# Verixa — User Requirements Specification

# Module 15: OOS / OOT

| Field | Value |
|---|---|
| Document ID | VRX-URS-15 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, QC Head, Site Quality Lead, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-15-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `oos-oot`. Expected API mounts `/api/v1/oos/*` and `/api/v1/oot/*`. Expected route / service / schema / type / migration / DB-schema / context-filter ownership within the `oos-oot` module. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity**. Verixa internally classifies this AI surface as **high-risk under internal AI governance**, aligned with the high-risk classification approach in **EU AI Act (Regulation 2024/1689) Annex III**, unless a jurisdiction-specific legal assessment determines otherwise. AI-assisted OOS / OOT surfaces (AI investigation assistant, AI root-cause suggestion, AI scoring of investigation outcome, MIRA copilot recommendations, AI trend detection) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles. Every AI surface shall provide a fully functional manual investigation path; the investigation record, disposition, and e-signature approval shall be executable and closable when AI services are disabled, degraded, or disagreed with by the investigator. **No AI service shall be the sole path to classify, close, or dispose an OOS or OOT event.** This module binds ARCH-AI-001 AC-2, AC-3, AC-4, and AC-7. Verixa treats **EU GMP Annex 22 (Draft 2025)** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, generative / probabilistic AI is **PROHIBITED** in OOS phase 1 / phase 2 disposition decisions, retest disposition decisions, OOT false-positive adjudication decisions, and parent-OOS closure decisions. Static deterministic AI may suggest investigation steps and surface trend signals; the human investigator's signed decision is the system of record. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical OOS investigation register, the staged investigation lifecycle (phase 1 laboratory check → phase 2 manufacturing / root-cause investigation → retest → final disposition), the OOT alert register, the trend-data register with computation provenance, the deviation / CAPA linkage, the authority-gated final disposition with e-signature, the SoD-enforced investigator / approver separation, the false-positive adjudication for OOT, and the cross-module linkage to URS-10 product specifications, URS-23 batch records, URS-24 stability, URS-25 environmental monitoring, URS-16 deviations, URS-17 RCA, URS-18 CAPA. |
| Date of Issue | 2026-05-06 |
| Module Owner (Engineering) | OOS / OOT / Investigation Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — OOS / OOT |
| Module Owner (Compliance) | Quality Assurance, Quality Control, Manufacturing, Regulatory Affairs |
| Approving Authority | Founder / Chairman & MD; QA Head; QC Head; Validation Head; RA Head; Information Security Head; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's OOS / OOT module (Module 15). It is the binding contract between product, engineering, quality validation, regulatory affairs, quality control / laboratory operations, manufacturing, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated investigation substrate: the canonical OOS investigation register; the staged investigation lifecycle (phase 1 laboratory check, phase 2 manufacturing / root-cause investigation, retest / resample, final disposition); the OOT alert register and trend-data register with computation provenance; the controlled completion-decision rules (lab error vs full investigation path); the parent-OOS state advancement after phase 2 completion; the retest-driven disposition; the authority-gated final disposition under e-signature; the SoD-enforced investigator / approver / closer separation; the OOT false-positive adjudication workflow; the cross-module linkage to deviations / RCA / CAPA / batch records / stability / environmental monitoring; the OOS / OOT reporting and search surfaces with overdue and pending visibility; and the per-jurisdictional regulatory expectations under FDA OOS Guidance (Oct 2006), EU GMP Annex 15 §10, ICH Q9 / Q10, MHRA Data Integrity. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, QC, Validation, Regulatory Affairs, Manufacturing, Quality Operations, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S, PMDA). The plain-language primer (§0.4) and worked examples (§3.5) make Module 15 accessible to non-domain engineers, product owners, validation engineers, and laboratory analysts.

### 0.3 How to read this document

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD or MAY.

### 0.4 Plain-language primer for non-domain readers

In a regulated pharmaceutical operation, **no laboratory result is ever silently re-tested or thrown away**. When a laboratory test on a marketed product, an in-process material, a stability sample, or a release sample produces a result that **falls outside the registered acceptance criteria** — for example, a tablet assay returning 92% of label claim against a 95-105% specification, an impurity peak above the registered limit, a microbial count above the action level, a dissolution result below the Q-15% bar — the platform must record the result as an **Out-of-Specification (OOS)** investigation, immediately quarantine the affected batch from release, and run a regulated, multi-phase investigation under **FDA OOS Guidance (October 2006), EU GMP Annex 15 §10, ICH Q10 §3.2.4, Annex 1 Revision 2023, MHRA Data Integrity (2018), USP <1010>, and ISO 17025**. Module 15 is the target specification for this regulated workflow.

A separate but related concept is **Out-of-Trend (OOT)**. An OOT alert fires when a result is *within* specification but *outside the historical statistical trend* (control chart out-of-control rule violation, 2-sigma drift, Western Electric rules, Nelson rules). OOT signals an emerging quality risk that must be evaluated even though no specification was breached.

An **OOS investigation** is the regulated record. It is created when a laboratory analyst observes a failing result; the analyst captures the test method, the sample, the result, the specification, the batch / lot / material, and the discovery date. Module 15 generates a server-authoritative OOS number (e.g., `OOS-2026-001234`) and assigns the investigation to QC. The investigation enters **phase 1**.

In **phase 1 (laboratory investigation)** per FDA OOS Guidance §IV.A, the QC analyst and supervisor evaluate whether the result is attributable to laboratory error: incorrect calculation, incorrect sample preparation, instrument malfunction, reagent deterioration, transcription error, calibration drift. If a clear, assignable, documented laboratory error is identified, the OOS may be **closed at phase 1 as "lab error invalidated"**: the original result is invalidated, a documented re-test is performed, and (if the re-test passes specification) the original result is rejected and the batch may proceed. Per FDA OOS Guidance, the lab-error decision MUST be documented, signed, and supported by objective evidence; per Module 15 / DEC-15-04, the phase 1 completion is e-signed via Controlled Approval Modal and SoD-15-02 enforced (the analyst who produced the original result cannot also be the supervisor who signs the lab-error invalidation).

If phase 1 does NOT identify a clear lab error, the OOS proceeds to **phase 2 (manufacturing / production / formulation investigation)** per FDA OOS Guidance §IV.B. In phase 2, the manufacturing team, formulation, process engineering, and QA jointly evaluate whether the result reflects a real product or process problem: process deviation, raw-material variability, equipment performance, formulation issue, environmental conditions, sampling representativeness. Phase 2 may include manufacturing record review, equipment-data pulls, deviation linkage (URS-16), RCA initiation (URS-17), additional analytical testing on the original sample, and review of process trend data.

When phase 2 concludes, the OOS receives a **disposition**: `confirmed` (real OOS — batch fails specification — proceed to disposition workflow including reject, reprocess, rework, downgrade, recall), `invalidated` (objective evidence supports invalidation per FDA OOS Guidance — e.g., assignable cause identified in manufacturing or laboratory after deeper investigation), or `inconclusive` (cannot definitively assign cause — defaults to `confirmed` for batch-disposition purposes per FDA OOS Guidance, with executive authority co-sign required). Per Module 15 / DEC-15-06, phase 2 completion **MUST advance the parent OOS state to `pending_disposition`**.

A **retest / resample** may be ordered at phase 1 or phase 2 per a documented retest plan with statistical justification per FDA OOS Guidance §V. Retest results MUST drive controlled parent disposition. Statistical evaluation per USP <1010> Outlier Tests is documented; if a retest result is excluded as a statistical outlier, the exclusion is documented and signed.

The **final disposition** is authority-gated and e-signed. Per Module 15 / DEC-15-08, the final disposition requires `oos_final_disposition_authority` Authority Profile + `requiresEsign: true` + `requiresDelegationValidation: true`. SoD-15-04 enforced: the investigator (phase 1 or phase 2) cannot also be the disposition approver. Where the disposition is `inconclusive`, executive authority co-sign is required per DEC-15-21. Where the disposition triggers a recall or field action, URS-14 Complaint workflow is initiated.

For **OOT**, the lifecycle is simpler: an OOT alert fires from the trend-data computation pipeline (per DEC-15-12 — periodic statistical computation against the control chart), the alert is reviewed by QC, and the QC analyst assesses whether it represents a **true positive** (real trend signal — escalate to OOS investigation OR proactive process change) or a **false positive** (statistical artefact — adjudicate with documented rationale). The false-positive adjudication is e-signed by an `oot_adjudication_authority` per DEC-15-09. SoD-15-05 enforced.

Verixa internally classifies AI-assisted OOS / OOT decision making as **high-risk AI under internal AI governance**, aligned with the high-risk classification approach in EU AI Act Annex III, unless a jurisdiction-specific legal assessment determines otherwise. Verixa treats **EU GMP Annex 22 (Draft 2025)** as an internal forward-looking architectural control (not an enacted predicate rule). Under those internal controls: AI may suggest investigation steps, root causes, retest plans, OOT classifications — but every AI suggestion is **advisory** under ARCH-AI-001 AC-2; visibly labelled per AC-3; never autonomously writes to the investigation record per AC-4; degrades gracefully when unavailable per AC-7. **Generative / probabilistic AI is PROHIBITED in OOS phase 1 / phase 2 / retest disposition / OOT false-positive adjudication / parent-OOS closure decision paths per the internal Annex 22 control / DEC-15-18.** Static deterministic AI may surface signals; the human investigator's signed decision is the system of record. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment.

Module 15 is the **substrate that ensures every laboratory result either passes specification or is investigated under written procedure with electronic signature** — the inspector's primary check during a marketed-product inspection.

### 0.5 OOS investigation lifecycle diagram

```mermaid
stateDiagram-v2
  state "OOS Investigation Lifecycle" as OOSLC {
    [*] --> opened : Analyst opens OOS
    opened --> phase1_in_progress : QC supervisor assigns phase 1 (SoD-15-01)
    phase1_in_progress --> closed_lab_error : Lab error documented + signed (SoD-15-02 + DEC-15-04)
    phase1_in_progress --> phase2_in_progress : No lab error → phase 2
    phase2_in_progress --> retest_in_progress : Retest ordered per plan (DEC-15-07)
    retest_in_progress --> phase2_in_progress : Retest results evaluated → return to phase 2
    phase2_in_progress --> pending_disposition : Phase 2 complete (CORRECTS OOS-REQ-006)
    pending_disposition --> confirmed : Disposition `confirmed` + authority + e-sign (SoD-15-04)
    pending_disposition --> invalidated : Disposition `invalidated` + authority + e-sign + objective evidence
    pending_disposition --> inconclusive : Disposition `inconclusive` + executive authority co-sign (DEC-15-21)
    confirmed --> closed_confirmed : Closure attestation (triggers downstream actions)
    invalidated --> closed_invalidated : Closure attestation
    inconclusive --> closed_inconclusive_treated_as_confirmed : Per FDA OOS Guidance, treated as confirmed for batch disposition
    closed_lab_error --> [*]
    closed_confirmed --> [*]
    closed_invalidated --> [*]
    closed_inconclusive_treated_as_confirmed --> [*]
    note right of pending_disposition
      Authority: oos_final_disposition_authority
      SoD-15-04 enforced
      Inconclusive → executive authority co-sign DEC-15-21
    end note
    note right of confirmed
      Triggers: batch quarantine,
      reject/reprocess/rework decision (URS-23),
      possible CAPA (URS-18),
      possible recall (URS-14)
    end note
  }
```

Diagram 0.5-A — OOS investigation lifecycle. Per FDA OOS Guidance phase 1 (laboratory) → phase 2 (manufacturing / process) → retest → disposition. Every transition is electronically signed; SoD enforced at analyst-vs-supervisor and investigator-vs-approver boundaries; inconclusive disposition requires executive authority co-sign per DEC-15-21.

### 0.6 Glossary of key terms used in this document

| Term | Definition |
|---|---|
| Annex 22 | EU GMP Annex 22 (Draft 2025) governing AI in pharmaceutical manufacturing; prohibits generative / probabilistic AI in critical decision paths. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface (AC-1..AC-7); applied to Module 15 as AC-2, AC-3, AC-4, AC-7. |
| Closed (lab error) | OOS terminal state when phase 1 lab error is documented + signed per FDA OOS Guidance §IV.A. |
| Closed (confirmed) | OOS terminal state when phase 2 disposition is `confirmed` + authority signed. |
| Closed (invalidated) | OOS terminal state when objective evidence supports invalidation per FDA OOS Guidance + authority signed. |
| Closed (inconclusive) | OOS terminal state when disposition is `inconclusive`; treated as confirmed for batch-disposition per FDA OOS Guidance + executive authority co-sign per DEC-15-21. |
| Confirmed | Disposition outcome where the OOS reflects a real specification failure. |
| Disposition | The final regulated decision on the OOS — `confirmed` / `invalidated` / `inconclusive`. |
| FDA OOS Guidance | FDA Guidance for Industry "Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production" (October 2006). |
| Inconclusive | Disposition outcome where cause cannot be definitively assigned; treated as confirmed for batch decisions per FDA OOS Guidance. |
| Invalidated | Disposition outcome where objective evidence supports invalidation of the original result. |
| OOS | Out-of-Specification — laboratory result outside the registered acceptance criteria. |
| OOT | Out-of-Trend — laboratory or process result inside specification but outside the historical statistical trend. |
| OOT False Positive | OOT alert adjudicated as a statistical artefact, not a real trend signal. |
| Phase 1 | Laboratory investigation phase per FDA OOS Guidance §IV.A — assesses laboratory error. |
| Phase 2 | Manufacturing / process investigation phase per FDA OOS Guidance §IV.B — assesses real product / process problem. |
| Retest | Documented re-testing of the original sample (or a fresh sample with statistical justification) per FDA OOS Guidance §V. |
| Resample | Fresh sample drawn for re-testing; requires documented justification. |
| SoD | Segregation of Duties — service-layer enforced separation between analyst, supervisor, investigator, approver, closer. |
| Trend Data | Computed statistical summary (mean, SD, control limits, run-rules outcome) over historical results. |

### 0.7 Module 15 architectural picture

```mermaid
graph LR
  subgraph M15 [Module 15 — OOS / OOT]
    OOS[OOS Investigation Registry<br/>code: oos-oot]
    OOSLC[OOS Lifecycle workflow]
    P1[Phase 1 Laboratory Check<br/>oos_phase1_checks]
    P2[Phase 2 Investigation<br/>oos_phase2_investigations]
    RT[Retests<br/>oos_retests]
    DISP[Final Disposition<br/>oos_final_dispositions]
    OOT[OOT Alert Registry<br/>oot_alerts]
    TR[Trend Data + Computation Pipeline<br/>oot_trend_data]
    AUTH[Authority + SoD + E-Sign]
  end

  M01[URS-01 Auth] --> AUTH
  M02[URS-02 RBAC] --> OOS
  M03[URS-03 Active Scope] --> OOS
  M04[URS-04 Workflow / E-Sign] --> AUTH
  M05[URS-05 Authority Profiles] --> AUTH
  OOS --> M06[URS-06 Audit Substrate]
  M10[URS-10 Product specifications] --> OOS
  M13[URS-13] --> OOS
  DISP --> M14[URS-14 Complaints]
  M16[URS-16 Deviations] <--> P2
  M17[URS-17 RCA] <--> P2
  M18[URS-18 CAPA] <--> DISP
  OOS --> M21[URS-21 Findings]
  OOS --> M22[URS-22 Inspection Mgmt]
  M23[URS-23 Batch Records] <--> OOS
  M23 <--> DISP
  M24[URS-24 Stability] --> OOS
  M25[URS-25 Environmental Monitoring] --> OOS
  OOSLC --> M30[URS-30 Notifications]
  ANNEX22[Annex 22 GenAI prohibition] -.governs.-> P1
  ANNEX22 -.governs.-> P2
  ANNEX22 -.governs.-> DISP
  ANNEX22 -.governs.-> OOT
  ARCHAI[ARCH-AI-001 advisory AI] -.governs.-> OOS
  AIAct[EU AI Act Annex III HIGH-RISK] -.classifies.-> OOS
```

Diagram 0.7-A — Module 15 architectural picture. The target `oos-oot` code module is the expected owner of the OOS registry, phase 1 / phase 2 / retest / disposition lifecycle, OOT alerts, and trend computation; ownership is target binding and remains subject to repository verification and validation evidence. Verixa treats EU GMP Annex 22 Draft 2025 and EU AI Act high-risk / transparency concepts as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise; under the internal control, generative AI is prohibited in disposition decision paths and the module is internally classified high-risk AI. ARCH-AI-001 governs advisory deterministic AI. Binding predicate-rule obligations remain those listed in §14.

---

## 1. Module Purpose

Module 15 establishes OOS / OOT as the canonical substrate for "every laboratory result that fails specification or breaches statistical trend" in Verixa. It owns the OOS investigation register, the staged investigation lifecycle (phase 1 → phase 2 → retest → disposition), the OOT alert and trend-data registries with computation provenance, the controlled completion-decision rules, the authority-gated final disposition under e-signature, the SoD-enforced investigator / approver separation, the OOT false-positive adjudication, the cross-module linkage to deviations / RCA / CAPA / batch records / stability / environmental monitoring, and the per-jurisdictional regulatory compliance under FDA OOS Guidance (Oct 2006), EU GMP Annex 15 §10, ICH Q9 / Q10, MHRA Data Integrity (2018), USP <1010>, ISO 17025. Module 15 is consumed by URS-23 batch records (release decisions), URS-24 stability (stability-failing-result triggers), URS-25 environmental monitoring (excursion-alarm triggers), URS-21 findings (OOS findings precipitate Findings), URS-14 complaints (confirmed OOS may precipitate field action), URS-26 APQR (OOS / OOT statistics in Annual Product Quality Review).

Module 15 is the **single source of truth for "show me the failing result, the investigation, and the disposition"** — the inspector's most common laboratory-related request after analytical method validation evidence.

---

## 2. Scope

### 2.1 In scope

#### OOS Investigation Registry

- The OOS investigation master registry per DEC-15-01: per-tenant registry with `id`, `tenant_id`, `oos_number` (server-authoritative `OOS-{YYYY}-{nnnnnn}` per DEC-15-03 — race-safe sequential), `discovery_date`, `analyst_user_id`, `qc_supervisor_user_id` (nullable until assigned), `study_id` (FK URS-07 — nullable unless the OOS / OOT originates from a study), `product_id` (FK URS-10 nullable), `site_id` (FK URS-09 nullable), `batch_id` (FK URS-23 nullable), `stability_source_id` (nullable; FK URS-24), `em_source_id` (nullable; FK URS-25), `method_id`, `specification_id`, `result_value`, `specification_window`, `severity_initial`, `lifecycle_state`, `created_at`, `updated_at`, `deleted_at` (nullable for soft-delete). Every OOS / OOT record MUST carry applicable scope dimensions: product, site, study, batch, stability source, or EM source as applicable. If study is not applicable, store `study_scope = not_applicable` with controlled rationale. The platform MUST NOT force `study_id` on non-study commercial GMP OOS.
- Context model normalization per OOS-REQ-002 / DEC-15-13: `MODULE_CONTEXT_CONFIG['oos-oot']` declares product + study filtering as applicable per scope dimensions captured on the registry record.

#### OOS Lifecycle

- Lifecycle state machine per DEC-15-02: `opened → phase1_in_progress → {closed_lab_error | phase2_in_progress} → {retest_in_progress ↔ phase2_in_progress} → pending_disposition → {confirmed | invalidated | inconclusive} → closed_*`. 
- Each transition is electronically signed; all transitions log dual-write to `oos_lifecycle_events` + URS-06 substrate.

#### Phase 1 Laboratory Check

- `oos_phase1_checks` table per DEC-15-04 with `id`, `oos_id`, `analyst_user_id`, `qc_supervisor_user_id`, `lab_error_assessment_jsonb` (calculation, sample-prep, instrument, reagent, transcription, calibration evaluation), `lab_error_identified` (boolean), `assignable_cause_evidence_text`, `phase1_outcome` (`closed_lab_error` / `proceed_to_phase2`), `signed_at`, `signature_id`. 
- Per FDA OOS Guidance §IV.A, lab-error closure requires documented assignable cause + supervisor sign; **SoD-15-02 enforced**: analyst who produced original result cannot sign lab-error invalidation.

#### Phase 2 Manufacturing / Process Investigation

- `oos_phase2_investigations` per DEC-15-05 with `id`, `oos_id`, `investigator_user_id`, `manufacturing_record_review_summary`, `equipment_data_pull_summary`, `formulation_review_summary`, `process_trend_review_summary`, `deviation_id` (FK URS-16 nullable), `rca_id` (FK URS-17 nullable), `additional_testing_summary`, `phase2_outcome` (`disposition_recommended_confirmed` / `disposition_recommended_invalidated` / `disposition_recommended_inconclusive`), `signed_at`, `signature_id`. 
- SoD-15-03 enforced: phase 1 supervisor cannot be phase 2 investigator (independence of investigation phases).

#### Retest / Resample

- `oos_retests` per DEC-15-06 with `id`, `oos_id`, `retest_plan_text`, `statistical_justification`, `retest_type` (`retest_original_sample` / `resample_fresh`), `retest_analyst_user_id`, `retest_result_value`, `retest_unit`, `outlier_test_outcome` (per USP <1010>), `outlier_excluded` (boolean with documented sign), `retest_disposition_impact` (`supports_invalidation` / `supports_confirmation` / `inconclusive`), `signed_at`, `signature_id`. 
- Outlier exclusion per USP <1010> requires statistical test outcome + documented sign.

#### Final Disposition

- `oos_final_dispositions` per DEC-15-07 with `id`, `oos_id`, `disposition` (`confirmed` / `invalidated` / `inconclusive`), `objective_evidence_summary`, `disposition_authority_user_id`, `disposition_signature_id`, `founder_cosign_signature_id` (nullable; required if `inconclusive` per DEC-15-21), `batch_action_taken_jsonb` (`reject` / `reprocess` / `rework` / `downgrade` / `recall` / `release_with_caveat`), `signed_at`. 
- Authority gate per DEC-15-08: `oos_final_disposition_authority` Authority Profile + `requiresEsign: true` + `requiresDelegationValidation: true`.
- SoD-15-04 enforced: phase 1 / phase 2 investigator cannot also be the disposition approver.
- Per Annex 22 / DEC-15-18: NO LLM / generative AI in disposition decision path. Static deterministic AI may surface evidence patterns; human signed decision is system of record.
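
The lifecycle and segregation-of-duties rules above (DEC-15-02, SoD-15-02, SoD-15-03, SoD-15-04, DEC-15-08, DEC-15-21) can be enforced by one service-layer guard that every transition passes through. The following is an added example, not Verixa code: the type names, function names and denial codes are hypothetical, and checking SoD-15-03 at phase 2 sign-off is an assumption about where that rule is applied.

```typescript
// Added example. Type names, function names and denial codes are hypothetical.
type State =
  | "opened" | "phase1_in_progress" | "closed_lab_error" | "phase2_in_progress"
  | "retest_in_progress" | "pending_disposition" | "confirmed" | "invalidated"
  | "inconclusive" | "closed_confirmed" | "closed_invalidated"
  | "closed_inconclusive_treated_as_confirmed";

// Allowed transitions, transcribed from the DEC-15-02 state machine.
const TRANSITIONS: Record<State, State[]> = {
  opened: ["phase1_in_progress"],
  phase1_in_progress: ["closed_lab_error", "phase2_in_progress"],
  phase2_in_progress: ["retest_in_progress", "pending_disposition"],
  retest_in_progress: ["phase2_in_progress"],
  pending_disposition: ["confirmed", "invalidated", "inconclusive"],
  confirmed: ["closed_confirmed"],
  invalidated: ["closed_invalidated"],
  inconclusive: ["closed_inconclusive_treated_as_confirmed"],
  closed_lab_error: [],
  closed_confirmed: [],
  closed_invalidated: [],
  closed_inconclusive_treated_as_confirmed: [],
};

interface OosRecord {
  lifecycleState: State;
  analystUserId: string;                   // produced the original result
  phase1SupervisorUserId: string | null;   // signs the phase 1 decision
  phase2InvestigatorUserId: string | null; // recorded when phase 2 is signed off
}

interface SignedAction {
  to: State;
  actorUserId: string;
  esignatureId: string | null;               // every transition is e-signed
  holdsDispositionAuthority: boolean;        // assumed result of the Authority Profile lookup
  executiveCosignSignatureId: string | null; // DEC-15-21 co-sign
}

interface Decision { allowed: boolean; code: string; }

const DISPOSITIONS: State[] = ["confirmed", "invalidated", "inconclusive"];

function checkTransition(rec: OosRecord, act: SignedAction): Decision {
  const deny = (code: string): Decision => ({ allowed: false, code });
  // State machine first: no skipping phases, no leaving a terminal state.
  if (TRANSITIONS[rec.lifecycleState].indexOf(act.to) === -1) return deny("ILLEGAL_TRANSITION");
  if (!act.esignatureId) return deny("ESIGN_REQUIRED");
  // SoD-15-02: the analyst who produced the result cannot sign its invalidation.
  if (act.to === "closed_lab_error" && act.actorUserId === rec.analystUserId) return deny("SOD-15-02");
  // SoD-15-03: the phase 1 supervisor cannot act as phase 2 investigator.
  if (act.to === "pending_disposition" && act.actorUserId === rec.phase1SupervisorUserId) return deny("SOD-15-03");
  if (DISPOSITIONS.indexOf(act.to) !== -1) {
    if (!act.holdsDispositionAuthority) return deny("AUTHORITY_REQUIRED");
    // SoD-15-04: nobody who investigated in phase 1 or phase 2 may approve.
    const investigators = [rec.analystUserId, rec.phase1SupervisorUserId, rec.phase2InvestigatorUserId];
    if (investigators.indexOf(act.actorUserId) !== -1) return deny("SOD-15-04");
    if (act.to === "inconclusive" && !act.executiveCosignSignatureId) return deny("COSIGN_REQUIRED");
  }
  return { allowed: true, code: "OK" };
}

// Returns the record after the transition, or the unchanged record when denied.
function applyTransition(rec: OosRecord, act: SignedAction): OosRecord {
  if (!checkTransition(rec, act).allowed) return rec;
  return {
    lifecycleState: act.to,
    analystUserId: rec.analystUserId,
    phase1SupervisorUserId: rec.phase1SupervisorUserId,
    phase2InvestigatorUserId:
      act.to === "pending_disposition" ? act.actorUserId : rec.phase2InvestigatorUserId,
  };
}

// Constructed walk: user ids and signature ids are sample values.
function demoWalk(): string[] {
  let rec: OosRecord = {
    lifecycleState: "phase2_in_progress", analystUserId: "u-analyst",
    phase1SupervisorUserId: "u-supervisor", phase2InvestigatorUserId: null,
  };
  const attempts: SignedAction[] = [
    { to: "pending_disposition", actorUserId: "u-supervisor", esignatureId: "sig-1",
      holdsDispositionAuthority: false, executiveCosignSignatureId: null },
    { to: "pending_disposition", actorUserId: "u-investigator", esignatureId: "sig-2",
      holdsDispositionAuthority: false, executiveCosignSignatureId: null },
    { to: "inconclusive", actorUserId: "u-investigator", esignatureId: "sig-3",
      holdsDispositionAuthority: true, executiveCosignSignatureId: null },
    { to: "inconclusive", actorUserId: "u-approver", esignatureId: "sig-4",
      holdsDispositionAuthority: true, executiveCosignSignatureId: null },
    { to: "inconclusive", actorUserId: "u-approver", esignatureId: "sig-5",
      holdsDispositionAuthority: true, executiveCosignSignatureId: "sig-exec-1" },
  ];
  const codes: string[] = [];
  attempts.forEach((a) => { codes.push(checkTransition(rec, a).code); rec = applyTransition(rec, a); });
  return codes;
}
```

Because the denial code names the rule that fired, each rejected attempt can be written to the audit trail with the control it violated.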

#### OOT Alert Lifecycle

- `oot_alerts` per DEC-15-09 with `id`, `tenant_id`, `oot_number` (server-authoritative `OOT-{YYYY}-{nnnnnn}`), `triggering_test_method_id`, `product_id`, `batch_id` (nullable), `result_value`, `control_limit_violated` (`upper_warning` / `upper_action` / `lower_warning` / `lower_action` / `western_electric_rule_X` / `nelson_rule_X`), `alert_severity` (`low` / `medium` / `high`), `triggered_at`, `assigned_qc_user_id`, `adjudication_outcome` (nullable until adjudicated; `true_positive_escalate_to_oos` / `true_positive_proactive_action` / `false_positive_statistical_artefact`), `adjudication_rationale_text`, `adjudicator_signature_id` (nullable), `closed_at` (nullable). 
- Authority gate per DEC-15-09: `oot_adjudication_authority` Authority Profile.
- SoD-15-05 enforced: adjudicator cannot be the analyst who produced the triggering result.

#### OOT Trend Data + Computation Pipeline

- `oot_trend_data` per DEC-15-10 with `id`, `tenant_id`, `test_method_id`, `product_id`, `data_window_start`, `data_window_end`, `n_results`, `mean`, `sd`, `cv`, `upper_warning_limit`, `upper_action_limit`, `lower_warning_limit`, `lower_action_limit`, `control_chart_payload_jsonb`, `western_electric_violations_jsonb`, `nelson_violations_jsonb`, `computed_at`, `compute_run_id`. 
- Computation pipeline per DEC-15-11: deterministic statistical engine (control limits per ±3σ default; Western Electric rules WE-1 through WE-4; Nelson rules N-1 through N-8) recomputed on schedule (DEC-15-12: hourly batch; on-demand recompute by `qc_supervisor`).
- Per Annex 22 / DEC-15-18: NO LLM / generative AI in trend computation. Static deterministic statistical engine only.
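
A deterministic run-rule engine of the kind DEC-15-11 calls for, as an added example that is not Verixa's implementation. It assumes WE-1 to WE-4 denote the conventional Western Electric zone rules (one point beyond 3σ; two of three beyond 2σ on one side; four of five beyond 1σ on one side; eight consecutive on one side), which this document does not define; the function names and sample values are constructed.

```typescript
// Added example. Function names are hypothetical; rule definitions are the
// conventional Western Electric zone rules (an assumption, see lead-in).
interface Baseline { n: number; mean: number; sd: number; }
interface Violation { rule: string; index: number; }

// Baseline over a historical window, matching the n_results / mean / sd
// columns of oot_trend_data.
function computeBaseline(history: number[]): Baseline {
  const n = history.length;
  if (n < 2) throw new Error("baseline needs at least two results");
  const mean = history.reduce((a, x) => a + x, 0) / n;
  const ss = history.reduce((a, x) => a + (x - mean) * (x - mean), 0);
  const sd = Math.sqrt(ss / (n - 1)); // sample standard deviation
  if (sd === 0) throw new Error("zero variance: control limits undefined");
  return { n: n, mean: mean, sd: sd };
}

// Number of points in the `width`-point window ending at `end` that lie more
// than k sigma from the mean on the given side (+1 above, -1 below).
function countBeyond(z: number[], end: number, width: number, k: number, side: number): number {
  const start = Math.max(0, end - width + 1);
  return z.slice(start, end + 1).filter((v) => side * v > k).length;
}

// Evaluates every point against WE-1..WE-4. A rule is reported at the index
// of the point that completes the pattern, so each alert maps to one result.
function westernElectric(results: number[], b: Baseline): Violation[] {
  const z = results.map((x) => (x - b.mean) / b.sd);
  const found: Violation[] = [];
  z.forEach((zi, i) => {
    if (Math.abs(zi) > 3) found.push({ rule: "WE-1", index: i });
    [1, -1].forEach((side) => {
      const v = side * zi;
      if (v > 2 && countBeyond(z, i, 3, 2, side) >= 2) found.push({ rule: "WE-2", index: i });
      if (v > 1 && countBeyond(z, i, 5, 1, side) >= 4) found.push({ rule: "WE-3", index: i });
      if (i >= 7 && countBeyond(z, i, 8, 0, side) === 8) found.push({ rule: "WE-4", index: i });
    });
  });
  return found;
}

// OOS takes precedence: a result outside the specification window is an OOS
// regardless of trend. OOT applies only to an in-specification result that
// completes a run-rule pattern.
function classifyLatest(
  prior: number[], latest: number, specLow: number, specHigh: number, b: Baseline
): "OOS" | "OOT" | "IN_TREND" {
  if (latest < specLow || latest > specHigh) return "OOS";
  const lastIndex = prior.length;
  const hits = westernElectric(prior.concat([latest]), b);
  return hits.some((h) => h.index === lastIndex) ? "OOT" : "IN_TREND";
}

// Constructed sample data: assay results in % of label claim.
const BASELINE_WINDOW = [99, 101, 99, 101, 99, 101, 99, 101, 100]; // mean 100, sd 1
const NEW_RESULTS = [100.2, 101.5, 102.3, 102.4, 99.0, 103.2];     // all within 95-105

function demoViolations(): string[] {
  const b = computeBaseline(BASELINE_WINDOW);
  return westernElectric(NEW_RESULTS, b).map((v) => v.rule + "@" + v.index);
}
```

In the constructed series every result is inside the 95-105% specification, yet the last point trips WE-1, WE-2 and WE-3 together, which is the within-specification drift an OOT alert exists to surface.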

#### Deviation / CAPA / Batch / Stability / EM Linkage

- OOS may link to URS-16 deviation (suspected manufacturing cause), URS-17 RCA (deeper investigation), URS-18 CAPA (corrective action), URS-23 batch record (affected batch), URS-24 stability (stability-failing trigger), URS-25 environmental monitoring (EM excursion trigger). 

#### Audit Trail

- Every Module 15 mutation calls `auditTrailService.log()` per QS-1. Lifecycle transitions log dual-write to `oos_lifecycle_events` + URS-06.
- Final disposition decision logs explicit `oos_final_disposition_signed` event with full attribution.
- AI advisory output, human acceptance / override, and reason all log to `ai_requests` per ARCH-AI-001 AC-5.

#### Reporting and Search Surfaces

- List filters per DEC-15-14: by lifecycle state, priority, product, batch, test method, date range, due-for-disposition, overdue.
- Reports per §9: OOS inventory, lifecycle aging, disposition SLA, OOT alert open queue, trend-recompute health.

### 2.2 Out of scope

- **Document Control** — URS-12 owns document register; OOS report PDFs are stored as URS-12 documents.
- **Deviations, RCA, CAPA workflows** — URS-16 / 17 / 18; M15 references via FK.
- **Batch release / disposition workflows** — URS-23; M15 raises batch-action triggers.
- **Stability registry / study management** — URS-24.
- **Environmental monitoring / excursion register** — URS-25.
- **Authentication, RBAC, scope** — URS-01 / 02 / 03.
- **E-signature substrate** — URS-04.
- **Authority Profile registry** — URS-05.
- **Audit substrate** — URS-06.
- **Generative / probabilistic AI in OOS / OOT decision paths** — prohibited per Annex 22 / DEC-15-18.

### 2.3 Closed launch decisions

| ID | Decision | Disposition |
|---|---|---|
| DEC-15-01 | OOS investigation registry shape and per-tenant scoping | Locked. |
| DEC-15-02 | OOS lifecycle state machine | Locked: per §0.5 with parent-state advancement requirement. |
| DEC-15-03 | Server-authoritative race-safe OOS number | Locked: `OOS-{YYYY}-{nnnnnn}` with database sequence (corrects race-prone count-based generation). |
| DEC-15-04 | Phase 1 entity model + lab-error decision logic | Locked / OOS-REQ-004. |
| DEC-15-05 | Phase 2 entity model + parent-state advancement | Locked / OOS-REQ-006. |
| DEC-15-06 | Retest entity model + outlier per USP <1010> | Locked. |
| DEC-15-07 | Final disposition entity model | Locked. |
| DEC-15-08 | Authority gate for final disposition | Locked: `oos_final_disposition_authority` + SoD-15-04. |
| DEC-15-09 | OOT adjudication authority | Locked: `oot_adjudication_authority` + SoD-15-05. |
| DEC-15-10 | Trend data table | Locked. |
| DEC-15-11 | Statistical computation engine | Locked: deterministic Western Electric WE-1..4 + Nelson N-1..8 + ±3σ control limits. |
| DEC-15-12 | Trend recompute schedule | Locked: hourly batch + on-demand by `qc_supervisor`. |
| DEC-15-13 | Context-filter normalization | Locked. |
| DEC-15-14 | Reporting filters at launch | Locked per §2.1. |
| DEC-15-15 | Cross-module linkage breadth | Locked per §2.1. |
| DEC-15-16 | Audit-trail extension | Locked. |
| DEC-15-17 | Per-jurisdiction regulatory expectations mapping | Locked per §14. |
| DEC-15-18 | Annex 22 GenAI prohibition in OOS / OOT decision paths | Locked: NO LLM / generative AI in phase 1 / phase 2 / retest / disposition / OOT adjudication / closure decisions. |
| DEC-15-19 | ARCH-AI-001 binding for advisory AI (AC-2, AC-3, AC-4, AC-7) | Locked. |
| DEC-15-20 | EU AI Act Annex III HIGH-RISK classification | Locked: full HIGH-RISK obligations apply. |
| DEC-15-21 | Executive authority co-sign on inconclusive disposition | Locked. |
| DEC-15-22 | Reopen requires executive authority co-sign + reason | Locked. |
| DEC-15-23 | Tenant offboarding cascade | Locked: open OOS → `archived_for_audit`; closed records preserved. |
| DEC-15-24 | URS-23 batch-action trigger upon `confirmed` disposition | Locked. |
| DEC-15-25 | URS-14 complaint workflow trigger when disposition implicates marketed batch | Locked. |

---

## 3. User Roles and Permissions

### 3.1 Architecture

Module 15 consumes URS-01 identity, URS-02 RBAC, URS-03 active scope, URS-04 e-signature, URS-05 Authority Profile registry. Three-guard hierarchy: RoleGuard → PermissionGuard → AuthorityGuard.

### 3.2 Role definitions

| Role | Purpose | Module 15 ownership |
|---|---|---|
| `viewer` | Read-only | Read OOS, phases, retests, dispositions, OOT alerts, trend data |
| `qc_analyst` | Per-tenant laboratory analyst | All `viewer` + create OOS from failing result + execute retests |
| `qc_supervisor` | QC laboratory supervisor | All `qc_analyst` + assign phase 1 investigation + sign phase 1 lab-error decision (SoD-15-02) |
| `phase2_investigator` | Manufacturing / process investigator | All `viewer` + execute and sign phase 2 investigations |
| `oos_disposition_authority` | Final disposition authority | All `viewer` + e-sign `confirmed` / `invalidated` disposition + e-sign `inconclusive` disposition (with executive authority co-sign) |
| `oot_adjudication_authority` | OOT adjudication | All `viewer` + adjudicate OOT alerts (true positive / false positive) |
| `quality_lead` | Quality oversight | All `qc_supervisor` + co-sign closure where required + audit oversight |
| `regulatory_affairs_lead` | RA oversight | All `viewer` + assess regulatory implications of confirmed OOS (recall, market action) |
| `manufacturing_lead` | Manufacturing oversight | All `viewer` + provide manufacturing input to phase 2 |
| `closure_authority` | Closure attestation | All `oos_disposition_authority` + closure attestation per DEC-15-07 |
| `admin` | Tenant administration | All `quality_lead` + admin trend-recompute schedule + manage statistical rule configuration |
| `platform_admin` | Verixa platform | Tenant-scoped Module 15 actions are support / break-glass only (with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, SOC alert). Routine tenant OOS/OOT administration is the responsibility of tenant `admin` users. |
| `super_admin` | Verixa super-admin | All `platform_admin` + executive break-glass operations |

### 3.3 Authority Profiles consumed by Module 15

| Authority Profile | Description |
|---|---|
| `oos_phase1_lab_error_signoff` | E-signature authority for phase 1 lab-error closure decision |
| `oos_phase2_investigation_signoff` | E-signature authority for phase 2 investigation completion |
| `oos_retest_signoff` | E-signature authority for retest result + outlier exclusion |
| `oos_final_disposition_authority` | E-signature authority for final disposition (`confirmed` / `invalidated`) |
| `oos_inconclusive_executive_authority` | Executive authority for inconclusive disposition co-sign (DEC-15-21) |
| `oos_closure_authority` | E-signature authority for closure attestation |
| `oot_adjudication_authority` | E-signature authority for OOT alert adjudication |
| `oos_reopen_executive_authority` | Executive authority for OOS reopen (DEC-15-22) |
| `trend_recompute_admin` | Authority to trigger on-demand trend recomputation |

### 3.4 Segregation-of-Duties rules

| SoD Rule | Description |
|---|---|
| SoD-15-01 | The QC analyst who created the OOS (original-result analyst) cannot also be the QC supervisor who assigns phase 1. |
| SoD-15-02 | The QC analyst who produced the original result cannot sign the phase 1 lab-error closure decision (canonical FDA OOS Guidance §IV.A independence requirement). |
| SoD-15-03 | The phase 1 supervisor cannot be the phase 2 investigator (independence of investigation phases). |
| SoD-15-04 | Phase 1 / phase 2 investigators cannot be the final disposition approver. |
| SoD-15-05 | OOT adjudicator cannot be the analyst who produced the triggering result. |
| SoD-15-06 | Executive authority reopen co-signer cannot be the original closure authority. |
| SoD-15-07 | Closure authority cannot be the original analyst who created the OOS. |
| SoD-15-08 | Retest analyst cannot be the original-result analyst (FDA OOS Guidance §V independence). |

### 3.5 Worked examples

**Example 1: Phase 1 lab error, batch released.** `qc_analyst` Sarah runs an HPLC assay on Batch B-12345 and obtains 92% (spec 95-105%). She opens OOS-2026-001234. `qc_supervisor` Tom (different from Sarah, SoD-15-01) assigns phase 1. Phase 1 evaluation identifies a clear assignable cause: the reference standard solution had been prepared 48 hours earlier with documented degradation per the standard's stability data. Tom signs phase 1 closure as `closed_lab_error` with documented evidence (SoD-15-02: Tom ≠ Sarah). A documented retest is performed with fresh reference standard; new result 99.2% — passes specification. Original result is invalidated; batch is released. URS-06 captures the full chain. FDA OOS Guidance §IV.A satisfied.

**Example 2: Phase 1 → Phase 2 → confirmed disposition → batch reject.** Sarah opens OOS-2026-001235 for Batch B-12346 with assay 88% (spec 95-105%). Phase 1 finds no assignable lab error. Tom signs `proceed_to_phase2`. Phase 2 investigator (different from Tom per SoD-15-03) reviews manufacturing records and finds a partial mixing-time deviation already logged as `DEV-2026-0234` (URS-16). Phase 2 completes with `disposition_recommended_confirmed`. Parent OOS state advances to `pending_disposition` (per DEC-15-05 / OOS-REQ-006 parent-state advancement requirement). `oos_disposition_authority` (different from phase 1/2 investigators per SoD-15-04) e-signs disposition `confirmed` with batch_action `reject`. URS-23 batch record updated to `rejected`. URS-18 CAPA initiated. URS-21 finding logged. State `closed_confirmed`.

**Example 3: Phase 2 inconclusive requires executive authority co-sign (DEC-15-21).** OOS-2026-001236 phase 2 cannot definitively assign cause despite extensive investigation. Phase 2 outcome `disposition_recommended_inconclusive`. `oos_disposition_authority` e-signs `inconclusive`; **executive authority co-signs per DEC-15-21**. Per FDA OOS Guidance, inconclusive treated as confirmed for batch disposition; URS-23 batch action `reject`. State `closed_inconclusive_treated_as_confirmed`.

**Example 4: SoD-15-02 enforcement — original analyst attempts lab-error sign.** Sarah (original analyst) attempts to sign phase 1 `closed_lab_error` herself. Service rejects with HTTP 403 + `OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR`. Per FDA OOS Guidance §IV.A independence requirement. URS-06 audit substrate records the attempt.

**Example 5: OOT trend signal triggers proactive process improvement.** Hourly trend recompute identifies a Western Electric Rule 1 violation (1 point > 3σ) on batch dissolution data for Product P. OOT alert OOT-2026-005678 fires with `alert_severity=medium`. `oot_adjudication_authority` reviews; concludes `true_positive_proactive_action` (no specification breach but real process drift). URS-13 record opened referencing this OOT alert; process tightening implemented before any batch fails specification.

**Example 6: OOT false-positive adjudication.** OOT alert OOT-2026-005679 fires from a Nelson Rule 2 violation. Adjudicator reviews; the trigger was driven by a single calibration-day data point that has been excluded as a documented outlier per USP <1010>. Adjudicator e-signs `false_positive_statistical_artefact` with rationale. SoD-15-05 enforced. State `closed_false_positive`.

**Example 7: Annex 22 GenAI prohibition runtime block (DEC-15-18).** A user attempts to invoke "AI-suggest disposition" in an experimental UI. Runtime block returns HTTP 403 + `OOS_GENAI_PROHIBITED`. Per Annex 22 / EU AI Act Annex III. Static deterministic AI MAY suggest investigation steps based on historical patterns; only that is permitted.

### 3.6 Role-permission matrix (Module 15 administrative surface only)

| Permission | viewer | qc_analyst | qc_supervisor | phase2_investigator | oos_disposition_authority | oot_adjudication_authority | quality_lead | admin |
|---|---|---|---|---|---|---|---|---|
| `oos:read` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| `oos:create` | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `oos:assign_phase1` (with authority + SoD-15-01) | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `oos:phase1_signoff` (with authority + SoD-15-02 + e-sign) | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `oos:phase2_create_investigate` (with SoD-15-03) | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `oos:phase2_signoff` (with authority + e-sign) | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `oos:retest_create` | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `oos:retest_signoff` (with authority + SoD-15-08 + e-sign) | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `oos:disposition_signoff` (with authority + SoD-15-04 + e-sign) | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ |
| `oos:disposition_inconclusive_founder_cosign` (executive authority) | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ (executive authority only) |
| `oos:closure_signoff` (with authority + SoD-15-07 + e-sign) | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✓ |
| `oos:reopen_executive_authority` (executive authority + SoD-15-06) | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ (executive authority only) |
| `oot:read` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| `oot:adjudicate` (with authority + SoD-15-05 + e-sign) | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ✓ |
| `oot:trend_recompute_ondemand` (with authority) | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `oos-oot:read_audit` | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

---

## 4. End-to-End User Journeys

### J-01 — QC analyst opens OOS from failing result

`qc_analyst` runs analytical test, observes failing result. Opens `/oos/new`. Captures method, sample, result vs spec, batch, lot, study, product, discovery date. Saves; platform assigns `OOS-{YYYY}-{nnnnnn}` race-safe per DEC-15-03. State `opened`. URS-06 records create. URS-23 batch quarantined automatically per DEC-15-24.

### J-02 — QC supervisor assigns phase 1 (SoD-15-01)

`qc_supervisor` (different from creator per SoD-15-01) opens OOS, reviews, assigns to phase 1 investigation. State `opened → phase1_in_progress`.

### J-03 — Phase 1 lab-error closure (FDA OOS Guidance §IV.A, SoD-15-02)

QC supervisor evaluates lab-error checklist (calculation / sample-prep / instrument / reagent / transcription / calibration). Assignable cause identified. E-signs phase 1 closure as `closed_lab_error` via Controlled Approval Modal. SoD-15-02 enforced: original-result analyst cannot sign. State `phase1_in_progress → closed_lab_error`.

### J-04 — Phase 1 → phase 2 (no lab error)

Phase 1 finds no assignable lab error. Supervisor signs `proceed_to_phase2`. State `phase1_in_progress → phase2_in_progress`. URS-30 notifies phase 2 investigator team.

### J-05 — Phase 2 investigation (SoD-15-03)

`phase2_investigator` (different from phase 1 supervisor per SoD-15-03) reviews manufacturing records, equipment data, formulation, process trends. Optionally links `deviation_id` (URS-16), `rca_id` (URS-17). Captures phase 2 outcome.

### J-06 — Phase 2 completion advances parent state

Phase 2 signed completion. Parent OOS state advances `phase2_in_progress → pending_disposition`. URS-30 notifies disposition authority.

### J-07 — Retest ordered with statistical justification (SoD-15-08)

Investigator orders retest per documented retest plan. Retest analyst (different from original analyst per SoD-15-08) executes retest. Outlier test per USP <1010>; outlier exclusion documented if applicable. Retest signed.

### J-08 — Retest result drives controlled parent disposition

Retest disposition impact captured (`supports_invalidation` / `supports_confirmation` / `inconclusive`). Parent OOS receives input toward final disposition.

### J-09 — Final disposition `confirmed` (SoD-15-04)

`oos_disposition_authority` (different from phase 1/2 investigators per SoD-15-04) e-signs disposition `confirmed`. Batch action selected (`reject` / `reprocess` / `rework` / `downgrade` / `recall` / `release_with_caveat`). State `pending_disposition → confirmed`. URS-23 batch record updated; URS-18 CAPA may be initiated.

### J-10 — Final disposition `invalidated`

Objective evidence supports invalidation. `oos_disposition_authority` e-signs `invalidated`. Original result invalidated; batch may proceed. State `pending_disposition → invalidated`.

### J-11 — Final disposition `inconclusive` executive authority co-sign (DEC-15-21)

Cause cannot be definitively assigned. Disposition authority e-signs `inconclusive`; executive authority co-signs per DEC-15-21. Per FDA OOS Guidance, treated as confirmed for batch disposition. State `pending_disposition → inconclusive → closed_inconclusive_treated_as_confirmed`.

### J-12 — Closure attestation (SoD-15-07)

Closure authority (different from creator per SoD-15-07) e-signs closure. State transitions to terminal `closed_*`. URS-30 notifies all stakeholders.

### J-13 — OOS triggers URS-23 batch action

`confirmed` disposition with `batch_action=reject` triggers URS-23 batch state change to `rejected`. Per DEC-15-24.

### J-14 — Confirmed OOS implicates marketed batch → URS-14 complaint workflow

If `confirmed` disposition affects a marketed batch, URS-14 complaint workflow is initiated automatically per DEC-15-25 for field-action assessment.

### J-15 — Reopen with executive authority co-sign (DEC-15-22, SoD-15-06)

Post-closure issue identified. Executive authority e-signs reopen via `oos_reopen_executive_authority`. SoD-15-06 enforced. State returns to `phase2_in_progress` or earlier as documented.

### J-16 — OOT alert auto-fires from trend computation

Hourly trend recompute detects rule violation. OOT alert created with severity. State `triggered → assigned_to_qc`.

### J-17 — OOT adjudication true positive escalate to OOS

`oot_adjudication_authority` reviews; concludes `true_positive_escalate_to_oos`. Adjudicator e-signs (SoD-15-05). New OOS opened referencing this OOT.

### J-18 — OOT adjudication true positive proactive action

Adjudicator concludes `true_positive_proactive_action` (no spec breach; trend signal). URS-13 record opened referencing this OOT.

### J-19 — OOT false-positive adjudication (SoD-15-05)

Adjudicator concludes `false_positive_statistical_artefact` with documented rationale (e.g., outlier per USP <1010>). E-signs adjudication. State `closed_false_positive`.

### J-20 — On-demand trend recompute by QC supervisor

`qc_supervisor` (with `trend_recompute_admin` authority) triggers on-demand recompute for a method / product. URS-30 notifies on completion.

### J-21 — Per-product trend dashboard

QC lead opens trend dashboard. Statistical control chart for selected method / product / time-window with WE / Nelson rule violations highlighted.

### J-22 — Cross-module link to URS-24 stability OOS

Stability sample fails specification. URS-24 stability service creates OOS in Module 15 with linkage to stability study. Phase 1 / phase 2 / disposition flow per standard.

### J-23 — Cross-module link to URS-25 EM excursion

Environmental monitoring excursion exceeds action limit. URS-25 service creates OOS in Module 15 with linkage to EM record. Phase 1 / phase 2 / disposition per standard.

### J-24 — Static deterministic AI investigation-step suggestion (ARCH-AI-001 AC-2)

On phase 2 open, static deterministic AI surfaces "similar prior OOS investigations on this product / method in the last 12 months" with suggested investigation step list. Visibly labelled "AI-suggested — requires human review" per AC-3. Investigator confirms or overrides; advisory + decision audited per AC-5. Per Annex 22 / DEC-15-18: NO LLM / generative AI; only static deterministic similarity over `oos_investigations` historical data.

### J-25 — Annex 22 GenAI prohibition runtime block (DEC-15-18)

User attempts to invoke "AI-suggest disposition" experimental UI. Runtime block returns HTTP 403 + `OOS_GENAI_PROHIBITED`. Per Annex 22 / EU AI Act Annex III HIGH-RISK.

### J-26 — Auditor reviews OOS evidence pack

Inspector requests evidence on a closed OOS. Platform exports evidence pack: full OOS record + phase 1 + phase 2 + retests + disposition + executive authority co-sign (if inconclusive) + closure + linked deviation/RCA/CAPA + URS-06 audit hash-chain proof. Watermarked, e-signed by `quality_lead`.

### J-27 — Tenant offboarding cascade (DEC-15-23)

Tenant `offboarding`: open OOS → `archived_for_audit`; closed records preserved per retention class.

### J-28 — APQR consumption of OOS / OOT statistics

URS-26 APQR (Annual Product Quality Review) consumes OOS / OOT statistics (count by classification, mean disposition SLA, % invalidated, % confirmed, OOT trend rule violations) per ICH Q10.

---

## 5. Front-End Expected State

### 5.1 Routes

| Route | Purpose |
|---|---|
| `/oos` | OOS landing — list, filter |
| `/oos/new` | Create OOS |
| `/oos/:id` | OOS detail (phase 1 / phase 2 / retests / disposition / closure tabs) |
| `/oos/:id/phase1` | Phase 1 editor + lab-error decision |
| `/oos/:id/phase2` | Phase 2 editor |
| `/oos/:id/retests` | Retest list + create + sign |
| `/oos/:id/disposition` | Disposition decision modal |
| `/oos/:id/closure` | Closure attestation |
| `/oos/:id/audit` | Per-OOS audit trail |
| `/oot` | OOT alert landing — list, filter |
| `/oot/:id` | OOT alert detail + adjudication |
| `/oot/trends/:methodId/:productId` | Statistical trend dashboard |
| `/oos/me/assignments` | My open Module 15 assignments |
| `/oos/dashboards/aging` | Lifecycle aging |
| `/oos/dashboards/disposition-sla` | Disposition SLA |
| `/oos/dashboards/overdue` | Overdue investigations |
| `/admin/trend-recompute-schedule` | Trend recompute schedule admin (`admin`+) |
| `/executive/oos-inconclusive` | Executive authority inconclusive co-sign queue (executive authority only) |
| `/executive/oos-reopen` | Executive authority reopen workflow (executive authority only) |

### 5.2 Component requirements

- **OOSList / OOSCard** — lifecycle state, priority, age, assignment.
- **Phase1LabErrorEditor** — checklist + assignable-cause text + e-sign with SoD-15-02 enforcement.
- **Phase2InvestigationEditor** — manufacturing review + equipment data + formulation + process trends + linkage to deviation/RCA.
- **RetestEditor** — retest plan + statistical justification + outlier test outcome (USP <1010>).
- **DispositionDecisionModal** — disposition picker (`confirmed` / `invalidated` / `inconclusive`) + objective evidence + batch action picker + e-sign + (executive authority co-sign for inconclusive).
- **ClosurePrerequisiteChecklistViewer** — closure prerequisites + e-sign with SoD-15-07.
- **OOTAdjudicationModal** — adjudication outcome + rationale + e-sign with SoD-15-05.
- **TrendDashboard** — statistical control chart with WE / Nelson rule violation highlights.
- **AIAdvisoryBanner** — visible "AI-suggested" labelling per ARCH-AI-001 AC-3.
- **AuditTrailViewer** — chronological per-OOS view.
- **ExecutiveAuthorityInconclusiveCoSignModal** — Executive-authority-only co-sign for inconclusive disposition.

### 5.3 Accessibility and internationalisation

- WCAG 2.1 AA across all components.
- Keyboard navigation; screen-reader labelling; AI advisory pill announcements.
- Internationalisation: all UI strings in resource files; numeric formatting per locale; statistical limit displays preserve precision per scientific convention.

---

## 6. Back-End Expected State

### 6.1 Domain entities

| Entity | Purpose | Code module |
|---|---|---|
| `oos_investigations` | Master OOS registry | `oos-oot` |
| `oos_lifecycle_events` | Lifecycle transition audit | `oos-oot` |
| `oos_phase1_checks` | Phase 1 lab investigation | `oos-oot` |
| `oos_phase2_investigations` | Phase 2 investigation | `oos-oot` |
| `oos_retests` | Retest records | `oos-oot` |
| `oos_final_dispositions` | Final disposition records | `oos-oot` |
| `oot_alerts` | OOT alert registry | `oos-oot` |
| `oot_trend_data` | Trend computation results | `oos-oot` |
| `oot_compute_runs` | Trend computation provenance | `oos-oot` |
| `auth_audit_log` | Auth events (URS-06 substrate) | shared |
| `ai_requests` | Advisory AI request audit (URS-06 substrate) | shared |

### 6.1.1 Diagram 6.1-A — Module 15 entity-relationship overview

```mermaid
erDiagram
  OOS_INVESTIGATIONS ||--o{ OOS_LIFECYCLE_EVENTS : emits
  OOS_INVESTIGATIONS ||--o{ OOS_PHASE1_CHECKS : has
  OOS_INVESTIGATIONS ||--o{ OOS_PHASE2_INVESTIGATIONS : has
  OOS_INVESTIGATIONS ||--o{ OOS_RETESTS : has
  OOS_INVESTIGATIONS ||--o| OOS_FINAL_DISPOSITIONS : has
  TENANTS ||--o{ OOS_INVESTIGATIONS : owns
  STUDIES ||--o{ OOS_INVESTIGATIONS : scopes
  PRODUCTS ||--o{ OOS_INVESTIGATIONS : implicates
  BATCH_RECORDS ||--o{ OOS_INVESTIGATIONS : implicates
  USERS ||--o{ OOS_INVESTIGATIONS : creates
  USERS ||--o{ OOS_PHASE1_CHECKS : signs
  USERS ||--o{ OOS_PHASE2_INVESTIGATIONS : signs
  USERS ||--o{ OOS_RETESTS : performs
  USERS ||--o{ OOS_FINAL_DISPOSITIONS : approves
  DEVIATIONS ||--o{ OOS_PHASE2_INVESTIGATIONS : linked_via_deviation_id
  RCAS ||--o{ OOS_PHASE2_INVESTIGATIONS : linked_via_rca_id
  CAPAS ||--o{ OOS_FINAL_DISPOSITIONS : triggers
  TENANTS ||--o{ OOT_ALERTS : owns
  PRODUCTS ||--o{ OOT_ALERTS : implicates
  USERS ||--o{ OOT_ALERTS : adjudicates
  TENANTS ||--o{ OOT_TREND_DATA : owns
  OOT_COMPUTE_RUNS ||--o{ OOT_TREND_DATA : produced
  OOT_TREND_DATA ||--o{ OOT_ALERTS : triggers
  OOS_INVESTIGATIONS ||--o{ AUTH_AUDIT_LOG : security_logged
  OOS_INVESTIGATIONS ||--o{ AI_REQUESTS : advisory_for
  OOT_ALERTS ||--o{ AI_REQUESTS : advisory_for
```

Diagram 6.1-A — Module 15 entity-relationship.

### 6.1.2 Diagram 6.1-B — OOS lifecycle state machine (full with parent-state advancement requirement)

```mermaid
stateDiagram-v2
  [*] --> opened : create
  opened --> phase1_in_progress : assign_phase1 (SoD-15-01)
  phase1_in_progress --> closed_lab_error : phase1_signed=closed_lab_error (SoD-15-02)
  phase1_in_progress --> phase2_in_progress : phase1_signed=proceed_to_phase2
  phase2_in_progress --> retest_in_progress : retest_ordered
  retest_in_progress --> phase2_in_progress : retest_signed (SoD-15-08)
  phase2_in_progress --> pending_disposition : phase2_signed — phase 2 completion advances parent state
  pending_disposition --> confirmed : disposition_signed=confirmed (SoD-15-04 + authority)
  pending_disposition --> invalidated : disposition_signed=invalidated (SoD-15-04 + authority)
  pending_disposition --> inconclusive : disposition_signed=inconclusive + executive authority co-sign (DEC-15-21)
  confirmed --> closed_confirmed : closure_signed (SoD-15-07)
  invalidated --> closed_invalidated : closure_signed (SoD-15-07)
  inconclusive --> closed_inconclusive_treated_as_confirmed : closure_signed (SoD-15-07)
  closed_lab_error --> reopened : executive authority co-sign (DEC-15-22, SoD-15-06)
  closed_confirmed --> reopened : executive authority co-sign
  closed_invalidated --> reopened : executive authority co-sign
  closed_inconclusive_treated_as_confirmed --> reopened : executive authority co-sign
  reopened --> phase2_in_progress : re-evaluation
  closed_lab_error --> [*]
  closed_confirmed --> [*]
  closed_invalidated --> [*]
  closed_inconclusive_treated_as_confirmed --> [*]
```

Diagram 6.1-B — OOS lifecycle including the parent-state advancement requirement (OOS-REQ-006), the inconclusive executive authority co-sign branch (DEC-15-21), and the reopen path requiring executive authority co-sign (DEC-15-22).

### 6.1.3 Diagram 6.1-C — Phase 1 lab-error decision flow (FDA OOS Guidance §IV.A)

```mermaid
flowchart TD
  P1Start[Phase 1 begins] --> Eval[QC supervisor evaluates lab-error checklist]
  Eval --> CalcCheck{Calculation error?}
  CalcCheck -- yes --> Document[Document assignable cause]
  CalcCheck -- no --> SamplePrep{Sample-prep error?}
  SamplePrep -- yes --> Document
  SamplePrep -- no --> Inst{Instrument malfunction?}
  Inst -- yes --> Document
  Inst -- no --> Reagent{Reagent issue?}
  Reagent -- yes --> Document
  Reagent -- no --> Trans{Transcription error?}
  Trans -- yes --> Document
  Trans -- no --> Cal{Calibration drift?}
  Cal -- yes --> Document
  Cal -- no --> NoLabError[No assignable lab error → proceed to phase 2]
  Document --> SoD{SoD-15-02: original analyst != signer?}
  SoD -- violates --> Reject403[HTTP 403 SOD_VIOLATION]
  SoD -- ok --> Authority{withAuthority oos_phase1_lab_error_signoff}
  Authority -- denied --> Reject403b[HTTP 403 AUTHORITY_DENIED]
  Authority -- granted --> ESign[Controlled Approval Modal e-sign]
  ESign --> Closed[Phase 1 closed_lab_error]
  Closed --> Retest[Documented retest with fresh standard / sample]
  Retest --> RetestPass{Retest passes?}
  RetestPass -- yes --> InvalidateOriginal[Original result invalidated; batch may proceed]
  RetestPass -- no --> EscalatePhase2[Escalate to phase 2]
  NoLabError --> Phase2[State: phase2_in_progress]
```

Diagram 6.1-C — Phase 1 decision flow per FDA OOS Guidance §IV.A. Lab-error closure requires: documented assignable cause → SoD-15-02 → authority gate → e-signature → documented retest. Otherwise escalate to phase 2.

### 6.1.4 Diagram 6.1-D — OOT computation pipeline + adjudication

```mermaid
flowchart TD
  Source[Raw test results from URS-23 batch records / URS-24 stability / URS-25 EM] --> Pipe[Trend computation pipeline DEC-15-11]
  Pipe --> Stat[Statistical engine: ±3σ + Western Electric WE-1..4 + Nelson N-1..8]
  Stat --> TrendStore[oot_trend_data with mean/SD/CV/control limits + violations payload]
  TrendStore --> Schedule{Scheduler}
  Schedule -- hourly batch --> Pipe
  Schedule -- on-demand by qc_supervisor --> Pipe
  TrendStore --> ViolDetect{Rule violation detected?}
  ViolDetect -- yes --> Alert[oot_alert created with severity]
  Alert --> Notify[URS-30 notify QC + adjudicator]
  Notify --> Adjudicate[Adjudicator opens alert]
  Adjudicate --> SoD{SoD-15-05}
  SoD -- violates --> Reject403[HTTP 403]
  SoD -- ok --> Authority{withAuthority oot_adjudication_authority}
  Authority -- granted --> Decision{Decision}
  Decision -- true_positive_escalate_to_oos --> NewOOS[New OOS opened referencing OOT]
  Decision -- true_positive_proactive_action --> URS13[URS-13 record opened]
  Decision -- false_positive_statistical_artefact --> Closed[oot_alert closed_false_positive]
  NewOOS --> Audit[URS-06 + ai_requests audit]
  URS13 --> Audit
  Closed --> Audit
  Pipe -.Annex 22.-> NoGenAI[NO LLM / generative AI; deterministic statistics only DEC-15-18]
```

Diagram 6.1-D — OOT computation pipeline + adjudication. Hourly batch + on-demand recompute; statistical rules deterministic (no AI); adjudication requires SoD-15-05 + authority + e-sign; outcomes escalate to OOS, trigger URS-13, or close as false positive.
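
Deterministic rule evaluation of the kind DEC-15-11 locks in, as an added example that is not Verixa code: it implements the four Western Electric zone rules in their commonly stated form (the Nelson rules are omitted) and runs on constructed dissolution values. The baseline mean and sigma are caller-supplied inputs, and all function, field and constant names are hypothetical.

```javascript
// Added example (not Verixa code). Function, field and constant names are hypothetical.
// mean and sigma are the baseline centre line and standard deviation supplied by the
// caller (assumption: they come from a fixed in-control baseline, not from the window
// being evaluated, otherwise a drifting process widens its own limits).

// ±3σ control limits around the baseline centre line.
function controlLimits(mean, sigma) {
  return { lcl: mean - 3 * sigma, centre: mean, ucl: mean + 3 * sigma };
}

// Western Electric zone rules as commonly stated:
//   WE-1: one point beyond 3σ
//   WE-2: two of three consecutive points beyond 2σ, same side
//   WE-3: four of five consecutive points beyond 1σ, same side
//   WE-4: eight consecutive points on the same side of the centre line
// WE-2 and WE-3 fire only at a point that itself lies beyond the zone limit, so one
// excursion is not reported again by the trailing windows that still contain it.
function evaluateWesternElectric(values, mean, sigma) {
  if (!Number.isFinite(mean) || !(sigma > 0)) throw new RangeError('invalid baseline');
  if (!values.every((v) => Number.isFinite(v))) throw new TypeError('non-numeric result');

  const z = values.map((v) => (v - mean) / sigma);
  // Count points in the n-point window ending at `end` that lie beyond k sigma on `sign` side.
  const countBeyond = (end, n, k, sign) => {
    let count = 0;
    for (let j = end - n + 1; j <= end; j++) if (sign * z[j] > k) count++;
    return count;
  };

  const violations = [];
  for (let i = 0; i < z.length; i++) {
    if (Math.abs(z[i]) > 3) {
      violations.push({ rule: 'WE-1', index: i, side: z[i] > 0 ? 'upper' : 'lower' });
    }
    for (const [sign, side] of [[1, 'upper'], [-1, 'lower']]) {
      const here = sign * z[i];
      if (i >= 2 && here > 2 && countBeyond(i, 3, 2, sign) >= 2) {
        violations.push({ rule: 'WE-2', index: i, side });
      }
      if (i >= 4 && here > 1 && countBeyond(i, 5, 1, sign) >= 4) {
        violations.push({ rule: 'WE-3', index: i, side });
      }
      if (i >= 7 && countBeyond(i, 8, 0, sign) === 8) {
        violations.push({ rule: 'WE-4', index: i, side });
      }
    }
  }
  return violations;
}

// Compact form for logs and assertions, e.g. "WE-1@6:upper".
function summarise(violations) {
  return violations.map((v) => `${v.rule}@${v.index}:${v.side}`);
}

// Constructed dissolution results (% dissolved) against a constructed baseline.
const BASELINE = { mean: 85.0, sigma: 2.0 };
const SPIKE = [85.4, 84.2, 86.0, 83.8, 85.6, 84.6, 91.4];       // last point above UCL
const DRIFT = [85.6, 85.8, 85.4, 86.2, 86.0, 85.6, 86.4, 85.8]; // in limits, all above centre
const ZONE_A = [85.2, 89.6, 85.4, 89.8];                         // two of three beyond 2σ

console.log(summarise(evaluateWesternElectric(SPIKE, BASELINE.mean, BASELINE.sigma)));
console.log(summarise(evaluateWesternElectric(DRIFT, BASELINE.mean, BASELINE.sigma)));
console.log(summarise(evaluateWesternElectric(ZONE_A, BASELINE.mean, BASELINE.sigma)));
```

The `DRIFT` series never leaves the ±3σ limits, which is the case Example 5 and J-18 care about: a trend signal with no specification breach.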

### 6.2 Data model requirements

| Requirement | Statement |
|---|---|
| URS-15-DATA-001 | `oos_investigations` per DEC-15-01: `study_id` is nullable unless the OOS / OOT originates from a study. Every OOS / OOT record MUST carry applicable scope dimensions: product, site, study, batch, stability source, or EM source as applicable. If study is not applicable, `study_scope = not_applicable` with controlled rationale. The platform MUST NOT force `study_id` on non-study commercial GMP OOS. |
| URS-15-DATA-002 | Race-safe sequential `oos_number` via DB sequence per DEC-15-03. |
| URS-15-DATA-003 | `oos_lifecycle_events` append-only with `from_state`, `to_state`, `actor_user_id`, `at_timestamp`, `signature_id`, `reason`. |
| URS-15-DATA-004 | `oos_phase1_checks` per DEC-15-04. |
| URS-15-DATA-005 | `oos_phase2_investigations` per DEC-15-05 with parent-state advancement on completion. |
| URS-15-DATA-006 | `oos_retests` per DEC-15-06 with USP <1010> outlier outcome. |
| URS-15-DATA-007 | `oos_final_dispositions` per DEC-15-07. |
| URS-15-DATA-008 | `oot_alerts` per DEC-15-09. |
| URS-15-DATA-009 | `oot_trend_data` per DEC-15-10. |
| URS-15-DATA-010 | `oot_compute_runs` provenance table. |
| URS-15-DATA-011 | All Module 15 tables have RLS per QS-6. |
| URS-15-DATA-012 | All mutations record to URS-06 audit substrate per QS-1. |
| URS-15-DATA-013 | `MODULE_CONTEXT_CONFIG['oos-oot']` declares product + study filtering per OOS-REQ-002. |

### 6.3 API requirements

| Endpoint | Method | Purpose | Priority |
|---|---|---|---|
| `/api/v1/oos` | GET, POST | List, create | MUST |
| `/api/v1/oos/:id` | GET, PATCH | Get, update | MUST |
| `/api/v1/oos/:id/assign-phase1` | POST (with authority + SoD-15-01 + e-sign) | Phase 1 assignment | MUST |
| `/api/v1/oos/:id/phase1` | POST | Phase 1 record create | MUST |
| `/api/v1/oos/:id/phase1/:p1Id/signoff` | POST (with authority + SoD-15-02 + e-sign) | Phase 1 lab-error / proceed sign-off | MUST |
| `/api/v1/oos/:id/phase2` | POST (with SoD-15-03) | Phase 2 record create | MUST |
| `/api/v1/oos/:id/phase2/:p2Id/signoff` | POST (with authority + e-sign) | Phase 2 sign-off + parent state advance | MUST |
| `/api/v1/oos/:id/retests` | POST | Retest create | MUST |
| `/api/v1/oos/:id/retests/:rtId/signoff` | POST (with authority + SoD-15-08 + e-sign) | Retest sign-off | MUST |
| `/api/v1/oos/:id/disposition` | POST (with authority + SoD-15-04 + e-sign) | Final disposition | MUST |
| `/api/v1/oos/:id/disposition/executive-cosign` | POST (executive authority + e-sign) | Inconclusive executive authority co-sign | MUST |
| `/api/v1/oos/:id/closure` | POST (with authority + SoD-15-07 + e-sign) | Closure attestation | MUST |
| `/api/v1/oos/:id/reopen` | POST (executive authority + SoD-15-06 + reason) | Reopen | MUST |
| `/api/v1/oos/:id/audit` | GET | Per-OOS audit trail | MUST |
| `/api/v1/oot` | GET | OOT alert list | MUST |
| `/api/v1/oot/:id` | GET, PATCH | Get, update | MUST |
| `/api/v1/oot/:id/adjudicate` | POST (with authority + SoD-15-05 + e-sign) | Adjudication | MUST |
| `/api/v1/oot/trends/:methodId/:productId` | GET | Trend data + control chart | MUST |
| `/api/v1/oot/recompute/:methodId/:productId` | POST (with `trend_recompute_admin` authority) | On-demand recompute | MUST |
| `/api/v1/oos/me/assignments` | GET | My open assignments | MUST |
| `/api/v1/oos/admin/trend-schedule` | GET, PUT (with admin authority) | Trend recompute schedule | MUST |

### 6.4 Workflow / lifecycle requirements

- URS-15-WF-001: Lifecycle state transitions per §6.4; unauthorised transitions return HTTP 422 + `OOS_INVALID_TRANSITION`.
- URS-15-WF-002: Phase 1 assignment enforces SoD-15-01.
- URS-15-WF-003: Phase 1 lab-error sign-off enforces SoD-15-02 (FDA OOS Guidance §IV.A).
- URS-15-WF-004: Phase 2 investigator enforces SoD-15-03.
- URS-15-WF-005: Phase 2 sign-off (phase 2 completion) advances the parent OOS state to `pending_disposition`.
- URS-15-WF-006: Retest sign-off enforces SoD-15-08 (retest analyst ≠ original analyst per FDA OOS Guidance §V).
- URS-15-WF-007: Retest result drives controlled parent disposition.
- URS-15-WF-008: Disposition enforces SoD-15-04.
- URS-15-WF-009: Inconclusive disposition requires executive authority co-sign per DEC-15-21.
- URS-15-WF-010: Closure enforces SoD-15-07.
- URS-15-WF-011: Reopen requires executive authority per DEC-15-22 + SoD-15-06.
- URS-15-WF-012: OOT adjudication enforces SoD-15-05.
- URS-15-WF-013: Trend recompute on-demand requires `trend_recompute_admin` authority.
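
The SoD rules in §3.4 and the workflow requirements above, implemented as an added example (not Verixa's code): a transition gate for the phase 1 to final disposition subset of Diagram 6.1-B, run against constructed users. The guard ordering, the user objects and the codes `OOS_PERMISSION_DENIED` and `OOS_SOD_VIOLATION` are assumptions; states, event labels, permissions, authority profiles and the remaining codes come from this URS.

```javascript
// Added example (not Verixa code). States, event labels, SoD ids, permissions, authority
// profiles and the codes OOS_INVALID_TRANSITION, AUTHORITY_DENIED and
// OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR are from this URS; the rest is hypothetical.

// Subset of Diagram 6.1-B: phase 1 sign-off through final disposition.
const TRANSITIONS = {
  phase1_in_progress: {
    'phase1_signed=closed_lab_error': 'closed_lab_error',
    'phase1_signed=proceed_to_phase2': 'phase2_in_progress',
  },
  phase2_in_progress: { phase2_signed: 'pending_disposition' },
  pending_disposition: {
    'disposition_signed=confirmed': 'confirmed',
    'disposition_signed=invalidated': 'invalidated',
  },
};

// SoD predicates return true when the signer is independent of the earlier actors.
const SOD = {
  'SoD-15-02': (oos, actor) => actor.id !== oos.originalAnalystId,
  'SoD-15-03': (oos, actor) => actor.id !== oos.phase1SignerId,
  'SoD-15-04': (oos, actor) =>
    actor.id !== oos.phase1SignerId && actor.id !== oos.phase2SignerId,
};

// Per-event gate. Assumptions: one authority profile covers both phase 1 outcomes, and
// SoD-15-03 is re-checked at phase 2 sign-off. OOS_SOD_VIOLATION and
// OOS_PERMISSION_DENIED are placeholder codes.
const phase1 = { permission: 'oos:phase1_signoff', authority: 'oos_phase1_lab_error_signoff',
                 sod: 'SoD-15-02', remember: 'phase1SignerId' };
const disposition = { permission: 'oos:disposition_signoff',
                      authority: 'oos_final_disposition_authority', sod: 'SoD-15-04' };
const POLICY = {
  'phase1_signed=closed_lab_error':
    { ...phase1, sodCode: 'OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR' },
  'phase1_signed=proceed_to_phase2': phase1,
  phase2_signed: { permission: 'oos:phase2_signoff',
                   authority: 'oos_phase2_investigation_signoff',
                   sod: 'SoD-15-03', remember: 'phase2SignerId' },
  'disposition_signed=confirmed': disposition,
  'disposition_signed=invalidated': disposition,
};

// Guards run before the state check so an unauthorised caller learns nothing about the
// record's state (ordering is an assumption; SoD-before-authority follows Diagram 6.1-C).
function applyEvent(oos, actor, event, signatureId, audit) {
  const deny = (status, code, rule) => {
    // Denied attempts are audited too, as in Example 4.
    audit.push({ oos: oos.number, actor: actor.id, event, outcome: 'denied', code });
    return { status, code, rule };
  };
  const policy = POLICY[event];
  if (!policy) return deny(422, 'OOS_INVALID_TRANSITION');
  if (!actor.permissions.has(policy.permission)) return deny(403, 'OOS_PERMISSION_DENIED');
  if (!SOD[policy.sod](oos, actor)) {
    return deny(403, policy.sodCode || 'OOS_SOD_VIOLATION', policy.sod);
  }
  if (!actor.authorities.has(policy.authority)) return deny(403, 'AUTHORITY_DENIED');
  const to = (TRANSITIONS[oos.state] || {})[event];
  if (!to) return deny(422, 'OOS_INVALID_TRANSITION');

  // Append-only lifecycle row with the fields named in URS-15-DATA-003.
  oos.lifecycleEvents.push(Object.freeze({
    from_state: oos.state, to_state: to, actor_user_id: actor.id,
    at_timestamp: new Date().toISOString(), signature_id: signatureId, reason: event,
  }));
  oos.state = to;
  if (policy.remember) oos[policy.remember] = actor.id;
  audit.push({ oos: oos.number, actor: actor.id, event, outcome: 'applied', code: null });
  return { status: 200, state: to };
}

// Constructed users. Each holds every sign-off permission and authority so that only the
// SoD rules and the transition table decide the outcome.
function user(id) {
  return {
    id,
    permissions: new Set(['oos:phase1_signoff', 'oos:phase2_signoff',
                          'oos:disposition_signoff']),
    authorities: new Set(['oos_phase1_lab_error_signoff', 'oos_phase2_investigation_signoff',
                          'oos_final_disposition_authority']),
  };
}

function runWorkedExample() {
  const [sarah, tom, priya, dana] = ['u-sarah', 'u-tom', 'u-priya', 'u-dana'].map(user);
  const oos = { number: 'OOS-2026-001235', state: 'phase1_in_progress',
                originalAnalystId: sarah.id, lifecycleEvents: [] };
  const audit = [];
  const steps = [
    [sarah, 'phase1_signed=closed_lab_error'],  // SoD-15-02: original analyst
    [tom, 'phase1_signed=proceed_to_phase2'],
    [tom, 'phase2_signed'],                     // SoD-15-03: phase 1 signer
    [priya, 'phase2_signed'],
    [priya, 'disposition_signed=confirmed'],    // SoD-15-04: phase 2 investigator
    [dana, 'disposition_signed=confirmed'],
    [priya, 'phase2_signed'],                   // no such transition from `confirmed`
  ];
  const results = steps.map(([actor, event], i) =>
    applyEvent(oos, actor, event, `sig-${i + 1}`, audit));
  return { oos, audit, results };
}
```

Because every constructed user holds every permission and authority, the three 403 results show the SoD rules acting as an independent control for a person who holds more than one role.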

### 6.5 Business rules

- BR-15-01: Race-safe `oos_number` via DB sequence per DEC-15-03.
- BR-15-02: Tenant isolation enforced via TDAL + RLS.
- BR-15-03: `study_id` is nullable on `oos_investigations` unless the OOS / OOT originates from a study. Every OOS / OOT record MUST carry applicable scope dimensions: product, site, study, batch, stability source, or EM source as applicable. If study is not applicable, `study_scope = not_applicable` with controlled rationale. The platform MUST NOT force `study_id` on non-study commercial GMP OOS.
- BR-15-04: Trend recompute hourly batch + on-demand per DEC-15-12.
- BR-15-05: Statistical rules deterministic per DEC-15-11 (WE-1..4 + Nelson N-1..8 + ±3σ).
- BR-15-06: Per Annex 22 / DEC-15-18: NO LLM / generative AI in OOS phase / disposition / OOT adjudication / closure decision paths.
- BR-15-07: Inconclusive disposition treated as confirmed for batch decisions per FDA OOS Guidance.
- BR-15-08: Reopen requires executive authority co-sign per DEC-15-22.
- BR-15-09: Confirmed disposition triggers URS-23 batch action per DEC-15-24.
- BR-15-10: Confirmed disposition affecting marketed batch triggers URS-14 complaint workflow per DEC-15-25.
- BR-15-11: Audit trail append-only per QS-1.

### 6.6 Audit trail requirements

- Every Module 15 mutation calls `auditTrailService.log()` per QS-1.
- Lifecycle transitions logged dual-write to `oos_lifecycle_events` + URS-06.
- Phase 1, phase 2, retest, disposition (with executive authority co-sign if inconclusive), closure, reopen, OOT adjudication, trend recompute — all logged.
- Auth events logged to `auth_audit_log`.
- Advisory AI requests logged to `ai_requests` per AC-5.
- Append-only per QS-1.

### 6.7 Architecture binding — Internal Annex 22 GenAI prohibition control + ARCH-AI-001 (AC-2, AC-3, AC-4, AC-7) + internal EU AI Act Annex III high-risk classification (forward-looking; not enacted predicate rule; binding predicate-rule obligations remain those listed in §14)

| Surface | AI use permitted | Governance |
|---|---|---|
| Phase 1 lab-error decision | NONE — Annex 22 + Annex III HIGH-RISK | Manual decision per FDA OOS Guidance §IV.A |
| Phase 2 disposition recommendation | NONE — Annex 22 | Manual investigation; deterministic deviation/RCA linkage |
| Retest disposition impact | NONE — Annex 22 | Manual; USP <1010> outlier statistics deterministic |
| Final disposition decision | NONE — Annex 22 | Manual; oos_disposition_authority + executive authority for inconclusive |
| OOT adjudication decision | NONE — Annex 22 | Manual; oot_adjudication_authority |
| Closure decision | NONE — Annex 22 | Manual; closure_authority |
| Trend computation (statistical) | YES — deterministic statistical engine only | Per DEC-15-11 |
| Investigation-step similarity (advisory) | YES — static deterministic over historical OOS | ARCH-AI-001 AC-2, AC-3, AC-4, AC-7 |
| MIRA copilot read-only retrieval over closed OOS | YES — read-only | RAG per URS-12 |

Internal AI-governance obligations aligned with EU AI Act Annex III high-risk classification (treated as internal forward-looking control, not enacted predicate rule) include AI-specific QMS, conformity assessment, technical documentation, ongoing monitoring, human oversight; supported by ARCH-AI-001 architectural reference + URS-06 audit substrate + Authority-gated workflow. Jurisdiction-specific legal enforceability remains subject to a future jurisdiction-specific legal assessment. Binding predicate-rule obligations remain those listed in §14.

---

## 7. Cross-Module Wiring and Change-Impact

### 7.1 Cross-module wiring

```mermaid
flowchart LR
  M01[URS-01 Auth] --> M15[Module 15]
  M02[URS-02 RBAC] --> M15
  M03[URS-03 Active Scope] --> M15
  M04[URS-04 Workflow / E-Sign] --> M15
  M05[URS-05 Authority Profiles] --> M15
  M15 --> M06[URS-06 Audit Substrate]
  M10[URS-10 Product specifications] --> M15
  M13[URS-13] --> M15
  M15 --> M14[URS-14 Complaints]
  M16[URS-16 Deviations] <--> M15
  M17[URS-17 RCA] <--> M15
  M18[URS-18 CAPA] <--> M15
  M15 --> M21[URS-21 Findings]
  M15 --> M22[URS-22 Inspection Mgmt]
  M23[URS-23 Batch Records] <--> M15
  M24[URS-24 Stability] --> M15
  M25[URS-25 Environmental Monitoring] --> M15
  M15 --> M26[URS-26 APQR]
  M15 --> M30[URS-30 Notifications]
  ANNEX22[Annex 22 GenAI prohibition] -.governs.-> M15
  ARCHAI[ARCH-AI-001] -.governs.-> M15
  AIAct[EU AI Act Annex III HIGH-RISK] -.classifies.-> M15
```

Diagram 7.1-A — Module 15 cross-module wiring.

### 7.2 Change-Impact Matrix (CIM)

| Module 15 capability | Affects | Direction | URS-13 trigger if modified |
|---|---|---|---|
| Lifecycle state machine | All consuming modules | Outbound | Class 1 |
| Statistical computation rules | URS-23, URS-24, URS-25, URS-26 | Outbound | Class 1 |
| Disposition outcomes enum | URS-23 batch action mapping | Outbound | Class 1 |
| Authority Profile set | URS-04, URS-05 | Outbound | Class 2 |
| Executive authority co-sign requirements | URS-05 | Outbound | Class 1 |

### 7.3 Cross-module dependencies (consumed by Module 15)

- URS-01 — Auth.
- URS-02 — RBAC.
- URS-03 — Active scope.
- URS-04 — Workflow / e-sign.
- URS-05 — Authority Profile registry.
- URS-06 — Audit substrate.
- URS-10 — Product specifications.
- URS-13 — for OOS that precipitate platform changes (e.g., trend signal triggers process change).
- URS-16 — Deviations (linked via `deviation_id`).
- URS-17 — RCA (linked via `rca_id`).
- URS-18 — CAPA (linked via `capa_id`).
- URS-23 — Batch Records (batch-action trigger upon `confirmed`).
- URS-24 — Stability (stability-failing OOS source).
- URS-25 — Environmental Monitoring (EM excursion OOS source).
- URS-26 — APQR (consumes OOS / OOT statistics).
- URS-30 — Notifications.
- EU GMP Annex 22 — GenAI prohibition.
- ARCH-AI-001 — Advisory AI binding.
- EU AI Act Annex III — HIGH-RISK classification.

---

## 8. AI / Automation / Human-in-the-Loop Controls

Per the internal Annex 22 control (DEC-15-18; treated as internal forward-looking AI governance control, not enacted predicate rule), generative / probabilistic AI is **PROHIBITED** in all OOS / OOT decision paths (phase 1 lab-error, phase 2, retest, final disposition, OOT adjudication, closure). Verixa internally classifies this module as high-risk AI under internal AI governance, aligned with the EU AI Act Annex III high-risk classification approach (treated as internal forward-looking AI governance control), unless a jurisdiction-specific legal assessment determines otherwise. Per ARCH-AI-001, the architectural constraint set is AC-2 (advisory secondary), AC-3 (visible labelling), AC-4 (no autonomous write), AC-7 (graceful degradation).

| AI Surface | Permitted | Governance |
|---|---|---|
| AI disposition suggestion | NO (Annex 22) | Not built |
| AI lab-error classification | NO (Annex 22) | Not built |
| AI OOT adjudication | NO (Annex 22) | Not built |
| AI closure suggestion | NO (Annex 22) | Not built |
| Statistical trend computation | YES — deterministic only | DEC-15-11 |
| Investigation-step similarity (advisory) | YES — static deterministic over historical OOS records | ARCH-AI-001 AC-2/3/4/7 |
| MIRA copilot read-only retrieval over closed OOS | YES — read-only | URS-12 RAG |

All advisory AI output visibly labelled per AC-3; all advisory output preserved in audit per AC-6 even when not in the binding set; full audit trail per AC-5.

---

## 9. Reports, Dashboards, and Exports

| Report / Dashboard | Purpose | Audience |
|---|---|---|
| OOS inventory | All OOS by lifecycle, priority, product, batch | QC, QA |
| Lifecycle aging | Time in each state | QC, QA |
| Disposition SLA dashboard | Time-to-disposition vs SLA | QA |
| Overdue investigations | Past-SLA OOS by investigator | QC, QA |
| Open Executive authority inconclusive co-sign queue | Inconclusive dispositions awaiting executive authority | Executive authority |
| OOT alert open queue | Pending adjudication | OOT adjudication team |
| Trend recompute health | Last-run timestamps, errors, coverage | QC supervisor, admin |
| Per-product control chart | WE / Nelson rule violations over time | QC, QA, Manufacturing |
| APQR data feed (URS-26) | OOS / OOT statistics for annual product quality review | QA |
| Cross-tenant indices (platform-admin support / break-glass only) | Aggregate Module 15 events | `platform_admin` (support / break-glass only with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, SOC alert) |

Exports:

- OOS evidence pack (zipped: full OOS + phase 1 + phase 2 + retests + disposition + executive authority co-sign + closure + linked deviation/RCA/CAPA + URS-06 audit hash-chain).
- Trend data export per method / product.
- APQR data extract.

---

## 10. Notifications and Queues

| Event | Recipients | Channel |
|---|---|---|
| OOS opened | QC supervisor + QA | URS-30 in-app |
| Phase 1 assigned | QC supervisor | URS-30 in-app + email |
| Phase 1 lab-error closure | QA + analyst | URS-30 in-app |
| Phase 1 → phase 2 | Phase 2 investigator team | URS-30 in-app + email |
| Phase 2 signed → pending disposition | Disposition authority | URS-30 in-app + email |
| Disposition confirmed | URS-23 batch system + QA + RA | URS-30 critical |
| Disposition inconclusive | executive office | URS-30 critical |
| Closure signed | All stakeholders | URS-30 in-app |
| Reopen executive authority co-signed | All stakeholders | URS-30 critical |
| OOT alert created | QC + adjudicator | URS-30 in-app |
| OOT adjudicated true positive escalate | OOS team | URS-30 in-app |
| OOT trend recompute completed | QC supervisor | URS-30 in-app |
| OOT trend recompute failure | QC supervisor + admin | URS-30 critical |
| OOS overdue (past disposition SLA) | Investigator + QA | URS-30 reminder |

---

## 11. Error Handling and Negative Paths

### 11.1 Error envelope

`AppError` envelope per QS-9.

### 11.2 Error-code catalogue

| Code | HTTP | Meaning |
|---|---|---|
| `OOS_NOT_FOUND` | 404 | OOS ID not in tenant scope |
| `OOS_INVALID_TRANSITION` | 422 | Lifecycle transition not allowed |
| `OOS_AUTHORITY_REQUIRED` | 403 | Authority Profile required |
| `OOS_SOD_VIOLATION_ANALYST_VS_SUPERVISOR` | 403 | SoD-15-01 |
| `OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR` | 403 | SoD-15-02 (FDA OOS Guidance §IV.A) |
| `OOS_SOD_VIOLATION_PHASE1_VS_PHASE2` | 403 | SoD-15-03 |
| `OOS_SOD_VIOLATION_INVESTIGATOR_VS_DISPOSITION` | 403 | SoD-15-04 |
| `OOT_SOD_VIOLATION_ADJUDICATOR_EQUALS_ANALYST` | 403 | SoD-15-05 |
| `OOS_SOD_VIOLATION_REOPEN_EXECUTIVE_AUTHORITY` | 403 | SoD-15-06 |
| `OOS_SOD_VIOLATION_CLOSURE_VS_CREATOR` | 403 | SoD-15-07 |
| `OOS_SOD_VIOLATION_RETEST_ANALYST` | 403 | SoD-15-08 (FDA OOS Guidance §V) |
| `OOS_INCONCLUSIVE_EXECUTIVE_AUTHORITY_REQUIRED` | 403 | Inconclusive disposition requires executive authority per DEC-15-21 |
| `OOS_REOPEN_EXECUTIVE_AUTHORITY_REQUIRED` | 403 | Reopen requires executive authority per DEC-15-22 |
| `OOS_PHASE2_PARENT_STATE_NOT_ADVANCED` | 422 | Phase 2 sign-off must advance parent state per OOS-REQ-006 (defensive runtime check) |
| `OOS_RETEST_DOES_NOT_DRIVE_DISPOSITION` | 422 | Retest sign-off must drive parent disposition per OOS-REQ-007 |
| `OOS_GENAI_PROHIBITED` | 403 | GenAI not permitted per Annex 22 / DEC-15-18 |
| `OOT_RECOMPUTE_AUTHORITY_REQUIRED` | 403 | Trend recompute requires `trend_recompute_admin` authority |
| `OOT_TREND_DATA_STALE` | 200 (with header) | Trend data older than acceptable freshness threshold |
| `VALIDATION_FAILED` | 400 | Zod validation |
| `SCOPE_MISMATCH` | 403 | Active scope mismatch |

### 11.3 Negative-path catalogue

- Original analyst signs lab-error closure → `OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR`.
- Phase 2 investigator equals phase 1 supervisor → `OOS_SOD_VIOLATION_PHASE1_VS_PHASE2`.
- Inconclusive disposition without executive authority → `OOS_INCONCLUSIVE_EXECUTIVE_AUTHORITY_REQUIRED`.
- GenAI invocation in disposition path → `OOS_GENAI_PROHIBITED`.
- Trend recompute attempted by non-authority → `OOT_RECOMPUTE_AUTHORITY_REQUIRED`.
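
The negative paths above map onto a single pre-signature guard. The block below is an added example (not Verixa code) of such a guard for the phase 1, phase 2, retest and disposition sign-offs; error codes and HTTP statuses are taken from the §11.2 catalogue, while the record fields, action shapes, the `executive_authority` profile name and the reading of SoD-15-04 as "phase 2 investigator ≠ disposition signer" are assumptions.

```typescript
// Added example, not Verixa code. Error codes and HTTP statuses come from the
// §11.2 catalogue; record fields, action shapes and "executive_authority" are hypothetical.
interface Actor {
  id: string;
  authorities: string[]; // Authority Profiles held by the signer (URS-05)
}

interface OosRecord {
  originalAnalystId: string;
  phase1SupervisorId?: string;
  phase2InvestigatorId?: string;
}

type Provenance = "human" | "deterministic_stats" | "genai";

type Action =
  | { kind: "phase1_lab_error_signoff" }
  | { kind: "phase2_signoff" }
  | { kind: "retest_signoff" }
  | {
      kind: "disposition_signoff";
      outcome: "confirmed" | "invalidated" | "inconclusive";
      executiveCoSigner?: Actor;
      inputProvenance: Provenance[]; // origin of every input attached to the decision
    };

type Decision = { ok: true } | { ok: false; http: 403 | 422; code: string; basis: string };

const ALLOW: Decision = { ok: true };

function deny(code: string, basis: string, http: 403 | 422 = 403): Decision {
  return { ok: false, http, code, basis };
}

function holds(actor: Actor | undefined, authority: string): boolean {
  return actor !== undefined && actor.authorities.indexOf(authority) !== -1;
}

// Runs before the e-signature is requested; the first failing control decides the response.
function guardSignoff(actor: Actor, oos: OosRecord, action: Action): Decision {
  switch (action.kind) {
    case "phase1_lab_error_signoff":
      if (actor.id === oos.originalAnalystId) {
        return deny("OOS_SOD_VIOLATION_ANALYST_CANNOT_SIGN_LAB_ERROR", "SoD-15-02");
      }
      return ALLOW;
    case "phase2_signoff":
      // Without a recorded phase 1 supervisor the independence check cannot be evaluated.
      if (oos.phase1SupervisorId === undefined) {
        return deny("OOS_INVALID_TRANSITION", "phase 1 not assigned", 422);
      }
      if (actor.id === oos.phase1SupervisorId) {
        return deny("OOS_SOD_VIOLATION_PHASE1_VS_PHASE2", "SoD-15-03");
      }
      return ALLOW;
    case "retest_signoff":
      if (actor.id === oos.originalAnalystId) {
        return deny("OOS_SOD_VIOLATION_RETEST_ANALYST", "SoD-15-08");
      }
      return ALLOW;
    case "disposition_signoff":
      // GenAI-derived input is refused before any authority or SoD evaluation.
      if (action.inputProvenance.indexOf("genai") !== -1) {
        return deny("OOS_GENAI_PROHIBITED", "Annex 22 / DEC-15-18");
      }
      if (!holds(actor, "oos_disposition_authority")) {
        return deny("OOS_AUTHORITY_REQUIRED", "oos_disposition_authority");
      }
      // Assumption: "investigator" in SoD-15-04 means the phase 2 investigator.
      if (actor.id === oos.phase2InvestigatorId) {
        return deny("OOS_SOD_VIOLATION_INVESTIGATOR_VS_DISPOSITION", "SoD-15-04");
      }
      if (action.outcome === "inconclusive" && !holds(action.executiveCoSigner, "executive_authority")) {
        return deny("OOS_INCONCLUSIVE_EXECUTIVE_AUTHORITY_REQUIRED", "DEC-15-21");
      }
      return ALLOW;
    default:
      // Unknown action kinds are refused rather than allowed.
      return deny("OOS_INVALID_TRANSITION", "unsupported sign-off action", 422);
  }
}
```

Each denial carries the code a TC-15-T01 style unit test asserts on, and the same code is what the §12.9 alerting consumes from the audit trail.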

---

## 12. Security, Privacy, and Tenant Isolation

### 12.1 Authentication dependency

URS-01 authenticated session required.

### 12.2 Authorisation pipeline

Three-guard hierarchy per QS-7.

### 12.3 Tenant isolation

TDAL on every DB op per QS-5; RLS on every Module 15 table per QS-6.

### 12.4 Encryption

Encryption at rest; TLS 1.2+ in transit.

### 12.5 Logging hygiene

No raw analytical data secrets in operational logs per QS-19; OOS results are tenant-scoped data, not platform secrets.

### 12.6 Privacy and data residency

Module 15 records inherit tenant data residency.

### 12.7 Periodic access review

Per QS-7: per-tenant Authority Profile + statistical-rule configuration review every 6 months.

### 12.8 Periodic audit-trail review

Per QS-19: monthly Module 15 audit-trail sample by `quality_lead`; quarterly tenant-wide integrity check.

### 12.9 Security-operations alert thresholds

| Alert | Threshold |
|---|---|
| SoD violations | Any |
| GenAI prohibition violation | Any (always critical) |
| Executive authority inconclusive co-sign | Any |
| Executive authority reopen | Any |
| Trend recompute failure | Any (>1 in 24h critical) |
| Bulk OOS export | >20 in 1 hour |
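
The thresholds in this table can be evaluated as a deterministic pass over the audit stream. The block below is an added example (not Verixa code); the thresholds and error codes are from this document, while the event shape, the event type names, the non-critical severity label `alert`, and the choice to window exports per tenant and actor and recompute failures per tenant are assumptions.

```typescript
// Added example, not Verixa code. Thresholds are from the §12.9 table; event type
// names, the event shape and the windowing keys are assumptions.
interface AuditEvent {
  ts: number; // epoch milliseconds, server-generated
  tenantId: string;
  actorId: string;
  type: string; // hypothetical audit event type
  errorCode?: string; // AppError code from §11.2 when the request was rejected
}

interface Alert {
  ts: number;
  tenantId: string;
  rule: string;
  severity: "alert" | "critical";
}

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;
const BULK_EXPORT_LIMIT = 20; // table value: ">20 in 1 hour"

// Add ts to the window stored under `key`, evict entries older than `span`,
// and return how many events remain inside the window.
function slide(windows: Map<string, number[]>, key: string, ts: number, span: number): number {
  const kept = (windows.get(key) ?? []).filter((t) => t > ts - span);
  kept.push(ts);
  windows.set(key, kept);
  return kept.length;
}

function evaluateAlerts(events: AuditEvent[]): Alert[] {
  const ordered = events.slice().sort((a, b) => a.ts - b.ts);
  const exportWindows = new Map<string, number[]>();
  const failureWindows = new Map<string, number[]>();
  const exportBreach = new Set<string>(); // keys currently above the export limit
  const alerts: Alert[] = [];

  for (const e of ordered) {
    const raise = (rule: string, severity: Alert["severity"]): void => {
      alerts.push({ ts: e.ts, tenantId: e.tenantId, rule, severity });
    };
    const code = e.errorCode ?? "";
    // "Any" thresholds: every matching event raises.
    if (/^OO[ST]_SOD_VIOLATION_/.test(code)) raise("sod_violation", "alert");
    if (code === "OOS_GENAI_PROHIBITED") raise("genai_prohibition_violation", "critical");
    if (e.type === "oos.disposition.inconclusive_cosigned") raise("executive_inconclusive_cosign", "alert");
    if (e.type === "oos.reopened") raise("executive_reopen", "alert");
    // Every failure raises; a second failure inside 24 hours is critical.
    if (e.type === "oot.trend_recompute.failed") {
      const n = slide(failureWindows, e.tenantId, e.ts, DAY_MS);
      raise("trend_recompute_failure", n > 1 ? "critical" : "alert");
    }
    // Edge-triggered: one alert when the count first exceeds the limit,
    // re-armed once the window falls back to the limit or below.
    if (e.type === "oos.evidence_pack.exported") {
      const key = e.tenantId + "|" + e.actorId;
      const n = slide(exportWindows, key, e.ts, HOUR_MS);
      if (n > BULK_EXPORT_LIMIT) {
        if (!exportBreach.has(key)) {
          exportBreach.add(key);
          raise("bulk_oos_export", "alert");
        }
      } else {
        exportBreach.delete(key);
      }
    }
  }
  return alerts;
}
```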

### 12.10 Self-modification block

Module 15 services cannot modify their own audit trail or rule-configuration tables.

### 12.11 Secure export

Evidence-pack exports are watermarked, audit-logged, and delivered over TLS.

### 12.12 Cross-tenant confidentiality envelope

Tenant A cannot read tenant B OOS / OOT under any RBAC; only `platform_admin` support / break-glass cross-tenant operations (with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, SOC alert) are permitted.

---

## 13. Data Integrity and ALCOA+ Controls

| ALCOA+ Principle | Module 15 Implementation |
|---|---|
| Attributable | Every OOS, phase, retest, disposition, OOT alert, trend computation carries `created_by` / `signed_by` per QS-2. |
| Legible | Records human-readable; statistical payloads structured JSONB. |
| Contemporaneous | Server-generated timestamps per QS-3. |
| Original | Original result preserved when invalidated; AI advisory preserved when overridden per AC-6. |
| Accurate | Schema + Zod validation per QS-8; referential integrity per QS-14; deterministic statistical engine. |
| Complete | All required fields enforced; closure non-bypassable; phase 2 must advance parent. |
| Consistent | Context model normalized per OOS-REQ-002 / DEC-15-13. |
| Enduring | Records preserved per retention class; append-only audit per QS-1. |
| Available | Tenant-scoped retrieval; evidence pack export; trend dashboard. |
| Traceable | Hash-chained URS-06 audit; per-OOS audit view; cross-module reference chain. |

---

## 14. Regulatory Mapping

### 14.1 Predicate-rule applicability matrix

| Authority | Predicate | Module 15 obligation |
|---|---|---|
| FDA | 21 CFR Part 11 §11.10(a/d/e) §11.50/11.70/11.100/11.200/11.300 | Validation + RBAC + audit + e-signature |
| FDA | FDA Guidance "Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production" (Oct 2006) | Phase 1 / phase 2 / retest / disposition workflow |
| FDA | 21 CFR Part 211 §211.192 (Production record review — deviations / OOS) | Investigation requirement |
| FDA | 21 CFR Part 211 §211.165 (Testing and release for distribution) | Release governance |
| EMA / PIC/S | EU GMP Annex 11 §4/9/12/16 | Validation + audit + security + incident |
| EMA / PIC/S | EU GMP Annex 15 §10 (Investigation) | OOS investigation |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU GMP Annex 22 (Draft 2025) | GenAI prohibition per DEC-15-18 (treated as internal forward-looking control; jurisdiction-specific legal enforceability subject to future legal assessment) |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU AI Act Regulation 2024/1689 Annex III (high-risk classification approach) | Internal high-risk AI governance aligned with the Annex III approach (jurisdiction-specific legal enforceability subject to future legal assessment) |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU AI Act Art. 13 — Transparency principles | Visible advisory labelling (jurisdiction-specific legal enforceability subject to future legal assessment) |
| MHRA | MHRA Data Integrity Guidance (2018) — ALCOA+ | §13 |
| Health Canada | C.02.020 — GMP records | Investigation workflow |
| ICH | ICH Q9 — Risk Management | Risk-based investigation |
| ICH | ICH Q10 — Pharmaceutical QMS | Investigation element |
| ICH | ICH Q1A(R2) — Stability Testing | Stability OOS triggers |
| USP | USP <1010> — Analytical Data Interpretation (outlier tests) | Retest outlier statistics |
| ISO | ISO 17025 — Testing Laboratory Competence | Laboratory investigation |
| GAMP | GAMP 5 Cat 5 | Validation per §17 |
| FDA | FDA CSA Final Guidance (Sep 2025) | Risk-based testing |
| WHO | TRS 996 Annex 5 | Good data management |
| India CDSCO (per applicable scope) | India Drugs and Cosmetics Act 1940 + Drugs Rules 1945 + Revised Schedule M (laboratory / OOS investigation expectations within GMP) + New Drugs and Clinical Trials Rules 2019 (where clinical-laboratory OOS scope) + Medical Devices Rules 2017 (where device-test OOS scope) — Applicable per India tenant operation and jurisdictional regulatory assessment | OOS / OOT investigation register, phase 1 / phase 2 staged investigation, retest disposition, parent-OOS closure with executive authority co-sign for inconclusive; external jurisdictional legal / RA confirmation required for clause applicability per India laboratory / investigation scope |

---

## 15. URS Requirements Register

### 15.1 Front-end (FE)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-FE-001 | OOS landing route | MUST |
| URS-15-FE-002 | Create OOS route | MUST |
| URS-15-FE-003 | OOS detail with phase tabs | MUST |
| URS-15-FE-004 | Phase 1 lab-error editor with SoD-15-02 | MUST |
| URS-15-FE-005 | Phase 2 investigation editor with SoD-15-03 | MUST |
| URS-15-FE-006 | Retest editor with USP <1010> outlier | MUST |
| URS-15-FE-007 | Disposition decision modal with executive authority co-sign for inconclusive | MUST |
| URS-15-FE-008 | Closure attestation modal with SoD-15-07 | MUST |
| URS-15-FE-009 | OOT alert detail + adjudication modal | MUST |
| URS-15-FE-010 | Statistical trend dashboard with WE / Nelson rule highlights | MUST |
| URS-15-FE-011 | AI advisory banner per ARCH-AI-001 AC-3 | MUST |
| URS-15-FE-012 | Executive authority inconclusive co-sign queue | MUST |
| URS-15-FE-013 | Executive authority reopen modal | MUST |
| URS-15-FE-014 | Per-OOS audit view | MUST |
| URS-15-FE-015 | WCAG 2.1 AA across all routes | MUST |
| URS-15-FE-016 | i18n / l10n with locale-aware numeric formatting for statistical limits | MUST |
| URS-15-FE-017 | ErrorBoundary + loading/error/empty states per QS-17 | MUST |
| URS-15-FE-018 | Annex 22 GenAI prohibition surface (no AI offered in critical decision UI) | MUST (negative requirement) |

### 15.2 Back-end (BE)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-BE-001 | `oos-oot` REST surface per §6.3 | MUST |
| URS-15-BE-002 | Lifecycle state machine with parent-state advancement | MUST |
| URS-15-BE-003 | Race-safe `oos_number` via DB sequence | MUST |
| URS-15-BE-004 | Phase 1 sign-off route with SoD-15-02 + authority + e-sign | MUST |
| URS-15-BE-005 | Phase 2 sign-off route advancing parent state | MUST |
| URS-15-BE-006 | Retest sign-off with USP <1010> outlier + SoD-15-08 | MUST |
| URS-15-BE-007 | Final disposition route with SoD-15-04 + authority + executive authority for inconclusive | MUST |
| URS-15-BE-008 | Closure route with SoD-15-07 + authority | MUST |
| URS-15-BE-009 | Reopen route with executive authority + SoD-15-06 | MUST |
| URS-15-BE-010 | OOT adjudication route with SoD-15-05 + authority | MUST |
| URS-15-BE-011 | Trend computation pipeline (deterministic, scheduled) per DEC-15-11 / DEC-15-12 | MUST |
| URS-15-BE-012 | On-demand trend recompute with `trend_recompute_admin` | MUST |
| URS-15-BE-013 | Context-filter normalization per OOS-REQ-002 | MUST |
| URS-15-BE-014 | Audit-trail extension per OOS-REQ-012 | MUST |
| URS-15-BE-015 | Per-OOS audit route | MUST |
| URS-15-BE-016 | URS-23 batch-action trigger upon `confirmed` per DEC-15-24 | MUST |
| URS-15-BE-017 | URS-14 complaint trigger upon marketed-batch implication per DEC-15-25 | MUST |
| URS-15-BE-018 | Tenant offboarding cascade | MUST |

### 15.3 Workflow (WF)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-WF-001..013 | Per §6.4 | MUST |

### 15.4 Data (DATA)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-DATA-001..013 | Per §6.2 | MUST |

### 15.5 Security (SEC)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-SEC-001 | Three-guard pipeline | MUST |
| URS-15-SEC-002 | TDAL per QS-5 | MUST |
| URS-15-SEC-003 | RLS per QS-6 | MUST |
| URS-15-SEC-004 | Cross-tenant envelope | MUST |
| URS-15-SEC-005 | Watermarked evidence-pack export | MUST |
| URS-15-SEC-006 | Bulk export authority gate | MUST |
| URS-15-SEC-007 | Self-modification block | MUST |
| URS-15-SEC-008 | Periodic access + statistical-rule review cadence | MUST |
| URS-15-SEC-009 | Periodic audit integrity check | MUST |
| URS-15-SEC-010 | GenAI prohibition runtime block | MUST |

### 15.6 Audit (AUD)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-AUD-001 | Every mutation audited per QS-1 | MUST |
| URS-15-AUD-002 | Lifecycle dual-write | MUST |
| URS-15-AUD-003 | Phase / retest / disposition / closure / reopen / OOT adjudication / trend recompute audited | MUST |
| URS-15-AUD-004 | Auth events to `auth_audit_log` | MUST |
| URS-15-AUD-005 | Advisory AI requests to `ai_requests` per AC-5 | MUST |
| URS-15-AUD-006 | Append-only per QS-1 | MUST |
| URS-15-AUD-007 | Per-OOS audit view route | MUST |

### 15.7 AI / HITL (AI)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-AI-001 | NO LLM/GenAI in OOS / OOT decision paths per Annex 22 | MUST (negative) |
| URS-15-AI-002 | Static deterministic statistical engine for trend computation per DEC-15-11 | MUST |
| URS-15-AI-003 | Investigation-step similarity advisory (deterministic) | MUST |
| URS-15-AI-004 | Visible "AI-suggested" labelling per ARCH-AI-001 AC-3 | MUST |
| URS-15-AI-005 | No autonomous write per AC-4 | MUST |
| URS-15-AI-006 | Graceful degradation per AC-7 | MUST |
| URS-15-AI-007 | Full AI request audit per AC-5 | MUST |
| URS-15-AI-008 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) | MUST |
| URS-15-AI-009 | EU AI Act Art. 13 transparency | MUST |

### 15.8 Integration (INT)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-INT-001 | URS-01..06 substrate consumed | MUST |
| URS-15-INT-002 | URS-10 Product specifications | MUST |
| URS-15-INT-003 | URS-13 linkage when OOS / OOT precipitate platform changes | MUST |
| URS-15-INT-004 | URS-14 complaint trigger per DEC-15-25 | MUST |
| URS-15-INT-005 | URS-16 Deviation linkage (`deviation_id`) | MUST |
| URS-15-INT-006 | URS-17 RCA linkage | MUST |
| URS-15-INT-007 | URS-18 CAPA linkage | MUST |
| URS-15-INT-008 | URS-23 Batch Records batch-action trigger per DEC-15-24 | MUST |
| URS-15-INT-009 | URS-24 Stability OOS source | MUST |
| URS-15-INT-010 | URS-25 Environmental Monitoring OOS source | MUST |
| URS-15-INT-011 | URS-26 APQR statistics consumer | MUST |
| URS-15-INT-012 | URS-30 Notifications wired per §10 | MUST |
| URS-15-INT-013 | Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025) | MUST |
| URS-15-INT-014 | ARCH-AI-001 binding | MUST |
| URS-15-INT-015 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) | MUST |

### 15.9 Reporting (REP)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-REP-001..010 | Per §9 | MUST |

### 15.10 Notifications (NOTIF)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-NOTIF-001..014 | Per §10 | MUST |

### 15.11 Validation (VAL)

| ID | Requirement | Priority |
|---|---|---|
| URS-15-VAL-001 | URS approval | Pending |
| URS-15-VAL-002 | Functional Specification | Pending |
| URS-15-VAL-003 | IQ / OQ / PQ | Pending |
| URS-15-VAL-004 | Traceability matrix | Pending |
| URS-15-VAL-005 | Risk-based testing per FDA CSA | Pending |
| URS-15-VAL-006 | RLS evidence | Pending |
| URS-15-VAL-007 | Audit trail integrity | Pending |
| URS-15-VAL-008 | Migration evidence gate | Pending |
| URS-15-VAL-009 | Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025 GenAI prohibition control) | Pending |
| URS-15-VAL-010 | ARCH-AI-001 AC-2/3/4/7 compliance | Pending |
| URS-15-VAL-011 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) | Pending |
| URS-15-VAL-012 | Internal forward-looking AI governance evidence (EU AI Act Art. 13 transparency principles) | Pending |
| URS-15-VAL-013 | SoD-15-01..08 enforcement evidence | Pending |
| URS-15-VAL-014 | Statistical engine deterministic-rule evidence (WE-1..4 + Nelson N-1..8) | Pending |
| URS-15-VAL-015 | Parent-state advancement evidence (OOS-REQ-006) | Pending |
| URS-15-VAL-016 | Executive authority inconclusive co-sign procedural evidence | Pending |
| URS-15-VAL-017 | FDA OOS Guidance (Oct 2006) workflow conformance | Pending |
| URS-15-VAL-018 | USP <1010> outlier methodology evidence | Pending |

---

## 16. Acceptance Criteria and Test Cases

### 16.1 Plain-language test cases

| TC | Plain-language test |
|---|---|
| TC-15-01 | Phase 1 lab-error happy path: analyst opens OOS → supervisor signs lab-error closure → retest passes → batch released. |
| TC-15-02 | Phase 1 → phase 2 → confirmed disposition → batch reject lifecycle. |
| TC-15-03 | Phase 2 inconclusive → executive authority co-sign → treated as confirmed. |
| TC-15-04 | Original analyst attempts lab-error sign; rejected via SoD-15-02. |
| TC-15-05 | Phase 1 supervisor attempts phase 2 investigation; rejected via SoD-15-03. |
| TC-15-06 | Investigator attempts disposition sign; rejected via SoD-15-04. |
| TC-15-07 | Retest performed by original analyst; rejected via SoD-15-08. |
| TC-15-08 | Phase 2 sign-off advances parent state to `pending_disposition`. |
| TC-15-09 | Retest result drives parent disposition outcome. |
| TC-15-10 | Reopen attempted by non-executive-authority; rejected. |
| TC-15-11 | OOT alert auto-fires from WE-1 violation; adjudicated true positive escalate to OOS. |
| TC-15-12 | OOT alert adjudicated false positive with USP <1010> outlier rationale. |
| TC-15-13 | OOT adjudicator equals triggering analyst; rejected via SoD-15-05. |
| TC-15-14 | GenAI invocation attempted in disposition path; runtime block + `OOS_GENAI_PROHIBITED`. |
| TC-15-15 | Trend recompute schedule runs hourly; on-demand recompute by `qc_supervisor` works. |
| TC-15-16 | Inspector evidence pack exported with watermark + audit hash-chain. |

### 16.2 Technical test cases

| TC | Test technique |
|---|---|
| TC-15-T01 | Unit test on service-layer SoD-15-01..08; assert HTTP 403 + correct error code. |
| TC-15-T02 | Integration test on parent-state advancement. |
| TC-15-T03 | Integration test on retest-driven disposition. |
| TC-15-T04 | Race-condition test on `oos_number` generation under concurrent creates per DEC-15-03. |
| TC-15-T05 | Statistical engine test: WE-1..4 + Nelson N-1..8 deterministic outputs against reference dataset. |
| TC-15-T06 | RLS test: tenant A user cannot read tenant B OOS / OOT. |
| TC-15-T07 | Audit test: every mutation produces URS-06 audit entry. |
| TC-15-T08 | E2E test (Playwright): full happy-path lifecycle. |
| TC-15-T09 | Performance test: trend recompute P95 latency for 12-month dataset. |
| TC-15-T10 | Security test: bulk export >20 triggers authority gate. |
| TC-15-T11 | Tenant-isolation test: TDAL violation blocked. |
| TC-15-T12 | Annex 22 negative test: any GenAI in critical decision path blocked at runtime + lint. |
| TC-15-T13 | Context-filter normalization test (OOS-REQ-002): list filters by product AND study correctly. |
| TC-15-T14 | USP <1010> outlier test: outlier exclusion documented + signed; statistical correctness validated. |

### 16.3 Acceptance criteria

| AC | Statement |
|---|---|
| AC-15-01 | OOS registry supports all launch lifecycle states + race-safe numbering. |
| AC-15-02 | Phase 1 lab-error closure SoD-15-02 enforced (FDA OOS Guidance §IV.A). |
| AC-15-03 | Phase 2 sign-off advances parent state per OOS-REQ-006. |
| AC-15-04 | Retest drives parent disposition per OOS-REQ-007. |
| AC-15-05 | Final disposition SoD-15-04 + authority + executive authority for inconclusive per DEC-15-21. |
| AC-15-06 | Closure SoD-15-07. |
| AC-15-07 | Reopen executive authority + SoD-15-06 per DEC-15-22. |
| AC-15-08 | OOT adjudication SoD-15-05 + authority. |
| AC-15-09 | Statistical engine deterministic per DEC-15-11. |
| AC-15-10 | Annex 22 GenAI prohibition enforced runtime + lint per DEC-15-18. |
| AC-15-11 | ARCH-AI-001 AC-2, AC-3, AC-4, AC-7 satisfied. |
| AC-15-12 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) maintained. |
| AC-15-13 | All Module 15 tables RLS-enabled per QS-6. |
| AC-15-14 | Every mutation produces audit entry per QS-1. |
| AC-15-15 | URS-23 batch action triggered upon `confirmed` per DEC-15-24. |
| AC-15-16 | URS-14 complaint workflow triggered upon marketed-batch implication per DEC-15-25. |

```mermaid
sequenceDiagram
  participant Analyst as qc_analyst
  participant Sup as qc_supervisor
  participant P2 as phase2_investigator
  participant Disp as oos_disposition_authority
  participant ExecAuthority
  participant Close as closure_authority
  participant ESign as URS-04 E-Sign
  participant Audit as URS-06
  Analyst->>Sup: open OOS (state opened)
  Sup->>ESign: assign_phase1 (SoD-15-01)
  ESign-->>Sup: signature
  Sup->>Audit: log assign
  Sup->>P2: phase 1 closes proceed_to_phase2 (SoD-15-02)
  P2->>ESign: phase 2 signoff (SoD-15-03)
  ESign-->>P2: signature
  P2->>Audit: log phase 2 + parent state advance (OOS-REQ-006)
  P2->>Disp: pending_disposition
  Disp->>ESign: disposition signoff (SoD-15-04 + authority)
  alt inconclusive
    ESign-->>Disp: signature
    Disp->>ExecAuthority: request co-sign DEC-15-21
    ExecAuthority->>ESign: executive authority e-sign
    ESign-->>ExecAuthority: signature
  else confirmed/invalidated
    ESign-->>Disp: signature
  end
  Disp->>Audit: log disposition
  Disp->>Close: closure
  Close->>ESign: closure signoff (SoD-15-07)
  ESign-->>Close: signature
  Close->>Audit: log closure
```

Diagram 16-A — End-to-end happy-path acceptance test sequence.

### 16.4 Requirements-to-test traceability

| Requirement ID | Test Case ID | AC ID |
|---|---|---|
| URS-15-FE-001..018 | TC-15-T08 | AC-15-01..16 |
| URS-15-BE-001..018 | TC-15-T01..14 | AC-15-01..16 |
| URS-15-WF-001..013 | TC-15-T01..09 | AC-15-02..09 |
| URS-15-DATA-001..013 | TC-15-T04, TC-15-T06, TC-15-T13 | AC-15-13 |
| URS-15-SEC-001..010 | TC-15-T06, TC-15-T10..12 | AC-15-13, AC-15-10 |
| URS-15-AUD-001..007 | TC-15-T07 | AC-15-14 |
| URS-15-AI-001..009 | TC-15-T05, TC-15-T12 | AC-15-09..12 |
| URS-15-INT-001..015 | TC-15-T08 | AC-15-15..16 |

---

## 17. Validation and CSV/CSA Evidence Expectations

### 17.1 Supplier and service-provider qualification pack

- E-signature substrate provider qualification (URS-04).
- USP <1010> reference data + statistical engine validation.
- Hosting region qualification per tenant residency.

### 17.2 Inspection-ready evidence index

- URS approval pack.
- Functional Specification per `oos-oot` code module.
- IQ / OQ / PQ scripts and execution evidence.
- Traceability matrix.
- Risk-based testing per FDA CSA.
- RLS evidence per QS-6.
- Audit trail integrity evidence.
- Migration evidence (URS-15-VAL-008).
- Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025 GenAI prohibition control).
- ARCH-AI-001 AC-2/3/4/7 advisory AI evidence pack.
- Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach: technical documentation, ongoing monitoring, human oversight).
- Internal forward-looking AI governance evidence (EU AI Act Art. 13 transparency principles).
- SoD-15-01..08 enforcement evidence.
- Statistical engine validation evidence (deterministic outputs against reference dataset for WE-1..4 + Nelson N-1..8).
- Parent-state advancement enforcement evidence (OOS-REQ-006).
- Retest-driven disposition enforcement evidence (OOS-REQ-007).
- FDA OOS Guidance (Oct 2006) workflow conformance evidence.
- USP <1010> outlier methodology evidence.
- Race-safe `oos_number` evidence (concurrent-create test).
- Executive authority inconclusive + reopen procedural evidence.

---

## 18. Closed Decision and Dependency Register

### 18.1 Closed Launch Decisions Register

DEC-15-01..25 per §2.3 are closed for launch.

| ID | Disposition |
|---|---|
| DEC-15-01..02 | Locked; OOS-REQ-006 parent-state advancement requirement. |
| DEC-15-03 | Locked; race-safe DB sequence numbering. |
| DEC-15-04 | Locked; phase 1 entity per FDA OOS Guidance §IV.A. |
| DEC-15-05..06 | Locked; phase 2 + retest entities. |
| DEC-15-07..08 | Locked; final disposition + authority gate. |
| DEC-15-09 | Locked; OOT adjudication authority. |
| DEC-15-10..12 | Locked; trend data + statistical engine + recompute schedule. |
| DEC-15-13..15 | Locked; context normalization + reporting + cross-module breadth. |
| DEC-15-16 | Locked; audit-trail extension. |
| DEC-15-17 | Locked; per-jurisdiction regulatory mapping. |
| DEC-15-18 | Locked; EU GMP Annex 22 critical-decision GenAI prohibition. |
| DEC-15-19..20 | Locked; ARCH-AI-001 AC-2/3/4/7 + EU AI Act Annex III HIGH-RISK. |
| DEC-15-21..22 | Locked; executive authority co-sign for inconclusive + reopen. |
| DEC-15-23 | Locked; tenant offboarding cascade. |
| DEC-15-24..25 | Locked; URS-23 batch-action trigger + URS-14 complaint trigger. |

### 18.2 Dependencies

| Dependency | Direction | Source |
|---|---|---|
| URS-01 authentication | Inbound | URS-01 |
| URS-02 RBAC | Inbound | URS-02 |
| URS-03 active scope | Inbound | URS-03 |
| URS-04 workflow / e-sign | Inbound | URS-04 |
| URS-05 Authority Profile | Inbound | URS-05 |
| URS-06 audit substrate | Inbound | URS-06 |
| URS-08 tenant lifecycle cascade | Inbound | URS-08 |
| URS-10 Product specifications | Inbound | URS-10 |
| URS-13 (linkage when OOS/OOT precipitate platform changes) | Outbound | URS-13 |
| URS-14 Complaints (trigger upon marketed-batch implication) | Outbound | URS-14 |
| URS-16 Deviations | Bidirectional | URS-16 |
| URS-17 RCA | Bidirectional | URS-17 |
| URS-18 CAPA | Bidirectional | URS-18 |
| URS-23 Batch Records (batch-action trigger) | Outbound | URS-23 |
| URS-24 Stability (OOS source) | Inbound | URS-24 |
| URS-25 Environmental Monitoring (OOS source) | Inbound | URS-25 |
| URS-26 APQR (statistics consumer) | Outbound | URS-26 |
| URS-30 Notifications | Outbound | URS-30 |
| EU GMP Annex 22 | Internal forward-looking architectural reference (not enacted predicate rule) | Internal forward-looking AI governance evidence (Annex 22 platform reference) |
| ARCH-AI-001 | Architectural binding | ARCH-AI-001 platform binding |
| EU AI Act Annex III (high-risk classification approach) | Internal forward-looking architectural reference (not enacted predicate rule) | EU AI Act |

---

## 19. Completeness Checklist

| Item | Status |
|---|---|
| Header + mapping + Code Modules Mapped + Architecture Bindings (ARCH-AI-001 + Annex 22 + Annex III HIGH-RISK) | ✓ |
| Plain-language primer + glossary + architectural picture | ✓ |
| OOS lifecycle diagram | ✓ |
| Module Purpose | ✓ |
| Scope (in / out / closed launch decisions) | ✓ |
| User Roles + Authority Profiles + SoD-15-01..08 + worked examples + role-permission matrix | ✓ |
| 28 end-to-end user journeys | ✓ |
| Front-end expected state | ✓ |
| Back-end expected state (entities + ER + lifecycle + phase 1 flow + OOT computation flow + data + API + workflow + business rules + audit) | ✓ |
| Annex 22 + ARCH-AI-001 + Annex III high-risk architecture reference section | ✓ |
| Cross-module wiring + CIM + dependencies | ✓ |
| AI / Automation / HITL controls | ✓ |
| Reports / dashboards / exports | ✓ |
| Notifications and queues | ✓ |
| Error envelope + error-code catalogue + negative paths | ✓ |
| Security, privacy, tenant isolation | ✓ |
| ALCOA+ controls | ✓ |
| Regulatory mapping | ✓ |
| URS Requirements Register | ✓ |
| Acceptance Criteria + Test Cases + traceability | ✓ |
| Validation evidence expectations | ✓ |
| Closed decisions + dependencies | ✓ |
| Module scoped strictly to OOS / OOT | ✓ |
| Version 1.0 only | ✓ |

---

## 20. Final Module Output Quality Gate

**URS approval is separate from validation execution.** This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture; it becomes "Released for validation execution" only after URS-15-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied. **No Module 15 internal open questions remain.**

- **Specification ready for engineering review?** Yes — every requirement is fully specified within this URS..OOS-REQ-014.
- **Specification ready for quality validation review?** Yes — IQ/OQ/PQ + RLS + audit chain + Annex 22 GenAI-prohibition + ARCH-AI-001 + Annex III HIGH-RISK + SoD + parent-state advancement + retest-driven disposition + statistical engine + FDA OOS Guidance + USP <1010> + executive authority co-sign procedural evidence are itemised in §17.
- **Specification ready for compliance review?** Yes — ALCOA+, 21 CFR Part 11, FDA OOS Guidance (Oct 2006), 21 CFR Part 211 §211.165 / §211.192, EU GMP Annex 11, EU GMP Annex 15 §10, MHRA ALCOA+, ICH Q9 / Q10 / Q1A(R2), USP <1010>, ISO 17025, GAMP 5 Cat 5, FDA CSA, WHO TRS 996 Annex 5 — all mapped in §14. EU GMP Annex 22 (Draft 2025) and EU AI Act Regulation 2024/1689 (Annex III high-risk classification approach + Art. 13 transparency principles) are treated as internal forward-looking architectural controls; jurisdiction-specific legal enforceability remains subject to a future jurisdiction-specific legal assessment.
- **Specification ready for inspector / client review?** Yes — 28 journeys (§4), full requirements register (§15), evidence pack index (§17.2).
- **Specification ready for Founder approval?** Yes.
- **Blocking gaps?** None internal.
- **Two-step release path:**
  1. **Approved Controlled URS — released for engineering implementation and validation planning.**
  2. **Released for validation execution.** After URS-15-VAL-008 + §17 evidence complete.

---

## Appendix A — Module 15 End-to-End Composite (Open → Phase 1 → Phase 2 → Retest → Disposition → Closure)

```mermaid
flowchart TD
  A([qc_analyst opens OOS — race-safe oos_number DEC-15-03]) --> B[OPENED + URS-23 batch quarantined DEC-15-24]
  B --> C[qc_supervisor assigns phase 1 SoD-15-01]
  C --> D[PHASE1_IN_PROGRESS]
  D --> E[Lab-error checklist FDA OOS Guidance §IV.A]
  E --> F{Assignable cause?}
  F -- yes --> G[Phase 1 sign closed_lab_error SoD-15-02]
  G --> H[Documented retest with fresh standard]
  H --> I{Retest passes?}
  I -- yes --> J[Original invalidated; batch released; CLOSED_LAB_ERROR]
  I -- no --> K[Escalate to phase 2]
  F -- no --> K
  K --> L[PHASE2_IN_PROGRESS SoD-15-03]
  L --> M[Phase 2 review: manufacturing + equipment + formulation + trends]
  M --> N{Retest needed?}
  N -- yes --> O[RETEST_IN_PROGRESS — outlier per USP <1010> SoD-15-08]
  O --> M
  N -- no --> P[Phase 2 sign-off → PARENT STATE ADVANCED to PENDING_DISPOSITION OOS-REQ-006]
  P --> Q{Disposition decision SoD-15-04 + authority}
  Q -- confirmed --> R[CONFIRMED → URS-23 batch action DEC-15-24]
  Q -- invalidated --> S[INVALIDATED → batch may proceed]
  Q -- inconclusive --> T[INCONCLUSIVE + executive authority co-sign DEC-15-21 → treated as confirmed]
  R --> U[Closure attestation SoD-15-07]
  S --> U
  T --> U
  U --> V[CLOSED_*]
  V --> W{Lifecycle event}
  W -- post-closure issue --> X[Executive authority reopen DEC-15-22 SoD-15-06 → REOPENED → PHASE2_IN_PROGRESS]
  W -- normal --> Y[Terminal closed]
  R -.if marketed batch.-> Z[URS-14 complaint trigger DEC-15-25]
  Q -.Annex 22.-> AA[NO GenAI in disposition path DEC-15-18]
  L -.advisory.-> AB[Static deterministic similarity ARCH-AI-001 AC-2]
```

Diagram Appendix A — Module 15 End-to-End Composite. Single composite flow showing OOS open → phase 1 lab-error decision (FDA OOS Guidance §IV.A) → phase 2 with parent-state advancement → retest with USP <1010> outlier → final disposition with authority + SoD + executive authority co-sign for inconclusive (DEC-15-21) → closure with SoD-15-07 → terminal states with reopen path requiring executive authority co-sign (DEC-15-22). Verixa treats EU GMP Annex 22 Draft 2025 and EU AI Act high-risk / transparency concepts as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise; under the internal control, generative AI is prohibited in critical decisions and the module is internally classified high-risk AI. ARCH-AI-001 governs advisory deterministic AI in similarity / signal surfacing. Binding predicate-rule obligations remain those listed in §14.
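The phase 2 → disposition → closure → reopen segment of the Appendix A flow can be exercised as a fail-closed transition guard, which is the kind of negative-path evidence §17.2 asks for. This is an added illustrative example, not Verixa's `oos-oot` implementation. The action names, the `Actor` fields, the single `CLOSED` stand-in for `CLOSED_*`, and the rule that the co-signer is a different person are assumptions; SoD-15-xx checks are left out because their definitions sit outside this section.

```python
from dataclasses import dataclass
from typing import Optional

# (state, action) -> next state, transcribed from the Appendix A flowchart.
# Action names are hypothetical; "CLOSED" stands in for the CLOSED_* family.
TRANSITIONS = {
    ("PHASE2_IN_PROGRESS", "start_retest"): "RETEST_IN_PROGRESS",
    ("RETEST_IN_PROGRESS", "return_to_phase2"): "PHASE2_IN_PROGRESS",
    ("PHASE2_IN_PROGRESS", "phase2_signoff"): "PENDING_DISPOSITION",  # OOS-REQ-006
    ("PENDING_DISPOSITION", "dispose_confirmed"): "CONFIRMED",
    ("PENDING_DISPOSITION", "dispose_invalidated"): "INVALIDATED",
    ("PENDING_DISPOSITION", "dispose_inconclusive"): "INCONCLUSIVE",
    ("CONFIRMED", "attest_closure"): "CLOSED",
    ("INVALIDATED", "attest_closure"): "CLOSED",
    ("INCONCLUSIVE", "attest_closure"): "CLOSED",
    ("CLOSED", "reopen"): "REOPENED",
    ("REOPENED", "resume_phase2"): "PHASE2_IN_PROGRESS",
}
EXEC_COSIGN = {"dispose_inconclusive", "reopen"}  # DEC-15-21, DEC-15-22

@dataclass(frozen=True)
class Actor:
    user_id: str
    kind: str                 # "human" or "ai_service" (assumed field)
    executive: bool = False   # holds executive authority (assumed field)

class TransitionDenied(Exception):
    """Raised for any transition the guard refuses."""

def advance(state: str, action: str, actor: Actor,
            cosigner: Optional[Actor] = None) -> str:
    """Return the next state, or raise TransitionDenied (fail closed)."""
    nxt = TRANSITIONS.get((state, action))
    if nxt is None:  # unlisted pair, e.g. disposing before phase 2 sign-off
        raise TransitionDenied(f"{action} not allowed from {state}")
    # DEC-15-18: only human signers; this example applies it to every transition.
    signers = [actor] + ([cosigner] if cosigner else [])
    if any(s.kind != "human" for s in signers):
        raise TransitionDenied("signer must be human")
    if action in EXEC_COSIGN:
        # Assumption: the co-signer is a second person with executive authority.
        if (cosigner is None or not cosigner.executive
                or cosigner.user_id == actor.user_id):
            raise TransitionDenied(f"{action} needs a distinct executive co-signer")
    return nxt

if __name__ == "__main__":
    investigator = Actor("u-inv", "human")            # constructed sample actors
    executive = Actor("u-exec", "human", executive=True)
    print(advance("PENDING_DISPOSITION", "dispose_inconclusive",
                  investigator, cosigner=executive))
```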

— End of Module 15 User Requirements Specification —
