# Verixa — User Requirements Specification

# Module 27: Regulatory Intelligence and Submission Governance

| Field | Value |
|---|---|
| Document ID | VRX-URS-27 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs (Primary Owner), Information Security, Manufacturing Head, Site Quality Lead, Qualified Person Authority, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-27-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `regulatory`, expected API mounts `/api/v1/regulatory/*` (canonical), expected supporting modules `inspection` (URS-22 boundary), `context-filter`, `rbac`, `audit-log`, `authority`, `electronic_signatures`, `hitl`, `documents`, `notifications`, `ai_requests`, expected event-bus emission for `regulatory_feed_created`, `regulatory_feed_synced`, `regulatory_feed_item_ingested`, `regulatory_feed_item_archived`, `regulatory_submission_created`, `regulatory_submission_status_changed`, `regulatory_submission_approved`, `regulatory_submission_rejected`, `regulatory_submission_withdrawn`, `regulatory_submission_locked`, `regulatory_submission_reopened`, `regulatory_milestone_created`, `regulatory_milestone_completed`, `regulatory_commitment_created`, `regulatory_commitment_due_soon`, `regulatory_commitment_overdue`, `regulatory_commitment_fulfilled`, `regulatory_commitment_capa_linked`, `regulatory_calendar_event_created`, `regulatory_calendar_event_completed`, `regulatory_inspection_record_created`, `regulatory_observation_added`, `regulatory_observation_resolved`, `regulatory_ai_summary_proposed`, `regulatory_ai_summary_accepted`, expected MIRA context integration through `useMiraRecord('regulatory_feed', id)`, `useMiraRecord('regulatory_feed_item', id)`, `useMiraRecord('regulatory_submission', id)`, `useMiraRecord('regulatory_commitment', id)`, and `useMiraRecord('regulatory_inspection_record', id)` mappings, expected URS-13 change-control linkage for regulatory-precipitated change requests, expected URS-18 CAPA linkage for commitment→CAPA implementation, expected URS-21 findings emission for regulatory observations / overdue commitments / submission approval gate findings, expected URS-22 Inspection Mgmt **boundary integration** (URS-22 owns inspection-readiness execution; this URS owns external regulatory inspection-record artifacts and regulatory observations per DEC-27-09), expected URS-12 Document Control predicate-rule citation registry consumer, expected URS-26 APQR consumer for regulatory feed items in periodic review, expected URS-30 Notifications for commitment due-soon / overdue alerting, expected Authority Profile + HITL + e-signature integration for non-bypassable submission approval / commitment fulfillment / inspection observation closure / lock / reopen, expected platform_admin / super_admin support / break-glass only paths. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity**. Verixa internally classifies this AI surface as **limited-risk under internal AI governance**, aligned with the limited-risk transparency approach in **EU AI Act (Regulation 2024/1689) Article 13**, escalating to **internal forward-looking AI governance aligned with EU AI Act Annex III concepts** where AI output supports a regulatory submission decision, an inspection preparation, or a compliance-status disposition. The **FDA Draft Guidance (January 2025) — Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products** is treated as an internal forward-looking advisory predicate. AI-assisted regulatory-intelligence surfaces (AI regulatory summarization of feed items, AI impact analysis on URS-13 change requests, AI inspection-preparation copilot, AI submission-package draft, AI commitment-tracker suggestion, MIRA regulatory copilot) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles. Every AI surface shall provide a fully functional manual summarization, impact-analysis, drafting, and tracking path; regulatory record creation, change analysis, submission packaging, commitment tracking, review, and approval shall be executable when AI services are disabled, degraded, or overridden by the regulatory affairs owner. **AI-generated summaries and recommendations shall be visibly labeled as advisory; no AI service shall be the sole path to finalize a regulatory submission, dispose a compliance commitment, or sign an inspection-observation closure.** This module binds ARCH-AI-001 AC-1, AC-2, AC-3, AC-4, and AC-7. Verixa treats **EU GMP Annex 22 Draft 2025 §7** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, generative AI may draft advisory summaries and impact-analysis text only with mandatory human acceptance recorded in `regulatory_ai_summaries` provenance; generative / probabilistic AI is **PROHIBITED from being the sole path to approve a regulatory submission, dispose a compliance commitment, sign an inspection-observation closure, or finalize regulatory-observation resolution**. Static deterministic AI may surface predicate-rule citations from the URS-12 document registry, similar prior submissions, and historical inspection-observation patterns as advisory help. Jurisdiction-specific legal enforceability of Annex 22, the EU AI Act, and the FDA AI Draft Guidance remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical Regulatory Intelligence registry covering: (a) the regulatory-feed registry with controlled feed lifecycle (`draft → active → suspended → archived`) and **synchronization governance with explicit sync workflow + provenance** per DEC-27-03; (b) the regulatory-feed-item registry with **ingest provenance, deduplication, archival, and item-level audit-trail emission** per DEC-27-04; (c) the regulatory-submission registry covering NDA / IND / ANDA / BLA / MAA / CTD / IMPD / Type II Variations / DMF / Field Alert Reports / Adverse Event submissions to FDA / EMA / MHRA / Health Canada / CDSCO / PMDA, with **controlled lifecycle (`draft → in_progress → under_review → submitted → under_agency_review → approved | rejected | withdrawn → locked`) and terminal-state patch-bypass prevention** per DEC-27-05; (d) the submission-milestone registry with **completion authorization + reason-for-change discipline** per DEC-27-06; (e) the regulatory-commitment registry with **non-bypassable fulfillment governance + reminder/escalation engine + due-soon/overdue alerting + commitment-CAPA linkage to URS-18** per DEC-27-07; (f) the regulatory-calendar-event registry with **completion criteria governance + linked-record requirement** per DEC-27-08; (g) the regulatory-inspection-record registry **scoped to external-agency artifact only with explicit boundary against URS-22 inspection-readiness** per DEC-27-09; (h) the regulatory-observation registry with **controlled response/closure workflow + audit-trail emission on creation** per DEC-27-09; (i) the multi-dimensional context capture (`tenant_id` mandatory, `study_id` optional, `product_id` optional, `health_authority` mandatory, `site_id` optional inherited via `studies`); (j) the canonical API contract `/api/v1/regulatory/*`; (k) the typed schema validation across every route; (l) the controlled frontend route surface with explicit page coverage for `/regulatory/submissions`, `/regulatory/commitments`, `/regulatory/feeds`, `/regulatory/calendar`, `/regulatory/inspection-records`; (m) the audit-trail coverage with reason-for-change discipline on every mutable record, including the previously-missing `addFeedItem` and `addObservation` paths per DEC-27-11; (n) the Authority/HITL/e-signature substrate on every regulated final action per DEC-27-10; (o) the context model with tenant-wide visibility default + optional study/product narrowing per DEC-27-12; (p) the post-locked record immutability across the submission header and linked observations; (q) the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-27-22; (r) the canonical findings-source emission to URS-21 per DEC-27-15; (s) the canonical CAPA-source emission to URS-18 with `regulatory_commitment` source type per DEC-27-16; (t) the URS-12 Document Control predicate-rule citation registry consumer (predicate-rule citations are stored in URS-12 and consumed across modules via this module's intelligence layer); (u) the URS-22 Inspection Mgmt boundary integration; (v) the URS-26 APQR consumer for periodic regulatory review; (w) the AI-assisted summary substrate with **provenance + mandatory human acceptance** per DEC-27-13 (, ARCH-AI-001 binding); (x) the MIRA copilot read-only context integration on regulatory records, and the per-jurisdictional regulatory expectations under FDA 21 CFR Part 11, FDA 21 CFR Part 314 (NDA/ANDA), FDA 21 CFR Part 312 (IND), FDA 21 CFR Part 600 / 601 (BLA), FDA 21 CFR Part 803 (Medical Device Reports), FDA 21 CFR Part 314.81 (Field Alert Reports), FDA 21 CFR Part 314.80 (Adverse Drug Experience Reports), FDA 21 CFR Part 11, FDA Draft Guidance (January 2025) AI for Regulatory Decision-Making (internal forward-looking advisory predicate), EU GMP Annex 11, EU GMP Chapter 1, EU GMP Annex 22 Draft 2025 §7 (internal forward-looking control), EU AI Act (Regulation 2024/1689) Art. 13 / Annex III (internal forward-looking control), EU Directive 2001/83/EC (Marketing Authorisation), EU Variation Regulation (EC) No 1234/2008, MHRA Data Integrity Guidance (ALCOA+), GAMP 5 Cat 5, ICH M4 (Common Technical Document), ICH E2B(R3) (ICSR Reporting), ICH E6(R3) (GCP), ICH Q12 (Lifecycle Management), and India CDSCO NDCT 2019 §27 / Schedule Y / D&C Act 1940 / Drugs Rules 1945 / Schedule M (Revised) §17 / Medical Devices Rules 2017 subject to a future jurisdiction-specific legal assessment for Verixa's exact CDSCO obligations. |
| Date of Issue | 2026-05-07 |
| Module Owner (Engineering) | Quality / Regulatory Intelligence Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — Regulatory Intelligence |
| Module Owner (Compliance) | Regulatory Affairs (Primary Owner), Quality Assurance, Manufacturing, Qualified Person Authority |
| Approving Authority | Founder / Chairman & MD; QA Head; RA Head (Primary Owner); Manufacturing Head; Validation Head; Information Security Head; Qualified Person (QP) Authority; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Regulatory Intelligence and Submission Governance module (Module 27). It is the binding contract between product, engineering, quality validation, regulatory affairs (primary owner), manufacturing, the Qualified Person authority, distribution, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated regulatory-intelligence substrate: the canonical regulatory-feed registry with controlled feed lifecycle and synchronization governance per DEC-27-03; the regulatory-feed-item registry with ingest provenance, deduplication, archival, and item-level audit-trail emission per DEC-27-04; the regulatory-submission registry with controlled lifecycle (`draft → in_progress → under_review → submitted → under_agency_review → approved | rejected | withdrawn → locked`) and terminal-state patch-bypass prevention per DEC-27-05; the submission-milestone registry per DEC-27-06; the regulatory-commitment registry with non-bypassable fulfillment governance, reminder/escalation engine, due-soon/overdue alerting, and CAPA linkage per DEC-27-07; the regulatory-calendar-event registry per DEC-27-08; the regulatory-inspection-record registry **scoped to external-agency artifact only** with explicit boundary against URS-22 inspection-readiness per DEC-27-09; the regulatory-observation registry with controlled response/closure workflow per DEC-27-09; the multi-dimensional context capture; the canonical API contract `/api/v1/regulatory/*`; the typed schema validation across every route; the controlled frontend route surface with explicit page coverage; the audit-trail coverage with reason-for-change discipline; the Authority/HITL/e-signature substrate on every regulated final action per DEC-27-10; the context model with tenant-wide visibility default + optional study/product narrowing per DEC-27-12; the post-locked record immutability; the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-27-22; the canonical findings emission to URS-21 per DEC-27-15; the canonical CAPA emission to URS-18 (`regulatory_commitment` source type) per DEC-27-16; the URS-13 change-control linkage; the URS-12 Document Control predicate-rule citation consumer; the URS-22 Inspection boundary integration; the URS-26 APQR consumer; the AI-assisted summary substrate with provenance and mandatory human acceptance per DEC-27-13; the MIRA copilot read-only context integration with **AI advisory only — never the sole path to approve a submission, dispose a commitment, sign an observation closure, or finalize observation resolution** under the internal Annex 22 §7 + EU AI Act Annex III + FDA AI Draft Guidance (January 2025) controls; the audit trail coverage with reason-for-change discipline; and the per-jurisdictional regulatory expectations. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, RA (primary), Manufacturing, Qualified Person Authority, Distribution, Validation, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S, PMDA, WHO). The plain-language primer (§0.4) and worked examples (§3.5) make Module 27 accessible to non-domain engineers, product owners, validation engineers, and quality investigators.

### 0.3 Cross-references

- **URS-01** Authentication, Session & Access Control — identity envelope for every regulatory mutation
- **URS-02** RBAC & Permissions — the `regulatory:*`, `regulatory:feed:*`, `regulatory:submission:*`, `regulatory:commitment:*`, `regulatory:calendar:*`, `regulatory:inspection_record:*`, `regulatory:observation:*`, `regulatory:ai_summary:*` permission set
- **URS-03** Context Gate & Approval Scope — context-gate enforcement for regulatory scope dimensions per DEC-27-12
- **URS-04** Workflow / HITL / E-Signature / Approval Authority — Controlled Approval Modal contract for submission approval / commitment fulfillment / observation closure / lock / reopen
- **URS-05** Authority Profile / Delegation / SoD — Authority Profiles consumed (`regulatory_author_authority`, `regulatory_review_authority`, `regulatory_submission_approver_authority`, `regulatory_commitment_owner_authority`, `regulatory_commitment_fulfillment_authority`, `regulatory_observation_closure_authority`, `qualified_person_authority`, `final_quality_approver`, `executive_authority`)
- **URS-06** Audit Trail / Hash Chain / Tamper-Evident — append-only audit substrate
- **URS-07** Study Management — optional study-scope dimension
- **URS-08** Tenant Management Lifecycle — tenant context for regulatory records
- **URS-09** Site / Facility Management — site-scope inherited via `studies` parent (where study-bound)
- **URS-10** Product / SKU / Drug Master Data — optional product-scope dimension
- **URS-11** Supplier Management — supplier linkage for supplier-related variations
- **URS-12** Document Control / SOP — **primary linkage**: predicate-rule citations stored in URS-12; submission packages linked to controlled documents
- **URS-13** Change Control — primary downstream consumer for regulatory-precipitated change requests; AI impact analysis advisory only
- **URS-14** Complaints — complaint-driven regulatory submission consumer (Field Alert Reports, ADRs)
- **URS-15** OOS / OOT — OOS-precipitated regulatory submission consumer
- **URS-16** Deviations — deviation-precipitated regulatory submission consumer
- **URS-17** RCA — RCA evidence for regulatory submissions
- **URS-18** CAPA — primary downstream consumer for regulatory-commitment→CAPA implementation per DEC-27-16
- **URS-19** Risk Assessment — risk evidence for regulatory submissions
- **URS-20** Reviews — periodic review consumer
- **URS-21** Findings — primary downstream consumer for regulatory findings (overdue commitments, submission gate findings, observation findings) per DEC-27-15
- **URS-22** Inspection Mgmt — **boundary partner**: URS-22 owns inspection-readiness execution (calendars, mock drills, back-room queues, deficiency responses); URS-27 owns external-agency regulatory inspection-record artifacts and regulatory observations per DEC-27-09; cross-boundary linkage via `inspection_calendar_id` (optional) on `regulatory_inspection_records`
- **URS-23** Batch Records — batch-evidence consumer for submissions
- **URS-24** Stability — stability-evidence consumer for submissions
- **URS-25** Environmental Monitoring — EM evidence consumer for submissions
- **URS-26** APQR — read-only consumer of regulatory feed items + commitments + submissions for periodic review
- **URS-28** Training — training-evidence consumer for personnel competency in regulatory submissions
- **URS-30** Notifications — primary consumer of `regulatory_commitment_due_soon` / `regulatory_commitment_overdue` events per DEC-27-07
- **URS-31** DQG — data-quality gate evidence
- **URS-32** MIRA AI — read-only MIRA copilot context integration; AI advisory drafting only with mandatory human acceptance per DEC-27-13
- **URS-33** GMP Manufacturing — GMP context for variation submissions
- **URS-34** GDP Distribution — distribution context for distribution-related submissions
- **URS-35** Infrastructure / Backup-Restore — operational continuity

### 0.4 Plain-language primer

In a regulated pharmaceutical operation, **regulatory intelligence and submission governance** is the cross-functional system that (1) monitors and ingests regulatory updates from health authorities (FDA, EMA, MHRA, Health Canada, CDSCO, PMDA, WHO) and predicate-rule sources (21 CFR Parts 11/210/211/312/314/600/601/803, EU GMP Chapters / Annexes, ICH guidelines, India CDSCO Schedule M / Schedule Y / NDCT 2019), (2) manages the lifecycle of regulatory submissions to those health authorities (NDA, IND, ANDA, BLA, MAA, CTD, IMPD, Type II Variations, DMF, Field Alert Reports, ADR / ICSR submissions), (3) tracks regulatory commitments made to the agency (e.g., post-marketing requirements, post-approval studies, stability commitments, CAPA commitments, RTQ — request to query), (4) maintains the regulatory calendar (submission deadlines, agency response deadlines, commitment due dates, inspection windows), (5) records external-agency inspection records and observations (FDA Form 483, EU GMP inspection reports, MHRA inspection reports, CDSCO inspection reports — distinct from the URS-22 inspection-readiness module which manages internal preparation), and (6) feeds predicate-rule citations into URS-12 Document Control for use across modules. Module 27 is the target specification for this regulated workflow.

The most common mistake in regulated regulatory-submission handling is **direct status patch bypassing the controlled approval workflow**. The regulator's tell-tale at inspection is a regulatory submission with `status = approved` or `status = withdrawn` and no corresponding signed approval evidence. Module 27 enforces the pathway: terminal-state patch-bypass is prevented per DEC-27-05; submission approval requires `regulatory_submission_approver_authority` + HITL + bound e-signature per DEC-27-10; submission withdrawal requires the same controlled ceremony plus reason-for-change captured in audit. The second most common mistake is **commitment overdue without escalation** — health authority commitments that pass their due date without action are existential business risks. Module 27 enforces the pathway: the reminder/escalation engine emits `regulatory_commitment_due_soon` (configurable lead time, default 30 / 14 / 7 days) and `regulatory_commitment_overdue` events consumed by URS-30 Notifications and URS-21 Findings per DEC-27-07.

The third most common mistake is **regulatory-inspection-record duplication with URS-22 inspection-readiness**. The boundary is clarified per DEC-27-09: URS-22 owns inspection-readiness execution (calendars, mock drills, back-room queues, deficiency responses, commitments, lessons learned); URS-27 owns the external-agency regulatory inspection-record artifact (the immutable record of the agency-issued inspection report — FDA Form 483, EU GMP report, MHRA report, CDSCO report) and the regulatory observations recorded against that report; cross-boundary linkage via `inspection_calendar_id` (optional FK) on `regulatory_inspection_records` ties an external-agency record to the URS-22 inspection-readiness preparation that preceded it.

The **AI-assistance** dimension is critical. Static deterministic AI may surface "predicate-rule citations from URS-12 document registry", "similar prior submissions by submission type / product / agency", or "historical inspection-observation patterns by agency / observation severity" as advisory help; this is permitted under the internal Annex 22 §7 control. **Generative AI (LLMs / MIRA copilot) is PROHIBITED from being the sole path to approve a regulatory submission, dispose a compliance commitment, sign an inspection-observation closure, or finalize regulatory-observation resolution** under the internal Annex 22 §7 + EU AI Act Annex III + FDA Draft Guidance (January 2025) controls. MIRA copilot may draft advisory regulatory summaries, impact-analysis text on URS-13 change requests, submission-package outlines, and commitment-tracker suggestions via the controlled `regulatory_ai_summaries` substructure with full provenance + mandatory human acceptance per DEC-27-13. The qualified human regulatory affairs owner's signed disposition is the system of record.

The **two-step release path** mirrors every other Module: this URS becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-27-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied.

### 0.5 Conventions

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD or MAY.

### 0.6 Glossary

| Term | Definition |
|---|---|
| Regulatory feed | A configured intelligence source (e.g., FDA Drug Safety Communications RSS, EMA News feed, MHRA Updates feed, ICH Working Group bulletin, CDSCO notification feed, PMDA reviewer feedback feed, internal subscription feeds); lifecycle `draft → active → suspended → archived` per DEC-27-03. |
| Feed sync | A controlled synchronization run pulling feed items from the source into Verixa with provenance (`source_url_hash`, `sync_mode` manual / scheduled / on_demand, `last_sync_at`, `last_sync_initiated_by`, `last_sync_outcome`) per DEC-27-03. |
| Feed item | An ingested item from a feed (e.g., a regulatory bulletin, a guidance update, a recall notice); deduplicated by `(tenant_id, feed_id, source_item_hash)` per DEC-27-04. |
| Regulatory submission | An external regulatory submission package (NDA / IND / ANDA / BLA / MAA / CTD / IMPD / Type II Variation / DMF / Field Alert Report / ADR / ICSR / response to deficiency); lifecycle `draft → in_progress → under_review → submitted → under_agency_review → approved | rejected | withdrawn → locked` per DEC-27-05. |
| Submission milestone | A milestone under a submission (e.g., target submission date, agency acknowledgement, agency information request, agency response, approval); completion authorized + reason-for-change discipline per DEC-27-06. |
| Regulatory commitment | A commitment made to a health authority (e.g., post-marketing study, additional stability arm, CAPA commitment, RTQ response); reminder/escalation engine emits due-soon and overdue events per DEC-27-07; commitments may escalate to URS-18 CAPA via `regulatory_commitment_capa_linked` event per DEC-27-16. |
| Calendar event | A regulatory deadline tracker (submission deadline, agency response deadline, commitment due date, inspection window); completion criteria governed per DEC-27-08. |
| Regulatory inspection record | The immutable external-agency-issued inspection-record artifact (FDA Form 483, EU GMP report, MHRA report, CDSCO report) — distinct from URS-22 inspection-readiness execution per DEC-27-09. |
| Regulatory observation | An observation recorded on a regulatory inspection record; controlled response/closure workflow per DEC-27-09. |
| Regulatory AI summary | An advisory AI-generated summary, impact-analysis text, or submission-draft text persisted in `regulatory_ai_summaries` with provenance + mandatory human acceptance per DEC-27-13. |
| Reopen | A governed transition event from `locked → in_progress` requiring `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new iteration without mutating prior locked evidence per DEC-27-22. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface (AC-1, AC-2, AC-3, AC-4, AC-7). |
| Annex 22 | EU GMP Annex 22 (Draft 2025) §7. Verixa treats Annex 22 §7 + EU AI Act high-risk / transparency + FDA Draft Guidance (January 2025) as internal forward-looking AI governance controls unless a jurisdiction-specific legal assessment determines otherwise. Under the internal control, AI may draft advisory summaries with mandatory human acceptance; AI is prohibited from being the sole path to approve a submission, dispose a commitment, sign an observation closure, or finalize observation resolution. Binding predicate-rule obligations remain those listed in §14. |
| MIRA | The platform's read-only AI copilot service; for Module 27 MIRA may propose advisory drafts via `regulatory_ai_summaries`; no MIRA write paths to system-of-record regulatory fields without explicit human confirmation; no AI signs submissions or observation closures. |

### 0.7 Module-27 architectural picture

```mermaid
flowchart TD
 RA[Regulatory Affairs Owner] --> FEED[/Regulatory Feeds — controlled lifecycle + sync provenance/]
 FEED --> ITEM[/Feed Items — dedup + provenance + audit/]
 RA --> SUB[/Regulatory Submissions — controlled lifecycle/]
 SUB --> MS[Milestones — completion authorization + reason-for-change]
 RA --> CMT[/Regulatory Commitments — reminder/escalation/]
 CMT --> CAPA_LINK[Commitment→CAPA via URS-18]
 CMT -. due-soon / overdue events.-> M30[URS-30 Notifications]
 CMT -. overdue findings.-> M21[URS-21 Findings]
 RA --> CAL[/Regulatory Calendar Events/]
 RA --> INSP[/Regulatory Inspection Records — external-agency artifacts only/]
 INSP --> OBS[Regulatory Observations — controlled response/closure]
 INSP -. boundary linkage.-> M22[URS-22 Inspection Readiness]
 AI[MIRA AI Copilot] --> AIS[/Regulatory AI Summaries — advisory + provenance + human acceptance/]
 M12[URS-12 Document Control — predicate-rule citations] -- citation registry --> ALL[All modules]
 M13[URS-13 Change Control] <-- SUB (regulatory-precipitated CR)
 M18[URS-18 CAPA] <-- CMT (commitment_capa_linked)
 M21 <-- INSP / CMT / SUB (regulatory_finding events)
 M14[URS-14 Complaints] --> SUB (Field Alert / ADR)
 M15[URS-15 OOS] --> SUB (OOS-precipitated submission)
 M16[URS-16 Deviations] --> SUB (deviation-precipitated submission)
 M26[URS-26 APQR] <-- ITEM / CMT / SUB (periodic consumer)
 LOCK[Submission Locked] --> SUB
 LOCK -. governed reopen + executive + QP co-sign.-> SUB
```

The platform shall implement: a controlled regulatory-feed registry with synchronization governance per DEC-27-03; a regulatory-feed-item registry with ingest provenance + deduplication + audit-trail emission on creation per DEC-27-04; a controlled regulatory-submission registry with terminal-state patch-bypass prevention per DEC-27-05; a submission-milestone registry per DEC-27-06; a regulatory-commitment registry with reminder/escalation engine + due-soon/overdue alerting + CAPA linkage per DEC-27-07; a regulatory-calendar-event registry per DEC-27-08; a regulatory-inspection-record registry **scoped to external-agency artifact only with boundary against URS-22** per DEC-27-09; a regulatory-observation registry with controlled response/closure workflow per DEC-27-09; multi-dimensional context capture; canonical API contract `/api/v1/regulatory/*`; typed schema validation; controlled frontend route surface with explicit page coverage; audit-trail coverage with reason-for-change discipline including previously-missing `addFeedItem` and `addObservation` paths per DEC-27-11; Authority/HITL/e-signature substrate on every regulated final action per DEC-27-10; tenant-wide visibility default + optional study/product narrowing per DEC-27-12; post-locked record immutability; governed reopen with executive + QP co-sign per DEC-27-22; canonical findings/CAPA emission per DEC-27-15.16; URS-12 / URS-13 / URS-22 / URS-26 integration; AI-assisted summary substrate with provenance and mandatory human acceptance per DEC-27-13; MIRA copilot read-only with advisory drafting only; and per-jurisdictional regulatory expectations.

### 0.8 Locked Launch Controls

| Locked control | Authority | Rationale |
|---|---|---|
| Two-step release path: signature → engineering implementation → validation execution | DEC-27-01 / VAL-008 | Mirrors every other Module. |
| "No Module 27 internal decisions outstanding" | §11.6 | Captured in locked decisions DEC-27-01..DEC-27-23 (§3.2). |
| `platform_admin` / `super_admin` support / break-glass only | DEC-27-20 / SoD-27-07 | Operating-tenant regulatory ownership is the regulated path. |
| Target implementation binding language | Module bindings | URS specifies expected implementation. |
| AI overclaim posture as **internal forward-looking governance** with **GenAI prohibition in approving / disposing / signing-observation-closure / finalizing-observation-resolution** | Architecture Bindings | EU GMP Annex 22 Draft 2025 §7 + EU AI Act Annex III + FDA Draft Guidance (January 2025) treated as internal controls. AI may draft advisory text; AI cannot finalize regulatory disposition. |
| Enumerated error codes | §6.7 | Stable machine-readable error contract. |
| JSON multi-signature evidence as **derived snapshot** | §6.6 | The `electronic_signatures` substrate is the system of record. |
| India CDSCO §17 / Schedule Y / NDCT 2019 §27 row | §14 | India CDSCO regulatory framework captured (subject to a future jurisdiction-specific legal assessment). |
| Version 1.0 posture | Header | First binding version. |
| Canonical API mount `/api/v1/regulatory/*` | DEC-27-01 / REG-001 | Frontend hooks use canonical relative `/regulatory/*`; route comments aligned. |
| Frontend route surface alignment | DEC-27-02 / REG-001 | Routes `/regulatory/submissions`, `/regulatory/commitments`, `/regulatory/feeds`, `/regulatory/calendar`, `/regulatory/inspection-records` declared in `App.tsx`. |
| Boundary with URS-22 Inspection Mgmt clarified | DEC-27-09 / REG-002 | URS-22 owns inspection-readiness execution; URS-27 owns external-agency artifacts. |
| Feed sync workflow + provenance | DEC-27-03 / REG-003 | `last_sync_at` extended with `sync_mode`, `last_sync_initiated_by`, `last_sync_outcome`, `source_url_hash`. |
| Feed-item provenance + dedup + audit-trail emission | DEC-27-04 / REG-004 | `addFeedItem` emits audit-trail; UNIQUE `(tenant_id, feed_id, source_item_hash)`. |
| Submission terminal-state patch-bypass prevention | DEC-27-05 / REG-005 | `updateSubmission` excludes terminal `status` values; controlled lifecycle endpoints required. |
| Submission milestone completion authorization + reason-for-change | DEC-27-06 / REG-006 | Milestone completion uses `regulatory_milestone_authority` + reason-for-change. |
| Commitment fulfillment + reminder/escalation engine + CAPA linkage | DEC-27-07 / REG-007 | Reminder engine emits due-soon (30/14/7 days configurable) + overdue events; commitment→CAPA linkage. |
| Calendar event completion governance | DEC-27-08 / REG-008 | `is_completed` requires explicit completion criteria + audit reason. |
| External-agency inspection record boundary + observation governance | DEC-27-09 / REG-009 | Records and observations scoped to external-agency artifact only; `addObservation` emits audit. |
| Authority/HITL/e-sign on every regulated final action | DEC-27-10 / REG-010 | Submission approval / commitment fulfillment / observation closure / lock / reopen all gated. |
| Audit-trail coverage + reason-for-change discipline | DEC-27-11 / REG-011 | `addFeedItem` and `addObservation` audit gaps closed; reason-for-change required on terminal/reversal transitions. |
| Tenant-wide visibility default + optional study/product narrowing | DEC-27-12 / REG-012 | Module 27 is tenant-wide by default; study/product context filters available where applicable. |
| AI-assisted summary substrate with provenance + mandatory human acceptance (target requirement) | DEC-27-13 / ARCH-AI-001 | `regulatory_ai_summaries` table with model attribution + acceptance e-signature. |
| Bound e-signature persistence on every regulated final action | DEC-27-10 / DEC-27-23 | Submission approval / commitment fulfillment / observation closure / lock / reopen — all carry bound e-signature. |
| Governed reopen pattern (`locked → in_progress`) | DEC-27-22 / SoD-27-06 | Append-only iteration; executive + QP co-sign; does NOT mutate prior locked evidence. |

---

## 1. Scope and Out-of-Scope

### 1.1 In-scope

- The canonical regulatory-feed registry with controlled lifecycle and synchronization governance.
- The regulatory-feed-item registry with ingest provenance, deduplication, archival, and audit-trail emission.
- The regulatory-submission registry with controlled lifecycle and terminal-state patch-bypass prevention.
- The submission-milestone registry with completion authorization and reason-for-change discipline.
- The regulatory-commitment registry with reminder/escalation engine, due-soon/overdue alerting, and CAPA linkage.
- The regulatory-calendar-event registry with completion criteria governance.
- The regulatory-inspection-record registry **scoped to external-agency artifact only**.
- The regulatory-observation registry with controlled response/closure workflow.
- The Authority/HITL/e-signature substrate on every regulated final action.
- The audit-trail coverage with reason-for-change discipline.
- The MIRA copilot read-only context integration (advisory drafting only).
- The AI-assisted summary substrate with provenance and mandatory human acceptance.
- The findings emission to URS-21.
- The CAPA emission to URS-18.
- The change-control linkage to URS-13.
- The URS-12 Document Control predicate-rule citation registry consumer.
- The **boundary integration** with URS-22 Inspection Mgmt.
- The URS-26 APQR consumer integration.
- The governed reopen workflow.
- The per-jurisdictional regulatory expectations.

### 1.2 Out-of-scope

- The CAPA register itself (URS-18) — this URS emits commitment→CAPA events.
- The change-control register itself (URS-13) — this URS emits regulatory-precipitated CR events.
- The findings register itself (URS-21) — this URS emits regulatory-finding events.
- The document-control register itself (URS-12) — predicate-rule citations live in URS-12.
- The MIRA copilot service itself (URS-32).
- **Inspection-readiness execution (calendars, mock drills, back-room queues, deficiency responses, lessons learned)** — owned by URS-22 per DEC-27-09 boundary.
- Direct agency portal integration (FDA ESG, EMA EudraVigilance for ICSR, MHRA portal) — out of scope for v1.0; tracked as future-state.
- Vendor-specific regulatory intelligence connectors (e.g., Cortellis, Reuters Regulatory) — generic feed pattern in scope; vendor connectors are future-state.

---

## 2. Preconditions, Dependencies, Constraints

### 2.1 Operating preconditions

The following preconditions MUST hold for this URS to apply at validation time. Each bullet is a binding precondition; deviations require a controlled exception per URS-13 Change Control.

- The platform's authentication and session substrate (URS-01), RBAC (URS-02), context gate (URS-03), HITL / e-sign (URS-04), Authority Profile registry (URS-05), audit-trail hash-chain (URS-06), document-control (URS-12), change-control (URS-13), CAPA (URS-18), findings (URS-21), inspection (URS-22), APQR (URS-26), notifications (URS-30), and MIRA AI (URS-32) are released and operational at validation time.
- Regulatory affairs owners, submission approvers, commitment owners, observation closure authority, Qualified Person are trained, attributable users with documented authority.
- AI-assisted regulatory surfaces are advisory only; the human regulatory affairs owner's signed disposition is the system of record.
- The tenant operating jurisdiction(s) are configured and applicable predicate rules surface accordingly.

### 2.2 Dependencies

- URS-01.URS-26, URS-28.URS-35 platform contracts.
- The `electronic_signatures` substrate.
- The `authority` substrate.
- The `hitl` substrate.
- The `audit_trail` substrate.
- The `documents` substrate (URS-12 — predicate-rule citation registry).
- The `change_control` substrate (URS-13).
- The `capa` substrate (URS-18).
- The `inspection` substrate (URS-22 — boundary partner).
- The `notifications` substrate (URS-30 — primary consumer of due-soon/overdue events).

### 2.3 Constraints

- The canonical API mount is `/api/v1/regulatory/*`. No frontend hook may use `/api/regulatory/*` (extra `/api`).
- Module 27 is **tenant-wide by default** with optional study/product narrowing per DEC-27-12.
- AI-assisted content is advisory-only; **no AI service finalizes regulatory submission approval, commitment disposition, observation closure, or observation resolution**.
- Generative AI may draft advisory summaries / impact-analysis / submission-package draft text only with mandatory human acceptance.
- Approved / rejected / withdrawn / locked submission states cannot be set via direct PATCH per DEC-27-05.
- Inspection-readiness execution (calendars, mock drills, etc.) is owned by URS-22, NOT this module per DEC-27-09.
- Commitment closure requires fulfillment evidence + bound e-signature per DEC-27-07.

---

## 3. Closed Launch Decisions

### 3.1 Decision register

| Decision ID | Title | Locked decision |
|---|---|---|
| DEC-27-01 | Two-step release path | Module 27 follows the same two-step release path as every other Module. |
| DEC-27-02 | Frontend route surface alignment + canonical API contract | Frontend routes `/regulatory/submissions`, `/regulatory/commitments`, `/regulatory/feeds`, `/regulatory/calendar`, `/regulatory/inspection-records` are declared in `App.tsx`; all hooks in `useRegulatory.ts` use canonical relative `/regulatory/*` paths only; no hook prepends `/api`; route comments aligned to canonical `/api/v1/regulatory`. |
| DEC-27-03 | Feed lifecycle + synchronization governance | Feed lifecycle is `draft → active → suspended → archived`; feed-sync persists `sync_mode` (ENUM `manual` / `scheduled` / `on_demand`), `last_sync_at`, `last_sync_initiated_by`, `last_sync_outcome` (ENUM `success` / `partial` / `failed`), `last_sync_error`, `source_url_hash`; sync workflow has a controlled endpoint `POST /regulatory/feeds/:id/sync`. |
| DEC-27-04 | Feed-item provenance + deduplication + audit-trail emission | Feed items persist `source_item_hash`, `source_url`, `ingested_at`, `ingested_by` (or `ingested_by_system` for scheduled jobs), `ingestion_provenance_json`; UNIQUE `(tenant_id, feed_id, source_item_hash)` enforces deduplication; `addFeedItem` emits explicit audit-trail entry — closing the audit gap identified in REG-011. |
| DEC-27-05 | Submission lifecycle + terminal-state patch-bypass prevention | Submission lifecycle is `draft → in_progress → under_review → submitted → under_agency_review → approved | rejected | withdrawn → locked`; the generic `PATCH /regulatory/submissions/:id` route excludes `status` from allowed-fields; status transitions to `approved` / `rejected` / `withdrawn` / `locked` occur only through controlled lifecycle endpoints with `regulatory_submission_approver_authority` + HITL + bound e-signature per DEC-27-10; submission `version` increments on material update with reason-for-change per DEC-27-11. |
| DEC-27-06 | Submission milestone completion authorization + reason-for-change | Milestone completion requires `regulatory_milestone_authority` + audit reason; reason-for-change required on terminal/reversal transitions; immutable event log distinction maintained between original-due-date and revised-due-date. |
| DEC-27-07 | Commitment fulfillment + reminder/escalation engine + CAPA linkage | Commitment lifecycle is `open → in_progress → under_review → fulfilled → closed`; fulfillment requires `regulatory_commitment_fulfillment_authority` + HITL + bound e-signature + fulfillment evidence; reminder engine emits `regulatory_commitment_due_soon` events at configurable lead times (default 30 / 14 / 7 days before due date) and `regulatory_commitment_overdue` events on due-date passage, both consumed by URS-30 Notifications; overdue commitments emit `regulatory_finding_created` to URS-21 per DEC-27-15; commitments may escalate to URS-18 CAPA via `regulatory_commitment_capa_linked` event per DEC-27-16. |
| DEC-27-08 | Calendar event completion governance | Calendar event `is_completed` requires explicit completion criteria (linked submission milestone OR linked commitment fulfillment OR linked inspection record OR explicit completion authority + reason); generic patch on `is_completed` rejected. |
| DEC-27-09 | External-agency inspection record boundary + observation governance | Regulatory inspection records are scoped to **external-agency artifact only** (FDA Form 483, EU GMP report, MHRA report, CDSCO report); URS-22 Inspection Mgmt owns inspection-readiness execution (calendars, mock drills, back-room queues, deficiency responses, commitments, lessons learned); cross-boundary linkage via optional `inspection_calendar_id` FK on `regulatory_inspection_records` ties an external-agency record to the URS-22 preparation that preceded it; observation creation (`addObservation`) emits explicit audit-trail entry — closing the audit gap identified in REG-011. |
| DEC-27-10 | Authority/HITL/e-sign on every regulated final action | Submission approval / submission rejection / submission withdrawal / submission lock / submission reopen / commitment fulfillment / commitment closure / observation closure / observation resolution all use `withAuthority(.)` + HITL + bound e-signature persisted via `electronic_signatures` substrate. |
| DEC-27-11 | Audit-trail coverage + reason-for-change discipline | Every mutation route emits audit-trail entries including the previously-missing `addFeedItem` and `addObservation` paths; high-risk status changes (terminal-state transitions, reversals, archive, suspension) require structured reason-for-change captured in audit `details` JSON. |
| DEC-27-12 | Context model: tenant-wide default + optional study/product narrowing | Module 27 is tenant-wide by default reflecting cross-product / cross-study regulatory operations; optional `study_id` and `product_id` filters available on submissions / commitments / calendar events / inspection records where applicable; `MODULE_CONTEXT_CONFIG.regulatory` declares both `study_id` and `product_id` filtering (no `site_id` since regulatory is a tenant-wide function). |
| DEC-27-13 | AI-assisted summary substrate with provenance + mandatory human acceptance | `regulatory_ai_summaries` table persists per-summary columns including `summary_type` (ENUM `feed_item_summary` / `submission_impact` / `inspection_observation_pattern` / `commitment_tracker_advice` / `submission_package_draft`), `narrative_text`, `model_id`, `model_version`, `prompt_version`, `confidence`, `citation_snapshot_json`, `proposed_at`, `proposed_by_system`, `accepted_by`, `accepted_at`, `acceptance_e_signature_id`, `accepted_text_immutable`, `rejection_reason`, `status` (ENUM `proposed` / `accepted` / `rejected`); AI-generated text is advisory until accepted; promotion to system-of-record requires explicit human confirmation captured in `acceptance_e_signature_id` (target requirement, ARCH-AI-001 binding, parallel pattern to URS-26 DEC-26-11). |
| DEC-27-14 | Multi-dimensional context model | `tenant_id` mandatory, `study_id` optional, `product_id` optional, `health_authority` mandatory (ENUM `fda` / `ema` / `mhra` / `health_canada` / `cdsco` / `pmda` / `who` / `who_pq` / `internal`), `site_id` optional inherited via `studies` parent. |
| DEC-27-15 | Findings emission to URS-21 | Regulatory findings (overdue commitments, submission approval gate findings, observation findings, inspection-record gaps) emit `regulatory_finding_created` event to URS-21 with `regulatory_intelligence` source type. |
| DEC-27-16 | CAPA emission to URS-18 | Regulatory commitments escalated to CAPA emit `regulatory_commitment_capa_linked` event consumed by URS-18 (`regulatory_commitment` source type per URS-18 declared source set). |
| DEC-27-17 | Change-control linkage to URS-13 | Regulatory-precipitated changes (e.g., from a feed item triggering a guidance change, an agency response requiring a procedural change) emit linkage events to URS-13 change requests; linkage is captured on `regulatory_submissions.linked_change_request_ids`. |
| DEC-27-18 | URS-12 Document Control predicate-rule citation consumer | Predicate-rule citations (e.g., `21 CFR 211.180(e)`, `EU GMP Annex 1 §1`, `ICH Q1A(R2)`) are stored in URS-12 Document Control as controlled-document records; Module 27 consumes this registry and exposes citation lookup APIs (`GET /regulatory/predicate-rules`) for use across modules. |
| DEC-27-19 | URS-22 Inspection Mgmt boundary | Per DEC-27-09. |
| DEC-27-20 | platform_admin / super_admin | `platform_admin` / `super_admin` are support / break-glass only paths. |
| DEC-27-21 | Reason-for-change on material updates | Captured per DEC-27-11. |
| DEC-27-22 | Submission reopen as governed transition | Submission `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new submission iteration without mutating prior locked evidence (consistent with M14.M26 reopen pattern). |
| DEC-27-23 | Bound e-signature on every regulated final action | Submission approval / rejection / withdrawal / lock / reopen / commitment fulfillment / closure / observation closure / observation resolution — all carry bound e-signature persisted via `electronic_signatures` substrate. |

### 3.2 Locked-decision rationale narrative

The decisions above define the binding launch posture for Module 27 v1.0. The most consequential locked controls are: (a) DEC-27-02 locks the canonical API mount, frontend-route, and dashboard-CTA standardization in a single control; (b) DEC-27-05 removes terminal `status` values from generic PATCH and requires controlled submission-lifecycle endpoints; (c) DEC-27-07 introduces a commitment reminder engine emitting due-soon (30/14/7 days configurable) and overdue events to URS-30 Notifications and URS-21 Findings; (d) DEC-27-09 scopes regulatory-inspection-records to external-agency artifacts only and provides optional cross-boundary linkage to URS-22 via `inspection_calendar_id`; (e) DEC-27-10 requires `withAuthority(.)` + HITL + bound e-signature on every regulated final action; (f) DEC-27-11 closes the specific audit-trail requirements in `addFeedItem` and `addObservation`; (g) DEC-27-13 introduces the AI-assisted summary substrate with provenance + mandatory human acceptance, parallel to URS-26 DEC-26-11; (h) DEC-27-22 defines reopen as a governed append-only transition consistent with the Module-14..-26 reopen pattern.

### 3.3 Closed launch decisions: cross-link to items

| Specification item ID | Specification item | Locked decision |
|---|---|---|
| REG-001 | Canonical route + frontend hook + dashboard CTA standardization | DEC-27-02 |
| REG-002 | URS-22 boundary ambiguity | DEC-27-09 / DEC-27-19 |
| REG-003 | Feed sync governance missing | DEC-27-03 |
| REG-004 | Feed-item provenance + dedup missing | DEC-27-04 |
| REG-005 | Submission terminal-state patch bypass | DEC-27-05 |
| REG-006 | Milestone completion authorization missing | DEC-27-06 |
| REG-007 | Commitment escalation engine missing | DEC-27-07 / DEC-27-16 |
| REG-008 | Calendar completion governance thin | DEC-27-08 |
| REG-009 | External-agency artifact boundary missing | DEC-27-09 |
| REG-010 | Authority/HITL/e-sign missing on regulated finals | DEC-27-10 / DEC-27-23 |
| REG-011 | Audit + reason-for-change gaps | DEC-27-11 / DEC-27-21 |
| REG-012 | Context model thin | DEC-27-12 |
| REG-013 | Test evidence missing | §16 + §17 |

### 3.4 Locked-decision authority

Each locked decision is approved by the Founder / Chairman & MD on signature capture in the Document Approval block of this URS (§19). Decisions cannot be unlocked except through controlled URS revision under the URS change-control process and re-approval.

### 3.5 Worked examples

**Worked example 1 — FDA Drug Safety Communication ingest → impact analysis → CR.**
The Regulatory Affairs Owner configures a feed `FEED-FDA-DSC` for FDA Drug Safety Communications RSS in `draft` state; reviews and transitions to `active`. Scheduled sync runs daily; on `2026-08-12` 4 new items are ingested; deduplication via `(tenant_id, feed_id, source_item_hash)` ensures no duplicate insert; each item creates an audit-trail entry per DEC-27-04. One item flags a Drug Safety Communication regarding a class effect on tablets containing Compound P (relevant to Product P-Tabs). MIRA copilot proposes an advisory impact analysis via `regulatory_ai_summaries` with model identifier, model version, prompt version, confidence per DEC-27-13. The Regulatory Affairs Owner accepts the impact analysis (with bound e-signature); the accepted text is locked in `accepted_text_immutable`. The RA Owner opens a URS-13 Change Request `CC-2026-0098` with linkage captured in `regulatory_submissions.linked_change_request_ids` per DEC-27-17.

**Worked example 2 — NDA submission lifecycle.**
The Regulatory Affairs Owner creates an NDA submission `SUB-NDA-PTabs-2026` with `health_authority = fda`, `submission_type = NDA`, `product_id = PROD-PTabs`. Submission enters `draft → in_progress`. Milestones added: target submission date, agency acknowledgement, agency information request, agency response, approval. Submission package compiled (eCTD format). Submission transitions `under_review → submitted` (with `regulatory_submission_approver_authority` + HITL + bound e-sign per DEC-27-10); submitted to FDA ESG (manual upload — direct portal integration is future-state). Status transitions `submitted → under_agency_review`. After 8 months, FDA approval received; status transitions `under_agency_review → approved` (with controlled lifecycle endpoint + bound e-sign); auto-locks 24h later per DEC-27-23. **Direct PATCH attempt to set `status = approved` is rejected with `REG_TERMINAL_STATE_PATCH_FORBIDDEN`** per DEC-27-05.

**Worked example 3 — Post-marketing commitment with reminder/escalation chain.**
At NDA approval, FDA issues 3 post-marketing commitments. The RA Owner creates 3 `regulatory_commitments` records with due dates. The reminder engine schedules: (a) `regulatory_commitment_due_soon` event 30 days before due date → URS-30 Notifications; (b) `regulatory_commitment_due_soon` event 14 days before → escalation to RA Head; (c) `regulatory_commitment_due_soon` event 7 days before → escalation to QA Head; (d) `regulatory_commitment_overdue` event on due-date passage → URS-30 Notifications + `regulatory_finding_created` event to URS-21 per DEC-27-07 / DEC-27-15. Commitment 1 is fulfilled on time: fulfillment evidence + `regulatory_commitment_fulfillment_authority` + HITL + bound e-sign; transitions `under_review → fulfilled → closed`. Commitment 2 requires major remediation; escalated to URS-18 CAPA via `regulatory_commitment_capa_linked` event per DEC-27-16. Commitment 3 becomes overdue; URS-21 finding created; URS-18 CAPA opened.

**Worked example 4 — External-agency FDA Form 483 inspection record + URS-22 boundary.**
URS-22 Inspection Mgmt manages the inspection-readiness preparation (calendar `INSP-CAL-2026-Q4`, self-inspections, mock drills, back-room queue). On `2026-11-14` the FDA inspector arrives; URS-22 manages the back-room execution. On `2026-11-18` the FDA issues a Form 483 with 3 observations. The RA Owner creates a `regulatory_inspection_record` `RIR-2026-Q4-FDA` in URS-27 with `inspection_calendar_id = INSP-CAL-2026-Q4` (cross-boundary linkage per DEC-27-09). 3 `regulatory_observations` are added; each observation creation emits audit-trail entry per DEC-27-04 / DEC-27-11 (audit gap closed). Each observation enters controlled response/closure workflow; observation 1 (critical) emits `regulatory_finding_created` event to URS-21 per DEC-27-15 → standalone finding created → URS-18 CAPA opened. Observation closure requires `regulatory_observation_closure_authority` + HITL + bound e-sign per DEC-27-10.

**Worked example 5 — Governed reopen of locked submission.**
On `2027-08-10` post-approval surveillance reveals a material discrepancy in a previously approved and locked NDA. The Manufacturing Head initiates a reopen; per DEC-27-22 + SoD-27-06, both `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason are required. On both co-signs the submission transitions `locked → in_progress` and a new submission iteration is appended; the prior locked evidence is NOT mutated.

---

## 4. End-to-End User Journeys (28 launch journeys)

| # | Journey | Actor | Pre-condition | Path | Post-condition |
|---|---|---|---|---|---|
| 1 | Create regulatory feed | RA Owner | `regulatory:feed:create` | Create feed in `draft` with `source_url`, `source_url_hash`, `feed_type` | Feed `draft`; audit entry |
| 2 | Activate feed | RA Owner | Feed `draft` | Transition `draft → active` | Feed `active`; audit entry |
| 3 | Run feed sync (manual) | RA Owner | Feed `active` | POST `/regulatory/feeds/:id/sync` with `sync_mode = manual`; persist `last_sync_at`, `last_sync_initiated_by`, `last_sync_outcome` per DEC-27-03 | Feed sync log entry; new items deduplicated and ingested per DEC-27-04 |
| 4 | Run feed sync (scheduled) | System (scheduled job) | Feed `active`; schedule due | Sync runs with `sync_mode = scheduled`; persists `ingested_by_system` | Items ingested; audit entry per item |
| 5 | Reject duplicate feed item | System (validation) | `(tenant_id, feed_id, source_item_hash)` exists | Reject duplicate insert | No insert; reconciliation logged |
| 6 | MIRA proposes feed-item AI summary | System (MIRA) | Feed item ingested | Persist `regulatory_ai_summaries` with `summary_type = feed_item_summary` + full provenance per DEC-27-13 | Summary `proposed`; advisory only |
| 7 | Accept AI summary | RA Owner | Summary `proposed` | HITL + bound e-sign; persist `accepted_by`, `accepted_text_immutable`, `acceptance_e_signature_id` | Summary `accepted`; locked text |
| 8 | Create regulatory submission | RA Owner | `regulatory:submission:create` | Create submission `(health_authority, submission_type, product_id, study_id)` in `draft` | Submission `draft`; audit entry |
| 9 | Add submission milestone | RA Owner | Submission exists | Add milestone with `target_date` | Milestone created |
| 10 | Complete submission milestone | Milestone Authority | Milestone in_progress | Complete with `regulatory_milestone_authority` + reason-for-change per DEC-27-06 | Milestone `completed`; audit entry |
| 11 | Submit submission to agency | RA Submission Approver | Submission `under_review` | Controlled lifecycle endpoint + `regulatory_submission_approver_authority` + HITL + bound e-sign per DEC-27-10; transition `under_review → submitted` | Submission `submitted`; bound e-signature |
| 12 | Reject direct PATCH on terminal status | System (validation) | Generic PATCH attempt setting `status = approved` | Reject with `REG_TERMINAL_STATE_PATCH_FORBIDDEN` per DEC-27-05 | Operation rejected |
| 13 | Approve submission | RA Submission Approver | Submission `under_agency_review`; agency approval received | Controlled lifecycle endpoint + HITL + bound e-sign; transition `under_agency_review → approved` | Submission `approved`; bound e-signature |
| 14 | Withdraw submission | RA Submission Approver / Executive Authority | Submission `submitted` or `under_agency_review` | Controlled lifecycle endpoint + executive co-sign + HITL + bound e-sign + reason-for-change; transition to `withdrawn` | Submission `withdrawn`; bound e-signature |
| 15 | Auto-lock approved submission | System (auto + bound e-sign) | Submission `approved` for ≥ 24h | Transition `approved → locked` with bound e-sign per DEC-27-23 | Submission `locked`; immutable |
| 16 | Reopen locked submission (governed transition) | Manufacturing Head + Executive Authority + Qualified Person | Submission `locked`; documented reason | Executive co-sign AND QP co-sign; transition `locked → in_progress`; append new iteration per DEC-27-22 | Submission `in_progress`; new iteration appended; prior locked evidence NOT mutated |
| 17 | Create regulatory commitment | RA Owner | Submission approved with PMR | Create commitment `open` with due date | Commitment `open`; reminder engine schedules due-soon events |
| 18 | Emit commitment due-soon event | System (reminder engine) | Configurable lead time (30/14/7 days before due) | Emit `regulatory_commitment_due_soon` event consumed by URS-30 Notifications per DEC-27-07 | Notification delivered |
| 19 | Emit commitment overdue event | System (reminder engine) | Due date passed | Emit `regulatory_commitment_overdue` event + `regulatory_finding_created` event to URS-21 per DEC-27-07 / DEC-27-15 | URS-21 finding created |
| 20 | Fulfill commitment | Commitment Fulfillment Authority | Commitment `under_review` | HITL + bound e-sign + fulfillment evidence per DEC-27-07; transition `under_review → fulfilled` | Commitment `fulfilled`; bound e-signature |
| 21 | Link commitment to URS-18 CAPA | RA Owner | Commitment requires escalation | Emit `regulatory_commitment_capa_linked` to URS-18 with `regulatory_commitment` source type per DEC-27-16 | URS-18 CAPA created |
| 22 | Close commitment | Commitment Authority | Commitment `fulfilled` and CAPA terminal | Close with bound e-sign | Commitment `closed` |
| 23 | Create regulatory calendar event | RA Owner | `regulatory:calendar:create` | Create event with deadline | Event created |
| 24 | Complete calendar event | RA Owner | Event linked to milestone/commitment/inspection | Complete with explicit completion criteria + audit reason per DEC-27-08 | Event `completed`; audit entry |
| 25 | Create regulatory inspection record (external-agency artifact) | RA Owner | FDA Form 483 / EU GMP report received | Create record with optional `inspection_calendar_id` cross-boundary linkage to URS-22 per DEC-27-09 | Record created; audit entry |
| 26 | Add regulatory observation | RA Owner | Inspection record exists | Add observation; emit explicit audit-trail entry per DEC-27-04 / DEC-27-11 (gap closed) | Observation `open`; audit entry |
| 27 | Close regulatory observation | Observation Closure Authority | Observation responded | HITL + bound e-sign per DEC-27-10; transition to `closed` | Observation `closed`; bound e-signature |
| 28 | Cross-tenant `platform_admin` break-glass | platform_admin | Documented reason | Cross-tenant regulatory access; logged | Break-glass action logged in platform support audit per DEC-27-20 |

---

## 5. Front-end Requirements

### 5.1 Regulatory Dashboard

The regulatory dashboard (URS-27-FE-001) renders summary cards (active feeds, recent feed items, pending submissions, due-soon commitments, overdue commitments, upcoming calendar events, recent inspection records) with filters; uses canonical `/regulatory/*` hooks per DEC-27-02; **all CTAs resolve to real pages** per DEC-27-02.

### 5.2 Feed Console

The feed console (URS-27-FE-002) renders feed registry with sync status badges; supports manual sync per DEC-27-03; new route `/regulatory/feeds`.

### 5.3 Feed Item Console

The feed item console (URS-27-FE-003) renders ingested feed items with provenance badges; supports archival; new route `/regulatory/feeds/:id/items`.

### 5.4 Submission Console

The submission console (URS-27-FE-004) renders submissions list with filter by `health_authority` / `submission_type` / `status`; supports submission lifecycle ceremonies with HITL + bound e-signature per DEC-27-10; new route `/regulatory/submissions`.

### 5.5 Submission Detail

The submission detail (URS-27-FE-005) renders submission metadata, milestones timeline, linked URS-13 CRs, linked documents, AI impact-analysis summaries; existing route `/regulatory/submissions/:id`.

### 5.6 Commitment Console

The commitment console (URS-27-FE-006) renders commitments list with due-soon / overdue badges; supports fulfillment ceremony with HITL + bound e-signature per DEC-27-07; commitment-CAPA linkage UI; new route `/regulatory/commitments`.

### 5.7 Calendar Console

The calendar console (URS-27-FE-007) renders regulatory calendar events with completion criteria UI per DEC-27-08; new route `/regulatory/calendar`.

### 5.8 Inspection Record Console

The inspection record console (URS-27-FE-008) renders external-agency inspection records with observation lists; cross-boundary linkage badge to URS-22 inspection-readiness per DEC-27-09; observation closure ceremony with HITL + bound e-signature per DEC-27-10; new route `/regulatory/inspection-records`.

### 5.9 AI Summary Console

The AI summary console (URS-27-FE-009) renders AI-generated summaries with provenance (model, model version, prompt version, confidence, citation snapshot), accept ceremony with bound e-signature, reject ceremony with reason; advisory-only labeling per DEC-27-13 + ARCH-AI-001 AC-3.

### 5.10 Predicate-Rule Citation Lookup

The predicate-rule citation lookup (URS-27-FE-010) consumes URS-12 Document Control predicate-rule registry; supports search by jurisdiction / authority / clause per DEC-27-18.

### 5.11 MIRA Copilot Integration

MIRA copilot (URS-27-FE-011) is read-only context on regulatory records via `useMiraRecord('regulatory_feed', id)`, `useMiraRecord('regulatory_feed_item', id)`, `useMiraRecord('regulatory_submission', id)`, `useMiraRecord('regulatory_commitment', id)`, `useMiraRecord('regulatory_inspection_record', id)`. **AI-generated text is advisory only with mandatory human acceptance per DEC-27-13; no AI signs submissions; no AI disposes commitments; no AI signs observation closures.**

### 5.12 Accessibility

WCAG 2.1 AA accessible.

---

## 6. Back-end Requirements

### 6.1 Module structure

`packages/backend/src/modules/regulatory/` with `plugin.ts`, `routes.ts` (typed schemas), `service.ts` (terminal-state patch-bypass prevention; controlled lifecycle endpoints; reminder/escalation engine; AI summary substrate; audit-trail coverage including previously-missing `addFeedItem` and `addObservation`; reason-for-change discipline), `schemas.ts` (aligned with migration 038), `events.ts` (event emission for `regulatory_*` events).

### 6.2 Data model

#### 6.2.1 `regulatory_feeds`

`id`, `tenant_id`, `feed_code`, `feed_name`, `feed_type` (ENUM `fda_dsc` / `ema_news` / `mhra_updates` / `ich_bulletin` / `cdsco_notification` / `pmda_feedback` / `who_pq_update` / `internal_subscription` / `custom`), `source_url`, `source_url_hash` (TEXT — derived per DEC-27-03), `health_authority`, `sync_mode` (ENUM `manual` / `scheduled` / `on_demand`), `sync_schedule_cron` (TEXT nullable), `last_sync_at` (TIMESTAMPTZ), `last_sync_initiated_by` (FK nullable), `last_sync_outcome` (ENUM `success` / `partial` / `failed` / `null`), `last_sync_error` (TEXT nullable), `status` (ENUM `draft` / `active` / `suspended` / `archived`), audit columns. RLS enabled.

#### 6.2.2 `regulatory_feed_items`

`id`, `tenant_id`, `feed_id` (FK), `source_item_hash` (TEXT NOT NULL per DEC-27-04), `source_url`, `title`, `published_at`, `summary_text`, `body_text`, `tags` (TEXT[]), `ingested_at` (TIMESTAMPTZ), `ingested_by` (FK nullable), `ingested_by_system` (TEXT nullable — e.g., `scheduled_sync_job`), `ingestion_provenance_json` (JSONB), `archived_at` (TIMESTAMPTZ nullable), `archived_by` (FK nullable), audit columns. UNIQUE `(tenant_id, feed_id, source_item_hash)` per DEC-27-04.

#### 6.2.3 `regulatory_submissions`

`id`, `tenant_id`, `study_id` (FK nullable), `product_id` (FK nullable), `health_authority` (ENUM NOT NULL per DEC-27-14), `submission_type` (ENUM `nda` / `ind` / `anda` / `bla` / `maa` / `ctd` / `impd` / `type_ii_variation` / `dmf` / `field_alert_report` / `adr_icsr` / `response_to_deficiency` / `pma` / `510k` / `other`), `submission_code`, `title`, `version` (INTEGER NOT NULL DEFAULT 1 — increments on material update per DEC-27-05), `target_submission_date`, `actual_submission_date`, `agency_response_due_date`, `agency_response_received_date`, `linked_change_request_ids` (UUID[] FK to URS-13), `linked_complaint_ids` (UUID[] FK to URS-14), `linked_oos_ids` (UUID[] FK to URS-15), `linked_deviation_ids` (UUID[] FK to URS-16), `status` (ENUM `draft` / `in_progress` / `under_review` / `submitted` / `under_agency_review` / `approved` / `rejected` / `withdrawn` / `locked`), `approved_by` (FK nullable), `approved_at` (TIMESTAMPTZ nullable), `approval_e_signature_id` (FK nullable), `rejected_by` / `rejected_at` / `rejection_e_signature_id`, `withdrawn_by` / `withdrawn_at` / `withdrawal_e_signature_id` / `withdrawal_reason`, `locked_at` / `locked_by` / `lock_e_signature_id`, `reopened_at` / `reopened_by` / `reopen_executive_co_signer` / `reopen_qp_co_signer` / `reopen_reason`, `reason_for_change` (TEXT nullable per DEC-27-21), audit columns.

#### 6.2.4 `regulatory_milestones`

`id`, `tenant_id`, `submission_id` (FK), `milestone_label`, `original_due_date`, `revised_due_date` (TIMESTAMPTZ nullable), `actual_completion_date` (TIMESTAMPTZ nullable), `completed_by` (FK nullable), `completion_e_signature_id` (FK nullable per DEC-27-06), `reason_for_change` (TEXT nullable), `status` (ENUM `pending` / `in_progress` / `completed` / `cancelled`), audit columns.

#### 6.2.5 `regulatory_commitments`

`id`, `tenant_id`, `submission_id` (FK nullable — commitments may exist independent of a submission), `health_authority` (ENUM), `commitment_text`, `commitment_type` (ENUM `post_marketing_requirement` / `post_approval_study` / `stability_commitment` / `capa_commitment` / `rtq_response` / `manufacturing_change` / `safety_update` / `other`), `due_date`, `assigned_to` (FK), `linked_capa_id` (FK to URS-18 nullable), `linked_change_request_id` (FK to URS-13 nullable), `fulfilled_by` (FK nullable), `fulfilled_at` (TIMESTAMPTZ nullable), `fulfillment_e_signature_id` (FK nullable per DEC-27-07), `fulfillment_evidence_json` (JSONB nullable), `closed_by` (FK nullable), `closed_at` (TIMESTAMPTZ nullable), `closure_e_signature_id` (FK nullable), `reminder_lead_times_days` (INTEGER[] DEFAULT `{30, 14, 7}`), `last_reminder_emitted_at` (TIMESTAMPTZ nullable), `is_overdue` (BOOLEAN GENERATED), `status` (ENUM `open` / `in_progress` / `under_review` / `fulfilled` / `closed`), audit columns.

#### 6.2.6 `regulatory_calendar_events`

`id`, `tenant_id`, `event_label`, `event_date`, `event_type` (ENUM), `priority`, `linked_submission_id` (FK nullable), `linked_commitment_id` (FK nullable), `linked_inspection_record_id` (FK nullable), `is_completed` (BOOLEAN), `completed_at` (TIMESTAMPTZ nullable), `completed_by` (FK nullable), `completion_reason` (TEXT nullable per DEC-27-08), audit columns.

#### 6.2.7 `regulatory_inspection_records`

`id`, `tenant_id`, `inspection_calendar_id` (FK to URS-22 nullable per DEC-27-09 cross-boundary linkage), `health_authority`, `agency_inspection_id` (TEXT — agency-issued ID, e.g., FDA EI or 483 number), `inspection_type` (ENUM `fda_routine` / `fda_pai` / `fda_for_cause` / `ema_gmp` / `mhra_gmp` / `cdsco_gmp` / `health_canada` / `pmda` / `notified_body` / `who_pq` / `other`), `inspection_start_date`, `inspection_end_date`, `report_received_date`, `report_document_id` (FK to URS-12 — the agency-issued report), `inspector_names` (TEXT[]), `status` (ENUM `received` / `under_response` / `responded` / `closed`), `closed_by` / `closed_at` / `closure_e_signature_id`, audit columns.

#### 6.2.8 `regulatory_observations`

`id`, `tenant_id`, `inspection_record_id` (FK), `observation_number` (INTEGER), `observation_text`, `severity` (ENUM `critical` / `major` / `minor` / `observation`), `response_text`, `linked_capa_id` (FK to URS-18 nullable), `linked_finding_id` (FK to URS-21 nullable per DEC-27-15), `resolved_by` (FK nullable), `resolved_at` (TIMESTAMPTZ nullable), `resolution_e_signature_id` (FK nullable per DEC-27-10), `closed_by` (FK nullable), `closed_at` (TIMESTAMPTZ nullable), `closure_e_signature_id` (FK nullable), `status` (ENUM `open` / `under_response` / `resolved` / `closed`), audit columns.

#### 6.2.9 `regulatory_ai_summaries`

`id`, `tenant_id`, `summary_type` (ENUM per DEC-27-13), `linked_record_type` (ENUM `feed_item` / `submission` / `commitment` / `inspection_record` / `observation`), `linked_record_id` (UUID), `narrative_text`, `model_id` (TEXT NOT NULL), `model_version` (TEXT NOT NULL), `prompt_version` (TEXT NOT NULL), `confidence` (NUMERIC(3,2)), `citation_snapshot_json` (JSONB), `proposed_at` (TIMESTAMPTZ), `proposed_by_system` (TEXT), `accepted_by` (FK nullable), `accepted_at` (TIMESTAMPTZ nullable), `acceptance_e_signature_id` (FK nullable), `accepted_text_immutable` (TEXT nullable), `rejection_reason` (TEXT nullable), `status` (ENUM `proposed` / `accepted` / `rejected`), audit columns.

#### 6.2.10 RLS

All Module 27 tables have RLS enabled.

### 6.3 API contract

| Route | Method | Permission | Status |
|---|---|---|---|
| `/api/v1/regulatory/feeds` | GET / POST | `regulatory:feed:read` / `regulatory:feed:create` | (typed schema) |
| `/api/v1/regulatory/feeds/:id` | GET / PATCH | `regulatory:feed:read` / `regulatory:feed:update` | |
| `/api/v1/regulatory/feeds/:id/sync` | POST | `regulatory:feed:sync` per DEC-27-03 | target route |
| `/api/v1/regulatory/feeds/:id/items` | GET / POST | `regulatory:feed:item:read` / `regulatory:feed:item:create` (audit per DEC-27-04) | |
| `/api/v1/regulatory/feed-items/:id/archive` | POST | `regulatory:feed:item:archive` | target route |
| `/api/v1/regulatory/submissions` | GET / POST | `regulatory:submission:read` / `regulatory:submission:create` | |
| `/api/v1/regulatory/submissions/:id` | GET / PATCH (status excluded per DEC-27-05) | `regulatory:submission:read` / `regulatory:submission:update` | |
| `/api/v1/regulatory/submissions/:id/submit` | POST | `regulatory_submission_approver_authority` + HITL + bound e-sign per DEC-27-10 | target route |
| `/api/v1/regulatory/submissions/:id/approve` | POST | `regulatory_submission_approver_authority` + HITL + bound e-sign | target route |
| `/api/v1/regulatory/submissions/:id/reject` | POST | `regulatory_submission_approver_authority` + HITL + bound e-sign + reason | target route |
| `/api/v1/regulatory/submissions/:id/withdraw` | POST | `executive_authority` co-sign + HITL + bound e-sign + reason | target route |
| `/api/v1/regulatory/submissions/:id/lock` | POST | system (auto + bound e-sign per DEC-27-23) | target route |
| `/api/v1/regulatory/submissions/:id/reopen` | POST | `executive_authority` co-sign AND `qualified_person_authority` co-sign + HITL + reason per DEC-27-22 | target route |
| `/api/v1/regulatory/submissions/:id/milestones` | GET / POST | `regulatory:milestone:read` / `regulatory:milestone:create` | |
| `/api/v1/regulatory/milestones/:id/complete` | POST | `regulatory_milestone_authority` + reason-for-change per DEC-27-06 | target route |
| `/api/v1/regulatory/commitments` | GET / POST | `regulatory:commitment:read` / `regulatory:commitment:create` | |
| `/api/v1/regulatory/commitments/:id` | GET / PATCH | `regulatory:commitment:read` / `regulatory:commitment:update` | |
| `/api/v1/regulatory/commitments/:id/fulfill` | POST | `regulatory_commitment_fulfillment_authority` + HITL + bound e-sign + fulfillment evidence per DEC-27-07 | target route |
| `/api/v1/regulatory/commitments/:id/link-capa` | POST | `regulatory_commitment_owner_authority` (emits `regulatory_commitment_capa_linked`) | target route per DEC-27-16 |
| `/api/v1/regulatory/commitments/:id/close` | POST | `regulatory_commitment_owner_authority` + HITL + bound e-sign | target route |
| `/api/v1/regulatory/calendar-events` | GET / POST | `regulatory:calendar:read` / `regulatory:calendar:create` | |
| `/api/v1/regulatory/calendar-events/:id` | GET / PATCH | `regulatory:calendar:read` / `regulatory:calendar:update` | |
| `/api/v1/regulatory/calendar-events/:id/complete` | POST | `regulatory:calendar:complete` (with explicit completion criteria per DEC-27-08) | target route |
| `/api/v1/regulatory/inspection-records` | GET / POST | `regulatory:inspection_record:read` / `regulatory:inspection_record:create` (external-agency artifact only per DEC-27-09) | |
| `/api/v1/regulatory/inspection-records/:id` | GET / PATCH | `regulatory:inspection_record:read` / `regulatory:inspection_record:update` | |
| `/api/v1/regulatory/inspection-records/:id/observations` | GET / POST | `regulatory:observation:read` / `regulatory:observation:create` (audit per DEC-27-11) | |
| `/api/v1/regulatory/observations/:id/resolve` | POST | `regulatory_observation_closure_authority` + HITL + bound e-sign per DEC-27-10 | target route |
| `/api/v1/regulatory/observations/:id/close` | POST | `regulatory_observation_closure_authority` + HITL + bound e-sign | target route |
| `/api/v1/regulatory/ai-summaries` | GET / POST | `regulatory:ai_summary:read` / `regulatory:ai_summary:propose` (advisory only per DEC-27-13) | target route |
| `/api/v1/regulatory/ai-summaries/:id/accept` | POST | `regulatory:ai_summary:accept` + HITL + bound e-sign per DEC-27-13 | target route |
| `/api/v1/regulatory/ai-summaries/:id/reject` | POST | `regulatory:ai_summary:reject` (with reason) | target route |
| `/api/v1/regulatory/predicate-rules` | GET | `regulatory:predicate_rule:read` (consumes URS-12 per DEC-27-18) | target route |

### 6.4 Workflow

#### 6.4.1 Submission lifecycle

```mermaid
stateDiagram-v2
 [*] --> draft: create
 draft --> in_progress: start
 in_progress --> under_review: review
 under_review --> submitted: submit (regulatory_submission_approver_authority + HITL + bound e-sign — DEC-27-10)
 submitted --> under_agency_review: agency acknowledges
 under_agency_review --> approved: agency approves (HITL + bound e-sign)
 under_agency_review --> rejected: agency rejects (HITL + bound e-sign + reason)
 submitted --> withdrawn: withdraw (executive co-sign + HITL + reason)
 under_agency_review --> withdrawn: withdraw (executive co-sign + HITL + reason)
 approved --> locked: auto-lock + bound e-sign
 rejected --> locked: auto-lock + bound e-sign
 withdrawn --> locked: auto-lock + bound e-sign
 locked --> in_progress: governed reopen (executive + QP co-sign + reason — DEC-27-22)
```

#### 6.4.2 Commitment lifecycle

```mermaid
stateDiagram-v2
 [*] --> open: create
 open --> in_progress: start
 in_progress --> under_review: submit for review
 under_review --> fulfilled: fulfill (regulatory_commitment_fulfillment_authority + HITL + bound e-sign + evidence — DEC-27-07)
 fulfilled --> closed: close (HITL + bound e-sign)
```

#### 6.4.3 Reminder/escalation lifecycle (commitment)

```mermaid
stateDiagram-v2
 [*] --> scheduled: commitment created
 scheduled --> due_soon_30: 30 days before due
 due_soon_30 --> due_soon_14: 14 days before due
 due_soon_14 --> due_soon_7: 7 days before due
 due_soon_7 --> overdue: due date passed (emits regulatory_commitment_overdue + regulatory_finding_created — DEC-27-07 / DEC-27-15)
 due_soon_7 --> fulfilled: commitment fulfilled before due
```

#### 6.4.4 Inspection record + observation lifecycle

```mermaid
stateDiagram-v2
 [*] --> received: external-agency report received
 received --> under_response: response in progress
 under_response --> responded: response submitted
 responded --> closed: agency closes (HITL + bound e-sign)
 state observation_lifecycle {
 [*] --> open: addObservation (audit per DEC-27-11)
 open --> under_response: response captured
 under_response --> resolved: resolve (regulatory_observation_closure_authority + HITL + bound e-sign — DEC-27-10)
 resolved --> closed: close (HITL + bound e-sign)
 }
```

### 6.5 Business rules

- BR-27-01: Feed lifecycle is `draft → active → suspended → archived` per DEC-27-03.
- BR-27-02: Feed sync persists `sync_mode`, `last_sync_at`, `last_sync_initiated_by`, `last_sync_outcome` per DEC-27-03.
- BR-27-03: Feed-item deduplication via UNIQUE `(tenant_id, feed_id, source_item_hash)` per DEC-27-04.
- BR-27-04: `addFeedItem` emits explicit audit-trail entry per DEC-27-04 / DEC-27-11.
- BR-27-05: Submission lifecycle is `draft → in_progress → under_review → submitted → under_agency_review → approved | rejected | withdrawn → locked` per DEC-27-05.
- BR-27-06: Direct PATCH cannot set submission `status` to `approved` / `rejected` / `withdrawn` / `locked` per DEC-27-05.
- BR-27-07: Submission `version` increments on material update per DEC-27-05.
- BR-27-08: Submission approval / rejection / withdrawal require `regulatory_submission_approver_authority` + HITL + bound e-signature per DEC-27-10.
- BR-27-09: Submission withdrawal requires `executive_authority` co-sign + reason per DEC-27-23.
- BR-27-10: Milestone completion requires `regulatory_milestone_authority` + reason-for-change per DEC-27-06.
- BR-27-11: Commitment fulfillment requires `regulatory_commitment_fulfillment_authority` + HITL + bound e-signature + fulfillment evidence per DEC-27-07.
- BR-27-12: Reminder engine emits `regulatory_commitment_due_soon` events at configurable lead times (default 30 / 14 / 7 days) per DEC-27-07.
- BR-27-13: Reminder engine emits `regulatory_commitment_overdue` events on due-date passage per DEC-27-07.
- BR-27-14: Overdue commitments emit `regulatory_finding_created` to URS-21 per DEC-27-15.
- BR-27-15: Commitment-CAPA linkage emits `regulatory_commitment_capa_linked` to URS-18 per DEC-27-16.
- BR-27-16: Calendar event completion requires explicit completion criteria + audit reason per DEC-27-08.
- BR-27-17: Regulatory inspection records are scoped to external-agency artifacts only per DEC-27-09.
- BR-27-18: `addObservation` emits explicit audit-trail entry per DEC-27-09 / DEC-27-11.
- BR-27-19: Observation closure / resolution requires `regulatory_observation_closure_authority` + HITL + bound e-signature per DEC-27-10.
- BR-27-20: Auto-lock 24h after `approved` / `rejected` / `withdrawn` with bound e-signature per DEC-27-23.
- BR-27-21: Submission reopen `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason per DEC-27-22.
- BR-27-22: AI summaries are advisory until human-accepted; promotion to system-of-record requires bound e-signature per DEC-27-13.
- BR-27-23: Module 27 is **tenant-wide by default** with optional study/product narrowing per DEC-27-12.
- BR-27-24: `platform_admin` / `super_admin` are support / break-glass only paths per DEC-27-20.
- BR-27-25: **AI cannot finalize regulatory submission approval, dispose a commitment, sign an observation closure, or finalize observation resolution**; AI may draft advisory text only.

### 6.6 Audit trail

Every Module 27 record mutation persists an audit-trail entry. Material updates after draft persist `reason_for_change` per DEC-27-21. Regulated final actions persist a bound e-signature via the `electronic_signatures` substrate. Append-only.

### 6.7 Error handling

| Code | HTTP | Meaning |
|---|---|---|
| `REG_VALIDATION_FAILED` | 400 | Schema validation failure |
| `REG_UNAUTHORIZED` | 401 | Authentication required |
| `REG_FORBIDDEN` | 403 | RBAC denied |
| `REG_NOT_FOUND` | 404 | Resource not found |
| `REG_DUPLICATE_KEY` | 409 | Uniqueness violation |
| `REG_FEED_ITEM_DUPLICATE` | 409 | `(tenant_id, feed_id, source_item_hash)` already exists per DEC-27-04 |
| `REG_INVALID_TRANSITION` | 422 | Lifecycle transition not permitted |
| `REG_TERMINAL_STATE_PATCH_FORBIDDEN` | 422 | Direct PATCH attempted on terminal status per DEC-27-05 |
| `REG_AUTHORITY_REQUIRED` | 422 | Authority Profile missing |
| `REG_HITL_DECISION_REQUIRED` | 422 | HITL decision capture missing |
| `REG_E_SIGNATURE_REQUIRED` | 422 | Bound e-signature persistence missing |
| `REG_REASON_FOR_CHANGE_REQUIRED` | 422 | Material update / terminal transition without reason-for-change |
| `REG_COMMITMENT_EVIDENCE_REQUIRED` | 422 | Commitment fulfillment without evidence per DEC-27-07 |
| `REG_CALENDAR_COMPLETION_CRITERIA_REQUIRED` | 422 | Calendar event completion without explicit criteria per DEC-27-08 |
| `REG_INSPECTION_BOUNDARY_VIOLATION` | 422 | Attempt to use regulatory inspection record for inspection-readiness execution (URS-22 boundary) per DEC-27-09 |
| `REG_AI_SUMMARY_NOT_ACCEPTED` | 422 | Attempt to promote AI summary to system-of-record without human acceptance per DEC-27-13 |
| `REG_AI_CANNOT_SIGN_TERMINAL_ACTION` | 422 | AI service attempted to approve / dispose / sign-closure / resolve per ARCH-AI-001 |
| `REG_REOPEN_AUTHORITY_REQUIRED` | 422 | Reopen attempted without executive AND QP co-sign per DEC-27-22 |
| `REG_WITHDRAWAL_AUTHORITY_REQUIRED` | 422 | Withdrawal attempted without executive co-sign |
| `REG_CONTEXT_FILTER_MISMATCH` | 422 | Query against context column not present in schema |
| `REG_INTERNAL` | 500 | Sanitized server error |

### 6.8 Configuration rules

- Reminder lead times (default `{30, 14, 7}` days) configurable per tenant per commitment per DEC-27-07.
- Auto-lock interval (default 24h) configurable per tenant.
- Feed sync schedule (default daily) configurable per feed.
- Health authority enumerations and submission-type enumerations configured at platform level.

---

## 7. Non-functional Requirements

- NFR-27-01: List pagination (default 50, max 200).
- NFR-27-02: List p95 < 800ms (10k feed items, 1k submissions, 10k commitments per tenant).
- NFR-27-03: Feed sync p95 < 60s for 1000-item payload.
- NFR-27-04: Reminder engine emission p95 < 30s after scheduled time.
- NFR-27-05: Submission detail (with milestones, linked CRs, AI summaries) p95 < 1s.
- NFR-27-06: Audit-trail append p99 < 200ms.
- NFR-27-07: Concurrent regulatory affairs users per tenant: 30.
- NFR-27-08: Storage scalability: 1M feed items per tenant; 100k commitments per tenant.
- NFR-27-09: Backup / restore RPO ≤ 15 min; RTO ≤ 4 hours per URS-35.
- NFR-27-10: Bound e-signature persistence transaction p95 < 1.5s.

---

## 8. Localization

English (en-US, en-GB), Hindi (hi-IN), Marathi (mr-IN), Japanese (ja-JP) at launch.

---

## 9. Migration

### 9.1 Migration scope

Greenfield at launch.

### 9.2 Schema migration

Migration 038 baseline; target migrations (039+) add `source_url_hash`, `sync_mode`, `last_sync_initiated_by`, `last_sync_outcome`, `last_sync_error` columns on `regulatory_feeds` per DEC-27-03; add `source_item_hash`, `ingested_by_system`, `ingestion_provenance_json`, `archived_at`, `archived_by` columns on `regulatory_feed_items` per DEC-27-04 + UNIQUE `(tenant_id, feed_id, source_item_hash)`; add `linked_change_request_ids`, `linked_complaint_ids`, `linked_oos_ids`, `linked_deviation_ids` arrays on `regulatory_submissions`; add controlled lifecycle / e-signature FK columns on `regulatory_submissions`; add reopen columns on `regulatory_submissions` per DEC-27-22; add `reminder_lead_times_days`, `last_reminder_emitted_at`, `is_overdue` (generated) on `regulatory_commitments` per DEC-27-07; add e-signature FK columns on `regulatory_commitments`, `regulatory_milestones`, `regulatory_observations`; add `regulatory_ai_summaries` table per DEC-27-13; add `inspection_calendar_id` FK to URS-22 on `regulatory_inspection_records` per DEC-27-09; reconcile `MODULE_CONTEXT_CONFIG.regulatory` to declare both `study_id` and `product_id` filtering per DEC-27-12.

### 9.3 Migration evidence gate (URS-27-VAL-008)

(a) all migrations applied; (b) RLS verified; (c) typed schema validation verified; (d) feed sync workflow verified; (e) feed-item deduplication + audit-trail emission verified; (f) terminal-state patch-bypass prevention verified; (g) controlled lifecycle endpoints + bound e-signature verified for submissions / commitments / observations; (h) reminder engine due-soon + overdue emission verified; (i) calendar completion governance verified; (j) external-agency inspection-record boundary verified (URS-22 cross-boundary linkage tested); (k) `addObservation` audit-trail emission verified; (l) AI summary substrate provenance + acceptance verified; (m) cross-module event emission verified (URS-13, URS-18, URS-21, URS-22, URS-26, URS-30); (n) audit-trail coverage on every mutation verified; (o) governed reopen append-only verified; (p) frontend route surface alignment verified; (q) §17 validation evidence pack signed.

---

## 10. Decommissioning

Module 27 records subject to platform record-retention policy: retained for the longer of (a) 30 years from submission lock (FDA 21 CFR §211.180) or (b) 50 years from product expiry (EU GMP). On tenant decommissioning, records exported per URS-35.

---

## 11. Decisions, Dependencies, Risks, and Error Handling
### 11.1 Closed decision posture

**No Module 27 internal decisions outstanding.** Launch decisions are captured in the locked decisions above.

### 11.2 External dependencies

- URS-12 Document Control must support predicate-rule citation registry per DEC-27-18.
- URS-13 change-control register must support `regulatory_submission_id` linkage per DEC-27-17.
- URS-18 CAPA register must accept `regulatory_commitment` source type per DEC-27-16.
- URS-21 findings register must accept `regulatory_intelligence` source type per DEC-27-15.
- URS-22 Inspection Mgmt must support cross-boundary `inspection_calendar_id` linkage from Module 27 per DEC-27-09.
- URS-26 APQR must consume regulatory feed items / commitments / submissions for periodic review.
- URS-30 Notifications must consume `regulatory_commitment_due_soon` and `regulatory_commitment_overdue` events per DEC-27-07.
- URS-32 MIRA AI must support read-only `useMiraRecord(.)` mappings; AI advisory drafting only with mandatory human acceptance.

### 11.3 Risks

- Risk-27-01: Vendor-specific feed parsing reliability — different feed sources have different schemas; Mitigation: parser abstraction layer; reconciliation log for parsing failures; manual fallback.
- Risk-27-02: Reminder/escalation engine latency under high tenant load. Mitigation: NFR-27-04 latency budget; configurable reminder lead times.
- Risk-27-03: AI summary acceptance rate may be high if reviewers rubber-stamp; could bypass advisory-only intent. Mitigation: acceptance-rate audit; periodic review by RA Head + Validation Head + Founder.
- Risk-27-04: Reopen workflow gravity (executive + QP co-sign) may delay urgent post-marketing investigation. Mitigation: documented reopen SLA.
- Risk-27-05: URS-22 / URS-27 boundary confusion at user level. Mitigation: clear documented training; UX language reinforcing boundary; cross-boundary linkage badge.

### 11.4 Out-of-scope risks tracked elsewhere

- Direct agency portal integration (FDA ESG, EMA EudraVigilance) — future-state.
- Vendor-specific intelligence connectors (Cortellis, Reuters Regulatory) — future-state.

### 11.5 Risk owner

Module-27 risk register owned by Quality / Regulatory Intelligence Squad with quarterly review by RA Head + QA Head + Validation Head + Qualified Person Authority.

### 11.6 Decision discipline

No Module 27 internal decisions outstanding.

### 11.7 Error Handling and Negative Paths

This section defines the controlled error envelope, the enumerated machine-code catalogue, and the negative-path response contract required for this module. The error envelope is the standard platform envelope (human message, machine code in upper-snake-case, optional structured details, correlation identifier). Errors are returned with the appropriate HTTP status; the UI surfaces inline errors at the field of cause where applicable, otherwise a controlled error toast or modal. Every error path is logged to the URS-06 audit substrate when the originating action is regulated; errors that occur before authentication are logged without `userId`. Audit-trail write failure on a state-changing action MUST cause the originating action to NOT commit (atomic write per URS-04 BR-04-15). The enumerated machine codes for this module's negative paths are defined alongside the corresponding lifecycle gates, segregation-of-duties controls, and authority-resolution outcomes throughout §6 (Back-end Requirements) and §13 (Segregation of Duties); engineering MUST surface every enumerated machine code through the standard envelope and MUST NOT swallow errors silently. Cross-module error propagation follows the §20 Cross-Module Event Contract.


---

## 12. Security

- SEC-27-01: Tenant isolation enforced at RLS on every Module 27 table.
- SEC-27-02: RBAC enforced on every route via `requirePermission(.)`.
- SEC-27-03: Authority resolution enforced on regulated final actions before HITL + e-signature.
- SEC-27-04: HITL decision capture enforced before bound e-signature persistence.
- SEC-27-05: Bound e-signature persistence via `electronic_signatures` substrate.
- SEC-27-06: PII redaction in logs.
- SEC-27-07: Audit-trail integrity via URS-06 hash chain.
- SEC-27-08: AI-request provenance via `ai_requests` linked to `regulatory_ai_summaries`; **AI cannot sign approval steps; AI cannot finalize submission / commitment / observation disposition**; AI may draft advisory only.
- SEC-27-09: `platform_admin` / `super_admin` break-glass actions logged per DEC-27-20.
- SEC-27-10: Feed-item provenance via `source_item_hash` + `ingestion_provenance_json` per DEC-27-04.
- SEC-27-11: Cross-boundary linkage to URS-22 audited and immutable post-creation.

---

## 13. Segregation of Duties

| SoD ID | Constraint |
|---|---|
| SoD-27-01 | The submission author MUST NOT be the submission approver (final approval requires SoD-distinct `regulatory_submission_approver_authority` per DEC-27-10). |
| SoD-27-02 | The commitment owner MUST NOT be the commitment fulfillment authority. |
| SoD-27-03 | The observation responder MUST NOT be the observation closure authority. |
| SoD-27-04 | The submission withdrawal co-signer (executive authority) MUST NOT be the original submission approver. |
| SoD-27-05 | The AI-summary acceptor MAY be the regulatory affairs owner; AI-summary acceptance is a content-curation action, not a regulated final approval. |
| SoD-27-06 | The reopen co-signers (executive AND Qualified Person per DEC-27-22) MUST NOT be the original lock-and-approve signers. |
| SoD-27-07 | The `platform_admin` / `super_admin` support / break-glass action MUST NOT be a regulated production action; logged and reviewed per DEC-27-20. |

---

## 14. Regulatory Mapping

| Predicate rule | Section | Module 27 binding |
|---|---|---|
| FDA 21 CFR Part 11 | §11.10(a), §11.10(d), §11.10(e), §11.50, §11.70 | URS-27-VAL-008 + bound e-sign on every regulated final action + audit-trail on every mutation |
| **FDA 21 CFR Part 314** | NDA / ANDA | Submission lifecycle for NDA / ANDA |
| **FDA 21 CFR Part 312** | IND | Submission lifecycle for IND |
| **FDA 21 CFR Part 600 / 601** | BLA | Submission lifecycle for BLA |
| **FDA 21 CFR Part 803** | Medical Device Reports | MDR submission |
| **FDA 21 CFR Part 314.81** | Field Alert Reports | FAR submission |
| **FDA 21 CFR Part 314.80** | Adverse Drug Experience Reports | ADR submission |
| FDA Draft Guidance (January 2025) | AI to Support Regulatory Decision-Making for Drug and Biological Products | Internal forward-looking advisory predicate; AI advisory only with human acceptance |
| EU GMP Annex 11 | §1, §4, §9, §12, §16 | Risk; validation; audit trails; security; incident management |
| **EU Directive 2001/83/EC** | Marketing Authorisation | MAA submission |
| **EU Variation Regulation (EC) No 1234/2008** | Type II Variations | Variation submission |
| EU GMP Annex 22 Draft 2025 | §7 — HITL / GenAI advisory only | Internal forward-looking control |
| EU AI Act (Regulation 2024/1689) | Annex III; Art. 13 transparency | Internal forward-looking control |
| MHRA Data Integrity Guidance | ALCOA+ | Audit-trail; bound e-signature; record retention |
| GAMP 5 Cat 5 | Custom-application validation lifecycle | URS-27 validation evidence pack per URS-27-VAL-008 |
| **ICH M4** | Common Technical Document | CTD submission format |
| ICH E2B(R3) | ICSR Reporting | ICSR submission |
| ICH E6(R3) | GCP | GCP-related regulatory submissions |
| **ICH Q12** | Lifecycle Management | Lifecycle management commitments |
| **India CDSCO NDCT 2019** | New Drugs and Clinical Trials Rules | India new-drug submission |
| **India CDSCO Schedule Y** | New Drug application data | India submission data requirements |
| India D&C Act 1940 / Drugs Rules 1945 | Predicate drug-control framework | India operations regulatory baseline |
| India CDSCO Schedule M (Revised) §17 | PQR | Linked to URS-26 |
| India Medical Devices Rules 2017 | Medical device submissions | India MD submission |

---

## 15. Code Modules

| Code module | Path | Status |
|---|---|---|
| `regulatory` plugin | `packages/backend/src/modules/regulatory/plugin.ts` | (canonical mount) |
| `regulatory` routes | `packages/backend/src/modules/regulatory/routes.ts` | (typed schemas; route additions per §6.3; status excluded from PATCH) |
| `regulatory` service | `packages/backend/src/modules/regulatory/service.ts` | (terminal-state patch-bypass; controlled lifecycle endpoints; reminder/escalation engine; AI summary substrate; addFeedItem / addObservation audit gaps closed; reason-for-change discipline) |
| `regulatory` schemas | `packages/backend/src/modules/regulatory/schemas.ts` | |
| `regulatory` events | `packages/backend/src/modules/regulatory/events.ts` | target route |
| `regulatory` reminder engine | `packages/backend/src/modules/regulatory/reminder-engine.ts` | target route per DEC-27-07 |
| Migration 038 | `packages/backend/src/db/migrations/038_regulatory_intelligence.sql` | (039+ migrations add sync provenance, feed-item dedup + provenance, controlled lifecycle e-sign FKs, reminder engine columns, AI summary table, inspection-calendar FK, context-config alignment) |
| Shared types | `packages/shared/src/types/regulatory.ts` | |
| Shared schemas | `packages/shared/src/schemas/regulatory.schema.ts` | |
| Frontend hooks | `packages/frontend/src/api/hooks/useRegulatory.ts` | (canonical relative `/regulatory/*`) |
| Frontend dashboard | `packages/frontend/src/pages/RegulatoryDashboard.tsx` | (CTAs resolve to real routes) |
| Frontend submission detail | `packages/frontend/src/pages/RegulatorySubmissionDetail.tsx` | |
| Frontend feed console | `packages/frontend/src/pages/RegulatoryFeeds.tsx` | target route per DEC-27-02 |
| Frontend submission console | `packages/frontend/src/pages/RegulatorySubmissions.tsx` | target route per DEC-27-02 |
| Frontend commitment console | `packages/frontend/src/pages/RegulatoryCommitments.tsx` | target route per DEC-27-02 / DEC-27-07 |
| Frontend calendar console | `packages/frontend/src/pages/RegulatoryCalendar.tsx` | target route per DEC-27-02 / DEC-27-08 |
| Frontend inspection record console | `packages/frontend/src/pages/RegulatoryInspectionRecords.tsx` | target route per DEC-27-02 / DEC-27-09 |
| Frontend AI summary console | `packages/frontend/src/pages/RegulatoryAISummaries.tsx` | target route per DEC-27-13 |
| Frontend predicate-rule lookup | `packages/frontend/src/pages/RegulatoryPredicateRules.tsx` | target route per DEC-27-18 |
| App routing | `packages/frontend/src/App.tsx` | (per DEC-27-02) |

---

## 16. Test Cases

### 16.1 Unit tests

- TC-27-U-001: Feed lifecycle uniqueness rejects duplicate `feed_code` per tenant.
- TC-27-U-002: Feed-item duplicate `(tenant_id, feed_id, source_item_hash)` rejects with `REG_FEED_ITEM_DUPLICATE`.
- TC-27-U-003: `addFeedItem` emits audit-trail entry per DEC-27-04 / DEC-27-11.
- TC-27-U-004: Submission direct PATCH to `status = approved` rejects with `REG_TERMINAL_STATE_PATCH_FORBIDDEN`.
- TC-27-U-005: Submission approval without authority rejects with `REG_AUTHORITY_REQUIRED`.
- TC-27-U-006: Submission withdrawal without executive co-sign rejects with `REG_WITHDRAWAL_AUTHORITY_REQUIRED`.
- TC-27-U-007: Milestone completion without `regulatory_milestone_authority` rejects.
- TC-27-U-008: Commitment fulfillment without evidence rejects with `REG_COMMITMENT_EVIDENCE_REQUIRED`.
- TC-27-U-009: Reminder engine emits `regulatory_commitment_due_soon` events at configured lead times.
- TC-27-U-010: Reminder engine emits `regulatory_commitment_overdue` event on due-date passage.
- TC-27-U-011: Overdue commitment emits `regulatory_finding_created` to URS-21.
- TC-27-U-012: Commitment-CAPA linkage emits `regulatory_commitment_capa_linked` to URS-18 with `regulatory_commitment` source type.
- TC-27-U-013: Calendar event completion without explicit criteria rejects with `REG_CALENDAR_COMPLETION_CRITERIA_REQUIRED`.
- TC-27-U-014: `addObservation` emits audit-trail entry per DEC-27-09 / DEC-27-11.
- TC-27-U-015: Observation closure without authority rejects with `REG_AUTHORITY_REQUIRED`.
- TC-27-U-016: AI summary promotion without acceptance rejects with `REG_AI_SUMMARY_NOT_ACCEPTED`.
- TC-27-U-017: AI service signing approval / disposition rejects with `REG_AI_CANNOT_SIGN_TERMINAL_ACTION`.
- TC-27-U-018: Reopen without executive AND QP co-sign rejects with `REG_REOPEN_AUTHORITY_REQUIRED`.
- TC-27-U-019: Reopen appends new iteration; prior locked evidence not mutated.
- TC-27-U-020: Submission `version` increments on material update per DEC-27-05.

### 16.2 Integration tests

- TC-27-I-001: FDA Drug Safety Communication ingest → AI summary → URS-13 CR per Worked Example 1.
- TC-27-I-002: Full NDA submission lifecycle per Worked Example 2.
- TC-27-I-003: Post-marketing commitment with reminder/escalation chain per Worked Example 3.
- TC-27-I-004: External-agency FDA Form 483 inspection record + URS-22 boundary per Worked Example 4.
- TC-27-I-005: Governed reopen of locked submission per Worked Example 5.
- TC-27-I-006: Feed sync workflow with manual / scheduled / on_demand modes.
- TC-27-I-007: Cross-module event emission (URS-13, URS-18, URS-21, URS-22, URS-26, URS-30).
- TC-27-I-008: AI summary propose + accept ceremony with bound e-signature.
- TC-27-I-009: Boundary linkage to URS-22 inspection-calendar verified.
- TC-27-I-010: Calendar event completion linked to milestone / commitment / inspection record.
- TC-27-I-011: MIRA copilot read-only context; advisory drafting only; no GenAI in critical decisions.
- TC-27-I-012: Cross-tenant `platform_admin` break-glass logged per DEC-27-20.
- TC-27-I-013: Tenant-wide visibility default + optional study/product narrowing per DEC-27-12.
- TC-27-I-014: URS-12 predicate-rule citation lookup per DEC-27-18.
- TC-27-I-015: URS-26 APQR consumes regulatory feed items + commitments + submissions.

### 16.3 End-to-end tests

- TC-27-E-001: FDA Drug Safety Communication ingest scenario per Worked Example 1.
- TC-27-E-002: Full NDA submission scenario per Worked Example 2.
- TC-27-E-003: Post-marketing commitment scenario per Worked Example 3.
- TC-27-E-004: Inspection record + URS-22 boundary scenario per Worked Example 4.
- TC-27-E-005: Reopen scenario per Worked Example 5.
- TC-27-E-006: Concurrent regulatory affairs users — 30 users — NFR-27-07 verification.
- TC-27-E-007: India CDSCO NDCT 2019 / Schedule Y submission scenario.

### 16.4 Performance tests

- TC-27-P-001: List p95 latency (NFR-27-02).
- TC-27-P-002: Feed sync p95 latency (NFR-27-03).
- TC-27-P-003: Reminder engine emission p95 latency (NFR-27-04).
- TC-27-P-004: Submission detail p95 latency (NFR-27-05).
- TC-27-P-005: Bound e-signature p95 latency (NFR-27-10).

### 16.5 Security tests

- TC-27-S-001: Cross-tenant access rejected by RLS.
- TC-27-S-002: Missing RBAC rejected.
- TC-27-S-003: Missing Authority Profile rejected on regulated final action.
- TC-27-S-004: Missing HITL rejected.
- TC-27-S-005: Missing bound e-signature rejected.
- TC-27-S-006: SQL injection against typed-schema route rejected.
- TC-27-S-007: Audit-trail UPDATE / DELETE rejected at DB level.
- TC-27-S-008: AI service attempting submission approval rejected.
- TC-27-S-009: PII redaction in logs verified.
- TC-27-S-010: Direct PATCH on terminal status rejected.

---

## 17. Validation Evidence

### 17.1 URS-27-VAL-001: Requirements traceability matrix

Complete RTM mapping every URS-27 requirement (DEC-27-01.DEC-27-23, BR-27-01.BR-27-25, NFR-27-01.NFR-27-10, SoD-27-01.SoD-27-07, SEC-27-01.SEC-27-11) to test cases (TC-27-U-001.TC-27-U-020, TC-27-I-001.TC-27-I-015, TC-27-E-001.TC-27-E-007, TC-27-P-001.TC-27-P-005, TC-27-S-001.TC-27-S-010) and code modules (§15).

### 17.2 URS-27-VAL-002: Design qualification (DQ)

Architecture, data model, API contract, workflow, business rules, audit trail, security, integration; signed by Validation Head, QA Head, RA Head (Primary Owner), Manufacturing Head, Qualified Person Authority.

### 17.3 URS-27-VAL-003: Installation qualification (IQ)

Migration application + RLS verification + route mount verification + frontend hook resolution + frontend route surface verification.

### 17.4 URS-27-VAL-004: Operational qualification (OQ)

Happy-path execution of every test case with evidence captures.

### 17.5 URS-27-VAL-005: Performance qualification (PQ)

NFR-27-01.NFR-27-10 verification.

### 17.6 URS-27-VAL-006: AI/ML governance evidence

Per ARCH-AI-001: (a) MIRA read-only context integration; (b) AI advisory drafting only with mandatory human acceptance via `regulatory_ai_summaries`; (c) **AI cannot sign approval steps; AI cannot finalize submission / commitment / observation disposition** verification; (d) Annex 22 §7 + EU AI Act Annex III + FDA Draft Guidance (January 2025) internal forward-looking control compliance evidence.

### 17.7 URS-27-VAL-007: Regulatory mapping evidence

FDA 21 CFR Part 11 + 312 + 314 + 600 + 601 + 803 + 314.80 + 314.81, FDA Draft Guidance (January 2025) AI for Regulatory Decision-Making, EU GMP Annex 11, EU GMP Annex 22 Draft 2025 §7, EU AI Act Art. 13 / Annex III, EU Directive 2001/83/EC, EU Variation Regulation (EC) 1234/2008, MHRA Data Integrity (ALCOA+), GAMP 5 Cat 5, ICH M4, ICH E2B(R3), ICH E6(R3), ICH Q12, India CDSCO NDCT 2019 / Schedule Y / D&C Act 1940 / Schedule M (Revised) §17 / Medical Devices Rules 2017.

### 17.8 URS-27-VAL-008: Migration evidence gate

Per §9.3.

### 17.9 URS-27-VAL-009: Signature manifest

QA Head, RA Head (Primary Owner), Validation Head, Manufacturing Head, Qualified Person Authority, Information Security Head, Site Quality Lead, Founder / Chairman & MD per §19.

### 17.10 URS-27-VAL-010: Post-launch periodic-review pack

(a) Regulatory metrics (feeds per tenant, submission cycle time, commitment due-soon / overdue rate, observation resolution time); (b) AI-summary acceptance rate by reviewer; (c) audit-trail integrity; (d) reopen-event audit; (e) cross-tenant break-glass audit; (f) cross-module event integrity (URS-13, URS-18, URS-21, URS-22, URS-26, URS-30); (g) reminder engine reliability; (h) URS-22 boundary linkage compliance; periodic review at quarterly cadence by RA Head + QA Head + Validation Head + Qualified Person Authority.

---

## 18. Document Change History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-05-07 | Founder Doctrine — Verixa URS Cell | First issued user requirements specification for Module 27. |

---

## 19. Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Founder / Chairman & MD | Vimal | __________ | __________ |
| QA Head | __________ | __________ | __________ |
| RA Head (Primary Owner) | __________ | __________ | __________ |
| Validation Head | __________ | __________ | __________ |
| Manufacturing Head | __________ | __________ | __________ |
| Qualified Person Authority | __________ | __________ | __________ |
| Information Security Head | __________ | __________ | __________ |
| Site Quality Lead | __________ | __________ | __________ |

---

## 20. Cross-Module Event Contract

| Event | Emitter | Consumer | Payload key fields |
|---|---|---|---|
| `regulatory_feed_created` | Module 27 | URS-30 | `feed_id`, `tenant_id`, `feed_type`, `health_authority` |
| `regulatory_feed_synced` | Module 27 | URS-30 | `feed_id`, `sync_mode`, `last_sync_outcome`, `items_ingested` |
| `regulatory_feed_item_ingested` | Module 27 | URS-30, URS-26 (APQR consumer) | `feed_item_id`, `feed_id`, `source_item_hash`, `ingested_at` |
| `regulatory_feed_item_archived` | Module 27 | URS-30 | `feed_item_id`, `archived_by`, `archived_at` |
| `regulatory_submission_created` | Module 27 | URS-30 | `submission_id`, `tenant_id`, `health_authority`, `submission_type`, `created_by` |
| `regulatory_submission_status_changed` | Module 27 | URS-30 | `submission_id`, `from_status`, `to_status`, `changed_by` |
| `regulatory_submission_approved` | Module 27 | URS-30 | `submission_id`, `approved_by`, `approval_e_signature_id` |
| `regulatory_submission_rejected` | Module 27 | URS-30 | `submission_id`, `rejected_by`, `rejection_e_signature_id` |
| `regulatory_submission_withdrawn` | Module 27 | URS-30 | `submission_id`, `withdrawn_by`, `executive_co_signer`, `withdrawal_reason` |
| `regulatory_submission_locked` | Module 27 | URS-30 | `submission_id`, `locked_by`, `lock_e_signature_id` |
| `regulatory_submission_reopened` | Module 27 | URS-30, URS-21 (governed-reopen audit) | `submission_id`, `reopened_by`, `executive_co_signer`, `qp_co_signer`, `reopen_reason` |
| `regulatory_milestone_created` | Module 27 | URS-30 | `milestone_id`, `submission_id` |
| `regulatory_milestone_completed` | Module 27 | URS-30 | `milestone_id`, `completed_by` |
| `regulatory_commitment_created` | Module 27 | URS-30 | `commitment_id`, `tenant_id`, `health_authority`, `due_date` |
| `regulatory_commitment_due_soon` | Module 27 | **URS-30 Notifications (primary consumer)** | `commitment_id`, `lead_time_days`, `due_date` |
| `regulatory_commitment_overdue` | Module 27 | **URS-30 Notifications (primary consumer)**, URS-21 | `commitment_id`, `due_date`, `days_overdue` |
| `regulatory_commitment_fulfilled` | Module 27 | URS-30 | `commitment_id`, `fulfilled_by`, `fulfillment_e_signature_id` |
| `regulatory_commitment_capa_linked` | Module 27 | **URS-18 (CAPA — primary consumer)**, URS-30 | `commitment_id`, `capa_id`, `linked_by`, `source_type = regulatory_commitment` |
| `regulatory_calendar_event_created` | Module 27 | URS-30 | `event_id`, `event_date`, `priority` |
| `regulatory_calendar_event_completed` | Module 27 | URS-30 | `event_id`, `completed_by`, `completion_reason` |
| `regulatory_inspection_record_created` | Module 27 | URS-30, URS-22 (boundary audit) | `inspection_record_id`, `agency_inspection_id`, `inspection_calendar_id` (optional cross-boundary) |
| `regulatory_observation_added` | Module 27 | URS-30 | `observation_id`, `inspection_record_id`, `severity` |
| `regulatory_observation_resolved` | Module 27 | URS-30 | `observation_id`, `resolved_by`, `resolution_e_signature_id` |
| `regulatory_ai_summary_proposed` | Module 27 | URS-30 | `summary_id`, `summary_type`, `model_id`, `model_version`, `confidence` |
| `regulatory_ai_summary_accepted` | Module 27 | URS-30 | `summary_id`, `accepted_by`, `acceptance_e_signature_id` |
| `regulatory_finding_created` | Module 27 | **URS-21 (Findings — primary consumer)**, URS-30 | `finding_id` (URS-21), `severity`, `finding_type`, `source_record_id` |

---

## 21. References

- ARCH-AI-001 — AI Optionality and Manual Continuity (binding architecture)
- VRX-SPEC-URS-027-Regulatory-Intelligence-and-Submission-Governance.md (Module specification)
- URS-01.URS-26, URS-28.URS-35 (cross-module contracts)
- FDA 21 CFR Part 11
- **FDA 21 CFR Part 312** IND
- **FDA 21 CFR Part 314** NDA / ANDA
- **FDA 21 CFR Part 600 / 601** BLA
- **FDA 21 CFR Part 803** MDR
- **FDA 21 CFR Part 314.80** ADR
- **FDA 21 CFR Part 314.81** FAR
- **FDA Draft Guidance (January 2025)** — AI to Support Regulatory Decision-Making for Drug and Biological Products — internal forward-looking advisory predicate
- EU GMP Annex 11
- EU GMP Annex 22 (Draft 2025) §7 — internal forward-looking control
- EU AI Act (Regulation 2024/1689) Art. 13 / Annex III — internal forward-looking control
- **EU Directive 2001/83/EC** Marketing Authorisation
- **EU Variation Regulation (EC) No 1234/2008**
- MHRA Data Integrity Guidance (2018) — ALCOA+
- GAMP 5 Cat 5
- **ICH M4** Common Technical Document
- ICH E2B(R3) ICSR Reporting
- ICH E6(R3) GCP
- **ICH Q12** Lifecycle Management
- **India CDSCO NDCT 2019 §27** New Drugs and Clinical Trials Rules
- **India CDSCO Schedule Y** New Drug Application Data
- India D&C Act 1940 / Drugs Rules 1945
- India CDSCO Schedule M (Revised) §17
- India Medical Devices Rules 2017

---

**END OF VRX-URS-27 — REGULATORY INTELLIGENCE AND SUBMISSION GOVERNANCE — VERSION 1.0**
