# Verixa — User Requirements Specification

# Module 33: GMP Manufacturing Operations and Controls

| Field | Value |
|---|---|
| Document ID | VRX-URS-33 |
| Version | 1.0 |
| Status | Final — ready for QA, Validation, Regulatory Affairs, Information Security, **Manufacturing Head (Primary Owner)**, Site Quality Lead, Qualified Person Authority, and Founder approval. URS approval is separate from validation execution. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block. It becomes "Released for validation execution" only after the module migration evidence gate (URS-33-VAL-008) and validation evidence pack are satisfied. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules | Target implementation binding: expected primary code module `gmp` (with its `routes.ts`, `service.ts`, `workflow.ts`, `schemas.ts`), expected supporting modules `batch` (URS-23 — consumed not duplicated), `audit-trail`, `auth/rbac`, `electronic_signatures`, `hitl`, `documents` (URS-12), `authority-check`, `context-filter`, expected API mounts `/api/v1/gmp/*` (canonical) consuming `/api/v1/batch/*` for batch execution per URS-23, expected event-bus emission for `gmp_batch_review_started`, `gmp_batch_review_completed`, `gmp_batch_review_rejected`, `gmp_batch_disposition_proposed`, `gmp_batch_disposition_approved`, `gmp_batch_disposition_rejected`, `gmp_batch_qp_certified`, `gmp_material_received`, `gmp_material_quarantined`, `gmp_material_released_for_use`, `gmp_material_rejected`, `gmp_label_issued`, `gmp_label_reconciled`, `gmp_label_destroyed`, `gmp_label_variance_flagged`, `gmp_ipc_recorded`, `gmp_ipc_failure_escalated`, `gmp_equipment_qualified`, `gmp_equipment_expired`, `gmp_equipment_decommissioned`, `gmp_process_validation_completed`, `gmp_process_validation_expired`, `gmp_cleaning_validation_completed`, `gmp_cleaning_validation_expired`, `gmp_manufacturing_deviation_opened`, `gmp_manufacturing_deviation_closed`, `gmp_program_locked`, `gmp_program_reopened`, expected MIRA context integration through `useMiraRecord('gmp_batch_review', id)`, `useMiraRecord('gmp_batch_disposition', id)`, `useMiraRecord('gmp_material_receipt', id)`, `useMiraRecord('gmp_label_control', id)`, `useMiraRecord('gmp_equipment_qualification', id)`, and `useMiraRecord('gmp_validation', id)` mappings, expected URS-23 Batch Records consumer integration (URS-33 governs batch review + disposition + release certification but does NOT duplicate URS-23 batch execution per DEC-33-01 module boundary), expected URS-24 Stability consumer integration, expected URS-25 Environmental Monitoring consumer integration, expected URS-15 OOS / URS-16 Deviations / URS-17 RCA / URS-18 CAPA outbound emission for manufacturing-precipitated deviations / OOS / RCA / CAPA, expected URS-21 Findings outbound emission for chronic GMP control failures, expected URS-13 Change Control linkage for equipment qualification / process validation / cleaning validation effective release, expected URS-12 Document Control linkage for batch record certification / validation report storage, expected URS-22 Inspection Mgmt back-room evidence retrieval source, expected URS-26 APQR data consumer for periodic GMP summary, expected URS-28 training qualification-gate consumer for QP / QA reviewer / production reviewer / batch releaser authority, expected URS-30 Notifications outbound consumer for material quarantine / label variance / IPC failure / equipment expiry / validation expiry alerts, expected URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23 (every GMP record MIRA influences carries `mira_outcome_label`), expected Authority Profile + HITL + e-signature integration for non-bypassable batch review certification / batch disposition approval / QP release / material release-for-use / label reconciliation closure / equipment qualification release / process validation release / cleaning validation release / program lock / reopen, expected platform_admin / super_admin support / break-glass only paths. Implementation evidence remains subject to repository verification and validation evidence. |
| Architecture Bindings | This module is subject to **ARCH-AI-001 AI Optionality and Manual Continuity** (canonical binding explicitly stated in Module specification: "every AI, MIRA, OCR-assist, recommendation, risk-scoring, and insight surface touching GMP manufacturing shall remain assistive only. Manual execution, review, disposition, certification, and release paths shall remain fully operable when AI is disabled, unavailable, degraded, rejected by policy, or bypassed by the user. **No generative AI or agent may be the sole path to complete a regulated manufacturing action, quality decision, batch disposition, or release decision.**"). Verixa adopts internal forward-looking AI governance for this AI surface, aligned with the classification approach in **EU AI Act (Regulation 2024/1689) Annex III** (GMP manufacturing decisions are critical pharmaceutical regulated decisions with patient-safety implications). AI-assisted GMP surfaces (manufacturing deviation classification suggestions, OOS impact prediction, batch disposition recommendation, IPC trend detection, equipment qualification expiry prediction, validation status advisory, MIRA GMP copilot) are advisory only under internal AI governance aligned with EU AI Act Article 13 transparency principles + Article 14 human oversight. Every AI surface shall provide a fully functional manual execution / review / disposition / certification / release path; batch review + disposition + QP certification + material receipt + quarantine + release-for-use + label issuance + label reconciliation + IPC recording + escalation + equipment qualification + process validation + cleaning validation shall be executable when AI services are disabled, degraded, or overridden by the human operator. **No AI service shall be the sole path to certify a batch, approve a disposition, sign QP release, release material for use, close label reconciliation, qualify equipment, validate a process, or close cleaning validation.** This module binds ARCH-AI-001 AC-1, AC-2, AC-3, AC-4, AC-6, and AC-7. Verixa treats **EU GMP Annex 22 Draft 2025 §7** as an internal forward-looking architectural control (not an enacted predicate rule); under that internal control, only static deterministic AI is permitted in critical GMP decisions; **generative / probabilistic AI is PROHIBITED in batch disposition decisions, QP release decisions, material release-for-use decisions, label reconciliation closure decisions, equipment qualification decisions, process validation decisions, and cleaning validation decisions**. Static deterministic AI may surface similar prior batches, prior-deviation patterns, IPC trends, and historical material receipt patterns as advisory help. Jurisdiction-specific legal enforceability of Annex 22 and the EU AI Act remains subject to a future jurisdiction-specific legal assessment. |
| Regulatory Classification | Critical infrastructure substrate — operates the canonical GMP Manufacturing Operations and Controls layer covering: (a) the **canonical module boundary** per DEC-33-01 — URS-33 is the GMP manufacturing-control layer **over** URS-23 Batch Records (consumed not duplicated), URS-24 Stability (consumed), URS-25 Environmental Monitoring (consumed); URS-33 governs the GMP-critical review / disposition / release / escalation / manufacturing-use gating decisions; (b) the **non-bypassable lifecycle transitions** per DEC-33-02 — every lifecycle state transition for GMP records executed only through dedicated transition routes; generic update schemas exclude lifecycle status fields; status mutation through generic PATCH rejected; (c) the **attributable GMP audit logging** per DEC-33-03 — every GMP audit-trail entry MUST persist `userId` from the authenticated session context; blank `userId` rejected; (d) the **typed DB schema enforcement** per DEC-33-04 — every GMP DB query MUST use typed schema; `db as any` access patterns rejected; (e) the **batch review and QP certification staged workflow** per DEC-33-05 — non-bypassable staged workflow: Production Review → QC Review → QA Review → QP Certification with bound e-signature at each stage and segregation-of-duties enforced; (f) the **batch disposition lifecycle** per DEC-33-06 — `proposed → under_review → approved | rejected | conditional_release` with `gmp_batch_disposition_authority` + HITL + bound e-signature; (g) the **material receipt + quarantine + release-for-use control** per DEC-33-07 — material lifecycle `received → quarantined → testing → released_for_use | rejected | destroyed`; quarantine BLOCKS manufacturing use until controlled disposition with `gmp_material_release_authority` + HITL + bound e-signature; cross-module gate: URS-23 batch execution rejects use of materials not in `released_for_use` state; (h) the **label control + reconciliation + variance handling** per DEC-33-08 — label lifecycle `issued → applied → reconciled | destroyed | variance_flagged`; reconciliation MUST close with arithmetic verification (issued = applied + destroyed + remaining); variance ≥ configurable threshold triggers escalation to `gmp_label_variance_authority` + HITL + bound e-signature; (i) the **IPC governance + escalation** per DEC-33-09 — IPC failures trigger controlled escalation linked to URS-23 batch record + URS-15 OOS + URS-16 deviation; IPC failure cannot disappear in generic edits; (j) the **equipment qualification gating** per DEC-33-10 — equipment lifecycle `unqualified → qualified → expiring_soon → expired → decommissioned` with URS-13 CR linkage on qualification release; equipment in `expired` / `decommissioned` state BLOCKS manufacturing use; cross-module gate: URS-23 batch execution rejects use of unqualified / expired / decommissioned equipment; (k) the **process validation + cleaning validation gating** per DEC-33-11 — validation lifecycle `protocol_authored → execution_in_progress → execution_complete → under_review → validated → expired` with URS-13 CR linkage on validation release; expired validation BLOCKS manufacturing use; cross-module gate: URS-23 batch execution rejects manufacturing without active validated process / clean state; (l) the **manufacturing deviation linkage to URS-16** per DEC-33-12 — manufacturing deviations emit `manufacturing_deviation_created` event consumed by URS-16; (m) the **OOS-to-manufacturing-impact disposition linkage to URS-15** per DEC-33-12 — OOS results affecting manufacturing emit linkage events to URS-15 and to batch disposition; (n) the multi-dimensional context capture (`tenant_id` mandatory, `study_id` optional, `product_id` mandatory at batch-level, `site_id` mandatory, `batch_id` mandatory at GMP-batch-record level, `material_id` for material control, `label_set_id` for label control, `equipment_id` for equipment qualification, `validation_id` for process / cleaning validation); (o) the canonical API contract `/api/v1/gmp/*` per DEC-33-01; (p) the typed schema validation across every route per DEC-33-04; (q) the controlled frontend route surface per DEC-33-15; (r) the audit-trail coverage with reason-for-change discipline per DEC-33-03; (s) the **Authority/HITL/e-signature consistency** across all GMP critical decisions per DEC-33-14 — extends the URS-23 batch-release stronger pattern (`withAuthority(.)` + HITL + bound e-signature) consistently across batch review certification + batch disposition approval + material release-for-use + label reconciliation closure + equipment qualification release + process validation release + cleaning validation release; (t) the AI/MIRA assistive-only constraint per DEC-33-15 — AI/MIRA remains assistive only; never the sole path to complete a regulated manufacturing action; (u) the post-locked record immutability across the GMP program; (v) the controlled reopen workflow with executive authority co-sign and Qualified Person co-sign per DEC-33-22; (w) the canonical findings-source emission to URS-21 per DEC-33-16; (x) the canonical CAPA-source emission to URS-18 for chronic GMP control failures per DEC-33-17; (y) the URS-26 APQR consumer integration per DEC-33-18; (z) the URS-28 training qualification-gate inbound consumer for QP / QA reviewer / production reviewer / batch releaser authority per DEC-33-19; (aa) the URS-30 Notifications outbound consumer for GMP critical alerts per DEC-33-20; (bb) the URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23 — every GMP record MIRA influences carries `mira_outcome_label`; and the per-jurisdictional regulatory expectations under FDA 21 CFR Part 11 (§11.10(a)/(d)/(e), 11.50, 11.70, 11.200); **FDA 21 CFR Part 210 (cGMP general) + FDA 21 CFR Part 211 (cGMP for Finished Pharmaceuticals)** — primary FDA predicate (full Part 211 subparts: §211.22 QC Unit, §211.25 Personnel Qualifications, §211.42–§211.46 Buildings/Facilities, §211.63–§211.72 Equipment, §211.80–§211.94 Components/Containers/Closures, §211.100–§211.115 Production and Process Controls, §211.122–§211.137 Packaging/Labeling, §211.142–§211.150 Holding/Distribution, §211.160–§211.176 Laboratory Controls, §211.180–§211.198 Records and Reports, §211.204–§211.208 Returned/Salvaged); EU GMP Annex 11 (§§4, 5, 9, 12, 14, 16); **EU GMP Chapters 1, 2, 3, 4, 5, 6, 7, 8** (Pharmaceutical Quality System, Personnel, Premises and Equipment, Documentation, Production, Quality Control, Outsourced Activities, Complaints and Product Recall — primary EU predicate); EU GMP Annex 22 Draft 2025 §7 (HITL — internal forward-looking control); EU AI Act (Regulation 2024/1689) Annex III + Articles 13/14 (adopted as internal forward-looking AI governance); MHRA Data Integrity Guidance (ALCOA+); GAMP 5 Cat 5; **ICH Q7** (GMP for APIs); **ICH Q9 R1** (Quality Risk Management); **ICH Q10** (Pharmaceutical Quality System); **ICH Q11** (Development and Manufacture of Drug Substances); **ICH Q12** (Lifecycle Management); **WHO TRS 986 Annex 2** (WHO GMP for Pharmaceutical Products: Main Principles); **PIC/S PE 009-17** (international harmonization with EU GMP); and **India CDSCO Schedule M (Revised)** §§1–17 (full revised Schedule M for pharmaceutical manufacturing) + Schedule M-III (Medical Devices) + D&C Act 1940 / Drugs Rules 1945 / Medical Devices Rules 2017 — **primary India predicate for GMP launch scope** subject to a future jurisdiction-specific legal assessment for Verixa's exact CDSCO obligations. |
| Date of Issue | 2026-05-07 |
| Module Owner (Engineering) | Manufacturing / GMP Squad |
| Module Owner (Quality Validation) | CSV / CSA Lead — GMP Manufacturing |
| Module Owner (Compliance) | **Manufacturing Head (Primary Owner)**, Quality Assurance, Regulatory Affairs, Qualified Person Authority, Information Security |
| Approving Authority | Founder / Chairman & MD; QA Head; **Manufacturing Head (Primary Owner)**; Validation Head; RA Head; Information Security Head; Qualified Person (QP) Authority; Site Quality Lead |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's GMP Manufacturing Operations and Controls module (Module 33). It is the binding contract between product, engineering, quality validation, regulatory affairs, **manufacturing (primary owner)**, the Qualified Person authority, distribution, laboratory operations, information security, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the regulated GMP manufacturing-control substrate: the **canonical module boundary** as the GMP manufacturing-control layer over URS-23 / URS-24 / URS-25 (consumed not duplicated) per DEC-33-01; the **non-bypassable lifecycle transitions** per DEC-33-02; the **attributable GMP audit logging** per DEC-33-03 (closes the canonical blank-`userId` gap); the **typed DB schema enforcement** per DEC-33-04 (closes the canonical `db as any` gap); the **batch review and QP certification staged workflow** per DEC-33-05; the batch disposition lifecycle per DEC-33-06; the **material receipt + quarantine + release-for-use control** with cross-module gate to URS-23 per DEC-33-07; the **label control + reconciliation + variance handling** per DEC-33-08; the **IPC governance + escalation** per DEC-33-09; the **equipment qualification gating** with cross-module gate to URS-23 per DEC-33-10; the **process validation + cleaning validation gating** with cross-module gate to URS-23 per DEC-33-11; the manufacturing deviation linkage to URS-16 per DEC-33-12; the OOS-to-manufacturing-impact disposition linkage to URS-15 per DEC-33-12; the multi-dimensional context capture; the canonical API contract `/api/v1/gmp/*`; the typed schema validation; the controlled frontend route surface; the audit-trail coverage with reason-for-change discipline; the **Authority/HITL/e-signature consistency** across all GMP critical decisions per DEC-33-14 (closes the canonical inconsistent-control-pattern gap); the AI/MIRA assistive-only constraint per DEC-33-15; the post-locked record immutability; the controlled reopen workflow per DEC-33-22; the canonical findings emission to URS-21 per DEC-33-16; the canonical CAPA emission to URS-18 per DEC-33-17; the URS-26 APQR consumer integration; the URS-28 training qualification-gate inbound consumer for QP / QA reviewer / production reviewer / batch releaser authority per DEC-33-19; the URS-30 Notifications outbound consumer per DEC-33-20; the URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23; the audit trail coverage with reason-for-change discipline; and the per-jurisdictional regulatory expectations including the **full FDA 21 CFR Part 211 subpart set** + **EU GMP Chapters 1–8** + **ICH Q7/Q9/Q10/Q11/Q12** + **WHO TRS 986 Annex 2** + **PIC/S PE 009-17** + **India CDSCO Schedule M (Revised) — primary India predicate**. Compliance with this URS is mandatory.

### 0.2 Audience

Engineering, QA, RA, **Manufacturing (primary owner)**, Qualified Person Authority, Distribution, Laboratory Operations, Validation, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, **CDSCO (India launch scope)**, PIC/S, PMDA, WHO). The plain-language primer (§0.4) and worked examples (§3.5) make Module 33 accessible to non-domain engineers, product owners, validation engineers, and quality investigators.

### 0.3 Cross-references

- **URS-01** Authentication, Session & Access Control — identity envelope for every GMP mutation
- **URS-02** RBAC & Permissions — the `gmp:*` permission set: `gmp:batch_review:*`, `gmp:batch_disposition:*`, `gmp:material:*`, `gmp:label:*`, `gmp:ipc:*`, `gmp:equipment_qualification:*`, `gmp:process_validation:*`, `gmp:cleaning_validation:*`, `gmp:manufacturing_deviation:*`
- **URS-03** Context Gate & Approval Scope — context-gate enforcement for GMP scope dimensions
- **URS-04** Workflow / HITL / E-Signature / Approval Authority — Controlled Approval Modal contract for batch review certification / batch disposition approval / QP release / material release-for-use / label reconciliation closure / equipment qualification release / process validation release / cleaning validation release / program lock / reopen
- **URS-05** Authority Profile / Delegation / SoD — Authority Profiles consumed (`gmp_production_reviewer_authority`, `gmp_qc_reviewer_authority`, `gmp_qa_reviewer_authority`, `gmp_qp_release_authority`, `gmp_batch_disposition_authority`, `gmp_material_release_authority`, `gmp_label_variance_authority`, `gmp_label_reconciliation_authority`, `gmp_equipment_qualification_authority`, `gmp_process_validation_authority`, `gmp_cleaning_validation_authority`, `qualified_person_authority`, `final_quality_approver`, `executive_authority`)
- **URS-06** Audit Trail / Hash Chain / Tamper-Evident — append-only audit substrate; **attributable audit per DEC-33-03**
- **URS-07** Study Management — optional study-scope dimension
- **URS-08** Tenant Management Lifecycle — tenant context for GMP records
- **URS-09** Site / Facility Management — **mandatory site-scope dimension** at GMP record level
- **URS-10** Product / SKU / Drug Master Data — mandatory product-scope dimension at batch level
- **URS-11** Supplier Management — supplier-material linkage for material receipt
- **URS-12** Document Control / SOP — primary linkage: batch record certification + validation report storage
- **URS-13** Change Control — equipment qualification + process validation + cleaning validation effective release linkage
- **URS-14** Complaints — outbound provenance consumer
- **URS-15** OOS / OOT — outbound emission for OOS-to-manufacturing-impact disposition per DEC-33-12
- **URS-16** Deviations — outbound emission for manufacturing deviations per DEC-33-12
- **URS-17** RCA — outbound consumer
- **URS-18** CAPA — outbound emission for chronic GMP control failure CAPA per DEC-33-17
- **URS-19** Risk Assessment — outbound consumer
- **URS-20** Reviews — outbound consumer
- **URS-21** Findings — outbound emission for chronic GMP control failures per DEC-33-16
- **URS-22** Inspection Mgmt — back-room evidence retrieval source
- **URS-23** Batch Records — **primary consumed module** per DEC-33-01 (URS-33 governs but does NOT duplicate URS-23 batch execution; URS-23 batch execution rejects use of materials / equipment / validations not in active state per DEC-33-07 / DEC-33-10 / DEC-33-11)
- **URS-24** Stability — consumed module per DEC-33-01
- **URS-25** Environmental Monitoring — consumed module per DEC-33-01
- **URS-26** APQR — primary periodic GMP-summary consumer
- **URS-27** Regulatory Intelligence — outbound provenance consumer
- **URS-28** Training — **primary inbound qualification-gate consumer** for QP / QA reviewer / production reviewer / batch releaser authority per DEC-33-19
- **URS-29** Screen Reader / Data Capture — outbound provenance consumer
- **URS-30** Notifications — primary outbound consumer for material quarantine / label variance / IPC failure / equipment expiry / validation expiry alerts per DEC-33-20
- **URS-31** DQG — outbound provenance consumer
- **URS-32** MIRA AI — read-only MIRA copilot context integration; **MIRA outcome-label inbound emission per URS-32 DEC-32-23** — every GMP record MIRA influences carries `mira_outcome_label`
- **URS-34** GDP Distribution — released-batch distribution context
- **URS-35** Infrastructure / Backup-Restore — operational continuity

### 0.4 Plain-language primer

In a regulated pharmaceutical operation, **GMP Manufacturing Operations and Controls (Module 33)** is the manufacturing-control and quality-governance layer that sits **above and across** batch records (URS-23), stability (URS-24), and environmental monitoring (URS-25). Module 33 governs the parts of manufacturing that decide whether a batch, material, label set, qualification state, validation record, or review state is acceptable for continued controlled use. Module 33 is in regulatory scope under: **FDA 21 CFR Parts 210 + 211** (full cGMP subpart set — primary FDA predicate); **EU GMP Chapters 1–8** (Pharmaceutical Quality System, Personnel, Premises and Equipment, Documentation, Production, Quality Control, Outsourced Activities, Complaints and Product Recall — primary EU predicate); **ICH Q7** (GMP for APIs); **ICH Q9 R1** (Quality Risk Management); **ICH Q10** (Pharmaceutical Quality System); **ICH Q11** (Development and Manufacture of Drug Substances); **ICH Q12** (Lifecycle Management); **WHO TRS 986 Annex 2** (WHO GMP); **PIC/S PE 009-17**; and **India CDSCO Schedule M (Revised) §§1–17** (primary India predicate for GMP launch scope). Module 33 is the target specification for this regulated workflow.

The most consequential locked GMP controls in this URS are: (a) **attributable GMP audit logging** — every GMP service create / update / transition method MUST persist authenticated `userId` from session context in the audit-trail entry; blank `userId` is rejected (DEC-33-03); (b) **typed DB schema enforcement** — every GMP DB query MUST use typed schema (drizzle / typed query builder); `db as any` access patterns prohibited; static type-checking enforced via TypeScript strict mode (DEC-33-04); (c) **non-bypassable lifecycle transitions** — lifecycle status fields MUST NOT be mutable through generic update schemas or generic PATCH routes; every GMP lifecycle transition MUST go through a dedicated transition route with workflow gates (DEC-33-02); (d) **Authority/HITL/e-signature consistency across all GMP critical decisions** — `withAuthority(.)` + HITL + bound e-signature applied consistently across batch review certification, batch disposition approval, material release-for-use, label reconciliation closure, equipment qualification release, process validation release, and cleaning validation release (DEC-33-14).

The most consequential cross-module enforcement decisions are: (e) **material quarantine BLOCKS manufacturing use** until controlled disposition per DEC-33-07 — URS-23 batch execution rejects materials not in `released_for_use` state; (f) **equipment in `expired` / `decommissioned` state BLOCKS manufacturing use** per DEC-33-10 — URS-23 batch execution rejects unqualified / expired / decommissioned equipment; (g) **expired process / cleaning validation BLOCKS manufacturing use** per DEC-33-11 — URS-23 batch execution rejects manufacturing without active validated process / clean state; (h) **batch review and QP certification is a non-bypassable staged workflow** per DEC-33-05 — Production Review → QC Review → QA Review → QP Certification with bound e-signature at each stage and SoD enforced.

The **AI-assistance** dimension is canonically explicit in the Module specification ARCH-AI-001 binding: "**no generative AI or agent may be the sole path to complete a regulated manufacturing action, quality decision, batch disposition, or release decision.**" Static deterministic AI may surface similar prior batches, prior-deviation patterns, IPC trends, and historical material receipt patterns as advisory help. **Generative AI (LLMs / MIRA copilot) is PROHIBITED in batch disposition decisions, QP release decisions, material release-for-use decisions, label reconciliation closure decisions, equipment qualification decisions, process validation decisions, and cleaning validation decisions** under the internal Annex 22 §7 + EU AI Act Annex III control. MIRA copilot is read-only context only via `useMiraRecord(.)` mappings; every GMP record MIRA influences carries `mira_outcome_label` per URS-32 DEC-32-23. The qualified human production reviewer / QC reviewer / QA reviewer / Qualified Person / material release authority's signed disposition is the system of record.

The **two-step release path** mirrors every other Module: this URS becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-33-VAL-008 (Migration Evidence Gate) and the §17 validation evidence pack are satisfied.

### 0.5 Conventions

Each requirement has a unique identifier. "MUST" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Every requirement is mandatory unless explicitly marked SHOULD or MAY.

### 0.6 Glossary

| Term | Definition |
|---|---|
| GMP batch review | The staged review of a batch record (URS-23) by Production Reviewer → QC Reviewer → QA Reviewer per DEC-33-05; precedes QP certification. |
| QP certification | Qualified Person final certification of batch (per EU GMP Annex 16 / India Schedule M-III §10) with bound e-signature; the regulator-facing signature for batch release; gated by URS-28 qualification per DEC-33-19. |
| Batch disposition | The GMP decision to release / reject / conditional-release a batch; lifecycle `proposed → under_review → approved | rejected | conditional_release` per DEC-33-06. |
| Material receipt | The receipt of incoming material from supplier; lifecycle `received → quarantined → testing → released_for_use | rejected | destroyed` per DEC-33-07; quarantine BLOCKS manufacturing use until controlled disposition. |
| Label control | The control of label issuance + application + reconciliation + destruction; lifecycle `issued → applied → reconciled | destroyed | variance_flagged` per DEC-33-08; reconciliation MUST close with arithmetic verification. |
| Label variance | Discrepancy between issued labels and applied + destroyed + remaining; ≥ configurable threshold triggers escalation per DEC-33-08. |
| IPC | In-Process Check; recorded against URS-23 batch execution; failures trigger controlled escalation per DEC-33-09. |
| Equipment qualification | Equipment IQ/OQ/PQ qualification lifecycle `unqualified → qualified → expiring_soon → expired → decommissioned` per DEC-33-10; expired BLOCKS manufacturing use. |
| Process validation | Process Performance Qualification lifecycle `protocol_authored → execution_in_progress → execution_complete → under_review → validated → expired` per DEC-33-11; expired BLOCKS manufacturing use. |
| Cleaning validation | Cleaning validation lifecycle parallel to process validation per DEC-33-11; expired BLOCKS manufacturing use. |
| Manufacturing deviation | Deviation arising from manufacturing operations; emits `manufacturing_deviation_created` to URS-16 per DEC-33-12. |
| Reopen | A governed transition event from `locked → in_progress` requiring `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new program iteration without mutating prior locked evidence per DEC-33-22. |
| ARCH-AI-001 | Platform architecture binding requiring manual continuity for every AI surface — canonically explicit binding for this module. |
| Annex 22 | EU GMP Annex 22 (Draft 2025) §7. Verixa treats Annex 22 §7 + EU AI Act Annex III high-risk as internal forward-looking AI governance controls. Static deterministic AI advisory only; GenAI prohibited in batch disposition / QP release / material release / label reconciliation / equipment qualification / process validation / cleaning validation decisions. |
| MIRA | The platform's read-only AI copilot service; for Module 33 MIRA is read-only context with `outcome_label` emission per URS-32 DEC-32-23; no AI advances regulated GMP action. |

### 0.7 Module-33 architectural picture

```mermaid
flowchart TD
 USR[Operator / Reviewer / QP] --> M23[/URS-23 Batch Records — consumed not duplicated/]
 M23 --> BR[/GMP Batch Review — staged Production → QC → QA — DEC-33-05/]
 BR --> QP[/QP Certification — bound e-sign + URS-28 qualification — DEC-33-19/]
 QP --> BD[/GMP Batch Disposition — DEC-33-06/]
 BD --> RELEASED[Released]
 BD --> REJECTED[Rejected]
 BD --> COND[Conditional Release]
 MAT[/Material Receipt → Quarantine → Released for Use — DEC-33-07/]
 MAT -- gate --> M23
 LBL[/Label Control + Reconciliation + Variance — DEC-33-08/]
 M23 --> IPC[/IPC Recording — URS-23/]
 IPC -- failure --> ESC[/IPC Escalation — DEC-33-09/]
 ESC --> M16[URS-16 Deviations]
 ESC --> M15[URS-15 OOS]
 EQ[/Equipment Qualification — DEC-33-10/]
 EQ -- gate --> M23
 PV[/Process Validation — DEC-33-11/]
 PV -- gate --> M23
 CV[/Cleaning Validation — DEC-33-11/]
 CV -- gate --> M23
 M24[URS-24 Stability — consumed]
 M25[URS-25 EM — consumed]
 M24 -.-> BD
 M25 -.-> BD
 AI[MIRA AI — read-only context] -. outcome_label per URS-32 DEC-32-23.-> BR / BD / MAT / LBL / EQ / PV / CV
 M21[URS-21 Findings] <-- chronic GMP control failures per DEC-33-16
 M18[URS-18 CAPA] <-- chronic GMP control failure CAPA per DEC-33-17
 M30[URS-30 Notifications] <-- material quarantine / label variance / IPC failure / equipment expiry / validation expiry per DEC-33-20
 M28[URS-28 Training] -- qualification gate for QP / QA / production / batch releaser --> QP / BR / BD
 M26[URS-26 APQR] <-- periodic GMP summary
 LOCK[Program Lock] --> BR
 LOCK -. governed reopen + executive + QP co-sign.-> BR
```

The platform shall implement: canonical module boundary as GMP control layer over URS-23/24/25 per DEC-33-01; non-bypassable lifecycle transitions per DEC-33-02; attributable GMP audit logging per DEC-33-03 (closes blank-`userId` gap); typed DB schema enforcement per DEC-33-04 (closes `db as any` gap); staged batch review + QP certification per DEC-33-05; batch disposition lifecycle per DEC-33-06; material receipt + quarantine + release-for-use control with cross-module gate to URS-23 per DEC-33-07; label control + reconciliation + variance handling per DEC-33-08; IPC governance + escalation per DEC-33-09; equipment qualification gating with cross-module gate to URS-23 per DEC-33-10; process + cleaning validation gating with cross-module gate to URS-23 per DEC-33-11; manufacturing deviation linkage to URS-16 per DEC-33-12; OOS-to-manufacturing-impact linkage to URS-15 per DEC-33-12; canonical API contract; typed schema validation; controlled frontend route surface; audit-trail coverage with reason-for-change; Authority/HITL/e-signature consistency per DEC-33-14; AI/MIRA assistive-only constraint per DEC-33-15; post-locked record immutability; governed reopen per DEC-33-22; canonical findings/CAPA emission per DEC-33-16/-17; URS-26 APQR consumer; URS-28 qualification-gate inbound consumer per DEC-33-19; URS-30 notifications outbound consumer per DEC-33-20; URS-32 MIRA outcome-label inbound emission; per-jurisdictional regulatory expectations including full FDA 21 CFR Part 211 + EU GMP Chapters 1–8 + ICH Q7/Q9/Q10/Q11/Q12 + WHO TRS 986 Annex 2 + PIC/S PE 009-17 + India CDSCO Schedule M (Revised).

### 0.8 Locked Launch Controls

| Locked control | Authority | Rationale |
|---|---|---|
| Two-step release path: signature → engineering implementation → validation execution | DEC-33-01 / VAL-008 | Mirrors every other Module. |
| "No Module 33 internal decisions outstanding" | §11.6 | Captured in locked decisions DEC-33-01..DEC-33-23 (§3.2). |
| `platform_admin` / `super_admin` support / break-glass only | DEC-33-21 / SoD-33-07 | Operating-tenant GMP ownership is the regulated path. |
| Target implementation binding language | Module bindings | URS specifies expected implementation. |
| **Canonical module boundary as GMP control layer over URS-23/24/25 (consumed not duplicated)** | DEC-33-01 | URS-33 governs but does NOT duplicate URS-23/24/25. |
| AI overclaim posture as **internal forward-looking governance** with **GenAI prohibition in batch disposition / QP release / material release / label reconciliation / equipment qualification / process validation / cleaning validation decisions** | Architecture Bindings | Canonical Module specification explicit ARCH-AI-001 binding. |
| Enumerated error codes | §6.7 | Stable machine-readable error contract. |
| JSON multi-signature evidence as **derived snapshot** | §6.6 | The `electronic_signatures` substrate is the system of record. |
| **India CDSCO Schedule M (Revised) §§1–17 — primary India predicate for GMP launch scope** | §14 | India launch scope canonical priority (subject to a future jurisdiction-specific legal assessment). |
| Version 1.0 posture | Header | First binding version. |
| **Non-bypassable lifecycle transitions** | DEC-33-02 | Generic update schemas exclude lifecycle status fields; status mutation through generic PATCH rejected; dedicated transition routes only. |
| **Attributable GMP audit logging** | DEC-33-03 | Closes canonical "blank `userId`" gap; every GMP audit-trail entry persists authenticated `userId`. |
| **Typed DB schema enforcement** | DEC-33-04 | Closes canonical `db as any` gap; every GMP DB query uses typed schema. |
| **Batch review and QP certification staged workflow** | DEC-33-05 | Production Review → QC Review → QA Review → QP Certification with bound e-signature at each stage and SoD enforced. |
| Batch disposition lifecycle | DEC-33-06 | `proposed → under_review → approved | rejected | conditional_release`. |
| **Material receipt + quarantine + release-for-use control with cross-module gate to URS-23** | DEC-33-07 | Quarantine BLOCKS manufacturing use until controlled disposition; URS-23 rejects materials not in `released_for_use`. |
| **Label control + reconciliation + variance handling** | DEC-33-08 | Reconciliation MUST close with arithmetic verification; variance ≥ threshold triggers escalation. |
| **IPC governance + escalation** | DEC-33-09 | IPC failures cannot disappear in generic edits; controlled escalation linked to URS-15/-16/-23. |
| **Equipment qualification gating with cross-module gate to URS-23** | DEC-33-10 | Expired/decommissioned BLOCKS manufacturing use; URS-23 rejects unqualified equipment. |
| **Process + cleaning validation gating with cross-module gate to URS-23** | DEC-33-11 | Expired validation BLOCKS manufacturing use; URS-23 rejects manufacturing without active validated process / clean state. |
| Manufacturing deviation + OOS linkage | DEC-33-12 | Manufacturing deviations → URS-16; OOS-to-manufacturing-impact → URS-15 + batch disposition. |
| **Authority/HITL/e-signature consistency across all GMP critical decisions** | DEC-33-14 | Extends URS-23 batch-release stronger pattern consistently across batch review certification + batch disposition + material release / label reconciliation / equipment qualification / process validation / cleaning validation. |
| AI/MIRA assistive-only constraint | DEC-33-15 | AI/MIRA never sole path to complete regulated manufacturing action. |
| URS-28 training qualification-gate inbound consumer (target requirement) | DEC-33-19 | QP / QA reviewer / production reviewer / batch releaser must be URS-28 qualified per URS-28 DEC-28-23. |
| URS-32 MIRA outcome-label inbound emission per URS-32 DEC-32-23 (target requirement) | DEC-33-15 / URS-32 DEC-32-23 | Every GMP record MIRA influences carries `mira_outcome_label`. |
| Bound e-signature persistence on every regulated final action | DEC-33-14 / DEC-33-23 | All regulated finals carry bound e-signature. |
| Governed reopen pattern (`locked → in_progress`) | DEC-33-22 / SoD-33-06 | Append-only iteration; executive + QP co-sign; does NOT mutate prior locked evidence. |

---

## 1. Scope and Out-of-Scope

### 1.1 In-scope

- The canonical module boundary as GMP control layer over URS-23/24/25.
- The non-bypassable lifecycle transitions.
- The attributable GMP audit logging.
- The typed DB schema enforcement.
- The batch review and QP certification staged workflow.
- The batch disposition lifecycle.
- The material receipt + quarantine + release-for-use control with cross-module gate to URS-23.
- The label control + reconciliation + variance handling.
- The IPC governance + escalation.
- The equipment qualification gating with cross-module gate to URS-23.
- The process + cleaning validation gating with cross-module gate to URS-23.
- The manufacturing deviation + OOS linkage to URS-16/-15.
- The Authority/HITL/e-signature consistency across all GMP critical decisions.
- The audit-trail coverage with reason-for-change discipline.
- The MIRA copilot read-only context integration (advisory drafting only).
- The findings emission to URS-21.
- The CAPA emission to URS-18.
- The change-control linkage to URS-13 for equipment qualification + process / cleaning validation effective release.
- The URS-12 Document Control linkage for batch certification + validation reports.
- The URS-26 APQR consumer integration.
- The URS-28 training qualification-gate inbound consumer.
- The URS-30 Notifications outbound consumer.
- The URS-32 MIRA outcome-label inbound emission.
- The governed reopen workflow.
- The per-jurisdictional regulatory expectations including the full FDA 21 CFR Part 211 + EU GMP Chapters 1–8 + ICH Q7/Q9/Q10/Q11/Q12 + WHO TRS 986 Annex 2 + PIC/S PE 009-17 + India CDSCO Schedule M (Revised).

### 1.2 Out-of-scope

- **Authoring base batch execution** — owned by URS-23 (consumed not duplicated per DEC-33-01).
- **Stability authoring lifecycle** — owned by URS-24 (consumed).
- **Environmental monitoring authoring lifecycle** — owned by URS-25 (consumed).
- **Standalone deviation / RCA / CAPA master modules** — owned by URS-16 / -17 / -18.
- The CAPA register itself (URS-18).
- The change-control register itself (URS-13).
- The findings register itself (URS-21).
- The document-control register itself (URS-12).
- The training register itself (URS-28).
- The notifications dispatcher itself (URS-30).
- The MIRA copilot service itself (URS-32).

---

## 2. Preconditions, Dependencies, Constraints

### 2.1 Operating preconditions

The following preconditions MUST hold for this URS to apply at validation time. Each bullet is a binding precondition; deviations require a controlled exception per URS-13 Change Control.

- The platform's authentication and session substrate (URS-01), RBAC (URS-02), context gate (URS-03), HITL / e-sign (URS-04), Authority Profile registry (URS-05), audit-trail hash-chain (URS-06), document-control (URS-12), change-control (URS-13), batch records (URS-23), stability (URS-24), environmental monitoring (URS-25), training qualification-gate (URS-28), notifications (URS-30), MIRA AI (URS-32), and infrastructure secret-store (URS-35) are released and operational at validation time.
- Production reviewers, QC reviewers, QA reviewers, Qualified Person, material release authority, label variance authority, equipment qualification authority, process / cleaning validation authority are trained, attributable users with documented authority.
- QP / QA reviewers / production reviewers / batch releasers are URS-28 qualified per DEC-33-19.
- AI-assisted GMP surfaces are advisory only.
- The tenant operating jurisdiction(s) are configured, with **India CDSCO as a primary launch scope jurisdiction**.

### 2.2 Dependencies

- URS-01.URS-32, URS-34.URS-35 platform contracts.
- The `electronic_signatures` substrate.
- The `authority` substrate.
- The `hitl` substrate.
- The `audit_trail` substrate.
- The `documents` substrate (URS-12).
- The `batch` substrate (URS-23 — consumed).
- The `stability` substrate (URS-24 — consumed).
- The `environmental` substrate (URS-25 — consumed).
- The `change_control` substrate (URS-13).
- The training `qualification-gate` substrate (URS-28).
- The `notifications` substrate (URS-30).
- The MIRA `outcome_label` outbound emission per URS-32 DEC-32-23.

### 2.3 Constraints

- The canonical API mount is `/api/v1/gmp/*`.
- **URS-33 is artifact / control-decision layer over URS-23/24/25; URS-33 does NOT duplicate URS-23/24/25 record models** per DEC-33-01.
- AI-assisted content is advisory-only; **no AI service is the sole path to complete a regulated manufacturing action, quality decision, batch disposition, or release decision**.
- Generative AI / LLMs are prohibited in batch disposition / QP release / material release / label reconciliation / equipment qualification / process validation / cleaning validation decisions.
- Lifecycle status mutation through generic update schemas / generic PATCH rejected per DEC-33-02.
- GMP audit-trail entries MUST persist authenticated `userId` per DEC-33-03; blank `userId` rejected.
- Every GMP DB query MUST use typed schema per DEC-33-04; `db as any` rejected.
- Material in quarantine BLOCKS manufacturing use per DEC-33-07.
- Equipment in expired / decommissioned state BLOCKS manufacturing use per DEC-33-10.
- Expired process / cleaning validation BLOCKS manufacturing use per DEC-33-11.
- QP / QA / production reviewer / batch releaser MUST satisfy URS-28 qualification-gate per DEC-33-19.

---

## 3. Closed Launch Decisions

### 3.1 Decision register

| Decision ID | Title | Locked decision |
|---|---|---|
| DEC-33-01 | Two-step release path + canonical API contract + **canonical module boundary** | Module 33 follows the same two-step release path; canonical API mount `/api/v1/gmp/*`; **URS-33 is the GMP manufacturing-control layer over URS-23 (consumed) / URS-24 (consumed) / URS-25 (consumed) — URS-33 does NOT duplicate batch execution / stability authoring / environmental-monitoring authoring record models; URS-33 governs the GMP-critical review / disposition / release / escalation / manufacturing-use-gating decisions**. |
| DEC-33-02 | **Non-bypassable lifecycle transitions** | Every lifecycle state transition for GMP records (manufacturing deviations, OOS, batch dispositions, equipment qualifications, material receipts, batch record reviews, label controls, lab samples, IPC, process validations, cleaning validations, stability studies) executed only through dedicated transition routes that validate current state, requested next state, required fields, role/authority, and audit requirements against `gmp/workflow.ts` rule set; **update schemas exclude lifecycle status fields**; status mutation through generic PATCH or generic service update method rejected with `GMP_TERMINAL_STATE_PATCH_FORBIDDEN`. |
| DEC-33-03 | **Attributable GMP audit logging** | Every GMP service create / update / transition method MUST persist authenticated `userId` from session context in the audit-trail entry; **blank `userId` is rejected with `GMP_AUDIT_USER_ID_REQUIRED`**; ; ensures ALCOA+ Attributable principle compliance. |
| DEC-33-04 | **Typed DB schema enforcement** | Every GMP DB query MUST use typed schema (drizzle / typed query builder); **`db as any` access patterns prohibited**; static type-checking enforced via TypeScript strict mode + lint rule rejecting `as any` on `db.*` calls; . |
| DEC-33-05 | **Batch review and QP certification staged workflow** | Batch review is a non-bypassable staged workflow: `production_review_pending → production_reviewed → qc_review_pending → qc_reviewed → qa_review_pending → qa_reviewed → qp_certification_pending → qp_certified` with bound e-signature at each stage; segregation-of-duties enforced (production reviewer ≠ QC reviewer ≠ QA reviewer ≠ QP); each stage requires the respective authority profile (`gmp_production_reviewer_authority`, `gmp_qc_reviewer_authority`, `gmp_qa_reviewer_authority`, `gmp_qp_release_authority`); QP certification additionally requires URS-28 qualification per DEC-33-19; QP certification is the regulator-facing release signature for batch (per EU GMP Annex 16 / India Schedule M-III §10). |
| DEC-33-06 | Batch disposition lifecycle | Batch disposition lifecycle is `proposed → under_review → approved | rejected | conditional_release`; transition `under_review → approved` requires `gmp_batch_disposition_authority` + HITL + bound e-signature; transition `under_review → rejected` requires reason; transition `under_review → conditional_release` requires explicit conditions + URS-13 CR for the conditional-release exception. |
| DEC-33-07 | **Material receipt + quarantine + release-for-use control with cross-module gate to URS-23** | Material lifecycle is `received → quarantined → testing → released_for_use | rejected | destroyed`; **quarantine BLOCKS manufacturing use until controlled disposition** with `gmp_material_release_authority` + HITL + bound e-signature; cross-module gate: **URS-23 batch execution rejects use of materials not in `released_for_use` state** with `BAT_MATERIAL_NOT_RELEASED_FOR_USE`; rejected materials require disposition reason; destroyed materials require destruction certificate document linkage. |
| DEC-33-08 | **Label control + reconciliation + variance handling** | Label lifecycle is `issued → applied → reconciled | destroyed | variance_flagged`; **reconciliation MUST close with arithmetic verification: `issued = applied + destroyed + remaining`**; arithmetic mismatch → `variance_flagged`; variance ≥ configurable threshold (default 0.5%) triggers escalation to `gmp_label_variance_authority` + HITL + bound e-signature; reconciliation closure requires `gmp_label_reconciliation_authority` + HITL + bound e-signature. |
| DEC-33-09 | **IPC governance + escalation** | IPC recordings are owned by URS-23 batch execution; URS-33 governs IPC follow-up: IPC failures (out-of-spec results, action-limit exceedance, alert-limit exceedance) trigger controlled escalation linked to URS-23 batch record + URS-15 OOS (where OOS classification applies) + URS-16 deviation (where deviation classification applies); IPC failure record cannot disappear via generic edit per DEC-33-02; IPC follow-up tied to batch review/disposition rigor per DEC-33-05/-06. |
| DEC-33-10 | **Equipment qualification gating with cross-module gate to URS-23** | Equipment qualification lifecycle is `unqualified → qualified → expiring_soon → expired → decommissioned`; transition to `qualified` requires `gmp_equipment_qualification_authority` + HITL + bound e-signature + URS-13 CR; `expiring_soon` triggered configurable lead time before expiry (default 30 days); URS-30 Notifications dispatched per DEC-33-20; `expired` triggered automatically on expiry date passage; **cross-module gate: URS-23 batch execution rejects use of equipment in `unqualified` / `expired` / `decommissioned` state** with `BAT_EQUIPMENT_NOT_QUALIFIED`. |
| DEC-33-11 | **Process + cleaning validation gating with cross-module gate to URS-23** | Process validation lifecycle is `protocol_authored → execution_in_progress → execution_complete → under_review → validated → expired`; transition to `validated` requires `gmp_process_validation_authority` + HITL + bound e-signature + URS-13 CR; cleaning validation lifecycle parallel with `gmp_cleaning_validation_authority`; expired lifecycle triggered configurable interval after `validated` (default 12 months); **cross-module gate: URS-23 batch execution rejects manufacturing without active validated process state for product/site AND active validated cleaning state for equipment train** with `BAT_PROCESS_VALIDATION_EXPIRED` / `BAT_CLEANING_VALIDATION_EXPIRED`. |
| DEC-33-12 | Manufacturing deviation + OOS linkage | Manufacturing deviations emit `manufacturing_deviation_created` event consumed by URS-16 with `manufacturing_deviation` source type per URS-16 declared source set; OOS results affecting manufacturing emit linkage events to URS-15 (per URS-15 OOS lifecycle) and to batch disposition (per DEC-33-06) — OOS in `confirmed` status MUST be considered in batch disposition decision. |
| DEC-33-13 | Multi-dimensional context model | `tenant_id` mandatory, `study_id` optional, `product_id` mandatory at batch level, `site_id` mandatory at GMP record level, `batch_id` mandatory at GMP-batch-record level, `material_id` for material control, `label_set_id` for label control, `equipment_id` for equipment qualification, `validation_id` for process / cleaning validation. |
| DEC-33-14 | **Authority/HITL/e-signature consistency across all GMP critical decisions** | Extends the URS-23 batch-release stronger pattern (`withAuthority(.)` + HITL + bound e-signature) consistently across **all GMP critical decisions**: batch review certification (per stage per DEC-33-05) + batch disposition approval (DEC-33-06) + QP release (DEC-33-05) + material release-for-use (DEC-33-07) + label reconciliation closure (DEC-33-08) + label variance escalation (DEC-33-08) + equipment qualification release (DEC-33-10) + process validation release (DEC-33-11) + cleaning validation release (DEC-33-11) + manufacturing deviation closure (DEC-33-12) + program lock + reopen; . |
| DEC-33-15 | AI/MIRA assistive-only constraint + URS-32 MIRA outcome-label inbound emission | AI/MIRA remains assistive only per ARCH-AI-001 binding; **MIRA never the sole path to complete a regulated manufacturing action**; advisory-only labeling on AI surfaces; AI suggestion fields in manufacturing deviation classification, batch disposition recommendation, IPC trend detection, equipment expiry prediction, and validation status advisory are advisory only; **every GMP record MIRA influences carries `mira_outcome_label`** per URS-32 DEC-32-23 inbound emission — the `mira_outcome_label` column is added to every GMP primary record table (`gmp_batch_reviews`, `gmp_batch_dispositions`, `gmp_material_receipts`, `gmp_label_controls`, `gmp_equipment_qualifications`, `gmp_validations`, `gmp_manufacturing_deviations`); GenAI prohibited in batch disposition / QP release / material release / label reconciliation / equipment qualification / process validation / cleaning validation decisions per Annex 22 §7 internal control. |
| DEC-33-16 | Findings emission to URS-21 | Chronic GMP control failures (recurring batch dispositions rejected, recurring material rejections, recurring label variances ≥ threshold, recurring IPC failures, equipment expired without re-qualification, validation expired without re-validation) emit `gmp_finding_created` event to URS-21 with `gmp_manufacturing_control` source type. |
| DEC-33-17 | CAPA emission to URS-18 | Chronic GMP control failures escalated to CAPA emit `gmp_capa_linked` event consumed by URS-18 (`gmp_manufacturing_control` source type per URS-18 declared source set). |
| DEC-33-18 | URS-26 APQR periodic GMP-summary consumer | URS-26 APQR consumes periodic GMP-control summary (batch disposition rate, material rejection rate, label variance rate, IPC failure rate, equipment qualification status, validation status) for periodic product quality review per URS-26 lifecycle. |
| DEC-33-19 | **URS-28 training qualification-gate inbound consumer for QP / QA reviewer / production reviewer / batch releaser authority** | The QP certification authority + batch release authority + QA reviewer authority + production reviewer authority + QC reviewer authority MUST satisfy URS-28 qualification-gate per URS-28 DEC-28-23 — `GET /training/qualification/:userId/qp_release` for QP certification; `GET /training/qualification/:userId/qa_reviewer` for QA review; `GET /training/qualification/:userId/qc_reviewer` for QC review; `GET /training/qualification/:userId/production_reviewer` for production review; `GET /training/qualification/:userId/material_release` for material release-for-use; `GET /training/qualification/:userId/equipment_qualifier` for equipment qualification; etc.; qualification-gate failure rejects with `GMP_AUTHORITY_QUALIFICATION_GATE_FAILED`. |
| DEC-33-20 | URS-30 Notifications outbound consumer for GMP critical alerts | DQG critical alerts (material quarantine status changes, label variance ≥ threshold, IPC failure, equipment expiring_soon / expired, validation expiring / expired, batch disposition decisions, QP certification, manufacturing deviation closure) emitted as events consumed by URS-30 Notifications dispatcher per DEC-33-20 + URS-30 mandatory-alert allowlist per URS-30 DEC-30-05 (these are mandatory alerts forced regardless of user preferences). |
| DEC-33-21 | platform_admin / super_admin | `platform_admin` / `super_admin` are support / break-glass only paths. |
| DEC-33-22 | GMP program reopen as governed transition | Program `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason; appends a new program iteration without mutating prior locked evidence (consistent with M14.M32 reopen pattern). |
| DEC-33-23 | Bound e-signature persistence on every regulated final action | Every regulated final action (batch review per stage, QP certification, batch disposition approval, material release-for-use, label reconciliation closure, label variance escalation, equipment qualification release, process validation release, cleaning validation release, manufacturing deviation closure, program lock, governed reopen) carries bound e-signature persisted via `electronic_signatures` substrate. |

### 3.2 Locked-decision rationale narrative

The decisions above define the binding launch posture for Module 33 v1.0. The most consequential locked controls are: (a) **DEC-33-01 anchors the canonical module boundary** as GMP control layer over URS-23/24/25 — making URS-33 the governance layer rather than a duplicate; (b) **DEC-33-02 mandates dedicated transition routes** for every GMP lifecycle transition; (c) **DEC-33-03 mandates attributable audit logging** with authenticated `userId` on every entry; (d) **DEC-33-04 mandates typed schema enforcement** across every GMP DB query; (e) **DEC-33-05 mandates non-bypassable staged batch review workflow + SoD**; (f) **DEC-33-07 / DEC-33-10 / DEC-33-11 introduce the keystone cross-module gates to URS-23** — material in quarantine BLOCKS manufacturing use, equipment in expired/decommissioned BLOCKS manufacturing use, expired validation BLOCKS manufacturing use; (g) **DEC-33-14 mandates Authority/HITL/e-signature consistency** across all GMP critical decisions; (h) **DEC-33-15 binds AI/MIRA to assistive-only** with `mira_outcome_label` per URS-32 DEC-32-23 inbound emission; (i) **DEC-33-19 introduces URS-28 qualification-gate inbound consumption** for QP / QA reviewer / production reviewer / batch releaser authority; (j) DEC-33-22 defines reopen as a governed append-only transition consistent with the Module-14..-32 reopen pattern.

### 3.3 Closed launch decisions: cross-link to items

| Specification item ID | Specification item | Locked decision |
|---|---|---|
| GMP-001 | Separate GMP module | DEC-33-01 (retained) |
| GMP-002 | Batch control layer separate | DEC-33-01 (retained) |
| GMP-003 | Workflow state machines exist | DEC-33-02 (hardened) |
| GMP-004 | Generic update routes bypass lifecycle | DEC-33-02 |
| GMP-005 | Audit not attributable | DEC-33-03 |
| GMP-006 | Typed DB schema coverage missing | DEC-33-04 |
| GMP-007 | Authority/HITL/e-sign inconsistent | DEC-33-14 |
| GMP-008 | Batch review + QP certification staging weak | DEC-33-05 |
| GMP-009 | Material quarantine → use gating not explicit | DEC-33-07 |
| GMP-010 | Label reconciliation arithmetic + closure not explicit | DEC-33-08 |
| GMP-011 | IPC failure escalation not tied to batch review/disposition | DEC-33-09 |
| GMP-012 | Equipment qualification gating to use not enforced | DEC-33-10 |
| GMP-013 | Process / cleaning validation gating to use not enforced | DEC-33-11 |
| GMP-014 | AI/MIRA assistive-only constraint | DEC-33-15 |

### 3.4 Locked-decision authority

Each locked decision is approved by the Founder / Chairman & MD on signature capture in the Document Approval block of this URS (§19). Decisions cannot be unlocked except through controlled URS revision under the URS change-control process and re-approval.

### 3.5 Worked examples

**Worked example 1 — Batch review staged workflow + QP certification.**
A tablet batch `BR-PTabs-2026-08-12-001` completes execution in URS-23. URS-33 GMP batch review opens in `production_review_pending` state. The Production Reviewer (URS-28 qualified per DEC-33-19) reviews the batch record with bound e-signature per DEC-33-05; transitions to `production_reviewed → qc_review_pending`. The QC Reviewer (URS-28 qualified, SoD-distinct from Production Reviewer) reviews QC data with bound e-signature; transitions to `qc_reviewed → qa_review_pending`. The QA Reviewer (URS-28 qualified, SoD-distinct from QC Reviewer) reviews QA aspects with bound e-signature; transitions to `qa_reviewed → qp_certification_pending`. The Qualified Person (URS-28 qualified per `qp_release` role, SoD-distinct from QA Reviewer) reviews and certifies the batch with bound e-signature per EU GMP Annex 16 / India Schedule M-III §10; transitions to `qp_certified`. The batch disposition then proceeds per DEC-33-06: `proposed → under_review → approved` with `gmp_batch_disposition_authority` + bound e-signature. URS-26 APQR consumes the GMP-control summary per DEC-33-18.

**Worked example 2 — Material quarantine blocking manufacturing use.**
Incoming material `MAT-API-PTabs-2026-08-01` is received per DEC-33-07; lifecycle `received → quarantined`. Operator A in URS-23 attempts to start a batch using this material. Per DEC-33-07 cross-module gate, URS-23 batch execution rejects with `BAT_MATERIAL_NOT_RELEASED_FOR_USE`. After QC testing completes successfully, the `gmp_material_release_authority` (URS-28 qualified) transitions material to `released_for_use` with HITL + bound e-signature. Operator A retries and URS-23 batch execution succeeds.

**Worked example 3 — Label reconciliation arithmetic + variance escalation.**
A label set `LBL-PTabs-Lot-001` is issued (10,000 labels). After packaging, the operator records: `applied = 9,920`, `destroyed = 70`, `remaining = 8`. Arithmetic: `9,920 + 70 + 8 = 9,998 ≠ 10,000` (2 labels missing — variance 0.02% below threshold). System auto-flags variance per DEC-33-08; investigator records discrepancy reason; reconciliation closes with `gmp_label_reconciliation_authority` + HITL + bound e-signature (under-threshold case). Compare: a different lot reports `applied = 9,500, destroyed = 100, remaining = 0` → `applied + destroyed + remaining = 9,600 ≠ 10,000` (400 labels missing — variance 4% above threshold); transitions to `variance_flagged`; escalation to `gmp_label_variance_authority` + HITL + bound e-signature + investigation per DEC-33-08.

**Worked example 4 — Equipment expiring → URS-30 alert → URS-23 manufacturing-use rejection.**
Equipment `EQ-Mixer-001` qualification expires `2026-09-15`. On `2026-08-16` (30 days lead time per DEC-33-10), system transitions equipment to `expiring_soon` and emits URS-30 notification per DEC-33-20. The operator does not re-qualify in time. On `2026-09-16` system transitions equipment to `expired` and emits URS-30 notification. Operator B in URS-23 attempts batch using equipment `EQ-Mixer-001`. Per DEC-33-10 cross-module gate, URS-23 batch execution rejects with `BAT_EQUIPMENT_NOT_QUALIFIED`. Re-qualification proceeds with `gmp_equipment_qualification_authority` + HITL + bound e-signature + URS-13 CR; equipment transitions to `qualified`; operator retries and URS-23 batch execution succeeds.

**Worked example 5 — IPC failure escalation linked to URS-15 OOS + URS-16 deviation.**
During batch execution in URS-23, IPC `IPC-Assay-Step8` fails (assay 98.2% vs spec 99.0–101.0%). Per DEC-33-09 IPC failure cannot disappear via generic edit; controlled escalation triggers: URS-15 OOS investigation opened (linked to IPC + batch); URS-16 manufacturing deviation opened (linked to IPC + batch); IPC follow-up record persisted. Batch disposition per DEC-33-06 considers OOS in `confirmed` status; QP certification per DEC-33-05 requires OOS resolution before QP certification.

**Worked example 6 — AI/MIRA assistive-only with `outcome_label`.**
MIRA proposes a batch disposition recommendation via `dqg_ai_assistance` (advisory). The QP reviews the AI suggestion with bound e-signature ceremony per DEC-33-05 (the QP is URS-28 qualified per DEC-33-19); the QP modifies the recommendation slightly and accepts. The batch disposition is created with `mira_outcome_label = ai_assisted_overridden` per URS-32 DEC-32-23 inbound emission per DEC-33-15. **AI cannot finalize the batch disposition on its own** per ARCH-AI-001 binding.

**Worked example 7 — India CDSCO Schedule M (Revised) batch certification.**
A batch manufactured at India site `Site-Mumbai` for India CDSCO market follows India CDSCO Schedule M (Revised) §§1–17 (primary India predicate per DEC-33-01). The QP certification per DEC-33-05 follows India Schedule M-III §10 (Approved Authorised Person for batch certification); URS-28 qualification-gate verified per DEC-33-19. The batch certification is the regulator-facing release for India CDSCO.

**Worked example 8 — Governed reopen of locked GMP program.**
On `2027-04-15` an inspection finding (URS-22) reveals a previously locked GMP program may have under-recorded one QP certification. The Manufacturing Head initiates a reopen; per DEC-33-22 + SoD-33-06, both `executive_authority` co-sign AND `qualified_person_authority` co-sign + documented reason are required. On both co-signs the program transitions `locked → in_progress` and a new program iteration is appended; the prior locked evidence is NOT mutated.

---

## 4. End-to-End User Journeys (28 launch journeys)

| # | Journey | Actor | Pre-condition | Path | Post-condition |
|---|---|---|---|---|---|
| 1 | Open GMP batch review | Production Reviewer (URS-28 qualified per DEC-33-19) | URS-23 batch execution complete | Open review in `production_review_pending` per DEC-33-05 | Review opened; audit attributed per DEC-33-03 |
| 2 | Production review completion | Production Reviewer (URS-28 qualified) | Review `production_review_pending` | Bound e-sign per DEC-33-05; transition to `production_reviewed → qc_review_pending` | Production review signed |
| 3 | QC review completion | QC Reviewer (URS-28 qualified, SoD-distinct from Production Reviewer) | Review `qc_review_pending` | Bound e-sign per DEC-33-05 | QC review signed |
| 4 | QA review completion | QA Reviewer (URS-28 qualified, SoD-distinct from QC Reviewer) | Review `qa_review_pending` | Bound e-sign per DEC-33-05 | QA review signed |
| 5 | QP certification | Qualified Person (URS-28 qualified, SoD-distinct from QA Reviewer) | Review `qp_certification_pending` | Bound e-sign per EU GMP Annex 16 / India Schedule M-III §10 + DEC-33-05 + DEC-33-19 | QP certified; bound e-signature |
| 6 | Batch disposition propose | Manufacturing Operator | QP certified | Propose disposition per DEC-33-06 | Disposition `proposed` |
| 7 | Batch disposition approval | `gmp_batch_disposition_authority` (URS-28 qualified) | Disposition `under_review` | HITL + bound e-sign per DEC-33-06 | Disposition `approved` |
| 8 | Batch disposition rejection | `gmp_batch_disposition_authority` | Disposition `under_review` | HITL + bound e-sign + reason | Disposition `rejected` |
| 9 | Batch disposition conditional release | `gmp_batch_disposition_authority` + URS-13 CR | Disposition `under_review`; explicit conditions | HITL + bound e-sign + URS-13 CR per DEC-33-06 | Disposition `conditional_release` |
| 10 | Material receipt | Warehouse / Material Receiver | Material delivered | Create receipt with `received → quarantined` per DEC-33-07 | Material `quarantined`; URS-30 notification per DEC-33-20 |
| 11 | URS-23 batch execution rejected — material not released | System (cross-module gate per DEC-33-07) | Material in `quarantined` state | URS-23 rejects with `BAT_MATERIAL_NOT_RELEASED_FOR_USE` | Operation rejected |
| 12 | Material released for use | `gmp_material_release_authority` (URS-28 qualified) | Material `testing` complete | HITL + bound e-sign per DEC-33-07 | Material `released_for_use` |
| 13 | Material rejected | `gmp_material_release_authority` | Material fails testing | HITL + bound e-sign + reason | Material `rejected` |
| 14 | Material destroyed | `gmp_material_release_authority` | Material `rejected`; destruction certificate | HITL + bound e-sign + destruction certificate document linkage | Material `destroyed` |
| 15 | Label issued | Label Custodian | Packaging operation start | Label issuance recorded per DEC-33-08 | Labels `issued` |
| 16 | Label reconciliation arithmetic verification | System (validation per DEC-33-08) | Reconciliation entry | Compute `applied + destroyed + remaining = issued` | Match: `reconciled`; mismatch: `variance_flagged` |
| 17 | Label variance escalation | `gmp_label_variance_authority` (URS-28 qualified) | `variance_flagged` ≥ threshold | HITL + bound e-sign + investigation per DEC-33-08 | Variance escalated; URS-30 notification per DEC-33-20 |
| 18 | Label reconciliation closure | `gmp_label_reconciliation_authority` (URS-28 qualified) | All variances resolved | HITL + bound e-sign per DEC-33-08 | Reconciliation closed |
| 19 | IPC failure escalation | System (per DEC-33-09) | IPC out-of-spec / action-limit exceeded | Trigger controlled escalation to URS-15 OOS + URS-16 deviation per DEC-33-09 | Escalation triggered; URS-30 notification |
| 20 | Equipment qualification release | `gmp_equipment_qualification_authority` (URS-28 qualified) | Qualification protocol complete; URS-13 CR | HITL + bound e-sign + URS-13 CR per DEC-33-10 | Equipment `qualified` |
| 21 | Equipment expiring_soon → URS-30 notification | System (scheduled per DEC-33-10) | Equipment expiry within 30 days | Transition `qualified → expiring_soon`; emit URS-30 notification per DEC-33-20 | Notification dispatched |
| 22 | Equipment expired → URS-23 batch execution rejected | System (cross-module gate per DEC-33-10) | Equipment expired | URS-23 rejects with `BAT_EQUIPMENT_NOT_QUALIFIED` | Operation rejected |
| 23 | Process validation release | `gmp_process_validation_authority` (URS-28 qualified) | Process validation execution complete; URS-13 CR | HITL + bound e-sign + URS-13 CR per DEC-33-11 | Validation `validated` |
| 24 | Cleaning validation release | `gmp_cleaning_validation_authority` (URS-28 qualified) | Cleaning validation execution complete; URS-13 CR | HITL + bound e-sign + URS-13 CR per DEC-33-11 | Validation `validated` |
| 25 | Validation expired → URS-23 batch execution rejected | System (cross-module gate per DEC-33-11) | Validation expired | URS-23 rejects with `BAT_PROCESS_VALIDATION_EXPIRED` / `BAT_CLEANING_VALIDATION_EXPIRED` | Operation rejected |
| 26 | Reject direct PATCH on lifecycle status | System (validation per DEC-33-02) | Generic PATCH attempt setting lifecycle status | Reject with `GMP_TERMINAL_STATE_PATCH_FORBIDDEN` | Operation rejected |
| 27 | Reject blank `userId` in audit write | System (validation per DEC-33-03) | Audit-trail write with blank `userId` | Reject with `GMP_AUDIT_USER_ID_REQUIRED` | Operation rejected |
| 28 | Reopen locked GMP program (governed transition) | Manufacturing Head + Executive Authority + Qualified Person | Program `locked` | Executive co-sign AND QP co-sign + reason; transition `locked → in_progress`; append new iteration per DEC-33-22 | Program `in_progress`; new iteration appended; prior locked evidence NOT mutated |

---

## 5. Front-end Requirements

### 5.1 GMP Dashboard

The dashboard (URS-33-FE-001) renders summary cards (open batch reviews by stage, pending dispositions, material quarantine queue, label variance count, IPC escalations, equipment expiring within 30 days, validations expiring) with filters; uses canonical `/gmp/*` hooks per DEC-33-01.

### 5.2 Batch Review Console

The batch review console (URS-33-FE-002) renders the staged workflow (Production → QC → QA → QP) with per-stage HITL + bound e-sign ceremony per DEC-33-05; URS-28 qualification-gate UI feedback per DEC-33-19; SoD enforcement display.

### 5.3 Batch Disposition Console

The batch disposition console (URS-33-FE-003) renders disposition lifecycle with HITL + bound e-sign per DEC-33-06; conditional-release URS-13 CR linkage UI.

### 5.4 Material Receipt Console

The material receipt console (URS-33-FE-004) renders material lifecycle with quarantine status; release-for-use ceremony with HITL + bound e-sign per DEC-33-07; rejection / destruction certificate UI.

### 5.5 Label Control Console

The label control console (URS-33-FE-005) renders label issuance + reconciliation with **arithmetic verification UI** per DEC-33-08; variance escalation ceremony with HITL + bound e-sign.

### 5.6 IPC Console

The IPC console (URS-33-FE-006) renders IPC recordings (consumed from URS-23) with failure escalation linkage to URS-15 / URS-16 per DEC-33-09.

### 5.7 Equipment Qualification Console

The equipment qualification console (URS-33-FE-007) renders qualification lifecycle with expiry monitoring; release ceremony with HITL + bound e-sign + URS-13 CR per DEC-33-10.

### 5.8 Process Validation Console

The process validation console (URS-33-FE-008) renders process validation lifecycle with release ceremony per DEC-33-11.

### 5.9 Cleaning Validation Console

The cleaning validation console (URS-33-FE-009) renders cleaning validation lifecycle with release ceremony per DEC-33-11.

### 5.10 Manufacturing Deviation Console

The manufacturing deviation console (URS-33-FE-010) renders deviations with linkage to URS-16 per DEC-33-12.

### 5.11 GMP Metrics Dashboard

The metrics dashboard (URS-33-FE-011) renders GMP control metrics consumed by URS-26 APQR per DEC-33-18.

### 5.12 MIRA Copilot Integration

MIRA copilot (URS-33-FE-012) is read-only context. **AI-generated content is advisory only per DEC-33-15; every GMP record MIRA influences carries `mira_outcome_label` per URS-32 DEC-32-23.**

### 5.13 Accessibility

WCAG 2.1 AA accessible.

---

## 6. Back-end Requirements

### 6.1 Module structure

`packages/backend/src/modules/gmp/` with `plugin.ts`, `routes.ts` (typed schemas — per DEC-33-04; lifecycle status fields excluded from update schemas per DEC-33-02), `service.ts` (attributable audit logging per DEC-33-03 — every method persists authenticated `userId`; typed schema enforcement per DEC-33-04), `workflow.ts` (state machine definitions retained), `schemas.ts` (typed schemas —), `events.ts`, `cross-module-gate.ts` (per DEC-33-07 / DEC-33-10 / DEC-33-11 — gates URS-23 batch execution).

### 6.2 Data model

#### 6.2.1 `gmp_batch_reviews`

`id`, `tenant_id`, `site_id` (FK NOT NULL per DEC-33-13), `batch_id` (FK to URS-23), `production_reviewed_by` / `production_reviewed_at` / `production_review_e_signature_id` per DEC-33-05, `qc_reviewed_by` / `qc_reviewed_at` / `qc_review_e_signature_id`, `qa_reviewed_by` / `qa_reviewed_at` / `qa_review_e_signature_id`, `qp_certified_by` / `qp_certified_at` / `qp_certification_e_signature_id`, `status` (ENUM `production_review_pending` / `production_reviewed` / `qc_review_pending` / `qc_reviewed` / `qa_review_pending` / `qa_reviewed` / `qp_certification_pending` / `qp_certified` / `rejected_at_stage`), `mira_outcome_label` (ENUM per URS-32 DEC-32-23), audit columns (with `created_by` / `updated_by` MANDATORY per DEC-33-03). RLS enabled.

#### 6.2.2 `gmp_batch_dispositions`

`id`, `tenant_id`, `site_id`, `batch_id`, `batch_review_id` (FK to `gmp_batch_reviews`), `disposition_type` (ENUM `released` / `rejected` / `conditional_release`), `disposition_conditions` (TEXT — for conditional_release), `urs13_change_request_id` (FK nullable — for conditional_release), `proposed_by` / `proposed_at`, `approved_by` / `approved_at` / `approval_e_signature_id`, `rejected_by` / `rejected_at` / `rejection_reason`, `status` (ENUM `proposed` / `under_review` / `approved` / `rejected` / `conditional_release`), `mira_outcome_label`, audit columns.

#### 6.2.3 `gmp_material_receipts`

`id`, `tenant_id`, `site_id`, `material_id` (FK), `supplier_id` (FK to URS-11), `received_at`, `quarantined_at`, `testing_at`, `released_for_use_by` / `released_at` / `release_e_signature_id` per DEC-33-07, `rejected_by` / `rejected_at` / `rejection_reason`, `destroyed_by` / `destroyed_at` / `destruction_certificate_document_id` (FK to URS-12), `status` (ENUM `received` / `quarantined` / `testing` / `released_for_use` / `rejected` / `destroyed`), `mira_outcome_label`, audit columns.

#### 6.2.4 `gmp_label_controls`

`id`, `tenant_id`, `site_id`, `label_set_id`, `batch_id` (FK to URS-23), `issued_count` (INTEGER), `applied_count` (INTEGER), `destroyed_count` (INTEGER), `remaining_count` (INTEGER), `variance_count` (INTEGER GENERATED), `variance_pct` (NUMERIC GENERATED per DEC-33-08), `variance_threshold_pct` (NUMERIC), `variance_flagged_at`, `variance_authority_signoff_by` / `variance_e_signature_id`, `reconciled_by` / `reconciled_at` / `reconciliation_e_signature_id` per DEC-33-08, `status` (ENUM `issued` / `applied` / `reconciled` / `destroyed` / `variance_flagged`), `mira_outcome_label`, audit columns.

#### 6.2.5 `gmp_ipc_followups`

`id`, `tenant_id`, `site_id`, `batch_id`, `ipc_check_id` (FK to URS-23 IPC record), `failure_type` (ENUM `out_of_spec` / `action_limit_exceeded` / `alert_limit_exceeded`), `linked_oos_id` (FK to URS-15), `linked_deviation_id` (FK to URS-16), `escalation_status` (ENUM `pending` / `escalated` / `closed`), `mira_outcome_label`, audit columns.

#### 6.2.6 `gmp_equipment_qualifications`

`id`, `tenant_id`, `site_id`, `equipment_id` (FK), `qualification_protocol_document_id` (FK to URS-12), `urs13_change_request_id` (FK), `qualified_by` / `qualified_at` / `qualification_e_signature_id` per DEC-33-10, `qualification_expiry_date`, `status` (ENUM `unqualified` / `qualified` / `expiring_soon` / `expired` / `decommissioned`), `decommissioned_by` / `decommissioned_at`, `mira_outcome_label`, audit columns.

#### 6.2.7 `gmp_validations`

`id`, `tenant_id`, `site_id`, `validation_type` (ENUM `process_validation` / `cleaning_validation`), `product_id` (FK for process); `equipment_train_id` (FK for cleaning), `validation_protocol_document_id` (FK to URS-12), `urs13_change_request_id` (FK), `validated_by` / `validated_at` / `validation_e_signature_id` per DEC-33-11, `validation_expiry_date`, `status` (ENUM `protocol_authored` / `execution_in_progress` / `execution_complete` / `under_review` / `validated` / `expired`), `mira_outcome_label`, audit columns.

#### 6.2.8 `gmp_manufacturing_deviations`

`id`, `tenant_id`, `site_id`, `batch_id`, `linked_urs16_deviation_id` (FK per DEC-33-12), `closed_by` / `closed_at` / `closure_e_signature_id`, `status`, `mira_outcome_label`, audit columns.

#### 6.2.9 `gmp_program_locks`

`id`, `tenant_id`, `period_start`, `period_end`, `locked_by`, `locked_at`, `lock_e_signature_id`, `reopened_at`, `reopened_by`, `reopen_executive_co_signer`, `reopen_qp_co_signer`, `reopen_reason`, audit columns.

#### 6.2.10 RLS

All Module 33 tables have RLS enabled.

### 6.3 API contract

| Route | Method | Permission | Status |
|---|---|---|---|
| `/api/v1/gmp/batch-reviews` | GET / POST | `gmp:batch_review:read` / `gmp:batch_review:create` | (typed schema; lifecycle status excluded from update) |
| `/api/v1/gmp/batch-reviews/:id` | GET / PATCH (status excluded per DEC-33-02) | `gmp:batch_review:read` / `gmp:batch_review:update` | |
| `/api/v1/gmp/batch-reviews/:id/sign-production` | POST | `gmp_production_reviewer_authority` + URS-28 qualification per DEC-33-19 + HITL + bound e-sign per DEC-33-05 | target route |
| `/api/v1/gmp/batch-reviews/:id/sign-qc` | POST | `gmp_qc_reviewer_authority` + URS-28 qualification + HITL + bound e-sign + SoD per DEC-33-05 | target route |
| `/api/v1/gmp/batch-reviews/:id/sign-qa` | POST | `gmp_qa_reviewer_authority` + URS-28 qualification + HITL + bound e-sign + SoD per DEC-33-05 | target route |
| `/api/v1/gmp/batch-reviews/:id/qp-certify` | POST | `gmp_qp_release_authority` + URS-28 qualification per DEC-33-19 + HITL + bound e-sign per EU GMP Annex 16 / India Schedule M-III §10 + DEC-33-05 | target route |
| `/api/v1/gmp/batch-dispositions` | GET / POST | `gmp:batch_disposition:read` / `gmp:batch_disposition:create` | |
| `/api/v1/gmp/batch-dispositions/:id/approve` | POST | `gmp_batch_disposition_authority` + URS-28 qualification + HITL + bound e-sign per DEC-33-06 | target route |
| `/api/v1/gmp/batch-dispositions/:id/reject` | POST | `gmp_batch_disposition_authority` + HITL + bound e-sign + reason | target route |
| `/api/v1/gmp/batch-dispositions/:id/conditional-release` | POST | `gmp_batch_disposition_authority` + HITL + bound e-sign + URS-13 CR per DEC-33-06 | target route |
| `/api/v1/gmp/material-receipts` | GET / POST | `gmp:material:read` / `gmp:material:create` | |
| `/api/v1/gmp/material-receipts/:id/release-for-use` | POST | `gmp_material_release_authority` + URS-28 qualification + HITL + bound e-sign per DEC-33-07 | target route |
| `/api/v1/gmp/material-receipts/:id/reject` | POST | `gmp_material_release_authority` + HITL + bound e-sign + reason | target route |
| `/api/v1/gmp/material-receipts/:id/destroy` | POST | `gmp_material_release_authority` + HITL + bound e-sign + destruction certificate | target route |
| `/api/v1/gmp/label-controls` | GET / POST | `gmp:label:read` / `gmp:label:create` | |
| `/api/v1/gmp/label-controls/:id/reconcile` | POST | `gmp_label_reconciliation_authority` + URS-28 qualification + HITL + bound e-sign per DEC-33-08 (server validates arithmetic) | target route |
| `/api/v1/gmp/label-controls/:id/variance-escalation` | POST | `gmp_label_variance_authority` + HITL + bound e-sign + investigation per DEC-33-08 | target route |
| `/api/v1/gmp/ipc-followups` | GET / POST | `gmp:ipc:read` / `gmp:ipc:create` | |
| `/api/v1/gmp/equipment-qualifications` | GET / POST | `gmp:equipment_qualification:read` / `gmp:equipment_qualification:create` | |
| `/api/v1/gmp/equipment-qualifications/:id/qualify` | POST | `gmp_equipment_qualification_authority` + URS-28 qualification + HITL + bound e-sign + URS-13 CR per DEC-33-10 | target route |
| `/api/v1/gmp/equipment-qualifications/:id/decommission` | POST | `gmp_equipment_qualification_authority` + HITL + bound e-sign + reason | target route |
| `/api/v1/gmp/process-validations` | GET / POST | `gmp:process_validation:read` / `gmp:process_validation:create` | |
| `/api/v1/gmp/process-validations/:id/release` | POST | `gmp_process_validation_authority` + URS-28 qualification + HITL + bound e-sign + URS-13 CR per DEC-33-11 | target route |
| `/api/v1/gmp/cleaning-validations` | GET / POST | `gmp:cleaning_validation:read` / `gmp:cleaning_validation:create` | |
| `/api/v1/gmp/cleaning-validations/:id/release` | POST | `gmp_cleaning_validation_authority` + URS-28 qualification + HITL + bound e-sign + URS-13 CR per DEC-33-11 | target route |
| `/api/v1/gmp/manufacturing-deviations` | GET / POST | `gmp:manufacturing_deviation:read` / `gmp:manufacturing_deviation:create` | |
| `/api/v1/gmp/manufacturing-deviations/:id/close` | POST | `gmp_qa_reviewer_authority` + HITL + bound e-sign per DEC-33-12 | target route |
| `/api/v1/gmp/program-locks` | POST | `final_quality_approver` + HITL + bound e-sign | target route |
| `/api/v1/gmp/program-locks/:id/reopen` | POST | `executive_authority` co-sign AND `qualified_person_authority` co-sign + HITL + reason per DEC-33-22 | target route |

### 6.4 Workflow

#### 6.4.1 Batch review staged workflow

```mermaid
stateDiagram-v2
 [*] --> production_review_pending: open
 production_review_pending --> production_reviewed: sign-production (gmp_production_reviewer_authority + URS-28 + HITL + bound e-sign — DEC-33-05)
 production_reviewed --> qc_review_pending
 qc_review_pending --> qc_reviewed: sign-qc (gmp_qc_reviewer_authority + URS-28 + HITL + bound e-sign + SoD — DEC-33-05)
 qc_reviewed --> qa_review_pending
 qa_review_pending --> qa_reviewed: sign-qa (gmp_qa_reviewer_authority + URS-28 + HITL + bound e-sign + SoD — DEC-33-05)
 qa_reviewed --> qp_certification_pending
 qp_certification_pending --> qp_certified: qp-certify (gmp_qp_release_authority + URS-28 + HITL + bound e-sign + EU GMP Annex 16 / India Schedule M-III §10 — DEC-33-05 / DEC-33-19)
 production_review_pending --> rejected_at_stage: reject (with reason)
 qc_review_pending --> rejected_at_stage: reject
 qa_review_pending --> rejected_at_stage: reject
 qp_certified --> [*]
 rejected_at_stage --> [*]
```

#### 6.4.2 Material receipt lifecycle with cross-module gate

```mermaid
stateDiagram-v2
 [*] --> received: create
 received --> quarantined: auto
 quarantined --> testing: dispatch to QC
 testing --> released_for_use: gmp_material_release_authority + URS-28 + HITL + bound e-sign — DEC-33-07
 testing --> rejected: failed testing + reason
 rejected --> destroyed: destruction certificate
 note right of quarantined: BLOCKS URS-23 batch execution per DEC-33-07 — BAT_MATERIAL_NOT_RELEASED_FOR_USE
 released_for_use --> [*]
 destroyed --> [*]
```

#### 6.4.3 Equipment qualification lifecycle with cross-module gate

```mermaid
stateDiagram-v2
 [*] --> unqualified
 unqualified --> qualified: qualify (gmp_equipment_qualification_authority + URS-28 + HITL + bound e-sign + URS-13 CR — DEC-33-10)
 qualified --> expiring_soon: scheduled (lead time before expiry)
 expiring_soon --> expired: expiry passed
 qualified --> expired: expiry passed (no lead time warning)
 expired --> qualified: re-qualify
 expired --> decommissioned: decommission
 qualified --> decommissioned: decommission
 note right of expired: BLOCKS URS-23 batch execution per DEC-33-10 — BAT_EQUIPMENT_NOT_QUALIFIED
 note right of decommissioned: BLOCKS URS-23 batch execution per DEC-33-10
 decommissioned --> [*]
```

### 6.5 Business rules

- BR-33-01: Canonical module boundary per DEC-33-01 — URS-33 governs but does NOT duplicate URS-23/24/25.
- BR-33-02: Lifecycle status mutation through generic update / generic PATCH rejected per DEC-33-02.
- BR-33-03: GMP audit-trail entries persist authenticated `userId` per DEC-33-03; blank rejected.
- BR-33-04: GMP DB queries use typed schema per DEC-33-04; `db as any` rejected.
- BR-33-05: Batch review staged workflow (Production → QC → QA → QP) with bound e-sign at each stage per DEC-33-05.
- BR-33-06: Batch review SoD enforced — production reviewer ≠ QC reviewer ≠ QA reviewer ≠ QP per DEC-33-05.
- BR-33-07: QP certification per EU GMP Annex 16 / India Schedule M-III §10 with URS-28 qualification per DEC-33-19.
- BR-33-08: Batch disposition lifecycle per DEC-33-06.
- BR-33-09: Material quarantine BLOCKS manufacturing use per DEC-33-07; URS-23 rejects with `BAT_MATERIAL_NOT_RELEASED_FOR_USE`.
- BR-33-10: Material release-for-use requires `gmp_material_release_authority` + URS-28 + HITL + bound e-sign per DEC-33-07.
- BR-33-11: Label reconciliation arithmetic verification: `applied + destroyed + remaining = issued` per DEC-33-08.
- BR-33-12: Label variance ≥ threshold triggers escalation per DEC-33-08.
- BR-33-13: IPC failures cannot disappear via generic edit per DEC-33-09; controlled escalation to URS-15/-16/-23.
- BR-33-14: Equipment expired/decommissioned BLOCKS manufacturing use per DEC-33-10; URS-23 rejects with `BAT_EQUIPMENT_NOT_QUALIFIED`.
- BR-33-15: Equipment qualification requires URS-28 + HITL + bound e-sign + URS-13 CR per DEC-33-10.
- BR-33-16: Process validation expired BLOCKS manufacturing use per DEC-33-11; URS-23 rejects with `BAT_PROCESS_VALIDATION_EXPIRED`.
- BR-33-17: Cleaning validation expired BLOCKS manufacturing use per DEC-33-11; URS-23 rejects with `BAT_CLEANING_VALIDATION_EXPIRED`.
- BR-33-18: Manufacturing deviation linkage to URS-16 per DEC-33-12.
- BR-33-19: OOS-to-manufacturing-impact linkage to URS-15 per DEC-33-12; OOS in `confirmed` MUST be considered in batch disposition.
- BR-33-20: Authority/HITL/e-signature consistency across all GMP critical decisions per DEC-33-14.
- BR-33-21: AI/MIRA assistive-only constraint per DEC-33-15; `mira_outcome_label` per URS-32 DEC-32-23 inbound emission.
- BR-33-22: **AI cannot finalize batch certification, batch disposition approval, QP release, material release-for-use, label reconciliation closure, equipment qualification, process validation, cleaning validation, or manufacturing deviation closure** per ARCH-AI-001 / DEC-33-15.
- BR-33-23: Findings emission to URS-21 per DEC-33-16.
- BR-33-24: CAPA emission to URS-18 per DEC-33-17.
- BR-33-25: APQR consumer integration per DEC-33-18.
- BR-33-26: URS-28 qualification-gate inbound consumer per DEC-33-19.
- BR-33-27: URS-30 Notifications outbound consumer per DEC-33-20.
- BR-33-28: Material reopen `locked → in_progress` requires `executive_authority` co-sign AND `qualified_person_authority` co-sign + reason per DEC-33-22.
- BR-33-29: `platform_admin` / `super_admin` are support / break-glass only paths per DEC-33-21.
- BR-33-30: Material updates require structured reason-for-change per DEC-33-03.

### 6.6 Audit trail

Every Module 33 record mutation persists an audit-trail entry **with authenticated `userId` mandatory per DEC-33-03**. Material updates persist `reason_for_change`. Regulated final actions persist a bound e-signature via the `electronic_signatures` substrate. Append-only.

### 6.7 Error handling

| Code | HTTP | Meaning |
|---|---|---|
| `GMP_VALIDATION_FAILED` | 400 | Schema validation failure |
| `GMP_UNAUTHORIZED` | 401 | Authentication required |
| `GMP_FORBIDDEN` | 403 | RBAC denied |
| `GMP_NOT_FOUND` | 404 | Resource not found |
| `GMP_DUPLICATE_KEY` | 409 | Uniqueness violation |
| `GMP_INVALID_TRANSITION` | 422 | Lifecycle transition not permitted |
| `GMP_TERMINAL_STATE_PATCH_FORBIDDEN` | 422 | Direct PATCH attempted on lifecycle status per DEC-33-02 |
| `GMP_AUDIT_USER_ID_REQUIRED` | 422 | Audit-trail write with blank `userId` per DEC-33-03 |
| `GMP_DB_ANY_PROHIBITED` | 500 | Service used `db as any` per DEC-33-04 (build-time error preferred) |
| `GMP_AUTHORITY_REQUIRED` | 422 | Authority Profile missing |
| `GMP_AUTHORITY_QUALIFICATION_GATE_FAILED` | 422 | URS-28 qualification gate failed per DEC-33-19 |
| `GMP_HITL_DECISION_REQUIRED` | 422 | HITL decision capture missing |
| `GMP_E_SIGNATURE_REQUIRED` | 422 | Bound e-signature persistence missing |
| `GMP_BATCH_REVIEW_STAGE_SOD_VIOLATION` | 422 | Same person attempted multiple batch review stages per DEC-33-05 |
| `GMP_BATCH_REVIEW_OUT_OF_SEQUENCE` | 422 | Batch review stage signed out of sequence |
| `GMP_LABEL_RECONCILIATION_ARITHMETIC_MISMATCH` | 422 | Label reconciliation arithmetic mismatch + variance under threshold without resolution per DEC-33-08 |
| `GMP_VARIANCE_AUTHORITY_REQUIRED` | 422 | Variance ≥ threshold without `gmp_label_variance_authority` per DEC-33-08 |
| `GMP_REASON_FOR_CHANGE_REQUIRED` | 422 | Material update / terminal transition without reason-for-change |
| `GMP_AI_AS_AUTHORITATIVE_PROHIBITED` | 422 | AI service attempted to advance regulated GMP action per ARCH-AI-001 / DEC-33-15 |
| `GMP_REOPEN_AUTHORITY_REQUIRED` | 422 | Reopen attempted without executive AND QP co-sign per DEC-33-22 |
| `BAT_MATERIAL_NOT_RELEASED_FOR_USE` | 422 | URS-23 cross-module gate rejected per DEC-33-07 |
| `BAT_EQUIPMENT_NOT_QUALIFIED` | 422 | URS-23 cross-module gate rejected per DEC-33-10 |
| `BAT_PROCESS_VALIDATION_EXPIRED` | 422 | URS-23 cross-module gate rejected per DEC-33-11 |
| `BAT_CLEANING_VALIDATION_EXPIRED` | 422 | URS-23 cross-module gate rejected per DEC-33-11 |
| `GMP_INTERNAL` | 500 | Sanitized server error |

### 6.8 Configuration rules

- Equipment qualification expiring-soon lead time (default 30 days) configurable per tenant per DEC-33-10.
- Process / cleaning validation expiry interval (default 12 months) configurable per tenant per DEC-33-11.
- Label variance threshold (default 0.5%) configurable per tenant per DEC-33-08.

---

## 7. Non-functional Requirements

- NFR-33-01: List pagination (default 50, max 200).
- NFR-33-02: List p95 < 800ms (10k batch reviews per tenant).
- NFR-33-03: Cross-module gate evaluation (URS-23 batch execution) p95 < 200ms.
- NFR-33-04: Audit-trail append p99 < 200ms.
- NFR-33-05: Concurrent GMP users per tenant: 100.
- NFR-33-06: Storage scalability: 1M GMP records per tenant.
- NFR-33-07: Backup / restore RPO ≤ 15 min; RTO ≤ 4 hours per URS-35.
- NFR-33-08: Bound e-signature persistence transaction p95 < 1.5s.
- NFR-33-09: URS-28 qualification-gate consumption p95 < 200ms.

---

## 8. Localization

English (en-US, en-GB), Hindi (hi-IN), Marathi (mr-IN), Japanese (ja-JP) at launch. **India launch scope priority** per DEC-33-01.

---

## 9. Migration

### 9.1 Migration scope

Greenfield at launch.

### 9.2 Schema migration

Migration baseline aligned with target migrations columns: add typed schema constraints to all GMP tables per DEC-33-04; add `userId` NOT NULL on all audit-trail entries per DEC-33-03; remove lifecycle status fields from update schemas per DEC-33-02; add `mira_outcome_label` ENUM column to every GMP primary record table per DEC-33-15 / URS-32 DEC-32-23; add cross-module gate hooks to URS-23 batch execution per DEC-33-07 / DEC-33-10 / DEC-33-11; add `gmp_program_locks` table with reopen columns per DEC-33-22; add release_change_request_id FK to URS-13 on equipment qualifications + validations per DEC-33-10 / DEC-33-11.

### 9.3 Migration evidence gate (URS-33-VAL-008)

(a) all migrations applied; (b) RLS verified; (c) typed schema validation verified — `db as any` rejected per DEC-33-04; (d) attributable audit logging verified — blank `userId` rejected per DEC-33-03; (e) lifecycle status patch-bypass prevention verified per DEC-33-02; (f) batch review staged workflow + SoD verified per DEC-33-05; (g) batch disposition lifecycle verified per DEC-33-06; (h) material quarantine cross-module gate to URS-23 verified — URS-23 rejects with `BAT_MATERIAL_NOT_RELEASED_FOR_USE` per DEC-33-07; (i) label reconciliation arithmetic verification + variance escalation verified per DEC-33-08; (j) IPC escalation linkage verified per DEC-33-09; (k) equipment qualification cross-module gate verified — URS-23 rejects with `BAT_EQUIPMENT_NOT_QUALIFIED` per DEC-33-10; (l) process / cleaning validation cross-module gate verified — URS-23 rejects with `BAT_PROCESS_VALIDATION_EXPIRED` / `BAT_CLEANING_VALIDATION_EXPIRED` per DEC-33-11; (m) manufacturing deviation + OOS linkage verified per DEC-33-12; (n) Authority/HITL/e-signature consistency across all critical decisions verified per DEC-33-14; (o) AI/MIRA assistive-only verified per DEC-33-15; (p) URS-28 qualification-gate consumption verified per DEC-33-19; (q) URS-30 notifications outbound verified per DEC-33-20; (r) URS-32 MIRA outcome-label inbound emission verified per DEC-33-15; (s) cross-module event emission verified (URS-12, URS-13, URS-15, URS-16, URS-17, URS-18, URS-21, URS-22, URS-23, URS-24, URS-25, URS-26, URS-28, URS-30, URS-32); (t) governed reopen verified per DEC-33-22; (u) §17 validation evidence pack signed.

---

## 10. Decommissioning

Module 33 records subject to platform record-retention policy (retained per FDA 21 CFR §211.180 longer of 30 years from batch lock or 50 years from product expiry per EU GMP). On tenant decommissioning, records exported per URS-35.

---

## 11. Decisions, Dependencies, Risks, and Error Handling
### 11.1 Closed decision posture

**No Module 33 internal decisions outstanding.** All items captured in locked decisions DEC-33-01.DEC-33-23.

### 11.2 External dependencies

- URS-23 batch execution must consume cross-module gates per DEC-33-07 / DEC-33-10 / DEC-33-11.
- URS-12 Document Control must support batch certification + validation report storage.
- URS-13 change-control register must support equipment qualification + process / cleaning validation effective release linkage.
- URS-15 OOS / URS-16 Deviations must accept linkage events per DEC-33-12.
- URS-18 CAPA register must accept `gmp_manufacturing_control` source type per DEC-33-17.
- URS-21 findings register must accept `gmp_manufacturing_control` source type per DEC-33-16.
- URS-26 APQR must consume periodic GMP-control summary per DEC-33-18.
- URS-28 training must expose qualification-gate API for QP / QA / production / batch releaser authority per DEC-33-19.
- URS-30 Notifications must consume GMP critical alerts per DEC-33-20.
- URS-32 MIRA AI must emit `outcome_label` per URS-32 DEC-32-23 inbound to GMP records.

### 11.3 Risks

- Risk-33-01: Cross-module gate latency (URS-23 batch execution waiting for GMP gate evaluation). Mitigation: NFR-33-03 latency budget; cache layer with TTL.
- Risk-33-02: URS-28 qualification-gate latency at QP certification ceremony. Mitigation: NFR-33-09 latency budget.
- Risk-33-03: India CDSCO Schedule M (Revised) interpretation evolution. Mitigation: per-jurisdictional advisory layer; jurisdiction-specific legal assessment deferred per binding language.
- Risk-33-04: Reopen workflow gravity may delay urgent investigations. Mitigation: documented reopen SLA.

### 11.4 Out-of-scope risks tracked elsewhere

- Batch execution (URS-23).
- Stability authoring (URS-24).
- EM authoring (URS-25).

### 11.5 Risk owner

Module-33 risk register owned by Manufacturing / GMP Squad with quarterly review by **Manufacturing Head (Primary Owner)** + QA Head + Validation Head + Qualified Person Authority + RA Head.

### 11.6 Decision discipline

No Module 33 internal decisions outstanding.

### 11.7 Error Handling and Negative Paths

This section defines the controlled error envelope, the enumerated machine-code catalogue, and the negative-path response contract required for this module. The error envelope is the standard platform envelope (human message, machine code in upper-snake-case, optional structured details, correlation identifier). Errors are returned with the appropriate HTTP status; the UI surfaces inline errors at the field of cause where applicable, otherwise a controlled error toast or modal. Every error path is logged to the URS-06 audit substrate when the originating action is regulated; errors that occur before authentication are logged without `userId`. Audit-trail write failure on a state-changing action MUST cause the originating action to NOT commit (atomic write per URS-04 BR-04-15). The enumerated machine codes for this module's negative paths are defined alongside the corresponding lifecycle gates, segregation-of-duties controls, and authority-resolution outcomes throughout §6 (Back-end Requirements) and §13 (Segregation of Duties); engineering MUST surface every enumerated machine code through the standard envelope and MUST NOT swallow errors silently. Cross-module error propagation follows the §20 Cross-Module Event Contract.


---

## 12. Security

- SEC-33-01: Tenant isolation enforced at RLS on every Module 33 table.
- SEC-33-02: RBAC enforced on every route via `requirePermission(.)` using dedicated `gmp:*` permission set.
- SEC-33-03: Authority resolution enforced on regulated final actions before HITL + e-signature.
- SEC-33-04: HITL decision capture enforced before bound e-signature persistence.
- SEC-33-05: Bound e-signature persistence via `electronic_signatures` substrate.
- SEC-33-06: PII redaction in logs.
- SEC-33-07: Audit-trail integrity via URS-06 hash chain; **`userId` mandatory per DEC-33-03**.
- SEC-33-08: AI-request provenance via `ai_requests`; **AI cannot advance regulated GMP action** per ARCH-AI-001; AI may draft advisory only.
- SEC-33-09: `platform_admin` / `super_admin` break-glass actions logged per DEC-33-21.
- SEC-33-10: Typed DB schema enforcement per DEC-33-04 (closes `db as any` security/integrity gap).
- SEC-33-11: Cross-module gate enforcement at URS-23 batch execution per DEC-33-07 / DEC-33-10 / DEC-33-11.
- SEC-33-12: URS-28 qualification-gate consumed at QP certification + all other authority-gated decisions per DEC-33-19.
- SEC-33-13: SoD enforced across batch review stages per DEC-33-05.

---

## 13. Segregation of Duties

| SoD ID | Constraint |
|---|---|
| SoD-33-01 | The Production Reviewer MUST NOT also be the QC Reviewer or QA Reviewer or QP for the same batch (DB-level constraint per DEC-33-05). |
| SoD-33-02 | The QC Reviewer MUST NOT also be the QA Reviewer or QP for the same batch. |
| SoD-33-03 | The QA Reviewer MUST NOT also be the QP for the same batch. |
| SoD-33-04 | The Material Release authority MUST NOT also be the Material Tester for the same lot. |
| SoD-33-05 | The Equipment Qualification authority MUST be SoD-distinct from the Equipment Operator at qualification time. |
| SoD-33-06 | The reopen co-signers (executive AND Qualified Person per DEC-33-22) MUST NOT be the original lock signer. |
| SoD-33-07 | The `platform_admin` / `super_admin` support / break-glass action MUST NOT be a regulated production action; logged and reviewed per DEC-33-21. |

---

## 14. Regulatory Mapping

| Predicate rule | Section | Module 33 binding |
|---|---|---|
| **FDA 21 CFR Part 11** §§11.10(a)/(d)/(e), 11.50, 11.70, 11.200 | E-records and E-signatures | URS-33-VAL-008 + bound e-sign + audit-trail; **attributable audit per DEC-33-03 closes 21 CFR Part 11 §11.10(e)** |
| **FDA 21 CFR Part 210** | cGMP general | Primary FDA predicate |
| **FDA 21 CFR Part 211 §211.22** | Quality Control Unit | QC reviewer authority per DEC-33-05 |
| **FDA 21 CFR Part 211 §211.25** | Personnel Qualifications | URS-28 qualification per DEC-33-19 |
| **FDA 21 CFR Part 211 §§211.42–§211.46** | Buildings/Facilities | Site-scope per DEC-33-13 |
| **FDA 21 CFR Part 211 §§211.63–§211.72** | Equipment | Equipment qualification per DEC-33-10 |
| **FDA 21 CFR Part 211 §§211.80–§211.94** | Components/Containers/Closures | Material control per DEC-33-07 |
| **FDA 21 CFR Part 211 §§211.100–§211.115** | Production and Process Controls | IPC governance per DEC-33-09; process validation per DEC-33-11 |
| **FDA 21 CFR Part 211 §§211.122–§211.137** | Packaging and Labeling Controls | Label control per DEC-33-08 |
| **FDA 21 CFR Part 211 §§211.142–§211.150** | Holding and Distribution | Material release-for-use per DEC-33-07 |
| **FDA 21 CFR Part 211 §§211.160–§211.176** | Laboratory Controls | OOS linkage per DEC-33-12 |
| **FDA 21 CFR Part 211 §§211.180–§211.198** | Records and Reports | Per-record audit + retention |
| **EU GMP Annex 11** §§4, 5, 9, 12, 14, 16 | Computerised Systems | Validation; data; audit trails; security; e-records; incident management |
| **EU GMP Chapter 1** | Pharmaceutical Quality System | Quality system foundation |
| **EU GMP Chapter 2** | Personnel | URS-28 qualification per DEC-33-19 |
| **EU GMP Chapter 3** | Premises and Equipment | Equipment qualification per DEC-33-10 |
| **EU GMP Chapter 4** | Documentation | URS-12 Document Control linkage |
| **EU GMP Chapter 5** | Production | Production controls + IPC governance |
| **EU GMP Chapter 6** | Quality Control | QC reviewer authority per DEC-33-05 |
| **EU GMP Chapter 7** | Outsourced Activities | Supplier linkage |
| **EU GMP Chapter 8** | Complaints and Product Recall | Complaints / recall integration |
| **EU GMP Annex 16** | Certification by a Qualified Person and Batch Release | QP certification per DEC-33-05 / DEC-33-19 |
| EU GMP Annex 22 Draft 2025 | §7 — HITL / GenAI prohibition in critical GMP decisions | Internal forward-looking control |
| EU AI Act (Regulation 2024/1689) | Annex III + Articles 13/14 | Adopted as internal forward-looking AI governance |
| **MHRA Data Integrity Guidance** | ALCOA+ | Module 33 per-record ALCOA+-compliant; **attributable per DEC-33-03** |
| GAMP 5 Cat 5 | Custom-application validation lifecycle | URS-33 validation evidence pack per URS-33-VAL-008 |
| **ICH Q7** | GMP for APIs | API manufacturing scope |
| **ICH Q9 R1** | Quality Risk Management | Risk-precipitated GMP control |
| **ICH Q10** | Pharmaceutical Quality System | Quality system foundation |
| **ICH Q11** | Development and Manufacture of Drug Substances | API drug substance manufacture |
| **ICH Q12** | Lifecycle Management | Lifecycle management |
| **WHO TRS 986 Annex 2** | WHO GMP for Pharmaceutical Products: Main Principles | WHO GMP scope |
| **PIC/S PE 009-17** | International harmonization with EU GMP | PIC/S members |
| **India CDSCO Schedule M (Revised) §§1–17** | Pharmaceutical manufacturing — primary India predicate for GMP launch scope | India operations subject to a future jurisdiction-specific legal assessment |
| **India CDSCO Schedule M-III §10** | Approved Authorised Person for batch certification | QP certification India scope per DEC-33-05 |
| **India D&C Act 1940 / Drugs Rules 1945** | Predicate drug-control framework | India operations regulatory baseline |
| **India Medical Devices Rules 2017** | Medical device GMP | Medical device GMP scope |

---

## 15. Code Modules

| Code module | Path | Status |
|---|---|---|
| `gmp` plugin | `packages/backend/src/modules/gmp/plugin.ts` | |
| `gmp` routes | `packages/backend/src/modules/gmp/routes.ts` | (typed schemas; lifecycle status excluded from update; transition endpoints added) |
| `gmp` service | `packages/backend/src/modules/gmp/service.ts` | (attributable audit per DEC-33-03; typed schema per DEC-33-04; staged batch review per DEC-33-05; cross-module gate hooks per DEC-33-07 / DEC-33-10 / DEC-33-11) |
| `gmp` workflow | `packages/backend/src/modules/gmp/workflow.ts` | (state machines hardened) |
| `gmp` schemas | `packages/backend/src/modules/gmp/schemas.ts` | (lifecycle status excluded from update schemas) |
| `gmp` events | `packages/backend/src/modules/gmp/events.ts` | target route |
| `gmp` cross-module-gate | `packages/backend/src/modules/gmp/cross-module-gate.ts` | target route per DEC-33-07 / DEC-33-10 / DEC-33-11 (gates URS-23 batch execution) |
| `batch` routes (URS-23 cross-module gate consumer) | `packages/backend/src/modules/batch/routes.ts` | (consumes GMP cross-module gate per DEC-33-07 / DEC-33-10 / DEC-33-11) |
| Migration | `packages/backend/src/db/migrations/.` | (per §9.2) |
| Shared types | `packages/shared/src/types/gmp.ts` | |
| Shared schemas | `packages/shared/src/schemas/gmp.schema.ts` | |
| Frontend hooks | `packages/frontend/src/api/hooks/useGmp.ts` | |
| Frontend dashboard | `packages/frontend/src/pages/gmp/GMPDashboard.tsx` | |
| Frontend batch review console | `packages/frontend/src/pages/gmp/BatchReviewConsole.tsx` | target route per DEC-33-05 |
| Frontend batch disposition console | `packages/frontend/src/pages/gmp/BatchDispositionConsole.tsx` | target route per DEC-33-06 |
| Frontend material receipt console | `packages/frontend/src/pages/gmp/MaterialReceiptConsole.tsx` | target route per DEC-33-07 |
| Frontend label control console | `packages/frontend/src/pages/gmp/LabelControlConsole.tsx` | target route per DEC-33-08 |
| Frontend IPC console | `packages/frontend/src/pages/gmp/IPCConsole.tsx` | target route per DEC-33-09 |
| Frontend equipment qualification console | `packages/frontend/src/pages/gmp/EquipmentQualificationConsole.tsx` | target route per DEC-33-10 |
| Frontend process validation console | `packages/frontend/src/pages/gmp/ProcessValidationConsole.tsx` | target route per DEC-33-11 |
| Frontend cleaning validation console | `packages/frontend/src/pages/gmp/CleaningValidationConsole.tsx` | target route per DEC-33-11 |
| Frontend manufacturing deviation console | `packages/frontend/src/pages/gmp/ManufacturingDeviationConsole.tsx` | target route per DEC-33-12 |
| Frontend GMP metrics dashboard | `packages/frontend/src/pages/gmp/GMPMetricsDashboard.tsx` | target route per DEC-33-18 |

---

## 16. Test Cases

### 16.1 Unit tests

- TC-33-U-001: Lifecycle status mutation through generic PATCH rejected with `GMP_TERMINAL_STATE_PATCH_FORBIDDEN` per DEC-33-02.
- TC-33-U-002: Audit-trail write with blank `userId` rejected with `GMP_AUDIT_USER_ID_REQUIRED` per DEC-33-03.
- TC-33-U-003: Service `db as any` access pattern rejected at build time per DEC-33-04.
- TC-33-U-004: Batch review stage signed by SoD-conflicting user rejected with `GMP_BATCH_REVIEW_STAGE_SOD_VIOLATION` per DEC-33-05.
- TC-33-U-005: Batch review stage signed out of sequence rejected with `GMP_BATCH_REVIEW_OUT_OF_SEQUENCE`.
- TC-33-U-006: QP certification without URS-28 `qp_release` qualification rejected with `GMP_AUTHORITY_QUALIFICATION_GATE_FAILED` per DEC-33-19.
- TC-33-U-007: Material in `quarantined` state — URS-23 batch execution rejected with `BAT_MATERIAL_NOT_RELEASED_FOR_USE` per DEC-33-07.
- TC-33-U-008: Material release-for-use without `gmp_material_release_authority` rejected per DEC-33-07.
- TC-33-U-009: Label reconciliation arithmetic mismatch + variance under threshold without resolution rejected per DEC-33-08.
- TC-33-U-010: Label variance ≥ threshold without `gmp_label_variance_authority` rejected per DEC-33-08.
- TC-33-U-011: IPC failure cannot be edited via generic update per DEC-33-09 (controlled escalation only).
- TC-33-U-012: Equipment in `expired` state — URS-23 batch execution rejected with `BAT_EQUIPMENT_NOT_QUALIFIED` per DEC-33-10.
- TC-33-U-013: Equipment in `decommissioned` state — URS-23 rejects per DEC-33-10.
- TC-33-U-014: Process validation expired — URS-23 rejects with `BAT_PROCESS_VALIDATION_EXPIRED` per DEC-33-11.
- TC-33-U-015: Cleaning validation expired — URS-23 rejects with `BAT_CLEANING_VALIDATION_EXPIRED` per DEC-33-11.
- TC-33-U-016: AI service attempting batch certification / disposition / release rejected with `GMP_AI_AS_AUTHORITATIVE_PROHIBITED` per DEC-33-15.
- TC-33-U-017: Reopen without executive AND QP co-sign rejected per DEC-33-22.

### 16.2 Integration tests

- TC-33-I-001: Batch review staged workflow + QP certification per Worked Example 1.
- TC-33-I-002: Material quarantine blocking manufacturing use per Worked Example 2.
- TC-33-I-003: Label reconciliation arithmetic + variance escalation per Worked Example 3.
- TC-33-I-004: Equipment expiring → URS-30 alert → URS-23 manufacturing-use rejection per Worked Example 4.
- TC-33-I-005: IPC failure escalation linked to URS-15 OOS + URS-16 deviation per Worked Example 5.
- TC-33-I-006: AI/MIRA assistive-only with `outcome_label` per Worked Example 6.
- TC-33-I-007: India CDSCO Schedule M (Revised) batch certification per Worked Example 7.
- TC-33-I-008: Governed reopen per Worked Example 8.
- TC-33-I-009: Cross-module event emission verified (URS-12, URS-13, URS-15, URS-16, URS-18, URS-21, URS-22, URS-23, URS-26, URS-28, URS-30, URS-32).
- TC-33-I-010: URS-26 APQR consumes periodic GMP-control summary per DEC-33-18.

### 16.3 End-to-end tests

- TC-33-E-001 through TC-33-E-008: Worked Examples 1–8 end-to-end.
- TC-33-E-009: Concurrent GMP users — 100 — NFR-33-05.
- TC-33-E-010: India CDSCO Schedule M (Revised) full-batch end-to-end with India site + India product + Schedule M-III §10 QP certification.

### 16.4 Performance tests

- TC-33-P-001: List p95 latency (NFR-33-02).
- TC-33-P-002: Cross-module gate evaluation p95 latency (NFR-33-03).
- TC-33-P-003: Audit-trail append p99 latency (NFR-33-04).
- TC-33-P-004: Bound e-signature p95 latency (NFR-33-08).
- TC-33-P-005: URS-28 qualification-gate p95 latency (NFR-33-09).

### 16.5 Security tests

- TC-33-S-001: Cross-tenant access rejected by RLS.
- TC-33-S-002: Missing RBAC rejected.
- TC-33-S-003: Missing Authority Profile rejected.
- TC-33-S-004: Missing HITL rejected.
- TC-33-S-005: Missing bound e-signature rejected.
- TC-33-S-006: SQL injection rejected.
- TC-33-S-007: Audit-trail UPDATE / DELETE rejected.
- TC-33-S-008: AI service attempting authoritative GMP action rejected per DEC-33-15.
- TC-33-S-009: PII redaction in logs verified.
- TC-33-S-010: Blank `userId` in audit rejected per DEC-33-03.
- TC-33-S-011: `db as any` rejected per DEC-33-04.
- TC-33-S-012: SoD enforcement across batch review stages per DEC-33-05.
- TC-33-S-013: URS-28 qualification-gate enforced.

---

## 17. Validation Evidence

### 17.1 URS-33-VAL-001: Requirements traceability matrix

Complete RTM mapping every URS-33 requirement (DEC-33-01.DEC-33-23, BR-33-01.BR-33-30, NFR-33-01.NFR-33-09, SoD-33-01.SoD-33-07, SEC-33-01.SEC-33-13) to test cases and code modules.

### 17.2 URS-33-VAL-002: Design qualification (DQ)

Architecture, data model, API contract, workflow, business rules, audit trail, security, integration; signed by Validation Head, QA Head, **Manufacturing Head (Primary Owner)**, RA Head, Information Security Head, Qualified Person Authority.

### 17.3 URS-33-VAL-003: Installation qualification (IQ)

Migration application + RLS verification + route mount verification + frontend hook resolution + cross-module gate integration verification.

### 17.4 URS-33-VAL-004: Operational qualification (OQ)

Happy-path execution of every test case with evidence captures.

### 17.5 URS-33-VAL-005: Performance qualification (PQ)

NFR-33-01.NFR-33-09 verification.

### 17.6 URS-33-VAL-006: AI/ML governance evidence

Per ARCH-AI-001: (a) MIRA read-only context integration with `mira_outcome_label` per URS-32 DEC-32-23 inbound emission; (b) AI advisory drafting only; (c) **AI cannot finalize batch certification, batch disposition, QP release, material release, label reconciliation, equipment qualification, process validation, cleaning validation, or manufacturing deviation closure** verification; (d) Annex 22 §7 + EU AI Act Annex III internal forward-looking control compliance evidence.

### 17.7 URS-33-VAL-007: Regulatory mapping evidence

FDA 21 CFR Part 11 + Part 210 + Part 211 (full subpart set §§211.22,.25,.42–.46,.63–.72,.80–.94,.100–.115,.122–.137,.142–.150,.160–.176,.180–.198); EU GMP Annex 11 §§4, 5, 9, 12, 14, 16 + **EU GMP Chapters 1, 2, 3, 4, 5, 6, 7, 8** + **Annex 16** (QP batch release); Annex 22 Draft 2025 §7; EU AI Act Art. 13 / 14 / Annex III; MHRA Data Integrity (ALCOA+); GAMP 5 Cat 5; **ICH Q7, Q9 R1, Q10, Q11, Q12**; **WHO TRS 986 Annex 2**; **PIC/S PE 009-17**; **India CDSCO Schedule M (Revised) §§1–17 + Schedule M-III §10 + D&C Act 1940 + Drugs Rules 1945 + Medical Devices Rules 2017**.

### 17.8 URS-33-VAL-008: Migration evidence gate

Per §9.3.

### 17.9 URS-33-VAL-009: Signature manifest

QA Head, **Manufacturing Head (Primary Owner)**, RA Head, Validation Head, Qualified Person Authority, Information Security Head, Site Quality Lead, Founder / Chairman & MD per §19.

### 17.10 URS-33-VAL-010: Post-launch periodic-review pack

(a) GMP control metrics; (b) attributable audit verification (no blank `userId`); (c) typed schema enforcement verification (no `db as any`); (d) batch review SoD compliance; (e) cross-module gate enforcement at URS-23 (rejection rates); (f) AI-assistance acceptance rate; (g) reopen-event audit; (h) cross-tenant break-glass audit; (i) cross-module event integrity; periodic review at quarterly cadence by Manufacturing Head + QA Head + Validation Head + Qualified Person Authority + RA Head.

---

## 18. Document Change History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 | 2026-05-07 | Founder Doctrine — Verixa URS Cell | First issued user requirements specification for Module 33. |

---

## 19. Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Founder / Chairman & MD | Vimal | __________ | __________ |
| QA Head | __________ | __________ | __________ |
| Manufacturing Head (Primary Owner) | __________ | __________ | __________ |
| RA Head | __________ | __________ | __________ |
| Validation Head | __________ | __________ | __________ |
| Information Security Head | __________ | __________ | __________ |
| Qualified Person Authority | __________ | __________ | __________ |
| Site Quality Lead | __________ | __________ | __________ |

---

## 20. Cross-Module Event Contract

| Event | Emitter | Consumer | Payload key fields |
|---|---|---|---|
| `gmp_batch_review_started` | Module 33 | URS-30 | `batch_review_id`, `batch_id` |
| `gmp_batch_review_completed` | Module 33 | URS-30 | `batch_review_id`, `qp_certified_by`, `qp_certification_e_signature_id` |
| `gmp_batch_disposition_approved` | Module 33 | URS-30, URS-34 (GDP) | `disposition_id`, `batch_id`, `disposition_type` |
| `gmp_batch_qp_certified` | Module 33 | URS-30, URS-34 (GDP) | `batch_id`, `qp_certified_by`, `qp_certification_e_signature_id` |
| `gmp_material_quarantined` | Module 33 | URS-30, **URS-23 (cross-module gate consumer)** | `material_id`, `quarantined_at` |
| `gmp_material_released_for_use` | Module 33 | URS-30, URS-23 | `material_id`, `released_by` |
| `gmp_label_variance_flagged` | Module 33 | URS-30 | `label_set_id`, `variance_pct` |
| `gmp_ipc_failure_escalated` | Module 33 | **URS-15 (OOS)**, **URS-16 (Deviations)**, URS-30 | `ipc_check_id`, `batch_id`, `failure_type` |
| `gmp_equipment_expired` | Module 33 | URS-30, **URS-23 (cross-module gate consumer)** | `equipment_id`, `expired_at` |
| `gmp_process_validation_expired` | Module 33 | URS-30, URS-23 | `validation_id`, `expired_at` |
| `gmp_cleaning_validation_expired` | Module 33 | URS-30, URS-23 | `validation_id`, `expired_at` |
| `manufacturing_deviation_created` | Module 33 | **URS-16 (Deviations — primary consumer)** | `deviation_id`, `batch_id`, `severity` |
| `gmp_finding_created` | Module 33 | **URS-21 (Findings — primary consumer)** | `finding_id` (URS-21), `severity`, `finding_type` |
| `gmp_capa_linked` | Module 33 | **URS-18 (CAPA — primary consumer)** | `capa_id`, `linked_by`, `source_type = gmp_manufacturing_control` |
| `gmp_program_locked` | Module 33 | URS-30 | `program_lock_id`, `locked_by`, `lock_e_signature_id` |
| `gmp_program_reopened` | Module 33 | URS-30, URS-21 | `program_lock_id`, `reopened_by`, `executive_co_signer`, `qp_co_signer`, `reopen_reason` |

---

## 21. References

- ARCH-AI-001 — AI Optionality and Manual Continuity (canonical binding architecture)
- VRX-SPEC-URS-033-GMP-Manufacturing-Operations-and-Controls.md (Module specification)
- URS-01.URS-32, URS-34.URS-35 (cross-module contracts)
- **FDA 21 CFR Part 11** §§11.10(a)/(d)/(e), 11.50, 11.70, 11.200
- **FDA 21 CFR Part 210** — cGMP general
- **FDA 21 CFR Part 211** §§211.22, 211.25, 211.42–211.46, 211.63–211.72, 211.80–211.94, 211.100–211.115, 211.122–211.137, 211.142–211.150, 211.160–211.176, 211.180–211.198, 211.204–211.208 — primary FDA predicate (full subpart set)
- **EU GMP Annex 11** §§4, 5, 9, 12, 14, 16
- **EU GMP Chapters 1–8** — primary EU predicate (full chapter set)
- **EU GMP Annex 16** — Certification by a Qualified Person and Batch Release
- EU GMP Annex 22 (Draft 2025) §7 — internal forward-looking control
- EU AI Act (Regulation 2024/1689) Annex III + Articles 13/14 — internal forward-looking control
- **MHRA Data Integrity Guidance (2018)** — ALCOA+
- GAMP 5 Cat 5
- **ICH Q7** — GMP for APIs
- **ICH Q9 R1** — Quality Risk Management
- **ICH Q10** — Pharmaceutical Quality System
- **ICH Q11** — Development and Manufacture of Drug Substances
- **ICH Q12** — Lifecycle Management
- **WHO TRS 986 Annex 2** — WHO GMP for Pharmaceutical Products
- **PIC/S PE 009-17** — international harmonization
- **India CDSCO Schedule M (Revised) §§1–17** — primary India predicate for GMP launch scope
- **India CDSCO Schedule M-III §10** — Approved Authorised Person for batch certification
- **India D&C Act 1940 / Drugs Rules 1945**
- **India Medical Devices Rules 2017**

---

**END OF VRX-URS-33 — GMP MANUFACTURING OPERATIONS AND CONTROLS — VERSION 1.0**
