# Verixa — User Requirements Specification

# Module 16: Deviations

| Field | Value |
|---|---|
| Document ID | VRX-URS-16 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, Manufacturing Head, Clinical / PV Head, Site Quality Lead, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-16-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `deviations`, expected API mount `/api/v1/deviations/*`, expected practice-specific deviation classifier ownership for GCP, GDP, GLP, GMP, and GVP deviation classifiers. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity**. Verixa internally classifies this AI surface as **high-risk under internal AI governance**, aligned with the high-risk classification approach in **EU AI Act (Regulation 2024/1689) Annex III**, unless a jurisdiction-specific legal assessment determines otherwise. AI-assisted deviations surfaces (AI-suggested severity, AI-suggested type, AI root-cause proposal, MIRA copilot, AI priority suggestion, practice-specific AI classifiers) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles. Every AI surface shall provide a fully functional manual classification and investigation path; deviation creation, classification, investigation conclusion, and closure shall be executable when AI services are disabled, degraded, or overridden. **No AI service shall be the sole path to classify, route, or dispose a deviation.** This module binds ARCH-AI-001 AC-2, AC-3, AC-4, AC-5, and AC-7. Verixa treats **EU GMP Annex 22 (Draft 2025)** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, generative / probabilistic AI is **PROHIBITED** in deviation classification disposition decisions, severity-driven escalation decisions, regulatory-impact decisions, and closure-disposition decisions. Static deterministic AI may suggest classification candidates and similar prior deviations; the human investigator's signed decision is the system of record. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical Deviation register, the deviation lifecycle state machine (`draft → investigating → closed \| voided`; reopen is a governed transition event from `closed → investigating` that appends a new investigation iteration and does not mutate or erase the prior closed evidence — DEC-16-22 + SoD-16-06), the practice-specific deviation taxonomy (GMP / GCP / GLP / GDP / GVP / multi-practice), the severity classification (minor / major / critical) with controlled escalation, the deviation investigation workflow with root-cause analysis linkage to URS-17 RCA, the impact-area linkage, the affected-document linkage to URS-12, the cross-module linkage to URS-14 complaints, URS-15 OOS/OOT, URS-18 CAPA, URS-23 batch records, URS-24 stability, URS-25 environmental monitoring, URS-13 (when deviations precipitate platform changes), and URS-21 findings; the post-closure / post-void record immutability; the void workflow with reason + authority + e-signature; the configurable severity and classification taxonomy at tenant level; and the per-jurisdictional regulatory expectations under FDA 21 CFR §211.192 (Production record review), 21 CFR §312.62 (Investigator records — clinical), EU GMP Annex 1 (revised 2023) §10, EU GMP Chapter 1 §1.4, ICH Q9 / Q10, MHRA Data Integrity. |
| Date of Issue | 2026-05-06 |
| Module Owner (Engineering) | Deviation / Quality Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — Deviations |
| Module Owner (Compliance) | Quality Assurance, Manufacturing, Clinical / Pharmacovigilance, Regulatory Affairs |
| Approving Authority | Founder / Chairman & MD; QA Head; Manufacturing Head; Clinical / PV Head; Validation Head; RA Head; Information Security Head; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Deviations module (Module 16). It is the binding contract between product, engineering, quality validation, regulatory affairs, manufacturing, clinical / pharmacovigilance, distribution, laboratory operations, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated deviation-management substrate: the canonical deviation register; the lifecycle state machine (`draft → investigating → closed | voided` with terminal `voided` requiring authority + e-signature; reopen is a governed transition event from `closed → investigating` that appends a new lifecycle event and a new investigation iteration without mutating or erasing the prior closed evidence — DEC-16-22 + SoD-16-06); the practice-specific deviation taxonomy (GMP manufacturing deviations, GCP clinical protocol deviations, GLP non-clinical study protocol deviations, GDP distribution deviations, GVP pharmacovigilance deviations, and multi-practice deviations); the severity classification with controlled escalation (minor / major / critical) and severity-driven SoD; the impact-area structured linkage; the affected-document linkage to URS-12 with controlled cascade; the investigation workflow with root-cause analysis, correlation to URS-15 OOS/OOT, and downstream linkage to URS-17 RCA, URS-18 CAPA, URS-13, URS-14 complaints; the post-closure / post-void record immutability across parent and child rows; the void workflow with reason + authority + e-signature (void requires documented reason, deviation_void_authority, e-signature, SoD enforcement, soft-delete only, and audit retention); the configurable severity and classification taxonomy with tenant overrides; the reporting and search surfaces with overdue and pending visibility; and the per-jurisdictional regulatory expectations. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, QC, Manufacturing, Clinical Operations / Pharmacovigilance, Distribution, Laboratory Operations, Validation, Regulatory Affairs, Information Security, the executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S, PMDA). The plain-language primer (§0.4) and worked examples (§3.5) make Module 16 accessible to non-domain engineers, validation engineers, manufacturing operators, clinical monitors, and distribution managers.

### 0.3 How to read this document

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD (strong recommendation) or MAY (option).

### 0.4 Plain-language primer for non-domain readers

In a regulated pharmaceutical operation, **a deviation is a documented departure from an approved procedure, process, specification, or condition**. When a manufacturing operator notices that a mixing time was 8 minutes instead of the SOP-required 10 minutes; a clinical monitor finds that an enrolled subject did not meet inclusion criterion #4; a distribution coordinator discovers that a temperature-controlled shipment had a 2-hour excursion above the specified storage range; a laboratory analyst transcribes an out-of-window environmental-monitoring reading; a pharmacovigilance officer logs a missed reportability deadline — each event is a **deviation** that must be recorded, evaluated for impact on product quality / patient safety / data integrity / regulatory compliance, investigated for root cause, dispositioned (close as no-impact, escalate to RCA, escalate to CAPA, void as duplicate / not-a-deviation), and closed under written procedure with electronic signature per **21 CFR §211.192 (Production record review for unexplained discrepancies), 21 CFR §312.62 (Investigator records and reports for clinical), 21 CFR §211.198 (when deviations relate to complaints), EU GMP Annex 1 (revised 2023) §10 (Contamination control / sterile manufacturing deviations), EU GMP Chapter 1 §1.4 (Pharmaceutical Quality System), ICH Q9 (Quality Risk Management), ICH Q10 (Pharmaceutical Quality System §3.2.4), MHRA Data Integrity Guidance (2018), and PIC/S PE 009**. Module 16 is the target specification for this regulated workflow.

A **deviation** is the regulated record. It is created by the discovering user (operator, monitor, analyst, coordinator, inspector); captures: the deviation type per practice domain (GMP manufacturing, GCP clinical protocol, GLP non-clinical, GDP distribution, GVP pharmacovigilance, or multi-practice); the severity (minor — no impact on quality / safety / efficacy / data; major — could affect product / safety / data, requires investigation; critical — known impact on product release, patient safety, or regulatory commitment); the discovery date; the discoverer; the affected scope (study, site, product, supplier, batch, equipment, document); the symptom description; the immediate-action taken; and the priority. The platform assigns a server-authoritative deviation number (e.g., `DEV-2026-001234`).

The deviation enters **investigation**. The named investigator (independent of discoverer per SoD-16-01) reviews the event, determines root cause (or routes to URS-17 RCA for deeper analysis), evaluates impact across product quality / patient safety / data integrity / regulatory compliance, decides whether downstream actions are needed (URS-18 CAPA initiation, URS-13 record opening for corrective platform change, URS-14 complaint workflow if customer-facing impact, URS-15 OOS investigation if linked to a failing result), captures the impact-area structured linkage (`impact_areas`), captures the affected-document linkage (`affected_documents`), and records the investigation conclusion. The investigation conclusion is e-signed.

Verixa internally classifies AI-assisted deviation classification as **high-risk AI under internal AI governance**, aligned with the high-risk classification approach in EU AI Act Annex III, unless a jurisdiction-specific legal assessment determines otherwise. Verixa treats **EU GMP Annex 22 (Draft 2025)** as an internal forward-looking architectural control (not an enacted predicate rule). Under those internal controls: AI may suggest severity, type, similar prior deviations, root-cause patterns — but every AI suggestion is **advisory** under ARCH-AI-001 AC-2; visibly labelled per AC-3; never autonomously writes to the deviation record per AC-4; full audit per AC-5; degrades gracefully when unavailable per AC-7. **Generative / probabilistic AI is PROHIBITED in classification disposition, severity-driven escalation, regulatory-impact, and closure-disposition decision paths.** Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment.

The **closure** decision is authority-gated and e-signed. Major and critical deviations require additional cross-functional sign-off (QA + the relevant practice lead — Manufacturing for GMP, Clinical for GCP, Distribution for GDP, etc.). Critical deviations affecting registered products or marketed batches additionally require executive authority co-sign. SoD-16-04 enforced: investigator cannot also be the closure authority.

A deviation may be **voided** when the record is determined to be a duplicate, not-a-deviation, or created in error. Per Module 16 / DEC-16-09, void requires: a documented reason, an authority gate (`deviation_void_authority` Authority Profile), an e-signature via Controlled Approval Modal, SoD-16-05 enforcement (voider cannot be the original creator), and audit retention. The voided record is preserved for audit (soft delete only — no hard delete ever).

**Closed and voided deviations are immutable.** Per Module 16 / DEC-16-08, mutations on `closed` or `voided` parent records are blocked at the service layer; mutations on impact-area or affected-document child rows are also blocked when the parent is `closed` or `voided`. Child-row immutability is enforced normatively when parent is `closed` or `voided`.

The deviation register is the **substrate that captures every documented departure from procedure** — the inspector's first-pass review during a marketed-product or clinical-study inspection.

### 0.5 Deviation lifecycle diagram

```mermaid
stateDiagram-v2
  state "Deviation Lifecycle" as DEVLC {
    [*] --> draft : Discoverer creates deviation
    draft --> investigating : Submit for investigation (SoD-16-01)
    draft --> voided : Void with reason + authority + e-sign (SoD-16-05)
    investigating --> closed : Investigation complete; closure authority + e-sign (SoD-16-04)
    investigating --> voided : Void with reason + authority + e-sign (SoD-16-05)
    closed --> [*] : Immutable (DEC-16-08)
    voided --> [*] : Immutable (DEC-16-08)
    note right of investigating
      Severity-driven SoD:
      - Investigator signs the investigation conclusion. QA reviewer / closure authority signs closure. The investigator MUST NOT act as closure authority.
      - major: + practice_lead_* co-sign at closure
      - critical: + executive authority co-sign at closure
      Linkage opportunities:
      - URS-17 RCA escalation
      - URS-18 CAPA initiation
      - URS-13 platform change
      - URS-14 complaint workflow
      - URS-15 OOS investigation
    end note
    note right of closed
      Parent + all child rows immutable
      (impact_areas, affected_documents)
    end note
    note right of voided
      Authority + e-sign required
      (DEC-16-09)
      Soft-delete only — preserved for audit
    end note
  }
```

Diagram 0.5-A — Deviation lifecycle. Severity-driven SoD enforced at the closure gate; voided records require authority + e-signature.

### 0.6 Glossary of key terms used in this document

| Term | Definition |
|---|---|
| Affected Document | Controlled document (URS-12) flagged as impacted by the deviation; child-link record on the deviation. |
| Annex 22 | EU GMP Annex 22 (Draft 2025); prohibits generative / probabilistic AI in critical deviation decision paths. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface; binds AC-2, AC-3, AC-4, AC-5, AC-7. |
| Closed | Terminal deviation state after investigation conclusion + authority-gated closure + e-signature. |
| Critical | Severity class denoting known impact on product release, patient safety, or regulatory commitment. |
| DEC | Decision identifier locked at launch (DEC-16-XX). |
| Deviation | A documented departure from an approved procedure, process, specification, or condition. |
| Deviation Number | Server-authoritative identifier `DEV-{YYYY}-{nnnnnn}` per DEC-16-03. |
| Discoverer | The user who first observed and recorded the deviation. |
| GCP | Good Clinical Practice — ICH E6(R3) — clinical protocol deviation taxonomy. |
| GDP | Good Distribution Practice — EU GDP / 21 CFR Part 205 / WHO TRS — distribution deviation taxonomy. |
| GLP | Good Laboratory Practice — OECD GLP / 21 CFR Part 58 — non-clinical study deviation taxonomy. |
| GMP | Good Manufacturing Practice — EU GMP / 21 CFR Part 211 — manufacturing deviation taxonomy. |
| GVP | Good Pharmacovigilance Practice — EU GVP — pharmacovigilance deviation taxonomy. |
| Impact Area | Structured area of impact on a deviation (e.g., product quality, patient safety, data integrity, regulatory commitment); child-link record. |
| Investigator | The user assigned to investigate the deviation; cannot be the discoverer per SoD-16-01. |
| Major | Severity class denoting potential impact on product / safety / data; requires investigation. |
| Minor | Severity class denoting no impact on quality / safety / efficacy / data. |
| Practice | One of GMP / GCP / GLP / GDP / GVP / multi — drives the deviation taxonomy and approval matrix. |
| Severity | Classification of deviation impact (minor / major / critical). |
| SoD | Segregation of Duties — service-layer enforced separation. |
| Void | Terminal deviation state when the record is determined to be duplicate / not-a-deviation / created-in-error; requires reason + authority + e-signature; soft-delete only. |

### 0.7 Module 16 architectural picture

```mermaid
graph LR
  subgraph M16 [Module 16 — Deviations]
    DEV[Deviation Registry<br/>code: deviations]
    DEVLC[Deviation Lifecycle workflow.ts]
    SEV[Severity Classification<br/>minor/major/critical]
    PRAC[Practice Taxonomy<br/>GMP/GCP/GLP/GDP/GVP/multi]
    IA[Impact Areas<br/>impact_areas child]
    AD[Affected Documents<br/>affected_documents child]
    INV[Investigation conclusion<br/>+ e-sign]
    VOID[Void workflow<br/>+ authority + e-sign DEC-16-09]
    AUTH[Authority + SoD + E-Sign]
  end

  M01[URS-01 Auth] --> AUTH
  M02[URS-02 RBAC] --> DEV
  M03[URS-03 Active Scope] --> DEV
  M04[URS-04 Workflow / E-Sign] --> AUTH
  M05[URS-05 Authority Profiles] --> AUTH
  DEV --> M06[URS-06 Audit Substrate]
  M07[URS-07 Study] --> DEV
  M09[URS-09 Site] --> DEV
  M10[URS-10 Product] --> DEV
  M11[URS-11 Supplier] --> DEV
  M12[URS-12 Documents] <--> AD
  INV --> M13[URS-13]
  M14[URS-14 Complaints] <--> INV
  M15[URS-15 OOS/OOT] <--> INV
  INV --> M17[URS-17 RCA]
  INV --> M18[URS-18 CAPA]
  DEV --> M21[URS-21 Findings]
  DEV --> M22[URS-22 Inspection Mgmt]
  M23[URS-23 Batch Records] <--> DEV
  M24[URS-24 Stability] --> DEV
  M25[URS-25 Environmental Monitoring] --> DEV
  DEV --> M26[URS-26 APQR]
  DEVLC --> M30[URS-30 Notifications]
  ANNEX22[Annex 22 GenAI prohibition] -.governs.-> AUTH
  ARCHAI[ARCH-AI-001 advisory AI] -.governs.-> DEV
  AIAct[EU AI Act Annex III HIGH-RISK] -.classifies.-> DEV
```

Diagram 0.7-A — Module 16 architectural picture. The target `deviations` code module is the expected owner of the registry, lifecycle, practice-specific taxonomy, severity classification, impact-area + affected-document linkages, investigation conclusion, void workflow, and authority gating; ownership is target binding and remains subject to repository verification and validation evidence. Verixa treats EU GMP Annex 22 Draft 2025 and EU AI Act high-risk / transparency concepts as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise; under the internal control, generative AI is prohibited in critical decisions and the module is internally classified high-risk AI. ARCH-AI-001 governs advisory deterministic AI. Binding predicate-rule obligations remain those listed in §14.

---

## 1. Module Purpose

Module 16 establishes Deviations as the canonical substrate for "every documented departure from approved procedure, process, specification, or condition" in Verixa. It owns the deviation master registry, the lifecycle state machine, the practice-specific taxonomy (GMP / GCP / GLP / GDP / GVP / multi), the severity classification with controlled escalation, the structured impact-area and affected-document linkages, the investigation workflow with root-cause and downstream linkage, the post-closure / post-void immutability of parent and child rows, the void workflow with reason + authority + e-signature, and the cross-module linkage to URS-12 documents, URS-13, URS-14 complaints, URS-15 OOS/OOT, URS-17 RCA, URS-18 CAPA, URS-21 findings, URS-22 inspection management, URS-23 batch records, URS-24 stability, URS-25 environmental monitoring, URS-26 APQR. Module 16 is consumed by URS-21 (deviation findings precipitate Findings), URS-22 (deviations inform inspection readiness), URS-26 APQR (deviation statistics in Annual Product Quality Review), and triggers URS-13 records when deviations precipitate platform changes.

Module 16 is the **single source of truth for "show me the deviation, the investigation, and the disposition"** — the inspector's most common operational request after the audit trail.

---

## 2. Scope

### 2.1 In scope

#### Deviation Registry

- The deviation master registry per DEC-16-01: per-tenant registry with `id`, `tenant_id`, `deviation_number` (server-authoritative `DEV-{YYYY}-{nnnnnn}` per DEC-16-03), `practice` (`gmp` / `gcp` / `glp` / `gdp` / `gvp` / `multi`), `deviation_type` (per-practice taxonomy from `module_options`), `severity` (`minor` / `major` / `critical`), `lifecycle_state` (`draft` / `investigating` / `closed` / `voided`), `discovery_date`, `discoverer_user_id`, `investigator_user_id` (nullable until assigned), `study_id` (FK URS-07 nullable), `site_id` (FK URS-09 nullable), `product_id` (FK URS-10 nullable), `supplier_id` (FK URS-11 nullable), `batch_id` (FK URS-23 nullable), `equipment_id` (FK URS-09 nullable), `symptom_description`, `immediate_action_taken`, `priority` (`standard` / `expedited` / `critical`), `created_at`, `updated_at`, `deleted_at` (nullable for soft-delete), `voided_at` (nullable), `voided_reason`, `voided_signature_id`. At least one scope anchor (`study_id`, `site_id`, `product_id`, `supplier_id`, `batch_id`, or `equipment_id`) is required.
- Server-authoritative race-safe deviation number per DEC-16-03 via DB sequence.

#### Deviation Lifecycle

- Lifecycle state machine per DEC-16-02: `draft → investigating → closed | voided` (with `draft → voided` direct void path for never-investigated records). **Reopen is a governed transition event from `closed → investigating` per DEC-16-22 + SoD-16-06; it appends a new lifecycle event and a new investigation iteration; it does NOT mutate or erase the prior closed evidence.**
- Each transition is electronically signed; all transitions log dual-write to `deviation_lifecycle_events` + URS-06 substrate.

#### Practice-Specific Deviation Taxonomy

- Practice-specific deviation classifiers per DEC-16-04:
  - **GMP manufacturing deviations** — taxonomy aligned to EU GMP / 21 CFR Part 211 / Annex 1 (sterile) / ICH Q7 (API) — process parameter deviation, equipment failure, environmental excursion, cleaning verification deviation, in-process control out-of-trend, batch record discrepancy, raw-material out-of-spec, holding-time deviation, sterilisation deviation.
  - **GCP clinical protocol deviations** — taxonomy aligned to ICH E6(R3) — protocol violation, informed-consent deviation, eligibility-criterion deviation, dosing deviation, study-procedure deviation, AE-reporting timeliness deviation, source-document deviation, IRB/IEC notification deviation.
  - **GLP non-clinical study deviations** — taxonomy aligned to OECD GLP / 21 CFR Part 58 — protocol deviation, equipment qualification deviation, animal-handling deviation, environmental deviation, data-recording deviation, archival deviation.
  - **GDP distribution deviations** — taxonomy aligned to EU GDP / WHO TRS — temperature excursion, pickup / delivery deviation, cold-chain breach, documentation deviation, storage condition deviation, suspected falsified medicine event.
  - **GVP pharmacovigilance deviations** — taxonomy aligned to EU GVP / FDA 21 CFR §314.80 — case-report deviation, reportability-deadline deviation, signal-detection deviation, periodic-report deviation.
  - **Multi-practice deviations** — affecting more than one practice domain.
- Tenant-configurable extensions per DEC-16-18 via `module_options`.

#### Severity Classification + Severity-Driven SoD

- Severity per DEC-16-05: `minor` (no impact on quality / safety / efficacy / data); `major` (potential impact requiring investigation); `critical` (known impact on product release, patient safety, or regulatory commitment).
- Severity-driven approval matrix per DEC-16-06:
  - Investigator signs the investigation conclusion. QA reviewer / closure authority signs closure. The investigator MUST NOT act as closure authority.
  - Major: + practice lead (Manufacturing / Clinical / Distribution / etc.) co-sign at closure.
  - Critical: + executive authority co-sign at closure (per DEC-16-21 critical-deviation executive co-sign).

#### Investigation Workflow

- Investigation conclusion per DEC-16-07 with `investigation_conclusion_text`, `root_cause_summary`, `rca_id` (FK URS-17 nullable — escalate when RCA depth required), `capa_id` (FK URS-18 nullable — initiate when corrective / preventive action is needed), `linked_change_id` (FK URS-13 nullable), `linked_complaint_id` (FK URS-14 nullable), `linked_oos_id` (FK URS-15 nullable), `signed_at`, `signature_id`.
- SoD-16-01 enforced: discoverer cannot be the investigator.
- SoD-16-04 enforced: investigator cannot be the closure authority.

#### Impact Areas (child link)

- `impact_areas` per DEC-16-10 with `id`, `deviation_id`, `impact_area` (`product_quality` / `patient_safety` / `data_integrity` / `regulatory_commitment` / `process_validation` / `cross_contamination` / `sterility_assurance` / `chain_of_custody` / `environmental_health_safety`), `impact_severity` (`none` / `low` / `medium` / `high` / `critical`), `assessor_user_id`, `assessor_signature_id`, `notes`. Post-closure / post-void parent immutability cascades to child rows per DEC-16-08.

#### Affected Documents (child link)

- `affected_documents` per DEC-16-11 with `id`, `deviation_id`, `document_id` (FK URS-12), `revision_required` (boolean), `target_revision_classification` (`administrative` / `minor` / `major` per URS-12 versioning scheme), `linked_urs13_record_id` (FK URS-13 nullable when revision precipitates a platform change). Post-closure / post-void parent immutability cascades to child rows per DEC-16-08.

#### Closed / Voided Record Immutability

- Post-closure and post-void parent immutability per DEC-16-08: `update`, child-row add, child-row update, child-row remove all blocked at the service layer when parent is `closed` or `voided`. Audit trail captures attempted-mutation events for forensic review.

#### Void Workflow

- Void workflow per DEC-16-09: requires `voided_reason` (text), `deviation_void_authority` Authority Profile, e-signature via Controlled Approval Modal, SoD-16-05 (voider ≠ creator). Soft-delete only — `deleted_at` set, parent state set to `voided`. Hard delete is prohibited.
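
The lifecycle, severity-driven closure matrix, closed / voided immutability and void rules listed above (DEC-16-02, DEC-16-06, DEC-16-08, DEC-16-09, DEC-16-22) can be expressed as one service-layer guard that returns a deny code before any state change. The TypeScript below is an added illustration, not Verixa source code; all type, field and function names are hypothetical, deny codes other than the SoD / DEC identifiers are constructed, and SoD-16-06 is left unmodelled because its rule is not defined in this section.

```typescript
// Added illustration, not Verixa source code. States, severities and SoD-16-xx /
// DEC-16-xx identifiers come from the URS; all type, field and function names are hypothetical.
type State = "draft" | "investigating" | "closed" | "voided";
type Severity = "minor" | "major" | "critical";
type Action = "submit" | "close" | "void" | "reopen" | "update" | "child_write";
type CoSigner = "practice_lead" | "executive";

interface Deviation {
  state: State;
  severity: Severity;
  creatorId: string;             // discoverer who created the record
  investigatorId: string | null;
  iteration: number;             // investigation iteration; reopen appends one
  events: string[];              // append-only lifecycle events
  deniedAttempts: string[];      // attempted-mutation audit entries
}

interface ActionRequest {
  action: Action;
  actorId: string;
  signed?: boolean;              // e-signature captured
  hasAuthority?: boolean;        // actor holds the required Authority Profile
  reason?: string;
  coSigners?: CoSigner[];
  investigatorId?: string;       // assignment supplied with "submit"
}

type Result = { ok: true; state: State } | { ok: false; code: string };

// Legal source states per action (DEC-16-02, DEC-16-22); anything else is denied.
const ALLOWED_FROM: Record<Action, State[]> = {
  submit: ["draft"], close: ["investigating"], reopen: ["closed"],
  void: ["draft", "investigating"],
  update: ["draft", "investigating"], child_write: ["draft", "investigating"],
};

// Closure co-signers, cumulative by severity (DEC-16-06, DEC-16-21).
const CLOSE_COSIGN: Record<Severity, CoSigner[]> = {
  minor: [], major: ["practice_lead"], critical: ["practice_lead", "executive"],
};

function denyCode(d: Deviation, r: ActionRequest): string | null {
  if (ALLOWED_FROM[r.action].indexOf(d.state) === -1) {
    // closed / voided parents reject parent and child writes alike (DEC-16-08)
    return d.state === "closed" || d.state === "voided" ? "DEC-16-08" : "BAD_TRANSITION";
  }
  const has = (c: CoSigner): boolean => (r.coSigners ?? []).indexOf(c) !== -1;
  const reasonOk = (r.reason ?? "").trim().length > 0;
  switch (r.action) {
    case "submit":
      if (!r.signed) return "ESIGN_REQUIRED";
      if (!r.investigatorId) return "INVESTIGATOR_REQUIRED";
      return r.investigatorId === d.creatorId ? "SOD-16-01" : null;
    case "close":
      if (!r.signed) return "ESIGN_REQUIRED";
      if (!r.hasAuthority) return "AUTHORITY_REQUIRED";
      if (r.actorId === d.investigatorId) return "SOD-16-04";
      return CLOSE_COSIGN[d.severity].every(has) ? null : "COSIGN_REQUIRED";
    case "void":
      if (!reasonOk) return "REASON_REQUIRED";
      if (!r.hasAuthority) return "AUTHORITY_REQUIRED";
      if (!r.signed) return "ESIGN_REQUIRED";
      return r.actorId === d.creatorId ? "SOD-16-05" : null;
    case "reopen":
      // SoD-16-06 is cited by the URS but not defined in this section; not modelled.
      if (!reasonOk) return "REASON_REQUIRED";
      if (!r.signed) return "ESIGN_REQUIRED";
      return has("executive") ? null : "COSIGN_REQUIRED";
    default:
      return null; // update / child_write on a draft or investigating record
  }
}

const NEXT: Partial<Record<Action, State>> = {
  submit: "investigating", close: "closed", void: "voided", reopen: "investigating",
};

function applyAction(d: Deviation, r: ActionRequest): Result {
  const code = denyCode(d, r);
  if (code !== null) {
    d.deniedAttempts.push(`${r.action}:${r.actorId}:${code}`); // kept for forensic review
    return { ok: false, code };
  }
  const target = NEXT[r.action];
  if (target !== undefined) {
    if (r.action === "submit") d.investigatorId = r.investigatorId ?? null;
    if (r.action === "reopen") d.iteration += 1; // new iteration; prior events untouched
    d.events.push(`${d.state}->${target}#${d.iteration}`);
    d.state = target;
  }
  return { ok: true, state: d.state };
}

function newDeviation(creatorId: string, severity: Severity): Deviation {
  return { state: "draft", severity, creatorId, investigatorId: null,
           iteration: 1, events: [], deniedAttempts: [] };
}
const outcome = (r: Result): string => (r.ok ? r.state : r.code);
```

Denied requests never change `state` or `events`; they only append to `deniedAttempts`, which mirrors the attempted-mutation audit entries required under DEC-16-08.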

#### Audit Trail

- Every Module 16 mutation calls `auditTrailService.log()` per QS-1 with full before/after payload (DEC-16-12 — normative).
- Lifecycle transitions log dual-write to `deviation_lifecycle_events` + URS-06.
- Child-row mutations (impact-area, affected-document) audited with parent-state context.
- Auth-related events (SoD violations, authority denials, void attempts) logged to `auth_audit_log`.

#### Event Publication

- Event emission per DEC-16-13: `deviation_created`, `deviation_status_changed`, `impact_area_added`, `impact_area_removed`, `affected_document_added`, `affected_document_removed`, `deviation_voided`, `deviation_closed`. Consumed by URS-21, URS-22, URS-26, URS-30.

#### Configurable Severity and Classification

- Tenant-configurable severity and per-practice classification per DEC-16-18 via `module_options` registry. Adding a severity or classification value is a controlled platform-level change.

#### Multi-dimensional Context

- Context capture per DEC-16-14: at least one scope anchor required. Active scope (URS-03) intersection drives list and discovery filters.
- `MODULE_CONTEXT_CONFIG['deviations']` declares site / product / study / supplier filtering.

#### Reporting and Search

- List filters per DEC-16-15: by lifecycle state, severity, practice, classification, scope, date range, due-for-investigation, overdue.
- Reports per §9: deviation inventory, lifecycle aging, severity distribution, practice-domain mix, overdue investigations, voided register, child-link orphan check.

### 2.2 Out of scope

- **Document Control** — URS-12; affected-document register lives there; Module 16 references via `document_id` FK.
- **RCA workflow** — URS-17; Module 16 references via `rca_id`.
- **CAPA workflow** — URS-18; Module 16 references via `capa_id`.
- **Complaint workflow** — URS-14; Module 16 may be linked from a complaint investigation.
- **OOS / OOT workflow** — URS-15; Module 16 may reference an OOS via `linked_oos_id` (deviation as the manufacturing cause for an OOS).
- **Batch release / disposition** — URS-23; Module 16 references batch via `batch_id`.
- **Stability / EM excursion registers** — URS-24 / URS-25.
- **Authentication, RBAC, scope** — URS-01 / 02 / 03.
- **E-signature substrate** — URS-04.
- **Authority Profile registry** — URS-05.
- **Audit substrate** — URS-06.
- **Generative / probabilistic AI in deviation classification / severity / closure decision paths** — prohibited per Annex 22 / DEC-16-19.

### 2.3 Closed launch decisions

| ID | Decision |
|---|---|
| DEC-16-01 | Deviation master registry shape and per-tenant scoping. |
| DEC-16-02 | Lifecycle state machine: `draft → investigating → closed \| voided`. Reopen is a governed transition event from `closed → investigating` per DEC-16-22 + SoD-16-06; it appends a new lifecycle event and a new investigation iteration without mutating or erasing the prior closed evidence. |
| DEC-16-03 | Server-authoritative race-safe `DEV-{YYYY}-{nnnnnn}` numbering via DB sequence. |
| DEC-16-04 | Practice-specific taxonomy: GMP / GCP / GLP / GDP / GVP / multi. |
| DEC-16-05 | Severity model: minor / major / critical. |
| DEC-16-06 | Severity-driven approval matrix at closure. |
| DEC-16-07 | Investigation conclusion entity + cross-module linkage fields. |
| DEC-16-08 | Closed / voided parent + child immutability (normative). |
| DEC-16-09 | Void workflow requires reason + authority + e-signature + SoD-16-05 (normative). |
| DEC-16-10 | Impact-area child-link entity with structured taxonomy. |
| DEC-16-11 | Affected-document child-link entity with `linked_urs13_record_id`. |
| DEC-16-12 | Audit trail full before/after payload coverage (normative). |
| DEC-16-13 | Event publication catalogue. |
| DEC-16-14 | Multi-dimensional context with at-least-one scope anchor. |
| DEC-16-15 | Reporting / list filters at launch. |
| DEC-16-16 | Cross-module linkage breadth. |
| DEC-16-17 | URS-23 batch flag triggered upon critical deviation affecting batch. |
| DEC-16-18 | Tenant-configurable severity / classification via `module_options`. |
| DEC-16-19 | Annex 22 GenAI prohibition in classification / severity / closure decision paths. |
| DEC-16-20 | ARCH-AI-001 binding (AC-2, AC-3, AC-4, AC-5, AC-7); EU AI Act Annex III HIGH-RISK. |
| DEC-16-21 | Critical deviation requires executive authority co-sign. |
| DEC-16-22 | Reopen of closed deviation is a governed transition event from `closed → investigating`; requires executive authority co-sign + reason; appends a new lifecycle event + new investigation iteration; does NOT mutate or erase prior closed evidence. |
| DEC-16-23 | Tenant offboarding cascade: open deviations → archived; closed / voided preserved per retention class. |
| DEC-16-24 | Typed DB contract aligned to service usage (normative). |
| DEC-16-25 | Test evidence pack required before launch. |

---

## 3. User Roles and Permissions

### 3.1 Architecture

Module 16 consumes URS-01 identity, URS-02 RBAC, URS-03 active scope, URS-04 e-signature, URS-05 Authority Profile registry. Three-guard hierarchy: RoleGuard → PermissionGuard → AuthorityGuard.

### 3.2 Role definitions

| Role | Purpose |
|---|---|
| `viewer` | Read-only access |
| `deviation_discoverer` | Per-tenant authority to create deviations from any operational role (operator / monitor / analyst / coordinator) |
| `deviation_investigator` | Investigation authority; assigned by QA |
| `qa_reviewer` | QA reviewer for deviation closure |
| `practice_lead_gmp` / `practice_lead_gcp` / `practice_lead_glp` / `practice_lead_gdp` / `practice_lead_gvp` | Per-practice closure co-sign authority |
| `deviation_void_authority` | Void approval authority |
| `deviation_closure_authority` | Closure attestation authority |
| `quality_lead` | Quality oversight |
| `regulatory_affairs_lead` | RA oversight |
| `admin` | Tenant administration; manage `module_options` for severity / classification |
| `platform_admin` | Verixa platform — tenant-scoped Module 16 actions are support / break-glass only with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, and SOC alert; routine tenant deviation administration belongs to tenant `admin` users |
| `super_admin` | Verixa super-admin — tenant-scoped Module 16 actions are support / break-glass only under the same controls as `platform_admin` |

### 3.3 Authority Profiles consumed by Module 16

| Authority Profile | Description |
|---|---|
| `deviation_investigation_signoff` | E-signature authority for investigation conclusion |
| `deviation_minor_closure_authority` | E-signature authority for minor-deviation closure |
| `deviation_major_closure_authority` | E-signature authority for major-deviation closure (with practice-lead co-sign) |
| `deviation_critical_closure_authority` | E-signature authority for critical-deviation closure (requires executive authority per DEC-16-21) |
| `deviation_void_authority` | Authority to void a deviation per DEC-16-09 |
| `deviation_reopen_executive_authority` | Executive authority for reopen (DEC-16-22) |
| `practice_lead_authority` | Per-practice (GMP / GCP / GLP / GDP / GVP) closure co-sign authority |
| `deviation_critical_executive_authority` | Executive authority for critical-deviation closure co-sign per DEC-16-21 |
| `deviation_classification_admin` | Tenant administration of `module_options` for severity / classification |

### 3.4 Segregation-of-Duties rules

| SoD Rule | Description |
|---|---|
| SoD-16-01 | The discoverer cannot also be the investigator. |
| SoD-16-02 | The investigator for a major / critical deviation cannot also be the QA reviewer at closure (cross-functional independence). |
| SoD-16-03 | The investigator cannot also be the practice-lead co-signer at closure. |
| SoD-16-04 | The investigator cannot also be the closure attestation authority. |
| SoD-16-05 | The voider cannot be the original creator. |
| SoD-16-06 | The executive authority reopen co-signer cannot be the original closure authority. |
| SoD-16-07 | The closure authority for a critical deviation cannot be the same user as the executive authority co-signer (matrix independence). |

### 3.5 Worked examples

**Example 1: Minor GMP manufacturing deviation — direct closure.** A manufacturing operator notices that the in-process pH reading was 6.4 vs. SOP-required 6.5–7.5; immediate adjustment was made; no impact on the in-process material. Operator opens deviation `DEV-2026-001234`, practice = `gmp`, severity = `minor`, study/site/product/batch captured. Investigator (different from operator per SoD-16-01) reviews; concludes "isolated event, immediate corrective action effective, no further investigation required". Investigator signs the investigation conclusion. QA reviewer / closure authority signs closure per minor matrix (DEC-16-06). The investigator MUST NOT act as closure authority. Deviation `closed`. Parent + children become immutable per DEC-16-08.

**Example 2: Major GCP clinical protocol deviation.** A clinical monitor finds that subject S-042 received Visit 3 on Day 30 instead of the protocol-specified Day 28 ± 3 (i.e., out of window by 1 day on the high side). Discoverer opens deviation, practice = `gcp`, severity = `major` (out-of-window dosing in pivotal trial). Investigator reviews; impact-area linked to `data_integrity` (medium) and `regulatory_commitment` (low — protocol amendment may be needed). Affected document linked: study-protocol document with target_revision_classification = `minor`. URS-13 record opened referencing the deviation. URS-17 RCA initiated for investigation depth. Investigator signs the investigation conclusion. QA reviewer / closure authority signs closure per DEC-16-06 major matrix; major deviations add `practice_lead_gcp` co-sign. The investigator MUST NOT act as closure authority. Deviation `closed`.

**Example 3: Critical GMP deviation requires executive authority co-sign (DEC-16-21).** A sterile filtration step on Batch B-9876 was performed with a non-sterilised pre-filter for ~20 minutes before the deviation was caught. Severity = `critical` (potential contamination of marketed sterile product). Practice = `gmp`. Impact areas: `product_quality` (high), `patient_safety` (high), `sterility_assurance` (critical), `regulatory_commitment` (high). Investigation includes URS-15 OOS confirmation testing and URS-17 RCA. Affected documents: SOP-MFG-014, batch record. URS-13 record opened for filtration-step revalidation. URS-18 CAPA initiated. URS-14 complaint workflow potentially triggered if marketed batch implicated. Investigator signs the investigation conclusion. QA reviewer / closure authority signs closure with `practice_lead_gmp` co-sign and **executive authority co-sign per DEC-16-21**. The investigator MUST NOT act as closure authority. SoD-16-07 enforced (closure authority ≠ executive authority).

**Example 4: SoD-16-01 enforcement — discoverer attempts to investigate own deviation.** The operator who created `DEV-2026-001235` is also a qualified investigator and attempts to assign themselves. Service rejects with HTTP 403 + `DEVIATION_SOD_VIOLATION_DISCOVERER_CANNOT_INVESTIGATE`. URS-06 audit substrate records the attempt.

**Example 5: Void with reason + authority + e-signature (DEC-16-09).** A QA reviewer determines `DEV-2026-001236` was created in error (operator misread the SOP). The reviewer opens void workflow; provides reason ("SOP requirement was 6.0–8.0 per current revision; 6.4 reading is in spec; deviation created in error"); authority gate `deviation_void_authority` is enforced; e-signature via Controlled Approval Modal (with `meaningOfSignature` + `reasonForChange`). SoD-16-05 enforced: voider cannot be the original creator. Deviation `voided` (soft-delete; preserved for audit). Void requires controlled authority gate, e-signature, and SoD-16-05 enforcement.

**Example 6: Reopen requires executive authority co-sign (DEC-16-22).** A closed deviation is found post-closure to have additional implicated batches. QA proposes reopen. Executive authority e-signs reopen via `deviation_reopen_executive_authority`. SoD-16-06 enforced. Deviation transitions back to `investigating`.

**Example 7: Annex 22 GenAI prohibition runtime block (DEC-16-19).** A user attempts to invoke "AI-suggest closure disposition" experimental UI. Runtime block returns HTTP 403 + `DEVIATION_GENAI_PROHIBITED`. Per Annex 22 / EU AI Act Annex III HIGH-RISK. Static deterministic AI MAY suggest similar prior deviations and pattern-matched classification candidates; only that is permitted (advisory under ARCH-AI-001 AC-2).

### 3.6 Role-permission matrix (Module 16 administrative surface only)

| Permission | viewer | deviation_discoverer | deviation_investigator | qa_reviewer | practice_lead | deviation_void_authority | deviation_closure_authority | quality_lead | admin |
|---|---|---|---|---|---|---|---|---|---|
| `deviations:read` | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| `deviations:create` | ✗ | ✓ | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| `deviations:update_draft` | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `deviations:submit_for_investigation` (with SoD-16-01) | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `deviations:investigate` (with SoD-16-01 + e-sign) | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ |
| `deviations:add_impact_area` | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `deviations:add_affected_document` | ✗ | ✗ | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ |
| `deviations:close_minor` (with authority + SoD-16-04 + e-sign) | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ |
| `deviations:close_major` (with authority + SoD + e-sign + practice-lead co-sign) | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| `deviations:close_critical` (with authority + SoD + e-sign + executive co-sign) | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| `deviations:critical_executive_cosign` (executive authority) | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ (executive authority only) |
| `deviations:void` (with authority + SoD-16-05 + e-sign) | ✗ | ✗ | ✗ | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ |
| `deviations:reopen_executive` (executive authority + SoD-16-06) | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ (executive authority only) |
| `deviations:read_audit` | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

---

## 4. End-to-End User Journeys

### J-01 — Discoverer creates deviation

`deviation_discoverer` opens `/deviations/new`. Captures practice, classification (per `module_options` for selected practice), severity, scope (study / site / product / supplier / batch / equipment), discovery date, symptom, immediate action. Saves; platform assigns `DEV-{YYYY}-{nnnnnn}` race-safe per DEC-16-03. State `draft`. URS-06 records create with full payload.

### J-02 — Discoverer submits for investigation (SoD-16-01)

Discoverer clicks submit. Platform validates draft completeness. Transitions `draft → investigating`. URS-30 notifies QA + investigator team. The investigator assignment enforces SoD-16-01 (discoverer ≠ investigator).

### J-03 — Investigator opens investigation

`deviation_investigator` opens the deviation. Adds impact-area child rows (each e-signed by assessor). Adds affected-document child rows (each linked to URS-12 documents).

### J-04 — Investigator escalates to URS-17 RCA

Root cause requires deeper analysis. Investigator opens URS-17 RCA referencing `deviation_id`; `rca_id` saved on the deviation investigation record.

### J-05 — Investigator initiates URS-18 CAPA

Corrective / preventive action needed. Investigator opens URS-18 CAPA referencing `deviation_id`; `capa_id` saved.

### J-06 — Investigator triggers URS-13 record (deviation precipitates platform change)

Investigation reveals the deviation requires a controlled platform change (e.g., SOP revision). Investigator opens URS-13 record; `linked_change_id` saved.

### J-07 — Investigator links URS-15 OOS investigation

The deviation is the manufacturing cause for a previously opened OOS. Investigator links via `linked_oos_id` (URS-15).

### J-08 — Investigator links URS-14 complaint

A customer complaint precipitated the deviation. Investigator links via `linked_complaint_id` (URS-14).

### J-09 — Investigator records investigation conclusion (SoD-16-04)

Investigator records conclusion text, root-cause summary. E-signs investigation conclusion via Controlled Approval Modal. SoD-16-04 enforced: investigator cannot also be the closure authority.

### J-10 — Closure: minor deviation (DEC-16-06 minor matrix)

`deviation_closure_authority` + QA co-sign per minor matrix. E-signed. Transitions `investigating → closed`. Parent + children become immutable per DEC-16-08.

### J-11 — Closure: major deviation (DEC-16-06 major matrix)

`deviation_closure_authority` + QA + `practice_lead_*` (per the deviation's practice). E-signed. Transitions `investigating → closed`.

### J-12 — Closure: critical deviation requires executive authority co-sign (DEC-16-21)

`deviation_closure_authority` + QA + `practice_lead_*` + **executive authority via `deviation_critical_executive_authority`** per DEC-16-21. SoD-16-07 enforced (closure ≠ executive co-sign user). E-signed. Transitions `investigating → closed`.

### J-13 — Closure-blocked: SoD-16-04 violation

Investigator attempts to e-sign closure. Service rejects with HTTP 403 + `DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE`.

### J-14 — Void from draft (DEC-16-09)

A QA reviewer determines a draft deviation was created in error. Opens void workflow with reason. `deviation_void_authority` Authority Profile + e-signature. SoD-16-05 enforced. Transitions `draft → voided` (soft-delete; preserved).

### J-15 — Void from investigating (DEC-16-09)

Investigator confirms during investigation that the recorded event was not a deviation (procedure was correctly followed; observation was misinterpreted). Void workflow + reason + authority + e-signature. SoD-16-05 enforced. Transitions `investigating → voided`.

### J-16 — Void blocked: SoD-16-05 violation

Original creator attempts to void own deviation. Service rejects with HTTP 403 + `DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR`.

### J-17 — Void blocked: missing authority

User without `deviation_void_authority` Authority Profile attempts void. HTTP 403 + `DEVIATION_AUTHORITY_REQUIRED`.

### J-18 — Mutation blocked on closed deviation (DEC-16-08 immutability)

User attempts to update a closed deviation. Service rejects with HTTP 422 + `DEVIATION_CLOSED_IMMUTABLE`. Audit substrate records attempted mutation.

### J-19 — Child-row mutation blocked on voided deviation (DEC-16-08 immutability)

User attempts to remove an impact-area child row on a voided deviation. Service rejects with HTTP 422 + `DEVIATION_VOIDED_PARENT_IMMUTABLE`. Audit records attempt.

### J-20 — Reopen of closed deviation requires executive authority co-sign (DEC-16-22)

Post-closure issue identified. Executive authority e-signs reopen via `deviation_reopen_executive_authority`. SoD-16-06 enforced. Transitions `closed → investigating` with documented reason.

### J-21 — Tenant administrator extends classification taxonomy (DEC-16-18)

`admin` updates `module_options` to add a tenant-specific GMP classification value. URS-13 platform-level record opened (because severity / classification taxonomy is platform-significant). Authority gate enforced.

### J-22 — Reporting: severity distribution dashboard

`quality_lead` opens the deviation severity dashboard. Per-product / per-site / per-practice / per-time-window severity distribution + overdue investigations + open critical / major queue.

### J-23 — Reporting: practice-domain mix

QA dashboard shows GMP / GCP / GLP / GDP / GVP / multi-practice deviation distribution; identifies hot spots (e.g., GDP cold-chain breaches trending up).

### J-24 — Static deterministic AI advisory: similar prior deviations (ARCH-AI-001 AC-2)

On deviation create, static deterministic similarity service surfaces "similar deviations in the last 12 months for this product / batch / classification" using historical pattern matching. Visibly labelled "AI-suggested — requires human review" per AC-3. Discoverer / investigator may reference the suggestion in the investigation. Advisory + decision audited per AC-5. Per Annex 22 / DEC-16-19: NO LLM / generative AI; only static deterministic similarity.

### J-25 — Annex 22 GenAI prohibition runtime block (DEC-16-19)

User attempts to invoke "AI-suggest closure disposition" experimental UI. Runtime block returns HTTP 403 + `DEVIATION_GENAI_PROHIBITED`. Lint rule (Gate 8 per CLAUDE.md QS-1..24) prevents the surface from shipping.

### J-26 — Auditor reviews deviation evidence pack

Inspector requests evidence on a closed deviation. Platform exports the deviation evidence pack: full deviation record + impact-areas + affected-documents + investigation conclusion + linked URS-17 RCA + URS-18 CAPA + URS-13 record + URS-14 complaint linkage + URS-15 OOS linkage + closure attestation matrix (with all required signatures) + URS-06 audit hash-chain proof. Watermarked, e-signed by `quality_lead`.

### J-27 — Tenant offboarding cascade (DEC-16-23)

Tenant `offboarding`: open deviations transition to `archived_for_audit`; closed / voided records preserved per retention class.

### J-28 — APQR consumption of deviation statistics (URS-26)

URS-26 APQR consumes deviation statistics (count by practice, severity distribution, mean time to closure, % critical / major / minor, % voided, top recurring classifications, cross-product deviation rates) per ICH Q10.

---

## 5. Front-End Expected State

### 5.1 Routes

| Route | Purpose |
|---|---|
| `/deviations` | Deviation landing — list, filter |
| `/deviations/new` | Create deviation (with practice / classification / severity selectors) |
| `/deviations/:id` | Deviation detail (investigation / impact areas / affected documents / closure / audit tabs) |
| `/deviations/:id/investigate` | Investigation editor with linkage to URS-17 / URS-18 / URS-13 / URS-14 / URS-15 |
| `/deviations/:id/impact-areas` | Impact-area child editor |
| `/deviations/:id/affected-documents` | Affected-document child editor |
| `/deviations/:id/close` | Closure modal (severity-driven matrix) |
| `/deviations/:id/void` | Void modal with reason + authority + e-sign |
| `/deviations/:id/audit` | Per-deviation audit trail |
| `/deviations/me/assignments` | My open assignments |
| `/deviations/dashboards/severity-distribution` | Severity dashboard |
| `/deviations/dashboards/practice-mix` | Practice-domain mix |
| `/deviations/dashboards/aging` | Lifecycle aging |
| `/deviations/dashboards/overdue` | Overdue investigations |
| `/deviations/dashboards/voided` | Voided register |
| `/admin/deviations/classification-taxonomy` | Classification taxonomy admin (`admin`+) |
| `/executive/deviations/critical-cosign` | Executive authority critical-cosign queue (executive authority only) |
| `/executive/deviations/reopen` | Executive authority reopen workflow (executive authority only) |

### 5.2 Component requirements

- **DeviationList / DeviationCard** — practice, classification, severity badge, lifecycle state, age, assignment.
- **DeviationCreateForm** — practice picker → classification picker (filtered by practice) → severity picker → scope → symptom → immediate action.
- **InvestigationEditor** — conclusion + RCA + linkage panel (URS-17 / URS-18 / URS-13 / URS-14 / URS-15).
- **ImpactAreaEditor** — structured taxonomy + impact-severity + assessor sign.
- **AffectedDocumentEditor** — URS-12 picker + revision-required toggle + target-revision classification + URS-13 link.
- **ClosureMatrixModal** — severity-driven matrix (minor / major / critical) with e-sign per slot + executive authority co-sign for critical.
- **VoidModal** — reason text + authority gate + e-sign with SoD-16-05.
- **AIAdvisoryBanner** — visible "AI-suggested" labelling per ARCH-AI-001 AC-3 on similarity / classification advisory surfaces.
- **AuditTrailViewer** — chronological per-deviation view with attempted-mutation forensic events.
- **ExecutiveAuthorityCriticalCoSignModal** — executive-authority-only critical-deviation co-sign.
- **ExecutiveAuthorityReopenModal** — executive-authority-only reopen.

### 5.3 Accessibility and internationalisation

- WCAG 2.1 AA across all components.
- Keyboard navigation; screen-reader labelling; AI advisory pill announcements.
- Internationalisation: all strings in resource files; locale-aware date/time.

---

## 6. Back-End Expected State

### 6.1 Domain entities

| Entity | Purpose |
|---|---|
| `deviations` | Master deviation registry |
| `deviation_lifecycle_events` | Lifecycle transition audit substrate |
| `deviation_impact_areas` | Impact-area child links |
| `deviation_affected_documents` | Affected-document child links |
| `deviation_investigation_conclusions` | Investigation conclusion records |
| `deviation_closure_attestations` | Per-slot closure signatures (minor / major / critical matrix) |
| `module_options` | Tenant-configurable severity + classification (consumed read) |
| `auth_audit_log` | Auth events (URS-06 substrate) |
| `ai_requests` | Advisory AI request audit (URS-06 substrate) |

### 6.1.1 Diagram 6.1-A — Module 16 entity-relationship overview

```mermaid
erDiagram
  DEVIATIONS ||--o{ DEVIATION_LIFECYCLE_EVENTS : emits
  DEVIATIONS ||--o{ DEVIATION_IMPACT_AREAS : has
  DEVIATIONS ||--o{ DEVIATION_AFFECTED_DOCUMENTS : has
  DEVIATIONS ||--o| DEVIATION_INVESTIGATION_CONCLUSIONS : has
  DEVIATIONS ||--o{ DEVIATION_CLOSURE_ATTESTATIONS : has
  TENANTS ||--o{ DEVIATIONS : owns
  STUDIES ||--o{ DEVIATIONS : optional_scopes
  SITES ||--o{ DEVIATIONS : optional_scopes
  PRODUCTS ||--o{ DEVIATIONS : optional_scopes
  SUPPLIERS ||--o{ DEVIATIONS : optional_scopes
  BATCH_RECORDS ||--o{ DEVIATIONS : optional_scopes
  EQUIPMENT ||--o{ DEVIATIONS : optional_scopes
  USERS ||--o{ DEVIATIONS : creates_investigates_closes_voids
  RCAS ||--o{ DEVIATION_INVESTIGATION_CONCLUSIONS : linked_via_rca_id
  CAPAS ||--o{ DEVIATION_INVESTIGATION_CONCLUSIONS : linked_via_capa_id
  URS13_RECORDS ||--o{ DEVIATION_INVESTIGATION_CONCLUSIONS : linked_via_change_id
  COMPLAINTS ||--o{ DEVIATION_INVESTIGATION_CONCLUSIONS : linked_via_complaint_id
  OOS_INVESTIGATIONS ||--o{ DEVIATION_INVESTIGATION_CONCLUSIONS : linked_via_oos_id
  DOCUMENTS ||--o{ DEVIATION_AFFECTED_DOCUMENTS : referenced_via_document_id
  MODULE_OPTIONS ||--o{ DEVIATIONS : configures_severity_classification
  DEVIATIONS ||--o{ AUTH_AUDIT_LOG : security_logged
  DEVIATIONS ||--o{ AI_REQUESTS : advisory_for
```

Diagram 6.1-A — Module 16 entity-relationship.

### 6.1.2 Diagram 6.1-B — Deviation lifecycle state machine (full)

```mermaid
stateDiagram-v2
  [*] --> draft : create
  draft --> investigating : submit_for_investigation (SoD-16-01)
  draft --> voided : void (DEC-16-09 + SoD-16-05)
  investigating --> closed : closure_signed (severity-driven matrix DEC-16-06 + SoD-16-04)
  investigating --> voided : void (DEC-16-09 + SoD-16-05)
  closed --> investigating : reopen — governed transition (DEC-16-22 + SoD-16-06; appends new lifecycle event + new investigation iteration; does NOT mutate or erase prior closed evidence)
  closed --> [*] : immutable parent + children DEC-16-08
  voided --> [*] : immutable parent + children DEC-16-08
  note right of investigating
    Severity gate at closure:
    Investigator signs investigation conclusion;
    QA reviewer / closure authority signs closure;
    major: + practice_lead_* co-sign;
    critical: + executive authority co-sign (DEC-16-21, SoD-16-07);
    Investigator MUST NOT act as closure authority.
  end note
```

Diagram 6.1-B — Deviation lifecycle state machine including severity-driven closure matrix (DEC-16-06), executive-authority-cosigned reopen path (DEC-16-22), and post-closure / post-void parent + child immutability (DEC-16-08).

### 6.1.3 Diagram 6.1-C — Severity-driven closure matrix

```mermaid
flowchart TD
  Inv[Investigation conclusion signed SoD-16-04] --> Sev{Severity}
  Sev -- minor --> Min[deviation_closure_authority + qa_reviewer e-sign]
  Sev -- major --> Maj[deviation_closure_authority + qa_reviewer + practice_lead_* e-sign]
  Sev -- critical --> Crit[deviation_closure_authority + qa_reviewer + practice_lead_* + executive authority DEC-16-21]
  Crit --> SoD7{SoD-16-07: closure_authority ≠ executive co-signer?}
  SoD7 -- violates --> Reject403[HTTP 403 SoD violation]
  SoD7 -- ok --> AuthGate[withAuthority deviation_critical_closure_authority + executive authority]
  AuthGate -- denied --> Reject403b[HTTP 403 authority denied]
  AuthGate -- granted --> ESign[Controlled Approval Modal each slot]
  Min --> Persist[Persist closure attestations + signatures]
  Maj --> Persist
  ESign --> Persist
  Persist --> StateClose[deviation → closed]
  StateClose --> Immutable[Parent + children immutable DEC-16-08]
  StateClose --> Audit[URS-06 closure audit + matrix evidence]
```

Diagram 6.1-C — Severity-driven closure matrix per DEC-16-06; critical deviations require executive authority co-sign per DEC-16-21 with SoD-16-07; closure attestations persisted with full signature evidence.
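
The gate in Diagram 6.1-C written as a pure function, as an added TypeScript example and not Verixa code: it checks the slots the severity demands, then SoD-16-02 / 03 / 04 / 07, then the Authority Profiles from §3.3. Assumptions: all type and function names, the slot-presence step and its HTTP 422, treating `qa_reviewer` as role-based with no Authority Profile, reuse of `DEVIATION_AUTHORITY_REQUIRED` at closure, and every code prefixed `PLACEHOLDER_`, which this URS does not define.

```typescript
// Added example, not project code. E-signature capture is assumed to have
// produced the signatures passed in. PLACEHOLDER_ codes are not in the URS.
type Severity = "minor" | "major" | "critical";
type Slot = "closure_authority" | "qa_reviewer" | "practice_lead" | "executive_authority";

interface SlotSignature { slot: Slot; userId: string; authorityProfiles: string[]; }
interface ClosureRequest { severity: Severity; investigatorId: string; signatures: SlotSignature[]; }
interface Decision { status: number; code: string; }

// Required signature slots per severity, taken from Diagram 6.1-C.
const REQUIRED_SLOTS: Record<Severity, Slot[]> = {
  minor: ["closure_authority", "qa_reviewer"],
  major: ["closure_authority", "qa_reviewer", "practice_lead"],
  critical: ["closure_authority", "qa_reviewer", "practice_lead", "executive_authority"],
};

// Authority Profile each slot must hold; null means role-based only (assumption).
function requiredProfile(slot: Slot, severity: Severity): string | null {
  if (slot === "closure_authority") return "deviation_" + severity + "_closure_authority";
  if (slot === "practice_lead") return "practice_lead_authority";
  if (slot === "executive_authority") return "deviation_critical_executive_authority";
  return null;
}

function findSlot(req: ClosureRequest, slot: Slot): SlotSignature | null {
  for (const s of req.signatures) if (s.slot === slot) return s;
  return null;
}

function decision(status: number, code: string): Decision {
  return { status: status, code: code };
}

function evaluateClosure(req: ClosureRequest): Decision {
  const signed: SlotSignature[] = [];
  // 1. Every slot the severity demands must carry a signature.
  for (const slot of REQUIRED_SLOTS[req.severity]) {
    const sig = findSlot(req, slot);
    if (sig === null) return decision(422, "PLACEHOLDER_CLOSURE_SLOT_MISSING:" + slot);
    signed.push(sig);
  }
  // 2. Segregation of duties, evaluated before the authority gate as in the diagram.
  for (const sig of signed) {
    if (sig.userId !== req.investigatorId) continue;
    if (sig.slot === "closure_authority") {
      return decision(403, "DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE"); // SoD-16-04
    }
    if (sig.slot === "qa_reviewer" && req.severity !== "minor") {
      return decision(403, "PLACEHOLDER_SOD_16_02_VIOLATION"); // major / critical only
    }
    if (sig.slot === "practice_lead") return decision(403, "PLACEHOLDER_SOD_16_03_VIOLATION");
  }
  if (req.severity === "critical") {
    const closer = findSlot(req, "closure_authority");
    const exec = findSlot(req, "executive_authority");
    if (closer !== null && exec !== null && closer.userId === exec.userId) {
      return decision(403, "PLACEHOLDER_SOD_16_07_VIOLATION");
    }
  }
  // 3. Authority gate: a profile for a lower severity does not satisfy a higher one.
  for (const sig of signed) {
    const profile = requiredProfile(sig.slot, req.severity);
    if (profile !== null && sig.authorityProfiles.indexOf(profile) === -1) {
      return decision(403, "DEVIATION_AUTHORITY_REQUIRED");
    }
  }
  return decision(200, "CLOSED");
}

// Constructed sample modelled on Example 3 (critical GMP); user ids are made up.
function sampleCritical(execUserId: string): ClosureRequest {
  return {
    severity: "critical",
    investigatorId: "u-investigator",
    signatures: [
      { slot: "closure_authority", userId: "u-closer", authorityProfiles: ["deviation_critical_closure_authority"] },
      { slot: "qa_reviewer", userId: "u-qa", authorityProfiles: [] },
      { slot: "practice_lead", userId: "u-gmp-lead", authorityProfiles: ["practice_lead_authority"] },
      { slot: "executive_authority", userId: execUserId, authorityProfiles: ["deviation_critical_executive_authority"] },
    ],
  };
}
```

Because SoD-16-02 is scoped to major / critical deviations, this sketch lets the investigator fill the QA slot on a minor closure while still blocking them from the closure-authority slot.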

### 6.1.4 Diagram 6.1-D — Void workflow with reason + authority + e-signature

```mermaid
flowchart TD
  Init[Void requested] --> Reason[Capture voided_reason text]
  Reason --> SoD5{SoD-16-05: voider ≠ creator?}
  SoD5 -- violates --> Reject403[HTTP 403 DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR]
  SoD5 -- ok --> AuthGate{withAuthority deviation_void_authority}
  AuthGate -- denied --> Reject403b[HTTP 403 DEVIATION_AUTHORITY_REQUIRED]
  AuthGate -- granted --> ESign[Controlled Approval Modal e-sign]
  ESign --> ParentCheck{Parent state}
  ParentCheck -- draft --> SoftDelete[Soft-delete: set deleted_at + state=voided + voided_signature_id]
  ParentCheck -- investigating --> SoftDelete
  ParentCheck -- closed --> Reject422[HTTP 422 DEVIATION_CLOSED_CANNOT_VOID]
  SoftDelete --> Immutable[Parent + children immutable DEC-16-08]
  SoftDelete --> Audit[URS-06 void audit with reason + signature]
```

Diagram 6.1-D — Void workflow per DEC-16-09 (normative). Reason + authority + e-signature + SoD-16-05 + soft-delete only.

### 6.2 Data model requirements

| Requirement | Statement |
|---|---|
| URS-16-DATA-001 | `deviations` table per DEC-16-01 with all listed fields per §2.1; at least one scope anchor required per DEC-16-14. |
| URS-16-DATA-002 | Race-safe sequential `deviation_number` via DB sequence per DEC-16-03. |
| URS-16-DATA-003 | `deviation_lifecycle_events` append-only with `from_state`, `to_state`, `actor_user_id`, `at_timestamp`, `signature_id`, `reason`. |
| URS-16-DATA-004 | `deviation_impact_areas` per DEC-16-10 with structured taxonomy + impact severity + assessor signature. |
| URS-16-DATA-005 | `deviation_affected_documents` per DEC-16-11 with `linked_urs13_record_id`. |
| URS-16-DATA-006 | `deviation_investigation_conclusions` per DEC-16-07 with `rca_id`, `capa_id`, `linked_change_id`, `linked_complaint_id`, `linked_oos_id`. |
| URS-16-DATA-007 | `deviation_closure_attestations` with per-slot signature rows per DEC-16-06 matrix. |
| URS-16-DATA-008 | All Module 16 tables have RLS per QS-6. |
| URS-16-DATA-009 | All mutations record full before/after payloads to URS-06 audit per DEC-16-12 / QS-1. |
| URS-16-DATA-010 | `MODULE_CONTEXT_CONFIG['deviations']` declares site / product / study / supplier filtering per DEC-16-14. |
| URS-16-DATA-011 | Typed DB contract aligned to service usage per DEC-16-24 (normative). |
| URS-16-DATA-012 | Hard-delete prohibited; soft-delete only via void workflow. |

### 6.3 API requirements

| Endpoint | Method | Purpose |
|---|---|---|
| `/api/v1/deviations` | GET, POST | List, create |
| `/api/v1/deviations/:id` | GET, PATCH | Get, update (blocked when closed/voided per DEC-16-08) |
| `/api/v1/deviations/:id/submit-for-investigation` | POST (with SoD-16-01) | Transition to investigating |
| `/api/v1/deviations/:id/investigate` | POST (with SoD-16-01 + e-sign) | Investigation conclusion sign |
| `/api/v1/deviations/:id/impact-areas` | GET, POST, DELETE | Manage impact areas (parent immutability enforced) |
| `/api/v1/deviations/:id/affected-documents` | GET, POST, DELETE | Manage affected documents (parent immutability enforced) |
| `/api/v1/deviations/:id/close` | POST (severity-driven matrix + SoD-16-04 + e-sign per slot) | Closure |
| `/api/v1/deviations/:id/close/critical-cosign` | POST (executive authority + SoD-16-07 + e-sign) | Critical co-sign per DEC-16-21 |
| `/api/v1/deviations/:id/void` | POST (with `deviation_void_authority` + SoD-16-05 + reason + e-sign) | Void per DEC-16-09 |
| `/api/v1/deviations/:id/reopen` | POST (executive authority + SoD-16-06 + reason) | Reopen per DEC-16-22 |
| `/api/v1/deviations/:id/audit` | GET | Per-deviation audit trail |
| `/api/v1/deviations/me/assignments` | GET | My open assignments |
| `/api/v1/deviations/admin/classification-taxonomy` | GET, PUT (with admin authority) | Tenant-configurable severity / classification |

### 6.4 Workflow / lifecycle requirements

- URS-16-WF-001: Lifecycle state transitions per §6.4; unauthorised transitions return HTTP 422 + `DEVIATION_INVALID_TRANSITION`.
- URS-16-WF-002: Submit-for-investigation enforces SoD-16-01.
- URS-16-WF-003: Investigation conclusion enforces SoD-16-04 (investigator ≠ closure authority).
- URS-16-WF-004: Closure enforces severity-driven matrix per DEC-16-06.
- URS-16-WF-005: Critical closure requires executive authority co-sign per DEC-16-21 with SoD-16-07.
- URS-16-WF-006: Void enforces reason + `deviation_void_authority` + e-signature + SoD-16-05.
- URS-16-WF-007: Reopen requires executive authority + SoD-16-06 per DEC-16-22.
- URS-16-WF-008: Closed / voided parent + child rows immutable per DEC-16-08.
- URS-16-WF-009: Hard delete prohibited.
- URS-16-WF-010: Critical deviation affecting batch triggers URS-23 batch flag per DEC-16-17.
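
A sketch of WF-001 and WF-006 through WF-008 as guard functions, added here as a TypeScript example and not taken from the Verixa code base: void follows the check order of Diagram 6.1-D, reopen appends a lifecycle event to a copy so the closed evidence is never mutated, and closed / voided parents reject mutation. Assumptions: all type and function names, the reopen check order, e-signature capture having succeeded upstream, applying the two immutability codes by parent state, and every code prefixed `PLACEHOLDER_`, which this URS does not define.

```typescript
// Added example, not project code. PLACEHOLDER_ codes are not in the URS.
type State = "draft" | "investigating" | "closed" | "voided";

interface LifecycleEvent { from: State; to: State; actorUserId: string; reason: string; }
interface Deviation {
  state: State;
  createdBy: string;
  closedBy: string | null;   // closure authority of the most recent closure
  iteration: number;         // investigation iteration counter
  events: LifecycleEvent[];  // append-only lifecycle history
}
interface Actor { userId: string; authorityProfiles: string[]; }
interface Result { status: number; code: string; deviation: Deviation; }

function hasProfile(actor: Actor, profile: string): boolean {
  return actor.authorityProfiles.indexOf(profile) !== -1;
}

function outcome(status: number, code: string, dev: Deviation): Result {
  return { status: status, code: code, deviation: dev };
}

// Returns a new record with one event appended; the input record is left untouched.
function transition(dev: Deviation, to: State, actor: Actor, reason: string): Deviation {
  const appended: LifecycleEvent = { from: dev.state, to: to, actorUserId: actor.userId, reason: reason };
  const reopening = dev.state === "closed" && to === "investigating";
  return {
    state: to,
    createdBy: dev.createdBy,
    closedBy: dev.closedBy,
    iteration: reopening ? dev.iteration + 1 : dev.iteration,
    events: dev.events.concat([appended]),
  };
}

// Diagram 6.1-D order: reason, SoD-16-05, authority gate, then parent state.
function voidDeviation(dev: Deviation, actor: Actor, reason: string): Result {
  if (reason.trim() === "") return outcome(422, "PLACEHOLDER_VOID_REASON_REQUIRED", dev);
  if (actor.userId === dev.createdBy) {
    return outcome(403, "DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR", dev);
  }
  if (!hasProfile(actor, "deviation_void_authority")) {
    return outcome(403, "DEVIATION_AUTHORITY_REQUIRED", dev);
  }
  if (dev.state === "closed") return outcome(422, "DEVIATION_CLOSED_CANNOT_VOID", dev);
  if (dev.state === "voided") return outcome(422, "DEVIATION_INVALID_TRANSITION", dev);
  return outcome(200, "VOIDED", transition(dev, "voided", actor, reason));
}

// DEC-16-22: only closed -> investigating, with reason, SoD-16-06 and executive authority.
function reopenDeviation(dev: Deviation, actor: Actor, reason: string): Result {
  if (dev.state !== "closed") return outcome(422, "DEVIATION_INVALID_TRANSITION", dev);
  if (reason.trim() === "") return outcome(422, "PLACEHOLDER_REOPEN_REASON_REQUIRED", dev);
  if (actor.userId === dev.closedBy) return outcome(403, "PLACEHOLDER_SOD_16_06_VIOLATION", dev);
  if (!hasProfile(actor, "deviation_reopen_executive_authority")) {
    return outcome(403, "DEVIATION_AUTHORITY_REQUIRED", dev);
  }
  return outcome(200, "REOPENED", transition(dev, "investigating", actor, reason));
}

// DEC-16-08: call before any parent or child-row write.
function guardMutation(dev: Deviation): Result {
  if (dev.state === "closed") return outcome(422, "DEVIATION_CLOSED_IMMUTABLE", dev);
  if (dev.state === "voided") return outcome(422, "DEVIATION_VOIDED_PARENT_IMMUTABLE", dev);
  return outcome(200, "OK", dev);
}

// Constructed sample: a closed deviation with two lifecycle events; user ids are made up.
function sampleClosedDeviation(): Deviation {
  return {
    state: "closed",
    createdBy: "u-operator",
    closedBy: "u-closer",
    iteration: 1,
    events: [
      { from: "draft", to: "investigating", actorUserId: "u-operator", reason: "submitted" },
      { from: "investigating", to: "closed", actorUserId: "u-closer", reason: "closure signed" },
    ],
  };
}
```

Following the diagram's order means the creator of a closed deviation who attempts a void receives the 403 SoD code rather than the 422 state code, so rejected attempts should be audited by the code actually returned.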

### 6.5 Business rules

- BR-16-01: Race-safe `deviation_number` via DB sequence per DEC-16-03.
- BR-16-02: Tenant isolation enforced via TDAL + RLS.
- BR-16-03: Severity defaults are `module_options`-driven; tenant overrides require admin authority.
- BR-16-04: Critical deviation severity escalates closure matrix to require executive authority co-sign per DEC-16-21.
- BR-16-05: Per Annex 22 / DEC-16-19: NO LLM / generative AI in deviation classification / severity / closure decision paths.
- BR-16-06: Tenant offboarding cascade per DEC-16-23.
- BR-16-07: Closed deviation reopened only via executive authority + reason per DEC-16-22.
- BR-16-08: Audit trail append-only per QS-1; full before/after payload per DEC-16-12.
- BR-16-09: Practice-specific classification values from `module_options` validated at create / update.
- BR-16-10: Critical-system / Annex 1 sterile manufacturing deviation triggers automatic priority elevation.

### 6.6 Audit trail requirements

- Every Module 16 mutation calls `auditTrailService.log()` with full before/after payload per QS-1 + DEC-16-12.
- Lifecycle transitions logged dual-write to `deviation_lifecycle_events` + URS-06.
- Investigation conclusion, child-row add / remove, closure attestations, void, reopen all logged.
- Auth-related events (SoD violations, authority denials) logged to `auth_audit_log`.
- Advisory AI requests logged to `ai_requests` per AC-5.
- Append-only per QS-1.

### 6.7 Architecture binding — Internal Annex 22 GenAI prohibition control + ARCH-AI-001 (AC-2, AC-3, AC-4, AC-5, AC-7) + internal EU AI Act Annex III high-risk classification (forward-looking; not enacted predicate rule; binding predicate-rule obligations remain those listed in §14)

| Surface | AI use permitted | Governance |
|---|---|---|
| Closure disposition decision | NONE — Annex 22 prohibition | Manual decision; severity-matrix authority |
| Severity-driven escalation decision | NONE — Annex 22 prohibition | Manual; rule-based matrix |
| Regulatory-impact decision | NONE — Annex 22 prohibition | Manual |
| Void disposition decision | NONE — Annex 22 prohibition | Manual; deviation_void_authority |
| AI-suggested severity (advisory) | YES — static deterministic only | ARCH-AI-001 AC-2/3/4/5/7 |
| AI-suggested type (advisory) | YES — static deterministic only | ARCH-AI-001 AC-2/3/4/5/7 |
| AI similarity (advisory) | YES — static deterministic over historical deviations | ARCH-AI-001 AC-2/3/4/5/7 |
| AI root-cause proposal (advisory) | YES — static deterministic; never autonomous | ARCH-AI-001 AC-2/3/4/5/7 |
| MIRA copilot read-only retrieval over closed deviations | YES — read-only | URS-12 RAG |

Internal AI-governance obligations aligned with EU AI Act Annex III high-risk classification (treated as internal forward-looking control, not enacted predicate rule) include AI-specific QMS, conformity assessment, technical documentation, ongoing monitoring, human oversight; supported by ARCH-AI-001 architectural reference + URS-06 audit substrate + Authority-gated workflow. Jurisdiction-specific legal enforceability remains subject to a future jurisdiction-specific legal assessment. Binding predicate-rule obligations remain those listed in §14.

---

## 7. Cross-Module Wiring and Change-Impact

### 7.1 Cross-module wiring

```mermaid
flowchart LR
  M01[URS-01 Auth] --> M16[Module 16]
  M02[URS-02 RBAC] --> M16
  M03[URS-03 Active Scope] --> M16
  M04[URS-04 Workflow / E-Sign] --> M16
  M05[URS-05 Authority Profiles] --> M16
  M16 --> M06[URS-06 Audit Substrate]
  M07[URS-07 Study] --> M16
  M09[URS-09 Site] --> M16
  M10[URS-10 Product] --> M16
  M11[URS-11 Supplier] --> M16
  M12[URS-12 Documents] <--> M16
  M16 --> M13[URS-13]
  M14[URS-14 Complaints] <--> M16
  M15[URS-15 OOS/OOT] <--> M16
  M16 --> M17[URS-17 RCA]
  M16 --> M18[URS-18 CAPA]
  M16 --> M21[URS-21 Findings]
  M16 --> M22[URS-22 Inspection Mgmt]
  M23[URS-23 Batch Records] <--> M16
  M24[URS-24 Stability] --> M16
  M25[URS-25 Environmental Monitoring] --> M16
  M16 --> M26[URS-26 APQR]
  M16 --> M30[URS-30 Notifications]
  ANNEX22[Annex 22] -.governs.-> M16
  ARCHAI[ARCH-AI-001] -.governs.-> M16
  AIAct[EU AI Act Annex III HIGH-RISK] -.classifies.-> M16
```

### 7.2 Change-Impact Matrix

| Module 16 capability | Affects | Direction | URS-13 trigger if modified |
|---|---|---|---|
| Lifecycle state machine | All consuming modules | Outbound | Class 1 |
| Severity model (minor / major / critical) | URS-23, URS-26 | Outbound | Class 1 |
| Practice taxonomy | URS-21, URS-22, URS-26 | Outbound | Class 2 |
| Severity-driven closure matrix | URS-04, URS-05 | Outbound | Class 1 |
| Critical executive co-sign requirement | URS-05 | Outbound | Class 1 |
| Module-options-driven classification | URS-02, URS-04 | Outbound | Class 2 |

### 7.3 Cross-module dependencies (consumed by Module 16)

- URS-01 — Auth.
- URS-02 — RBAC.
- URS-03 — Active scope.
- URS-04 — Workflow / e-sign.
- URS-05 — Authority Profile registry.
- URS-06 — Audit substrate.
- URS-07 — Study.
- URS-09 — Site.
- URS-10 — Product.
- URS-11 — Supplier.
- URS-12 — Documents (affected-document linkage).
- URS-13 — for deviations precipitating platform changes.
- URS-14 — Complaints (linkage from investigation).
- URS-15 — OOS/OOT (linkage from investigation).
- URS-17 — RCA (linkage from investigation).
- URS-18 — CAPA (linkage from investigation).
- URS-23 — Batch Records (batch flag trigger).
- URS-24 — Stability.
- URS-25 — Environmental Monitoring.
- URS-26 — APQR (statistics consumer).
- URS-30 — Notifications.
- EU GMP Annex 22 — GenAI prohibition.
- ARCH-AI-001 — Advisory AI binding.
- EU AI Act Annex III — HIGH-RISK classification.

---

## 8. AI / Automation / Human-in-the-Loop Controls

Per the internal Annex 22 control (DEC-16-19; treated as internal forward-looking AI governance control, not enacted predicate rule), generative / probabilistic AI is **PROHIBITED** in deviation classification disposition, severity-driven escalation, regulatory-impact, and closure-disposition decision paths. Verixa internally classifies this module as high-risk AI under internal AI governance, aligned with the EU AI Act Annex III high-risk classification approach (treated as internal forward-looking AI governance control), unless a jurisdiction-specific legal assessment determines otherwise. ARCH-AI-001 architectural constraints: AC-2 (advisory secondary), AC-3 (visible labelling), AC-4 (no autonomous write), AC-5 (full audit), AC-7 (graceful degradation).

| AI Surface | Permitted | Governance |
|---|---|---|
| AI closure disposition | NO (Annex 22) | Not built |
| AI severity-driven escalation | NO (Annex 22) | Not built |
| AI regulatory-impact | NO (Annex 22) | Not built |
| AI-suggested severity (advisory) | YES — deterministic | ARCH-AI-001 |
| AI-suggested type (advisory) | YES — deterministic | ARCH-AI-001 |
| AI similarity (advisory over historical) | YES — deterministic | ARCH-AI-001 |
| AI root-cause proposal (advisory) | YES — deterministic | ARCH-AI-001 |
| MIRA read-only retrieval over closed deviations | YES — read-only | URS-12 RAG |

All advisory AI output visibly labelled per AC-3; full audit trail per AC-5; override capability with reason captured per AC-6 (advisory output preserved); graceful degradation per AC-7.

---

## 9. Reports, Dashboards, and Exports

| Report / Dashboard | Purpose | Audience |
|---|---|---|
| Deviation inventory | All deviations by lifecycle, severity, practice, scope | QA |
| Severity distribution | Per-product / per-site / per-practice / time-window severity mix | QA, Manufacturing, Clinical, Distribution |
| Practice-domain mix | GMP / GCP / GLP / GDP / GVP / multi distribution | QA |
| Lifecycle aging | Time in each state | QA |
| Overdue investigations | Past-SLA deviations | QA, investigators |
| Voided register | Voided deviations with reason + authority | QA, audit |
| Critical-deviation queue | Pending critical deviations awaiting executive authority co-sign | Executive authority + QA |
| Reopen audit register | Reopened deviations with executive authority attribution | QA, executive office |
| APQR data feed (URS-26) | Deviation statistics | QA |
| Cross-tenant indices (platform-admin support / break-glass only) | Aggregate Module 16 events | `platform_admin` (support / break-glass only with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, SOC alert) |

Exports:

- Deviation evidence pack (zipped).
- Practice-domain export.
- APQR data extract.

---

## 10. Notifications and Queues

| Event | Recipients | Channel |
|---|---|---|
| Deviation created | QA + investigator queue | URS-30 in-app |
| Submitted for investigation | Investigator team | URS-30 in-app + email |
| Investigation conclusion signed | QA + closure team | URS-30 in-app |
| Critical deviation requires executive co-sign | Executive authority + QA | URS-30 critical |
| Closure signed (critical) | All stakeholders | URS-30 critical |
| Voided | Original creator + QA | URS-30 in-app |
| Reopen executive co-signed | All stakeholders + executive office | URS-30 critical |
| Overdue investigation | Investigator + QA | URS-30 reminder |
| Practice-domain trend alert | QA + practice lead | URS-30 in-app |
| Tenant offboarding cascade | All stakeholders | URS-30 in-app |

---

## 11. Error Handling and Negative Paths

### 11.1 Error envelope

`AppError` envelope per QS-9.

### 11.2 Error-code catalogue

| Code | HTTP | Meaning |
|---|---|---|
| `DEVIATION_NOT_FOUND` | 404 | Deviation ID not in tenant scope |
| `DEVIATION_INVALID_TRANSITION` | 422 | Lifecycle transition not allowed |
| `DEVIATION_AUTHORITY_REQUIRED` | 403 | Authority Profile required |
| `DEVIATION_SOD_VIOLATION_DISCOVERER_CANNOT_INVESTIGATE` | 403 | SoD-16-01 |
| `DEVIATION_SOD_VIOLATION_INVESTIGATOR_VS_QA` | 403 | SoD-16-02 |
| `DEVIATION_SOD_VIOLATION_INVESTIGATOR_VS_PRACTICE_LEAD` | 403 | SoD-16-03 |
| `DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE` | 403 | SoD-16-04 |
| `DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR` | 403 | SoD-16-05 |
| `DEVIATION_SOD_VIOLATION_REOPEN_EXECUTIVE` | 403 | SoD-16-06 |
| `DEVIATION_SOD_VIOLATION_CRITICAL_MATRIX_INDEPENDENCE` | 403 | SoD-16-07 |
| `DEVIATION_CRITICAL_EXECUTIVE_AUTHORITY_REQUIRED` | 403 | Critical deviation requires executive authority co-sign per DEC-16-21 |
| `DEVIATION_REOPEN_EXECUTIVE_AUTHORITY_REQUIRED` | 403 | Reopen requires executive authority per DEC-16-22 |
| `DEVIATION_CLOSED_IMMUTABLE` | 422 | Closed deviation parent + children immutable per DEC-16-08 |
| `DEVIATION_VOIDED_PARENT_IMMUTABLE` | 422 | Voided deviation parent + children immutable per DEC-16-08 |
| `DEVIATION_CLOSED_CANNOT_VOID` | 422 | Closed deviation cannot be voided |
| `DEVIATION_VOID_REASON_REQUIRED` | 400 | Void requires reason text |
| `DEVIATION_SCOPE_ANCHOR_REQUIRED` | 400 | At least one scope anchor required per DEC-16-14 |
| `DEVIATION_GENAI_PROHIBITED` | 403 | GenAI not permitted per Annex 22 / DEC-16-19 |
| `DEVIATION_HARD_DELETE_PROHIBITED` | 422 | Hard delete prohibited |
| `VALIDATION_FAILED` | 400 | Zod validation |
| `SCOPE_MISMATCH` | 403 | Active scope mismatch |

### 11.3 Negative-path catalogue

- Discoverer attempts to investigate own deviation → SoD-16-01 violation.
- Investigator attempts closure → SoD-16-04 violation.
- Original creator attempts void → SoD-16-05 violation.
- Update attempted on closed deviation → `DEVIATION_CLOSED_IMMUTABLE`.
- Child-row remove attempted on voided deviation → `DEVIATION_VOIDED_PARENT_IMMUTABLE`.
- Critical closure without executive authority → `DEVIATION_CRITICAL_EXECUTIVE_AUTHORITY_REQUIRED`.
- Reopen by non-executive-authority → `DEVIATION_REOPEN_EXECUTIVE_AUTHORITY_REQUIRED`.
- GenAI invocation in critical decision path → `DEVIATION_GENAI_PROHIBITED`.
- Hard-delete attempt → `DEVIATION_HARD_DELETE_PROHIBITED`.
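
The negative paths above, written as a single service-layer guard that maps each rejected action to its §11.2 code and HTTP status. This is an added example, not Verixa's own code: the `Deviation`, `Actor` and `Action` shapes, the `open` state, the `genai_service` caller kind, the reopen-only-from-closed rule, and the order of the checks are assumptions. SoD-16-02, -03, -06 and -07 are left out because this section does not define them.

```typescript
// Added illustration, not Verixa code. Field names, the "open" state and the
// order of checks are assumptions; codes and HTTP statuses come from §11.2.
type State = "open" | "closed" | "voided"; // "open" stands in for every pre-closure state
type Severity = "minor" | "major" | "critical";

interface Deviation {
  state: State;
  severity: Severity;
  createdBy: string; // discoverer / original creator
  investigatorId: string;
}

interface Actor {
  userId: string;
  kind: "human" | "genai_service"; // hypothetical caller classification
  executiveAuthority: boolean;
}

type Action =
  | { kind: "investigate" | "update" | "removeChild" | "reopen" | "hardDelete" }
  | { kind: "close"; coSigners: Actor[] }
  | { kind: "void"; reason: string };

const HTTP_STATUS = {
  DEVIATION_INVALID_TRANSITION: 422,
  DEVIATION_SOD_VIOLATION_DISCOVERER_CANNOT_INVESTIGATE: 403,
  DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE: 403,
  DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR: 403,
  DEVIATION_CRITICAL_EXECUTIVE_AUTHORITY_REQUIRED: 403,
  DEVIATION_REOPEN_EXECUTIVE_AUTHORITY_REQUIRED: 403,
  DEVIATION_CLOSED_IMMUTABLE: 422,
  DEVIATION_VOIDED_PARENT_IMMUTABLE: 422,
  DEVIATION_CLOSED_CANNOT_VOID: 422,
  DEVIATION_VOID_REASON_REQUIRED: 400,
  DEVIATION_GENAI_PROHIBITED: 403,
  DEVIATION_HARD_DELETE_PROHIBITED: 422,
} as const;

type ErrorCode = keyof typeof HTTP_STATUS;
interface Denial { code: ErrorCode; http: number }

const deny = (code: ErrorCode): Denial => ({ code, http: HTTP_STATUS[code] });

// Returns null when the action may proceed, otherwise the code and status to reject with.
function guardAction(dev: Deviation, actor: Actor, action: Action): Denial | null {
  // Hard delete is refused for every actor and every state.
  if (action.kind === "hardDelete") return deny("DEVIATION_HARD_DELETE_PROHIBITED");

  // Closure and void dispositions are decision paths closed to generative AI callers.
  if (actor.kind === "genai_service" && (action.kind === "close" || action.kind === "void")) {
    return deny("DEVIATION_GENAI_PROHIBITED");
  }

  if (action.kind === "reopen") {
    if (!actor.executiveAuthority) return deny("DEVIATION_REOPEN_EXECUTIVE_AUTHORITY_REQUIRED");
    // Assumption: reopen is only a valid transition out of "closed".
    return dev.state === "closed" ? null : deny("DEVIATION_INVALID_TRANSITION");
  }

  // Closed and voided records: parent and child rows are immutable.
  if (dev.state !== "open") {
    if (action.kind === "update" || action.kind === "removeChild") {
      return deny(dev.state === "closed"
        ? "DEVIATION_CLOSED_IMMUTABLE"
        : "DEVIATION_VOIDED_PARENT_IMMUTABLE");
    }
    if (action.kind === "void" && dev.state === "closed") {
      return deny("DEVIATION_CLOSED_CANNOT_VOID");
    }
    return deny("DEVIATION_INVALID_TRANSITION");
  }

  switch (action.kind) {
    case "investigate": // SoD-16-01
      return actor.userId === dev.createdBy
        ? deny("DEVIATION_SOD_VIOLATION_DISCOVERER_CANNOT_INVESTIGATE")
        : null;
    case "close": // SoD-16-04, then the critical co-sign requirement
      if (actor.userId === dev.investigatorId) {
        return deny("DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE");
      }
      if (dev.severity === "critical" &&
          !action.coSigners.some((s) => s.kind === "human" && s.executiveAuthority)) {
        return deny("DEVIATION_CRITICAL_EXECUTIVE_AUTHORITY_REQUIRED");
      }
      return null;
    case "void": // reason text first, then SoD-16-05
      if (action.reason.trim() === "") return deny("DEVIATION_VOID_REASON_REQUIRED");
      return actor.userId === dev.createdBy
        ? deny("DEVIATION_SOD_VIOLATION_VOIDER_CANNOT_BE_CREATOR")
        : null;
    default: // update / removeChild on a deviation that is still open
      return null;
  }
}
```
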

---

## 12. Security, Privacy, and Tenant Isolation

### 12.1 Authentication dependency

URS-01 authenticated session required.

### 12.2 Authorisation pipeline

Three-guard hierarchy per QS-7.

### 12.3 Tenant isolation

TDAL on every DB op per QS-5; RLS on every Module 16 table per QS-6.

### 12.4 Encryption

At-rest + TLS 1.2+.

### 12.5 Logging hygiene

No raw operational secrets in operational logs per QS-19.

### 12.6 Privacy and data residency

Module 16 records inherit tenant data residency. GCP / GVP deviations may contain subject identifiers; PII tokenised per privacy policy.

### 12.7 Periodic access review

Per QS-7: per-tenant Authority Profile + classification taxonomy review every 6 months.

### 12.8 Periodic audit-trail review

Per QS-19: monthly Module 16 audit-trail sample by `quality_lead`; quarterly tenant-wide integrity check.

### 12.9 Security-operations alert thresholds

| Alert | Threshold |
|---|---|
| SoD violations | Any |
| GenAI prohibition violation | Any |
| Critical-deviation executive co-sign | Any |
| Reopen executive authority | Any |
| Bulk export | >20 in 1 hour |
| Hard-delete attempt | Any |
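
The thresholds above, evaluated over a stream of audit events: the "Any" rows alert on every matching event, and the bulk-export row uses a trailing one-hour window. This is an added example, not Verixa's own code: the event shape, the three event names marked hypothetical, counting exports per tenant, and alerting once per threshold crossing are assumptions, and the sample events are constructed.

```typescript
// Added illustration, not Verixa code. The event shape and the names marked
// "hypothetical" are assumptions; thresholds are the ones in the §12.9 table.
interface AuditEvent {
  tenantId: string;
  type: string; // §11.2 error code or an event name
  at: number;   // server-generated timestamp, epoch seconds
}

interface Alert { rule: string; tenantId: string; at: number; detail: string }

const EXPORT_EVENT = "EVIDENCE_PACK_EXPORT";       // hypothetical event name
const COSIGN_EVENT = "CRITICAL_EXECUTIVE_COSIGN";  // hypothetical event name
const REOPEN_EVENT = "REOPEN_EXECUTIVE_AUTHORITY"; // hypothetical event name
const BULK_EXPORT_LIMIT = 20;  // alert when MORE than 20 ...
const WINDOW_SECONDS = 3600;   // ... fall inside one hour
const T0 = 1700000000;         // constructed base timestamp for the sample data

// Rows whose threshold is "Any": a single event is enough to alert.
function anyRule(type: string): string | null {
  if (type.startsWith("DEVIATION_SOD_VIOLATION_")) return "SoD violations";
  if (type === "DEVIATION_GENAI_PROHIBITED") return "GenAI prohibition violation";
  if (type === "DEVIATION_HARD_DELETE_PROHIBITED") return "Hard-delete attempt";
  if (type === COSIGN_EVENT) return "Critical-deviation executive co-sign";
  if (type === REOPEN_EVENT) return "Reopen executive authority";
  return null;
}

function evaluateAlerts(events: AuditEvent[]): Alert[] {
  const alerts: Alert[] = [];
  const exportWindow = new Map<string, number[]>(); // tenantId -> export times still in window
  const tripped = new Set<string>();                // tenants currently above the limit
  const ordered = [...events].sort((a, b) => a.at - b.at);

  for (const ev of ordered) {
    const rule = anyRule(ev.type);
    if (rule !== null) {
      alerts.push({ rule, tenantId: ev.tenantId, at: ev.at, detail: ev.type });
      continue;
    }
    if (ev.type !== EXPORT_EVENT) continue; // e.g. VALIDATION_FAILED never alerts

    // Keep only exports newer than one hour before this event, then add this one.
    const recent = (exportWindow.get(ev.tenantId) ?? [])
      .filter((t) => t > ev.at - WINDOW_SECONDS);
    recent.push(ev.at);
    exportWindow.set(ev.tenantId, recent);

    if (recent.length > BULK_EXPORT_LIMIT) {
      // Alert once per crossing so a sustained burst does not flood the SOC queue.
      if (!tripped.has(ev.tenantId)) {
        tripped.add(ev.tenantId);
        alerts.push({
          rule: "Bulk export",
          tenantId: ev.tenantId,
          at: ev.at,
          detail: recent.length + " exports in the last hour",
        });
      }
    } else {
      tripped.delete(ev.tenantId);
    }
  }
  return alerts;
}

// Constructed sample: tenant-a exports every 60 s (crosses the limit on the 21st),
// tenant-b exports every 200 s (never more than 18 in any hour).
function sampleEvents(): AuditEvent[] {
  const events: AuditEvent[] = [];
  for (let i = 0; i < 25; i++) {
    events.push({ tenantId: "tenant-a", type: EXPORT_EVENT, at: T0 + i * 60 });
  }
  for (let i = 0; i < 21; i++) {
    events.push({ tenantId: "tenant-b", type: EXPORT_EVENT, at: T0 + i * 200 });
  }
  events.push({ tenantId: "tenant-b", type: "VALIDATION_FAILED", at: T0 + 10 });
  events.push({
    tenantId: "tenant-a",
    type: "DEVIATION_SOD_VIOLATION_INVESTIGATOR_CANNOT_CLOSE",
    at: T0 + 30,
  });
  events.push({ tenantId: "tenant-b", type: "DEVIATION_HARD_DELETE_PROHIBITED", at: T0 + 5000 });
  return events;
}
```
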

### 12.10 Self-modification block

Module 16 services cannot modify their own audit trail or `module_options` configuration tables.

### 12.11 Secure export

Evidence-pack exports watermarked, audit-logged, TLS.

### 12.12 Cross-tenant confidentiality envelope

Tenant A cannot read tenant B deviations under any RBAC; only `platform_admin` support / break-glass cross-tenant operations (with reason, support-ticket reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED` audit emit, SOC alert) are permitted.

---

## 13. Data Integrity and ALCOA+ Controls

| ALCOA+ Principle | Module 16 Implementation |
|---|---|
| Attributable | Every deviation, child row, investigation, closure attestation, void, reopen carries `created_by` / `signed_by` per QS-2. |
| Legible | Records human-readable; structured taxonomy and impact-area JSONB. |
| Contemporaneous | Server-generated timestamps per QS-3. |
| Original | Closed / voided records immutable per DEC-16-08; soft-delete only per DEC-16-09. |
| Accurate | Schema + Zod validation per QS-8; typed DB contract aligned per DEC-16-24. |
| Complete | Full before/after payload audit per DEC-16-12; severity-matrix attestations complete. |
| Consistent | Context model normalized per DEC-16-14. |
| Enduring | Records preserved per retention class; append-only audit per QS-1. |
| Available | Tenant-scoped retrieval; evidence pack export. |
| Traceable | Hash-chained URS-06 audit; per-deviation audit view; cross-module reference chain. |

---

## 14. Regulatory Mapping

| Authority | Predicate | Module 16 obligation |
|---|---|---|
| FDA | 21 CFR Part 11 §11.10(a/d/e) §11.50/11.70/11.100/11.200/11.300 | Validation + RBAC + audit + e-signature |
| FDA | 21 CFR §211.192 (Production record review for unexplained discrepancies) | Investigation requirement |
| FDA | 21 CFR §312.62 (Investigator records and reports) | Clinical deviation capture |
| FDA | 21 CFR §211.198 (Complaint files; deviations linked to complaints) | URS-14 linkage |
| FDA | 21 CFR Part 58 (GLP) | GLP non-clinical taxonomy |
| EMA / PIC/S | EU GMP Annex 11 §4/9/12/16 | Validation + audit + security + incident |
| EMA / PIC/S | EU GMP Annex 1 (revised 2023) §10 | Sterile-manufacturing deviations |
| EMA / PIC/S | EU GMP Chapter 1 §1.4 | PQS deviation handling |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU GMP Annex 22 (Draft 2025) | GenAI prohibition per DEC-16-19 (treated as internal forward-looking control; jurisdiction-specific legal enforceability subject to future legal assessment) |
| EU | EU GDP guidelines | GDP deviation taxonomy |
| EU | EU GVP modules | GVP deviation taxonomy |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU AI Act Regulation 2024/1689 Annex III (high-risk classification approach) | Internal high-risk AI governance aligned with the Annex III approach (jurisdiction-specific legal enforceability subject to future legal assessment) |
| Internal architectural control (forward-looking; not enacted predicate rule) | EU AI Act Art. 13 — Transparency principles | Visible advisory labelling (jurisdiction-specific legal enforceability subject to future legal assessment) |
| MHRA | MHRA Data Integrity (2018) — ALCOA+ | §13 |
| Health Canada | C.02.020 — GMP records | Investigation workflow |
| ICH | ICH Q9 — Risk Management | Risk-based investigation |
| ICH | ICH Q10 — Pharmaceutical QMS §3.2.4 | Deviation handling element |
| ICH | ICH E6(R3) — GCP | Clinical taxonomy |
| OECD | OECD GLP | GLP taxonomy |
| WHO | TRS GDP | GDP taxonomy |
| GAMP | GAMP 5 Cat 5 | Validation per §17 |
| FDA | FDA CSA Final Guidance (Sep 2025) | Risk-based testing |
| India CDSCO (per applicable scope) | India Drugs and Cosmetics Act 1940 + Drugs Rules 1945 + Revised Schedule M (deviation handling within GMP) + Schedule M-III (where distribution-deviation scope) + New Drugs and Clinical Trials Rules 2019 (where clinical-protocol deviations are in scope) + CDSCO GCP guidance (where clinical / study deviation scope) + Medical Devices Rules 2017 (where device / combination-product deviation scope) — Applicable per India tenant operation and jurisdictional regulatory assessment | Deviation register, practice-specific taxonomy (GMP / GCP / GLP / GDP / GVP / multi), severity-driven approval matrix, closure with executive authority co-sign for critical, void / reopen audit chain; external jurisdictional legal / RA confirmation required for clause / form applicability per India deviation scope |

---

## 15. URS Requirements Register

### 15.1 Front-end (FE)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-FE-001 | Deviation landing route | MUST |
| URS-16-FE-002 | Create deviation route with practice → classification → severity selectors | MUST |
| URS-16-FE-003 | Deviation detail with tabs | MUST |
| URS-16-FE-004 | Investigation editor with linkage to URS-17 / 18 / 13 / 14 / 15 | MUST |
| URS-16-FE-005 | Impact-area editor with structured taxonomy | MUST |
| URS-16-FE-006 | Affected-document editor with URS-13 link | MUST |
| URS-16-FE-007 | Closure matrix modal (severity-driven) with executive co-sign for critical | MUST |
| URS-16-FE-008 | Void modal with reason + authority + e-sign + SoD-16-05 | MUST |
| URS-16-FE-009 | AI advisory banner per ARCH-AI-001 AC-3 | MUST |
| URS-16-FE-010 | Severity distribution dashboard | MUST |
| URS-16-FE-011 | Practice-domain mix dashboard | MUST |
| URS-16-FE-012 | Aging + overdue dashboards | MUST |
| URS-16-FE-013 | Voided register | MUST |
| URS-16-FE-014 | Executive authority critical-cosign queue (executive only) | MUST |
| URS-16-FE-015 | Executive authority reopen modal (executive only) | MUST |
| URS-16-FE-016 | Per-deviation audit view | MUST |
| URS-16-FE-017 | WCAG 2.1 AA across all routes | MUST |
| URS-16-FE-018 | i18n / l10n | MUST |
| URS-16-FE-019 | ErrorBoundary + loading/error/empty states per QS-17 | MUST |
| URS-16-FE-020 | Annex 22 GenAI prohibition surface (no AI in critical decision UI) | MUST (negative) |

### 15.2 Back-end (BE)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-BE-001 | `deviations` REST surface per §6.3 | MUST |
| URS-16-BE-002 | Race-safe `deviation_number` via DB sequence per DEC-16-03 | MUST |
| URS-16-BE-003 | Lifecycle state machine per §6.4 | MUST |
| URS-16-BE-004 | Submit-for-investigation with SoD-16-01 | MUST |
| URS-16-BE-005 | Investigation conclusion route with SoD-16-04 + e-sign | MUST |
| URS-16-BE-006 | Severity-driven closure matrix with per-slot signatures per DEC-16-06 | MUST |
| URS-16-BE-007 | Critical executive authority co-sign per DEC-16-21 + SoD-16-07 | MUST |
| URS-16-BE-008 | Void route with reason + authority + e-sign + SoD-16-05 per DEC-16-09 | MUST |
| URS-16-BE-009 | Reopen route with executive authority + SoD-16-06 per DEC-16-22 | MUST |
| URS-16-BE-010 | Closed / voided parent + child immutability per DEC-16-08 | MUST |
| URS-16-BE-011 | Hard delete prohibited | MUST |
| URS-16-BE-012 | Per-deviation audit trail route | MUST |
| URS-16-BE-013 | URS-23 batch flag trigger upon critical deviation per DEC-16-17 | MUST |
| URS-16-BE-014 | Tenant offboarding cascade | MUST |
| URS-16-BE-015 | Typed DB contract aligned per DEC-16-24 | MUST |
| URS-16-BE-016 | Full before/after audit payload per DEC-16-12 | MUST |
| URS-16-BE-017 | Tenant-configurable severity / classification via `module_options` | MUST |
| URS-16-BE-018 | Static deterministic similarity service (advisory) | MUST |

### 15.3 Workflow (WF)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-WF-001..010 | Per §6.4 | MUST |

### 15.4 Data (DATA)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-DATA-001..012 | Per §6.2 | MUST |

### 15.5 Security (SEC)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-SEC-001 | Three-guard pipeline | MUST |
| URS-16-SEC-002 | TDAL per QS-5 | MUST |
| URS-16-SEC-003 | RLS per QS-6 | MUST |
| URS-16-SEC-004 | Cross-tenant envelope | MUST |
| URS-16-SEC-005 | Watermarked evidence-pack export | MUST |
| URS-16-SEC-006 | Bulk export authority gate | MUST |
| URS-16-SEC-007 | Self-modification block | MUST |
| URS-16-SEC-008 | Periodic access review | MUST |
| URS-16-SEC-009 | Periodic audit integrity check | MUST |
| URS-16-SEC-010 | GenAI prohibition runtime block | MUST |
| URS-16-SEC-011 | PII tokenisation for GCP / GVP subject identifiers | MUST |

### 15.6 Audit (AUD)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-AUD-001 | Every mutation audited per QS-1 with full payload | MUST |
| URS-16-AUD-002 | Lifecycle dual-write to events + URS-06 | MUST |
| URS-16-AUD-003 | Investigation / impact-area / affected-doc / closure / void / reopen all audited | MUST |
| URS-16-AUD-004 | Auth events to `auth_audit_log` | MUST |
| URS-16-AUD-005 | Advisory AI requests to `ai_requests` per AC-5 | MUST |
| URS-16-AUD-006 | Append-only per QS-1 | MUST |
| URS-16-AUD-007 | Per-deviation audit view route | MUST |
| URS-16-AUD-008 | Attempted-mutation forensic events on immutable records | MUST |

### 15.7 AI / HITL (AI)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-AI-001 | NO LLM/GenAI in classification / severity / closure decision paths per Annex 22 | MUST (negative) |
| URS-16-AI-002 | Static deterministic similarity advisory per ARCH-AI-001 AC-2 | MUST |
| URS-16-AI-003 | Static deterministic severity / type suggestion advisory | MUST |
| URS-16-AI-004 | Static deterministic root-cause proposal advisory | MUST |
| URS-16-AI-005 | Visible "AI-suggested" labelling per AC-3 | MUST |
| URS-16-AI-006 | No autonomous write per AC-4 | MUST |
| URS-16-AI-007 | Override capability with reason captured per AC-6 | MUST |
| URS-16-AI-008 | Full AI request audit per AC-5 | MUST |
| URS-16-AI-009 | Graceful degradation per AC-7 | MUST |
| URS-16-AI-010 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) | MUST |
| URS-16-AI-011 | EU AI Act Art. 13 transparency | MUST |

### 15.8 Integration (INT)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-INT-001 | URS-01..06 substrate consumed | MUST |
| URS-16-INT-002 | URS-07 / 09 / 10 / 11 / 23 scope linkage | MUST |
| URS-16-INT-003 | URS-12 affected-document linkage | MUST |
| URS-16-INT-004 | URS-13 linkage when deviation precipitates platform change | MUST |
| URS-16-INT-005 | URS-14 complaint linkage from investigation | MUST |
| URS-16-INT-006 | URS-15 OOS linkage from investigation | MUST |
| URS-16-INT-007 | URS-17 RCA linkage | MUST |
| URS-16-INT-008 | URS-18 CAPA linkage | MUST |
| URS-16-INT-009 | URS-21 Findings outbound | MUST |
| URS-16-INT-010 | URS-22 Inspection Mgmt outbound | MUST |
| URS-16-INT-011 | URS-23 Batch flag trigger per DEC-16-17 | MUST |
| URS-16-INT-012 | URS-24 Stability inbound | MUST |
| URS-16-INT-013 | URS-25 EM inbound | MUST |
| URS-16-INT-014 | URS-26 APQR statistics consumer | MUST |
| URS-16-INT-015 | URS-30 Notifications wired | MUST |
| URS-16-INT-016 | Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025) | MUST |
| URS-16-INT-017 | ARCH-AI-001 binding | MUST |
| URS-16-INT-018 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) | MUST |

### 15.9 Reporting (REP)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-REP-001..010 | Per §9 | MUST |

### 15.10 Notifications (NOTIF)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-NOTIF-001..010 | Per §10 | MUST |

### 15.11 Validation (VAL)

| ID | Requirement | Priority |
|---|---|---|
| URS-16-VAL-001 | URS approval | Pending |
| URS-16-VAL-002 | Functional Specification | Pending |
| URS-16-VAL-003 | IQ / OQ / PQ | Pending |
| URS-16-VAL-004 | Traceability matrix | Pending |
| URS-16-VAL-005 | Risk-based testing per FDA CSA | Pending |
| URS-16-VAL-006 | RLS evidence | Pending |
| URS-16-VAL-007 | Audit trail integrity | Pending |
| URS-16-VAL-008 | Migration evidence gate | Pending |
| URS-16-VAL-009 | Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025 GenAI prohibition control) | Pending |
| URS-16-VAL-010 | ARCH-AI-001 AC-2/3/4/5/7 compliance | Pending |
| URS-16-VAL-011 | Internal forward-looking AI governance evidence aligned with EU AI Act Annex III high-risk concepts, subject to jurisdiction-specific legal assessment | Pending |
| URS-16-VAL-012 | EU AI Act Art. 13 transparency | Pending |
| URS-16-VAL-013 | SoD-16-01..07 enforcement evidence | Pending |
| URS-16-VAL-014 | Severity-matrix closure evidence per DEC-16-06 | Pending |
| URS-16-VAL-015 | Critical executive authority co-sign procedural evidence per DEC-16-21 | Pending |
| URS-16-VAL-016 | Void workflow procedural evidence per DEC-16-09 | Pending |
| URS-16-VAL-017 | Closed / voided parent + child immutability evidence per DEC-16-08 | Pending |
| URS-16-VAL-018 | Practice-specific taxonomy validation evidence (GMP / GCP / GLP / GDP / GVP) | Pending |

---

## 16. Acceptance Criteria and Test Cases

### 16.1 Plain-language test cases

| TC | Test |
|---|---|
| TC-16-01 | Minor deviation happy path: discoverer creates → investigator investigates and signs investigation conclusion → QA reviewer / closure authority signs closure → closed (investigator MUST NOT act as closure authority). |
| TC-16-02 | Major deviation: + practice-lead co-sign at closure. |
| TC-16-03 | Critical deviation: + executive authority co-sign per DEC-16-21. |
| TC-16-04 | Discoverer attempts to investigate own deviation; rejected via SoD-16-01. |
| TC-16-05 | Investigator attempts closure; rejected via SoD-16-04. |
| TC-16-06 | Original creator attempts void; rejected via SoD-16-05. |
| TC-16-07 | Update attempted on closed deviation; rejected via `DEVIATION_CLOSED_IMMUTABLE`. |
| TC-16-08 | Child-row remove attempted on voided deviation; rejected via `DEVIATION_VOIDED_PARENT_IMMUTABLE`. |
| TC-16-09 | Critical closure without executive co-sign; rejected. |
| TC-16-10 | Reopen by non-executive-authority; rejected. |
| TC-16-11 | Void via DELETE without authority; rejected (normative). |
| TC-16-12 | GenAI invocation in critical decision path; runtime block + `DEVIATION_GENAI_PROHIBITED`. |
| TC-16-13 | Practice-specific classification value validation per `module_options`. |
| TC-16-14 | Tenant offboarding cascade. |
| TC-16-15 | Inspector evidence pack with watermark + hash-chain. |

### 16.2 Technical test cases

| TC | Test technique |
|---|---|
| TC-16-T01 | Unit test on SoD-16-01..07; assert HTTP 403 + correct error code. |
| TC-16-T02 | Integration test on severity-driven closure matrix per DEC-16-06. |
| TC-16-T03 | Integration test on critical executive co-sign per DEC-16-21. |
| TC-16-T04 | Integration test on void workflow with authority + e-sign + SoD-16-05 per DEC-16-09. |
| TC-16-T05 | Integration test on closed/voided parent + child immutability per DEC-16-08. |
| TC-16-T06 | RLS test: tenant A user cannot read tenant B deviations. |
| TC-16-T07 | Audit test: every mutation produces URS-06 audit entry with full payload per DEC-16-12. |
| TC-16-T08 | E2E test (Playwright): full happy-path lifecycle. |
| TC-16-T09 | Performance test: list filter P95 latency ≤ 500ms with 100K deviations. |
| TC-16-T10 | Security test: bulk export >20 triggers authority gate. |
| TC-16-T11 | Tenant-isolation test: TDAL violation blocked. |
| TC-16-T12 | Annex 22 negative test: GenAI in critical decision path blocked at runtime + lint. |
| TC-16-T13 | Race-condition test on `deviation_number` generation. |
| TC-16-T14 | Hard-delete test: any hard-delete attempt blocked. |
| TC-16-T15 | Practice-specific classification: per-practice taxonomy validated against `module_options`. |

### 16.3 Acceptance criteria

| AC | Statement |
|---|---|
| AC-16-01 | Deviation registry supports practice / classification / severity / scope per DEC-16-01. |
| AC-16-02 | Race-safe `deviation_number` per DEC-16-03. |
| AC-16-03 | SoD-16-01..07 enforced at service layer. |
| AC-16-04 | Severity-driven closure matrix enforced per DEC-16-06. |
| AC-16-05 | Critical executive authority co-sign enforced per DEC-16-21 with SoD-16-07. |
| AC-16-06 | Void workflow enforces reason + authority + e-sign + SoD-16-05 per DEC-16-09. |
| AC-16-07 | Closed / voided parent + child immutability per DEC-16-08. |
| AC-16-08 | Hard delete prohibited. |
| AC-16-09 | Reopen requires executive authority per DEC-16-22. |
| AC-16-10 | Annex 22 GenAI prohibition enforced runtime + lint per DEC-16-19. |
| AC-16-11 | ARCH-AI-001 AC-2/3/4/5/7 satisfied. |
| AC-16-12 | Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach) maintained. |
| AC-16-13 | All Module 16 tables RLS-enabled per QS-6. |
| AC-16-14 | Every mutation produces audit entry with full before/after payload per DEC-16-12. |
| AC-16-15 | Practice-specific taxonomy per DEC-16-04 validated against `module_options`. |
| AC-16-16 | Tenant offboarding cascade preserves audit retention per DEC-16-23. |

```mermaid
sequenceDiagram
  participant Disc as Discoverer
  participant Inv as Investigator
  participant QA as QA Reviewer
  participant Practice as Practice Lead
  participant Close as Closure Authority
  participant Exec as ExecAuthority
  participant ESign as URS-04 E-Sign
  participant Audit as URS-06
  Disc->>Inv: create + submit (SoD-16-01)
  Inv->>ESign: investigation conclusion (SoD-16-04)
  ESign-->>Inv: signature
  Inv->>Audit: log conclusion + linkages
  alt severity = critical
    Close->>QA: closure matrix
    QA->>ESign: QA e-sign
    Practice->>ESign: practice-lead e-sign
    Exec->>ESign: executive authority e-sign DEC-16-21 (SoD-16-07)
    Close->>ESign: closure attestation
  else severity = major
    Close->>ESign: closure (Inv + QA + practice-lead)
  else severity = minor
    Close->>ESign: closure (Inv + QA)
  end
  ESign-->>Close: signatures
  Close->>Audit: log closure with matrix evidence
  Note over Close: Parent + children immutable DEC-16-08
```

Diagram 16-A — End-to-end happy-path acceptance test sequence with severity-driven closure matrix.

### 16.4 Requirements-to-test traceability

| Requirement ID | Test Case ID | AC ID |
|---|---|---|
| URS-16-FE-001..020 | TC-16-T08 | AC-16-01..16 |
| URS-16-BE-001..018 | TC-16-T01..15 | AC-16-01..16 |
| URS-16-WF-001..010 | TC-16-T01..05 | AC-16-03..09 |
| URS-16-DATA-001..012 | TC-16-T06, TC-16-T13, TC-16-T14 | AC-16-13, AC-16-08 |
| URS-16-SEC-001..011 | TC-16-T06, TC-16-T10..12 | AC-16-13, AC-16-10 |
| URS-16-AUD-001..008 | TC-16-T07 | AC-16-14 |
| URS-16-AI-001..011 | TC-16-T12 | AC-16-10..12 |
| URS-16-INT-001..018 | TC-16-T08 | AC-16-16 |

---

## 17. Validation and CSV/CSA Evidence Expectations

### 17.1 Supplier and service-provider qualification pack

- E-signature substrate provider qualification (URS-04).
- Hosting region qualification per tenant residency.

### 17.2 Inspection-ready evidence index

- URS approval pack.
- Functional Specification per `deviations` code module.
- IQ / OQ / PQ scripts and execution evidence.
- Traceability matrix.
- Risk-based testing per FDA CSA.
- RLS evidence per QS-6.
- Audit trail integrity evidence.
- Migration evidence (URS-16-VAL-008).
- Internal forward-looking AI governance evidence (EU GMP Annex 22 Draft 2025 GenAI prohibition control).
- ARCH-AI-001 AC-2/3/4/5/7 advisory AI evidence pack.
- Internal forward-looking AI governance evidence (EU AI Act Annex III high-risk classification approach).
- Internal forward-looking AI governance evidence (EU AI Act Art. 13 transparency principles).
- SoD-16-01..07 enforcement evidence.
- Severity-matrix closure evidence per DEC-16-06.
- Critical executive authority co-sign procedural evidence per DEC-16-21.
- Void workflow procedural evidence per DEC-16-09.
- Closed / voided parent + child immutability evidence per DEC-16-08.
- Practice-specific taxonomy validation evidence (GMP / GCP / GLP / GDP / GVP).
- Race-safe `deviation_number` evidence (concurrent-create test).

---

## 18. Closed Decision and Dependency Register

### 18.1 Closed Launch Decisions Register

DEC-16-01..25 per §2.3 are closed for launch.

### 18.2 Dependencies

| Dependency | Direction | Source |
|---|---|---|
| URS-01 authentication | Inbound | URS-01 |
| URS-02 RBAC | Inbound | URS-02 |
| URS-03 active scope | Inbound | URS-03 |
| URS-04 workflow / e-sign | Inbound | URS-04 |
| URS-05 Authority Profile | Inbound | URS-05 |
| URS-06 audit substrate | Inbound | URS-06 |
| URS-07 / 09 / 10 / 11 scope linkage | Inbound | URS-07 / 09 / 10 / 11 |
| URS-12 Documents | Bidirectional | URS-12 |
| URS-13 (linkage when deviation precipitates platform change) | Outbound | URS-13 |
| URS-14 Complaints | Bidirectional | URS-14 |
| URS-15 OOS/OOT | Bidirectional | URS-15 |
| URS-17 RCA | Outbound | URS-17 |
| URS-18 CAPA | Outbound | URS-18 |
| URS-21 Findings | Outbound | URS-21 |
| URS-22 Inspection Mgmt | Outbound | URS-22 |
| URS-23 Batch Records | Bidirectional | URS-23 |
| URS-24 Stability | Inbound | URS-24 |
| URS-25 EM | Inbound | URS-25 |
| URS-26 APQR | Outbound | URS-26 |
| URS-30 Notifications | Outbound | URS-30 |
| EU GMP Annex 22 (Draft 2025) | Internal forward-looking architectural reference (not enacted predicate rule) | Internal forward-looking AI governance evidence (Annex 22 platform reference) |
| ARCH-AI-001 | Architectural binding | ARCH-AI-001 platform binding |
| EU AI Act Annex III (high-risk classification approach) | Internal forward-looking architectural reference (not enacted predicate rule) | EU AI Act |

---

## 19. Completeness Checklist

| Item | Status |
|---|---|
| Header + Architecture Bindings (ARCH-AI-001 + Annex 22 + Annex III HIGH-RISK) | ✓ |
| Plain-language primer + glossary + architectural picture | ✓ |
| Deviation lifecycle diagram | ✓ |
| Module Purpose | ✓ |
| Scope (in / out / closed launch decisions) | ✓ |
| User Roles + Authority Profiles + SoD-16-01..07 + worked examples + role-permission matrix | ✓ |
| 28 end-to-end user journeys | ✓ |
| Front-end expected state | ✓ |
| Back-end expected state (entities + ER + lifecycle + closure matrix flow + void workflow + data + API + workflow + business rules + audit) | ✓ |
| Annex 22 + ARCH-AI-001 + Annex III high-risk architecture reference section | ✓ |
| Cross-module wiring + CIM + dependencies | ✓ |
| AI / Automation / HITL controls | ✓ |
| Reports / dashboards / exports | ✓ |
| Notifications and queues | ✓ |
| Error envelope + error-code catalogue + negative paths | ✓ |
| Security, privacy, tenant isolation | ✓ |
| ALCOA+ controls | ✓ |
| Regulatory mapping | ✓ |
| URS Requirements Register | ✓ |
| Acceptance Criteria + Test Cases + traceability | ✓ |
| Validation evidence expectations | ✓ |
| Closed decisions + dependencies | ✓ |
| Module scoped strictly to Deviations | ✓ |
| Version 1.0 only | ✓ |

---

## 20. Final Module Output Quality Gate

**URS approval is separate from validation execution.** This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture; it becomes "Released for validation execution" only after URS-16-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied. **No Module 16 internal open questions remain.**

- **Specification ready for engineering review?** Yes — every requirement is fully specified within this URS.
- **Specification ready for quality validation review?** Yes — IQ/OQ/PQ + RLS + audit chain + Annex 22 + ARCH-AI-001 + Annex III HIGH-RISK + SoD + severity-matrix closure + critical executive co-sign + void workflow + immutability + practice-specific taxonomy evidence are itemised in §17.
- **Specification ready for compliance review?** Yes — ALCOA+, 21 CFR Part 11, 21 CFR §211.192, 21 CFR §312.62, 21 CFR §211.198, 21 CFR Part 58, EU GMP Annex 11, EU GMP Annex 1 (revised 2023) §10, EU GMP Chapter 1 §1.4, EU GDP guidelines, EU GVP modules, MHRA ALCOA+, ICH Q9 / Q10 / E6(R3), OECD GLP, WHO TRS GDP, GAMP 5 Cat 5, FDA CSA — all mapped in §14. EU GMP Annex 22 (Draft 2025) and EU AI Act Regulation 2024/1689 (Annex III high-risk classification approach + Art. 13 transparency principles) are treated as internal forward-looking architectural controls; jurisdiction-specific legal enforceability remains subject to a future jurisdiction-specific legal assessment.
- **Specification ready for inspector / client review?** Yes — 28 journeys (§4), full requirements register (§15), evidence pack index (§17.2).
- **Specification ready for Founder approval?** Yes.
- **Blocking gaps?** None internal.
- **Two-step release path:**
  1. **Approved Controlled URS — released for engineering implementation and validation planning.**
  2. **Released for validation execution.** After URS-16-VAL-008 + §17 evidence complete.

---

## Appendix A — Module 16 End-to-End Composite (Discover → Investigate → Severity-Matrix Closure → Immutable / Void / Reopen)

```mermaid
flowchart TD
  A([deviation_discoverer creates deviation — race-safe deviation_number DEC-16-03]) --> B[DRAFT — at least one scope anchor required]
  B --> C{Submit or Void?}
  C -- Submit --> D[INVESTIGATING — investigator assigned SoD-16-01]
  C -- Void from draft --> E[Void: reason + deviation_void_authority + e-sign + SoD-16-05 DEC-16-09]
  D --> F[Investigator adds impact_areas + affected_documents + linkage to URS-17/18/13/14/15]
  F --> G[Investigation conclusion signed SoD-16-04]
  G --> H{Severity}
  H -- minor --> I[Closure: Inv + QA per DEC-16-06 minor matrix]
  H -- major --> J[Closure: Inv + QA + practice_lead_* per DEC-16-06 major matrix]
  H -- critical --> K[Closure: Inv + QA + practice_lead_* + executive authority DEC-16-21 SoD-16-07]
  K --> L{SoD-16-07 closure ≠ executive co-signer}
  L -- violates --> M[HTTP 403]
  L -- ok --> I
  J --> I
  %% K reaches I only via L, so a critical closure cannot bypass the SoD-16-07 check
  I --> N[CLOSED — parent + children immutable DEC-16-08]
  D --> O[Void from investigating: reason + authority + e-sign + SoD-16-05]
  O --> P[VOIDED — soft-delete only; preserved for audit; immutable DEC-16-08]
  E --> P
  N --> Q{Lifecycle event}
  Q -- post-closure issue --> R[Reopen: executive authority + reason DEC-16-22 SoD-16-06 → INVESTIGATING]
  Q -- normal --> S[Terminal closed]
  N -.if critical batch-affecting.-> T[URS-23 batch flag triggered DEC-16-17]
  D -.advisory.-> U[Static deterministic similarity / severity / classification suggestion ARCH-AI-001 AC-2]
  H -.Annex 22.-> V[NO GenAI in classification / severity / closure decision per DEC-16-19]
```

Diagram Appendix A — Module 16 End-to-End Composite. Discover → submit (or void from draft) → investigation with cross-module linkage → severity-driven closure matrix per DEC-16-06 (minor / major / critical with executive authority co-sign per DEC-16-21 + SoD-16-07) → CLOSED with parent + children immutable per DEC-16-08 → executive-authority-cosigned reopen path per DEC-16-22 + SoD-16-06; void workflow per DEC-16-09 with reason + authority + e-sign + SoD-16-05; URS-23 batch flag per DEC-16-17. Verixa treats EU GMP Annex 22 Draft 2025 and EU AI Act high-risk / transparency concepts as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise; under the internal control, generative AI is prohibited in critical decisions and the module is internally classified high-risk AI. ARCH-AI-001 governs advisory deterministic AI. Binding predicate-rule obligations remain those listed in §14.
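The severity-driven closure gate in the diagram above, as an added Python example that is not Verixa's own code. The role keys, the function and class names, and every status code other than the HTTP 403 for SoD-16-07 are assumptions; SoD-16-07 is read here as "the executive co-signer must differ from every other closure signer".

```python
from dataclasses import dataclass

# Signer roles per severity, read off the Appendix A diagram (DEC-16-06, DEC-16-21).
# The role keys are hypothetical names chosen for this example.
CLOSURE_MATRIX = {
    "minor": {"investigator", "qa"},
    "major": {"investigator", "qa", "practice_lead"},
    "critical": {"investigator", "qa", "practice_lead", "executive_authority"},
}
IMMUTABLE_STATES = {"CLOSED", "VOIDED"}  # DEC-16-08


@dataclass(frozen=True)
class Decision:
    status: int  # HTTP-style status; only the SoD 403 is taken from the diagram
    reason: str


def evaluate_closure(state, severity, conclusion_signed, signatures):
    """Decide whether a deviation may move to CLOSED.

    signatures maps role -> id of the user who e-signed in that role.
    """
    if state in IMMUTABLE_STATES:
        return Decision(409, f"{state} record is immutable")
    if state != "INVESTIGATING" or not conclusion_signed:
        return Decision(409, "signed investigation conclusion required")
    required = CLOSURE_MATRIX.get(severity)
    if required is None:
        # Fail closed: an unknown severity must never fall back to the minor matrix.
        return Decision(422, "unknown severity")
    signed = {r: u for r, u in signatures.items() if u}  # ignore empty signatures
    missing = sorted(required - set(signed))
    if missing:
        return Decision(403, "missing signatures: " + ", ".join(missing))
    if severity == "critical":
        executive = signed["executive_authority"]
        others = {u for r, u in signed.items() if r != "executive_authority"}
        if executive in others:
            return Decision(403, "SoD-16-07: executive co-signer also signed closure")
    return Decision(200, "CLOSED")


# Constructed sample: a critical deviation where one user holds two signatures.
if __name__ == "__main__":
    sigs = {"investigator": "u1", "qa": "u2", "practice_lead": "u3",
            "executive_authority": "u2"}
    print(evaluate_closure("INVESTIGATING", "critical", True, sigs))
```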

— End of Module 16 User Requirements Specification —
