# Verixa — User Requirements Specification

# Module 11: Supplier Management

| Field | Value |
|---|---|
| Document ID | VRX-URS-11 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, Procurement, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-11-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Regulatory Classification | Master-data substrate — operates the canonical supplier catalogue, supplier types and sub-classifications (API / excipient / packaging / CMO / CDMO / CRO / CTL / sterilisation / equipment / calibration / distribution / transporter / IT service / cleaning / waste), supplier criticality classification (critical / major / minor), the supplier qualification and requalification lifecycle, the per-supplier audit register, the quality agreement linkage, the supplier change notification handling workflow, the supplier scorecard / performance metrics register, the supplier-product and supplier-site linkage registers, the supplier risk assessment, the disqualification workflow, and the supplier-bound regulated-record discovery surface that maps the canonical `supplier` scope dimension consumed by URS-03 / URS-05 / URS-07 to every regulated record across URS-12..URS-34. |
| Date of Issue | 2026-05-06 |
| Module Owner (Engineering) | Supplier Master-Data Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — Supplier Management |
| Module Owner (Compliance) | Quality Assurance, Regulatory Affairs, Procurement, Supply Chain |
| Approving Authority | Founder / Chairman & MD; QA Head; Validation Head; RA Head; Information Security Head; Supply Chain / Procurement Lead |

## Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Author — Platform Architecture | _____________________ | _____________________ | __________ |
| Reviewer — Engineering Lead | _____________________ | _____________________ | __________ |
| Reviewer — QA / Validation Lead | _____________________ | _____________________ | __________ |
| Reviewer — Information Security Lead | _____________________ | _____________________ | __________ |
| Reviewer — Regulatory Affairs Lead | _____________________ | _____________________ | __________ |
| Reviewer — Supply Chain / Procurement Lead | _____________________ | _____________________ | __________ |
| Approving Authority — Founder, Chairman & MD | _____________________ | _____________________ | __________ |

## Version History

| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-06 | First issued user requirements specification for Module 11. |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Supplier Management module (Module 11). It is the binding contract between product, engineering, quality validation, regulatory affairs, procurement, supply chain, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the canonical supplier catalogue, the supplier qualification and requalification lifecycle, the per-supplier audit register, the quality agreement and master service agreement linkage, the supplier change notification handling workflow, the supplier scorecard / performance metrics, the supplier-product and supplier-site linkage registers, the supplier risk assessment, the disqualification workflow with gate, the cross-tenant supplier visibility through URS-07 collaboration grants, the outsourced-activity management per EU GMP Chapter 7 / ICH Q10, and the supplier-bound regulated-record discovery surface consumed by URS-12..URS-34. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, Validation, Regulatory Affairs, Procurement, Supply Chain, Information Security, executive authority, the platform's Implementation team, internal and external auditors, inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S), and supplier-quality auditors. The plain-language primer (§0.4) and worked examples (§3.5) make Module 11 accessible to non-domain engineers, product owners, validation engineers, procurement leads, and supplier quality auditors who have not previously specified supplier-management substrates for regulated GxP platforms.

### 0.3 How to read this document

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file.

### 0.4 Plain-language primer for non-domain readers

A **supplier** is any external organisation that provides materials, services, or capabilities into a regulated pharmaceutical operation. The supplier catalogue covers an exceptionally wide range: **raw material suppliers** (drug substances / APIs, excipients, processing aids); **packaging material suppliers** (bottles, blisters, vials, stoppers, labels); **contract manufacturing organisations (CMOs)** that produce drug products on behalf of the marketing-authorisation holder; **contract development and manufacturing organisations (CDMOs)** that combine development and manufacturing; **contract research organisations (CROs)** that run clinical or non-clinical studies; **contract testing laboratories (CTLs)** that perform release or stability testing; **contract sterilisation providers**; **equipment vendors**; **calibration service providers**; **distribution and logistics providers**; **transporters with cold-chain capability**; **IT service providers** that host or operate GxP systems; **cleaning service providers** for cleanrooms; **waste-disposal services**; and many others. Module 11 owns the canonical registry across all these types.

Every supplier must be **qualified** before any material or service is accepted into the regulated operation. Qualification is risk-based per ICH Q9: critical suppliers (whose failure would directly affect product quality, safety, or efficacy — for example an API supplier or a sterile-fill CMO) require the most rigorous qualification (on-site audit, comprehensive quality agreement, frequent requalification); major suppliers (whose failure would indirectly affect quality — for example a packaging-material supplier) require lighter-touch qualification (questionnaire-based, periodic audit); minor suppliers (whose failure would have minimal impact — for example office cleaning service for non-GxP areas) require basic qualification only. Module 11 owns the criticality classification per supplier and drives the per-criticality qualification requirements.

Qualification is performed through a defined sequence: initial supplier identification (RFI / due diligence); supplier questionnaire response; supplier audit (on-site for critical, paper-based for non-critical, with regulator-accepted alternatives like postal audits during pandemic conditions); quality agreement negotiation and signature; master service agreement signature; provisional approval pending first-batch / first-service performance; full qualification after demonstrated compliance over a configurable evaluation period (typically 6-12 months). Each step is electronically signed; **critical suppliers** require executive authority co-sign at qualification per DEC-11-16.

After qualification, suppliers are **requalified periodically**. Per industry practice and FDA/EU expectations, critical suppliers are requalified annually, major suppliers every two years, minor suppliers every three years. Requalification can include a fresh audit, an updated questionnaire response, a review of scorecard performance metrics from the period, and a refreshed risk assessment. Failure to requalify on cadence triggers automatic suspension per DEC-11-10.

The **audit register** captures every audit performed against the supplier — audits initiated by the tenant, by the regulator, by certifying bodies (ISO 9001 / 13485 / 17025), or by other customers (for shared-resource auditing). Audit findings link to URS-12 documents and to URS-18 CAPAs.

The **quality agreement** (mandatory for critical suppliers per DEC-11-06) is a signed document defining the quality responsibilities of each party — who specifies, who manufactures, who tests, who approves changes, who handles deviations, who notifies recalls, who responds to inspection findings. Module 11 captures the quality agreement linkage and the master service agreement linkage to URS-12 documents.

**Supplier change notifications** are the regulated equivalent of vendor change notices: the supplier informs the tenant of an upcoming change to their material, process, site, or quality system; the tenant performs a change impact assessment; the impact may require regulatory submission, re-qualification, re-validation, batch impact assessment, or recall; resolution is electronically signed.

The **supplier scorecard** captures performance metrics over time: on-time delivery, quality reject rate, deviation count, audit findings count, change-notification frequency, response-time SLAs, complaint frequency. Scorecard data drives requalification decisions and supports the risk assessment.

The **supplier-bound regulated-record discovery** surface is the read-only view that surfaces every regulated record (deviation, OOS, batch record where this supplier provided material, complaint where this supplier's component is implicated, recall involving this supplier, URS-13 record referencing this supplier, validation finding affecting this supplier's qualification) whose URS-03 active scope intersects this supplier over a configurable window. This makes the supplier a **first-class navigation entry point** for supplier quality reviews, vendor performance reviews, and regulatory inspections focused on supplier qualification.

### 0.5 Supplier lifecycle diagram

```mermaid
stateDiagram-v2
  [*] --> under_evaluation : Tenant initiates supplier evaluation
  under_evaluation --> provisionally_qualified : Initial qualification signed (questionnaire + audit + QA agreement)
  provisionally_qualified --> qualified : Performance evaluation period passed; full qualification signed
  qualified --> suspended : Quality / regulatory / compliance event triggers hold
  suspended --> qualified : Hold released; resolution evidence logged
  qualified --> disqualified : Disqualification workflow signed
  suspended --> disqualified : Disqualification from suspended state
  under_evaluation --> rejected : Initial qualification fails (terminal)
  provisionally_qualified --> rejected : Performance period fails (terminal)
  rejected --> [*]
  disqualified --> [*]
```

Diagram 0.5-A — Supplier lifecycle. Critical suppliers require executive authority co-sign at `under_evaluation → provisionally_qualified` and at `provisionally_qualified → qualified`. Suspension and disqualification cascade to all open material / service orders where applicable.

### 0.6 Glossary of key terms used in this document

| Term | Definition |
|---|---|
| Audit | A systematic examination of a supplier against quality / regulatory standards; can be on-site, paper-based, postal, or remote. |
| Change notification | Written notice from a supplier of an upcoming change to their material, process, site, or quality system. |
| CMO | Contract Manufacturing Organisation. |
| CDMO | Contract Development and Manufacturing Organisation. |
| CRO | Contract Research Organisation. |
| CTL | Contract Testing Laboratory. |
| Critical supplier | A supplier whose failure would directly affect product quality, safety, or efficacy (e.g., API supplier, sterile-fill CMO). |
| Disqualification | The terminal lifecycle workflow that retires a supplier from approved use. |
| Major supplier | A supplier whose failure would indirectly affect product quality (e.g., packaging-material supplier). |
| Minor supplier | A supplier whose failure would have minimal impact (e.g., office cleaning for non-GxP areas). |
| Provisional qualification | The state between initial qualification and full qualification; supplier is approved pending performance evaluation. |
| Quality agreement (QA) | The signed document defining the quality responsibilities of each party; mandatory for critical suppliers. |
| Requalification | Periodic re-qualification at a defined cadence; annual for critical, biennial for major, triennial for minor. |
| Scorecard | Time-series performance metrics for the supplier (on-time delivery, quality reject rate, deviations, audit findings). |
| Supplier | Any external organisation providing materials, services, or capabilities into the regulated operation. |
| Supplier change notification (SCN) | The formal communication channel for supplier changes; enters the tenant's URS-13 system. |

### 0.7 Module 11 architectural picture

```mermaid
graph LR
  subgraph M11 [Module 11 — Supplier Management]
    CAT[Supplier Catalogue]
    QUAL[Qualification]
    AUDIT[Audit Register]
    QA[Quality Agreements]
    SCN[Change Notifications]
    SCORE[Scorecards]
    SP[Supplier-Product Linkage]
    SS[Supplier-Site Linkage]
    RISK[Risk Assessment]
    LCY[Lifecycle]
  end

  M3[URS-03 Active Scope] <--> CAT
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> CAT
  M6[URS-06 Audit Substrate] --> LCY
  M7[URS-07 Study] <--> CAT
  M8[URS-08 Tenant Lifecycle] --> CAT
  M9[URS-09 Site] <--> SS
  M10[URS-10 Product] <--> SP
  M12[URS-12 Document Control] <--> QA
  M12 <--> AUDIT
  M28[URS-28 Training Management & Qualification] --> CAT
  M30[URS-30 Notifications] --> LCY
  CAT --> M14[URS-14..URS-34 Domain modules]
```

---

## 1. Module Purpose

Module 11 establishes Supplier Management as the canonical master-data substrate for "who provided what" in Verixa. It owns the per-tenant supplier catalogue across the full launch type list; the supplier criticality classification; the qualification and requalification lifecycle; the per-supplier audit register; the quality agreement and master service agreement linkage; the supplier change notification handling workflow; the supplier scorecard / performance metrics register; the supplier-product and supplier-site linkage registers; the supplier risk assessment; the disqualification workflow; and the supplier-bound regulated-record discovery surface. Module 11 is consumed by URS-03 to compute active-scope intersection on the `supplier` scope dimension; by URS-04 to drive supplier-aware workflow firing (e.g., raw-material acceptance workflows that branch on supplier criticality); by URS-05 to scope-bind Authority Profile assignments to suppliers; by URS-06 to attribute audit rows; by URS-07 to compose study scope (e.g., outsourced bioequivalence at a CRO); by URS-09 / URS-10 for supplier-site / supplier-product linkages; by URS-12..URS-34 to bind regulated records to suppliers at creation.

Module 11 is the **first-class navigation entry point for supplier quality reviews** (annual supplier reviews per ICH Q10), for outsourced-activity governance per EU GMP Chapter 7, and for supplier-related regulatory inspections.

---

## 2. Scope

### 2.1 In scope

- The supplier catalogue per DEC-11-01 covering: `raw_material_supplier` (commodity raw materials and processing aids), `api_supplier` (drug substance suppliers), `excipient_supplier`, `packaging_material_supplier`, `cmo` (contract manufacturing organisation), `cdmo` (contract development and manufacturing organisation), `cro` (contract research organisation; clinical and non-clinical), `ctl` (contract testing laboratory), `sterilisation_provider` (gamma, e-beam, EtO, steam), `equipment_vendor`, `calibration_provider`, `distribution_provider`, `transporter` (with cold-chain capability sub-flag), `it_service_provider_gxp` (suppliers operating GxP systems), `cleaning_service`, `waste_disposal`, `consultancy_gxp`, `printing_provider` (artwork / labels), `software_vendor_gxp`, `analytical_instrument_supplier`, `reference_standard_provider`, `media_provider` (microbiology), `gas_provider` (process gases — N2, CO2, O2, helium), `water_treatment_provider`, `pest_control_provider`, `other`. Adding a type is a Class 1 change.
- Supplier criticality classification per DEC-11-02: `critical`, `major`, `minor`; criticality is set at supplier qualification and re-evaluated at every requalification; criticality drives qualification rigor (DEC-11-04), requalification cadence (DEC-11-10), audit cadence (DEC-11-05), quality agreement requirement (DEC-11-06), and Founder-co-sign requirement (DEC-11-16).
- Per-supplier identity fields: `id`, `tenant_id`, `legal_name`, `display_name`, `display_id`, `legal_entity_jurisdiction`, `legal_entity_registration_number`, `pharma_licences_jsonb` (where applicable; mirrors the URS-08 tenant identity model adapted for suppliers), `parent_supplier_id` (nullable; for supplier conglomerates), `corporate_address_jsonb`, `primary_contact_jsonb`, `qa_contact_jsonb`, `regulatory_contact_jsonb`, `supplier_types_jsonb` (multi-select; a supplier may be both `api_supplier` and `cdmo`), `criticality_classification`, `lifecycle_state`, `vertical_classification_jsonb` (e.g., `controlled_substance_handler`, `sterile_capable`, `cold_chain_capable`).
- Qualification requirements per supplier type and criticality (DEC-11-04): launch matrix that defines per-(type × criticality) the required artifacts (questionnaire response, on-site audit, paper-based audit, ISO certification recognition, regulatory authority site approval recognition (e.g., FDA EIR), quality agreement, master service agreement, sample testing, capability assessment).
- Per-supplier audit register per DEC-11-05: audit type (`on_site_initial`, `on_site_periodic`, `on_site_for_cause`, `paper_based`, `postal`, `remote_video`, `customer_audit_shared`, `regulatory_inspection_observed`, `iso_certification_audit`), audit dates, lead auditor identity, scope, findings count by classification, findings register document linkage to URS-12, response register, closure state.
- Quality agreement and master service agreement linkage per DEC-11-06 / DEC-11-07: each linked to URS-12 with effective dates, URS-13 linkage on amendments, party signatures captured.
- Supplier change notification handling per DEC-11-08: inbound SCN from supplier; tenant impact assessment workflow (impact on product specification, regulatory dossier, batch release, re-qualification, re-validation); decision to accept, conditionally accept, reject; CAPA / URS-13 linkage.
- Supplier scorecard / performance metrics per DEC-11-09: time-series metrics (`on_time_delivery_rate`, `quality_reject_rate`, `deviations_count`, `complaints_count`, `audit_findings_count`, `change_notifications_count`, `response_time_sla_compliance_rate`, custom metrics per supplier type); roll-up dashboard.
- Periodic requalification cadence per DEC-11-10: critical = annual; major = biennial; minor = triennial; tenants may configure shorter intervals; tenants may not extend beyond the default without controlled regulatory justification and approved change control; failure to requalify on cadence triggers `regulatory_concern` supplier suspension.
- Supplier-product linkage per DEC-11-11: per-supplier per-product per-material-type linkage capturing which suppliers provide what for which products (used in URS-23 batch records to attribute material lots to suppliers).
- Supplier-site linkage per DEC-11-12: per-supplier supplier-side site identity; if a Verixa tenant uses multiple sites of the same supplier (e.g., supplier has manufacturing in Site A and packaging in Site B), each is qualified separately with its own scope.
- Supplier risk assessment per DEC-11-13: per-supplier risk register applying ICH Q9 risk classification (severity / probability / detectability) for the supplier's failure scenarios; reviewed at every requalification.
- Disqualification workflow per DEC-11-14: pre-disqualification gate (every active material order is fulfilled / cancelled / transferred to alternate supplier; every active service contract is closed; every URS-07 study where the supplier is in scope is closed or amended; every URS-05 Authority Profile assignment scoped to the supplier is revoked); attestation electronically signed by procurement lead, QA lead, RA lead, and, for critical suppliers, executive authority.
- Cross-tenant supplier visibility per DEC-11-15: through URS-07 collaboration grants; partner-tenant suppliers visible only within per-grant scope.
- Executive authority co-sign for critical-supplier qualification per DEC-11-16.
- Supplier-bound regulated-record discovery per DEC-11-17: URS-03 active-scope intersection on `supplier` dimension over configurable window.
- Outsourced-activity management per EU GMP Chapter 7 (DEC-11-18): outsourced activities (manufacturing, testing, distribution, sterilisation) are governed by the quality agreement; the marketing-authorisation holder remains accountable; Module 11 captures the outsourced-activity scope per supplier.
- Supplier deviation / CAPA linkage per DEC-11-19: deviations and CAPAs raised against a supplier are bound to the supplier through URS-03 active-scope; the supplier's scorecard reflects them.
- Supply chain disruption / business continuity per DEC-11-20: per-supplier disruption-risk indicator and alternate-supplier identification; tenant administrator MAY register `qualification_dependent_supplier` and `regulatory_alternate_supplier` relationships per DEC-11-21.
- Cross-supplier relationships per DEC-11-21: `parent_supplier`, `qualification_dependent_supplier`, `regulatory_alternate_supplier`, `successor_of_supplier`.
- Reports and dashboards: per-tenant supplier catalogue, per-supplier dashboard, per-supplier discovery view, audit calendar and history, quality agreements register, scorecard dashboards, requalification due timeline, change notification register, risk assessment register, disqualification register, outsourced activity register.
- Front-end: supplier catalogue browser, supplier creation wizard, per-supplier detail (Overview / Qualification / Audits / QA Agreement / Change Notifications / Scorecard / Products / Sites / Risk / Discovery / Lifecycle / Disqualification), supplier qualification workflow surface, audit register surface, change notification handling workflow, scorecard dashboard, disqualification workflow.
- Cross-module wiring: URS-03 consumes supplier scope; URS-04 fires supplier-aware workflows; URS-05 scope-binds Authority Profiles; URS-06 audits every Module 11 lifecycle event; URS-07 references suppliers (CROs, CTLs) in study scope; URS-08 tenant lifecycle gate; URS-09 supplier-site linkage cross-references; URS-10 supplier-product linkage cross-references; URS-12 holds quality agreements, audit reports, change notifications; URS-28 owns supplier-personnel qualifications where applicable; URS-30 delivers notifications; URS-35 owns long-term archive.

### 2.2 Out of scope

- Authentication, MFA, password policy, session lifecycle (URS-01).
- Permission matrix and base role catalogue (URS-02).
- Active-context resolution and approval-scope check (URS-03).
- Workflow templates, runtime, e-signature ceremony, HITL lifecycle (URS-04).
- Authority Profile catalogue, assignments, delegations, SoD (URS-05).
- Audit substrate (URS-06; Module 11 is a major writer).
- Study management (URS-07).
- Tenant lifecycle (URS-08; Module 11 mutations gated by tenant `active` state).
- Site catalogue (URS-09).
- Product master data (URS-10; Module 11 references products through linkages).
- Document control (URS-12).
- Detailed batch record attributing materials to specific lots (forward URS-23).
- Procurement transactional system (purchase orders, invoicing, receipt — out of platform scope; Module 11 may receive event hooks from external procurement systems).
- Domain-specific record semantics (every domain module owns its own state model).
- AI-driven decision-making (explicitly prohibited; AI suggestion paths are advisory only).

### 2.3 Closed launch decisions

| Identifier | Closed launch decision |
|---|---|
| DEC-11-01 | Supplier types at launch are exactly the enumerated list in §2.1. Adding a top-level type or sub-classification is a Class 1 change. A single supplier MAY have multiple types (e.g., a supplier that is both `api_supplier` and `cdmo`); each type carries its own qualification requirements and the most stringent criticality applies. |
| DEC-11-02 | Supplier criticality classification is exactly three levels: `critical`, `major`, `minor`. Criticality is set at qualification per the criticality decision matrix derived from supplier type and supplied-material/service impact on product quality/safety/efficacy; criticality is re-evaluated at every requalification; a downgrade requires `regulatory_oversight_admin` co-sign; an upgrade is permitted with QA lead signature. |
| DEC-11-03 | Supplier lifecycle states are exactly six values: `under_evaluation`, `provisionally_qualified`, `qualified`, `suspended`, `disqualified`, plus terminal pre-qualified state `rejected` (initial qualification failed). Allowed transitions: `under_evaluation → provisionally_qualified`, `under_evaluation → rejected`; `provisionally_qualified → qualified`, `provisionally_qualified → rejected`; `qualified → suspended`, `suspended → qualified`; `qualified → disqualified`; `suspended → disqualified`. All other transitions are forbidden. Missed requalification beyond the configured grace window sets `lifecycle_state = suspended` and `suspension_reason = requalification_missed_regulatory_concern` (per DEC-11-10). `qualification_status = expired` MAY be stored separately as a qualification status — not as a lifecycle state. Return-to-qualified requires requalification evidence, QA + RA co-sign, and executive authority co-sign for critical suppliers. |
| DEC-11-04 | Per-(supplier type × criticality) qualification requirements matrix: launch matrix specifies the required artifacts for each combination. For example, `critical api_supplier`: questionnaire + on-site audit (≤24 months stale at qualification) + quality agreement + master service agreement + sample testing + GMP certificate from competent authority + Type II DMF reference + executive authority co-sign. For `minor cleaning_service`: questionnaire + ISO 9001 certificate (where applicable) + master service agreement + provisional acceptance. The matrix is platform-managed; tenant administrators MAY tighten requirements for their tenant; tenants MAY NEVER loosen below the matrix. |
| DEC-11-05 | Per-supplier audit register: every audit performed against the supplier is captured with the fields enumerated in §2.1. Audit cadence: critical suppliers MUST have an on-site audit at least every 24 months (or paper-based with regulator-accepted alternative — for example postal audit during pandemic conditions, with documented justification); major suppliers at least every 36 months; minor suppliers at least every 60 months. ISO certification audits and regulator-observed audits MAY substitute where the audit scope is equivalent. |
| DEC-11-06 | Quality agreements are mandatory for `critical` and `major` supplier types where the supplier provides material or service that enters a regulated product (raw material, packaging material, contract manufacturing, contract testing, contract sterilisation, contract distribution). The QA agreement is linked to URS-12 with both-side signatures and effective dates; amendments require URS-13. For `minor` suppliers, a quality agreement is not mandatory but a master service agreement is recommended where the relationship is GxP-relevant. |
| DEC-11-07 | Master service agreement linkage: every supplier MUST have a signed master services agreement before `under_evaluation → provisionally_qualified`; the MSA is linked to URS-12 documents. |
| DEC-11-08 | Supplier change notification handling: inbound SCN creates a record in Module 11; the record triggers an impact assessment workflow that classifies the change (`no_impact`, `minor_impact`, `major_impact`, `critical_impact`); the impact classification routes to the appropriate URS-13; resolution states are `accepted`, `accepted_with_conditions`, `rejected`. Critical-impact changes MUST be linked to URS-13 before resolution; rejection of a critical change initiates supplier-suspension consideration. |
| DEC-11-09 | Supplier scorecard launch metrics: `on_time_delivery_rate`, `quality_reject_rate` (rejected lots / total lots received), `deviations_count` (raised against supplier per period), `complaints_count` (linked to supplier component), `audit_findings_count` (open findings from latest audit), `change_notifications_count` (per period), `response_time_sla_compliance_rate` (compliance with QA agreement response-time requirements). Tenant administrators MAY add custom metrics per supplier type; custom metrics are tracked but do not drive automated lifecycle actions at launch. |
| DEC-11-10 | Periodic requalification cadence: `critical` = annual minimum; `major` = biennial minimum; `minor` = triennial minimum. Tenant administrators MAY configure shorter (more frequent), never longer. Failure to complete requalification within the grace window (default 30 days past due) triggers automatic supplier suspension with `lifecycle_state = suspended` and `suspension_reason = requalification_missed_regulatory_concern` (per DEC-11-03); the supplier's `qualification_status` MAY independently be marked `expired` as a status, not as a lifecycle state. URS-30 reminds at T-90, T-30, T-7. |
| DEC-11-11 | Supplier-product linkage: per-(supplier × product × material-type) record capturing which suppliers provide which materials for which products; consumed by URS-23 (forward) for batch-record material attribution. Material types include `api`, `excipient`, `packaging_primary`, `packaging_secondary`, `printing_artwork`, `processing_aid`. |
| DEC-11-12 | Supplier-site linkage: where a supplier operates from multiple sites, each site is registered separately with its own qualification scope (typical of CMOs / CDMOs with multiple manufacturing sites). The supplier-site has a `site_qualification_state` reflecting whether the site has been audited / qualified for the relevant scope. |
| DEC-11-13 | Supplier risk assessment per ICH Q9: per-supplier risk register with `risk_factor`, `severity` (1-5), `probability` (1-5), `detectability` (1-5), `risk_priority_number` (computed), `mitigation_actions`, `risk_owner`; reviewed at every requalification; risk priority numbers above tenant-configured threshold trigger Founder review. |
| DEC-11-14 | Disqualification workflow: the pre-disqualification gate specifies blockers (enumerated in §2.1); attestation requires procurement lead + QA lead + RA lead; executive authority co-sign for critical suppliers. Disqualified suppliers cannot be re-qualified directly; a re-engagement requires a new supplier record (with `successor_of_supplier` linkage to the disqualified predecessor) entering through full `under_evaluation`. |
| DEC-11-15 | Cross-tenant supplier visibility: through URS-07 collaboration grants; partner-tenant suppliers visible only within per-grant scope; outside the grant, partner-tenant suppliers are not visible. |
| DEC-11-16 | Executive authority co-sign required at: critical-supplier `under_evaluation → provisionally_qualified`, critical-supplier `provisionally_qualified → qualified`, critical-supplier disqualification, return-to-qualified from regulatory-concern suspension. Multi-factor step-up required for every executive authority co-sign. |
| DEC-11-17 | Supplier-bound regulated-record discovery is computed by URS-03 active-scope intersection on the `supplier` scope dimension over a configurable window (default rolling 24 months for active discovery; full lifetime from supplier creation for inspection / archive). |
| DEC-11-18 | Outsourced-activity management per EU GMP Chapter 7: outsourced activities are captured per supplier with scope, quality agreement reference, marketing-authorisation-holder accountability statement, regulatory-authority notification status (where applicable). The Verixa tenant remains accountable for the outsourced activity per Chapter 7. |
| DEC-11-19 | Supplier deviation linkage to URS-16 and CAPA linkage to URS-18: deviations raised against a supplier (URS-16) and CAPAs raised against a supplier (URS-18) are bound to the supplier via the URS-03 `supplier` scope; supplier scorecard `deviations_count` aggregates them; supplier risk assessment is informed by them. |
| DEC-11-20 | Supply chain disruption / business continuity: per-supplier `disruption_risk_indicator` (low / medium / high) and `alternate_supplier_id` (nullable; FK to another qualified supplier providing equivalent capability); tenant administrators MAY register supply-chain risk events; chronic high-disruption-risk suppliers without alternates trigger Founder review. |
| DEC-11-21 | Cross-supplier relationships: `parent_supplier` (where the supplier is a subsidiary of a parent organisation), `qualification_dependent_supplier` (where two suppliers share qualification dependencies — e.g., same DMF holder), `regulatory_alternate_supplier` (formal regulatory backup approved through URS-13), `successor_of_supplier` (where a new supplier replaces a disqualified / decommissioned predecessor). Each relationship requires bilateral electronic signatures (both supplier records' tenant administrators or appropriate authorities). |

---

## 3. User Roles and Permissions

### 3.1 Architecture

Module 11 consumes Layer 1 (base role) and Layer 2 (permission matrix) from URS-02; consumes the Authority Profile catalogue and resolver from URS-05; consumes the active scope from URS-03. Module 11 owns three administrative surfaces: (a) the per-tenant supplier catalogue and creation wizard, (b) the per-supplier detail and qualification surface, (c) the cross-supplier relationship management surface. Module 11 layers a **supplier-level role overlay** (`supplier_owner`, `supplier_quality_lead`, `supplier_member`) for high-sensitivity supplier records.

### 3.2 Role definitions

The five tenant-level base roles defined by URS-02 (`admin`, `quality_lead`, `reviewer`, `auditor`, `viewer`) and the two cross-tenant platform identities apply unchanged. Module 11 introduces three **supplier-level roles**:

| Supplier role | Description | Cardinality per supplier |
|---|---|---|
| `supplier_owner` | The named accountable user (typically Procurement lead) for the supplier record; approves qualification, requalification, lifecycle transitions. | Exactly 1 (when `under_evaluation` or beyond) |
| `supplier_quality_lead` | The named QA accountable user for the supplier; co-signs qualification, audit closure, change-notification resolution. | Exactly 1 (when `provisionally_qualified` or beyond) |
| `supplier_member` | A user with explicit access to a high-sensitivity supplier record under access overlay. | 0 or more |

### 3.3 Authority Profiles consumed by Module 11

| Authority Profile | Module 11 action gated |
|---|---|
| `tenant_admin_authority` | Read supplier catalogue; create suppliers (non-critical); configure tenant-level supplier qualification matrix preferences (within DEC-11-04 minimums). |
| `procurement_lead_authority` (Tier 1; new in Module 11) | Manage `supplier_owner` overlay; sign supplier MSA / QA agreement linkage. |
| `final_quality_approver` | Co-sign critical-supplier qualification; co-sign quality agreement linkage; co-sign disqualification. |
| `regulatory_oversight_admin` | Co-sign critical-supplier qualification; co-sign supplier-licence verification; co-sign return-to-qualified from `regulatory_concern` suspension; co-sign critical-impact change notification resolution. |
| `validation_approver` | Co-sign supplier-site qualification (e.g., where audit covers a CMO's manufacturing site that produces a tenant's product). |
| executive authority | Co-sign critical-supplier qualification per DEC-11-16; co-sign critical-supplier disqualification; co-sign return-to-qualified from regulatory suspension. |
| `cross_tenant_collaboration_authority` | Visibility of partner-tenant suppliers within URS-07 collaboration grants. |

### 3.4 Segregation-of-Duties rules

| SoD rule | Module 11 application |
|---|---|
| `AUTHOR_NEQ_APPROVER` | The user who created a supplier record cannot also approve initial qualification; qualification approver MUST be a different user. |
| `REVIEWER_NEQ_FINAL_APPROVER` | A reviewer of a supplier audit cannot also be the audit closure signer if the workflow node requires both. |
| `SUPPLIER_OWNER_NEQ_QUALITY_LEAD` (Tier 1, supplier-specific) | The `supplier_owner` and `supplier_quality_lead` MUST be distinct users. |
| `AUDIT_FINDING_INDEPENDENT_REVIEWER` (Tier 1, supplier-specific) | A user named in a supplier audit finding cannot be the sole signer of the finding closure attestation. |

### 3.5 Worked examples

#### Worked example A — Critical API supplier qualification

PharmaCorp identifies a new API supplier for atorvastatin calcium. Procurement Lead (with `procurement_lead_authority`) creates the supplier record (state `under_evaluation`); types `api_supplier`; criticality `critical` (any API supplier is critical by policy); legal entity verified; FDA establishment registration confirmed; Type II DMF reference linked. Supplier completes the questionnaire response (linked to URS-12). On-site audit performed (≤24 months stale); audit findings recorded (one minor); response register linked; finding closed with CAPA. Quality agreement negotiated and signed by both parties (linked to URS-12). Master service agreement signed. Sample testing completed on 3 batches. The Procurement Lead submits the supplier for provisional qualification; QA Lead, RA Lead, and executive authority co-sign per DEC-11-16. State moves to `provisionally_qualified`. After 12 months of demonstrated compliance (no critical deviations, no critical complaints, on-time delivery > 95%, scorecard reviewed), the QA Lead, RA Lead, and executive authority co-sign full qualification. State moves to `qualified`.

#### Worked example B — Annual requalification

A critical CMO is due for annual requalification (per DEC-11-10). URS-30 alerts at T-90, T-30, T-7. The QA team performs a fresh on-site audit; updates the questionnaire response; reviews the year's scorecard (delivery 96%, quality 99%, 2 minor deviations, 1 minor audit finding closed, 0 change notifications); updates the risk assessment (no significant change). The supplier is re-qualified through the re-qualification flow with QA Lead + RA Lead + executive authority co-sign. Audit register updated; risk assessment updated; scorecard cycle reset.

#### Worked example C — Supplier change notification (critical impact)

An API supplier sends a change notification: they are moving the API manufacturing process from Site A to Site B. PharmaCorp's QA team opens the SCN record; classifies impact as `critical_impact` (site change = regulatory dossier amendment required). The change is routed to URS-13; impact assessment performed; regulatory notification to FDA filed; Site B is qualified separately (new supplier-site relationship per DEC-11-12); the supplier's Type II DMF is updated by the supplier; PharmaCorp's tenant updates the DMF reference (URS-10). Resolution `accepted_with_conditions` signed by QA Lead + RA Lead + executive authority.

#### Worked example D — Supplier suspension for audit finding

A planned audit of a critical raw-material supplier reveals significant data-integrity issues in the supplier's quality system. The QA Lead opens supplier suspension with reason `regulatory_concern`; provides reason; signs; `regulatory_oversight_admin` co-signs; state moves to `suspended`; URS-30 alerts cross-tenant partners and tenant admin. All open material orders against this supplier are flagged; alternate supplier is engaged. Supplier returns evidence of remediation 60 days later; QA Lead + RA Lead + executive authority co-sign return-to-qualified after a follow-up audit; state returns to `qualified`.

#### Worked example E — Disqualification and successor supplier

A long-term packaging-material supplier (criticality `major`) is disqualified due to repeated quality issues. Pre-disqualification gate runs: every active material order is fulfilled; no open service contract; no URS-07 study with this supplier in scope (packaging suppliers typically don't participate in studies); no active Authority Profile assignments. Procurement Lead, QA Lead, RA Lead sign disqualification attestation. State moves to `disqualified`. A new packaging supplier is engaged under a new supplier record with `successor_of_supplier` linkage to the disqualified predecessor; the new supplier enters `under_evaluation`.

### 3.6 Role-permission matrix (Module 11 administrative surface only)

| Action | viewer | reviewer | quality_lead | auditor | admin | platform_admin | super_admin | Founder | Authority Profile / Supplier role |
|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|---|
| Read supplier catalogue | — | ✓ | ✓ | ✓ | ✓ | support / break-glass only | support / break-glass only | ✓ | — |
| Create supplier (non-critical) | — | — | ✓ + sign | — | ✓ + sign | — | — | — | `tenant_admin_authority` / `procurement_lead_authority` |
| Create supplier (critical) | — | — | ✓ + sign | — | ✓ + sign | — | — | — | `tenant_admin_authority` / `procurement_lead_authority` (system flags the supplier as critical; executive authority co-sign is required only at critical-supplier provisional qualification, full qualification, disqualification, and return-to-qualified from regulatory-concern suspension — not at creation) |
| Submit for provisional qualification | — | — | supplier_owner + sign | — | supplier_owner + sign | — | — | — | `supplier_owner` |
| Sign provisional qualification (non-critical) | — | — | independent of creator + sign + final_quality_approver co-sign | — | independent of creator + sign + final_quality_approver co-sign | — | — | — | `supplier_owner` (independent) + `final_quality_approver` |
| Sign provisional qualification (critical) | — | — | — | — | — | — | — | ✓ + sign + MFA | `supplier_owner` (independent) + `final_quality_approver` + `regulatory_oversight_admin` + executive authority |
| Sign full qualification (after performance period) | — | — | supplier_owner + sign + final_quality_approver | — | supplier_owner + sign + final_quality_approver | — | — | ✓ + sign for critical | `supplier_owner` + `final_quality_approver` (+ executive authority for critical) |
| Suspend supplier | — | — | supplier_owner + sign | — | supplier_owner + sign | — | — | — | `supplier_owner` (+ RA / IS for regulatory) |
| Return-to-qualified from suspension | — | — | supplier_owner + sign + RA co-sign | — | supplier_owner + sign + RA co-sign | — | — | ✓ + sign for regulatory | `supplier_owner` + `regulatory_oversight_admin` (+ executive authority for regulatory) |
| Initiate audit | — | — | supplier_quality_lead + sign | — | supplier_quality_lead + sign | — | — | — | `supplier_quality_lead` |
| Close audit findings | — | — | supplier_quality_lead + sign + independent reviewer | — | supplier_quality_lead + sign + independent reviewer | — | — | — | `supplier_quality_lead` + independent per `AUDIT_FINDING_INDEPENDENT_REVIEWER` |
| Sign quality agreement linkage | — | — | supplier_quality_lead + sign + final_quality_approver co-sign | — | supplier_quality_lead + sign + final_quality_approver co-sign | — | — | — | `supplier_quality_lead` + `final_quality_approver` |
| Resolve change notification (critical impact) | — | — | supplier_quality_lead + sign + final_quality_approver + RA co-sign + executive authority for critical | — | supplier_quality_lead + sign + co-signs | — | — | ✓ + sign for critical | `supplier_quality_lead` + `final_quality_approver` + `regulatory_oversight_admin` (+ executive authority for critical-impact) |
| Initiate periodic requalification | — | — | supplier_quality_lead + sign | — | supplier_quality_lead + sign | — | — | — | `supplier_quality_lead` |
| Update supplier scorecard metrics | — | — | supplier_quality_lead | — | supplier_quality_lead | — | — | — | `supplier_quality_lead` |
| Update supplier-product / supplier-site linkages | — | — | supplier_owner + sign + validation co-sign | — | supplier_owner + sign + validation co-sign | — | — | — | `supplier_owner` + `validation_approver` |
| Update supplier risk assessment | — | — | supplier_quality_lead + sign | — | supplier_quality_lead + sign | — | — | — | `supplier_quality_lead` |
| Initiate disqualification | — | — | supplier_owner + sign | — | supplier_owner + sign | — | — | — | `supplier_owner` |
| Sign disqualification attestation | — | — | supplier_owner + supplier_quality_lead + RA + executive authority for critical | — | supplier_owner + supplier_quality_lead + RA | — | — | ✓ + sign for critical | `supplier_owner` + `supplier_quality_lead` + `regulatory_oversight_admin` + executive authority for critical |
| Read per-supplier discovery view | — | supplier-role | supplier-role | ✓ | supplier-role or `audit:read` | support / break-glass only | support / break-glass only | ✓ | supplier-role overlay |
| Export per-supplier discovery | — | — | — | — | supplier_owner + sign + `audit:export` | support / break-glass only | support / break-glass only | — | `supplier_owner` + `audit:export` |
| Configure supplier-level access overlay | — | — | — | — | ✓ + sign | support / break-glass only | support / break-glass only | — | `tenant_admin_authority` |

External identities cannot reach Module 11 administrative surfaces.

#### 3.6.1 Platform-identity tenant actions — controlled support / break-glass posture

Per URS-02 §3.6.1 and URS-08 §3.6.1, platform identities MAY perform tenant-scoped Module 11 actions only under controlled support / break-glass posture: target tenant identifier, business-justification, support-ticket / customer-reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED`, SOC alert, customer notification within 24 hours.

---

## 4. End-to-End User Journeys

### J-01 — Supplier creation (non-critical)

- Trigger: tenant administrator creates a new supplier.
- Steps: opens supplier catalogue; creates supplier with type, criticality, identity, contacts; signs; supplier enters `under_evaluation`.
- Audit: `SUPPLIER_CREATED`.

### J-02 — Supplier creation (critical) — system flags critical; downstream qualification gates apply

- Trigger: tenant administrator or `procurement_lead_authority` creates a new critical supplier.
- Steps: standard creation flow; system flags `criticality = critical`; creation does NOT require executive authority co-sign. Executive authority co-sign is required only at critical-supplier provisional qualification, critical-supplier full qualification, critical-supplier disqualification, and return-to-qualified from regulatory-concern suspension.
- Audit: `SUPPLIER_CREATED` with `criticality = critical`.

### J-03 — Initial qualification questionnaire

- Trigger: supplier responds to qualification questionnaire.
- Steps: supplier-quality-lead opens questionnaire surface; reviews supplier responses; uploads to URS-12; signs review.
- Audit: `SUPPLIER_QUESTIONNAIRE_REVIEWED`.

### J-04 — Initial supplier audit (on-site)

- Trigger: critical / major supplier audit scheduled.
- Steps: supplier-quality-lead opens audit register; creates audit record with type, dates, lead auditor, scope; performs audit; logs findings; uploads findings register to URS-12; closes audit findings with `AUDIT_FINDING_INDEPENDENT_REVIEWER`.
- Audit: `SUPPLIER_AUDIT_INITIATED`, `SUPPLIER_AUDIT_FINDINGS_LOGGED`, `SUPPLIER_AUDIT_CLOSED`.

```mermaid
sequenceDiagram
  autonumber
  participant SQL as Supplier Quality Lead
  participant API as Module 11 API
  participant U12 as URS-12 Document Control
  participant LOG as URS-06 Audit
  participant IR as Independent Reviewer

  SQL->>API: POST /suppliers/:id/audits initiate
  API->>LOG: SUPPLIER_AUDIT_INITIATED
  Note over SQL: On-site audit performed
  SQL->>U12: Upload findings register
  SQL->>API: POST /suppliers/:id/audits/:audId/log-findings
  API->>LOG: SUPPLIER_AUDIT_FINDINGS_LOGGED
  Note over SQL,IR: Findings closure with independent reviewer per AUDIT_FINDING_INDEPENDENT_REVIEWER
  SQL->>API: POST /suppliers/:id/audits/:audId/close
  IR->>API: independent reviewer co-sign
  API->>LOG: SUPPLIER_AUDIT_CLOSED
```

### J-05 — Quality agreement linkage signed

- Trigger: QA agreement negotiated.
- Steps: supplier_quality_lead opens QA agreement linkage; uploads signed QA agreement to URS-12; signs; `final_quality_approver` co-signs; effective dates set.
- Audit: `QUALITY_AGREEMENT_LINKED`.

### J-06 — Master service agreement linkage signed

- Trigger: MSA negotiated.
- Steps: supplier_owner opens MSA linkage; uploads signed MSA to URS-12; signs; `procurement_lead_authority` co-signs.
- Audit: `MASTER_SERVICE_AGREEMENT_LINKED`.

### J-07 — Provisional qualification

- Trigger: questionnaire / audit / QA / MSA all complete.
- Steps: supplier_owner submits for provisional qualification; system validates all required artifacts per DEC-11-04 matrix; if all present, `final_quality_approver` co-signs; for critical, `regulatory_oversight_admin` and Founder also co-sign with MFA; state moves to `provisionally_qualified`.
- Audit: `SUPPLIER_PROVISIONALLY_QUALIFIED`.

```mermaid
flowchart TD
  A([Supplier owner submits for provisional qualification]) --> B{Required artifacts per DEC-11-04 matrix present?}
  B -- no --> C[QUALIFICATION_ARTIFACTS_INCOMPLETE; surface missing]
  B -- yes --> D{Criticality}
  D -- non-critical --> E[supplier_owner signs independent of creator + final_quality_approver co-signs]
  D -- critical --> F[supplier_owner + final_quality_approver + regulatory_oversight_admin + executive authority co-signs with MFA]
  E --> G[SUPPLIER_PROVISIONALLY_QUALIFIED]
  F --> G
```
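The J-07 gate combines three controls: artifact completeness, the Segregation-of-Duties rules from §3.4, and the DEC-11-16 MFA step-up. The following is an added sketch of that decision in Python, not Verixa code; the artifact sets stand in for the DEC-11-04 matrix (not reproduced in this section), and the `Signature` / `Supplier` shapes, the `executive_authority` key and the `SIGN_OFF_REJECTED` outcome are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DEC-11-04 artifact matrix, which this section does not reproduce.
REQUIRED_ARTIFACTS = {
    "critical": {"questionnaire", "on_site_audit", "quality_agreement", "master_service_agreement"},
    "major": {"questionnaire", "on_site_audit", "quality_agreement"},
    "minor": {"questionnaire"},
}

# Sign-off capacities from the J-07 flowchart. "executive_authority" is a hypothetical
# key for the profile the page calls "executive authority".
CRITICAL_CAPACITIES = ["supplier_owner", "final_quality_approver",
                       "regulatory_oversight_admin", "executive_authority"]
NON_CRITICAL_CAPACITIES = ["supplier_owner", "final_quality_approver"]
MFA_REQUIRED = {"executive_authority"}  # DEC-11-16: step-up on every executive co-sign


@dataclass(frozen=True)
class Signature:
    user_id: str
    capacity: str
    mfa_step_up: bool = False


@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    criticality: str            # critical / major / minor
    created_by: str
    supplier_owner: str
    supplier_quality_lead: Optional[str]
    artifacts: frozenset


def evaluate_provisional_qualification(supplier, signatures):
    """Gate for under_evaluation -> provisionally_qualified. Returns (outcome, problems)."""
    missing = sorted(REQUIRED_ARTIFACTS[supplier.criticality] - supplier.artifacts)
    if missing:
        return "QUALIFICATION_ARTIFACTS_INCOMPLETE", ["missing artifact: " + m for m in missing]

    problems = []
    # Section 3.2 cardinality for the target state, and SUPPLIER_OWNER_NEQ_QUALITY_LEAD.
    if supplier.supplier_quality_lead is None:
        problems.append("supplier_quality_lead not assigned")
    elif supplier.supplier_quality_lead == supplier.supplier_owner:
        problems.append("SUPPLIER_OWNER_NEQ_QUALITY_LEAD violated")

    required = CRITICAL_CAPACITIES if supplier.criticality == "critical" else NON_CRITICAL_CAPACITIES
    for capacity in required:
        sigs = [s for s in signatures if s.capacity == capacity]
        if not sigs:
            problems.append("missing signature: " + capacity)
        for sig in sigs:
            # AUTHOR_NEQ_APPROVER: the record's creator cannot approve its qualification.
            if sig.user_id == supplier.created_by:
                problems.append("AUTHOR_NEQ_APPROVER violated by " + sig.user_id)
            # The overlay role is bound to one named user; nobody else may sign in it.
            if capacity == "supplier_owner" and sig.user_id != supplier.supplier_owner:
                problems.append("supplier_owner signature from non-owner " + sig.user_id)
            if capacity in MFA_REQUIRED and not sig.mfa_step_up:
                problems.append("MFA step-up missing: " + capacity)

    if problems:
        return "SIGN_OFF_REJECTED", problems   # hypothetical outcome code
    return "SUPPLIER_PROVISIONALLY_QUALIFIED", []


# Constructed sample: a critical supplier created by a tenant admin.
SAMPLE_SUPPLIER = Supplier(
    supplier_id="SUP-0001", criticality="critical", created_by="u-admin",
    supplier_owner="u-procurement", supplier_quality_lead="u-qa",
    artifacts=frozenset(REQUIRED_ARTIFACTS["critical"]),
)
SAMPLE_SIGNATURES = [
    Signature("u-procurement", "supplier_owner"),
    Signature("u-qa-head", "final_quality_approver"),
    Signature("u-ra", "regulatory_oversight_admin"),
    Signature("u-founder", "executive_authority", mfa_step_up=True),
]

if __name__ == "__main__":
    print(evaluate_provisional_qualification(SAMPLE_SUPPLIER, SAMPLE_SIGNATURES))
```

The gate evaluates every rule and returns all violations together, so a rejected submission surfaces the full remediation list rather than one failure per attempt.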

### J-08 — Full qualification (after performance period)

- Trigger: provisional qualification + performance evaluation period (default 12 months) elapsed.
- Steps: supplier_quality_lead reviews scorecard for the period; if pass criteria met (no critical deviations, on-time delivery within target, audit findings closed), submits for full qualification; co-signs per criticality (executive authority for critical); state moves to `qualified`.
- Audit: `SUPPLIER_FULLY_QUALIFIED`.

### J-09 — Supplier change notification handling (no impact)

- Trigger: supplier sends SCN.
- Steps: supplier_quality_lead opens SCN record; reviews; classifies `no_impact`; signs; resolution `accepted`.
- Audit: `SUPPLIER_CHANGE_NOTIFICATION_RECEIVED`, `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED`.

### J-10 — Supplier change notification handling (critical impact)

- Trigger: supplier sends SCN with critical impact.
- Steps: supplier_quality_lead opens SCN; classifies `critical_impact`; routes to URS-13; impact assessment performed; resolution requires `final_quality_approver` + `regulatory_oversight_admin` + executive authority co-sign; state set per resolution.
- Audit: `SUPPLIER_CHANGE_NOTIFICATION_RECEIVED`, `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED` (with classification `critical_impact`).

### J-11 — Periodic requalification due

- Trigger: requalification due per DEC-11-10 cadence.
- Steps: URS-30 alerts T-90, T-30, T-7; supplier_quality_lead initiates requalification; performs fresh audit / questionnaire / scorecard review / risk assessment update; submits; co-signs per criticality.
- Audit: `SUPPLIER_REQUALIFICATION_INITIATED`, `SUPPLIER_REQUALIFIED`.

### J-12 — Periodic requalification missed — auto-suspension

- Trigger: requalification not completed within grace window (default +30 days past due).
- Steps: scheduled job auto-suspends supplier with reason `regulatory_concern`; URS-30 alerts; mutations on supplier blocked.
- Audit: `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED`.

### J-13 — Supplier suspension (quality finding)

- Trigger: significant quality issue identified at supplier.
- Steps: supplier_owner opens suspension; reason `quality_concern`; signs; `final_quality_approver` co-signs; state moves to `suspended`; URS-30 alerts.
- Audit: `SUPPLIER_SUSPENDED` with reason.

### J-14 — Supplier return-to-qualified

- Trigger: suspension reason resolved.
- Steps: supplier_owner submits resolution evidence; co-signers per reason (RA for regulatory; QA for quality); executive authority for regulatory-concern; state returns to `qualified`.
- Audit: `SUPPLIER_RETURNED_TO_QUALIFIED`.

### J-15 — Audit register: regulator-observed inspection

- Trigger: FDA inspects the supplier and the tenant attends.
- Steps: supplier_quality_lead opens audit register; creates record with `inspection_type = regulatory_inspection_observed`; logs findings; CAPAs created in URS-18.
- Audit: `SUPPLIER_AUDIT_INITIATED` with type.

### J-16 — Supplier scorecard updated

- Trigger: scheduled metric update or event-driven (deviation raised; complaint linked).
- Steps: scorecard automatically updates from event flow; `supplier_quality_lead` MAY adjust manual metrics with signature; threshold breaches trigger URS-30 alerts.
- Audit: `SUPPLIER_SCORECARD_UPDATED`.

### J-17 — Supplier-product linkage created

- Trigger: tenant procures material from supplier for a specific product.
- Steps: supplier_owner opens linkage register; selects supplier × product × material type; signs; `validation_approver` co-signs (where qualification evidence required).
- Audit: `SUPPLIER_PRODUCT_LINKAGE_CREATED`.

### J-18 — Supplier-site linkage created

- Trigger: tenant uses a specific supplier site (e.g., a CMO's manufacturing site B).
- Steps: supplier_owner opens supplier-site register; creates record; site qualification scope captured; signs; `validation_approver` co-signs.
- Audit: `SUPPLIER_SITE_LINKAGE_CREATED`.

### J-19 — Supplier risk assessment update

- Trigger: requalification or new event affects risk profile.
- Steps: supplier_quality_lead opens risk register; updates severity / probability / detectability; computed RPN updated; mitigation actions tracked; signs.
- Audit: `SUPPLIER_RISK_ASSESSMENT_UPDATED`.

### J-20 — Supplier disqualification initiated

- Trigger: business or quality decision to disqualify.
- Steps: supplier_owner opens disqualification; pre-disqualification gate runs.
- Audit: `SUPPLIER_DISQUALIFICATION_INITIATED`.

### J-21 — Pre-disqualification gate blocks

- Trigger: open material orders / service contracts / studies / delegations.
- Steps: gate returns blockers with deep-links; tenant resolves.
- Audit: one of `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS` per blocker category.

### J-22 — Disqualification attestation

- Trigger: gate cleared.
- Steps: supplier_owner + supplier_quality_lead + `regulatory_oversight_admin` + executive authority for critical sign; state moves to `disqualified`.
- Audit: `SUPPLIER_DISQUALIFIED`.

### J-23 — Successor supplier creation

- Trigger: tenant engages successor for disqualified or expired predecessor.
- Steps: tenant administrator creates new supplier referencing `successor_of_supplier_id`; new supplier enters `under_evaluation`.
- Audit: `SUCCESSOR_SUPPLIER_CREATED`.

### J-24 — Cross-supplier relationship registered

- Trigger: tenant registers `regulatory_alternate_supplier` between two suppliers.
- Steps: supplier_owner of supplier A opens relationship surface; selects supplier B; type; rationale; signs; supplier_owner of supplier B accepts; relationship active.
- Audit: `CROSS_SUPPLIER_RELATIONSHIP_REGISTERED`.

### J-25 — Supplier-bound regulated-record discovery

- Trigger: supplier-role member opens discovery view.
- Steps: system computes URS-03 active-scope intersection on `supplier` dimension; returns paginated list of records; cross-tenant grant scope respected.
- Audit: `SUPPLIER_DISCOVERY_VIEW_OPENED` once per session.

### J-26 — Auditor reads supplier discovery as inspection-ready

- Trigger: regulatory inspection focused on supplier governance.
- Steps: auditor opens discovery view full lifetime; exports through Controlled Approval Modal; receives PDF + JSON bundle with integrity manifest.
- Audit: `SUPPLIER_DISCOVERY_EXPORTED`.

### J-27 — Outsourced-activity register

- Trigger: outsourced activity with supplier (e.g., contract sterilisation).
- Steps: supplier_owner registers activity scope; quality agreement linkage required; marketing-authorisation-holder accountability statement captured; regulatory-authority notification status (where applicable).
- Audit: `OUTSOURCED_ACTIVITY_REGISTERED`.

### J-28 — Executive break-glass supplier hold

- Trigger: serious supply-chain quality signal across products.
- Steps: Founder uses `global_quality_oversight` to issue immediate supplier hold; URS-04 override-use ceremony; URS-30 alerts; supplier moves to `suspended` with override reference.
- Audit: `SUPPLIER_SUSPENDED` with `override_authority_profile_used = global_quality_oversight`.

---

## 5. Front-End Expected State

### 5.1 Routes

| Route | Surface | Role / Authority gate |
|---|---|---|
| `/suppliers` | Supplier catalogue browser | tenant base role + `audit:read` |
| `/suppliers/new` | Supplier creation wizard | `tenant_admin_authority` / `procurement_lead_authority` |
| `/suppliers/:id` | Per-supplier detail (Overview / Qualification / Audits / QA Agreement / Change Notifications / Scorecard / Products / Sites / Risk / Discovery / Lifecycle) | supplier-role overlay |
| `/suppliers/:id/qualification` | Qualification workflow surface | `supplier_owner` + co-signers |
| `/suppliers/:id/audits` | Audit register | `supplier_quality_lead` for write |
| `/suppliers/:id/quality-agreements` | QA agreement linkage | `supplier_quality_lead` + `final_quality_approver` |
| `/suppliers/:id/change-notifications` | SCN handling | `supplier_quality_lead` |
| `/suppliers/:id/scorecard` | Scorecard dashboard | `supplier_quality_lead` for write; auditor for read |
| `/suppliers/:id/products` | Supplier-product linkage | `supplier_owner` + `validation_approver` |
| `/suppliers/:id/sites` | Supplier-site linkage | `supplier_owner` + `validation_approver` |
| `/suppliers/:id/risk-assessment` | Risk assessment register | `supplier_quality_lead` |
| `/suppliers/:id/discovery` | Supplier-bound discovery | supplier-role or `audit:read` |
| `/suppliers/:id/lifecycle` | Lifecycle transitions | `supplier_owner` + co-signers |
| `/suppliers/:id/disqualify` | Disqualification workflow | `supplier_owner` + co-signers + executive authority for critical |
| `/suppliers/:id/relationships` | Cross-supplier relationships | `supplier_owner` (both sides) |
| `/admin/suppliers/qualification-matrix` | Tenant-level qualification matrix preferences | `tenant_admin_authority` |
| `/admin/suppliers/requalification-calendar` | Cross-supplier requalification due timeline | `tenant_admin_authority` |
| `/admin/suppliers/disqualification-register` | Cross-supplier disqualifications | `tenant_admin_authority` |

### 5.2 Component requirements

- **Supplier catalogue browser** — high-density list with type chips, criticality badges, lifecycle states, jurisdiction flags, vertical chips (cold-chain, sterile-capable, controlled-substance-handler); filters by type, criticality, lifecycle, last-audit-date, requalification-due window.
- **Supplier creation wizard** — multi-step: identity → types (multi-select) → criticality → contacts → vertical classification → review → submit. Critical flag visible.
- **Per-supplier detail (tabbed)** — Overview, Qualification, Audits, QA Agreement, Change Notifications, Scorecard, Products, Sites, Risk, Discovery, Lifecycle, Disqualification. Lifecycle banner across top. Critical badge.
- **Qualification workflow** — checklist of required artifacts per DEC-11-04 matrix; live status; submit gates on complete.
- **Audit register** — chronological list with type, dates, scope, findings count by classification, closure state; deep-links to URS-12.
- **QA agreement linkage** — table with effective dates; amendments through URS-13.
- **SCN handling surface** — inbound queue; impact classification helper; URS-13 deep-link; resolution states.
- **Scorecard dashboard** — time-series charts for delivery, quality reject, deviations, audit findings, response-time SLA; threshold breaches highlighted.
- **Supplier-product matrix** — visual grid of suppliers × products × material types.
- **Supplier-site matrix** — supplier × site qualification states.
- **Risk register** — per-risk-factor severity / probability / detectability with computed RPN.
- **Discovery view** — paginated list of records intersecting supplier scope.
- **Disqualification surface** — pre-disqualification gate; remediation list; attestation wizard with co-signatures.

### 5.3 Accessibility and internationalisation

- WCAG 2.1 Level AA across all surfaces.
- Supplier names rendered as-is (legal); identifiers canonical.
- Date / time displayed in user time zone; stored UTC; ISO 8601.
- Cross-tenant content (via URS-07 grant) clearly distinguished.

---

## 6. Back-End Expected State

### 6.1 Domain entities

- `suppliers` — canonical supplier record per DEC-11-01..03.
- `supplier_qualification_artifacts` — per-supplier qualification artifact register (questionnaire, audit, QA agreement, MSA, sample testing, etc.).
- `supplier_audits` — per-supplier audit register per DEC-11-05.
- `supplier_audit_findings` — per-audit findings list.
- `supplier_quality_agreements` — QA agreement linkage to URS-12.
- `supplier_master_service_agreements` — MSA linkage to URS-12.
- `supplier_change_notifications` — inbound SCN with impact assessment per DEC-11-08.
- `supplier_scorecards` — time-series scorecard metrics per DEC-11-09.
- `supplier_product_linkages` — per supplier × product × material-type per DEC-11-11.
- `supplier_site_linkages` — per supplier × supplier-side-site per DEC-11-12.
- `supplier_risk_assessments` — per-supplier risk register per DEC-11-13.
- `supplier_lifecycle_events` — append-only lifecycle transition log.
- `supplier_member_roster` — supplier-level access overlay.
- `supplier_disqualification_runs` — per-disqualification workflow record.
- `supplier_outsourced_activities` — outsourced activity register per DEC-11-18.
- `cross_supplier_relationships` — relationships per DEC-11-21.
- `supplier_periodic_requalifications` — per-cycle requalification record.

#### 6.1.1 Diagram 6.1-A — Module 11 entity-relationship overview

```mermaid
erDiagram
  SUPPLIERS ||--o{ SUPPLIER_QUALIFICATION_ARTIFACTS : qualified_via
  SUPPLIERS ||--o{ SUPPLIER_AUDITS : audited_by
  SUPPLIER_AUDITS ||--o{ SUPPLIER_AUDIT_FINDINGS : findings
  SUPPLIERS ||--o{ SUPPLIER_QUALITY_AGREEMENTS : signed_with
  SUPPLIERS ||--o{ SUPPLIER_MASTER_SERVICE_AGREEMENTS : signed_with
  SUPPLIERS ||--o{ SUPPLIER_CHANGE_NOTIFICATIONS : notifies
  SUPPLIERS ||--o{ SUPPLIER_SCORECARDS : tracked_by
  SUPPLIERS ||--o{ SUPPLIER_PRODUCT_LINKAGES : provides_to
  SUPPLIERS ||--o{ SUPPLIER_SITE_LINKAGES : operates_from
  SUPPLIERS ||--o{ SUPPLIER_RISK_ASSESSMENTS : assessed_via
  SUPPLIERS ||--o{ SUPPLIER_LIFECYCLE_EVENTS : lifecycle_log
  SUPPLIERS ||--o| SUPPLIER_MEMBER_ROSTER : access_overlay
  SUPPLIERS ||--o| SUPPLIER_DISQUALIFICATION_RUNS : disqualified_via
  SUPPLIERS ||--o{ SUPPLIER_OUTSOURCED_ACTIVITIES : outsources_to
  SUPPLIERS ||--o{ SUPPLIER_PERIODIC_REQUALIFICATIONS : requalified_via
  SUPPLIERS ||--o{ CROSS_SUPPLIER_RELATIONSHIPS : related_to
  SUPPLIER_QUALITY_AGREEMENTS }o--|| URS_12_DOCUMENTS : evidence
  SUPPLIER_AUDITS }o--|| URS_12_DOCUMENTS : findings_register
  SUPPLIER_PRODUCT_LINKAGES }o--|| URS_10_DRUG_PRODUCTS : product_reference
  SUPPLIER_SITE_LINKAGES }o--o| URS_09_SITES : tenant_side_site_reference
```

### 6.1.2 Diagram 6.1-B — Supplier lifecycle state machine

```mermaid
stateDiagram-v2
  [*] --> under_evaluation : SUPPLIER_CREATED
  under_evaluation --> provisionally_qualified : SUPPLIER_PROVISIONALLY_QUALIFIED
  under_evaluation --> rejected : SUPPLIER_REJECTED
  provisionally_qualified --> qualified : SUPPLIER_FULLY_QUALIFIED
  provisionally_qualified --> rejected : SUPPLIER_REJECTED_AT_PERFORMANCE_PERIOD
  qualified --> suspended : SUPPLIER_SUSPENDED
  suspended --> qualified : SUPPLIER_RETURNED_TO_QUALIFIED
  qualified --> disqualified : SUPPLIER_DISQUALIFIED
  suspended --> disqualified : SUPPLIER_DISQUALIFIED
  qualified --> suspended : SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED (requalification missed beyond grace, suspension_reason = requalification_missed_regulatory_concern)
  rejected --> [*]
  disqualified --> [*]
  expired --> [*]
```

### 6.1.3 Diagram 6.1-C — Supplier scope feeds URS-03 active scope intersection

```mermaid
flowchart LR
  M11[Module 11 supplier identifier + active window] --> U3[URS-03 active scope resolver]
  R[Regulated record with supplier in scope] --> U3
  U3 --> I{Intersection within supplier active window?}
  I -- yes --> D[Discoverable from supplier]
  I -- no --> ND[Not discoverable]
```

### 6.1.4 Diagram 6.1-D — Periodic requalification cycle

```mermaid
flowchart TD
  A[Supplier qualified] --> B[Requalification cadence per criticality]
  B --> C[URS-30 reminders T-90 T-30 T-7]
  C --> D{Requalification submitted?}
  D -- yes within window --> E[Audit / questionnaire / scorecard / risk update]
  E --> F[Co-signs per criticality including executive authority for critical]
  F --> G[SUPPLIER_REQUALIFIED; cycle reset]
  G --> A
  D -- no past grace --> H["SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED; lifecycle_state suspended; suspension_reason requalification_missed_regulatory_concern; qualification_status MAY be marked expired as a status, not a lifecycle state"]
  H --> I[Re-engagement requires full qualification flow]
```

### 6.2 Data model requirements

| Entity | Purpose | Key fields | Required | Unique | Tenant isolation | Versioning | Retention | Soft-delete | Audit | E-sig link |
|---|---|---|---|---|---|---|---|---|---|---|
| `suppliers` | Canonical supplier record | `id`, `tenant_id`, `legal_name`, `display_name`, `display_id`, `legal_entity_jurisdiction`, `legal_entity_registration_number`, `pharma_licences_jsonb`, `parent_supplier_id` (nullable), `corporate_address_jsonb`, `primary_contact_jsonb`, `qa_contact_jsonb`, `regulatory_contact_jsonb`, `supplier_types_jsonb`, `criticality_classification`, `lifecycle_state`, `vertical_classification_jsonb`, `created_by`, `created_at`, `qualified_at` (nullable), `disqualified_at` (nullable), `successor_of_supplier_id` (nullable), `critical_flag` | per state | unique(`tenant_id`, `display_id`); unique(`tenant_id`, `legal_name`, `legal_entity_jurisdiction`, `legal_entity_registration_number`) | RLS on `tenant_id` | stateful + append-only audit | retain (long-term) | yes (disqualified / rejected preserved; expired qualification status preserved in qualification-status history) | yes | yes |
| `supplier_qualification_artifacts` | Per-supplier qualification artifact register | `id`, `supplier_id`, `artifact_type` (`questionnaire` / `audit` / `quality_agreement` / `msa` / `sample_testing` / `iso_certificate` / `gmp_certificate` / `dmf_authorisation_letter` / `capability_assessment`), `urs12_document_id`, `effective_from`, `effective_to` (nullable), `published_e_sig_id` | core required | unique(`supplier_id`, `artifact_type`, `effective_from`) | RLS via supplier | stateful | retain (long-term) | not applicable | yes | yes |
| `supplier_audits` | Per-supplier audit register | `id`, `supplier_id`, `audit_type`, `audit_dates_jsonb`, `lead_auditor_identity`, `scope_jsonb`, `findings_count_by_classification_jsonb`, `findings_register_document_id` (FK URS-12), `response_register_document_id` (nullable), `closure_state`, `closed_e_sig_id` (nullable), `created_e_sig_id` | core required | unique(`supplier_id`, `id`) | RLS via supplier | stateful | retain (long-term) | not applicable | yes | yes |
| `supplier_audit_findings` | Per-audit finding | `id`, `audit_id`, `finding_classification` (`critical` / `major` / `minor`), `finding_description_summary`, `capa_id` (FK URS-18 CAPA), `closure_state`, `closed_e_sig_id` (nullable; with independent reviewer per `AUDIT_FINDING_INDEPENDENT_REVIEWER`) | core required | unique(`audit_id`, `id`) | RLS via audit | stateful | retain (long-term) | not applicable | yes | yes |
| `supplier_quality_agreements` | QA agreement linkage | `id`, `supplier_id`, `qa_agreement_document_id` (FK URS-12), `effective_from`, `effective_to` (nullable), `signed_e_sig_id` (tenant side), `final_quality_approver_co_sign_e_sig_id`, `superseded_by_id` (nullable) | core required | unique active(`supplier_id`) | RLS via supplier | versioned | retain (long-term) | not applicable | yes | yes |
| `supplier_master_service_agreements` | MSA linkage | `id`, `supplier_id`, `msa_document_id`, `effective_from`, `effective_to` (nullable), `signed_e_sig_id`, `procurement_co_sign_e_sig_id`, `superseded_by_id` (nullable) | core required | unique active(`supplier_id`) | RLS via supplier | versioned | retain (long-term) | not applicable | yes | yes |
| `supplier_change_notifications` | Inbound SCN with impact assessment | `id`, `supplier_id`, `received_at`, `supplier_reference`, `description_summary`, `impact_classification`, `urs13_record_id` (nullable; FK URS-12 for major / critical impact), `resolution_state`, `resolved_at` (nullable), `resolved_e_sig_ids_jsonb` (derived read snapshot only; authoritative multi-signature evidence is stored in the module signature-slot table) | core required | unique(`supplier_id`, `supplier_reference`) | RLS via supplier | stateful | retain (long-term) | not applicable | yes | yes |
| `supplier_scorecards` | Time-series scorecard metrics | `id`, `supplier_id`, `metric_type`, `period_start`, `period_end`, `value`, `data_source` (event-driven / manual), `recorded_at` | core required | unique(`supplier_id`, `metric_type`, `period_end`) | RLS via supplier | append-only | retain (long-term) | not applicable | yes | not applicable |
| `supplier_product_linkages` | Per-supplier × product × material-type | `id`, `supplier_id`, `product_id` (FK URS-10), `material_type`, `effective_from`, `effective_to` (nullable), `qualification_evidence_id` (nullable), `created_e_sig_id`, `validation_co_sign_e_sig_id` | core required | unique active(`supplier_id`, `product_id`, `material_type`) | RLS via supplier | stateful | retain (long-term) | yes | yes | yes |
| `supplier_site_linkages` | Per-supplier × supplier-side-site | `id`, `supplier_id`, `supplier_side_site_identifier`, `site_qualification_state`, `qualification_audit_id` (FK supplier_audits), `effective_from`, `effective_to` (nullable), `created_e_sig_id`, `validation_co_sign_e_sig_id` | core required | unique active(`supplier_id`, `supplier_side_site_identifier`) | RLS via supplier | stateful | retain (long-term) | yes | yes | yes |
| `supplier_risk_assessments` | Per-supplier risk register | `id`, `supplier_id`, `risk_factor`, `severity`, `probability`, `detectability`, `risk_priority_number`, `mitigation_actions_jsonb`, `risk_owner`, `assessed_at`, `assessed_e_sig_id` | core required | unique(`supplier_id`, `risk_factor`, `assessed_at`) | RLS via supplier | append-only | retain (long-term) | not applicable | yes | yes |
| `supplier_lifecycle_events` | Append-only lifecycle log | `id`, `supplier_id`, `from_state`, `to_state`, `event_code`, `signature_set_jsonb` (derived read snapshot only), `reason_jsonb`, `audit_log_id` (FK URS-06), `triggered_at`, `previous_hash`, `record_hash` | all | unique(`supplier_id`, `id`); unique(`record_hash`) | RLS via supplier | append-only | retain (long-term) | not applicable | yes | yes |
| `supplier_member_roster` | Access overlay roster | `id`, `supplier_id`, `user_id`, `effective_from`, `effective_to` (nullable), `assigned_e_sig_id`, `removed_at` (nullable) | core required | unique active(`supplier_id`, `user_id`) | RLS via supplier | stateful | per supplier retention | yes | yes | yes |
| `supplier_disqualification_runs` | Per-disqualification workflow | `id`, `supplier_id`, `initiated_at`, `gate_check_results_jsonb`, `gate_cleared_at`, `attestation_signed_e_sig_ids_jsonb` (derived read snapshot only; authoritative multi-signature evidence is stored in the module signature-slot table), `state`, `disqualified_at` | per state | unique(`supplier_id`) | RLS via supplier | stateful | retain (long-term) | not applicable | yes | yes |
| `supplier_outsourced_activities` | Outsourced activity register per DEC-11-18 | `id`, `supplier_id`, `activity_type` (`outsourced_manufacturing` / `outsourced_testing` / `outsourced_distribution` / `outsourced_sterilisation`), `scope_jsonb`, `qa_agreement_id` (FK), `mah_accountability_statement_document_id` (FK URS-12), `regulatory_notification_state`, `effective_from`, `effective_to` (nullable), `created_e_sig_id` | core required | unique active(`supplier_id`, `activity_type`) | RLS via supplier | stateful | retain (long-term) | yes | yes | yes |
| `cross_supplier_relationships` | Cross-supplier relationships per DEC-11-21 | `id`, `from_supplier_id`, `to_supplier_id`, `relationship_type`, `rationale`, `effective_from`, `effective_to` (nullable), `from_signed_e_sig_id`, `to_signed_e_sig_id`, `revoked_at` (nullable) | core required | unique active(`from_supplier_id`, `to_supplier_id`, `relationship_type`) | RLS via either side | stateful | retain (long-term) | yes | yes | yes |
| `supplier_periodic_requalifications` | Per-cycle requalification record | `id`, `supplier_id`, `requalification_cycle_start`, `requalification_cycle_end`, `audit_id` (FK supplier_audits; nullable), `questionnaire_artifact_id` (nullable), `scorecard_review_summary_jsonb`, `risk_assessment_id`, `requalified_e_sig_ids_jsonb` (derived read snapshot only; authoritative multi-signature evidence is stored in the module signature-slot table), `outcome` (`requalified` / `requalified_with_conditions` / `failed_requalification`) | core required | unique(`supplier_id`, `requalification_cycle_start`) | RLS via supplier | stateful | retain (long-term) | not applicable | yes | yes |
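
The `previous_hash` / `record_hash` columns on `supplier_lifecycle_events` make the lifecycle log tamper-evident. The following is an added example, not Verixa code, of appending to and verifying such a chain. SHA-256 over canonical JSON, the all-zero genesis value, the set of hashed fields and every function name are assumptions, because this URS does not specify the hash construction; the sample events are constructed.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumption: previous_hash of a supplier's first event

# Columns covered by record_hash (assumption). signature_set_jsonb is left out
# because section 6.2 calls it a derived read snapshot only.
HASHED_FIELDS = ("supplier_id", "from_state", "to_state", "event_code",
                 "reason_jsonb", "audit_log_id", "triggered_at", "previous_hash")

BROKEN_LINK = "previous_hash does not match prior record_hash"
BAD_HASH = "record_hash does not match record content"


def compute_record_hash(event):
    """SHA-256 over a canonical JSON encoding of the hashed columns."""
    payload = {name: event.get(name) for name in HASHED_FIELDS}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(chain, **fields):
    """Append one lifecycle event, linked to the current head of the chain."""
    if chain and chain[-1]["to_state"] != fields["from_state"]:
        raise ValueError("from_state does not continue the previous to_state")
    previous = chain[-1]["record_hash"] if chain else GENESIS_HASH
    event = dict(fields, previous_hash=previous)
    event["record_hash"] = compute_record_hash(event)
    chain.append(event)
    return event


def verify_chain(chain):
    """Return (index, problem) findings; an empty list means the chain is intact."""
    findings = []
    expected_previous = GENESIS_HASH
    for index, event in enumerate(chain):
        if event.get("previous_hash") != expected_previous:
            findings.append((index, BROKEN_LINK))
        if compute_record_hash(event) != event.get("record_hash"):
            findings.append((index, BAD_HASH))
        # Follow the stored hash so a single edit is reported once, not cascaded.
        expected_previous = event.get("record_hash")
    return findings


def build_sample_chain():
    """Three constructed events for one supplier, following Diagram 6.1-B."""
    chain = []
    steps = [
        (None, "under_evaluation", "SUPPLIER_CREATED"),
        ("under_evaluation", "provisionally_qualified", "SUPPLIER_PROVISIONALLY_QUALIFIED"),
        ("provisionally_qualified", "qualified", "SUPPLIER_FULLY_QUALIFIED"),
    ]
    for number, (from_state, to_state, event_code) in enumerate(steps, start=1):
        append_event(
            chain,
            supplier_id="sup-001",                      # constructed
            from_state=from_state,
            to_state=to_state,
            event_code=event_code,
            reason_jsonb={"text": f"constructed reason {number}"},
            audit_log_id=f"audit-{number:04d}",         # constructed
            triggered_at=f"2026-05-0{number}T09:00:00Z",
        )
    return chain


if __name__ == "__main__":
    for event in build_sample_chain():
        print(event["event_code"], event["record_hash"][:16])
```

Removing events from the end of the log leaves a shorter chain that still verifies, so the latest `record_hash` also has to be recorded somewhere outside this table for truncation to be detectable.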

### 6.3 API requirements

#### 6.3.1 Catalogue and lifecycle

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/suppliers` | tenant-scoped | filters | `Supplier[]` | tenant base role + `audit:read` | `SUPPLIER_CATALOGUE_VIEW_OPENED` once per session | none |
| GET | `/suppliers/:id` | tenant-scoped or partner-tenant per URS-07 grant | none | full supplier detail | supplier-role overlay | none | `NOT_FOUND` |
| POST | `/suppliers` | administrator | supplier fields (electronic-signed; critical supplier creation records the criticality flag; executive authority co-sign is not required at creation) | `201` | `tenant_admin_authority` / `procurement_lead_authority` | `SUPPLIER_CREATED` | validation |
| POST | `/suppliers/:id/submit-for-provisional-qualification` | supplier owner | reason (electronic-signed) | `200` | `supplier_owner` | `SUPPLIER_SUBMITTED_FOR_PROVISIONAL_QUALIFICATION` | `STATE_NOT_UNDER_EVALUATION`, `QUALIFICATION_ARTIFACTS_INCOMPLETE` |
| POST | `/suppliers/:id/sign-provisional-qualification` | supplier owner (independent of creator) + co-signers | reason (electronic-signed + MFA + co-signs) | `200` | `supplier_owner` (independent) + `final_quality_approver` (+ `regulatory_oversight_admin` + executive authority for critical) | `SUPPLIER_PROVISIONALLY_QUALIFIED` | `STATE_NOT_SUBMITTED`, `APPROVER_IS_CREATOR`, `MISSING_FOUNDER_COSIGN`, `MISSING_RA_COSIGN` |
| POST | `/suppliers/:id/sign-full-qualification` | supplier owner + co-signers | scorecard summary + reason (electronic-signed + co-signs) | `200` | `supplier_owner` + `final_quality_approver` (+ executive authority for critical) | `SUPPLIER_FULLY_QUALIFIED` | `STATE_NOT_PROVISIONAL`, `PERFORMANCE_PERIOD_NOT_ELAPSED` |
| POST | `/suppliers/:id/suspend` | supplier owner | `{reason}` (electronic-signed + co-sign per reason) | `200` | `supplier_owner` (+ RA / QA per reason) | `SUPPLIER_SUSPENDED` | `STATE_NOT_QUALIFIED` |
| POST | `/suppliers/:id/return-to-qualified` | supplier owner + co-signers | resolution evidence (electronic-signed + co-signs + executive authority for regulatory) | `200` | `supplier_owner` + `regulatory_oversight_admin` (+ executive authority for regulatory) | `SUPPLIER_RETURNED_TO_QUALIFIED` | `STATE_NOT_SUSPENDED`, `RESOLUTION_EVIDENCE_MISSING` |
| POST | `/suppliers/:id/reject` | supplier owner | reason (electronic-signed) | `200` | `supplier_owner` | `SUPPLIER_REJECTED` | `STATE_NOT_PRE_QUALIFIED` |

#### 6.3.2 Qualification artifacts, audits, agreements

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/suppliers/:id/qualification-artifacts` | tenant-scoped | none | artifact register | supplier-role | none | none |
| POST | `/suppliers/:id/qualification-artifacts` | supplier owner / quality lead | artifact fields + URS-12 reference (electronic-signed) | `201` | `supplier_owner` / `supplier_quality_lead` | `SUPPLIER_QUALIFICATION_ARTIFACT_REGISTERED` | validation |
| GET | `/suppliers/:id/audits` | tenant-scoped | filters | `Audit[]` | supplier-role or `audit:read` | none | none |
| POST | `/suppliers/:id/audits` | supplier quality lead | audit fields (electronic-signed) | `201` | `supplier_quality_lead` | `SUPPLIER_AUDIT_INITIATED` | validation |
| POST | `/suppliers/:id/audits/:audId/log-findings` | supplier quality lead | findings (electronic-signed) | `200` | `supplier_quality_lead` | `SUPPLIER_AUDIT_FINDINGS_LOGGED` | validation |
| POST | `/suppliers/:id/audits/:audId/close` | supplier quality lead + independent reviewer | closure attestation (electronic-signed + independent) | `200` | `supplier_quality_lead` + independent per `AUDIT_FINDING_INDEPENDENT_REVIEWER` | `SUPPLIER_AUDIT_CLOSED` | `MISSING_INDEPENDENT_REVIEWER`, validation |
| POST | `/suppliers/:id/quality-agreements` | supplier quality lead + final QA co-sign | QA agreement document + dates (electronic-signed + co-sign) | `201` | `supplier_quality_lead` + `final_quality_approver` | `QUALITY_AGREEMENT_LINKED` | validation |
| POST | `/suppliers/:id/master-service-agreements` | supplier owner + procurement co-sign | MSA document + dates (electronic-signed + co-sign) | `201` | `supplier_owner` + `procurement_lead_authority` | `MASTER_SERVICE_AGREEMENT_LINKED` | validation |

#### 6.3.3 Change notifications, scorecard, risk

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| POST | `/suppliers/:id/change-notifications` | supplier quality lead | SCN fields (electronic-signed) | `201` | `supplier_quality_lead` | `SUPPLIER_CHANGE_NOTIFICATION_RECEIVED` | validation |
| POST | `/suppliers/:id/change-notifications/:scnId/classify` | supplier quality lead | classification (electronic-signed) | `200` | `supplier_quality_lead` | `SUPPLIER_CHANGE_NOTIFICATION_CLASSIFIED` | validation |
| POST | `/suppliers/:id/change-notifications/:scnId/resolve` | supplier quality lead + co-signers per impact | resolution + URS-13 link (electronic-signed + co-signs + executive authority for critical-impact) | `200` | `supplier_quality_lead` + `final_quality_approver` + `regulatory_oversight_admin` for major / critical (+ executive authority for critical-impact) | `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED` | validation |
| GET | `/suppliers/:id/scorecard` | tenant-scoped | filters | scorecard data | supplier-role or `audit:read` | none | none |
| POST | `/suppliers/:id/scorecard/manual-update` | supplier quality lead | metric (electronic-signed) | `201` | `supplier_quality_lead` | `SUPPLIER_SCORECARD_UPDATED` | validation |
| POST | `/suppliers/:id/risk-assessments` | supplier quality lead | risk fields (electronic-signed) | `201` | `supplier_quality_lead` | `SUPPLIER_RISK_ASSESSMENT_UPDATED` | validation |

#### 6.3.4 Linkages, requalification, outsourced activities, disqualification

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| POST | `/suppliers/:id/products` | supplier owner + validation co-sign | linkage fields (electronic-signed + co-sign) | `201` | `supplier_owner` + `validation_approver` | `SUPPLIER_PRODUCT_LINKAGE_CREATED` | validation |
| POST | `/suppliers/:id/sites` | supplier owner + validation co-sign | linkage fields (electronic-signed + co-sign) | `201` | `supplier_owner` + `validation_approver` | `SUPPLIER_SITE_LINKAGE_CREATED` | validation |
| POST | `/suppliers/:id/requalification/initiate` | supplier quality lead | reason (electronic-signed) | `200` | `supplier_quality_lead` | `SUPPLIER_REQUALIFICATION_INITIATED` | validation |
| POST | `/suppliers/:id/requalification/sign` | supplier quality lead + co-signers | requalification artifacts + reason (electronic-signed + co-signs) | `200` | `supplier_quality_lead` + `final_quality_approver` (+ executive authority for critical) | `SUPPLIER_REQUALIFIED` | `MISSING_FOUNDER_COSIGN`, validation |
| POST | `/suppliers/:id/outsourced-activities` | supplier owner + RA co-sign | activity fields + QA agreement + MAH accountability statement (electronic-signed + co-sign) | `201` | `supplier_owner` + `regulatory_oversight_admin` | `OUTSOURCED_ACTIVITY_REGISTERED` | validation |
| POST | `/suppliers/:id/disqualify/initiate` | supplier owner | reason (electronic-signed) | `200` | `supplier_owner` | `SUPPLIER_DISQUALIFICATION_INITIATED` | gate blockers |
| GET | `/suppliers/:id/disqualify/gate-status` | supplier owner / auditor | none | gate result | supplier-role / `audit:read` | none | none |
| POST | `/suppliers/:id/disqualify/sign-attestation` | supplier owner + supplier quality lead + RA + executive authority for critical | attestation (electronic-signed + co-signs) | `200` | `supplier_owner` + `supplier_quality_lead` + `regulatory_oversight_admin` + executive authority for critical | `SUPPLIER_DISQUALIFIED` | `MISSING_COSIGN`, `GATE_NOT_CLEARED` |

#### 6.3.5 Discovery and relationships

| Method | Endpoint | Actor | Request | Response | Permission | Audit |
|---|---|---|---|---|---|---|
| GET | `/suppliers/:id/discovery` | tenant-scoped or partner-tenant per grant | filters | `DiscoveryRecord[]` | supplier-role or `audit:read` | `SUPPLIER_DISCOVERY_VIEW_OPENED` once per session |
| POST | `/suppliers/:id/discovery/export` | supplier owner + `audit:export` | filters + format (electronic-signed) | signed download URL + integrity manifest | `supplier_owner` + `audit:export` | `SUPPLIER_DISCOVERY_EXPORTED` |
| POST | `/suppliers/:id/relationships` | supplier owner (from-side) | `{toSupplierId, type, rationale}` (electronic-signed) | `201` | `supplier_owner` (from-side) | `CROSS_SUPPLIER_RELATIONSHIP_PROPOSED` |
| POST | `/suppliers/:id/relationships/:relId/accept` | supplier owner (to-side) | reason (electronic-signed) | `200` | `supplier_owner` (to-side) | `CROSS_SUPPLIER_RELATIONSHIP_REGISTERED` |
| POST | `/suppliers/:id/relationships/:relId/revoke` | supplier owner (either side) | reason (electronic-signed) | `200` | `supplier_owner` (either side) | `CROSS_SUPPLIER_RELATIONSHIP_REVOKED` |

### 6.4 Workflow / lifecycle requirements

| Workflow | Step | Time-to-live or timer | Auto-action | Reminder |
|---|---|---|---|---|
| Periodic requalification (critical) | annual | continuous | URS-30 reminders; auto-suspend at +30d grace | T-90, T-30, T-7 |
| Periodic requalification (major) | biennial | continuous | URS-30 reminders; auto-suspend at +30d grace | T-90, T-30, T-7 |
| Periodic requalification (minor) | triennial | continuous | URS-30 reminders; auto-suspend at +30d grace | T-90, T-30, T-7 |
| Performance period after provisional qualification | 6-12 months default per criticality | continuous | URS-30 reminder; supplier_owner reviews | T-30 |
| Audit cadence (critical) | ≤24 months | continuous | URS-30 reminder | T-90 |
| Audit cadence (major) | ≤36 months | continuous | URS-30 reminder | T-90 |
| Audit cadence (minor) | ≤60 months | continuous | URS-30 reminder | T-180 |
| Change notification resolution | per impact (critical = 5 business days; major = 15; minor = 30) | continuous | escalate per SLA | T-1 |
| Disqualification gate watch | none | continuous | surfaces remediation list | none |
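
The periodic requalification rows above can be read as a daily scheduler decision. The following is an added example, not Verixa code, that derives the due date from criticality, lists the T-90 / T-30 / T-7 reminder dates and decides when the +30-day grace has lapsed. Counting the cycle from the last qualification date, mapping 29 February to 28 February, treating the last grace day as still in grace, and all function names are assumptions.

```python
from datetime import date, timedelta

CADENCE_YEARS = {"critical": 1, "major": 2, "minor": 3}  # annual / biennial / triennial
REMINDER_OFFSETS_DAYS = (90, 30, 7)                       # T-90, T-30, T-7
GRACE_DAYS = 30                                           # auto-suspend at +30d grace


def add_years(start, years):
    """Same calendar day N years later; 29 Feb falls back to 28 Feb (assumption)."""
    try:
        return start.replace(year=start.year + years)
    except ValueError:
        return start.replace(year=start.year + years, day=28)


def requalification_schedule(criticality, last_qualified_on):
    """Due date, reminder dates and end of grace for one requalification cycle."""
    due = add_years(last_qualified_on, CADENCE_YEARS[criticality])
    return {
        "due": due,
        "reminders": {f"T-{d}": due - timedelta(days=d) for d in REMINDER_OFFSETS_DAYS},
        "grace_ends": due + timedelta(days=GRACE_DAYS),
    }


def daily_action(criticality, last_qualified_on, today, requalification_submitted=False):
    """What the scheduler does for one supplier on `today`."""
    schedule = requalification_schedule(criticality, last_qualified_on)
    if requalification_submitted:
        return {"action": "none"}
    if today > schedule["grace_ends"]:
        # Lifecycle state becomes suspended; "expired" is only a qualification status.
        return {
            "action": "auto_suspend",
            "event_code": "SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED",
            "lifecycle_state": "suspended",
            "suspension_reason": "requalification_missed_regulatory_concern",
        }
    for label, when in schedule["reminders"].items():
        if today == when:
            return {"action": "send_reminder", "reminder": label}
    if today > schedule["due"]:
        return {"action": "overdue_in_grace",
                "days_left": (schedule["grace_ends"] - today).days}
    return {"action": "none"}


if __name__ == "__main__":
    # Constructed case: critical supplier last qualified on a leap day.
    print(requalification_schedule("critical", date(2024, 2, 29)))
    print(daily_action("critical", date(2024, 2, 29), date(2025, 3, 31)))
```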

### 6.5 Business rules

- **BR-11-01** — Supplier provisional qualification requires `supplier_owner` (independent of creator per `AUTHOR_NEQ_APPROVER`) + `final_quality_approver` co-sign; critical types require `regulatory_oversight_admin` + executive authority co-sign per DEC-11-16.
- **BR-11-02** — Required qualification artifacts per DEC-11-04 matrix MUST be present before `under_evaluation → provisionally_qualified`; missing returns `QUALIFICATION_ARTIFACTS_INCOMPLETE` with the specific missing item.
- **BR-11-03** — Quality agreement is mandatory for `critical` and `major` suppliers providing material/service that enters a regulated product per DEC-11-06.
- **BR-11-04** — Master service agreement is mandatory before `under_evaluation → provisionally_qualified` per DEC-11-07.
- **BR-11-05** — `supplier_owner` and `supplier_quality_lead` MUST be distinct users per `SUPPLIER_OWNER_NEQ_QUALITY_LEAD`.
- **BR-11-06** — Audit findings closure MUST require an independent reviewer per `AUDIT_FINDING_INDEPENDENT_REVIEWER`; reviewer cannot be named in the finding.
- **BR-11-07** — Critical-impact change notification resolution MUST require `final_quality_approver` + `regulatory_oversight_admin` + executive authority co-sign and a linked URS-13 per DEC-11-08.
- **BR-11-08** — Periodic requalification MUST be initiated within the cadence per DEC-11-10; if it has not been initiated by the end of the grace window, the supplier is auto-suspended with reason `regulatory_concern`.
- **BR-11-09** — Audit cadence per DEC-11-05 MUST be respected; missed audit triggers `regulatory_concern` suspension consideration.
- **BR-11-10** — Disqualification pre-gate per DEC-11-14 MUST clear all blockers before attestation.
- **BR-11-11** — Disqualification attestation requires `supplier_owner` + `supplier_quality_lead` + `regulatory_oversight_admin` + executive authority for critical co-signs.
- **BR-11-12** — Cross-supplier relationships require bilateral signatures.
- **BR-11-13** — Supplier-level access overlay enforces `403 SUPPLIER_CONFIDENTIAL_NOT_MEMBER`.
- **BR-11-14** — Supplier-bound discovery is computed by URS-03 active-scope intersection on `supplier` dimension per DEC-11-17.
- **BR-11-15** — Module 11 mutations are blocked when tenant lifecycle (URS-08) is anything other than `active`.
- **BR-11-16** — Cross-tenant supplier visibility is restricted to URS-07 collaboration grant scope.
- **BR-11-17** — Audit-log writes are atomic with the originating action.
- **BR-11-18** — Supplier lifecycle events emit dual audit per URS-08 DEC-08-18.
- **BR-11-19** — Successor supplier linkage is preserved via `successor_of_supplier_id` and captured by URS-06.
- **BR-11-20** — Snapshot pinning: in-flight regulated decisions reference the supplier qualification state effective at decision time.
- **BR-11-21** — Supplier scorecard metrics drive automated alerts when thresholds are breached (configurable per metric per supplier type); chronic threshold breaches trigger Founder review.
- **BR-11-22** — Outsourced activity registration per DEC-11-18 requires `regulatory_oversight_admin` co-sign + linked QA agreement + MAH accountability statement.
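
The separation-of-duties rules above combine with the lifecycle state machine of Diagram 6.1-B into a single server-side guard. The following is an added example, not Verixa code, that covers BR-11-01, BR-11-05, BR-11-11 and BR-11-15. The role identifier `executive_authority`, the codes `TENANT_NOT_ACTIVE` and `TRANSITION_NOT_ALLOWED`, the mapping of missing roles to the page's error codes, and the function and class names are assumptions; per-reason co-signs for suspension and return are not modelled.

```python
from dataclasses import dataclass

# (from_state, event_code) -> to_state, transcribed from Diagram 6.1-B.
TRANSITIONS = {
    ("under_evaluation", "SUPPLIER_PROVISIONALLY_QUALIFIED"): "provisionally_qualified",
    ("under_evaluation", "SUPPLIER_REJECTED"): "rejected",
    ("provisionally_qualified", "SUPPLIER_FULLY_QUALIFIED"): "qualified",
    ("provisionally_qualified", "SUPPLIER_REJECTED_AT_PERFORMANCE_PERIOD"): "rejected",
    ("qualified", "SUPPLIER_SUSPENDED"): "suspended",
    ("suspended", "SUPPLIER_RETURNED_TO_QUALIFIED"): "qualified",
    ("qualified", "SUPPLIER_DISQUALIFIED"): "disqualified",
    ("suspended", "SUPPLIER_DISQUALIFIED"): "disqualified",
}

RA = "regulatory_oversight_admin"
EXEC = "executive_authority"  # assumed identifier for "executive authority"

# event_code -> (roles always required, extra roles for critical suppliers),
# from BR-11-01, BR-11-11 and the permission column of section 6.3.1.
REQUIRED_ROLES = {
    "SUPPLIER_PROVISIONALLY_QUALIFIED": ({"supplier_owner", "final_quality_approver"}, {RA, EXEC}),
    "SUPPLIER_FULLY_QUALIFIED": ({"supplier_owner", "final_quality_approver"}, {EXEC}),
    "SUPPLIER_DISQUALIFIED": ({"supplier_owner", "supplier_quality_lead", RA}, {EXEC}),
}
DEFAULT_ROLES = ({"supplier_owner"}, set())

# Assumed mapping from a missing role to the error codes listed in section 6.3.
MISSING_CODE = {EXEC: "MISSING_FOUNDER_COSIGN", RA: "MISSING_RA_COSIGN"}


@dataclass(frozen=True)
class Signature:
    user_id: str
    role: str


def authorize_transition(supplier, event_code, signatures, tenant_state="active"):
    """Return (to_state, errors); to_state is None when the transition is refused."""
    errors = []
    if tenant_state != "active":                      # BR-11-15
        errors.append("TENANT_NOT_ACTIVE")            # hypothetical code
    to_state = TRANSITIONS.get((supplier["lifecycle_state"], event_code))
    if to_state is None:                              # includes terminal states
        errors.append("TRANSITION_NOT_ALLOWED")       # hypothetical code
        return None, errors

    signers = {}                                      # role -> set of user ids
    for signature in signatures:
        signers.setdefault(signature.role, set()).add(signature.user_id)

    base, critical_extra = REQUIRED_ROLES.get(event_code, DEFAULT_ROLES)
    required = set(base)
    if supplier["criticality_classification"] == "critical":
        required |= critical_extra
    for role in sorted(required - set(signers)):
        errors.append(MISSING_CODE.get(role, "MISSING_COSIGN"))

    owners = signers.get("supplier_owner", set())
    # BR-11-01 / AUTHOR_NEQ_APPROVER: the creator cannot approve as supplier_owner.
    if event_code == "SUPPLIER_PROVISIONALLY_QUALIFIED" and supplier["created_by"] in owners:
        errors.append("APPROVER_IS_CREATOR")
    # BR-11-05: one user cannot sign as both owner and quality lead.
    if owners & signers.get("supplier_quality_lead", set()):
        errors.append("SUPPLIER_OWNER_NEQ_QUALITY_LEAD")

    return (to_state if not errors else None), errors


if __name__ == "__main__":
    supplier = {"lifecycle_state": "under_evaluation",       # constructed record
                "criticality_classification": "critical",
                "created_by": "u-creator"}
    partial = [Signature("u-owner", "supplier_owner"),
               Signature("u-qa", "final_quality_approver")]
    print(authorize_transition(supplier, "SUPPLIER_PROVISIONALLY_QUALIFIED", partial))
```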

### 6.6 Audit trail requirements

Module 11 governance event vocabulary (canonical launch list):

`SUPPLIER_CREATED`, `SUPPLIER_REJECTED`, `SUPPLIER_SUBMITTED_FOR_PROVISIONAL_QUALIFICATION`, `SUPPLIER_PROVISIONALLY_QUALIFIED`, `SUPPLIER_FULLY_QUALIFIED`, `SUPPLIER_SUSPENDED`, `SUPPLIER_RETURNED_TO_QUALIFIED`, `SUPPLIER_DISQUALIFICATION_INITIATED`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS`, `SUPPLIER_DISQUALIFIED`, `SUPPLIER_REQUALIFICATION_INITIATED`, `SUPPLIER_REQUALIFIED`, `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED`, `SUPPLIER_QUALIFICATION_ARTIFACT_REGISTERED`, `SUPPLIER_AUDIT_INITIATED`, `SUPPLIER_AUDIT_FINDINGS_LOGGED`, `SUPPLIER_AUDIT_CLOSED`, `QUALITY_AGREEMENT_LINKED`, `QUALITY_AGREEMENT_AMENDED`, `MASTER_SERVICE_AGREEMENT_LINKED`, `MASTER_SERVICE_AGREEMENT_AMENDED`, `SUPPLIER_CHANGE_NOTIFICATION_RECEIVED`, `SUPPLIER_CHANGE_NOTIFICATION_CLASSIFIED`, `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED`, `SUPPLIER_SCORECARD_UPDATED`, `SUPPLIER_SCORECARD_THRESHOLD_BREACHED`, `SUPPLIER_PRODUCT_LINKAGE_CREATED`, `SUPPLIER_PRODUCT_LINKAGE_TERMINATED`, `SUPPLIER_SITE_LINKAGE_CREATED`, `SUPPLIER_SITE_LINKAGE_TERMINATED`, `SUPPLIER_RISK_ASSESSMENT_UPDATED`, `OUTSOURCED_ACTIVITY_REGISTERED`, `OUTSOURCED_ACTIVITY_TERMINATED`, `CROSS_SUPPLIER_RELATIONSHIP_PROPOSED`, `CROSS_SUPPLIER_RELATIONSHIP_REGISTERED`, `CROSS_SUPPLIER_RELATIONSHIP_REVOKED`, `SUPPLIER_ACCESS_OVERLAY_ENABLED`, `SUPPLIER_MEMBER_ADDED`, `SUPPLIER_MEMBER_REMOVED`, `SUPPLIER_CONFIDENTIAL_ACCESS_DENIED` (forensic), `SUPPLIER_DISCOVERY_VIEW_OPENED` (coarse), `SUPPLIER_DISCOVERY_EXPORTED`, `SUPPLIER_CATALOGUE_VIEW_OPENED` (coarse), `SUCCESSOR_SUPPLIER_CREATED`, `PLATFORM_TENANT_ACCESS_USED`, `PLATFORM_TENANT_ACCESS_DENIED`.

### 6.7 Record versioning and class-of-change governance

- Versioned (immutable per published version): `supplier_quality_agreements`, `supplier_master_service_agreements`, `supplier_lifecycle_events`.
- Stateful with append-only audit history: `suppliers`, `supplier_qualification_artifacts`, `supplier_audits`, `supplier_audit_findings`, `supplier_change_notifications`, `supplier_product_linkages`, `supplier_site_linkages`, `supplier_outsourced_activities`, `cross_supplier_relationships`, `supplier_member_roster`, `supplier_disqualification_runs`, `supplier_periodic_requalifications`.
- Append-only: `supplier_scorecards`, `supplier_risk_assessments`.
- Soft-delete: `suppliers` (rejected / disqualified / expired preserved).

---

## 7. Cross-Module Wiring and Change-Impact

### 7.1 Cross-module wiring

```mermaid
graph LR
  subgraph M11 [Module 11 — Supplier Management]
    CAT[Catalogue]
    QUAL[Qualification]
    AUDIT[Audits]
    QA[QA Agreements]
    SCN[SCNs]
    SCORE[Scorecards]
    LCY[Lifecycle]
  end
  M3[URS-03 Active Scope] <--> CAT
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> CAT
  M6[URS-06 Audit Substrate] --> LCY
  M7[URS-07 Study] <--> CAT
  M8[URS-08 Tenant Lifecycle] --> CAT
  M9[URS-09 Site] <--> CAT
  M10[URS-10 Product] <--> CAT
  M12[URS-12 Document Control] <--> QA
  M28[URS-28 Training Management & Qualification] --> CAT
  M30[URS-30 Notifications] --> LCY
  CAT --> M14[URS-14..URS-34 Domain modules]
```

### 7.2 Change-Impact Matrix (CIM)

| Change | Class | Impact on (modules) | Required revalidation |
|---|---|---|---|
| Add supplier type / sub-classification (DEC-11-01) | 1 | URS-04 templates; qualification matrix | Full regression |
| Add criticality level (DEC-11-02) | 1 | qualification matrix; cadence | Full regression |
| Add lifecycle state (DEC-11-03) | 1 | every consuming module's tenant hook | Full regression |
| Change qualification matrix (DEC-11-04) | 2 | qualification flow | Targeted regression |
| Add audit type | 2 | audit register | Targeted regression |
| Change requalification cadence default (DEC-11-10) | 2 | URS-30 schedule | Targeted regression |
| Change scorecard metric / threshold | 3 | dashboard / alerts | Unit regression |
| Add cross-supplier relationship type (DEC-11-21) | 2 | UI relationship graph | Targeted regression |
| Add audit event code | 3 | URS-06 | Writer-presence regression |
| UI copy or layout change | 4 | none | Visual regression |

### 7.3 Cross-module dependencies (consumed by Module 11)

| Dependency | Source | Impact | Blocking? |
|---|---|---|---|
| Authentication, MFA | URS-01 | Substrate | Blocking |
| Effective permissions | URS-02 | Base role gate | Blocking |
| Active scope | URS-03 | Discovery | Blocking |
| Workflow / e-sig ceremony | URS-04 | Lifecycle / amendment signatures | Blocking |
| Authority resolver, scope dimensions | URS-05 | Supplier role gating; executive authority | Blocking |
| Audit substrate | URS-06 | Audit | Blocking |
| Study management | URS-07 | Outsourced studies (CRO/CTL); cross-tenant grants | Blocking |
| Tenant lifecycle | URS-08 | Mutation gating | Blocking |
| Site catalogue | URS-09 | Tenant-side site reference for outsourced manufacturing | Blocking |
| Product master data | URS-10 | Supplier-product linkage | Blocking |
| Document control | URS-12 | QA agreements, MSAs, audit findings, SCN | Blocking |
| Qualification register | URS-28 | Supplier-personnel qualifications (where applicable) | Blocking |
| Notifications | URS-30 | Reminders, escalations | Non-blocking (direct e-mail fallback) |
| Backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ |
| Forward manufacturing BOM module | (forward — exact module-number is a program dependency) | Material attribution detail | Forward |
| Forward URS-23 (Batch Records) | URS-23 | Batch material attribution | Forward |
| Forward URS-26 (Recall Management) | URS-26 | Supplier-component recall | Forward |

---

## 8. AI / Automation / Human-in-the-Loop Controls

Module 11 contains **no AI / ML components** in the catalogue, qualification, audit, agreements, change notification, scorecard, linkages, risk, or discovery paths. AI suggestions in URS-32 / MIRA that inform supplier management (e.g., recommending a criticality classification, surfacing supplier-risk patterns) are advisory only and MUST set `ai_advisory = true` per URS-06 DEC-06-15.

The HITL lifecycle is owned by URS-04. Module 11 consumes the Controlled Approval Modal for every electronic signature. Static analysis MUST verify zero references to LLM SDKs in Module 11 source per CLAUDE.md QS-21.

---

## 9. Reports, Dashboards, and Exports

| Report | Purpose | Audience | Format |
|---|---|---|---|
| Per-tenant supplier catalogue | Inventory and lifecycle posture | Procurement, QA, RA | CSV + PDF |
| Per-supplier dashboard | Lifecycle, qualification, audits, scorecard, products, sites | Supplier members | PDF + JSON |
| Supplier-bound regulated-record discovery | Inspection-ready list | Procurement, QA, auditor, inspector | PDF + JSON + integrity manifest |
| Audit calendar and history | Per-tenant audit schedule | QA Lead | Calendar |
| Quality agreements register | Per-tenant QA agreement portfolio | QA Lead, Legal | CSV + PDF |
| Scorecard dashboards | Per-supplier and aggregated metrics | Procurement, QA | Dashboard |
| Requalification due timeline | Per-tenant requalification calendar | QA Lead | Timeline |
| Change notifications register | Inbound SCN tracking | QA Lead, RA | CSV |
| Risk assessment register | Per-tenant supplier risk roll-up | QA Lead, executive authority | CSV + PDF |
| Disqualification register | Past disqualifications | Procurement, QA, auditor | CSV + PDF |
| Outsourced activities register | Per-tenant outsourced-activity portfolio | QA, RA, executive authority | CSV + PDF |
| Founder critical-supplier qualification register | Critical-supplier qualifications with executive authority co-signs | Founder, QA, RA | PDF |

Every export routes through the Controlled Approval Modal and carries an electronic signature, a signed download URL with a 15-minute TTL unless a stricter TTL is specified, and an integrity manifest per URS-06.

---

## 10. Notifications and Queues

| Trigger | Recipient | Channel | Latency |
|---|---|---|---|
| Supplier created (critical) | tenant administrators, executive authority | URS-30 in-app + e-mail | within 60 seconds |
| Supplier provisionally qualified | supplier members, procurement | URS-30 in-app + e-mail | within 60 seconds |
| Supplier fully qualified | supplier members, procurement, executive authority for critical | URS-30 in-app + e-mail | within 60 seconds |
| Supplier suspended | supplier members, procurement, cross-tenant partners | URS-30 in-app + e-mail | within 60 seconds |
| Supplier returned to qualified | supplier members | URS-30 in-app + e-mail | within 60 seconds |
| Supplier disqualified | tenant administrators, related suppliers | URS-30 in-app + e-mail | within 60 seconds |
| Audit due | supplier quality lead | URS-30 e-mail | T-90, T-30, T-7 |
| Audit findings logged | QA, RA, supplier owner | URS-30 in-app + e-mail | within 60 seconds |
| Audit closure ready | independent reviewer | URS-30 in-app + e-mail | within 60 seconds |
| Quality agreement amendment | supplier_quality_lead, Legal | URS-30 in-app + e-mail | within 60 seconds |
| Inbound SCN | supplier_quality_lead, QA Lead | URS-30 in-app + e-mail | within 60 seconds |
| Critical-impact SCN | supplier_quality_lead, QA Lead, RA Lead, executive authority | URS-30 in-app + e-mail | within 60 seconds |
| Scorecard threshold breached | supplier_quality_lead, supplier_owner, procurement | URS-30 in-app + e-mail | within 60 seconds |
| Periodic requalification due | supplier_quality_lead | URS-30 e-mail | T-90, T-30, T-7 |
| Periodic requalification missed | supplier_quality_lead, supplier_owner, tenant admin, executive authority | URS-30 in-app + e-mail | within 60 seconds (auto-suspend) |
| Cross-tenant supplier impact | both tenants' administrators | URS-30 in-app + e-mail | within 60 seconds |
| Pre-disqualification gate failure | supplier owner | URS-30 in-app + e-mail (synchronous) | immediate |

---

## 11. Error Handling and Negative Paths

### 11.1 Error envelope

Errors use the standard envelope: human message, machine code in upper-snake-case, optional details, and correlation identifier.

### 11.2 Error-code catalogue

| Code | HTTP | Path | UI behaviour |
|---|---|---|---|
| CRITICAL_TYPE_REQUIRES_FOUNDER | 401 | supplier qualification | open executive authority co-sign request |
| MISSING_FOUNDER_COSIGN | 401 | critical lifecycle | open executive authority co-sign request |
| MISSING_RA_COSIGN | 401 | activation / regulatory hold release / critical SCN | open RA co-sign request |
| QUALIFICATION_ARTIFACTS_INCOMPLETE | 409 | submit for provisional qualification | inline list of missing artifacts |
| APPROVER_IS_CREATOR | 403 | qualification approval | inline error |
| SUPPLIER_OWNER_NEQ_QUALITY_LEAD | 403 | supplier role assignment | inline error |
| MISSING_INDEPENDENT_REVIEWER | 401 | audit closure | open independent-reviewer route |
| QUALITY_AGREEMENT_REQUIRED | 409 | qualification submit (critical / major) | inline error citing DEC-11-06 |
| MASTER_SERVICE_AGREEMENT_REQUIRED | 409 | qualification submit | inline error citing DEC-11-07 |
| AUDIT_CADENCE_EXPIRED | 409 | qualification submit | inline error citing DEC-11-05 |
| PERFORMANCE_PERIOD_NOT_ELAPSED | 409 | full qualification submit | inline error |
| SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS | 409 | disqualification initiation | inline list with deep-links |
| SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS | 409 | disqualification initiation | inline list with deep-links |
| SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES | 409 | disqualification initiation | inline list with deep-links |
| SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS | 409 | disqualification initiation | inline list with deep-links |
| GATE_NOT_CLEARED | 409 | disqualification attestation | inline message |
| MISSING_COSIGN | 401 | various | open co-signer route |
| RESOLUTION_EVIDENCE_MISSING | 400 | return-to-qualified | inline error |
| STATE_NOT_UNDER_EVALUATION | 409 | lifecycle endpoints | inline error |
| STATE_NOT_PROVISIONAL | 409 | lifecycle endpoints | inline error |
| STATE_NOT_QUALIFIED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_SUSPENDED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_PRE_QUALIFIED | 409 | lifecycle endpoints | inline error |
| STATE_NOT_SUBMITTED | 409 | lifecycle endpoints | inline error |
| SUPPLIER_CONFIDENTIAL_NOT_MEMBER | 403 | confidential read by non-member | inline error |
| TENANT_NOT_ACTIVE | 403 | any Module 11 mutation when tenant not `active` | banner |
| AUDIT_TRAIL_WRITE_FAILED | 500 | any state-changing action | toast; the originating action did NOT commit |
| PLATFORM_TENANT_ACCESS_DENIED | 403 | platform identity outside support envelope | inline error; SOC alert |

### 11.3 Negative-path catalogue

| Scenario | Detection | Response | UI behaviour |
|---|---|---|---|
| Critical supplier qualification without executive authority co-sign | back end | `401 CRITICAL_TYPE_REQUIRES_FOUNDER` | open executive authority co-sign |
| Provisional qualification without complete artifacts | back end | `409 QUALIFICATION_ARTIFACTS_INCOMPLETE` | inline list |
| Quality agreement missing for critical / major | back end | `409 QUALITY_AGREEMENT_REQUIRED` | inline error |
| MSA missing | back end | `409 MASTER_SERVICE_AGREEMENT_REQUIRED` | inline error |
| Approver equals creator | back end | `403 APPROVER_IS_CREATOR` | inline error |
| Audit closure without independent reviewer | back end | `401 MISSING_INDEPENDENT_REVIEWER` | open reviewer route |
| Periodic requalification missed beyond grace | scheduler | `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED` | banner; URS-30 alerts |
| Critical-impact SCN without executive authority co-sign | back end | `401 MISSING_FOUNDER_COSIGN` | open executive authority co-sign |
| Disqualification with blockers | back end | one of `409 SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS`, `409 SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS`, `409 SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES`, `409 SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS` per blocker category | inline list |
| Mutation when tenant not `active` | back end | `403 TENANT_NOT_ACTIVE` | banner |
| Confidential read by non-member | back end | `403 SUPPLIER_CONFIDENTIAL_NOT_MEMBER` | inline error |
| Audit-write failure mid-decision | back end | `500 AUDIT_TRAIL_WRITE_FAILED` | toast; action did NOT commit |

---

## 12. Security, Privacy, and Tenant Isolation

### 12.1 Authentication dependency

URS-11 is reached only through an authenticated session per URS-01. Every Module 11 mutation goes through the URS-04 Controlled Approval Modal with an electronic signature; high-risk transitions (critical-supplier qualification, critical-impact SCN resolution, return-to-qualified from regulatory suspension, disqualification of critical supplier) require multi-factor step-up.

### 12.2 Authorisation pipeline

`authenticate hook → tenant hook → rbac hook → context gate hook → supplier-membership overlay hook → esigService.createSignature where applicable → module11 surface action`. Module 11 owns the supplier-membership overlay hook position.

### 12.3 Tenant isolation

Every supplier query routes through TDAL with tenant context bound. RLS is enforced on `suppliers.tenant_id`. Cross-tenant visibility is restricted to URS-07 collaboration grant scope.

### 12.4 Encryption

At rest: supplier identity, contracts, audit findings, and change notifications may contain commercially sensitive content; they are protected by RLS plus KMS at the storage layer, with tenant residency per URS-08. In transit: TLS 1.2 or higher.

### 12.5 Logging hygiene

Logs scrub passwords, MFA tokens, and supplier-confidential fields. Structured logs carry the correlation identifier on every request.

### 12.6 Privacy and data residency

Inherits tenant data-residency configuration from URS-08. Supplier contact PII respects residency.

### 12.7 Periodic access review

Per URS-05 §12.7: supplier role overlays (`supplier_owner`, `supplier_quality_lead`, `supplier_member`) are reviewed annually.

### 12.8 Periodic audit-trail review

Per URS-06 DEC-06-14, the following high-risk Module 11 events are triaged within one business day: `SUPPLIER_FULLY_QUALIFIED` for critical types; `SUPPLIER_SUSPENDED` for `regulatory_concern`; `SUPPLIER_DISQUALIFIED` for critical types; `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED`; `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED` with `critical_impact`.

### 12.9 Security-operations alert thresholds

| Pattern | Threshold | Severity | Channel |
|---|---|---|---|
| `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED` | any single event | high | SOC chat + RA Lead |
| `SUPPLIER_SUSPENDED` reason `regulatory_concern` | any single event | high | SOC chat + RA Lead + executive authority |
| `SUPPLIER_DISQUALIFIED` for critical type | any single event | informational (real-time) | SOC chat + executive authority |
| `SUPPLIER_CHANGE_NOTIFICATION_RESOLVED` `critical_impact` | any single event | informational (real-time) | SOC chat + executive authority |
| `SUPPLIER_SCORECARD_THRESHOLD_BREACHED` chronic (3 within 6 months) | any single event | medium | SOC e-mail digest |
| `PLATFORM_TENANT_ACCESS_USED` for Module 11 | any single event | informational (real-time) | SOC chat |
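The threshold table above, expressed as detection logic over an audit-event stream; this is an added example, not Verixa's SOC tooling. The event field names (`reason`, `criticality`, `impact`, `module`, `tenant_id`, `supplier_id`, `ts`), the `quality_concern` reason value, and the sample events are constructed, and the chronic scorecard row is read here as the third breach for the same tenant and supplier within 183 days.

```javascript
"use strict";

// "6 months" is taken as 183 days; the page does not define the window in days.
const CHRONIC_WINDOW_MS = 183 * 24 * 60 * 60 * 1000;
const CHRONIC_COUNT = 3;
const INFO = "informational (real-time)";

// One entry per single-event row of the table. Event field names are assumed.
const SINGLE_EVENT_RULES = [
  { event: "SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED", match: () => true,
    severity: "high", channels: ["SOC chat", "RA Lead"] },
  { event: "SUPPLIER_SUSPENDED", match: (e) => e.reason === "regulatory_concern",
    severity: "high", channels: ["SOC chat", "RA Lead", "executive authority"] },
  { event: "SUPPLIER_DISQUALIFIED", match: (e) => e.criticality === "critical",
    severity: INFO, channels: ["SOC chat", "executive authority"] },
  { event: "SUPPLIER_CHANGE_NOTIFICATION_RESOLVED", match: (e) => e.impact === "critical_impact",
    severity: INFO, channels: ["SOC chat", "executive authority"] },
  { event: "PLATFORM_TENANT_ACCESS_USED", match: (e) => e.module === 11,
    severity: INFO, channels: ["SOC chat"] },
];

function evaluateAlerts(events) {
  const alerts = [];
  // Breach timestamps are tracked per tenant AND supplier so that one tenant's
  // scorecard history never contributes to another tenant's alert.
  const breachTimes = new Map();
  // Audit rows can arrive out of order; evaluate in timestamp order.
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    const base = { event: e.event, tenant_id: e.tenant_id, supplier_id: e.supplier_id, ts: e.ts };
    for (const rule of SINGLE_EVENT_RULES) {
      if (rule.event === e.event && rule.match(e)) {
        alerts.push({ ...base, severity: rule.severity, channels: rule.channels });
      }
    }
    if (e.event === "SUPPLIER_SCORECARD_THRESHOLD_BREACHED") {
      const key = `${e.tenant_id}|${e.supplier_id}`;
      const t = Date.parse(e.ts);
      // Keep only breaches still inside the sliding window, then add this one.
      const recent = (breachTimes.get(key) || []).filter((x) => t - x <= CHRONIC_WINDOW_MS);
      recent.push(t);
      breachTimes.set(key, recent);
      if (recent.length >= CHRONIC_COUNT) {
        alerts.push({ ...base, severity: "medium", channels: ["SOC e-mail digest"],
          breaches_in_window: recent.length });
      }
    }
  }
  return alerts;
}

// Constructed sample events (not real audit data).
const ev = (ts, event, tenant_id, supplier_id, extra = {}) => ({ ts, event, tenant_id, supplier_id, ...extra });
const BREACH = "SUPPLIER_SCORECARD_THRESHOLD_BREACHED";
const SAMPLE_EVENTS = [
  ev("2025-06-01T09:00:00Z", BREACH, "T-A", "S-9"),
  ev("2025-09-01T09:00:00Z", BREACH, "T-A", "S-9"),
  ev("2026-01-10T09:00:00Z", BREACH, "T-A", "S-1"),
  ev("2026-02-01T09:00:00Z", BREACH, "T-A", "S-9"), // first S-9 breach is now 245 days old
  ev("2026-03-02T09:00:00Z", BREACH, "T-A", "S-1"),
  ev("2026-03-15T09:00:00Z", "SUPPLIER_SUSPENDED", "T-A", "S-2", { reason: "quality_concern" }),
  ev("2026-04-01T09:00:00Z", "SUPPLIER_SUSPENDED", "T-A", "S-3", { reason: "regulatory_concern" }),
  ev("2026-05-20T09:00:00Z", BREACH, "T-A", "S-1"), // third S-1 breach within 130 days
  ev("2026-05-21T09:00:00Z", BREACH, "T-B", "S-1"), // same supplier id, different tenant
  ev("2026-06-01T09:00:00Z", "SUPPLIER_DISQUALIFIED", "T-A", "S-5", { criticality: "minor" }),
  ev("2026-06-02T09:00:00Z", "SUPPLIER_DISQUALIFIED", "T-A", "S-4", { criticality: "critical" }),
  ev("2026-06-03T09:00:00Z", "PLATFORM_TENANT_ACCESS_USED", "T-A", null, { module: 11 }),
];
```

On the sample, supplier S-9 never alerts because its three breaches span more than the window, and the T-B breach does not count toward T-A's supplier S-1.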

### 12.10 Self-modification block

The creator of a supplier cannot approve that supplier's qualification. `supplier_owner` and `supplier_quality_lead` MUST be distinct. A user named in an audit finding cannot be the sole signer of that finding's closure.

### 12.11 Secure export

Every export routes through the Controlled Approval Modal. Signed download URLs carry a 15-minute TTL. Each export carries an integrity manifest per URS-06.
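A sketch of a signed download URL that enforces the 15-minute ceiling, added here as an example and not taken from Verixa's code base. The HMAC-SHA256 scheme, the `/exports/<id>` path, the `tenant` / `exp` / `sig` parameters, the function names, and the failure reason strings are all assumptions; the page specifies only that the URL is signed and time-limited.

```javascript
"use strict";
const nodeCrypto = require("node:crypto");

// Policy ceiling from this section: 15 minutes unless a stricter TTL is requested.
const MAX_TTL_SECONDS = 15 * 60;
// Identifiers are restricted so the newline-joined canonical string is unambiguous.
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// The MAC covers tenant, requesting user, export id and expiry, so a URL cannot
// be reused for another tenant, another user, another export or a later time.
function macFor(key, { tenantId, userId, exportId, exp }) {
  const canonical = [tenantId, userId, exportId, String(exp)].join("\n");
  return nodeCrypto.createHmac("sha256", key).update(canonical).digest("base64url");
}

function issueExportUrl(key, baseUrl, claims, nowSec, ttlSec = MAX_TTL_SECONDS) {
  // A caller may ask for a stricter TTL, never a longer one.
  if (!Number.isInteger(ttlSec) || ttlSec < 1 || ttlSec > MAX_TTL_SECONDS) {
    throw new RangeError(`ttlSec must be 1..${MAX_TTL_SECONDS}`);
  }
  const { tenantId, userId, exportId } = claims;
  for (const id of [tenantId, userId, exportId]) {
    if (typeof id !== "string" || !ID_RE.test(id)) throw new TypeError("invalid identifier");
  }
  const exp = nowSec + ttlSec;
  const url = new URL(`/exports/${exportId}`, baseUrl);
  url.searchParams.set("tenant", tenantId);
  url.searchParams.set("exp", String(exp));
  // The user id is deliberately not in the URL; it comes from the session at download time.
  url.searchParams.set("sig", macFor(key, { tenantId, userId, exportId, exp }));
  return url.toString();
}

// session = { tenantId, userId } taken from the authenticated session, never from the URL.
function verifyExportUrl(key, urlString, session, nowSec) {
  const fail = (reason) => ({ ok: false, reason });
  const url = new URL(urlString);
  const exportId = url.pathname.split("/").pop();
  const tenantId = url.searchParams.get("tenant") || "";
  const expRaw = url.searchParams.get("exp") || "";
  const sig = url.searchParams.get("sig") || "";
  if (!/^\d{1,12}$/.test(expRaw) || !ID_RE.test(exportId) || !ID_RE.test(tenantId)) {
    return fail("MALFORMED");
  }
  const exp = Number(expRaw);
  if (tenantId !== session.tenantId) return fail("TENANT_MISMATCH");
  // Authenticate the parameters before trusting any of them; constant-time compare.
  const expected = Buffer.from(macFor(key, { tenantId, userId: session.userId, exportId, exp }));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return fail("BAD_SIGNATURE");
  }
  if (nowSec >= exp) return fail("EXPIRED");
  // Defence in depth: a validly signed URL must still sit inside the policy ceiling.
  if (exp - nowSec > MAX_TTL_SECONDS) return fail("TTL_EXCEEDS_POLICY");
  return { ok: true, exportId };
}
```

Because the signature binds the session user, a URL forwarded to a colleague in the same tenant fails verification instead of yielding the export.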

### 12.12 Cross-tenant confidentiality envelope

Suppliers are tenant-scoped. Cross-tenant visibility through URS-07 collaboration grants is restricted to per-grant scope.

---

## 13. Data Integrity and ALCOA+ Controls

| Principle | Module 11 control | Requirement | Verification |
|---|---|---|---|
| Attributable | Lifecycle and audit events record signing user(s) | URS-11-AUD-001 | Integration test |
| Legible | Supplier detail rendered structured; exports in PDF + JSON | URS-11-REP-001 | Export test |
| Contemporaneous | Server-set timestamps | URS-11-AUD-002 | Integration test |
| Original | Immutable QA / MSA versions; lifecycle events append-only | URS-11-AUD-003 | Validation test |
| Accurate | Multi-cosign gates; pre-disqualification gate; URS-28 qualification linkage where applicable | URS-11-DATA-001 | Validation test |
| Complete | Every event in §6.6 has at least one writer | URS-11-AUD-004 | Validation test |
| Consistent | URS-08 dual-chain; cross-supplier relationship bilateral signature | URS-11-AUD-005 | Concurrency test |
| Enduring | Long-term retention; disqualified preserved | URS-11-DATA-002 | Migration test |
| Available | Disqualified suppliers query-accessible; cold-tier supported | URS-11-REP-002 | End-to-end test |

---

## 14. Regulatory Mapping

| Identifier | Control | Regulation / Guidance | Clause | Applicable | Implementation expectation |
|---|---|---|---|---|---|
| RG-11-001 | Audit trail | 21 CFR Part 11 | §11.10(e) | Yes | URS-06 substrate |
| RG-11-002 | Validation of computerised systems | EU GMP Annex 11 | §4 | Yes | CSV / CSA pack |
| RG-11-003 | Records retention | EU GMP Annex 11 | §17 | Yes | Per regulatory framework |
| RG-11-004 | Supplier qualification (raw materials) | 21 CFR Part 211 | §211.84 | Yes | Qualification matrix per DEC-11-04 |
| RG-11-005 | Packaging materials | 21 CFR Part 211 | §211.122 | Yes | Packaging supplier qualification |
| RG-11-006 | Outsourced activities | EU GMP Chapter 7 | applicable | Yes | Outsourced activity register per DEC-11-18; QA agreement mandatory |
| RG-11-007 | Outsourced activities and purchased materials | ICH Q10 | §2.7 | Yes | Quality agreement + audit + scorecard |
| RG-11-008 | Risk-based supplier qualification | ICH Q9 | applicable | Yes | Criticality classification + risk register |
| RG-11-009 | Sampling of starting and packaging materials | EU GMP Annex 8 | applicable | Yes | Linked through URS-23 forward |
| RG-11-010 | Risk-based assurance | FDA Computer Software Assurance for Production and Quality Management System Software, Final Guidance, February 2026 | applicable | Yes | Risk classification per validation pack |
| RG-11-011 | ALCOA+ data integrity | MHRA Data Integrity Guidance (2018) | nine principles | Yes | §13 mapping |
| RG-11-012 | Purchasing process (medical devices) | ISO 13485:2016 | §7.4 | Conditional (device tenants) | Applicable for combination products |
| RG-11-013 | EU AI Act applicability | Regulation (EU) 2024/1689 | Article 3(1) | Not applicable | No AI; documented exclusion |
| RG-11-014 | EU GMP Annex 22 (Draft 2025) | EU GMP Annex 22 | applicable forward-looking | Forward-looking only | No Annex-22-dependent control |
| RG-11-015 | DSCSA / FMD (track-and-trace; supplier traceability) | US DSCSA / EU FMD | applicable | Conditional (supply chain tenants) | Linked through URS-26 forward |
| RG-11-016 | OECD MAD GLP for outsourced testing | OECD Series on Principles of GLP and Compliance Monitoring | applicable | Conditional (CTL with non-clinical scope) | Audit register supports |
| RG-11-017 | Analytical instrument qualification | USP <1058> | applicable | Conditional (CTL / equipment vendors) | Linked qualification artifact |
| RG-11-018 | Sterilisation services | ISO 11137 / ISO 11135 / ISO 17665 | applicable | Conditional (sterilisation provider type) | Provider qualification artifact |
| RG-11-019 | India supplier qualification — D&C Act 1940 + Drugs Rules 1945 + Revised Schedule M (API / starting-material / packaging-material supplier expectations) + Schedule M-III / applicable GDP distribution expectations (where distribution-supplier scope) + Medical Devices Rules 2017 (where device / combination-product supplier scope) + CDSCO supplier manufacturing-licence references (Form 25 / Form 28 where supplier site licensing is in scope) | India Drugs and Cosmetics Act 1940; Drugs Rules 1945; Revised Schedule M; Schedule M-III; Medical Devices Rules 2017; CDSCO Form 25 / Form 28 (supplier-side) | Applicable per India tenant operation and jurisdictional regulatory assessment | Conditional (India-supplier scope per applicable supplier type — manufacturing API / starting / packaging / distribution / device) | Supplier qualification artifact + supplier-side CDSCO licence verification captured in `supplier_licences`; external jurisdictional legal / RA confirmation required for clause / form applicability per India supplier scope |

### 14.1 Predicate-rule applicability matrix

| Record / artifact | Predicate-rule basis | Part 11 applicable? | Retention | Owner | Evidence |
|---|---|---|---|---|---|
| Supplier record (lifecycle states) | Supplier oversight evidence | Yes | retain (long-term) | Procurement / QA | Lifecycle audit chain |
| Qualification artifacts | Qualification evidence | Yes | retain (long-term) | QA | Artifact rows + URS-12 evidence |
| Audit register | Supplier oversight evidence | Yes | retain (long-term) | QA | Audit row + findings + URS-12 |
| Quality agreement | Outsourced-activity governance | Yes | retain (long-term) | QA / Legal | QA agreement row + URS-12 evidence + bilateral signatures |
| Master service agreement | Commercial relationship evidence | Yes (operational) | retain (long-term) | Procurement / Legal | MSA row + URS-12 |
| Change notifications | URS-13 evidence | Yes | retain (long-term) | QA | SCN row + URS-13 |
| Scorecard | Performance evidence | Yes (operational) | retain (long-term) | Procurement / QA | Time-series rows |
| Risk assessment | Risk-based qualification evidence | Yes | retain (long-term) | QA | Risk register rows |
| Supplier-product linkage | Material attribution evidence | Yes | retain (long-term) | Procurement / QA | Linkage rows |
| Supplier-site linkage | Manufacturing scope evidence | Yes | retain (long-term) | QA | Linkage rows |
| Outsourced-activity register | Chapter 7 evidence | Yes | retain (long-term) | QA / RA | Activity rows + QA agreement |
| Disqualification record | Supplier retirement evidence | Yes | retain (long-term) | QA / Procurement / executive authority for critical | Disqualification row + signatures |
| Periodic requalification | Periodic-review evidence | Yes | retain (long-term) | QA | Requalification cycle rows |

---

## 15. URS Requirements Register

### 15.1 Front-end (FE)

- URS-11-FE-001 — Supplier catalogue browser MUST surface filters by type, criticality, lifecycle, jurisdiction, vertical, last-audit-date, requalification-due. Priority MUST. Risk MEDIUM.
- URS-11-FE-002 — Per-supplier detail tabbed view per §5.2. Priority MUST. Risk LOW.
- URS-11-FE-003 — Supplier creation wizard MUST flag critical types and surface required co-signs. Priority MUST. Risk HIGH.
- URS-11-FE-004 — Qualification workflow MUST present per-DEC-11-04 matrix checklist. Priority MUST. Risk HIGH.
- URS-11-FE-005 — Audit register MUST link findings to URS-12 documents. Priority MUST. Risk MEDIUM.
- URS-11-FE-006 — QA agreement linkage MUST capture bilateral signatures and effective dates. Priority MUST. Risk HIGH.
- URS-11-FE-007 — SCN handling MUST surface impact classification helper and URS-13 deep-link. Priority MUST. Risk HIGH.
- URS-11-FE-008 — Scorecard dashboard MUST highlight threshold breaches. Priority MUST. Risk MEDIUM.
- URS-11-FE-009 — Discovery view MUST surface records intersecting supplier scope. Priority MUST. Risk HIGH.
- URS-11-FE-010 — Disqualification surface MUST run pre-disqualification gate at open. Priority MUST. Risk HIGH.
- URS-11-FE-011 — Cross-tenant content (via URS-07 grant) MUST be visually distinguished. Priority MUST. Risk MEDIUM.
- URS-11-FE-012 — Every route in §5.1 MUST be registered. Priority MUST. Risk LOW.
- URS-11-FE-013 — All Module 11 surfaces MUST meet WCAG 2.1 Level AA. Priority MUST. Risk MEDIUM.

### 15.2 Back-end (BE)

- URS-11-BE-001 — Provisional qualification MUST require activator independent of creator. Priority MUST. Risk HIGH.
- URS-11-BE-002 — Critical-supplier qualification MUST require executive authority + RA + final QA co-signs per DEC-11-16. Priority MUST. Risk CRITICAL.
- URS-11-BE-003 — Qualification artifacts per DEC-11-04 matrix MUST be present before provisional qualification. Priority MUST. Risk HIGH.
- URS-11-BE-004 — QA agreement mandatory for critical / major suppliers per DEC-11-06. Priority MUST. Risk HIGH.
- URS-11-BE-005 — MSA mandatory before provisional qualification per DEC-11-07. Priority MUST. Risk HIGH.
- URS-11-BE-006 — `supplier_owner` and `supplier_quality_lead` MUST be distinct (`SUPPLIER_OWNER_NEQ_QUALITY_LEAD`). Priority MUST. Risk HIGH.
- URS-11-BE-007 — Audit findings closure MUST require independent reviewer per `AUDIT_FINDING_INDEPENDENT_REVIEWER`. Priority MUST. Risk HIGH.
- URS-11-BE-008 — Periodic requalification MUST follow DEC-11-10 cadence; missed beyond grace auto-suspends. Priority MUST. Risk HIGH.
- URS-11-BE-009 — Critical-impact SCN MUST require executive authority + RA + final QA co-sign + linked URS-13. Priority MUST. Risk HIGH.
- URS-11-BE-010 — Pre-disqualification gate MUST clear all blockers per DEC-11-14. Priority MUST. Risk HIGH.
- URS-11-BE-011 — Disqualification attestation MUST require `supplier_owner` + `supplier_quality_lead` + RA + executive authority for critical. Priority MUST. Risk HIGH.
- URS-11-BE-012 — Cross-supplier relationships MUST require bilateral signatures. Priority MUST. Risk MEDIUM.
- URS-11-BE-013 — Supplier-level access overlay MUST enforce `403 SUPPLIER_CONFIDENTIAL_NOT_MEMBER`. Priority MUST. Risk HIGH.
- URS-11-BE-014 — Supplier-bound discovery MUST be computed by URS-03 active-scope intersection. Priority MUST. Risk CRITICAL.
- URS-11-BE-015 — Module 11 mutations MUST be blocked when tenant not `active`. Priority MUST. Risk CRITICAL.
- URS-11-BE-016 — Cross-tenant supplier visibility MUST be restricted to URS-07 grant scope. Priority MUST. Risk CRITICAL.
- URS-11-BE-017 — Audit-log writes MUST be atomic. Priority MUST. Risk CRITICAL.
- URS-11-BE-018 — Lifecycle events MUST emit dual audit per URS-08 DEC-08-18. Priority MUST. Risk HIGH.
- URS-11-BE-019 — Successor supplier linkage MUST be preserved via `successor_of_supplier_id`. Priority MUST. Risk MEDIUM.
- URS-11-BE-020 — Outsourced activity MUST require RA co-sign + QA agreement + MAH accountability statement. Priority MUST. Risk HIGH.
- URS-11-BE-021 — Audit cadence per DEC-11-05 MUST be respected; missed audit triggers `regulatory_concern` consideration. Priority MUST. Risk HIGH.
- URS-11-BE-022 — Scorecard threshold breaches MUST trigger configurable URS-30 alerts. Priority MUST. Risk MEDIUM.

### 15.3 Workflow (WF)

- URS-11-WF-001 — Supplier lifecycle state machine per Diagram 6.1-B. Priority MUST. Risk CRITICAL.
- URS-11-WF-002 — Periodic requalification cadence per Diagram 6.1-D. Priority MUST. Risk HIGH.
- URS-11-WF-003 — Audit register flow with findings closure. Priority MUST. Risk HIGH.
- URS-11-WF-004 — Change notification handling with impact classification. Priority MUST. Risk HIGH.
- URS-11-WF-005 — Disqualification gate watch with remediation list. Priority MUST. Risk HIGH.

### 15.4 Data (DATA)

- URS-11-DATA-001 — Snapshot pinning: in-flight regulated decisions reference supplier qualification state effective at decision time. Priority MUST. Risk CRITICAL.
- URS-11-DATA-002 — Long-term retention. Priority MUST. Risk HIGH.
- URS-11-DATA-003 — Scope JSONB compatibility with URS-05 §6.2.1. Priority MUST. Risk HIGH.

### 15.5 Security (SEC)

- URS-11-SEC-001 — Tenant isolation via TDAL + RLS. Priority MUST. Risk CRITICAL.
- URS-11-SEC-002 — Multi-factor step-up for critical-supplier transitions. Priority MUST. Risk HIGH.
- URS-11-SEC-003 — Self-modification block. Priority MUST. Risk HIGH.
- URS-11-SEC-004 — Cross-tenant access governed by URS-07 grant scope. Priority MUST. Risk CRITICAL.

### 15.6 Audit (AUD)

- URS-11-AUD-001 — Every Module 11 mutation produces audit row through URS-06. Priority MUST. Risk CRITICAL.
- URS-11-AUD-002 — Server-set timestamps. Priority MUST. Risk HIGH.
- URS-11-AUD-003 — Append-only lifecycle events; agreement versioning. Priority MUST. Risk HIGH.
- URS-11-AUD-004 — Every event in §6.6 has at least one writer. Priority MUST. Risk HIGH.
- URS-11-AUD-005 — Dual-chain emission per URS-08 DEC-08-18. Priority MUST. Risk HIGH.

### 15.7 AI / HITL (AI)

- URS-11-AI-001 — No AI / ML in core path; static analysis MUST find zero LLM SDK references. Priority MUST. Risk HIGH.
- URS-11-AI-002 — AI suggestions in URS-32 set `ai_advisory = true`. Priority MUST. Risk HIGH.

### 15.8 Integration (INT)

- URS-11-INT-001 — URS-03 active-scope intersection on `supplier` dimension. Priority MUST. Risk CRITICAL.
- URS-11-INT-002 — URS-04 e-sig ceremony for every signed action. Priority MUST. Risk CRITICAL.
- URS-11-INT-003 — URS-05 supplier role overlay; executive authority for critical. Priority MUST. Risk HIGH.
- URS-11-INT-004 — URS-06 dual-chain audit. Priority MUST. Risk CRITICAL.
- URS-11-INT-005 — URS-07 study scope (CRO/CTL); cross-tenant grants. Priority MUST. Risk HIGH.
- URS-11-INT-006 — URS-08 tenant lifecycle gating. Priority MUST. Risk CRITICAL.
- URS-11-INT-007 — URS-09 supplier-site linkage. Priority MUST. Risk HIGH.
- URS-11-INT-008 — URS-10 supplier-product linkage. Priority MUST. Risk HIGH.
- URS-11-INT-009 — URS-12 QA agreements / MSAs / audit findings / SCN. Priority MUST. Risk HIGH.
- URS-11-INT-010 — URS-28 supplier-personnel qualifications (where applicable). Priority MUST. Risk MEDIUM.
- URS-11-INT-011 — URS-30 notifications. Priority MUST. Risk MEDIUM.

### 15.9 Reporting (REP)

- URS-11-REP-001 — Reports per §9 exportable with electronic signature. Priority MUST. Risk MEDIUM.
- URS-11-REP-002 — Discovery export integrity manifest end-to-end across chains. Priority MUST. Risk HIGH.
- URS-11-REP-003 — Signed download URL TTL 15 minutes. Priority MUST. Risk MEDIUM.

### 15.10 Notifications (NOTIF)

- URS-11-NOTIF-001 — Notifications per §10 delivered through URS-30. Priority MUST. Risk MEDIUM.
- URS-11-NOTIF-002 — Cross-tenant notifications reach both tenants where applicable. Priority MUST. Risk HIGH.

### 15.11 Validation (VAL)

- URS-11-VAL-001 — Test execution covers IQ (schema, RLS, indexes, lifecycle bootstrap, scope-intersection bootstrap), OQ, PQ, regression.
- URS-11-VAL-002 — OQ validates every API endpoint, every error code, every state transition, every audit event writer.
- URS-11-VAL-003 — PQ validates discovery view under representative tenant volume.
- URS-11-VAL-004 — Regression on every Class 1 / Class 2 change.
- URS-11-VAL-005 — Requirements-to-test traceability per §16.4.
- URS-11-VAL-006 — Supplier qualification pack per §17.1.
- URS-11-VAL-007 — Inspection-ready evidence index per §17.2.
- URS-11-VAL-008 — Migration evidence gate: schema migrations idempotent; restore drill verifies supplier integrity.

---

## 16. Acceptance Criteria and Test Cases

### 16.1 Plain-language test cases

- TC-PLAIN-001 — A non-critical supplier (cleaning service) qualifies through standard flow with QA + procurement signatures.
- TC-PLAIN-002 — A critical supplier (API supplier) requires executive authority + RA + final QA co-signs at qualification.
- TC-PLAIN-003 — The user who created a supplier cannot also approve initial qualification.
- TC-PLAIN-004 — `supplier_owner` and `supplier_quality_lead` cannot be the same user.
- TC-PLAIN-005 — Quality agreement is mandatory for critical and major suppliers.
- TC-PLAIN-006 — Master service agreement is mandatory for every supplier.
- TC-PLAIN-007 — A user named in audit findings cannot be the sole signer of finding closure.
- TC-PLAIN-008 — A critical-impact change notification requires executive authority co-sign and linked URS-13 record.
- TC-PLAIN-009 — Periodic requalification missed beyond grace window auto-suspends supplier.
- TC-PLAIN-010 — Disqualification cannot complete while open material orders, contracts, studies, or delegations remain.
- TC-PLAIN-011 — A successor supplier preserves linkage to disqualified predecessor.
- TC-PLAIN-012 — Cross-tenant studies (URS-07) reference partner-tenant suppliers only within per-grant scope.
- TC-PLAIN-013 — Supplier mutations are blocked when the tenant is not `active`.
- TC-PLAIN-014 — Outsourced activities require RA co-sign + QA agreement + MAH accountability statement.

### 16.2 Technical test cases

- TC-TECH-001 — Provisional qualification by creator returns `403 APPROVER_IS_CREATOR`.
- TC-TECH-002 — Critical-supplier qualification without executive authority co-sign returns `401 CRITICAL_TYPE_REQUIRES_FOUNDER`.
- TC-TECH-003 — Provisional qualification submit without complete artifacts returns `409 QUALIFICATION_ARTIFACTS_INCOMPLETE`.
- TC-TECH-004 — Critical / major supplier qualification without QA agreement returns `409 QUALITY_AGREEMENT_REQUIRED`.
- TC-TECH-005 — Qualification submit without MSA returns `409 MASTER_SERVICE_AGREEMENT_REQUIRED`.
- TC-TECH-006 — `supplier_owner` equal to `supplier_quality_lead` returns `403 SUPPLIER_OWNER_NEQ_QUALITY_LEAD`.
- TC-TECH-007 — Audit closure without independent reviewer returns `401 MISSING_INDEPENDENT_REVIEWER`.
- TC-TECH-008 — Periodic requalification missed beyond grace triggers `SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED`.
- TC-TECH-009 — Critical-impact SCN resolution without executive authority co-sign returns `401 MISSING_FOUNDER_COSIGN`.
- TC-TECH-010 — Disqualification while open material orders exist returns `409 SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS`.
- TC-TECH-011 — Disqualification attestation without executive authority co-sign for critical returns `401 MISSING_FOUNDER_COSIGN`.
- TC-TECH-012 — Cross-supplier relationship without `to_side` accept returns `409 STATE_NOT_ACCEPTED`.
- TC-TECH-013 — Supplier-confidential read by non-member returns `403 SUPPLIER_CONFIDENTIAL_NOT_MEMBER`.
- TC-TECH-014 — Mutation when tenant `suspended` returns `403 TENANT_NOT_ACTIVE`.
- TC-TECH-015 — Schema migrations idempotent; RLS enabled.
- TC-TECH-016 — Penetration test: cross-tenant supplier query without active URS-07 grant returns RLS-empty.
- TC-TECH-017 — Discovery view computes intersection correctly.
- TC-TECH-018 — Discovery export integrity manifest includes Merkle proofs per URS-06 BR-06-10.
- TC-TECH-019 — Static analysis finds zero LLM SDK references.
- TC-TECH-020 — Lifecycle event emits dual audit per URS-08 DEC-08-18.
- TC-TECH-021 — Snapshot pinning: a regulated decision signed at supplier-state `qualified` references the qualification state in its authority snapshot.
- TC-TECH-022 — Successor supplier creation preserves `successor_of_supplier_id`.
- TC-TECH-023 — `SUPPLIER_CATALOGUE_VIEW_OPENED` and `SUPPLIER_DISCOVERY_VIEW_OPENED` emit once per session.
- TC-TECH-024 — Outsourced activity registration without RA co-sign returns `401 MISSING_RA_COSIGN`.
- TC-TECH-025 — Scorecard threshold breach emits `SUPPLIER_SCORECARD_THRESHOLD_BREACHED` and triggers URS-30 alert.

### 16.3 Acceptance criteria

- AC-11-FUN-01 — Given supplier creator attempts qualification, When called, Then `403 APPROVER_IS_CREATOR`.
- AC-11-FUN-02 — Given critical supplier, When qualification submitted without executive authority co-sign, Then `401 CRITICAL_TYPE_REQUIRES_FOUNDER`.
- AC-11-FUN-03 — Given missing qualification artifacts, When submit attempted, Then `409 QUALIFICATION_ARTIFACTS_INCOMPLETE`.
- AC-11-FUN-04 — Given critical / major supplier without QA agreement, When qualification attempted, Then `409 QUALITY_AGREEMENT_REQUIRED`.
- AC-11-FUN-05 — Given audit closure without independent reviewer, When attempted, Then `401 MISSING_INDEPENDENT_REVIEWER`.
- AC-11-FUN-06 — Given critical-impact SCN, When resolved without executive authority co-sign, Then `401 MISSING_FOUNDER_COSIGN`.
- AC-11-FUN-07 — Given periodic requalification missed beyond grace, When schedule fires, Then auto-suspend.
- AC-11-FUN-08 — Given disqualification blockers, When attempted, Then `409` with one of `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES`, `SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS` per blocker category.
- AC-11-FUN-09 — Given mutation when tenant not `active`, Then `403 TENANT_NOT_ACTIVE`.
- AC-11-PERM-01 — Given non-member, When confidential read attempted on overlay-enabled supplier, Then `403 SUPPLIER_CONFIDENTIAL_NOT_MEMBER`.
- AC-11-PERM-02 — Given non-`tenant_admin_authority`, When attempting supplier creation, Then `403`.
- AC-11-AUD-01 — Every Module 11 mutation produces audit row through URS-06.
- AC-11-AUD-02 — Audit-write failure rolls back originating action.
- AC-11-DI-01 — Snapshot pinning preserves supplier qualification state at decision time.
- AC-11-DI-02 — Backup-restore drill produces same supplier lifecycle history and chain HEAD as source.
- AC-11-INT-01 — URS-03 active-scope intersection produces correct discovery.
- AC-11-INT-02 — URS-08 tenant lifecycle gates Module 11 mutations.
- AC-11-INT-03 — URS-12 QA agreement / SCN linkage required.
- AC-11-REP-01 — Every export carries integrity manifest + electronic signature.
- AC-11-AI-01 — Static analysis finds zero LLM SDK references.
- AC-11-NEG-01 — Every error code in §11.2 reachable by automated test.
- AC-11-PERF-01 — Discovery view p95 ≤ 2 s.
- AC-11-SEC-01 — Penetration test: cross-tenant query without active URS-07 grant returns RLS-empty.
- AC-11-MIG-01 — Module 11 migrations idempotent.
- AC-11-MIG-02 — Migrations bootstrap fixture; restore drill reproducible.

### 16.4 Requirements-to-test traceability

| Requirement | Plain-language | Technical | Given / When / Then |
|---|---|---|---|
| URS-11-FE-001 | — | (UI test) | — |
| URS-11-FE-002 | — | (UI test) | — |
| URS-11-FE-003 | TC-PLAIN-002 | TC-TECH-002 | AC-11-FUN-02 |
| URS-11-FE-004 | TC-PLAIN-001 | TC-TECH-003 | AC-11-FUN-03 |
| URS-11-FE-005 | TC-PLAIN-007 | TC-TECH-007 | AC-11-FUN-05 |
| URS-11-FE-006 | TC-PLAIN-005 | TC-TECH-004 | AC-11-FUN-04 |
| URS-11-FE-007 | TC-PLAIN-008 | TC-TECH-009 | AC-11-FUN-06 |
| URS-11-FE-008 | — | TC-TECH-025 | — |
| URS-11-FE-009 | — | TC-TECH-017 | AC-11-INT-01 |
| URS-11-FE-010 | TC-PLAIN-010 | TC-TECH-010, TC-TECH-011 | AC-11-FUN-08 |
| URS-11-FE-011 | TC-PLAIN-012 | TC-TECH-016 | AC-11-SEC-01 |
| URS-11-FE-012 | — | TC-TECH-015 | — |
| URS-11-FE-013 | — | (accessibility test) | — |
| URS-11-BE-001 | TC-PLAIN-003 | TC-TECH-001 | AC-11-FUN-01 |
| URS-11-BE-002 | TC-PLAIN-002 | TC-TECH-002 | AC-11-FUN-02 |
| URS-11-BE-003 | TC-PLAIN-001 | TC-TECH-003 | AC-11-FUN-03 |
| URS-11-BE-004 | TC-PLAIN-005 | TC-TECH-004 | AC-11-FUN-04 |
| URS-11-BE-005 | TC-PLAIN-006 | TC-TECH-005 | — |
| URS-11-BE-006 | TC-PLAIN-004 | TC-TECH-006 | — |
| URS-11-BE-007 | TC-PLAIN-007 | TC-TECH-007 | AC-11-FUN-05 |
| URS-11-BE-008 | TC-PLAIN-009 | TC-TECH-008 | AC-11-FUN-07 |
| URS-11-BE-009 | TC-PLAIN-008 | TC-TECH-009 | AC-11-FUN-06 |
| URS-11-BE-010 | TC-PLAIN-010 | TC-TECH-010 | AC-11-FUN-08 |
| URS-11-BE-011 | — | TC-TECH-011 | — |
| URS-11-BE-012 | — | TC-TECH-012 | — |
| URS-11-BE-013 | — | TC-TECH-013 | AC-11-PERM-01 |
| URS-11-BE-014 | — | TC-TECH-017 | AC-11-INT-01 |
| URS-11-BE-015 | TC-PLAIN-013 | TC-TECH-014 | AC-11-FUN-09 |
| URS-11-BE-016 | TC-PLAIN-012 | TC-TECH-016 | AC-11-SEC-01 |
| URS-11-BE-017 | — | TC-TECH-015 | AC-11-AUD-02 |
| URS-11-BE-018 | — | TC-TECH-020 | AC-11-AUD-01 |
| URS-11-BE-019 | TC-PLAIN-011 | TC-TECH-022 | — |
| URS-11-BE-020 | TC-PLAIN-014 | TC-TECH-024 | — |
| URS-11-BE-021 | — | (audit cadence test) | — |
| URS-11-BE-022 | — | TC-TECH-025 | — |
| URS-11-WF-001 | — | (state machine test) | — |
| URS-11-WF-002 | TC-PLAIN-009 | TC-TECH-008 | AC-11-FUN-07 |
| URS-11-WF-003 | TC-PLAIN-007 | TC-TECH-007 | — |
| URS-11-WF-004 | TC-PLAIN-008 | TC-TECH-009 | — |
| URS-11-WF-005 | TC-PLAIN-010 | TC-TECH-010 | AC-11-FUN-08 |
| URS-11-DATA-001 | — | TC-TECH-021 | AC-11-DI-01 |
| URS-11-DATA-002 | — | TC-TECH-015 | — |
| URS-11-DATA-003 | — | TC-TECH-017 | AC-11-INT-01 |
| URS-11-SEC-001 | — | TC-TECH-015, TC-TECH-016 | AC-11-SEC-01 |
| URS-11-SEC-002 | TC-PLAIN-002 | TC-TECH-002 | — |
| URS-11-SEC-003 | TC-PLAIN-003, TC-PLAIN-004, TC-PLAIN-007 | TC-TECH-001, TC-TECH-006, TC-TECH-007 | — |
| URS-11-SEC-004 | TC-PLAIN-012 | TC-TECH-016 | AC-11-SEC-01 |
| URS-11-AUD-001 | — | TC-TECH-020, TC-TECH-023 | AC-11-AUD-01 |
| URS-11-AUD-002 | — | (server timestamp test) | — |
| URS-11-AUD-003 | — | TC-TECH-015 | — |
| URS-11-AUD-004 | — | (writer-presence test) | — |
| URS-11-AUD-005 | — | TC-TECH-020 | AC-11-AUD-01 |
| URS-11-AI-001 | — | TC-TECH-019 | AC-11-AI-01 |
| URS-11-AI-002 | — | (URS-32 integration test) | — |
| URS-11-INT-001 | — | TC-TECH-017 | AC-11-INT-01 |
| URS-11-INT-002 | — | (URS-04 integration test) | — |
| URS-11-INT-003 | TC-PLAIN-002 | TC-TECH-002 | — |
| URS-11-INT-004 | — | TC-TECH-020 | AC-11-AUD-01 |
| URS-11-INT-005 | TC-PLAIN-012 | TC-TECH-016 | AC-11-INT-02 |
| URS-11-INT-006 | TC-PLAIN-013 | TC-TECH-014 | AC-11-FUN-09 |
| URS-11-INT-007 | — | (URS-09 integration test) | — |
| URS-11-INT-008 | — | (URS-10 integration test) | — |
| URS-11-INT-009 | TC-PLAIN-005 | TC-TECH-004 | AC-11-INT-03 |
| URS-11-INT-010 | — | (URS-28 integration test) | — |
| URS-11-INT-011 | — | (notification test) | — |
| URS-11-REP-001 | — | TC-TECH-018 | AC-11-REP-01 |
| URS-11-REP-002 | — | TC-TECH-018 | — |
| URS-11-REP-003 | — | (TTL test) | — |
| URS-11-NOTIF-001 | — | (notification delivery test) | — |
| URS-11-NOTIF-002 | TC-PLAIN-012 | (cross-tenant notification test) | — |
| URS-11-VAL-001 | — | TC-TECH-015 | — |
| URS-11-VAL-002 | All applicable | All applicable | All applicable |
| URS-11-VAL-003 | — | (PQ test) | AC-11-PERF-01 |
| URS-11-VAL-004 | — | full TC-TECH suite | — |
| URS-11-VAL-005 | — | this table is the seed | — |
| URS-11-VAL-006 | — | (supplier qualification) | — |
| URS-11-VAL-007 | — | (evidence index) | — |
| URS-11-VAL-008 | — | TC-TECH-015 | AC-11-MIG-01, AC-11-MIG-02 |

---

## 17. Validation and CSV/CSA Evidence Expectations

| Item | Required evidence |
|---|---|
| URS traceability | Per §16.4 |
| Risk assessment | GAMP 5 risk register; risk-based assurance per FDA CSA |
| Configuration specification | Documented seed of supplier-type registry; criticality matrix; qualification artifact requirements per (type × criticality) |
| Functional specification | Matches §6 |
| Design specification | Matches §6.1–§6.4 |
| Test protocols | IQ (schema, RLS, indexes, lifecycle bootstrap, scope-intersection bootstrap), OQ per URS-11-VAL-002, PQ per URS-11-VAL-003, regression per URS-11-VAL-004 |
| Test evidence | Pass / fail per protocol step |
| Defect log | Defects mapped to URS requirements |
| Requirements traceability matrix | Per §16.4 |
| Release approval | Electronically signed by Quality Lead, Validation Lead, Information Security Lead, Regulatory Affairs Lead, Supply Chain / Procurement Lead, executive authority |
| Training record | Engineering, QA, validation, RA, procurement, supplier-quality auditors trained on Module 11 |
| Periodic review | Annual per Annex 11 §11; trigger reviews on every Class 1 / Class 2 change |
| Data migration evidence | Backfill of supplier-type registry; criticality matrix; restore drill verifies supplier integrity |

### 17.1 Supplier and service-provider qualification pack

| Category | Required evidence |
|---|---|
| Cloud hosting provider | Inherited from URS-01 §17.1 |
| Document control provider (URS-12) | Right-to-audit; retention compliance |
| Notification provider (URS-30) | Inherited from URS-01 §17.1 |
| Backup / restore provider (URS-35) | Restore drill preserving supplier lifecycle and chain HEAD |
| Security-operations / SIEM | Alert routing per §12.9 |
| External supplier-data providers (where used; e.g., D&B, Refinitiv, Ecovadis, Sayari) | Provider qualification per §17.1, same as URS-08 |

### 17.2 Inspection-ready evidence index

| Evidence item | Owner | Location / system of record | Retention | Linked requirement | Inspection use |
|---|---|---|---|---|---|
| Supplier record (lifecycle) | Procurement / QA | `suppliers` + `supplier_lifecycle_events` + URS-06 | retain (long-term) | URS-11-WF-001 | demonstrate supplier oversight |
| Qualification artifacts | QA | `supplier_qualification_artifacts` + URS-12 | retain (long-term) | URS-11-BE-003 | demonstrate qualification |
| Audit register | QA | `supplier_audits` + `supplier_audit_findings` + URS-12 | retain (long-term) | URS-11-WF-003 | demonstrate audit cadence and findings |
| Quality agreements | QA / Legal | `supplier_quality_agreements` + URS-12 evidence | retain (long-term) | URS-11-BE-004 | demonstrate Chapter 7 compliance |
| Master service agreements | Procurement / Legal | `supplier_master_service_agreements` + URS-12 | retain (long-term) | URS-11-BE-005 | demonstrate commercial relationship |
| Change notifications | QA | `supplier_change_notifications` + URS-13 records | retain (long-term) | URS-11-WF-004 | demonstrate change governance |
| Scorecards | Procurement / QA | `supplier_scorecards` | retain (long-term) | URS-11-BE-022 | demonstrate performance over time |
| Risk assessments | QA | `supplier_risk_assessments` | retain (long-term) | URS-11-BE-014 | demonstrate ICH Q9 risk-based qualification |
| Outsourced activities register | QA / RA | `supplier_outsourced_activities` + QA agreements | retain (long-term) | URS-11-BE-020 | demonstrate Chapter 7 outsourced-activity governance |
| Disqualification records | Procurement / QA / executive authority for critical | `supplier_disqualification_runs` + signatures | retain (long-term) | URS-11-BE-011 | demonstrate supplier retirement governance |
| Periodic requalification records | QA | `supplier_periodic_requalifications` | retain (long-term) | URS-11-WF-002 | demonstrate cadence compliance |
| Validation evidence pack (IQ / OQ / PQ) | Validation | testing system of record | retain per release | URS-11-VAL-001..008 | release approval |
| Release approval (electronically signed) | Founder, QA, RA, Validation, IS, Supply Chain / Procurement | URS-12 | retain per release | URS-11-VAL-007 | demonstrate authority chain for release |

---

## 18. Closed Decision and Dependency Register

### 18.1 Closed Launch Decisions Register

| Closed decision | Spec reference |
|---|---|
| Supplier types and sub-classifications | DEC-11-01 |
| Criticality classification (critical / major / minor) | DEC-11-02 |
| Supplier lifecycle states | DEC-11-03 |
| Per-(type × criticality) qualification matrix | DEC-11-04 |
| Per-supplier audit register and cadence | DEC-11-05 |
| Quality agreement mandatory for critical / major | DEC-11-06 |
| MSA mandatory before provisional qualification | DEC-11-07 |
| SCN handling with impact classification | DEC-11-08 |
| Scorecard launch metrics | DEC-11-09 |
| Periodic requalification cadence per criticality | DEC-11-10 |
| Supplier-product linkage | DEC-11-11 |
| Supplier-site linkage | DEC-11-12 |
| Supplier risk assessment per ICH Q9 | DEC-11-13 |
| Disqualification gate and workflow | DEC-11-14 |
| Cross-tenant supplier visibility via URS-07 | DEC-11-15 |
| Executive authority co-sign for critical-supplier qualification | DEC-11-16 |
| Discovery via URS-03 active-scope intersection | DEC-11-17 |
| Outsourced-activity management per EU GMP Chapter 7 | DEC-11-18 |
| Supplier deviation linkage to URS-16 and CAPA linkage to URS-18 | DEC-11-19 |
| Supply chain disruption / business continuity | DEC-11-20 |
| Cross-supplier relationships | DEC-11-21 |

### 18.2 Dependencies

| ID | Dependency | Source | Impact | Blocking? | Mitigation |
|---|---|---|---|---|---|
| DEP-11-01 | URS-01 authentication, MFA | URS-01 | Substrate | Blocking | none |
| DEP-11-02 | URS-02 base roles | URS-02 | Supplier role overlay | Blocking | none |
| DEP-11-03 | URS-03 active scope | URS-03 | Discovery | Blocking | none |
| DEP-11-04 | URS-04 e-sig ceremony | URS-04 | Lifecycle / amendment signatures | Blocking | none |
| DEP-11-05 | URS-05 authority resolver, scope dimensions | URS-05 | Supplier role gating | Blocking | none |
| DEP-11-06 | URS-06 audit substrate | URS-06 | Audit | Blocking | none |
| DEP-11-07 | URS-07 study scope (CRO/CTL); cross-tenant grants | URS-07 | Outsourced studies | Blocking | none |
| DEP-11-08 | URS-08 tenant lifecycle | URS-08 | Mutation gating | Blocking | none |
| DEP-11-09 | URS-09 site catalogue | URS-09 | Supplier-site linkage | Blocking | none |
| DEP-11-10 | URS-10 product master data | URS-10 | Supplier-product linkage | Blocking | none |
| DEP-11-11 | URS-12 document control | URS-12 | QA agreements / MSA / audit findings / SCN evidence | Blocking | none |
| DEP-11-12 | URS-28 qualification register | URS-28 | Supplier-personnel qualifications (where applicable) | Blocking | none |
| DEP-11-13 | URS-30 notifications | URS-30 | Reminders | Non-blocking | direct e-mail fallback |
| DEP-11-14 | URS-35 backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ | DR drill |
| DEP-11-15 | Forward manufacturing BOM module + URS-23 + URS-26 | (BOM module-number is a program dependency, not URS-13) / URS-23 / URS-26 | Detailed BOM, batch records, recall integration | Forward (post-launch) | high-level linkage only |

---

## 19. Completeness Checklist

| Item | Yes / No | Evidence |
|---|---|---|
| Controlled-document metadata complete? | Yes | front matter |
| Approval block complete? | Yes (signatures pending) | Document Approval section |
| Version history complete? | Yes | Version History |
| Glossary complete? | Yes | §0.6 |
| Scope complete? | Yes | §2 |
| Roles and permissions complete? | Yes | §3 |
| User journeys complete? | Yes | §4 (28 journeys) |
| Front-end complete? | Yes | §5 |
| Backend complete? | Yes | §6 |
| Data model complete? | Yes | §6.2 |
| APIs complete? | Yes | §6.3 |
| Workflow / lifecycle complete? | Yes | §6.4 |
| Business rules complete? | Yes | §6.5 |
| Audit trail complete? | Yes | §6.6 |
| AI / Human-in-the-Loop complete? | Yes (no AI in core) | §8 |
| Reports complete? | Yes | §9 |
| Notifications complete? | Yes | §10 |
| Cross-module wiring complete? | Yes | §7 |
| Change-impact matrix complete? | Yes | §7.2 |
| Negative paths complete? | Yes | §11 |
| Security / privacy / tenant isolation complete? | Yes | §12 |
| ALCOA+ complete? | Yes | §13 |
| Regulatory mapping complete? | Yes | §14 |
| Predicate-rule applicability matrix complete? | Yes | §14.1 |
| Requirements register complete? | Yes | §15 |
| Acceptance tests complete? | Yes | §16 |
| Requirements-to-test traceability complete? | Yes | §16.4 |
| Validation evidence complete? | Yes | §17 |
| Supplier and service-provider qualification pack complete? | Yes | §17.1 |
| Decisions and dependencies registered (no internal decisions outstanding)? | Yes | §18.1, §18.2 |
| Final quality gate answered? | Yes | §20 |

---

## 20. Final Module Output Quality Gate

**URS approval is separate from validation execution.** This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-11-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied. **No Module 11 internal open questions remain.**

- **Specification ready for engineering review?** Yes.
- **Specification ready for quality validation review?** Yes.
- **Specification ready for compliance review?** Yes — ALCOA+, Part 11, Annex 11, Part 211 §211.84/§211.122, EU GMP Chapter 7, ICH Q10 §2.7, ICH Q9, Annex 8, ISO 13485, USP <1058>, ISO 11135/11137/17665.
- **Specification ready for inspector / client review?** Yes.
- **Specification ready for Founder approval?** Yes.
- **Blocking gaps?** None internal. Cross-module dependencies (§18.2) are owned by named companion modules. Forward-roadmap dependencies (URS-13 / URS-23 / URS-26) are documented but not blocking for launch.
- **Two-step release path:**
  1. **Approved Controlled URS — released for engineering implementation and validation planning.** Reached upon signature capture.
  2. **Released for validation execution.** Reached after URS-11-VAL-008 is satisfied and the §17 evidence pack is complete.

---

## Appendix A — Supplier Lifecycle Composite

```mermaid
flowchart TD
  A([Tenant administrator creates supplier]) --> B[SUPPLIER_CREATED state under_evaluation]
  B --> C[Qualification artifacts gathered: questionnaire + audit + QA + MSA + sample testing per DEC-11-04 matrix]
  C --> D[Supplier owner submits for provisional qualification]
  D --> E{Critical type per DEC-11-16?}
  E -- yes --> F[supplier_owner + final_quality_approver + regulatory_oversight_admin + executive authority co-signs with MFA]
  E -- no --> G[supplier_owner signs independent of creator + final_quality_approver co-signs]
  F --> H[SUPPLIER_PROVISIONALLY_QUALIFIED state provisionally_qualified]
  G --> H
  H --> I[Performance evaluation period 6-12 months]
  I --> J{Pass criteria met?}
  J -- yes --> K[Full qualification co-signs incl executive authority for critical]
  K --> L[SUPPLIER_FULLY_QUALIFIED state qualified]
  J -- no --> M[SUPPLIER_REJECTED_AT_PERFORMANCE_PERIOD]
  L --> N[Supplier in active use; orders flow; deviations / complaints linked]
  N --> O[Periodic requalification per cadence: critical annual, major biennial, minor triennial]
  O --> P{Requalification on time?}
  P -- yes --> Q[SUPPLIER_REQUALIFIED]
  Q --> N
  P -- no --> R[SUPPLIER_REQUALIFICATION_MISSED_AUTO_SUSPENDED; lifecycle_state suspended; suspension_reason requalification_missed_regulatory_concern; qualification_status MAY be marked expired as a status, not a lifecycle state]
  N --> S{Lifecycle event?}
  S -- audit finding / quality concern / SCN critical impact --> T[SUPPLIER_SUSPENDED with reason]
  T --> U{Resolved?}
  U -- yes --> V[SUPPLIER_RETURNED_TO_QUALIFIED with co-signs incl executive authority for regulatory]
  V --> N
  U -- no --> W[Disqualification initiation]
  S -- business decision --> W
  W --> X[Pre-disqualification gate: orders, contracts, studies, delegations]
  X --> Y{Blockers?}
  Y -- yes --> Z[Surface remediation list]
  Z --> X
  Y -- no --> AA[Disqualification attestation: supplier_owner + supplier_quality_lead + RA + executive authority for critical]
  AA --> AB[SUPPLIER_DISQUALIFIED state disqualified]
  AB --> AC[Historical records preserved; queries continue for inspection]
```
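The disqualification path (AC-11-FUN-08, AC-11-FUN-09, and nodes W to AB of the diagram above) worked through in Python as an added example; it is not Verixa code. The function names, the `executive_authority` role spelling, the tenant-check-first ordering, and the precedence among simultaneously open blocker categories are assumptions; the error codes and signer roles are taken from this specification.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Categories and 409 codes as listed in AC-11-FUN-08. The dict order doubles as
# precedence when several categories are open (assumption: the spec ranks none).
BLOCKER_CODES = {
    "orders": "SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_ORDERS",
    "contracts": "SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_CONTRACTS",
    "studies": "SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_STUDIES",
    "delegations": "SUPPLIER_DISQUALIFICATION_BLOCKED_BY_OPEN_DELEGATIONS",
}
# Attestation roles from Appendix A node AA; "executive_authority" is an assumed spelling.
BASE_SIGNERS = frozenset({"supplier_owner", "supplier_quality_lead", "RA"})


@dataclass
class GateResult:
    passed: bool
    status: int | None = None        # HTTP status on refusal, None when the gate passes
    code: str | None = None          # the single error code returned to the caller
    remediation: list[str] = field(default_factory=list)  # every open blocker code


def evaluate_gate(tenant_state: str, open_counts: dict[str, int]) -> GateResult:
    """Pre-disqualification gate: tenant lifecycle first, then the four blocker checks."""
    if tenant_state != "active":                      # AC-11-FUN-09
        return GateResult(False, 403, "TENANT_NOT_ACTIVE")
    if set(open_counts) != set(BLOCKER_CODES):
        # Fail closed: a category nobody counted must not pass as "zero open".
        raise ValueError("open_counts must cover exactly: " + ", ".join(BLOCKER_CODES))
    open_codes = [code for cat, code in BLOCKER_CODES.items() if open_counts[cat] > 0]
    if open_codes:                                    # AC-11-FUN-08
        return GateResult(False, 409, open_codes[0], open_codes)
    return GateResult(True)


def missing_signers(criticality: str, signed_roles: set[str]) -> set[str]:
    """Roles still required on the disqualification attestation."""
    required = set(BASE_SIGNERS)
    if criticality == "critical":
        required.add("executive_authority")
    return required - set(signed_roles)


def disqualify(state: str, tenant_state: str, criticality: str,
               open_counts: dict[str, int], signed_roles: set[str]) -> str:
    """Return the lifecycle state after the attempt; it moves only if every check passes."""
    gate = evaluate_gate(tenant_state, open_counts)
    if not gate.passed or missing_signers(criticality, signed_roles):
        return state
    return "disqualified"
```

The `remediation` list carries every open category so the remediation loop (Z back to X in the diagram) can show all blockers while the response still returns one code.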

— End of Module 11 User Requirements Specification —



