# Verixa — User Requirements Specification

# Module 25: Environmental Monitoring

| Field | Value |
|---|---|
| Document ID | VRX-URS-25 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, Manufacturing Head, Microbiology Lead, Site Quality Lead, Qualified Person Authority, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-25-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `environmental`, expected API mounts `/api/v1/environmental/*` (canonical), expected supporting modules `studies`, `context-filter`, `rbac`, `audit-log`, `authority`, `electronic_signatures`, `hitl`, `documents`, expected event-bus emission for `em_schedule_created`, `em_schedule_updated`, `em_location_added`, `em_alert_limit_proposed`, `em_alert_limit_approved`, `em_alert_limit_effective`, `em_result_recorded`, `em_result_reviewed`, `em_result_approved`, `em_excursion_created`, `em_excursion_investigation_linked`, `em_excursion_closed`, `em_lims_imported`, `em_lims_reconciliation_logged`, `em_trend_dataset_refreshed`, `em_program_locked`, `em_program_reopened`, expected MIRA context integration through `useMiraRecord('em_schedule', id)`, `useMiraRecord('em_result', id)`, and `useMiraRecord('em_excursion', id)` mappings, expected OOS/OOT-source emission consumed by URS-15 (`em_excursion` source type) for excursion-precipitated OOS where applicable, expected findings-source emission consumed by URS-21 (`em_finding` source type), expected CAPA-source emission consumed by URS-18 (`em_excursion` source type), expected deviation-source emission consumed by URS-16 (`em_excursion_deviation` source type) — primary downstream consumer for excursion-precipitated investigations, expected risk-source emission consumed by URS-19 (EM-precipitated risk), expected URS-13 change-control linkage for alert/action/spec limit effective release, expected URS-12 document-control SOP citation linkage on EM schedules, expected URS-23 batch-record consumer for batch-context EM evidence (cleanroom EM tied to batch manufacture), expected URS-24 stability consumer for chamber EM evidence, expected URS-26 APQR consumer for periodic EM trending summary, expected URS-22 inspection-readiness export consumer, expected Authority Profile + HITL + e-signature integration for non-bypassable result approval, alert/action/spec limit release, excursion closure, program lock, and reopen, expected platform_admin / super_admin support / break-glass only paths. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity**. Verixa internally classifies this AI surface as **high-risk under internal AI governance**, aligned with the high-risk classification approach in **EU AI Act (Regulation 2024/1689) Annex III**, unless a jurisdiction-specific legal assessment determines otherwise — escalated under Annex III where AI output supports excursion classification (URS-16), CAPA disposition (URS-18), or batch release-decision input (URS-23). AI-assisted EM surfaces (AI EM trending, AI excursion classification suggestion, AI predictive alerting on alert/action limit trend, MIRA EM copilot) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles. Every AI surface shall provide a fully functional manual schedule, sampling, recording, review, approval, excursion handling, and closure path; EM schedule definition, sampling location registration, alert/action/spec limit proposal and approval, result recording, result review, result approval, excursion handling, and program close shall be executable when AI services are disabled, degraded, or overridden by the EM reviewer. **No AI service shall be the sole path to approve an EM result, release an alert/action/spec limit, classify an excursion, or close an EM program; a qualified human EM reviewer or Microbiology authority shall sign the disposition.** This module binds ARCH-AI-001 AC-2, AC-3, AC-4, and AC-7. Verixa treats **EU GMP Annex 22 Draft 2025 §7** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, generative / probabilistic AI is **PROHIBITED** in EM result approval, alert/action/spec limit release decisions, excursion classification decisions, and EM program closure decision paths. Static deterministic AI may surface trending regressions, prior-excursion patterns by location/grade/time-of-day, and historical limit-trend patterns as advisory help; the human EM reviewer's signed disposition is the system of record. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical Environmental Monitoring (EM) program covering viable (microbial — settle plates, contact plates, active air, surface swabs, personnel monitoring) and non-viable (particulate, temperature, humidity, differential pressure) monitoring under EU GMP Annex 1 (revised 2022, effective 2023), 21 CFR Part 211 §211.42 (Design and construction features) and §211.46 (Ventilation, air filtration, air heating and cooling), USP <1116> (Microbiological Control and Monitoring of Aseptic Processing Environments), USP <797> (Pharmaceutical Compounding — Sterile Preparations), ISO 14644-1 (Cleanrooms — Classification of air cleanliness), ISO 14644-2 (Cleanrooms — Monitoring), and PIC/S PE 009-17 Annex 1; the EM-schedule lifecycle (`draft → effective → superseded → archived` with controlled supersession per DEC-25-06); the sampling-location registry with grade classification (ISO 14644-1 grade A / B / C / D and equivalent EU GMP Annex 1 Grade A / B / C / D); the alert/action/spec limit lifecycle (`draft → under_review → approved → effective → superseded` with bound e-signature per DEC-25-04 —); the result-recording lifecycle with automatic alert/action limit evaluation and **automatic excursion creation on limit exceedance** per DEC-25-05 (retained ALIGNED); the result review/approval lifecycle (`recorded → reviewed → approved` with bound e-signature per DEC-25-06 —); the excursion lifecycle (`open → under_investigation → linked_to_deviation → closed` with **non-bypassable closure gating requiring linked URS-16 deviation** per DEC-25-07 —); the LIMS-import provenance with idempotency via `lims_result_id` uniqueness, duplicate prevention, and reconciliation log per DEC-25-08; the trend-dataset generation governance with on-demand calculation and scheduled refresh per DEC-25-09; the multi-dimensional context capture (`tenant_id` mandatory, `study_id` mandatory —, `site_id` optional persisted on the `studies` parent, `batch_id` optional for batch-context EM, `chamber_id` optional for stability-chamber EM, `cleanroom_id` mandatory at sampling-location level); the canonical API contract `/api/v1/environmental/*`; the typed schema validation across every route with shared-schema/migration-contract alignment; the controlled frontend route surface with explicit page coverage for `/environmental/schedules`, `/environmental/locations`, `/environmental/results`, `/environmental/excursions/:id`, `/environmental/limits`; the deprecation of `sample_location_ids` denormalized field in favor of normalized `em_sampling_locations` only per DEC-25-03; the audit-trail coverage with reason-for-change discipline on every mutable record per DEC-25-11; the post-locked record immutability across the EM program lock; the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-25-22; the canonical findings-source emission to URS-21 for EM findings per DEC-25-15; the canonical CAPA-source emission to URS-18 with `em_excursion` source type per DEC-25-16; the canonical deviation-source emission to URS-16 for excursion-precipitated investigations per DEC-25-17 — primary downstream consumer; the canonical risk-source emission to URS-19 for EM-precipitated risk per DEC-25-18; the URS-23 batch-record release-decision input integration for cleanroom EM evidence; the URS-24 stability chamber EM integration; the URS-26 APQR periodic EM-trending summary integration; the URS-22 inspection-readiness export consumer; the MIRA copilot read-only context integration on EM records, and the per-jurisdictional regulatory expectations under FDA 21 CFR Part 11, FDA 21 CFR Part 211 §211.42 / §211.46 / §211.113 (Control of microbiological contamination), §211.84 (Testing and approval or rejection of components, drug product containers, and closures), EU GMP Annex 11, **EU GMP Annex 1 (revised 2022, effective 25 August 2023)** — primary predicate, EU GMP Annex 22 Draft 2025 §7 (HITL — internal forward-looking control), EU AI Act (Regulation 2024/1689) Art. 13 / Annex III (internal forward-looking control), MHRA Data Integrity Guidance (ALCOA+), GAMP 5 Cat 5, ICH Q9 (Quality Risk Management), ICH Q10 §3.2.1 (CAPA system), USP <1116> Microbiological Control and Monitoring of Aseptic Processing Environments, USP <797> Pharmaceutical Compounding — Sterile Preparations, ISO 14644-1 / ISO 14644-2 (Cleanroom classification and monitoring), PIC/S PE 009-17 Annex 1, WHO TRS Annex 6 (GMP for Sterile Pharmaceutical Products), and India CDSCO Schedule M (Revised) §11 / §12 (Sterile Products — Premises and Environmental Conditions) and Schedule M-III §3.3 (medical device sterile manufacture) subject to a future jurisdiction-specific legal assessment for Verixa's exact CDSCO obligations. |
| Date of Issue | 2026-05-07 |
| Module Owner (Engineering) | Quality / Environmental Monitoring Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — Environmental Monitoring |
| Module Owner (Compliance) | Quality Assurance, Microbiology, Manufacturing, Regulatory Affairs, Qualified Person Authority |
| Approving Authority | Founder / Chairman & MD; QA Head; Manufacturing Head; Microbiology Lead; Validation Head; RA Head; Information Security Head; Qualified Person (QP) Authority; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Environmental Monitoring (EM) module (Module 25). It is the binding contract between product, engineering, quality validation, regulatory affairs, manufacturing, microbiology, the Qualified Person authority, laboratory operations, distribution, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated EM substrate: the canonical EM schedule registry; the EM schedule lifecycle state machine (`draft → effective → superseded → archived` with controlled supersession per DEC-25-06); the sampling-location registry with EU GMP Annex 1 grade (A / B / C / D) and ISO 14644-1 cleanroom classification; the alert/action/spec limit lifecycle (`draft → under_review → approved → effective → superseded` with bound e-signature per DEC-25-04 —); the result-recording lifecycle with automatic alert/action limit evaluation and automatic excursion creation on limit exceedance per DEC-25-05; the result review/approval lifecycle (`recorded → reviewed → approved`) with bound e-signature per DEC-25-06; the excursion lifecycle (`open → under_investigation → linked_to_deviation → closed`) with non-bypassable closure gating requiring linked URS-16 deviation per DEC-25-07; the LIMS-import provenance with idempotency, duplicate prevention, and reconciliation log per DEC-25-08; the trend-dataset generation governance per DEC-25-09; the multi-dimensional context capture (`tenant_id`, `study_id` mandatory matching migration 034 NOT NULL, `cleanroom_id` mandatory at location level, `batch_id` / `chamber_id` optional); the canonical API contract `/api/v1/environmental/*`; the typed schema validation across every route; the frontend route surface with explicit page coverage; the deprecation of `sample_location_ids` denormalized field per DEC-25-03; the audit-trail coverage with reason-for-change discipline on every mutable record per DEC-25-11; the post-locked record immutability; the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-25-22; the canonical findings-source emission to URS-21 per DEC-25-15; the canonical CAPA-source emission to URS-18 with `em_excursion` source type per DEC-25-16; the canonical deviation-source emission to URS-16 — primary downstream consumer per DEC-25-17; the canonical risk-source emission to URS-19 per DEC-25-18; the URS-23 batch-record release-decision input integration; the URS-24 stability chamber EM integration; the URS-26 APQR integration; the URS-22 inspection-readiness export consumer; the MIRA copilot read-only context integration with **no GenAI in EM result approval / limit release / excursion classification / closure decision paths** under the internal Annex 22 §7 control; the audit trail coverage with reason-for-change discipline; and the per-jurisdictional regulatory expectations. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, RA, Manufacturing, Microbiology, Qualified Person Authority, Laboratory Operations, Distribution, Validation, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S, PMDA, WHO). The plain-language primer (§0.4) and worked examples (§3.5) make Module 25 accessible to non-domain engineers, product owners, validation engineers, and quality investigators.

### 0.3 Cross-references

- **URS-01** Authentication, Session & Access Control — identity envelope for every EM mutation
- **URS-02** RBAC & Permissions — the `environmental:*`, `environmental:schedule:*`, `environmental:location:*`, `environmental:limits:*`, `environmental:result:*`, `environmental:excursion:*`, `environmental:lims:*`, `environmental:trend:*` permission set
- **URS-03** Context Gate & Approval Scope — context-gate enforcement for EM scope dimensions
- **URS-04** Workflow / HITL / E-Signature / Approval Authority — Controlled Approval Modal contract for limit release / result approval / excursion closure / program lock / reopen
- **URS-05** Authority Profile / Delegation / SoD — Authority Profiles consumed (`em_schedule_authority`, `em_limit_authority`, `em_result_review_authority`, `em_result_approval_authority`, `em_excursion_closure_authority`, `microbiology_authority`, `qualified_person_authority`, `final_quality_approver`, `executive_authority`)
- **URS-06** Audit Trail / Hash Chain / Tamper-Evident — append-only audit substrate
- **URS-07** Study Management — mandatory study-scope dimension consumed
- **URS-08** Tenant Management Lifecycle — tenant context for EM records
- **URS-09** Site / Facility Management — site-scope inherited via `studies` parent
- **URS-10** Product / SKU / Drug Master Data — product context for batch-linked EM
- **URS-12** Document Control / SOP — affected-document linkage; SOP citation linkage on EM schedules; ISO / Annex 1 reference document
- **URS-13** Change Control — alert/action/spec limit effective-state release linkage; schedule effective-release linkage
- **URS-14** Complaints — complaint-trend linkage to EM investigation where applicable
- **URS-15** OOS / OOT — secondary linkage where excursion classification rises to OOS classification on the linked product / batch
- **URS-16** Deviations — **primary downstream consumer** for excursion-precipitated deviations per DEC-25-17
- **URS-17** RCA — RCA records for excursion root-cause analysis
- **URS-18** CAPA — primary downstream consumer for excursion CAPA via `em_excursion` source type per DEC-25-16
- **URS-19** Risk Assessment — EM-precipitated risk records per DEC-25-18
- **URS-20** Reviews — periodic EM-program review consumer
- **URS-21** Findings — primary downstream consumer for EM findings per DEC-25-15
- **URS-22** Inspection Mgmt — EM-record evidence retrieval source for inspections
- **URS-23** Batch Records — primary cleanroom EM evidence consumer for batch-record release-decision input (URS-23 BR-23-04 reference)
- **URS-24** Stability — chamber EM linkage to stability conditions per URS-24 BR-24-22
- **URS-25** Environmental Monitoring (this URS)
- **URS-26** APQR — primary periodic EM-trending summary consumer
- **URS-27** Regulatory Intelligence — predicate-rule citation source for EU GMP Annex 1 / ISO 14644 / USP <1116> / USP <797>
- **URS-28** Training — training-evidence consumer for EM personnel (gowning, aseptic technique)
- **URS-30** Notifications — notification delivery for EM lifecycle events
- **URS-31** DQG — data-quality gate evidence for EM-record completeness
- **URS-32** MIRA AI — read-only MIRA copilot context integration on EM records; **no LLM/GenAI in EM result approval / limit release / excursion classification / closure decisions** per Annex 22 §7 internal control
- **URS-33** GMP Manufacturing — primary GMP module integration for cleanroom EM
- **URS-34** GDP Distribution — released-batch distribution context
- **URS-35** Infrastructure / Backup-Restore — operational continuity

### 0.4 Plain-language primer

In a regulated pharmaceutical operation, **environmental monitoring (EM) is the routine surveillance of cleanroom and controlled environments to demonstrate that the facility, personnel, and processes are not introducing contamination into the product**. EM is the contamination-control system of record under EU GMP Annex 1 (revised 2022, effective 25 August 2023; primary predicate), 21 CFR Part 211 §211.42 / §211.46 / §211.113, USP <1116> for aseptic processing, USP <797> for pharmaceutical compounding, ISO 14644-1 for cleanroom classification (Grade A ≤ 1 µm = no particles permitted, Grade B/C/D scaled), and ISO 14644-2 for cleanroom monitoring. EM has two pillars: **viable monitoring** (microbial — settle plates, contact plates, active air samplers, surface swabs, personnel monitoring) and **non-viable monitoring** (particulate counts, temperature, humidity, differential pressure, recovery rate). Each pillar requires structured handling under predicate rules: (1) define an EM schedule (which locations, which sample types, which frequencies), (2) define alert/action/spec limits per location-grade-sample-type tuple, (3) execute sampling per the schedule, (4) record results with attributable analyst / instrument / LIMS-import provenance, (5) auto-create excursions on limit exceedance, (6) review and approve results, (7) link excursions to URS-16 deviations for controlled investigation, (8) close excursions only after the linked deviation closes (and CAPA is opened where required), (9) generate trend datasets for periodic review and APQR. Module 25 is the target specification for this regulated workflow.

The most common mistake in regulated EM handling is **closing an excursion without a linked deviation and full investigation**. The regulator's tell-tale at inspection is an excursion record with `closed` status and no `linked_deviation_id`. Module 25 enforces the pathway: excursions cannot transition to `closed` without a linked URS-16 deviation in terminal status per DEC-25-07. The second most common mistake is **alert/action limits going effective without controlled approval** despite the table having `approved_by` and `reason_for_change` fields. Module 25 enforces the pathway: alert/action/spec limits follow a controlled lifecycle (`draft → under_review → approved → effective → superseded`) with bound e-signature per DEC-25-04. The third most common mistake is **LIMS imports without idempotency** producing duplicate result rows on retries. Module 25 enforces the pathway: LIMS imports use `lims_result_id` uniqueness for idempotency with explicit reconciliation log per DEC-25-08.

The **AI-assistance** dimension is critical. Static deterministic AI (deterministic regression, control-chart logic) may surface "EM trending regression candidates" or "historical excursion patterns by location/grade/time-of-day" or "limit-trend advisory alerts" as advisory help; this is permitted under the internal Annex 22 §7 control. **Generative AI (LLMs / MIRA copilot) is PROHIBITED in EM result approval, alert/action/spec limit release decisions, excursion classification decisions, and EM program closure decision paths** under the internal Annex 22 §7 + EU AI Act Annex III internal forward-looking control. MIRA copilot may read closed EM records for read-only context via `useMiraRecord(.)` mappings but no AI service writes to `em_*` tables, and no AI service finalizes EM disposition. The qualified human EM reviewer's signed disposition is the system of record.

The **two-step release path** mirrors every other Module: this URS becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-25-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied.

### 0.5 Conventions

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD or MAY.

### 0.6 Glossary

| Term | Definition |
|---|---|
| EM schedule | The controlled-template document defining sampling locations, sample types (settle plate, contact plate, active air, surface swab, personnel, particulate, temperature, humidity, differential pressure), and frequencies for an EM program; lifecycle `draft → effective → superseded → archived`. |
| Sampling location | A registered cleanroom location with EU GMP Annex 1 grade (A / B / C / D) and ISO 14644-1 ISO class (e.g., ISO 5 / ISO 7 / ISO 8); registered under the schedule via the normalized `em_sampling_locations` table per DEC-25-03. |
| Alert limit | A limit that triggers heightened surveillance when exceeded; lower than action limit. |
| Action limit | A limit that requires immediate investigation when exceeded; per EU GMP Annex 1 / USP <1116>. |
| Spec limit | A regulatory-bound specification limit. |
| Excursion | An automatically-created record representing a result that exceeded an alert / action / spec limit; lifecycle `open → under_investigation → linked_to_deviation → closed`; closure gated by linked URS-16 deviation per DEC-25-07. |
| Trend dataset | A computed dataset of EM results over time aggregated by location/grade/sample-type; refreshed on schedule and on demand per DEC-25-09. |
| LIMS import | Result import from external LIMS (e.g., LabWare, STARLIMS); idempotent via `lims_result_id` uniqueness; reconciliation log persists failed/duplicate imports per DEC-25-08. |
| Cleanroom EM | EM tied to manufacturing cleanroom for batch-record release-decision input (URS-23). |
| Stability chamber EM | EM tied to stability chamber for stability-study context (URS-24). |
| Reopen | A governed transition event from `locked → in_progress` requiring `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new investigation iteration without mutating prior locked evidence per DEC-25-22. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface (AC-2, AC-3, AC-4, AC-7). |
| Annex 22 | EU GMP Annex 22 (Draft 2025) §7. Verixa treats Annex 22 §7 and EU AI Act high-risk / transparency concepts as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise. Under the internal control, generative / probabilistic AI is prohibited in EM result approval, limit release, excursion classification, and program closure decision paths. Binding predicate-rule obligations remain those listed in §14. |
| MIRA | The platform's read-only AI copilot service; for Module 25 MIRA is read-only context on EM records via `useMiraRecord(.)` mappings; no MIRA write paths; no LLM/GenAI in critical EM decisions. |

### 0.7 Module-25 architectural picture

```mermaid
flowchart TD
 AUTH[Schedule Author / Reviewer] --> SCH[/EM Schedules — controlled template/]
 SCH --> LOC[Sampling Locations — grade + ISO class]
 SCH --> LIM[Alert/Action/Spec Limits — controlled lifecycle + URS-13 CR]
 EX[EM Analyst] --> RES[Results — auto-evaluation against limits]
 RES -- limit exceedance --> EXC[/Excursions — auto-created/]
 RES --> REV[Result Review + Approval bound e-sign]
 EXC --> INV[Investigation linked to URS-16 deviation — non-bypassable closure gate]
 INV --> CAPA_LINK[CAPA via URS-18 with em_excursion source type]
 CLOSE[Excursion Close — bound e-sign + linked URS-16 terminal] --> EXC
 LIMS[LIMS Imports — idempotent + reconciliation] --> RES
 TRD[Trend datasets — governed refresh] --> RES
 M16[URS-16 Deviations — primary consumer] <-- EXC
 M18[URS-18 CAPA] <-- INV
 M19[URS-19 Risk Assessment] <-- EXC
 M21[URS-21 Findings] <-- EM-finding events
 M22[URS-22 Inspection] -- evidence retrieval --> SCH
 M23[URS-23 Batch Records] <-- RES (cleanroom EM evidence)
 M24[URS-24 Stability] <-- RES (chamber EM evidence)
 M26[URS-26 APQR] <-- TRD (periodic trending summary)
 M13[URS-13 Change Control] --> LIM (limit effective release); --> SCH (schedule release)
 M12[URS-12 Document Control] --> SCH (SOP citation)
 M27[URS-27 Regulatory Intelligence] --> SCH (Annex 1 / ISO 14644 / USP citation)
 M30[URS-30 Notifications] <-- EXC
 M32[URS-32 MIRA AI] <-- RES (read-only context — no GenAI in critical decisions)
 M33[URS-33 GMP] -- bound to --> SCH (cleanroom GMP)
 PROG[EM Program Lock] --> SCH
 PROG -. governed reopen + executive + QP co-sign.-> SCH
```

The platform shall implement: a controlled EM-schedule registry; a normalized sampling-location registry per DEC-25-03; a controlled alert/action/spec limit lifecycle with bound e-signature per DEC-25-04; result auto-evaluation against active limits with auto-created excursions on exceedance per DEC-25-05 (retained); result review/approval with bound e-signature per DEC-25-06; non-bypassable excursion closure gating requiring linked URS-16 deviation per DEC-25-07; LIMS-import idempotency + reconciliation per DEC-25-08; trend-dataset generation governance per DEC-25-09; mandatory `study_id` per DEC-25-02 alignment; canonical API contract `/api/v1/environmental/*` per DEC-25-01; typed schema validation per DEC-25-02; frontend route surface alignment per DEC-25-10; audit-trail coverage + reason-for-change per DEC-25-11; post-locked record immutability; governed reopen with executive + QP co-sign per DEC-25-22; canonical deviation-source emission to URS-16 (primary consumer) per DEC-25-17; canonical CAPA / findings / risk emissions per DEC-25-15.18; URS-23 cleanroom EM integration; URS-24 chamber EM integration; URS-26 APQR integration; MIRA copilot read-only with no GenAI in critical EM decisions; and per-jurisdictional regulatory expectations.

### 0.8 Locked Launch Controls

| Locked control | Authority | Rationale |
|---|---|---|
| Two-step release path: signature → engineering implementation → validation execution | DEC-25-01 / VAL-008 | Mirrors every other Module. |
| "No Module 25 internal decisions outstanding" | §11.6 | Captured in locked decisions DEC-25-01..DEC-25-23 (§3.2). |
| `platform_admin` / `super_admin` support / break-glass only | DEC-25-20 / SoD-25-07 | Operating-tenant EM ownership is the regulated path. |
| Target implementation binding language | Module bindings | URS specifies expected implementation. |
| AI overclaim posture as **internal forward-looking governance** with **GenAI prohibition in EM result approval / limit release / excursion classification / closure decisions** | Architecture Bindings | EU GMP Annex 22 Draft 2025 §7 + EU AI Act Annex III treated as internal controls. Static deterministic AI permitted; GenAI / LLMs prohibited in critical EM disposition. |
| Enumerated error codes | §6.7 | Stable machine-readable error contract. |
| JSON multi-signature evidence as **derived snapshot** | §6.6 | The `electronic_signatures` substrate is the system of record. |
| India CDSCO §11 / §12 row | §14 | India CDSCO Schedule M (Revised) §11 / §12 + Schedule M-III §3.3 sterile-product EM expectations subject to a future jurisdiction-specific legal assessment. |
| Version 1.0 posture | Header | First binding version. |
| Canonical API mount `/api/v1/environmental/*` | DEC-25-01 / ENV-001 | Frontend hooks use canonical relative `/environmental/*`. |
| Mandatory study scope alignment (`study_id` NOT NULL) | DEC-25-02 / ENV-002 | `createScheduleSchema` and `setAlertLimitsSchema` require `study_id`. |
| Context-filter alignment with persisted schema | DEC-25-02 / ENV-002 | `MODULE_CONTEXT_CONFIG.environmental` no longer references non-existent `site_id` column; site-scope inherited via `studies` parent. |
| `sample_location_ids` deprecation in favor of normalized `em_sampling_locations` | DEC-25-03 / ENV-003 | Denormalized `sample_location_ids` removed from schedule type; locations only via normalized child table. |
| Alert/action/spec limit controlled lifecycle with bound e-signature | DEC-25-04 / ENV-006 | `draft → under_review → approved → effective → superseded`; `em_limit_authority` + HITL + e-sign + URS-13 CR linkage. |
| Result auto-evaluation + auto-excursion creation | DEC-25-05 / ENV-004 |; Retention aligned. |
| Result review/approval with bound e-signature | DEC-25-06 / ENV-005 | `recorded → reviewed → approved`; `em_result_review_authority` + HITL + e-sign; dormant DB fields wired to controlled flow. |
| Non-bypassable excursion closure gating requiring linked URS-16 deviation | DEC-25-07 / ENV-007 | Excursion `closed` only with linked URS-16 deviation in terminal status. |
| LIMS-import idempotency + duplicate prevention + reconciliation log | DEC-25-08 / ENV-008 | `lims_result_id` UNIQUE constraint; reconciliation log for failed/duplicate imports. |
| Trend-dataset generation governance | DEC-25-09 / ENV-009 | Scheduled refresh + on-demand calculation; trend dataset is governed projection. |
| Frontend route surface alignment | DEC-25-10 / ENV-010 | `/environmental/schedules`, `/environmental/locations`, `/environmental/results`, `/environmental/excursions/:id`, `/environmental/limits` routes added. |
| Audit-trail coverage + reason-for-change discipline | DEC-25-11 / ENV-011 | LIMS-import / approval / effective-limit changes audited with reason-for-change. |
| Authority/HITL segregation for high-risk EM actions | DEC-25-12 / ENV-012 | `withAuthority(.)` integrated for limit release / result approval / excursion closure / program lock / reopen. |
| Bound e-signature persistence on every regulated final action | DEC-25-12 / DEC-25-23 | Limit release / result approval / excursion closure / program lock / governed reopen — all carry bound e-signature. |
| Governed reopen pattern (`locked → in_progress`) | DEC-25-22 / SoD-25-06 | Append-only iteration; executive + QP co-sign; does NOT mutate prior locked evidence. |

---

## 1. Scope and Out-of-Scope

### 1.1 In-scope

- The canonical EM-schedule registry and lifecycle.
- The normalized sampling-location registry with grade + ISO class.
- The alert/action/spec limit lifecycle with bound e-signature.
- The result-recording lifecycle with auto-evaluation and auto-excursion.
- The result review/approval lifecycle with bound e-signature.
- The excursion lifecycle with non-bypassable closure gating.
- The LIMS-import idempotency + reconciliation.
- The trend-dataset generation governance.
- The MIRA copilot read-only context integration (no GenAI in critical EM decisions).
- The findings emission to URS-21.
- The CAPA emission to URS-18.
- The deviation emission to URS-16 (primary consumer).
- The risk emission to URS-19.
- The change-control linkage to URS-13 for limit effective release and schedule release.
- The URS-23 batch-record release-decision input integration (cleanroom EM evidence).
- The URS-24 stability chamber EM integration.
- The URS-26 APQR periodic-trending integration.
- The URS-22 inspection-readiness export integration.
- The governed reopen workflow.
- The audit-trail coverage with reason-for-change discipline.
- The per-jurisdictional regulatory expectations.

### 1.2 Out-of-scope

- The deviations register itself (URS-16) — this URS emits excursion-precipitated deviation events; lifecycle is the URS-16 contract.
- The CAPA register itself (URS-18) — this URS emits excursion CAPA events; CAPA closure is the URS-18 contract.
- The findings register itself (URS-21) — this URS emits EM finding events; finding lifecycle is the URS-21 contract.
- The change-control register itself (URS-13).
- The document-control register itself (URS-12).
- The MIRA copilot service itself (URS-32).
- Direct cleanroom DCS / SCADA / BMS integration — out of scope for v1.0; tracked under URS-33 GMP and URS-35 infrastructure future-state.
- Vendor-specific LIMS API connectors (LabWare, STARLIMS) — generic LIMS-import provenance pattern in scope; vendor connectors are future-state.
- Cleanroom HVAC qualification register — tracked under URS-33 GMP.

---

## 2. Preconditions, Dependencies, Constraints

### 2.1 Operating preconditions

The following preconditions MUST hold for this URS to apply at validation time. Each bullet is a binding precondition; deviations require a controlled exception per URS-13 Change Control.

- The platform's authentication and session substrate (URS-01), RBAC (URS-02), context gate (URS-03), HITL / e-sign (URS-04), Authority Profile registry (URS-05), audit-trail hash-chain (URS-06), document-control (URS-12), change-control (URS-13), deviations (URS-16), CAPA (URS-18), findings (URS-21), risk assessment (URS-19), and MIRA AI (URS-32) are released and operational at validation time.
- EM analysts, microbiology authority, EM result reviewers, EM result approvers, Qualified Person are trained, attributable users with documented authority.
- AI-assisted EM surfaces are advisory only; the human EM reviewer's signed disposition is the system of record.
- The tenant operating jurisdiction(s) are configured and applicable predicate rules surface accordingly.

### 2.2 Dependencies

- URS-01.URS-24, URS-26.URS-35 platform contracts.
- The `electronic_signatures` substrate.
- The `authority` substrate.
- The `hitl` substrate.
- The `audit_trail` substrate.
- The `documents` substrate (URS-12).
- The `change_control` substrate (URS-13).
- The `deviations` substrate (URS-16).
- The `notifications` substrate (URS-30).

### 2.3 Constraints

- The canonical API mount is `/api/v1/environmental/*`. No frontend hook may use `/api/environmental/*` (extra `/api`).
- The EM module is study-scoped at schedule level (matching migration 034 `study_id NOT NULL`); site-scope inherited via `studies` parent.
- AI-assisted content is advisory-only; **no AI service finalizes EM result approval, limit release, excursion classification, or program closure**.
- Generative AI / LLMs are prohibited in EM result approval / limit release / excursion classification / closure decision paths under the internal Annex 22 §7 + EU AI Act Annex III control.
- Effective alert/action/spec limit versions are immutable; revisions create new version rows.
- Out-of-spec EM results MUST emit excursion records (retained per ENV-004 ALIGNED).
- Excursion closure is non-bypassable: requires linked URS-16 deviation in terminal status per DEC-25-07.

---

## 3. Closed Launch Decisions

### 3.1 Decision register

| Decision ID | Title | Locked decision |
|---|---|---|
| DEC-25-01 | Two-step release path | Module 25 follows the same two-step release path as every other Module. |
| DEC-25-02 | Mandatory study scope + context-filter alignment + typed schema | `study_id` is mandatory at schedule and limit level (matching migration 034 NOT NULL); `MODULE_CONTEXT_CONFIG.environmental` aligns with persisted schema (no `site_id` reference); shared schemas aligned (`createScheduleSchema`, `setAlertLimitsSchema` no longer allow nullable `study_id`); typed schema validation across every route. |
| DEC-25-03 | Sampling-location normalization | The denormalized `sample_location_ids` field is deprecated and removed from the EM schedule type; sampling locations are managed only via the normalized `em_sampling_locations` table. |
| DEC-25-04 | Alert/action/spec limit controlled lifecycle | Limit lifecycle is `draft → under_review → approved → effective → superseded`; release to `effective` requires `em_limit_authority` + HITL + bound e-signature + URS-13 change-request linkage; revisions create new version rows; superseded versions are immutable; `reason_for_change` mandatory on revisions. |
| DEC-25-05 | Result auto-evaluation + auto-excursion creation | retained: result recording auto-evaluates against active alert/action/spec limits and auto-creates excursion records on exceedance ALIGNED. |
| DEC-25-06 | Result review/approval with bound e-signature | Result lifecycle is `recorded → reviewed → approved`; review and approval gated by `em_result_review_authority` and `em_result_approval_authority` + HITL + bound e-signature; dormant DB fields (`reviewed_by`, `approved_by`, `approval_signature_ip`, `approval_signature_ua`) wired to controlled flow. |
| DEC-25-07 | Non-bypassable excursion closure gating | Excursion lifecycle is `open → under_investigation → linked_to_deviation → closed`; closure requires `em_excursion_closure_authority` + HITL + bound e-signature + linked URS-16 deviation in terminal status; the `closed` transition emits `em_excursion_closed` event. |
| DEC-25-08 | LIMS-import idempotency + duplicate prevention + reconciliation | LIMS-import uses `lims_result_id` UNIQUE constraint within tenant + LIMS source for idempotency; duplicate detection rejects already-imported records; failed/duplicate imports persisted in `em_lims_reconciliation_log`; per-record audit provenance preserved. |
| DEC-25-09 | Trend-dataset generation governance | Trend datasets are governed projections over `em_results`; refreshed on configurable schedule (default daily) and on demand by authorized users; generation logs persisted; trend records are immutable snapshots. |
| DEC-25-10 | Frontend route surface alignment | Frontend routes `/environmental/schedules`, `/environmental/locations`, `/environmental/results`, `/environmental/excursions/:id`, `/environmental/limits`, `/environmental/lims-import`, `/environmental/trends` are declared in `App.tsx`; dashboard CTAs resolve to real pages. |
| DEC-25-11 | Audit-trail coverage + reason-for-change discipline | All mutation routes emit audit-trail entries; LIMS-import per-record audit provenance preserved; approval and effective-limit changes capture reason-for-change in audit `details` JSON; material updates after draft require structured reason-for-change. |
| DEC-25-12 | Authority/HITL segregation for high-risk EM actions | Limit release, result approval, excursion closure, program lock, and reopen use `withAuthority(.)` + HITL + bound e-signature persisted via `electronic_signatures` substrate. |
| DEC-25-13 | Multi-dimensional context model | `tenant_id`, `study_id`, `cleanroom_id`, `batch_id` (optional for batch-context EM), `chamber_id` (optional for stability-chamber EM); child records inherit and persist parent context. |
| DEC-25-14 | EM schedule lifecycle | EM schedule lifecycle is `draft → effective → superseded → archived` with controlled supersession; release to `effective` requires `em_schedule_authority` + HITL + bound e-signature + URS-13 CR linkage. |
| DEC-25-15 | Findings emission to URS-21 | EM findings (e.g., recurring excursion patterns, control-chart trend findings) emit `em_finding_created` to URS-21 with `em_finding` source type. |
| DEC-25-16 | CAPA emission to URS-18 | EM excursion-precipitated CAPA emits `em_excursion_capa_linked` event consumed by URS-18 (`em_excursion` source type per URS-18 declared source set). |
| DEC-25-17 | Deviation emission to URS-16 (primary consumer) | EM excursions emit `em_excursion_deviation_created` event consumed by URS-16 (primary downstream consumer); URS-16 deviation closure is required for excursion closure per DEC-25-07. |
| DEC-25-18 | Risk emission to URS-19 | EM-precipitated risk records emit `em_risk_created` event consumed by URS-19. |
| DEC-25-19 | URS-13 change-control linkage | Schedule `draft → effective` and limit `under_review → effective` require URS-13 change-request linkage via `schedule_release_change_request_id` and `limit_release_change_request_id`. |
| DEC-25-20 | platform_admin / super_admin | `platform_admin` / `super_admin` are support / break-glass only paths. |
| DEC-25-21 | Reason-for-change on material updates | Captured per DEC-25-11. |
| DEC-25-22 | EM program reopen as governed transition | EM program `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends new investigation iteration without mutating prior locked evidence (consistent with M14.M24 reopen pattern). |
| DEC-25-23 | Bound e-signature on every regulated final action | Limit release, result approval, excursion closure, program lock, governed reopen — all carry bound e-signature persisted via `electronic_signatures` substrate. |

### 3.2 Locked-decision rationale narrative

The decisions above define the binding launch posture for Module 25 v1.0. The most consequential locked controls are: (a) DEC-25-02 anchors the module at study level and aligns `MODULE_CONTEXT_CONFIG.environmental`, `createScheduleSchema`, and the typed DB layer to one canonical set with the persisted schema; (b) DEC-25-04 adds controlled alert/action/spec-limit lifecycle with HITL + e-signature + URS-13 CR linkage; (c) DEC-25-06 wires `reviewed_by`, `approved_by`, `approval_signature_ip`, `approval_signature_ua` to a controlled result review/approval flow with bound e-signature; (d) DEC-25-07 mandates linked URS-16 deviation in terminal status before excursion closure; (e) DEC-25-08 adds `lims_result_id` UNIQUE constraint and a reconciliation log for LIMS import idempotency; (f) DEC-25-09 defines governed trend-dataset refresh and on-demand calculation; (g) DEC-25-22 defines reopen as a governed append-only transition consistent with the Module-14..-24 reopen pattern.

### 3.3 Closed launch decisions: cross-link to items

| Specification item ID | Specification item | Locked decision |
|---|---|---|
| ENV-001 | API contract standardization | DEC-25-01 |
| ENV-002 | Study scope + context-filter conflict | DEC-25-02 |
| ENV-003 | `sample_location_ids` denormalization | DEC-25-03 |
| ENV-004 | Auto-excursion (ALIGNED) | DEC-25-05 (retained) |
| ENV-005 | Result review/approval missing | DEC-25-06 |
| ENV-006 | Limit lifecycle missing | DEC-25-04 |
| ENV-007 | Excursion closure gating missing | DEC-25-07 |
| ENV-008 | LIMS provenance / idempotency missing | DEC-25-08 |
| ENV-009 | Trend dataset writer missing | DEC-25-09 |
| ENV-010 | Frontend route surface broken | DEC-25-10 |
| ENV-011 | Audit + reason-for-change gaps | DEC-25-11 / DEC-25-21 |
| ENV-012 | Authority/HITL missing on regulated finals | DEC-25-12 / DEC-25-23 |
| ENV-013 | Test evidence missing | §16 + §17 |

### 3.4 Locked-decision authority

Each locked decision is approved by the Founder / Chairman & MD on signature capture in the Document Approval block of this URS (§19). Decisions cannot be unlocked except through controlled URS revision under the URS change-control process and re-approval.

### 3.5 Worked examples

**Worked example 1 — EU GMP Annex 1 Grade A aseptic processing line.**
The Microbiology Lead authors EM schedule `EM-SCH-LineA-v3` for the Grade A / ISO 5 aseptic filling line covering active air (1 m³ per session), settle plates (4-hour exposure), contact plates, surface swabs (post-batch), particulate (continuous ≥ 0.5 µm and ≥ 5.0 µm), and personnel monitoring (gowning + glove-print) per EU GMP Annex 1. Sampling locations are registered via the normalized `em_sampling_locations` table per DEC-25-03 (e.g., `SmplLoc-LineA-FillingZone`, `SmplLoc-LineA-AccessZone`). Alert/action limits are proposed: viable air ≤ 1 CFU/m³ action, viable settle ≤ 1 CFU/4h action, particulate ≥ 0.5 µm ≤ 3520/m³ at-rest action per ISO 5 / Annex 1. Limits go through URS-13 change request CC-2026-0044; `em_limit_authority` releases limits to `effective` with HITL + bound e-signature per DEC-25-04. Schedule released to `effective` with `em_schedule_authority` + bound e-signature per DEC-25-14. During Batch BR-2026-08-15-001, the EM analyst records: 0 CFU/m³ active air (in spec); 0 CFU/4h settle (in spec); particulate ≥ 0.5 µm 3210/m³ (in spec); particulate ≥ 0.5 µm 3850/m³ at sampling location SmplLoc-LineA-FillingZone — exceeds action limit. Auto-excursion `EXC-2026-08-15-001` created per DEC-25-05; `em_excursion_deviation_created` event emitted to URS-16; URS-16 deviation `DEV-2026-08-15-007` opened (primary downstream consumer per DEC-25-17). Investigation finds HEPA filter integrity intact but recovery time exceeded due to door cycling; URS-17 RCA performed; URS-18 CAPA opened with `em_excursion` source type per DEC-25-16. Result is reviewed (`em_result_review_authority` + bound e-sign) and approved (`em_result_approval_authority` + bound e-sign) per DEC-25-06. URS-23 batch-record `BR-2026-08-15-001` consumes the EM evidence for release-decision input. After URS-16 deviation closes and URS-18 CAPA verifies, excursion transitions `linked_to_deviation → closed` with bound e-signature per DEC-25-07.

**Worked example 2 — LIMS import idempotency.**
A scheduled LIMS sync job imports 47 EM results from STARLIMS for 2026-08-16. The import payload includes `lims_result_id` for each record; `lims_import_hash` computed per record. 45 records insert successfully. 2 records have `lims_result_id` already present in `em_results` (re-sent retry from STARLIMS) — rejected as duplicates per DEC-25-08; reconciliation log persists `import_status = duplicate_rejected`. Operator reviews reconciliation log; 0 manual intervention required. The sync log records 47 attempted, 45 inserted, 2 duplicates_rejected, 0 errors.

**Worked example 3 — Trend dataset generation.**
The APQR consumer (URS-26) requests EM trend dataset for `Cleanroom-A` Grade-B viable air over Q3-2026. The trend job runs the configurable refresh; output dataset (`em_trend_dataset_id = TRD-2026-Q3-CRA-B-AIR`) is persisted with: count, mean, p95, max, action-limit exceedance count, alert-limit exceedance count, time-series points. Dataset is immutable snapshot; URS-26 consumer references the dataset ID in the APQR.

**Worked example 4 — Governed reopen of locked EM program.**
On `2027-04-15` an inspection finding (URS-22) reveals a previously closed excursion may have been classified incorrectly. The Manufacturing Head initiates a reopen for the locked EM program for that period; per DEC-25-22 + SoD-25-06, both `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason are required. On both co-signs the program transitions `locked → in_progress` and a new investigation iteration is appended; the prior locked evidence (excursions, results, deviations) is NOT mutated; the new iteration captures the additional investigation activity which may end with re-classification, re-approval, and re-lock cycles.

---

## 4. End-to-End User Journeys (28 launch journeys)

| # | Journey | Actor | Pre-condition | Path | Post-condition |
|---|---|---|---|---|---|
| 1 | Author EM schedule draft | Schedule Author | `environmental:schedule:create`; `study_id` resolved | Create schedule `(study_id, version=1)` in `draft`; add sampling locations; reference SOP citations | Schedule `draft`; audit entry |
| 2 | Release EM schedule to effective | Schedule Releaser | Schedule `draft` complete; URS-13 CR | HITL + bound e-sign + URS-13 CR linkage; transition `draft → effective`; supersede prior version | Schedule `effective`; prior `superseded`; bound e-signature; `em_schedule_*` event |
| 3 | Add sampling location | Schedule Author | Schedule `draft`; `em_sampling_locations` normalized table | Add location with grade (A/B/C/D) and ISO class (5/7/8) | Location persisted; audit entry |
| 4 | Propose alert/action/spec limit | Limit Author | `environmental:limits:create` | Propose limit `(location_id, sample_type, alert_value, action_value, spec_value)` in `draft` | Limit `draft`; audit entry |
| 5 | Submit limit for review | Limit Author | Limit `draft` | Transition `draft → under_review` | Limit `under_review`; audit entry |
| 6 | Approve limit | `em_limit_authority` | Limit `under_review` | HITL + bound e-sign; transition `under_review → approved` | Limit `approved`; audit entry |
| 7 | Release limit to effective | `em_limit_authority` + URS-13 CR | Limit `approved`; URS-13 CR linkage | HITL + bound e-sign + URS-13 CR linkage; transition `approved → effective`; supersede prior version | Limit `effective`; prior `superseded`; `em_alert_limit_effective` event |
| 8 | Record EM result (in spec) | EM Analyst | Schedule + limits effective | Record result; auto-evaluate against limits per DEC-25-05 | Result `recorded`; in spec; audit entry |
| 9 | Record EM result (out of spec) — auto excursion | EM Analyst | Limit exceedance | Record result; auto-create excursion per DEC-25-05; emit `em_excursion_deviation_created` to URS-16 (primary consumer) per DEC-25-17 | Result `recorded`; excursion `open`; URS-16 deviation created; audit entry |
| 10 | LIMS import results (idempotent) | LIMS Importer (system) | LIMS payload valid | Import results with `lims_result_id` UNIQUE per DEC-25-08; duplicates rejected; reconciliation log | Results inserted; duplicates logged; audit per record |
| 11 | LIMS import duplicate rejection | LIMS Importer (system) | `lims_result_id` already present | Reject duplicate; persist reconciliation log entry | Reconciliation log entry persisted; no insert |
| 12 | Review EM result | `em_result_review_authority` (SoD-distinct from recorder) | Result `recorded` | HITL + bound e-sign per DEC-25-06; transition `recorded → reviewed` | Result `reviewed`; bound e-signature; audit entry |
| 13 | Approve EM result | `em_result_approval_authority` (SoD-distinct from reviewer) | Result `reviewed` | HITL + bound e-sign per DEC-25-06; transition `reviewed → approved` | Result `approved`; bound e-signature; `em_result_approved` event |
| 14 | Investigate excursion | Microbiology Authority | Excursion `open` | Transition `open → under_investigation`; capture investigation evidence | Excursion `under_investigation`; audit entry |
| 15 | Link excursion to URS-16 deviation | Microbiology Authority | Excursion `under_investigation`; URS-16 deviation created | Persist `linked_deviation_id`; transition `under_investigation → linked_to_deviation` | Excursion `linked_to_deviation`; URS-16 linkage immutable; audit entry |
| 16 | Open URS-18 CAPA from excursion | URS-16 lifecycle | Deviation requires CAPA | Emit `em_excursion_capa_linked` to URS-18 with `em_excursion` source type per DEC-25-16 | URS-18 CAPA created; linkage immutable |
| 17 | Close excursion | `em_excursion_closure_authority` | Excursion `linked_to_deviation`; linked URS-16 deviation in terminal status per DEC-25-07 | HITL + bound e-sign + linked-deviation terminal check; transition `linked_to_deviation → closed` | Excursion `closed`; bound e-signature; `em_excursion_closed` event; cannot close without URS-16 terminal |
| 18 | Generate trend dataset on demand | Trend Generator (system or authorized user) | EM data exists | Generate immutable trend dataset snapshot per DEC-25-09 | Trend dataset persisted; `em_trend_dataset_refreshed` event |
| 19 | Scheduled trend dataset refresh | Trend Refresh Job | Daily schedule | Generate trend datasets per configured schedule | Trend datasets refreshed; audit entry |
| 20 | Consume EM evidence for batch release | URS-23 Batch Record | Batch in `pending_release` | URS-23 reads cleanroom EM evidence for batch context | URS-23 batch-record release-decision input populated |
| 21 | Consume chamber EM evidence for stability | URS-24 Stability | Stability study `in_progress` | URS-24 reads chamber EM context | URS-24 study has chamber EM context |
| 22 | Generate APQR EM trending summary | URS-26 APQR | APQR period | URS-26 consumes trend datasets per DEC-25-09 | APQR EM trending summary populated |
| 23 | Lock EM program | Final Quality Approver | EM program close | HITL + bound e-sign; transition to `locked` per DEC-25-23 | EM program `locked`; immutable; `em_program_locked` event |
| 24 | Reopen locked EM program (governed transition) | Manufacturing Head + Executive Authority + Qualified Person | EM program `locked`; documented reason | Executive co-sign AND QP co-sign; transition `locked → in_progress`; append new iteration row per DEC-25-22 | EM program `in_progress`; new iteration appended; prior locked evidence NOT mutated; bound e-signature; `em_program_reopened` event |
| 25 | Apply context filter on EM query | Reader | `environmental:read`; study context active | Query filtered by `study_id` per DEC-25-02 | Study-scoped results; no invalid SQL |
| 26 | Cross-tenant `platform_admin` break-glass | platform_admin | Documented reason | Cross-tenant EM coordination access; logged | Break-glass action logged in platform support audit per DEC-25-20 |
| 27 | Emit EM finding to URS-21 | System (event) | EM finding triggered | Emit `em_finding_created` to URS-21 | URS-21 standalone finding created |
| 28 | Emit EM-precipitated risk to URS-19 | System (event) | EM risk pattern triggered | Emit `em_risk_created` to URS-19 | URS-19 risk record created |

---

## 5. Front-end Requirements

### 5.1 EM Dashboard

The EM dashboard (URS-25-FE-001) renders summary cards (open excursions, pending result reviews, pending limit approvals, recent trends), upcoming sampling sessions, and recent excursions with filters by study, cleanroom, location, grade, sample type, date range; uses canonical `/environmental/*` hooks per DEC-25-01.

### 5.2 EM Schedule Console

The EM schedule console (URS-25-FE-002) supports schedule draft authoring with full sampling-location editor (normalized per DEC-25-03); release flow with HITL + e-signature gates linked to URS-13 change-request selection; new route `/environmental/schedules` per DEC-25-10.

### 5.3 Sampling Location Console

The sampling-location console (URS-25-FE-003) supports location registration with grade (A/B/C/D), ISO class (5/7/8), cleanroom binding; new route `/environmental/locations` per DEC-25-10.

### 5.4 Limit Console

The limit console (URS-25-FE-004) supports limit lifecycle `draft → under_review → approved → effective → superseded` with HITL + bound e-signature ceremony per DEC-25-04; new route `/environmental/limits` per DEC-25-10.

### 5.5 Result Capture Form

The result capture form (URS-25-FE-005) supports result entry with sampling-location selection; auto-evaluation badge display; out-of-limit results automatically open excursion view; new route `/environmental/results` per DEC-25-10.

### 5.6 Result Review/Approval Console

The result review/approval console (URS-25-FE-006) renders pending results with bound e-signature ceremony for review and approval per DEC-25-06.

### 5.7 Excursion Detail

The excursion detail (URS-25-FE-007) renders excursion lifecycle, linked URS-16 deviation, linked URS-18 CAPA, investigation evidence; closure ceremony with bound e-signature + linked-deviation terminal check per DEC-25-07; new route `/environmental/excursions/:id` per DEC-25-10.

### 5.8 LIMS Import Console

The LIMS import console (URS-25-FE-008) supports LIMS-payload upload with idempotency + reconciliation log per DEC-25-08; reconciliation surface for failed/duplicate imports; new route `/environmental/lims-import` per DEC-25-10.

### 5.9 Trend Console

The trend console (URS-25-FE-009) renders trend datasets with on-demand refresh and configurable scheduled refresh per DEC-25-09; new route `/environmental/trends` per DEC-25-10.

### 5.10 MIRA Copilot Integration

MIRA copilot (URS-25-FE-010) is read-only context on EM records via `useMiraRecord('em_schedule', id)`, `useMiraRecord('em_result', id)`, `useMiraRecord('em_excursion', id)`. **No MIRA write paths to EM tables; no LLM/GenAI in critical EM decisions.** MIRA may surface advisory information (similar prior excursions, historical limit-trend patterns) labeled as advisory.

### 5.11 Accessibility

WCAG 2.1 AA accessible.

---

## 6. Back-end Requirements

### 6.1 Module structure

`packages/backend/src/modules/environmental/` with `plugin.ts`, `routes.ts` (typed schemas — per DEC-25-02), `service.ts` (auto-evaluation retained per DEC-25-05; result review/approval added per DEC-25-06; excursion closure gating per DEC-25-07; LIMS-import idempotency per DEC-25-08; trend governance per DEC-25-09; audit-trail coverage + reason-for-change), `schemas.ts` (aligned with migration 034 per DEC-25-02), `events.ts` (event emission for `em_schedule_*`, `em_alert_limit_*`, `em_result_*`, `em_excursion_*`, `em_lims_*`, `em_trend_dataset_refreshed`, `em_program_*`, `em_finding_created`, `em_excursion_deviation_created`, `em_excursion_capa_linked`, `em_risk_created`).

### 6.2 Data model

#### 6.2.1 `em_sampling_schedules`

`id`, `tenant_id`, `study_id` (NOT NULL FK per DEC-25-02), `schedule_code`, `title`, `version` (INTEGER NOT NULL), `effective_from`, `effective_to`, `supersedes_schedule_id` (self-FK nullable), `schedule_release_change_request_id` (FK to URS-13 per DEC-25-19), `approved_by`, `approved_at`, `e_signature_id` (FK), `status` (ENUM `draft` / `effective` / `superseded` / `archived`), audit columns. Note: deprecated denormalized `sample_location_ids` field is removed per DEC-25-03. Uniqueness `(tenant_id, study_id, schedule_code, version)`. RLS enabled.

#### 6.2.2 `em_sampling_locations`

`id`, `tenant_id`, `schedule_id` (FK), `location_code`, `location_name`, `cleanroom_id` (FK), `grade` (ENUM `A` / `B` / `C` / `D`), `iso_class` (ENUM `iso_5` / `iso_7` / `iso_8` / `iso_other`), `sample_types` (TEXT[] — e.g., `active_air`, `settle_plate`, `contact_plate`, `surface_swab`, `personnel`, `particulate`, `temperature`, `humidity`, `differential_pressure`), audit columns.

#### 6.2.3 `em_alert_limits`

`id`, `tenant_id`, `study_id` (NOT NULL FK per DEC-25-02), `location_id` (FK), `sample_type`, `alert_value`, `action_value`, `spec_value`, `value_unit`, `version`, `effective_from`, `effective_to`, `supersedes_limit_id` (self-FK nullable), `limit_release_change_request_id` (FK to URS-13 per DEC-25-19), `approved_by`, `approved_at`, `e_signature_id` (FK), `reason_for_change` (TEXT nullable per DEC-25-21), `status` (ENUM `draft` / `under_review` / `approved` / `effective` / `superseded`), audit columns.

#### 6.2.4 `em_results`

`id`, `tenant_id`, `study_id` (NOT NULL FK), `location_id` (FK), `batch_id` (FK nullable for batch-context EM), `chamber_id` (FK nullable for stability-chamber EM), `sample_type`, `sampled_at`, `recorded_by`, `recorded_at`, `result_value_numeric`, `result_value_text`, `result_unit`, `applied_alert_value`, `applied_action_value`, `applied_spec_value`, `applied_limit_id` (FK), `is_alert_exceeded` (BOOLEAN), `is_action_exceeded` (BOOLEAN), `is_spec_exceeded` (BOOLEAN), `excursion_id` (FK to `em_excursions` nullable — populated on auto-excursion per DEC-25-05), `lims_result_id` (TEXT nullable), `lims_source` (TEXT nullable), `lims_import_hash` (TEXT nullable), `imported_by` (FK nullable), `imported_at` (TIMESTAMPTZ nullable), `reviewed_by` (FK nullable), `reviewed_at` (TIMESTAMPTZ nullable), `review_e_signature_id` (FK nullable), `approved_by` (FK nullable), `approved_at` (TIMESTAMPTZ nullable), `approval_e_signature_id` (FK nullable), `approval_signature_ip` (TEXT nullable), `approval_signature_ua` (TEXT nullable), `status` (ENUM `recorded` / `reviewed` / `approved`), audit columns. UNIQUE `(tenant_id, lims_source, lims_result_id)` per DEC-25-08.

#### 6.2.5 `em_excursions`

`id`, `tenant_id`, `study_id` (FK), `result_id` (FK), `location_id` (FK), `excursion_severity` (ENUM `alert` / `action` / `spec`), `linked_deviation_id` (FK to URS-16 nullable — required for closure per DEC-25-07), `linked_capa_id` (FK to URS-18 nullable), `investigation_id` (FK nullable), `root_cause_identified` (TEXT nullable), `corrective_action` (TEXT nullable), `remediation_due_date`, `remediation_completed_date`, `closed_by` (FK nullable), `closed_at` (TIMESTAMPTZ nullable), `closure_e_signature_id` (FK nullable), `status` (ENUM `open` / `under_investigation` / `linked_to_deviation` / `closed`), audit columns.

#### 6.2.6 `em_lims_sync_log`

`id`, `tenant_id`, `lims_source`, `sync_started_at`, `sync_completed_at`, `attempted_count`, `inserted_count`, `duplicates_rejected_count`, `errors_count`, `initiated_by`, audit columns.

#### 6.2.7 `em_lims_reconciliation_log`

`id`, `tenant_id`, `sync_log_id` (FK), `lims_result_id`, `lims_import_hash`, `import_status` (ENUM `inserted` / `duplicate_rejected` / `validation_failed` / `error`), `error_message` (TEXT nullable), `recorded_at`, audit columns.

#### 6.2.8 `em_trend_datasets`

`id`, `tenant_id`, `study_id` (FK), `cleanroom_id` (FK nullable), `grade`, `sample_type`, `period_start`, `period_end`, `count`, `mean`, `p95`, `max`, `alert_exceedance_count`, `action_exceedance_count`, `spec_exceedance_count`, `time_series` (JSONB), `formula_version`, `generated_by`, `generated_at`, audit columns. Immutable snapshot per DEC-25-09.

#### 6.2.9 `em_program_locks`

`id`, `tenant_id`, `study_id` (FK), `period_start`, `period_end`, `locked_by`, `locked_at`, `lock_e_signature_id` (FK), `reopened_at` (TIMESTAMPTZ nullable), `reopened_by` (FK nullable), `reopen_executive_co_signer` (FK nullable per DEC-25-22), `reopen_qp_co_signer` (FK nullable per DEC-25-22), `reopen_reason` (TEXT nullable), audit columns.

#### 6.2.10 RLS

All Module 25 tables have RLS enabled.

### 6.3 API contract

| Route | Method | Permission | Status |
|---|---|---|---|
| `/api/v1/environmental/schedules` | GET / POST | `environmental:schedule:read` / `environmental:schedule:create` | (typed schema) |
| `/api/v1/environmental/schedules/:id` | GET / PATCH (draft only) | `environmental:schedule:read` / `environmental:schedule:update` | |
| `/api/v1/environmental/schedules/:id/release` | POST | `em_schedule_authority` + HITL + bound e-sign + URS-13 CR linkage | target route per DEC-25-14 / DEC-25-19 |
| `/api/v1/environmental/locations` | GET / POST | `environmental:location:read` / `environmental:location:create` | (normalized per DEC-25-03) |
| `/api/v1/environmental/locations/:id` | GET / PATCH | `environmental:location:read` / `environmental:location:update` | (audit per DEC-25-11) |
| `/api/v1/environmental/limits` | GET / POST | `environmental:limits:read` / `environmental:limits:create` | |
| `/api/v1/environmental/limits/:id` | GET / PATCH (draft only) | `environmental:limits:read` / `environmental:limits:update` | |
| `/api/v1/environmental/limits/:id/release` | POST | `em_limit_authority` + HITL + bound e-sign + URS-13 CR linkage per DEC-25-04 / DEC-25-19 | target route |
| `/api/v1/environmental/results` | GET / POST | `environmental:result:read` / `environmental:result:create` (auto-evaluation per DEC-25-05) | |
| `/api/v1/environmental/results/:id` | GET / PATCH | `environmental:result:read` / `environmental:result:update` | |
| `/api/v1/environmental/results/:id/review` | POST | `em_result_review_authority` + HITL + bound e-sign per DEC-25-06 | target route |
| `/api/v1/environmental/results/:id/approve` | POST | `em_result_approval_authority` + HITL + bound e-sign per DEC-25-06 | target route |
| `/api/v1/environmental/excursions` | GET | `environmental:excursion:read` | |
| `/api/v1/environmental/excursions/:id` | GET / PATCH | `environmental:excursion:read` / `environmental:excursion:update` | |
| `/api/v1/environmental/excursions/:id/start-investigation` | POST | `microbiology_authority` | target route |
| `/api/v1/environmental/excursions/:id/link-deviation` | POST | `microbiology_authority` (links URS-16 deviation) | target route per DEC-25-17 |
| `/api/v1/environmental/excursions/:id/link-capa` | POST | `microbiology_authority` (emits `em_excursion_capa_linked`) | target route per DEC-25-16 |
| `/api/v1/environmental/excursions/:id/close` | POST | `em_excursion_closure_authority` + HITL + bound e-sign + linked URS-16 deviation in terminal status per DEC-25-07 | target route |
| `/api/v1/environmental/lims-imports` | POST | `environmental:lims:import` (idempotent per DEC-25-08) | |
| `/api/v1/environmental/lims-imports/:syncLogId/reconciliation` | GET | `environmental:lims:read` | target route |
| `/api/v1/environmental/trends` | GET | `environmental:trend:read` | |
| `/api/v1/environmental/trends/refresh` | POST | `environmental:trend:refresh` (on-demand per DEC-25-09) | target route |
| `/api/v1/environmental/program-locks` | POST | `final_quality_approver` + HITL + bound e-sign | target route |
| `/api/v1/environmental/program-locks/:id/reopen` | POST | `executive_authority` co-sign AND `qualified_person_authority` co-sign + HITL + reason per DEC-25-22 | target route |

### 6.4 Workflow

#### 6.4.1 EM schedule lifecycle

```mermaid
stateDiagram-v2
 [*] --> draft: create
 draft --> effective: release (em_schedule_authority + HITL + e-sign + URS-13 CR)
 effective --> superseded: revise (new version)
 superseded --> archived: archive
```

#### 6.4.2 Limit lifecycle

```mermaid
stateDiagram-v2
 [*] --> draft: create
 draft --> under_review: submit for review
 under_review --> approved: approve (em_limit_authority + HITL + e-sign)
 approved --> effective: release (URS-13 CR linkage)
 effective --> superseded: revise (new version)
```

#### 6.4.3 Result lifecycle

```mermaid
stateDiagram-v2
 [*] --> recorded: record (auto-evaluate against limits; auto-create excursion if exceeded — DEC-25-05)
 recorded --> reviewed: review (em_result_review_authority + HITL + e-sign)
 reviewed --> approved: approve (em_result_approval_authority + HITL + e-sign)
```

#### 6.4.4 Excursion lifecycle

```mermaid
stateDiagram-v2
 [*] --> open: auto-create on result exceedance
 open --> under_investigation: start investigation
 under_investigation --> linked_to_deviation: link URS-16 deviation
 linked_to_deviation --> closed: close (em_excursion_closure_authority + HITL + e-sign + linked URS-16 terminal — DEC-25-07)
```

#### 6.4.5 EM program lock lifecycle

```mermaid
stateDiagram-v2
 [*] --> active
 active --> locked: lock (final_quality_approver + HITL + e-sign)
 locked --> in_progress: governed reopen (executive + QP co-sign + reason — DEC-25-22)
```

### 6.5 Business rules

- BR-25-01: EM schedule uniqueness `(tenant_id, study_id, schedule_code, version)` per DEC-25-02 / DEC-25-14.
- BR-25-02: EM schedule release requires `em_schedule_authority` + HITL + bound e-sign + URS-13 CR linkage per DEC-25-14 / DEC-25-19.
- BR-25-03: Effective EM schedule is immutable; revisions create new version rows.
- BR-25-04: Sampling locations registered only via normalized `em_sampling_locations` table per DEC-25-03; denormalized `sample_location_ids` deprecated.
- BR-25-05: Alert/action/spec limit lifecycle is `draft → under_review → approved → effective → superseded` per DEC-25-04.
- BR-25-06: Limit release requires `em_limit_authority` + HITL + bound e-sign + URS-13 CR linkage per DEC-25-04 / DEC-25-19.
- BR-25-07: Result auto-evaluation against active limits + auto-excursion creation on exceedance per DEC-25-05 (retained).
- BR-25-08: Result review and approval require `em_result_review_authority` and `em_result_approval_authority` respectively + HITL + bound e-sign per DEC-25-06.
- BR-25-09: Excursion closure non-bypassable: requires `em_excursion_closure_authority` + HITL + bound e-sign + linked URS-16 deviation in terminal status per DEC-25-07.
- BR-25-10: LIMS-import idempotency: UNIQUE `(tenant_id, lims_source, lims_result_id)`; duplicates rejected and logged in `em_lims_reconciliation_log` per DEC-25-08.
- BR-25-11: Trend datasets are immutable snapshots refreshed on schedule + on-demand per DEC-25-09.
- BR-25-12: `study_id` mandatory at schedule and limit level per DEC-25-02.
- BR-25-13: Material updates after draft require structured reason-for-change per DEC-25-21.
- BR-25-14: Bound e-signature persistence on every regulated final action per DEC-25-23.
- BR-25-15: Excursion-precipitated deviation events emitted to URS-16 (primary consumer) per DEC-25-17.
- BR-25-16: Excursion CAPA linkage emits `em_excursion_capa_linked` to URS-18 (`em_excursion` source type) per DEC-25-16.
- BR-25-17: EM findings emit `em_finding_created` to URS-21 per DEC-25-15.
- BR-25-18: EM-precipitated risks emit `em_risk_created` to URS-19 per DEC-25-18.
- BR-25-19: EM program reopen `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason per DEC-25-22.
- BR-25-20: `platform_admin` / `super_admin` are support / break-glass only paths per DEC-25-20.
- BR-25-21: **No LLM/GenAI in EM result approval / limit release / excursion classification / closure decision paths**; static deterministic AI permitted as advisory.
- BR-25-22: Result reviewer MUST NOT be result recorder per SoD-25-02; result approver MUST NOT be reviewer per SoD-25-03.

### 6.6 Audit trail

Every Module 25 record mutation persists an audit-trail entry via `auditTrailService.log(.)`. Material updates after draft persist `reason_for_change` per DEC-25-21. LIMS-import operations persist per-record audit provenance. Regulated final actions persist a bound e-signature via the `electronic_signatures` substrate; the JSON multi-signature evidence in the audit-trail `details` JSON is a derived snapshot. Append-only.

### 6.7 Error handling

| Code | HTTP | Meaning |
|---|---|---|
| `ENV_VALIDATION_FAILED` | 400 | Schema validation failure |
| `ENV_UNAUTHORIZED` | 401 | Authentication required |
| `ENV_FORBIDDEN` | 403 | RBAC denied |
| `ENV_NOT_FOUND` | 404 | Resource not found |
| `ENV_DUPLICATE_KEY` | 409 | Uniqueness violation |
| `ENV_LIMS_DUPLICATE` | 409 | LIMS `lims_result_id` already imported per DEC-25-08 |
| `ENV_INVALID_TRANSITION` | 422 | Lifecycle transition not permitted |
| `ENV_SCHEDULE_NOT_EFFECTIVE` | 422 | Result recording against non-effective schedule |
| `ENV_LIMIT_NOT_EFFECTIVE` | 422 | Auto-evaluation against non-effective limit |
| `ENV_LIMIT_CHANGE_REQUEST_REQUIRED` | 422 | Limit release without URS-13 CR |
| `ENV_SCHEDULE_CHANGE_REQUEST_REQUIRED` | 422 | Schedule release without URS-13 CR |
| `ENV_EXCURSION_DEVIATION_REQUIRED` | 422 | Excursion closure without linked URS-16 deviation in terminal status per DEC-25-07 |
| `ENV_AUTHORITY_REQUIRED` | 422 | Authority Profile missing |
| `ENV_HITL_DECISION_REQUIRED` | 422 | HITL decision capture missing |
| `ENV_E_SIGNATURE_REQUIRED` | 422 | Bound e-signature persistence missing |
| `ENV_RESULT_REVIEWER_SOD_VIOLATION` | 422 | Result reviewer = result recorder |
| `ENV_RESULT_APPROVER_SOD_VIOLATION` | 422 | Result approver = result reviewer |
| `ENV_REASON_FOR_CHANGE_REQUIRED` | 422 | Material update after draft without reason-for-change |
| `ENV_REOPEN_AUTHORITY_REQUIRED` | 422 | Reopen attempted without executive + QP co-sign per DEC-25-22 |
| `ENV_CONTEXT_FILTER_MISMATCH` | 422 | Query against context column not present in schema |
| `ENV_INTERNAL` | 500 | Sanitized server error |

### 6.8 Configuration rules

- Trend dataset refresh schedule (default daily) configurable per tenant.
- ISO 14644-1 grade enumerations and EU GMP Annex 1 grade alignment configured at platform level.
- LIMS source enumerations configured at platform level.

---

## 7. Non-functional Requirements

- NFR-25-01: List pagination (default 50, max 200).
- NFR-25-02: List p95 < 800ms (1M results, 100k excursions per tenant).
- NFR-25-03: Result-capture p95 < 600ms including auto-evaluation + auto-excursion.
- NFR-25-04: LIMS-import batch p95 < 60s for 1000-row payload with idempotency check.
- NFR-25-05: Trend-dataset refresh p95 < 30s per dataset.
- NFR-25-06: Audit-trail append p99 < 200ms.
- NFR-25-07: Concurrent EM analysts per tenant: 50.
- NFR-25-08: Storage scalability: 10M results per tenant; 1M excursions per tenant.
- NFR-25-09: Backup / restore RPO ≤ 15 min; RTO ≤ 4 hours per URS-35.
- NFR-25-10: Bound e-signature persistence transaction p95 < 1.5s.

---

## 8. Localization

English (en-US, en-GB), Hindi (hi-IN), Marathi (mr-IN), Japanese (ja-JP) at launch.

---

## 9. Migration

### 9.1 Migration scope

Greenfield at launch.

### 9.2 Schema migration

Migration 034 baseline; target migrations (035+) reconcile `study_id` NOT NULL on `em_sampling_schedules` and `em_alert_limits`, remove denormalized `sample_location_ids` per DEC-25-03, add `em_alert_limits` lifecycle columns + e-signature FK per DEC-25-04, wire `em_results` review/approval columns to controlled flow per DEC-25-06, add `em_excursions.linked_deviation_id` FK to URS-16 per DEC-25-07, add UNIQUE `(tenant_id, lims_source, lims_result_id)` on `em_results` per DEC-25-08, add `em_lims_reconciliation_log` table per DEC-25-08, add `em_trend_datasets` table with formula_version + immutable-snapshot semantics per DEC-25-09, add `em_program_locks` table with reopen columns per DEC-25-22, reconcile `MODULE_CONTEXT_CONFIG.environmental` with persisted schema (no `site_id` reference) per DEC-25-02.

### 9.3 Migration evidence gate (URS-25-VAL-008)

(a) all migrations applied; (b) RLS verified; (c) typed schema validation verified; (d) `study_id` NOT NULL reconciliation verified; (e) `sample_location_ids` deprecation verified; (f) limit controlled lifecycle + URS-13 CR linkage verified; (g) result auto-evaluation + auto-excursion verified; (h) result review/approval bound e-signature verified; (i) excursion closure non-bypassable gating verified; (j) LIMS-import idempotency + reconciliation verified; (k) trend dataset generation governance verified; (l) frontend route surface alignment verified; (m) cross-module event emission verified (URS-13, URS-16 primary, URS-18, URS-19, URS-21, URS-23, URS-24, URS-26); (n) audit-trail coverage on every mutation verified; (o) governed reopen append-only verified; (p) §17 validation evidence pack signed.

---

## 10. Decommissioning

Module 25 records subject to platform record-retention policy: retained for the longer of (a) 30 years from program lock (FDA 21 CFR §211.180) or (b) 50 years from product expiry (EU GMP). On tenant decommissioning, records exported per URS-35.

---

## 11. Decisions, Dependencies, Risks, and Error Handling
### 11.1 Closed decision posture

**No Module 25 internal decisions outstanding.** Launch decisions are captured in the locked decisions above.

### 11.2 External dependencies

- URS-13 change-control register must support `schedule_release_change_request_id` and `limit_release_change_request_id` linkage per DEC-25-19.
- URS-16 deviations register must accept `em_excursion_deviation` source type and `em_excursion_id` reference per DEC-25-17.
- URS-18 CAPA register must accept `em_excursion` source type per DEC-25-16.
- URS-21 findings register must accept `em_finding` source type per DEC-25-15.
- URS-19 risk register must accept `em_risk` source type per DEC-25-18.
- URS-23 batch-record release-decision input must consume cleanroom EM evidence.
- URS-24 stability must consume chamber EM evidence.
- URS-26 APQR must consume `em_trend_datasets`.
- URS-32 MIRA AI must support read-only `useMiraRecord('em_schedule',.)`, `useMiraRecord('em_result',.)`, `useMiraRecord('em_excursion',.)` mappings; **no GenAI in critical EM decisions**.

### 11.3 Risks

- Risk-25-01: LIMS payloads from vendors that do not provide `lims_result_id` may collide on hash-based dedupe. Mitigation: server-computed hash combines `(tenant_id, lims_source, location_id, sample_type, sampled_at, value)` for idempotency fallback.
- Risk-25-02: Trend-dataset generation may be expensive on large tenants. Mitigation: NFR-25-05 latency budget; partial-period incremental refresh; off-peak schedule.
- Risk-25-03: Excursion-closure gating to URS-16 deviation closure may extend close cycles. Mitigation: clear UX language; URS-16 SLA visibility; escalation path for delayed deviations.
- Risk-25-04: Reopen workflow gravity (executive + QP co-sign) may delay urgent inspection responses. Mitigation: documented reopen SLA.

### 11.4 Out-of-scope risks tracked elsewhere

- Direct cleanroom DCS / SCADA / BMS integration (URS-33 future-state).
- Vendor-specific LIMS API connectors (future-state).
- Cleanroom HVAC qualification register (URS-33).

### 11.5 Risk owner

Module-25 risk register owned by Quality / EM Squad with quarterly review by QA Head + Manufacturing Head + Microbiology Lead + Validation Head + Qualified Person Authority.

### 11.6 Decision discipline

No Module 25 internal decisions outstanding.

### 11.7 Error Handling and Negative Paths

This section defines the controlled error envelope, the enumerated machine-code catalogue, and the negative-path response contract required for this module. The error envelope is the standard platform envelope (human message, machine code in upper-snake-case, optional structured details, correlation identifier). Errors are returned with the appropriate HTTP status; the UI surfaces inline errors at the field of cause where applicable, otherwise a controlled error toast or modal. Every error path is logged to the URS-06 audit substrate when the originating action is regulated; errors that occur before authentication are logged without `userId`. Audit-trail write failure on a state-changing action MUST cause the originating action to NOT commit (atomic write per URS-04 BR-04-15). The enumerated machine codes for this module's negative paths are defined alongside the corresponding lifecycle gates, segregation-of-duties controls, and authority-resolution outcomes throughout §6 (Back-end Requirements) and §13 (Segregation of Duties); engineering MUST surface every enumerated machine code through the standard envelope and MUST NOT swallow errors silently. Cross-module error propagation follows the §20 Cross-Module Event Contract.


---

## 12. Security

- SEC-25-01: Tenant isolation enforced at RLS on every Module 25 table.
- SEC-25-02: RBAC enforced on every route via `requirePermission(.)`.
- SEC-25-03: Authority resolution enforced on regulated final actions before HITL + e-signature.
- SEC-25-04: HITL decision capture enforced before bound e-signature persistence.
- SEC-25-05: Bound e-signature persistence via `electronic_signatures` substrate; signature binding includes user identity, action, resource ID, action timestamp, signature hash, IP, and user agent (per dormant-DB-fields wiring per DEC-25-06).
- SEC-25-06: PII redaction in logs.
- SEC-25-07: Audit-trail integrity via URS-06 hash chain.
- SEC-25-08: AI-request provenance via `ai_requests`; **no LLM/GenAI in critical EM decisions**; static deterministic AI permitted as advisory.
- SEC-25-09: `platform_admin` / `super_admin` break-glass actions logged per DEC-25-20.
- SEC-25-10: LIMS-import payload integrity via `lims_import_hash`; idempotency via `lims_result_id` UNIQUE.
- SEC-25-11: Context-gate filtering enforced on detail reads per DEC-25-02.

---

## 13. Segregation of Duties

| SoD ID | Constraint |
|---|---|
| SoD-25-01 | The schedule releaser MUST NOT be the schedule author when tenant policy requires content-author/releaser separation. |
| SoD-25-02 | The result reviewer MUST NOT be the result recorder. |
| SoD-25-03 | The result approver MUST NOT be the result reviewer. |
| SoD-25-04 | The excursion closer MUST NOT be the excursion investigator (which is anchored in URS-16 deviation lifecycle). |
| SoD-25-05 | The limit releaser MUST NOT be the limit author when tenant policy requires content-author/releaser separation. |
| SoD-25-06 | The reopen co-signers (executive AND Qualified Person per DEC-25-22) MUST NOT be the original close-and-lock signers; reopen append-only semantics enforced. |
| SoD-25-07 | The `platform_admin` / `super_admin` support / break-glass action MUST NOT be a regulated production action; logged and reviewed per DEC-25-20. |

---

## 14. Regulatory Mapping

| Predicate rule | Section | Module 25 binding |
|---|---|---|
| FDA 21 CFR Part 11 | §11.10(a), §11.10(d), §11.10(e), §11.50, §11.70 | URS-25-VAL-008 + bound e-sign on every regulated final action + audit-trail on every mutation |
| FDA 21 CFR Part 211 | §211.42 Design and construction; §211.46 Ventilation/air filtration; §211.84 Testing of components; §211.113 Control of microbiological contamination; §211.180 Records retention | EM cleanroom design context; HVAC evidence; component-batch EM linkage; microbiological control of record |
| EU GMP Annex 11 | §1, §4, §9, §12, §16 | Risk; validation; audit trails; security; incident management |
| **EU GMP Annex 1 (revised 2022, effective 25 August 2023)** | Primary predicate — Manufacture of Sterile Medicinal Products | EM schedule + alert/action limits + grade A/B/C/D + ISO classification + Contamination Control Strategy |
| EU GMP Annex 22 Draft 2025 | §7 — HITL / GenAI prohibition in critical EM decisions | Internal forward-looking control; static deterministic AI only; GenAI prohibited in EM result approval / limit release / excursion classification / closure |
| EU AI Act (Regulation 2024/1689) | Annex III + Art. 13 transparency | Adopted as internal forward-looking AI governance; advisory-labeling |
| MHRA Data Integrity Guidance | ALCOA+ | Audit-trail; bound e-signature; record retention |
| GAMP 5 Cat 5 | Custom-application validation lifecycle | URS-25 validation evidence pack per URS-25-VAL-008 |
| ICH Q9 | Quality Risk Management | EM-precipitated risk emission to URS-19 |
| ICH Q10 §3.2.1 | CAPA system | EM excursion CAPA emission to URS-18 |
| USP <1116> | Microbiological Control and Monitoring of Aseptic Processing Environments | EM monitoring program for aseptic processing |
| USP <797> | Pharmaceutical Compounding — Sterile Preparations | Pharmacy compounding EM |
| ISO 14644-1 | Cleanrooms — Classification of air cleanliness | ISO class assignment on locations |
| ISO 14644-2 | Cleanrooms — Monitoring | EM monitoring frequency + at-rest / in-operation criteria |
| PIC/S PE 009-17 Annex 1 | International harmonization with EU GMP Annex 1 | EM expectations harmonized for PIC/S members |
| WHO TRS Annex 6 | GMP for Sterile Pharmaceutical Products | WHO sterile-products EM expectations |
| India CDSCO Schedule M (Revised) | §11 Sterile Products — Premises; §12 Environmental Conditions | India operations regulatory baseline subject to a future jurisdiction-specific legal assessment |
| India CDSCO Schedule M-III | §3.3 — Medical device sterile manufacture | India medical-device sterile EM subject to a future jurisdiction-specific legal assessment |

---

## 15. Code Modules

| Code module | Path | Status |
|---|---|---|
| `environmental` plugin | `packages/backend/src/modules/environmental/plugin.ts` | (canonical mount) |
| `environmental` routes | `packages/backend/src/modules/environmental/routes.ts` | (typed schemas; route additions per §6.3) |
| `environmental` service | `packages/backend/src/modules/environmental/service.ts` | (auto-evaluation retained; result review/approval added; excursion closure gating; LIMS idempotency; trend governance; audit + reason-for-change) |
| `environmental` schemas | `packages/backend/src/modules/environmental/schemas.ts` | (aligned with migration 034) |
| `environmental` events | `packages/backend/src/modules/environmental/events.ts` | target route |
| Migration 034 | `packages/backend/src/db/migrations/034_environmental_monitoring_tables.sql` | (035+ migrations add limit lifecycle columns, excursion linked_deviation FK, LIMS UNIQUE + reconciliation log, trend dataset table, program locks, context-config alignment, sample_location_ids deprecation) |
| Shared types | `packages/shared/src/types/environmental.ts` | (sample_location_ids removed) |
| Shared schemas | `packages/shared/src/schemas/environmental.schema.ts` | (study_id mandatory) |
| Frontend hooks | `packages/frontend/src/api/hooks/useEnvironmental.ts` | (canonical relative `/environmental/*`) |
| Frontend dashboard | `packages/frontend/src/pages/EnvironmentalDashboard.tsx` | (CTA targets resolve) |
| Frontend detail | `packages/frontend/src/pages/EnvironmentalDetail.tsx` | |
| Frontend schedule console | `packages/frontend/src/pages/EnvironmentalSchedules.tsx` | target route per DEC-25-10 |
| Frontend location console | `packages/frontend/src/pages/EnvironmentalLocations.tsx` | target route per DEC-25-10 |
| Frontend limit console | `packages/frontend/src/pages/EnvironmentalLimits.tsx` | target route per DEC-25-04 / DEC-25-10 |
| Frontend results | `packages/frontend/src/pages/EnvironmentalResults.tsx` | target route per DEC-25-10 |
| Frontend excursion detail | `packages/frontend/src/pages/EnvironmentalExcursionDetail.tsx` | target route per DEC-25-07 / DEC-25-10 |
| Frontend LIMS import | `packages/frontend/src/pages/EnvironmentalLimsImport.tsx` | target route per DEC-25-08 / DEC-25-10 |
| Frontend trend console | `packages/frontend/src/pages/EnvironmentalTrends.tsx` | target route per DEC-25-09 / DEC-25-10 |
| App routing | `packages/frontend/src/App.tsx` | (per DEC-25-10) |

---

## 16. Test Cases

### 16.1 Unit tests

- TC-25-U-001: EM schedule uniqueness `(tenant_id, study_id, schedule_code, version)` rejects duplicate.
- TC-25-U-002: Schedule release without URS-13 CR rejects with `ENV_SCHEDULE_CHANGE_REQUEST_REQUIRED`.
- TC-25-U-003: Effective schedule edit rejects with `ENV_INVALID_TRANSITION`.
- TC-25-U-004: `study_id` null on schedule create rejects with `ENV_VALIDATION_FAILED`.
- TC-25-U-005: `sample_location_ids` denormalized field deprecated — schema rejects with `ENV_VALIDATION_FAILED`.
- TC-25-U-006: Limit release without URS-13 CR rejects with `ENV_LIMIT_CHANGE_REQUEST_REQUIRED`.
- TC-25-U-007: Effective limit edit rejects with `ENV_INVALID_TRANSITION`.
- TC-25-U-008: Result auto-evaluation triggers auto-excursion on action-limit exceedance per DEC-25-05.
- TC-25-U-009: Result review by recorder rejects with `ENV_RESULT_REVIEWER_SOD_VIOLATION`.
- TC-25-U-010: Result approval by reviewer rejects with `ENV_RESULT_APPROVER_SOD_VIOLATION`.
- TC-25-U-011: Excursion closure without linked URS-16 deviation rejects with `ENV_EXCURSION_DEVIATION_REQUIRED`.
- TC-25-U-012: Excursion closure with linked URS-16 deviation in non-terminal status rejects with `ENV_EXCURSION_DEVIATION_REQUIRED`.
- TC-25-U-013: LIMS-import duplicate `lims_result_id` rejects with `ENV_LIMS_DUPLICATE`.
- TC-25-U-014: LIMS-import per-record audit provenance preserved.
- TC-25-U-015: Trend-dataset on-demand refresh persists immutable snapshot.
- TC-25-U-016: Reopen without executive AND QP co-sign rejects with `ENV_REOPEN_AUTHORITY_REQUIRED`.
- TC-25-U-017: Reopen appends new iteration; prior locked evidence not mutated.
- TC-25-U-018: Material update after draft without reason-for-change rejects with `ENV_REASON_FOR_CHANGE_REQUIRED`.
- TC-25-U-019: Context-filter query against `study_id` works correctly post-target-migration.
- TC-25-U-020: `MODULE_CONTEXT_CONFIG.environmental` aligned — query against non-existent column rejects with `ENV_CONTEXT_FILTER_MISMATCH`.

### 16.2 Integration tests

- TC-25-I-001: Full EM schedule draft → effective lifecycle with HITL + e-signature + URS-13 CR linkage.
- TC-25-I-002: Full limit lifecycle `draft → under_review → approved → effective` with HITL + e-signature.
- TC-25-I-003: Result recording with auto-evaluation + auto-excursion creation (out-of-spec) + URS-16 deviation emission.
- TC-25-I-004: Result review + approval with bound e-signature + SoD enforcement.
- TC-25-I-005: Excursion lifecycle `open → under_investigation → linked_to_deviation → closed` with linked URS-16 terminal check.
- TC-25-I-006: LIMS import with idempotency + duplicate rejection + reconciliation log.
- TC-25-I-007: Trend dataset generation on demand + scheduled refresh.
- TC-25-I-008: EU GMP Annex 1 Grade A aseptic processing line per Worked Example 1.
- TC-25-I-009: LIMS import idempotency per Worked Example 2.
- TC-25-I-010: Trend dataset generation per Worked Example 3.
- TC-25-I-011: Governed reopen of locked EM program per Worked Example 4.
- TC-25-I-012: URS-23 batch-record consumes cleanroom EM evidence.
- TC-25-I-013: URS-24 stability consumes chamber EM evidence.
- TC-25-I-014: URS-26 APQR consumes `em_trend_datasets`.
- TC-25-I-015: MIRA copilot read-only context; no MIRA write paths; no GenAI in critical decisions.

### 16.3 End-to-end tests

- TC-25-E-001: Aseptic processing EM program per Worked Example 1.
- TC-25-E-002: LIMS import idempotency per Worked Example 2.
- TC-25-E-003: Trend dataset for APQR per Worked Example 3.
- TC-25-E-004: Governed reopen per Worked Example 4.
- TC-25-E-005: Concurrent EM analysts — 50 users — NFR-25-07 verification.
- TC-25-E-006: India CDSCO Schedule M sterile EM with India predicate-rule citations.

### 16.4 Performance tests

- TC-25-P-001: List p95 latency (NFR-25-02).
- TC-25-P-002: Result-capture p95 latency (NFR-25-03).
- TC-25-P-003: LIMS-import p95 latency (NFR-25-04).
- TC-25-P-004: Trend-refresh p95 latency (NFR-25-05).
- TC-25-P-005: Bound e-signature p95 latency (NFR-25-10).

### 16.5 Security tests

- TC-25-S-001: Cross-tenant access rejected by RLS.
- TC-25-S-002: Missing RBAC rejected.
- TC-25-S-003: Missing Authority Profile rejected on regulated final action.
- TC-25-S-004: Missing HITL rejected.
- TC-25-S-005: Missing bound e-signature rejected.
- TC-25-S-006: SQL injection against typed-schema route rejected.
- TC-25-S-007: Audit-trail UPDATE / DELETE rejected at DB level.
- TC-25-S-008: GenAI write to critical EM decision path rejected.
- TC-25-S-009: PII redaction in logs verified.
- TC-25-S-010: LIMS-import hash tampering detected.

---

## 17. Validation Evidence

### 17.1 URS-25-VAL-001: Requirements traceability matrix

Complete RTM mapping every URS-25 requirement (DEC-25-01.DEC-25-23, BR-25-01.BR-25-22, NFR-25-01.NFR-25-10, SoD-25-01.SoD-25-07, SEC-25-01.SEC-25-11) to test cases (TC-25-U-001.TC-25-U-020, TC-25-I-001.TC-25-I-015, TC-25-E-001.TC-25-E-006, TC-25-P-001.TC-25-P-005, TC-25-S-001.TC-25-S-010) and code modules (§15).

### 17.2 URS-25-VAL-002: Design qualification (DQ)

Architecture, data model, API contract, workflow, business rules, audit trail, security, integration; signed by Validation Head, QA Head, RA Head, Manufacturing Head, Microbiology Lead, Qualified Person Authority.

### 17.3 URS-25-VAL-003: Installation qualification (IQ)

Migration application + RLS verification + route mount verification + frontend hook resolution + frontend route surface verification.

### 17.4 URS-25-VAL-004: Operational qualification (OQ)

Happy-path execution of every test case with evidence captures.

### 17.5 URS-25-VAL-005: Performance qualification (PQ)

NFR-25-01.NFR-25-10 verification.

### 17.6 URS-25-VAL-006: AI/ML governance evidence

Per ARCH-AI-001: (a) MIRA read-only context integration; (b) static-deterministic-AI advisory surfaces; (c) **GenAI/LLM prohibition in EM result approval / limit release / excursion classification / closure decisions** verification; (d) Annex 22 §7 + EU AI Act Annex III internal forward-looking control compliance evidence.

### 17.7 URS-25-VAL-007: Regulatory mapping evidence

FDA 21 CFR Part 11 + 211 (§42, §46, §84, §113, §180), EU GMP Annex 11, **EU GMP Annex 1 (2022)** primary predicate, Annex 22 Draft 2025 §7, EU AI Act Art. 13 / Annex III, MHRA Data Integrity (ALCOA+), GAMP 5 Cat 5, ICH Q9, ICH Q10 §3.2.1, USP <1116>, USP <797>, ISO 14644-1, ISO 14644-2, PIC/S PE 009-17 Annex 1, WHO TRS Annex 6, India CDSCO Schedule M (Revised) §11 / §12 / Schedule M-III §3.3.

### 17.8 URS-25-VAL-008: Migration evidence gate

Per §9.3.

### 17.9 URS-25-VAL-009: Signature manifest

QA Head, RA Head, Validation Head, Manufacturing Head, Microbiology Lead, Qualified Person Authority, Information Security Head, Site Quality Lead, Founder / Chairman & MD per §19.

### 17.10 URS-25-VAL-010: Post-launch periodic-review pack

(a) EM metrics (results per tenant, excursion rate, alert/action exceedance rate); (b) AI-quality (advisory acceptance rate); (c) audit-trail integrity; (d) reopen-event audit; (e) cross-tenant break-glass audit; (f) cross-module event integrity (URS-13, URS-16, URS-18, URS-19, URS-21, URS-23, URS-24, URS-26); (g) LIMS-import reconciliation summary; (h) trend dataset accuracy; periodic review at quarterly cadence by QA Head + Manufacturing Head + Microbiology Lead + Validation Head + Qualified Person Authority.

---

## 18. Document Change History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-05-07 | Founder Doctrine — Verixa URS Cell | First issued user requirements specification for Module 25. |

---

## 19. Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Founder / Chairman & MD | Vimal | __________ | __________ |
| QA Head | __________ | __________ | __________ |
| RA Head | __________ | __________ | __________ |
| Validation Head | __________ | __________ | __________ |
| Manufacturing Head | __________ | __________ | __________ |
| Microbiology Lead | __________ | __________ | __________ |
| Qualified Person Authority | __________ | __________ | __________ |
| Information Security Head | __________ | __________ | __________ |
| Site Quality Lead | __________ | __________ | __________ |

---

## 20. Cross-Module Event Contract

| Event | Emitter | Consumer | Payload key fields |
|---|---|---|---|
| `em_schedule_created` | Module 25 | URS-30 | `schedule_id`, `tenant_id`, `study_id`, `version` |
| `em_schedule_released_effective` | Module 25 | URS-30, URS-13 (audit) | `schedule_id`, `change_request_id`, `released_by`, `e_signature_id` |
| `em_location_added` | Module 25 | URS-30 | `location_id`, `schedule_id`, `grade`, `iso_class` |
| `em_alert_limit_proposed` | Module 25 | URS-30 | `limit_id`, `location_id`, `sample_type` |
| `em_alert_limit_approved` | Module 25 | URS-30 | `limit_id`, `approved_by`, `e_signature_id` |
| `em_alert_limit_effective` | Module 25 | URS-30, URS-13 (audit) | `limit_id`, `change_request_id`, `released_by`, `e_signature_id` |
| `em_result_recorded` | Module 25 | URS-30 | `result_id`, `location_id`, `is_alert_exceeded`, `is_action_exceeded`, `is_spec_exceeded`, `recorded_by` |
| `em_result_reviewed` | Module 25 | URS-30 | `result_id`, `reviewed_by`, `review_e_signature_id` |
| `em_result_approved` | Module 25 | URS-30, URS-23 (cleanroom EM consumer), URS-24 (chamber EM consumer) | `result_id`, `approved_by`, `approval_e_signature_id` |
| `em_excursion_created` | Module 25 | URS-30 | `excursion_id`, `result_id`, `excursion_severity` |
| `em_excursion_deviation_created` | Module 25 | **URS-16 (Deviations — primary consumer)**, URS-30 | `excursion_id`, `deviation_id` (URS-16), `severity` |
| `em_excursion_capa_linked` | Module 25 | **URS-18 (CAPA — primary consumer)**, URS-30 | `excursion_id`, `capa_id`, `linked_by`, `source_type = em_excursion` |
| `em_excursion_investigation_linked` | Module 25 | URS-30 | `excursion_id`, `investigation_id` |
| `em_excursion_closed` | Module 25 | URS-30 | `excursion_id`, `closed_by`, `closure_e_signature_id`, `linked_deviation_id` |
| `em_lims_imported` | Module 25 | URS-30 | `sync_log_id`, `inserted_count`, `duplicates_rejected_count`, `errors_count` |
| `em_lims_reconciliation_logged` | Module 25 | URS-30 | `reconciliation_id`, `import_status`, `lims_result_id` |
| `em_trend_dataset_refreshed` | Module 25 | URS-26 (APQR), URS-30 | `dataset_id`, `study_id`, `period_start`, `period_end`, `formula_version` |
| `em_program_locked` | Module 25 | URS-30 | `program_lock_id`, `study_id`, `period_start`, `period_end`, `locked_by`, `lock_e_signature_id` |
| `em_program_reopened` | Module 25 | URS-30, URS-21 (governed-reopen audit) | `program_lock_id`, `reopened_by`, `executive_co_signer`, `qp_co_signer`, `reopen_reason` |
| `em_finding_created` | Module 25 | **URS-21 (Findings — primary consumer)**, URS-30 | `finding_id` (URS-21), `severity`, `finding_type` |
| `em_risk_created` | Module 25 | **URS-19 (Risk — primary consumer)**, URS-30 | `risk_id` (URS-19), `risk_pattern_type` |

---

## 21. References

- ARCH-AI-001 — AI Optionality and Manual Continuity (binding architecture)
- VRX-SPEC-URS-025-Environmental-Monitoring.md (Module specification)
- URS-01.URS-24, URS-26.URS-35 (cross-module contracts)
- FDA 21 CFR Part 11
- FDA 21 CFR Part 211 §211.42 / §211.46 / §211.84 / §211.113 / §211.180
- **EU GMP Annex 1 (revised 2022, effective 25 August 2023)** — primary predicate
- EU GMP Annex 11 (Computerised Systems)
- EU GMP Annex 22 (Draft 2025) §7 — internal forward-looking control
- EU AI Act (Regulation 2024/1689) Art. 13 / Annex III — internal forward-looking control
- MHRA Data Integrity Guidance (2018) — ALCOA+
- GAMP 5 Cat 5 — Custom-application validation lifecycle
- ICH Q9 (Quality Risk Management)
- ICH Q10 §3.2.1 (CAPA)
- USP <1116> Microbiological Control and Monitoring of Aseptic Processing Environments
- USP <797> Pharmaceutical Compounding — Sterile Preparations
- ISO 14644-1 (Cleanrooms — Classification of air cleanliness)
- ISO 14644-2 (Cleanrooms — Monitoring)
- PIC/S PE 009-17 Annex 1
- WHO TRS Annex 6 — GMP for Sterile Pharmaceutical Products
- India CDSCO Schedule M (Revised) §11 / §12
- India CDSCO Schedule M-III §3.3

---

**END OF VRX-URS-25 — ENVIRONMENTAL MONITORING — VERSION 1.0**
