. Risk HIGH.
- URS-09-SEC-004 — Cross-tenant access governed by URS-07 grant scope. Priority MUST. Risk CRITICAL.

### 15.6 Audit (AUD)

- URS-09-AUD-001 — Every Module 9 mutation produces audit row through URS-06. Priority MUST. Risk CRITICAL.
- URS-09-AUD-002 — Server-set timestamps. Priority MUST. Risk HIGH.
- URS-09-AUD-003 — Append-only protocol versions, scope versions, master-file linkages, lifecycle events. Priority MUST. Risk HIGH.
- URS-09-AUD-004 — Every event in §6.6 has at least one writer. Priority MUST. Risk HIGH.
- URS-09-AUD-005 — Dual-chain emission per URS-08 DEC-08-18. Priority MUST. Risk HIGH.

### 15.7 AI / HITL (AI)

- URS-09-AI-001 — No AI / ML in core path; static analysis MUST find zero LLM SDK references. Priority MUST. Risk HIGH.
- URS-09-AI-002 — AI suggestions in URS-32 set `ai_advisory = true`. Priority MUST. Risk HIGH.

### 15.8 Integration (INT)

- URS-09-INT-001 — URS-03 active-scope intersection on `site` dimension. Priority MUST. Risk CRITICAL.
- URS-09-INT-002 — URS-04 e-sig ceremony for every signed action. Priority MUST. Risk CRITICAL.
- URS-09-INT-003 — URS-05 site role overlay; executive authority for high-risk. Priority MUST. Risk HIGH.
- URS-09-INT-004 — URS-06 dual-chain audit. Priority MUST. Risk CRITICAL.
- URS-09-INT-005 — URS-07 study scope inclusion; cross-tenant grants. Priority MUST. Risk HIGH.
- URS-09-INT-006 — URS-08 tenant lifecycle gating. Priority MUST. Risk CRITICAL.
- URS-09-INT-007 — URS-12 licence and inspection evidence. Priority MUST. Risk HIGH.
- URS-09-INT-008 — URS-28 site contact qualifications. Priority MUST. Risk HIGH.
- URS-09-INT-009 — URS-30 notifications. Priority MUST. Risk MEDIUM.
- URS-09-INT-010 — Forward equipment-management integration via equipment-area definitions. Exact equipment-management module number is an external program dependency. Priority SHOULD. Risk LOW.

### 15.9 Reporting (REP)

- URS-09-REP-001 — Reports per §9 exportable with electronic signature. Priority MUST. Risk MEDIUM.
- URS-09-REP-002 — Discovery export integrity manifest end-to-end across chains. Priority MUST. Risk HIGH.
- URS-09-REP-003 — Signed download URL TTL 15 minutes. Priority MUST. Risk MEDIUM.

### 15.10 Notifications (NOTIF)

- URS-09-NOTIF-001 — Notifications per §10 delivered through URS-30. Priority MUST. Risk MEDIUM.
- URS-09-NOTIF-002 — Cross-tenant notifications reach both tenants where applicable. Priority MUST. Risk HIGH.

### 15.11 Validation (VAL)

- URS-09-VAL-001 — Test execution covers IQ (schema, RLS, indexes, lifecycle bootstrap, scope-intersection bootstrap), OQ (per URS-09-VAL-002), PQ (per URS-09-VAL-003), regression (per URS-09-VAL-004).
- URS-09-VAL-002 — OQ validates every API endpoint, every error code, every state transition, every audit event writer.
- URS-09-VAL-003 — PQ validates discovery view under representative tenant volume (e.g., 1000 records per site) with acceptable latency.
- URS-09-VAL-004 — Regression on every Class 1 / Class 2 change.
- URS-09-VAL-005 — Requirements-to-test traceability per §16.4.
- URS-09-VAL-006 — Supplier qualification pack per §17.1.
- URS-09-VAL-007 — Inspection-ready evidence index per §17.2.
- URS-09-VAL-008 — Migration evidence gate: schema migrations idempotent; lifecycle bootstrap creates valid `planned` site; restore drill verifies chain HEAD equality.

---

## 16. Acceptance Criteria and Test Cases

### 16.1 Plain-language test cases

- TC-PLAIN-001 — A non-high-risk site (warehouse, oral solid dosage) requires only the standard activation flow with site-head and validation-approver signatures.
- TC-PLAIN-002 — A sterile injectable site requires the standard flow plus executive authority co-sign plus regulatory-oversight-admin co-sign at activation.
- TC-PLAIN-003 — The user who created a site cannot also activate it; a different user must sign activation.
- TC-PLAIN-004 — `site_head` and `site_quality_lead` cannot be the same user.
- TC-PLAIN-005 — A cleanroom area's classification (ISO 14644 + Annex 1 grade) is signed by the site quality lead and final quality approver and re-certified on cadence.
- TC-PLAIN-006 — When a site licence expires, the site is automatically suspended.
- TC-PLAIN-007 — Decommissioning cannot complete while open records, studies, delegations, or licences remain on the site.
- TC-PLAIN-008 — A user named in inspection findings cannot be the sole signer of the inspection response.
- TC-PLAIN-009 — A site's regulated records are discoverable through the site detail view by URS-03 active-scope intersection.
- TC-PLAIN-010 — A high-sensitivity site can opt-in to a site-level access overlay restricting access to a designated member roster.
- TC-PLAIN-011 — Cross-tenant studies (URS-07) reference partner-tenant sites only within the per-grant scope.
- TC-PLAIN-012 — Successor sites preserve linkage to decommissioned predecessors.
- TC-PLAIN-013 — Cleanroom certification lapse triggers regulatory-concern suspension.
- TC-PLAIN-014 — Site mutations are blocked when the tenant is not `active`.

### 16.2 Technical test cases

- TC-TECH-001 — Site activation by creator returns `403 APPROVER_IS_CREATOR`.
- TC-TECH-002 — High-risk site activation without executive authority co-sign returns `401 HIGH_RISK_TYPE_REQUIRES_FOUNDER`.
- TC-TECH-003 — Site activation without qualification package returns `409 QUALIFICATION_PACKAGE_NOT_SIGNED`.
- TC-TECH-004 — `site_head` equal to `site_quality_lead` returns `403 SITE_HEAD_NEQ_QUALITY_LEAD`.
- TC-TECH-005 — Cleanroom registration without `final_quality_approver` co-sign returns `401 MISSING_COSIGN`.
- TC-TECH-006 — Site licence expiry triggers auto-suspension and emits `LICENCE_EXPIRED_SITE_SUSPENDED`.
- TC-TECH-007 — Cleanroom certification past `next_certification_due` triggers auto-suspension with reason `regulatory_concern`.
- TC-TECH-008 — Site contact add without URS-28 qualification returns `400 SITE_CONTACT_QUALIFICATION_MISSING`.
- TC-TECH-009 — Inspection response without independent reviewer returns `401 INSPECTION_RESPONSE_INDEPENDENT_REVIEWER_REQUIRED`.
- TC-TECH-010 — Decommissioning while open records exist returns `409 OPEN_RECORDS_BLOCK`.
- TC-TECH-011 — Decommissioning while open studies exist returns `409 OPEN_STUDIES_BLOCK`.
- TC-TECH-012 — Decommissioning attestation without executive authority co-sign for high-risk site returns `401 MISSING_FOUNDER_COSIGN`.
- TC-TECH-013 — Cross-site relationship without `to_site` accept returns `409 STATE_NOT_ACCEPTED`.
- TC-TECH-014 — Site-confidential read by non-member returns `403 SITE_CONFIDENTIAL_NOT_MEMBER`.
- TC-TECH-015 — Module 9 mutation when tenant is `suspended` returns `403 TENANT_NOT_ACTIVE`.
- TC-TECH-016 — Schema migrations idempotent; RLS enabled on every Module 9 tenant-scoped table.
- TC-TECH-017 — Penetration test: cross-tenant site query without an active URS-07 grant returns an empty result set under RLS (zero rows, not an error that confirms the site exists).
- TC-TECH-018 — Discovery view computes intersection correctly across multiple scope dimensions.
- TC-TECH-019 — Discovery export integrity manifest includes Merkle proofs per URS-06 BR-06-10.
- TC-TECH-020 — Static analysis finds zero LLM SDK references in Module 9 source.
- TC-TECH-021 — Site lifecycle event emits dual audit per URS-08 DEC-08-18.
- TC-TECH-022 — Successor site creation preserves `successor_of_site_id` linkage; URS-06 captures.
- TC-TECH-023 — `SITE_CATALOGUE_VIEW_OPENED` and `SITE_DISCOVERY_VIEW_OPENED` emit once per session.
- TC-TECH-024 — Cleanroom recertification preserves prior version; new record references prior via cross-version chain.
- TC-TECH-025 — Site licence renewal preserves prior record marked `superseded`.
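
The row-level security behaviour that TC-TECH-016 and TC-TECH-017 exercise, shown as an added PostgreSQL example that is not Verixa's schema: the table and column names, the `app.tenant_id` session setting, the `current_tenant()` helper, the `verixa_app` role and the UUIDs are assumptions for illustration. The home-tenant policy covers normal reads and writes; the partner policy is SELECT-only and is satisfied only by an active, unexpired URS-07 grant naming that exact site, so a cross-tenant query with no grant returns zero rows rather than an error.

```sql
-- Added example, not Verixa's schema. PostgreSQL 9.6+; all names are assumptions.

CREATE TABLE sites (
  site_id         uuid PRIMARY KEY,
  tenant_id       uuid NOT NULL,
  site_name       text NOT NULL,
  lifecycle_state text NOT NULL
);

-- Hypothetical projection of a URS-07 cross-tenant grant.
CREATE TABLE cross_tenant_site_grants (
  grant_id          uuid PRIMARY KEY,
  grantor_tenant_id uuid NOT NULL,
  grantee_tenant_id uuid NOT NULL,
  site_id           uuid NOT NULL REFERENCES sites (site_id),
  state             text NOT NULL,          -- 'active' | 'revoked' | 'expired'
  valid_until       timestamptz NOT NULL,
  CHECK (grantor_tenant_id <> grantee_tenant_id)
);

-- The API sets the caller's tenant once per transaction:
--   SET LOCAL app.tenant_id = '<tenant uuid>';
-- missing_ok = true avoids an error when unset; NULLIF turns '' into NULL so an
-- unset context matches no row (fail closed: tenant_id = NULL is never true).
CREATE FUNCTION current_tenant() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

-- The application role must not be able to bypass RLS, and FORCE makes the
-- policies apply even if this role ends up owning the tables.
CREATE ROLE verixa_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON sites, cross_tenant_site_grants TO verixa_app;
ALTER TABLE sites ENABLE ROW LEVEL SECURITY;
ALTER TABLE sites FORCE ROW LEVEL SECURITY;
ALTER TABLE cross_tenant_site_grants ENABLE ROW LEVEL SECURITY;
ALTER TABLE cross_tenant_site_grants FORCE ROW LEVEL SECURITY;

-- Home tenant: read and write its own sites; WITH CHECK stops a write from
-- re-homing a row into another tenant.
CREATE POLICY sites_home_tenant ON sites
  USING (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- Partner tenant: SELECT only, and only while an active, unexpired grant names
-- this exact site. With no grant the row is filtered out, so the query returns
-- zero rows (RLS-empty) instead of an error that confirms the site exists.
CREATE POLICY sites_partner_grant ON sites FOR SELECT
  USING (EXISTS (
    SELECT 1 FROM cross_tenant_site_grants g
    WHERE g.site_id = sites.site_id
      AND g.grantee_tenant_id = current_tenant()
      AND g.state = 'active'
      AND g.valid_until > now()
  ));

-- Grants: both parties may read their own grants; only the grantor may write.
CREATE POLICY grants_read ON cross_tenant_site_grants FOR SELECT
  USING (current_tenant() IN (grantor_tenant_id, grantee_tenant_id));
CREATE POLICY grants_write ON cross_tenant_site_grants FOR ALL
  USING (grantor_tenant_id = current_tenant())
  WITH CHECK (grantor_tenant_id = current_tenant());

-- TC-TECH-017 shape, run as the application role (constructed UUIDs; the
-- connecting user must be a member of verixa_app for SET LOCAL ROLE to work).
BEGIN;
SET LOCAL ROLE verixa_app;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-0000000000b2';  -- tenant B
-- Tenant A's site, no grant to B: expect 0 rows, not an error.
SELECT site_id, site_name FROM sites
 WHERE tenant_id = '00000000-0000-0000-0000-0000000000a1';
-- B cannot insert a row that claims A's tenant_id: expect an RLS violation error.
INSERT INTO sites VALUES ('00000000-0000-0000-0000-00000000c001',
                          '00000000-0000-0000-0000-0000000000a1', 'x', 'planned');
ROLLBACK;
```

Two details decide whether the penetration test in TC-TECH-017 is meaningful: the role the API connects with must be `NOBYPASSRLS` and must not be a superuser, and the policies must be forced so that table ownership cannot switch them off. Policies are permissive and OR-ed together, so every new policy added to `sites` widens access; a review of Module 9 migrations should read each added `CREATE POLICY` as a new grant path.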

### 16.3 Acceptance criteria (Given / When / Then)

- AC-09-FUN-01 — Given site creator attempts activation, When called, Then `403 APPROVER_IS_CREATOR`.
- AC-09-FUN-02 — Given high-risk site type, When activation submitted without executive authority co-sign, Then `401 HIGH_RISK_TYPE_REQUIRES_FOUNDER`.
- AC-09-FUN-03 — Given cleanroom certification lapsed, When the lapse-detection job runs, Then site auto-suspends with reason `regulatory_concern`.
- AC-09-FUN-04 — Given a site licence expired, When the expiry-detection job runs, Then site auto-suspends and emits `LICENCE_EXPIRED_SITE_SUSPENDED`.
- AC-09-FUN-05 — Given site contact missing URS-28 qualification, When add attempted, Then `400 SITE_CONTACT_QUALIFICATION_MISSING`.
- AC-09-FUN-06 — Given decommissioning blockers exist, When decommissioning attempted, Then `409` with one of `OPEN_RECORDS_BLOCK`, `OPEN_STUDIES_BLOCK`, `OPEN_DELEGATIONS_BLOCK`, `OPEN_LICENCES_BLOCK` per blocker category.
- AC-09-FUN-07 — Given a high-risk site, When decommissioning attestation is submitted without executive authority co-sign, Then `401 MISSING_FOUNDER_COSIGN`.
- AC-09-FUN-08 — Given tenant not `active`, When any Module 9 mutation is attempted, Then `403 TENANT_NOT_ACTIVE`.
- AC-09-PERM-01 — Given non-member, When site-confidential read attempted on overlay-enabled site, Then `403 SITE_CONFIDENTIAL_NOT_MEMBER`.
- AC-09-PERM-02 — Given non-`tenant_admin_authority`, When attempting Module 9 administrative mutation, Then `403`.
- AC-09-AUD-01 — Every Module 9 mutation produces audit row through URS-06 in both tenant chain and global chain.
- AC-09-AUD-02 — Audit-write failure rolls back originating action.
- AC-09-DI-01 — Cleanroom classification immutable per certification cycle.
- AC-09-DI-02 — Backup-restore drill produces same site lifecycle history and chain HEAD as source.
- AC-09-INT-01 — URS-03 active-scope intersection produces correct discovery.
- AC-09-INT-02 — URS-08 tenant lifecycle gates Module 9 mutations.
- AC-09-INT-03 — URS-28 qualification linkage at site contact add.
- AC-09-REP-01 — Every export carries integrity manifest + electronic signature.
- AC-09-AI-01 — Static analysis finds zero LLM SDK references in Module 9.
- AC-09-NEG-01 — Every error code in §11.2 reachable by automated test.
- AC-09-PERF-01 — Discovery view p95 ≤ 2 s for 1000-record site.
- AC-09-SEC-01 — Penetration test: cross-tenant query without an active URS-07 grant returns an empty result set under RLS (zero rows, no existence-revealing error).
- AC-09-MIG-01 — Module 9 migrations idempotent.
- AC-09-MIG-02 — Migrations bootstrap valid `planned` site fixture; restore drill reproducible.
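
How a restore drill can establish the chain HEAD equality required by URS-09-VAL-008 and AC-09-DI-02, as an added PostgreSQL example rather than URS-06's actual audit schema: the `audit_chain` layout, the `audit_row_hash()` canonicalisation, the `append_audit_event()` writer and the `verify_chain()` function are assumptions, and the fixture rows are constructed. The point is that the drill recomputes every link from the row contents instead of trusting the stored `row_hash` values, so a restored copy that was truncated, reordered or edited is reported by sequence number, and its recomputed HEAD is then compared with the HEAD recorded from the source system before the restore.

```sql
-- Added example, not URS-06's schema. Requires PostgreSQL 11+ (sha256(bytea)).
CREATE TABLE audit_chain (
  tenant_id   uuid        NOT NULL,
  seq         bigint      NOT NULL CHECK (seq >= 1),   -- dense per tenant
  event_type  text        NOT NULL,                    -- e.g. SITE_ACTIVATED
  payload     jsonb       NOT NULL,
  recorded_at timestamptz NOT NULL,                    -- server timestamp
  prev_hash   text        NOT NULL,                    -- hex; 64 zeros for seq 1
  row_hash    text        NOT NULL,                    -- hex sha256, see below
  PRIMARY KEY (tenant_id, seq)
);

-- Canonical hash input. jsonb::text is deterministic (key order and whitespace
-- normalised); the timestamp is rendered in UTC so the session TimeZone
-- cannot change the digest.
CREATE FUNCTION audit_row_hash(prev text, ev text, pl jsonb, ts timestamptz)
RETURNS text LANGUAGE sql STABLE AS $$
  SELECT encode(sha256(convert_to(
           prev || '|' || ev || '|' || pl::text || '|'
                || to_char(ts AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'),
           'UTF8')), 'hex')
$$;

-- Writer: links the new row to the current HEAD and returns the new HEAD.
CREATE FUNCTION append_audit_event(p_tenant uuid, p_event text, p_payload jsonb,
                                   p_ts timestamptz)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
  v_seq bigint; v_prev text; v_hash text;
BEGIN
  -- Serialise appends per tenant so seq stays dense (lock released at commit).
  PERFORM pg_advisory_xact_lock(hashtext(p_tenant::text));
  SELECT coalesce(max(seq), 0) + 1,
         coalesce((SELECT row_hash FROM audit_chain
                   WHERE tenant_id = p_tenant ORDER BY seq DESC LIMIT 1),
                  repeat('0', 64))
    INTO v_seq, v_prev
  FROM audit_chain WHERE tenant_id = p_tenant;
  v_hash := audit_row_hash(v_prev, p_event, p_payload, p_ts);
  INSERT INTO audit_chain VALUES (p_tenant, v_seq, p_event, p_payload, p_ts, v_prev, v_hash);
  RETURN v_hash;
END $$;

-- Drill: walk the chain from seq 1, recomputing each hash and checking that
-- every prev_hash equals the RECOMPUTED hash of its predecessor. The walk
-- stops at the first broken link, so rows_linked < rows_total with a NULL
-- first_bad_seq means a gap or truncation rather than an edited row.
CREATE FUNCTION verify_chain(p_tenant uuid)
RETURNS TABLE (rows_total bigint, rows_linked bigint, first_bad_seq bigint,
               computed_head text, stored_head text)
LANGUAGE sql STABLE AS $$
  WITH RECURSIVE walk AS (
    SELECT a.seq, a.row_hash,
           audit_row_hash(a.prev_hash, a.event_type, a.payload, a.recorded_at) AS computed,
           a.prev_hash = repeat('0', 64) AS link_ok
    FROM audit_chain a
    WHERE a.tenant_id = p_tenant AND a.seq = 1
    UNION ALL
    SELECT a.seq, a.row_hash,
           audit_row_hash(a.prev_hash, a.event_type, a.payload, a.recorded_at),
           a.prev_hash = w.computed
    FROM walk w
    JOIN audit_chain a ON a.tenant_id = p_tenant AND a.seq = w.seq + 1
    WHERE w.link_ok AND w.computed = w.row_hash
  )
  SELECT (SELECT count(*) FROM audit_chain WHERE tenant_id = p_tenant),
         (SELECT count(*) FROM walk WHERE link_ok AND computed = row_hash),
         (SELECT min(seq) FROM walk WHERE NOT link_ok OR computed <> row_hash),
         (SELECT computed FROM walk WHERE link_ok AND computed = row_hash
           ORDER BY seq DESC LIMIT 1),
         (SELECT row_hash FROM audit_chain WHERE tenant_id = p_tenant
           ORDER BY seq DESC LIMIT 1)
$$;

-- Constructed fixture (tenant UUID and site id are made up):
SELECT append_audit_event('11111111-1111-1111-1111-111111111111', 'SITE_CREATED',
         '{"site_id":"S-1","state":"planned"}', '2026-05-06T09:00:00Z');
SELECT append_audit_event('11111111-1111-1111-1111-111111111111',
         'SITE_MOVED_TO_IN_QUALIFICATION',
         '{"site_id":"S-1","state":"in_qualification"}', '2026-05-07T09:00:00Z');
SELECT append_audit_event('11111111-1111-1111-1111-111111111111', 'SITE_ACTIVATED',
         '{"site_id":"S-1","state":"operational"}', '2026-05-20T09:00:00Z');

-- On the source system, before backup: record this HEAD out of band.
SELECT row_hash FROM audit_chain
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111' ORDER BY seq DESC LIMIT 1;

-- On the restored copy: expect rows_total = rows_linked = 3, first_bad_seq NULL,
-- and computed_head = stored_head = the HEAD recorded above.
SELECT * FROM verify_chain('11111111-1111-1111-1111-111111111111');

-- Tamper demonstration: editing row 2 in place is reported as first_bad_seq = 2,
-- rows_linked drops to 1 and computed_head no longer matches stored_head.
UPDATE audit_chain SET payload = payload || '{"state":"operational"}'
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111' AND seq = 2;
SELECT * FROM verify_chain('11111111-1111-1111-1111-111111111111');
```

Comparing the two stored HEADs alone would pass a restore in which an attacker or a faulty backfill rewrote a row and re-hashed everything after it; the drill only has teeth because the source HEAD is captured before the backup and held outside the database being restored. The same recomputation is what makes "chain HEAD equality" in URS-09-VAL-008 a statement about content rather than about two copies of the same column.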

### 16.4 Requirements-to-test traceability

| Requirement | Plain-language | Technical | Given / When / Then |
|---|---|---|---|
| URS-09-FE-001 | — | (UI test) | — |
| URS-09-FE-002 | — | (UI test) | — |
| URS-09-FE-003 | TC-PLAIN-002 | TC-TECH-002 | AC-09-FUN-02 |
| URS-09-FE-004 | — | (hierarchy editor test) | — |
| URS-09-FE-005 | TC-PLAIN-005, TC-PLAIN-013 | TC-TECH-007 | AC-09-FUN-03 |
| URS-09-FE-006 | TC-PLAIN-006 | TC-TECH-006 | AC-09-FUN-04 |
| URS-09-FE-007 | TC-PLAIN-008 | TC-TECH-009 | — |
| URS-09-FE-008 | TC-PLAIN-009 | TC-TECH-018 | AC-09-INT-01 |
| URS-09-FE-009 | TC-PLAIN-007 | TC-TECH-010, TC-TECH-011 | AC-09-FUN-06 |
| URS-09-FE-010 | TC-PLAIN-011 | TC-TECH-017 | AC-09-SEC-01 |
| URS-09-FE-011 | — | TC-TECH-016 | — |
| URS-09-FE-012 | — | (accessibility test) | — |
| URS-09-BE-001 | TC-PLAIN-003 | TC-TECH-001 | AC-09-FUN-01 |
| URS-09-BE-002 | TC-PLAIN-002 | TC-TECH-002 | AC-09-FUN-02 |
| URS-09-BE-003 | TC-PLAIN-005 | TC-TECH-005 | — |
| URS-09-BE-004 | — | (licence registration test) | — |
| URS-09-BE-005 | TC-PLAIN-006 | TC-TECH-006 | AC-09-FUN-04 |
| URS-09-BE-006 | TC-PLAIN-013 | TC-TECH-007 | AC-09-FUN-03 |
| URS-09-BE-007 | — | TC-TECH-008 | AC-09-FUN-05 |
| URS-09-BE-008 | TC-PLAIN-004 | TC-TECH-004 | — |
| URS-09-BE-009 | TC-PLAIN-008 | TC-TECH-009 | — |
| URS-09-BE-010 | TC-PLAIN-007 | TC-TECH-010, TC-TECH-011 | AC-09-FUN-06 |
| URS-09-BE-011 | — | TC-TECH-012 | AC-09-FUN-07 |
| URS-09-BE-012 | — | TC-TECH-013 | — |
| URS-09-BE-013 | TC-PLAIN-010 | TC-TECH-014 | AC-09-PERM-01 |
| URS-09-BE-014 | TC-PLAIN-009 | TC-TECH-018 | AC-09-INT-01 |
| URS-09-BE-015 | TC-PLAIN-014 | TC-TECH-015 | AC-09-FUN-08 |
| URS-09-BE-016 | TC-PLAIN-011 | TC-TECH-017 | AC-09-SEC-01 |
| URS-09-BE-017 | — | TC-TECH-016 | AC-09-AUD-02 |
| URS-09-BE-018 | — | TC-TECH-021 | AC-09-AUD-01 |
| URS-09-BE-019 | TC-PLAIN-012 | TC-TECH-022 | — |
| URS-09-BE-020 | — | (forward equipment-management module stub test) | — |
| URS-09-WF-001 | — | (state machine test) | — |
| URS-09-WF-002 | TC-PLAIN-005 | TC-TECH-024 | — |
| URS-09-WF-003 | TC-PLAIN-006 | TC-TECH-025 | — |
| URS-09-WF-004 | TC-PLAIN-008 | TC-TECH-009 | — |
| URS-09-WF-005 | TC-PLAIN-007 | TC-TECH-010 | AC-09-FUN-06 |
| URS-09-DATA-001 | — | TC-TECH-024 | AC-09-DI-01 |
| URS-09-DATA-002 | — | TC-TECH-016 | — |
| URS-09-DATA-003 | — | TC-TECH-018 | AC-09-INT-01 |
| URS-09-SEC-001 | — | TC-TECH-016, TC-TECH-017 | AC-09-SEC-01 |
| URS-09-SEC-002 | TC-PLAIN-002 | TC-TECH-002 | — |
| URS-09-SEC-003 | TC-PLAIN-003, TC-PLAIN-004, TC-PLAIN-008 | TC-TECH-001, TC-TECH-004, TC-TECH-009 | — |
| URS-09-SEC-004 | TC-PLAIN-011 | TC-TECH-017 | AC-09-SEC-01 |
| URS-09-AUD-001 | — | TC-TECH-021, TC-TECH-023 | AC-09-AUD-01 |
| URS-09-AUD-002 | — | (server timestamp test) | — |
| URS-09-AUD-003 | — | TC-TECH-016 | — |
| URS-09-AUD-004 | — | (writer-presence test) | — |
| URS-09-AUD-005 | — | TC-TECH-021 | AC-09-AUD-01 |
| URS-09-AI-001 | — | TC-TECH-020 | AC-09-AI-01 |
| URS-09-AI-002 | — | (URS-32 integration test) | — |
| URS-09-INT-001 | TC-PLAIN-009 | TC-TECH-018 | AC-09-INT-01 |
| URS-09-INT-002 | — | (URS-04 integration test) | — |
| URS-09-INT-003 | TC-PLAIN-002 | TC-TECH-002 | — |
| URS-09-INT-004 | — | TC-TECH-021 | AC-09-AUD-01 |
| URS-09-INT-005 | TC-PLAIN-011 | TC-TECH-017 | AC-09-SEC-01 |
| URS-09-INT-006 | TC-PLAIN-014 | TC-TECH-015 | AC-09-FUN-08, AC-09-INT-02 |
| URS-09-INT-007 | — | (URS-12 integration test) | — |
| URS-09-INT-008 | — | TC-TECH-008 | AC-09-INT-03 |
| URS-09-INT-009 | — | (notification test) | — |
| URS-09-INT-010 | — | (forward equipment-management module stub test) | — |
| URS-09-REP-001 | — | TC-TECH-019 | AC-09-REP-01 |
| URS-09-REP-002 | — | TC-TECH-019 | — |
| URS-09-REP-003 | — | (TTL test) | — |
| URS-09-NOTIF-001 | — | (notification delivery test) | — |
| URS-09-NOTIF-002 | TC-PLAIN-011 | (cross-tenant notification test) | — |
| URS-09-VAL-001 | — | TC-TECH-016 | — |
| URS-09-VAL-002 | All applicable | All applicable | All applicable |
| URS-09-VAL-003 | — | (PQ test) | AC-09-PERF-01 |
| URS-09-VAL-004 | — | full TC-TECH suite | — |
| URS-09-VAL-005 | — | this table is the seed | — |
| URS-09-VAL-006 | — | (supplier qualification) | — |
| URS-09-VAL-007 | — | (evidence index) | — |
| URS-09-VAL-008 | — | TC-TECH-016 | AC-09-MIG-01, AC-09-MIG-02 |

---

## 17. Validation and CSV/CSA Evidence Expectations

| Item | Required evidence |
|---|---|
| URS traceability | Per §16.4 |
| Risk assessment | GAMP 5 risk register; risk-based assurance per FDA CSA |
| Configuration specification | Documented seed of high-risk site type list; Tier 1 cleanroom standard registry; launch licence type list |
| Functional specification | Matches §6 |
| Design specification | Matches §6.1–§6.4 |
| Test protocols | IQ (schema, RLS, indexes, constraints, lifecycle bootstrap, scope-intersection bootstrap), OQ per URS-09-VAL-002, PQ per URS-09-VAL-003, regression per URS-09-VAL-004 |
| Test evidence | Pass / fail per protocol step, traced to requirement |
| Defect log | Defects mapped to URS requirements |
| Requirements traceability matrix | Per §16.4 |
| Release approval | Electronically signed by Quality Lead, Validation Lead, Information Security Lead, Regulatory Affairs Lead, Engineering / Facility Lead, executive authority |
| Training record | Engineering, QA, validation, operations, facility-operations leads trained on Module 9 |
| Periodic review | Annual per Annex 11 §11; trigger reviews on every Class 1 / Class 2 change |
| Data migration evidence | Backfill of high-risk site type list; cleanroom standard registry; restore drill verifies site integrity |

### 17.1 Supplier and service-provider qualification pack

| Category | Required evidence |
|---|---|
| Cloud hosting provider | Inherited from URS-01 §17.1 |
| Document control provider (URS-12) | Right-to-audit; retention compliance |
| Qualification register provider (URS-28) | Right-to-audit; data residency |
| Cleanroom certification organisations | Provider qualification: ISO 14644 accreditation, Annex 1 expertise, jurisdictional coverage, right-to-audit |
| Notification provider (URS-30) | Inherited from URS-01 §17.1 |
| Backup / restore provider (URS-35) | Restore drill preserving site lifecycle and chain HEAD |
| Security-operations / SIEM | Alert routing per §12.9 |

### 17.2 Inspection-ready evidence index

| Evidence item | Owner | Location / system of record | Retention | Linked requirement | Inspection use |
|---|---|---|---|---|---|
| Site record (lifecycle states) | QA / Engineering | `sites` + `site_lifecycle_events` + URS-06 | per regulatory framework | URS-09-WF-001 | demonstrate premises governance |
| Facility hierarchy | Engineering / QA | `site_facility_hierarchy` + audit | per site retention | URS-09-FE-004 | demonstrate physical layout |
| Cleanroom classifications | QA / Engineering | `site_cleanroom_classifications` + URS-12 certificates | per site retention | URS-09-DATA-001 | demonstrate clean / sterile operations baseline |
| Site licences | RA | `site_licences` + URS-12 evidence | per licence retention | URS-09-INT-007 | demonstrate regulated-activity authorisation |
| Inspection records | QA / RA | `site_inspections` + URS-12 findings + responses | retain (long-term) | URS-09-WF-004 | demonstrate inspection history and responses |
| Site contacts roster | QA | `site_contacts` + URS-28 qualification linkage | per site retention | URS-09-INT-008 | demonstrate personnel accountability |
| Qualification status | Validation | `site_qualification_status` + URS-07 study linkage | per site retention | URS-09-WF-001 | demonstrate qualification baseline |
| Cross-site relationships | QA | `cross_site_relationships` + bilateral signatures | retain (long-term) | URS-09-BE-012 | demonstrate operational relationships |
| Decommissioning records | QA / executive authority for high-risk | `site_decommissioning_runs` + signatures | retain (long-term) | URS-09-BE-011 | demonstrate site retirement governance |
| Site-bound discovery exports | QA / Auditor | URS-06 chain referenced | retain (long-term) | URS-09-REP-002 | demonstrate per-site regulatory record posture |
| Validation evidence pack (IQ / OQ / PQ) | Validation | testing system of record | retain per release | URS-09-VAL-001..008 | release approval |
| Release approval (electronically signed) | Founder, QA, RA, Validation, IS, Engineering / Facility | URS-12 | retain per release | URS-09-VAL-007 | demonstrate authority chain for release |

---

## 18. Closed Decision and Dependency Register

### 18.1 Closed Launch Decisions Register

| Closed decision | Spec reference |
|---|---|
| Site types and sub-classifications | DEC-09-01 |
| Facility hierarchy levels | DEC-09-02 |
| Site identity fields | DEC-09-03 |
| Cleanroom classification register | DEC-09-04 |
| Site licence and certification register | DEC-09-05 |
| Sites are tenant-scoped (cross-tenant via URS-07 grant) | DEC-09-06 |
| Discovery via URS-03 active-scope intersection | DEC-09-07 |
| Per-site regulatory inspection register | DEC-09-08 |
| Qualification status from URS-07 study linkage | DEC-09-09 |
| Site contacts roster with URS-28 qualification | DEC-09-10 |
| Site decommissioning workflow | DEC-09-11 |
| Cross-site relationships | DEC-09-12 |
| Sites within studies (URS-07 scope) | DEC-09-13 |
| Site-level access overlay | DEC-09-14 |
| High-risk site activation executive authority co-sign | DEC-09-15 |
| Cleanroom monitoring linkage (URS-25 Environmental Monitoring) | DEC-09-16 |
| Equipment area hierarchy linked to forward equipment-management module | DEC-09-17 |
| Site / tenant lifecycle interaction (URS-08) | DEC-09-18 |
| Forward roadmap deferred capabilities (equipment-management + environmental monitoring) | DEC-09-19 |
| Site licence expiry handling (auto-suspend) | DEC-09-20 |

### 18.2 Dependencies

| ID | Dependency | Source | Impact | Blocking? | Mitigation |
|---|---|---|---|---|---|
| DEP-09-01 | URS-01 authentication, MFA | URS-01 | Substrate | Blocking | none |
| DEP-09-02 | URS-02 base roles | URS-02 | Site role overlay | Blocking | none |
| DEP-09-03 | URS-03 active scope | URS-03 | Discovery | Blocking | none |
| DEP-09-04 | URS-04 e-sig ceremony | URS-04 | Lifecycle / amendment signatures | Blocking | none |
| DEP-09-05 | URS-05 authority resolver, scope dimensions | URS-05 | Site role gating | Blocking | none |
| DEP-09-06 | URS-06 audit substrate | URS-06 | Audit | Blocking | none |
| DEP-09-07 | URS-07 study scope and cross-tenant grants | URS-07 | Sites within studies | Blocking | none |
| DEP-09-08 | URS-08 tenant lifecycle | URS-08 | Mutation gating | Blocking | none |
| DEP-09-09 | URS-12 document control | URS-12 | Licence and inspection evidence | Blocking | none |
| DEP-09-10 | URS-28 qualification register | URS-28 | Site contact qualification | Blocking | none |
| DEP-09-11 | URS-30 notifications | URS-30 | Reminders, escalations | Non-blocking | direct e-mail fallback |
| DEP-09-12 | URS-35 backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ | DR drill |
| DEP-09-13 | Forward equipment-management module | External program dependency | Equipment runtime data | Forward (post-launch) | equipment-area definitions only |
| DEP-09-14 | URS-25 Environmental Monitoring | URS-25 (with any continuous-monitoring extension tracked as a program dependency) | Cleanroom continuous monitoring | Forward (post-launch) | classification register only |
| DEP-09-15 | External cleanroom certification organisations | external | ISO 14644 / Annex 1 certifications | Blocking | provider qualification |

---

## 19. Completeness Checklist

| Item | Yes / No | Evidence |
|---|---|---|
| Controlled-document metadata complete? | Yes | front matter |
| Approval block complete? | Yes (signatures pending) | Document Approval section |
| Version history complete? | Yes | Version History |
| Glossary complete? | Yes | §0.6 |
| Scope complete? | Yes | §2 |
| Roles and permissions complete? | Yes | §3 |
| User journeys complete? | Yes | §4 (28 journeys) |
| Front-end complete? | Yes | §5 |
| Backend complete? | Yes | §6 |
| Data model complete? | Yes | §6.2 |
| APIs complete? | Yes | §6.3 |
| Workflow / lifecycle complete? | Yes | §6.4 |
| Business rules complete? | Yes | §6.5 |
| Audit trail complete? | Yes | §6.6 |
| AI / Human-in-the-Loop complete? | Yes (no AI in core) | §8 |
| Reports complete? | Yes | §9 |
| Notifications complete? | Yes | §10 |
| Cross-module wiring complete? | Yes | §7 |
| Change-impact matrix complete? | Yes | §7.2 |
| Negative paths complete? | Yes | §11 |
| Security / privacy / tenant isolation complete? | Yes | §12 |
| ALCOA+ complete? | Yes | §13 |
| Regulatory mapping complete? | Yes | §14 |
| Predicate-rule applicability matrix complete? | Yes | §14.1 |
| Requirements register complete? | Yes | §15 |
| Acceptance tests complete? | Yes | §16 |
| Requirements-to-test traceability complete? | Yes | §16.4 |
| Validation evidence complete? | Yes | §17 |
| Supplier and service-provider qualification pack complete? | Yes | §17.1 |
| Decisions and dependencies registered (no internal decisions outstanding)? | Yes | §18.1, §18.2 |
| Final quality gate answered? | Yes | §20 |

---

## 20. Final Module Output Quality Gate

**URS approval is separate from validation execution.** This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-09-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied. **No Module 9 internal open questions remain.**

- **Specification ready for engineering review?** Yes — every MUST requirement is declarative, atomic, and testable.
- **Specification ready for quality validation review?** Yes — IQ/OQ/PQ scope specified; traceability matrix in §16.4.
- **Specification ready for compliance review?** Yes — ALCOA+ table, regulatory mapping (Part 11, Annex 11, Annex 1, Annex 15, ISO 14644, Part 211, Part 207, Part 58, GCP, jurisdictional licensing), predicate-rule applicability matrix populated.
- **Specification ready for inspector / client review?** Yes — every regulated assertion traces to a regulatory clause and a test case; no internal item remains open.
- **Specification ready for Founder approval?** Yes.
- **Blocking gaps?** None internal. Cross-module dependencies (§18.2) are owned by their named companion modules and tracked at the program level. The Migration Evidence Gate URS-09-VAL-008 and the §17 evidence pack govern only the transition to "Released for validation execution".
- **Two-step release path:**
  1. **Approved Controlled URS — released for engineering implementation and validation planning.** Reached upon signature capture.
  2. **Released for validation execution.** Reached after URS-09-VAL-008 is satisfied and the §17 evidence pack is complete.

---

## Appendix A — Site Lifecycle Composite

```mermaid
flowchart TD
  A([Tenant administrator creates site]) --> B[SITE_CREATED state planned]
  B --> C[Configure facility hierarchy + cleanroom classification + licences + contacts]
  C --> D[Site head submits for in-qualification]
  D --> E[SITE_MOVED_TO_IN_QUALIFICATION state in_qualification]
  E --> F[URS-07 equipment-qualification study runs]
  F --> G[Qualification package signed by validation_approver]
  G --> H{High-risk site type?}
  H -- yes --> I[executive authority co-sign + RA co-sign + validation co-sign]
  H -- no --> J[Site head signs activation independent of creator + validation co-sign]
  I --> K[SITE_ACTIVATED state operational]
  J --> K
  K --> L[URS-03 active-scope intersection begins]
  L --> M[Records bind to site at creation; discovery surface populates]
  M --> N{Lifecycle event?}
  N -- suspended --> O[SITE_SUSPENDED with reason category; cross-site impact handled]
  O --> P{Resolved?}
  P -- yes --> Q[SITE_RETURNED_TO_OPERATIONAL]
  Q --> N
  P -- no, prolonged --> R[Decommissioning initiation]
  N -- decommission --> R
  R --> S[Pre-decommissioning gate: records, studies, delegations, licences]
  S --> T{Blockers?}
  T -- yes --> U[Surface remediation list]
  U --> S
  T -- no --> V[Decommissioning attestation: site_head + site_quality_lead + RA + executive authority for high-risk]
  V --> W[SITE_DECOMMISSIONED state decommissioned]
  W --> X[Historical records preserved; queries continue for inspection]
```

— End of Module 9 User Requirements Specification —
