# Verixa — User Requirements Specification

# Module 37: Equipment / Instrument / Asset Lifecycle — Qualification, Calibration & Preventive Maintenance

| Field | Value |
|---|---|
| Document ID | VRX-URS-37 |
| Version | 1.0 |
| Status | `Draft — not validation-ready`. Greenfield module: no current Verixa code, UI, API, or schema exists for this capability. Every code-module / API / schema / table / endpoint reference in this document is a **TARGET binding** stating the expected implementation, not a description of an implemented system. This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" only after signature capture in the Document Approval block, and "Released for validation execution" only after the module migration evidence gate (URS-37-VAL-008) and the validation evidence pack are satisfied. URS approval is separate from validation execution. |
| Document Type | User Requirements Specification (URS) |
| GAMP 5 Category | Category 5 — Custom Application |
| Code Modules (TARGET / PROPOSED) | Proposed back-end modules `equipment`, `calibration`, `maintenance` (target/proposed names). **Target binding — greenfield module; no current code exists; implementation evidence required.** Whether these are three modules or one module with three domains is an `Implementation detail Unknown — evidence required`. |
| Regulatory Classification | GxP system-of-record substrate — operates the canonical equipment / instrument / asset master register, the equipment qualification (IQ/OQ/PQ) and requalification lifecycle, the calibration schedule and calibration-record register with a due-date engine, the preventive-maintenance schedule and work-order register, the equipment status lifecycle (`registered → in_qualification → qualified/in_service → out_of_service → retired` with `out_of_calibration` and `under_maintenance` modifiers), the out-of-calibration / failed-calibration / overdue-PM impact-assessment workflow with linkage to deviations (URS-16), OOS (URS-15) and batch disposition gating (URS-33), the equipment-status-gate API (EQ-006) consumed by URS-33 / URS-23 / URS-24 / URS-25 / URS-15, and the calibration-due / PM-due / overdue notification and escalation surface (URS-30). This module closes the equipment dimension of the URS-33 §21 execution-gate finding. |
| Date of Issue | 2026-05-29 |
| Module Owner (Engineering) | Equipment & Calibration Squad (proposed; **Target binding — greenfield**) |
| Module Owner (Quality Validation) | CSV / CSA Lead — Equipment / Calibration / PM |
| Module Owner (Compliance) | Quality Assurance, Engineering / Metrology, Manufacturing, Regulatory Affairs |
| Approving Authority | Founder / Chairman & MD; QA Head; Validation Head; Engineering / Metrology Head; RA Head; Information Security Head |

## Document Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| Author — Platform Architecture | _____________________ | _____________________ | __________ |
| Reviewer — Engineering Lead | _____________________ | _____________________ | __________ |
| Reviewer — QA / Validation Lead | _____________________ | _____________________ | __________ |
| Reviewer — Engineering / Metrology Lead | _____________________ | _____________________ | __________ |
| Reviewer — Information Security Lead | _____________________ | _____________________ | __________ |
| Reviewer — Regulatory Affairs Lead | _____________________ | _____________________ | __________ |
| Reviewer — Manufacturing / Operations Lead | _____________________ | _____________________ | __________ |
| Approving Authority — Founder, Chairman & MD | _____________________ | _____________________ | __________ |

## Version History

| Version | Date | Summary |
|---|---|---|
| 0.1 | 2026-05-29 | Tier-1 proposed scaffold (`URS-37_Equipment-Calibration-PM.PROPOSED.Target-State.md`); evidence map, GxP applicability, lifecycle, requirements EQ-001..EQ-009; scope-decision pending. |
| 1.0 | 2026-05-29 | First issued full target-state user requirements specification for Module 37 following founder ratification of Option A (standalone module). Expanded the 0.1 scaffold to full target-state depth (journeys, data model, API, business rules, audit vocabulary, negative paths, regulatory mapping, requirements register, test cases, validation evidence). Greenfield: all code / API / schema references are target bindings. |

---

## 0. Document Framing

### 0.1 Purpose of this document

This URS defines the target expected state for Verixa's Equipment / Instrument / Asset Lifecycle module (Module 37), covering equipment qualification, calibration, and preventive maintenance. It is the binding contract between product, engineering, quality validation, regulatory affairs, engineering / metrology, manufacturing, and the executive authority for the design, implementation, validation, release, and on-going periodic review of the canonical equipment / instrument / asset master register; the equipment qualification (IQ/OQ/PQ) and requalification lifecycle; the calibration schedule and calibration-record register with a due-date engine; the preventive-maintenance schedule and work-order register; the equipment status lifecycle; the out-of-calibration / failed-calibration / overdue-PM impact-assessment workflow; the equipment-status-gate API (EQ-006); and the calibration-due / PM-due / overdue notification and escalation surface. Compliance with this URS is mandatory once approved. This module is **greenfield** — no current Verixa code, UI, API, schema, or migration exists for it; this document states the target, not the present.

### 0.2 Audience

Engineering, QA, Validation, Regulatory Affairs, Engineering / Metrology, Manufacturing / Operations, Information Security, executive authority, the platform's Implementation team, internal and external auditors, and inspectors from regulatory bodies (FDA, EMA, MHRA, Health Canada, CDSCO, PIC/S). The plain-language primer (§0.4) and worked examples (§3.5) make Module 37 accessible to non-domain engineers, product owners, validation engineers, metrology technicians, and quality auditors who have not previously specified an equipment / calibration / preventive-maintenance substrate for a regulated GxP platform.

### 0.3 How to read this document

Each requirement has a unique identifier. "MUST" / "shall" denotes a mandatory requirement; "SHOULD" denotes a strong recommendation; "MAY" denotes an option. The document is self-contained: front end (§5), back end (§6), data model (§6.2), application programming interface (§6.3), workflow (§6.4), business rules (§6.5), audit (§6.6), security (§12), regulatory mapping (§14), test cases (§16), and validation evidence (§17) are all in this single file. Because this is a greenfield module, every reference to a back-end module name, API endpoint, database table, or column is a **target binding** — the design intent, subject to implementation. Where an implementation detail is needed but is not yet knowable, the document writes exactly `Implementation detail Unknown — evidence required`; where a performance number would otherwise be invented, the document writes exactly `Performance threshold Unknown — evidence required`.

### 0.4 Plain-language primer for non-domain readers

In any GMP / GLP / GDP operation, work is gated on equipment being **qualified, in calibration, and not overdue for preventive maintenance**. The consequences of getting this wrong are direct and serious: a balance that is out of calibration invalidates every weighing made on it; an autoclave overdue for preventive maintenance cannot be used to sterilise; a batch cannot be released if a critical instrument's calibration lapsed during manufacture; an HPLC whose qualification expired produces results that cannot be trusted. These are the kinds of failures that produce FDA 483 observations, EU GMP non-compliance notices, and MHRA data-integrity findings.

An **equipment / instrument / asset** is any physical or measurement device used in a regulated operation — balances, pH meters, HPLC and GC systems, autoclaves, lyophilisers, incubators, stability chambers, environmental-monitoring particle counters, bioreactors, filling lines, thermometers, pressure gauges, pipettes, and more. Module 37 owns the canonical register of these assets, scoped by organisation / site / area.

**Qualification** is the documented evidence that a piece of equipment is installed correctly (Installation Qualification — IQ), operates as intended across its operating range (Operational Qualification — OQ), and performs as required for its specific use (Performance Qualification — PQ). Equipment must be **qualified** before it can be placed in service for GxP use. Qualification is periodically renewed (**requalification**).

**Calibration** is the documented comparison of an instrument's measurement against a traceable reference standard, within a defined tolerance, on a defined schedule. Each calibration record captures the result (pass / fail), the as-found and as-left readings, the tolerance, the standard used (with its own traceability), who performed it, and the calibration certificate. When an instrument's calibration is **due**, it must be calibrated before further GxP use; when it is **overdue** or **fails calibration**, every measurement made since the last good calibration is suspect and triggers an impact assessment.

**Preventive maintenance (PM)** is scheduled servicing performed to keep equipment in a state of control before it fails — replacing seals, lubricating, cleaning, replacing filters. Each PM is driven by a schedule and executed through a **work order**. Overdue PM blocks GxP use of the equipment until the PM is completed.

The **status lifecycle** captures where an asset is in its life: `registered` (entered but not yet qualified), `in_qualification` (qualification underway), `qualified` / `in_service` (qualified and available for GxP use), `out_of_service` (temporarily withdrawn), `retired` (permanently decommissioned). Two **modifiers** can apply to an in-service asset without changing its base state: `out_of_calibration` (calibration lapsed or failed) and `under_maintenance` (a PM or repair work order is open and blocks use). Status changes that affect GxP use are authority-gated and electronically signed.

The **out-of-calibration / overdue-PM impact assessment** is the control that makes this module matter: when calibration lapses or fails, or when PM goes overdue, Module 37 automatically opens an impact assessment and a deviation (URS-16), flags the batches and results that used the affected equipment during the suspect window (URS-23), and links any out-of-specification investigation (URS-15) where the instrument calibration check is a standard OOS phase-1 step.

The **equipment-status-gate** (EQ-006) is the read-only question other modules ask Module 37: "Is equipment X qualified, in calibration, and PM-current at time T?" Batch disposition (URS-33), batch execution (URS-23), stability chambers (URS-24), environmental-monitoring instruments (URS-25), and OOS instrument checks (URS-15) all call this gate so that work is not performed — and product is not released — on equipment that was not in a state of control at the point of use.

### 0.5 Equipment lifecycle diagram

```mermaid
stateDiagram-v2
  [*] --> registered : Equipment entered into register
  registered --> in_qualification : Qualification initiated (IQ/OQ/PQ)
  in_qualification --> qualified : Qualification completed and signed (in_service)
  in_qualification --> retired : Qualification abandoned (terminal)
  qualified --> out_of_service : Withdrawn from GxP use (authority-gated, e-signed)
  out_of_service --> qualified : Returned to service after evidence (authority-gated, e-signed)
  qualified --> retired : Permanently decommissioned (authority-gated, e-signed)
  out_of_service --> retired : Decommissioned from out-of-service
  retired --> [*]
  note right of qualified
    Modifiers on the in-service asset (do not change base state):
    out_of_calibration  (calibration lapsed / failed)
    under_maintenance   (open PM / repair work order blocks use)
  end note
```

Diagram 0.5-A — Equipment lifecycle. Base-state transitions that affect GxP use (`in_qualification → qualified`, `qualified → out_of_service`, `out_of_service → qualified`, `qualified/out_of_service → retired`) are authority-gated and electronically signed (substrate-verified, bound signature). The `out_of_calibration` and `under_maintenance` modifiers are applied automatically by the calibration / PM engines and removed when the condition is resolved; while either modifier is active, the EQ-006 status gate returns not-available-for-GxP-use.

### 0.6 Glossary of key terms used in this document

| Term | Definition |
|---|---|
| Asset / equipment / instrument | Any physical or measurement device used in a regulated operation (balance, HPLC, autoclave, stability chamber, particle counter, etc.). |
| As-found / as-left | The instrument reading at the start (as-found) and end (as-left) of a calibration, used to judge drift and to scope the suspect window on failure. |
| Calibration | Documented comparison of an instrument's measurement against a traceable reference standard within a defined tolerance. |
| Calibration certificate | The signed record of a calibration, stored as a URS-12 controlled document. |
| Criticality | The classification of an asset by impact of its failure on product quality / patient safety / data integrity (`critical` / `major` / `minor`). |
| EQ-006 status gate | The read-only API answering "is equipment X qualified + in-calibration + PM-current at time T?". |
| IQ / OQ / PQ | Installation / Operational / Performance Qualification — the documented qualification stages per EU GMP Annex 15. |
| Out of calibration | The modifier applied when an instrument's calibration is lapsed or failed; blocks GxP use. |
| Preventive maintenance (PM) | Scheduled servicing to keep equipment in a state of control before failure; executed through a work order. |
| Qualification | Documented evidence that equipment is installed, operates, and performs as required. |
| Requalification | Periodic re-qualification of equipment at a defined cadence. |
| Suspect window | The period from the last good calibration / PM to the point of detection, during which measurements / use are presumed affected. |
| Tolerance | The acceptable measurement deviation for a calibration to pass. |
| Traceability (metrological) | The unbroken chain of comparisons linking the calibration standard to a national / international reference. |
| Work order | The unit of executed maintenance work (PM or repair) against an asset. |

### 0.7 Module 37 architectural picture (target)

```mermaid
graph LR
  subgraph M37 [Module 37 — Equipment / Calibration / PM]
    REG[Equipment Register]
    QUAL[Qualification IQ/OQ/PQ]
    CAL[Calibration Schedule + Records]
    PM[Preventive Maintenance + Work Orders]
    IMP[Out-of-Cal / Overdue-PM Impact]
    GATE[EQ-006 Status Gate]
    LCY[Status Lifecycle]
  end

  M3[URS-03 Active Scope] <--> REG
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> LCY
  M6[URS-06 Audit Substrate] --> LCY
  M8[URS-08 Tenant Lifecycle] --> REG
  M9[URS-09 Site] <--> REG
  M11[URS-11 Supplier] <--> CAL
  M12[URS-12 Document Control] <--> CAL
  M12 <--> QUAL
  M15[URS-15 OOS] <--> IMP
  M16[URS-16 Deviations] <--> IMP
  M30[URS-30 Notifications] --> CAL
  M30 --> PM
  GATE --> M33[URS-33 GMP Batch Disposition]
  GATE --> M23[URS-23 Batch Records]
  GATE --> M24[URS-24 Stability]
  GATE --> M25[URS-25 Environmental Monitoring]
  GATE --> M15
```

Diagram 0.7-A — Module 37 architecture. **Target binding — greenfield module; no current code; the wiring shown is the intended integration surface, not an implemented one.**

---

## 1. Module Purpose

Module 37 establishes Equipment / Instrument / Asset Lifecycle management as the canonical GxP system-of-record for "is this equipment in a state of control" in Verixa. It owns the per-tenant equipment / instrument / asset master register scoped by organisation / site / area; the equipment criticality classification; the qualification (IQ/OQ/PQ) and requalification lifecycle; the calibration schedule and calibration-record register with a due-date engine; the preventive-maintenance schedule and work-order register; the equipment status lifecycle with `out_of_calibration` and `under_maintenance` modifiers; the out-of-calibration / failed-calibration / overdue-PM impact-assessment workflow; the equipment-status-gate API (EQ-006); and the calibration-due / PM-due / overdue notification and escalation surface.

Module 37 is consumed by URS-33 GMP batch disposition (calls EQ-006 to confirm every critical instrument used in a batch was qualified, in calibration, and PM-current across the manufacturing window — this closes the equipment dimension of the URS-33 §21 "execution gates absent" finding); by URS-23 batch execution (EQ-006 at point of use); by URS-24 stability chambers and URS-25 environmental-monitoring instruments (EQ-006 at point of use); by URS-15 OOS investigations (instrument calibration check is a standard OOS phase-1 step); by URS-16 deviations (auto-raised on out-of-calibration / overdue PM); by URS-03 to compute active-scope intersection on the equipment dimension; by URS-05 / URS-03 to authority-gate and scope status changes; by URS-06 to attribute audit rows; by URS-12 to store calibration certificates and qualification protocols / reports as controlled documents; and by URS-30 to deliver due / overdue notifications and escalations.

Module 37 is the **first-class navigation entry point for equipment qualification, calibration, and maintenance reviews** and for equipment-related regulatory inspections.

**Greenfield statement.** No current Verixa code, UI, API, schema, or migration implements this module. A `gmp_equipment_qualification_created` event is referenced as emitted elsewhere in the platform, but there is no equipment system-of-record today. Everything in §§5–6 is a target binding; **implementation evidence is required** before any requirement can be marked verified.

---

## 2. Scope

### 2.1 In scope

- The equipment / instrument / asset master register per DEC-37-01 covering equipment categories including but not limited to: `weighing_balance`, `ph_meter`, `hplc`, `uplc`, `gc`, `gc_ms`, `lc_ms`, `dissolution_apparatus`, `karl_fischer_titrator`, `spectrophotometer_uv_vis`, `ftir`, `autoclave`, `depyrogenation_oven`, `lyophiliser`, `incubator`, `stability_chamber`, `cold_storage_unit`, `freezer_ultralow`, `particle_counter`, `environmental_monitoring_sampler`, `bioreactor`, `fermenter`, `tangential_flow_filtration_skid`, `filling_line`, `capping_line`, `blister_pack_line`, `tablet_press`, `coating_pan`, `fluid_bed_dryer`, `homogeniser`, `water_system_purified`, `water_system_wfi`, `clean_steam_generator`, `compressed_air_system`, `thermometer`, `pressure_gauge`, `temperature_humidity_logger`, `pipette`, `timer`, `conductivity_meter`, `toc_analyser`, `endotoxin_reader`, `microbiology_identification_system`, `other`. Adding a category is a Class 1 change. A single asset MAY carry sub-classifications (e.g., `gmp_critical`, `data_acquisition_capable`, `21cfr11_relevant`).
- Equipment criticality classification per DEC-37-02: `critical`, `major`, `minor`; criticality is set at registration / qualification and re-evaluated at every requalification; criticality drives qualification rigor (DEC-37-03), requalification cadence (DEC-37-04), calibration interval default (DEC-37-05), PM interval default (DEC-37-06), impact-assessment severity defaults (DEC-37-09), and executive-authority co-sign requirement (DEC-37-16).
- Per-asset identity fields: `id`, `tenant_id`, `equipment_tag` (tenant-unique asset identifier), `display_name`, `category`, `manufacturer`, `model`, `serial_number`, `criticality_classification`, `scope_jsonb` (org / site / area, compatible with URS-05 scope dimensions per DEC-37-22), `location_text`, `status` (base lifecycle state), `out_of_calibration_flag`, `under_maintenance_flag`, `supplier_id` (nullable; FK URS-11 equipment vendor / calibration provider), `vertical_classification_jsonb`, `created_by`, `created_at`.
- Equipment qualification (IQ/OQ/PQ) and requalification per DEC-37-03 / DEC-37-04: qualification stages, status, planned and actual dates, protocol / report evidence links to URS-12 controlled documents; "qualified" is a precondition for `in_service`; requalification cadence per criticality.
- Calibration schedule and calibration-record register per DEC-37-05: per-asset calibration interval, last-calibration date, next-due date, tolerance specification, calibration standard reference (with metrological traceability), result (`pass` / `fail` / `pass_with_adjustment`), as-found / as-left readings, performed-by (internal user or external calibration provider via URS-11), calibration certificate stored as a URS-12 controlled document.
- Preventive-maintenance schedule and work-order register per DEC-37-06: per-asset PM interval, last-PM date, next-due date, PM plan / checklist reference (URS-12), work-order lifecycle (`open → in_progress → completed → verified`), performed-by, parts used, completion evidence.
- Equipment status lifecycle per DEC-37-07: `registered → in_qualification → qualified/in_service → out_of_service → retired`, with `out_of_calibration` and `under_maintenance` modifiers; base-state transitions affecting GxP use are authority-gated and electronically signed.
- Out-of-calibration / failed-calibration / overdue-PM impact assessment per DEC-37-09: on lapsed calibration, failed calibration, or overdue PM, Module 37 auto-creates an impact assessment and a deviation (URS-16), determines the suspect window, flags affected batches / results (URS-23), and links OOS investigations (URS-15) where applicable.
- Equipment-status-gate API (EQ-006) per DEC-37-08: a read-only gate answering "is equipment X qualified + in-calibration + PM-current at time T?", consumed by URS-33 / URS-23 / URS-24 / URS-25 / URS-15.
- Calibration-due / PM-due / overdue notification and escalation per DEC-37-10: URS-30 reminders at configurable horizons; overdue triggers escalation; lapsed sets `regulatory_concern` flag.
- Calibration certificates, qualification protocols / reports, and PM plans / checklists stored as URS-12 controlled documents per DEC-37-11.
- Reports and dashboards: per-tenant equipment register, per-asset detail and history, calibration-due timeline, PM-due timeline, overdue register, qualification status register, impact-assessment register, equipment-status-gate audit log.
- Front-end: equipment register browser, equipment registration wizard, per-asset detail (Overview / Qualification / Calibration / Maintenance / Status & Lifecycle / Impact Assessments / Documents / History), qualification workflow surface, calibration record surface, PM work-order surface, status-change surface, impact-assessment surface.
- Cross-module wiring: URS-03 consumes equipment scope; URS-04 e-signs lifecycle / status transitions; URS-05 authority-gates scoped status changes; URS-06 audits every Module 37 lifecycle event; URS-08 tenant lifecycle gate; URS-09 site reference for asset location; URS-11 equipment-vendor / calibration-provider supplier reference; URS-12 holds certificates / protocols / PM plans; URS-15 OOS instrument-check linkage; URS-16 auto-deviation; URS-23 affected-batch flagging; URS-24 / URS-25 point-of-use gating; URS-30 notifications; URS-33 batch-disposition gate; URS-35 long-term archive.

### 2.2 Out of scope

- Authentication, MFA, password policy, session lifecycle (URS-01).
- Permission matrix and base role catalogue (URS-02).
- Active-context resolution and approval-scope check (URS-03).
- Workflow templates, runtime, e-signature ceremony, HITL lifecycle (URS-04).
- Authority Profile catalogue, assignments, delegations, SoD (URS-05).
- Audit substrate (URS-06; Module 37 is a writer).
- Tenant lifecycle (URS-08; Module 37 mutations gated by tenant `active` state).
- Site catalogue and facility / site licensing (URS-09; Module 37 references sites for asset location only).
- Supplier qualification of the equipment vendor / calibration provider (URS-11; Module 37 references suppliers, does not qualify them).
- Document control (URS-12; Module 37 stores certificates / protocols / PM plans as URS-12 documents).
- The manufacturing batch record itself and batch disposition logic (URS-23 / URS-33; Module 37 supplies the EQ-006 gate they consume).
- The OOS investigation workflow (URS-15; Module 37 links to it).
- The deviation workflow (URS-16; Module 37 auto-raises into it).
- Computerised-system validation of the equipment's own embedded software where that software is a separate GAMP-categorised system (referenced, not owned).
- AI-driven decision-making (explicitly prohibited in this module's quality-critical paths; any AI assist is advisory only per §8).

### 2.3 Closed decisions

| Identifier | Closed decision |
|---|---|
| DEC-37-01 | Equipment categories at launch are the enumerated list in §2.1. Adding a top-level category or sub-classification is a Class 1 change. A single asset MAY carry multiple sub-classifications; the asset's criticality is the most stringent applicable. |
| DEC-37-02 | Equipment criticality classification is exactly three levels: `critical`, `major`, `minor`. Criticality is set at registration / qualification per the impact of the asset's failure on product quality / patient safety / data integrity; criticality is re-evaluated at every requalification; a downgrade requires `regulatory_oversight_admin` co-sign; an upgrade is permitted with QA lead signature. |
| DEC-37-03 | Equipment qualification follows IQ/OQ/PQ per EU GMP Annex 15. The required qualification stages per (category × criticality) are defined in a platform-managed qualification matrix; `critical` GxP equipment requires IQ + OQ + PQ + qualification report before `in_qualification → qualified`; `minor` non-GxP-impacting equipment MAY require a reduced qualification per the matrix. Tenant administrators MAY tighten requirements; tenants MAY NEVER loosen below the matrix. The exact per-cell matrix content is an `Implementation detail Unknown — evidence required` at this stage and is a configuration specification to be authored before validation. |
| DEC-37-04 | Requalification (periodic) cadence default per criticality: `critical` qualification reviewed at least every 12 months and requalified per a documented interval; `major` reviewed at least every 24 months; `minor` reviewed at least every 36 months. The exact requalification intervals per category are an `Implementation detail Unknown — evidence required` and are set in the configuration specification. Tenant administrators MAY configure shorter (more frequent), never longer without controlled regulatory justification and approved change control. |
| DEC-37-05 | Calibration schedule: each calibration-relevant asset has a calibration interval, a last-calibration date, a next-due date computed from interval, a tolerance specification, and a calibration-standard reference with metrological traceability. The default calibration interval per (category × criticality) is platform-managed and tenant-tightenable; the specific default intervals are an `Implementation detail Unknown — evidence required`. Calibration result values are exactly `pass`, `fail`, `pass_with_adjustment`. A `fail` or a lapsed calibration sets the `out_of_calibration` modifier. |
| DEC-37-06 | Preventive-maintenance schedule: each PM-relevant asset has a PM interval, a last-PM date, a next-due date, and a PM plan / checklist (URS-12). Work-order states are exactly `open`, `in_progress`, `completed`, `verified`. An open PM / repair work order sets the `under_maintenance` modifier; the modifier clears when the work order reaches `verified`. Overdue PM blocks GxP use of the asset (EQ-006 returns not-available). Default PM intervals per (category × criticality) are an `Implementation detail Unknown — evidence required`. |
| DEC-37-07 | Equipment status lifecycle base states are exactly five values: `registered`, `in_qualification`, `qualified` (synonymous with `in_service`), `out_of_service`, `retired`. Allowed base-state transitions: `registered → in_qualification`; `in_qualification → qualified | retired`; `qualified → out_of_service | retired`; `out_of_service → qualified | retired`. All other base-state transitions are forbidden. The `out_of_calibration` and `under_maintenance` modifiers are independent boolean conditions on a `qualified` asset, set / cleared by the calibration / PM engines; they do not change the base state. Base-state transitions affecting GxP use are authority-gated and e-signed per DEC-37-12. |
| DEC-37-08 | The equipment-status-gate (EQ-006) is a read-only API that, given an `equipment_id` and a time `T`, returns whether the asset was `qualified` (base state), not `out_of_calibration`, and not `under_maintenance` / not overdue-PM at time `T`, together with the contributing evidence (qualification state, last good calibration with next-due, last verified PM with next-due). The gate is consumed by URS-33, URS-23, URS-24, URS-25, URS-15. The gate is deterministic and rule-based; it contains no AI / ML. |
| DEC-37-09 | Out-of-calibration / failed-calibration / overdue-PM impact assessment: on lapsed calibration, `fail` calibration, or overdue PM, Module 37 auto-creates an impact-assessment record and a linked deviation (URS-16). The impact assessment determines the suspect window (from the last good calibration / verified PM to detection), flags affected batches / results in that window (URS-23), and links OOS investigations (URS-15) where the affected results are under OOS review. Default impact severity is seeded from criticality (`critical` → high; `major` → medium; `minor` → low) and is adjustable by the assessor with signature. |
| DEC-37-10 | Calibration-due / PM-due / overdue notification and escalation: URS-30 reminders are sent at configurable horizons (default T-30, T-7, T-1 for due; on-overdue and daily-while-overdue for overdue). Overdue critical-asset calibration / PM sets a `regulatory_concern` flag and escalates to QA lead and above. The exact escalation ladder is configurable; the default ladder beyond QA lead is an `Implementation detail Unknown — evidence required`. |
| DEC-37-11 | Calibration certificates, qualification protocols / reports, and PM plans / checklists are stored as URS-12 controlled documents; Module 37 holds the references and effective dates, not the document binaries. |
| DEC-37-12 | Base-state transitions affecting GxP use (`in_qualification → qualified`, `qualified → out_of_service`, `out_of_service → qualified`, `qualified/out_of_service → retired`) and criticality downgrades MUST be authority-gated (URS-05) and electronically signed via the regulated e-signature service. The signature MUST be substrate-verified and bound to a single `electronic_signatures` row per the platform e-signature pattern (reference exemplar: the OOS module's e-signature binding pattern at `oos-oot/service.ts:710` — **cited as the platform exemplar pattern; the Module 37 binding is a target binding, implementation evidence required**). |
| DEC-37-13 | Executive-authority (Founder) co-sign is required at: `critical`-asset `in_qualification → qualified` (initial qualification of critical GxP equipment); `critical`-asset retirement; return-to-service of a `critical` asset from a `regulatory_concern` out-of-service. Multi-factor step-up is required for every executive-authority co-sign. (Renumbered reference DEC-37-16 in the scaffold; the binding identifier is DEC-37-13.) |
| DEC-37-14 | Hard delete of equipment, calibration, PM, qualification, or impact-assessment records is prohibited. Retirement is a lifecycle state, not a delete; retired assets and all their history remain query-accessible for inspection. Soft-delete applies only to erroneous draft registrations not yet qualified, preserving `deleted_at` / `deleted_by` and an audit entry. |
| DEC-37-15 | Snapshot pinning: an EQ-006 gate evaluation consumed by an in-flight regulated decision (batch disposition, batch step, OOS) is captured as a pinned evidence snapshot referencing the asset's qualification / calibration / PM state effective at the evaluated time `T`, so that later state changes do not retroactively alter the recorded decision basis. |
| DEC-37-16 | Equipment scope uses `scope_jsonb` (org / site / area) compatible with URS-05 scope dimensions; visibility and authority for status changes are resolved at decision time with `scopeSource: 'context'` (active scope from URS-03). |
| DEC-37-17 | The EQ-006 gate, the calibration due-date engine, the PM due-date engine, and the impact-assessment trigger are all **static / deterministic** (same inputs → same outputs). No generative AI, LLM, or probabilistic model participates in any quality-critical path of this module, per CLAUDE.md QS-21 / EU Annex 22 (draft). Any AI assist is advisory only per §8. |

---

## 3. User Roles and Permissions

### 3.1 Architecture

Module 37 consumes Layer 1 (base role) and Layer 2 (permission matrix) from URS-02; consumes the Authority Profile catalogue and resolver from URS-05; consumes the active scope from URS-03. Module 37 owns three administrative surfaces: (a) the per-tenant equipment register and registration wizard, (b) the per-asset detail with qualification / calibration / maintenance / lifecycle surfaces, and (c) the impact-assessment surface. Module 37 layers an **asset-level role overlay** (`equipment_owner`, `metrology_lead`, `maintenance_lead`) for accountability on each asset. **Target binding — greenfield; the overlay design is the intended model, implementation evidence required.**

### 3.2 Role definitions

The five tenant-level base roles defined by URS-02 (`admin`, `quality_lead`, `reviewer`, `auditor`, `viewer`) and the cross-tenant platform identities apply unchanged. Module 37 introduces three **asset-level roles**:

| Asset role | Description | Cardinality per asset |
|---|---|---|
| `equipment_owner` | The named accountable user (typically Engineering / area owner) for the asset record; initiates and signs status / lifecycle transitions. | Exactly 1 (when `registered` or beyond) |
| `metrology_lead` | The named accountable user for calibration of the asset; signs calibration records and out-of-calibration impact decisions. | Exactly 1 (when calibration-relevant) |
| `maintenance_lead` | The named accountable user for preventive maintenance of the asset; signs PM work-order verification. | Exactly 1 (when PM-relevant) |

### 3.3 Authority Profiles consumed by Module 37

| Authority Profile | Module 37 action gated |
|---|---|
| `tenant_admin_authority` | Read equipment register; create assets; configure tenant-level qualification / calibration / PM interval preferences (within DEC-37 minimums). |
| `engineering_metrology_authority` (Tier 1; new in Module 37) | Initiate qualification; sign calibration records; manage `metrology_lead` / `maintenance_lead` overlays. |
| `final_quality_approver` | Co-sign initial qualification; co-sign return-to-service; co-sign out-of-calibration / overdue-PM impact-assessment closure; co-sign criticality downgrade. |
| `validation_approver` | Co-sign qualification (IQ/OQ/PQ) completion. |
| `regulatory_oversight_admin` | Co-sign criticality downgrade; co-sign return-to-service from `regulatory_concern` out-of-service. |
| executive authority (Founder) | Co-sign critical-asset initial qualification, critical-asset retirement, return-to-service of a critical asset from regulatory-concern out-of-service per DEC-37-13. |

**Target binding — greenfield.** The exact Authority Profile names beyond those already established in URS-05 are proposed; `engineering_metrology_authority` is a new Tier-1 profile requiring URS-05 catalogue addition. Implementation evidence required.

### 3.4 Segregation-of-Duties rules

| SoD rule | Module 37 application |
|---|---|
| `AUTHOR_NEQ_APPROVER` | The user who registers an asset or executes a calibration cannot also sign its qualification approval; the qualification approver MUST be a different user. |
| `CALIBRATOR_NEQ_IMPACT_CLOSER` (Tier 1, asset-specific) | The user who performed a failed calibration cannot be the sole signer of the out-of-calibration impact-assessment closure. |
| `EQUIPMENT_OWNER_NEQ_METROLOGY_LEAD` (Tier 1, asset-specific) | The `equipment_owner` and `metrology_lead` SHOULD be distinct users where the tenant headcount permits; where a single qualified user holds both, a compensating independent reviewer MUST sign qualification / impact closure. `Implementation detail Unknown — evidence required` for the small-tenant compensating-control configuration. |
| `MAINTAINER_NEQ_PM_VERIFIER` (Tier 1, asset-specific) | The user who executed a PM work order cannot be the sole verifier that moves it to `verified`. |
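
One way to evaluate the four SoD rules above before a signature is accepted, as an added TypeScript example (not Verixa code; Module 37 is greenfield). Only the rule codes come from the table; the `SignContext` variants, the `Roster` shape and the function names are assumptions, and "independent reviewer" is modelled as any signer other than the dual-role holder.

```typescript
// Added example: evaluating the section 3.4 SoD rules before a signature is accepted.
// Rule codes are from the table; every type, field and function name is hypothetical.

type SodRule =
  | "AUTHOR_NEQ_APPROVER"
  | "CALIBRATOR_NEQ_IMPACT_CLOSER"
  | "EQUIPMENT_OWNER_NEQ_METROLOGY_LEAD"
  | "MAINTAINER_NEQ_PM_VERIFIER";

interface Roster {
  equipmentOwnerId: string;
  metrologyLeadId: string;
}

// One variant per signing action, so the facts each rule needs cannot be omitted.
type SignContext =
  | { action: "sign_qualification"; signerIds: string[]; registrarId: string;
      calibratorIds: string[]; roster: Roster }
  | { action: "close_impact_assessment"; signerIds: string[];
      failedCalibrationBy: string; roster: Roster }
  | { action: "verify_pm_work_order"; signerIds: string[]; performedBy: string };

interface SodViolation {
  rule: SodRule;
  detail: string;
}

// Signers that are not in the excluded set.
function independentOf(signers: string[], excluded: string[]): string[] {
  return signers.filter((s) => excluded.indexOf(s) === -1);
}

// Compensating control: when one user is both equipment_owner and metrology_lead,
// at least one other user must sign (assumed reading of "independent reviewer").
function dualRoleViolation(signers: string[], roster: Roster): SodViolation[] {
  if (roster.equipmentOwnerId !== roster.metrologyLeadId) return [];
  if (independentOf(signers, [roster.equipmentOwnerId]).length > 0) return [];
  return [{
    rule: "EQUIPMENT_OWNER_NEQ_METROLOGY_LEAD",
    detail: "owner and metrology lead are one user; independent reviewer signature missing",
  }];
}

function checkSod(ctx: SignContext): SodViolation[] {
  // Fail closed: an empty signer list is never an acceptable signature set.
  if (ctx.signerIds.length === 0) throw new Error("no signers supplied");
  const out: SodViolation[] = [];

  if (ctx.action === "sign_qualification") {
    // No approver may be the registrar or a user who executed a calibration.
    const authors = [ctx.registrarId].concat(ctx.calibratorIds);
    const conflicted = ctx.signerIds.filter((s) => authors.indexOf(s) !== -1);
    if (conflicted.length > 0) {
      out.push({ rule: "AUTHOR_NEQ_APPROVER", detail: "approver also authored: " + conflicted.join(", ") });
    }
    return out.concat(dualRoleViolation(ctx.signerIds, ctx.roster));
  }

  if (ctx.action === "close_impact_assessment") {
    // "Sole signer" rule: at least one signer must not be the calibrator.
    if (independentOf(ctx.signerIds, [ctx.failedCalibrationBy]).length === 0) {
      out.push({ rule: "CALIBRATOR_NEQ_IMPACT_CLOSER", detail: "calibrator is the only signer" });
    }
    return out.concat(dualRoleViolation(ctx.signerIds, ctx.roster));
  }

  // verify_pm_work_order: at least one verifier must not be the maintainer.
  if (independentOf(ctx.signerIds, [ctx.performedBy]).length === 0) {
    out.push({ rule: "MAINTAINER_NEQ_PM_VERIFIER", detail: "maintainer is the only verifier" });
  }
  return out;
}

// Convenience for logging and tests: violated rule codes, comma-separated.
function violatedRules(ctx: SignContext): string {
  return checkSod(ctx).map((v) => v.rule).join(",");
}
```

The per-action context variants make the check fail closed at compile time: a caller cannot request an impact-assessment closure without naming who performed the failed calibration.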

### 3.5 Worked examples

#### Worked example A — Critical HPLC qualification

A QC laboratory acquires a new HPLC for assay testing. The `equipment_owner` (Engineering) registers the asset (state `registered`); category `hplc`; criticality `critical` (release-testing instrument); scope set to the QC lab area; supplier linked to the qualified instrument vendor (URS-11). The `equipment_owner` initiates qualification (state `in_qualification`). IQ, OQ, and PQ protocols are executed; protocols and reports are uploaded as URS-12 controlled documents and referenced. The `validation_approver` signs qualification completion; the `final_quality_approver` co-signs; because the asset is `critical`, the executive authority co-signs with MFA per DEC-37-13. State moves to `qualified` / `in_service`. A calibration schedule (interval, tolerance, standard) and a PM schedule are activated. The asset is now available; EQ-006 returns available-for-GxP-use.

#### Worked example B — Routine calibration (pass)

A balance is due for calibration. URS-30 alerted at T-30, T-7, T-1. The `metrology_lead` (or an external calibration provider via URS-11) performs the calibration against a traceable reference, records as-found and as-left readings within tolerance, result `pass`, uploads the calibration certificate to URS-12, and signs the calibration record. The next-due date advances by the interval. EQ-006 continues to return available.

#### Worked example C — Failed calibration → impact assessment → deviation

A pH meter used in in-process testing fails its scheduled calibration (as-found reading outside tolerance). Module 37 records result `fail`, sets the `out_of_calibration` modifier, and EQ-006 immediately returns not-available for this asset. The system auto-creates an impact-assessment record and a linked deviation (URS-16), computes the suspect window from the last good calibration to detection, and flags every batch / result that used this instrument in that window (URS-23). One affected result is already under an OOS investigation; the impact assessment links to that OOS record (URS-15). The `metrology_lead` and `final_quality_approver` (independent of the calibrator per `CALIBRATOR_NEQ_IMPACT_CLOSER`) assess and sign the impact decision. The instrument is re-calibrated successfully; the `out_of_calibration` modifier clears; EQ-006 returns available again.

#### Worked example D — Overdue preventive maintenance blocks use

An autoclave's PM is not completed within its interval and goes overdue. Module 37 sets the `under_maintenance` / overdue-PM condition; EQ-006 returns not-available; URS-30 escalates to the `maintenance_lead`, `equipment_owner`, and QA lead with a `regulatory_concern` flag. A PM work order is executed (`open → in_progress → completed`), and an independent verifier moves it to `verified` per `MAINTAINER_NEQ_PM_VERIFIER`. The overdue condition clears; EQ-006 returns available.

#### Worked example E — Batch disposition gate (closes URS-33 §21 finding)

During URS-33 GMP batch disposition, the disposition workflow calls EQ-006 for every critical instrument used during the manufacturing window of the batch. For one balance, EQ-006 reports that its calibration lapsed for three days inside the manufacturing window. URS-33 receives a not-available result with the contributing evidence and the suspect window; the disposition is blocked pending impact assessment, and the linkage to the auto-raised deviation (URS-16) is surfaced. Before this module existed, this lapse could not be detected at disposition — this is the URS-33 §21 execution-gate finding being closed for the equipment dimension.

### 3.6 Role-permission matrix (Module 37 administrative surface only)

| Action | viewer | reviewer | quality_lead | auditor | admin | platform_admin | super_admin | Founder | Authority Profile / Asset role |
|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|---|
| Read equipment register | — | ✓ | ✓ | ✓ | ✓ | support / break-glass only | support / break-glass only | ✓ | — |
| Register asset | — | — | ✓ + sign | — | ✓ + sign | — | — | — | `tenant_admin_authority` / `engineering_metrology_authority` |
| Initiate qualification | — | — | equipment_owner + sign | — | equipment_owner + sign | — | — | — | `equipment_owner` / `engineering_metrology_authority` |
| Sign qualification (non-critical) | — | — | independent of registrar + sign + validation + final_quality_approver | — | independent of registrar + sign + validation + final_quality_approver | — | — | — | `validation_approver` + `final_quality_approver` |
| Sign qualification (critical) | — | — | — | — | — | — | — | ✓ + sign + MFA | `validation_approver` + `final_quality_approver` + executive authority |
| Record calibration | — | — | metrology_lead + sign | — | metrology_lead + sign | — | — | — | `metrology_lead` / `engineering_metrology_authority` |
| Close out-of-calibration impact assessment | — | — | metrology_lead + sign + final_quality_approver (independent of calibrator) | — | metrology_lead + sign + final_quality_approver | — | — | — | `metrology_lead` + `final_quality_approver` per `CALIBRATOR_NEQ_IMPACT_CLOSER` |
| Create / progress PM work order | — | — | maintenance_lead + sign | — | maintenance_lead + sign | — | — | — | `maintenance_lead` / `engineering_metrology_authority` |
| Verify PM work order | — | — | independent verifier + sign | — | independent verifier + sign | — | — | — | independent per `MAINTAINER_NEQ_PM_VERIFIER` |
| Take asset out of service | — | — | equipment_owner + sign | — | equipment_owner + sign | — | — | — | `equipment_owner` (+ QA for GxP-critical) |
| Return asset to service | — | — | equipment_owner + sign + final_quality_approver | — | equipment_owner + sign + final_quality_approver | — | — | ✓ + sign for regulatory-concern | `equipment_owner` + `final_quality_approver` (+ executive authority for regulatory-concern critical) |
| Retire asset (non-critical) | — | — | equipment_owner + sign + final_quality_approver | — | equipment_owner + sign + final_quality_approver | — | — | — | `equipment_owner` + `final_quality_approver` |
| Retire asset (critical) | — | — | — | — | — | — | — | ✓ + sign + MFA | `equipment_owner` + `final_quality_approver` + executive authority |
| Downgrade criticality | — | — | quality_lead + sign + regulatory_oversight_admin co-sign | — | quality_lead + sign + regulatory_oversight_admin | — | — | — | `regulatory_oversight_admin` |
| Read EQ-006 gate result | — | ✓ | ✓ | ✓ | ✓ | support / break-glass only | support / break-glass only | ✓ | consumed by URS-33/23/24/25/15 service identities |
| Export equipment / calibration / PM register | — | — | — | — | ✓ + sign + `audit:export` | support / break-glass only | support / break-glass only | — | `equipment_owner` + `audit:export` |
| Configure interval / qualification preferences | — | — | — | — | ✓ + sign | support / break-glass only | support / break-glass only | — | `tenant_admin_authority` |

External identities cannot reach Module 37 administrative surfaces. **Target binding — greenfield; the matrix states the intended gating, implementation evidence required.**

#### 3.6.1 Platform-identity tenant actions — controlled support / break-glass posture

Per URS-02 §3.6.1 and URS-08 §3.6.1, platform identities MAY perform tenant-scoped Module 37 actions only under controlled support / break-glass posture: target tenant identifier, business-justification, support-ticket / customer-reference, electronic signature, `PLATFORM_TENANT_ACCESS_USED`, SOC alert, customer notification within 24 hours.

---

## 4. End-to-End User Journeys

### J-01 — Asset registration

- Trigger: tenant administrator / `equipment_owner` registers a new asset.
- Steps: opens equipment register; creates asset with category, criticality, identity (tag / manufacturer / model / serial), scope (org / site / area), supplier link; signs; asset enters `registered`.
- Audit: `EQUIPMENT_REGISTERED`.

### J-02 — Qualification initiated

- Trigger: registered asset moves to qualification.
- Steps: `equipment_owner` initiates qualification; state `in_qualification`; IQ/OQ/PQ protocols referenced (URS-12).
- Audit: `EQUIPMENT_QUALIFICATION_INITIATED`.

### J-03 — Qualification completed and signed (non-critical)

- Trigger: IQ/OQ/PQ executed; qualification report ready.
- Steps: `validation_approver` signs completion; `final_quality_approver` co-signs (independent of registrar per `AUTHOR_NEQ_APPROVER`); state moves to `qualified`; calibration / PM schedules activated.
- Audit: `EQUIPMENT_QUALIFIED`.

### J-04 — Qualification completed and signed (critical)

- Trigger: critical asset qualification ready.
- Steps: `validation_approver` + `final_quality_approver` + executive authority co-sign with MFA per DEC-37-13; state moves to `qualified`.
- Audit: `EQUIPMENT_QUALIFIED` with `criticality = critical` and executive-authority co-sign reference.

```mermaid
sequenceDiagram
  autonumber
  participant EO as Equipment Owner
  participant API as Module 37 API (target)
  participant U12 as URS-12 Document Control
  participant VAL as Validation Approver
  participant QA as Final Quality Approver
  participant FDR as Executive Authority
  participant LOG as URS-06 Audit

  EO->>API: POST /equipment/:id/qualification/initiate
  API->>LOG: EQUIPMENT_QUALIFICATION_INITIATED
  Note over EO: IQ/OQ/PQ executed
  EO->>U12: Upload qualification protocols + report
  EO->>API: POST /equipment/:id/qualification/complete
  VAL->>API: validation_approver sign
  QA->>API: final_quality_approver co-sign
  FDR->>API: executive authority co-sign + MFA (critical only)
  API->>LOG: EQUIPMENT_QUALIFIED
```

### J-05 — Calibration scheduled

- Trigger: asset qualified; calibration schedule activated.
- Steps: system sets interval, tolerance, standard reference, next-due date.
- Audit: `EQUIPMENT_CALIBRATION_SCHEDULED`.

### J-06 — Calibration recorded (pass)

- Trigger: calibration performed on / before due date.
- Steps: `metrology_lead` (or external provider via URS-11) records as-found / as-left readings, result `pass`, uploads certificate (URS-12); signs; next-due advances.
- Audit: `EQUIPMENT_CALIBRATION_RECORDED` with result `pass`.

### J-07 — Calibration recorded (fail) → out-of-calibration

- Trigger: calibration outside tolerance.
- Steps: `metrology_lead` records result `fail`; system sets `out_of_calibration` modifier; EQ-006 returns not-available; auto impact assessment + deviation created (J-12).
- Audit: `EQUIPMENT_CALIBRATION_RECORDED` (result `fail`), `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED`.

### J-08 — Calibration lapsed (overdue) → out-of-calibration

- Trigger: next-due date passed without a recorded calibration.
- Steps: scheduled job sets `out_of_calibration` modifier; EQ-006 returns not-available; `regulatory_concern` flag set for critical; auto impact assessment + deviation created.
- Audit: `EQUIPMENT_CALIBRATION_LAPSED`, `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED`.

### J-09 — PM scheduled

- Trigger: asset qualified; PM schedule activated.
- Steps: system sets PM interval, PM plan reference (URS-12), next-due date.
- Audit: `EQUIPMENT_PM_SCHEDULED`.

### J-10 — PM work order executed and verified

- Trigger: PM performed on / before due date.
- Steps: `maintenance_lead` opens work order (`open → in_progress → completed`); independent verifier signs (`completed → verified`) per `MAINTAINER_NEQ_PM_VERIFIER`; next-due advances; `under_maintenance` modifier clears.
- Audit: `EQUIPMENT_PM_WORK_ORDER_OPENED`, `EQUIPMENT_PM_WORK_ORDER_COMPLETED`, `EQUIPMENT_PM_WORK_ORDER_VERIFIED`.

### J-11 — PM overdue → blocks use

- Trigger: PM next-due date passed without a verified work order.
- Steps: scheduled job sets overdue-PM condition; EQ-006 returns not-available; `regulatory_concern` flag for critical; URS-30 escalates.
- Audit: `EQUIPMENT_PM_OVERDUE`.

### J-12 — Out-of-calibration / overdue-PM impact assessment

- Trigger: failed / lapsed calibration or overdue PM.
- Steps: system auto-creates impact assessment; computes suspect window; flags affected batches / results (URS-23); links OOS (URS-15) where applicable; auto-raises deviation (URS-16); assessor + `final_quality_approver` (independent per `CALIBRATOR_NEQ_IMPACT_CLOSER`) sign closure.
- Audit: `EQUIPMENT_IMPACT_ASSESSMENT_OPENED`, `EQUIPMENT_IMPACT_ASSESSMENT_CLOSED`.

```mermaid
flowchart TD
  A([Failed / lapsed calibration OR overdue PM]) --> B[Set out_of_calibration / overdue-PM condition]
  B --> C[EQ-006 returns not-available]
  C --> D[Auto-create impact assessment; compute suspect window]
  D --> E[Auto-raise deviation URS-16]
  D --> F[Flag affected batches/results URS-23]
  D --> G[Link OOS URS-15 where applicable]
  E --> H[Assessor + final_quality_approver sign closure independent of calibrator]
  F --> H
  G --> H
  H --> I[EQUIPMENT_IMPACT_ASSESSMENT_CLOSED]
```

### J-13 — Take asset out of service

- Trigger: asset withdrawn from GxP use.
- Steps: `equipment_owner` opens out-of-service; reason; signs; QA co-sign for GxP-critical; state `out_of_service`; EQ-006 returns not-available.
- Audit: `EQUIPMENT_TAKEN_OUT_OF_SERVICE` with reason.

### J-14 — Return asset to service

- Trigger: out-of-service condition resolved.
- Steps: `equipment_owner` submits evidence; `final_quality_approver` co-signs; executive authority co-signs for regulatory-concern critical assets per DEC-37-13; state `qualified`; EQ-006 returns available.
- Audit: `EQUIPMENT_RETURNED_TO_SERVICE`.

### J-15 — Periodic requalification due

- Trigger: requalification due per DEC-37-04 cadence.
- Steps: URS-30 alerts T-90, T-30, T-7; `equipment_owner` initiates requalification; protocols / reports referenced; co-signs per criticality.
- Audit: `EQUIPMENT_REQUALIFICATION_INITIATED`, `EQUIPMENT_REQUALIFIED`.

### J-16 — Requalification missed → regulatory concern

- Trigger: requalification not completed within grace window.
- Steps: scheduled job sets `regulatory_concern` flag and takes the asset out-of-service (GxP use blocked); URS-30 escalates.
- Audit: `EQUIPMENT_REQUALIFICATION_MISSED`.

### J-17 — Retire asset

- Trigger: asset permanently decommissioned.
- Steps: `equipment_owner` opens retirement; reason; `final_quality_approver` co-signs; executive authority for critical; state `retired`; history preserved.
- Audit: `EQUIPMENT_RETIRED`.

### J-18 — EQ-006 gate consumed by batch disposition (URS-33)

- Trigger: URS-33 disposition evaluates a batch.
- Steps: URS-33 calls EQ-006 for each critical instrument across the manufacturing window; Module 37 returns available / not-available with contributing evidence and pinned snapshot (DEC-37-15); URS-33 blocks disposition on any not-available result.
- Audit: `EQUIPMENT_STATUS_GATE_EVALUATED` (coarse, with consuming module + pinned snapshot reference).

### J-19 — EQ-006 gate consumed at point of use (URS-23 / URS-24 / URS-25)

- Trigger: batch step / stability read / EM read about to use an asset.
- Steps: consuming module calls EQ-006 at point of use; Module 37 returns available / not-available; consuming module blocks the step on not-available.
- Audit: `EQUIPMENT_STATUS_GATE_EVALUATED`.

### J-20 — OOS instrument-calibration check (URS-15)

- Trigger: OOS phase-1 investigation checks instrument calibration.
- Steps: URS-15 queries EQ-006 / the calibration history for the instrument used; if a lapse / fail is found in the result window, the impact assessment (J-12) links the OOS record.
- Audit: `EQUIPMENT_IMPACT_ASSESSMENT_LINKED_TO_OOS`.

### J-21 — Equipment-bound regulated-record discovery

- Trigger: auditor / owner opens discovery view for an asset.
- Steps: system computes URS-03 active-scope intersection on the equipment dimension; returns batches / results / deviations / OOS records that used or referenced the asset.
- Audit: `EQUIPMENT_DISCOVERY_VIEW_OPENED` once per session.

### J-22 — Auditor reads asset history as inspection-ready

- Trigger: inspection focused on equipment qualification / calibration / maintenance.
- Steps: auditor opens the asset detail covering the asset's full lifetime; exports through the Controlled Approval Modal; receives PDF + JSON bundle with integrity manifest.
- Audit: `EQUIPMENT_REGISTER_EXPORTED`.

### J-23 — Criticality downgrade

- Trigger: asset's GxP impact re-assessed lower.
- Steps: `quality_lead` opens criticality change; `regulatory_oversight_admin` co-signs downgrade; recorded.
- Audit: `EQUIPMENT_CRITICALITY_CHANGED`.

### J-24 — Executive break-glass equipment hold

- Trigger: serious equipment-related quality signal.
- Steps: Founder issues immediate out-of-service via override ceremony (URS-04); URS-30 alerts; asset moves to `out_of_service` with override reference.
- Audit: `EQUIPMENT_TAKEN_OUT_OF_SERVICE` with `override_authority_profile_used`.

---

## 5. Front-End Expected State

**Target binding — greenfield; no UI exists. The following routes and components are the intended front-end, implementation evidence required.**

### 5.1 Routes

| Route | Surface | Role / Authority gate |
|---|---|---|
| `/equipment` | Equipment register browser | tenant base role + `audit:read` |
| `/equipment/new` | Asset registration wizard | `tenant_admin_authority` / `engineering_metrology_authority` |
| `/equipment/:id` | Per-asset detail (Overview / Qualification / Calibration / Maintenance / Status & Lifecycle / Impact Assessments / Documents / History) | asset-role overlay |
| `/equipment/:id/qualification` | Qualification workflow surface | `equipment_owner` + co-signers |
| `/equipment/:id/calibration` | Calibration schedule + records | `metrology_lead` for write |
| `/equipment/:id/maintenance` | PM schedule + work orders | `maintenance_lead` for write |
| `/equipment/:id/lifecycle` | Status / lifecycle transitions | `equipment_owner` + co-signers |
| `/equipment/:id/impact-assessments` | Out-of-cal / overdue-PM impact | `metrology_lead` + `final_quality_approver` |
| `/equipment/:id/discovery` | Equipment-bound discovery | asset-role or `audit:read` |
| `/admin/equipment/calibration-calendar` | Cross-asset calibration-due timeline | `tenant_admin_authority` |
| `/admin/equipment/pm-calendar` | Cross-asset PM-due timeline | `tenant_admin_authority` |
| `/admin/equipment/overdue-register` | Overdue calibration / PM register | `tenant_admin_authority` |
| `/admin/equipment/interval-preferences` | Tenant-level interval / qualification preferences | `tenant_admin_authority` |

### 5.2 Component requirements

- **Equipment register browser** — high-density list with category chips, criticality badges, base-state labels, `out_of_calibration` / `under_maintenance` modifier badges, calibration-due and PM-due indicators; filters by category, criticality, status, scope (site / area), calibration-due window, PM-due window, overdue.
- **Asset registration wizard** — multi-step: identity (tag / manufacturer / model / serial) → category → criticality → scope (org / site / area) → supplier link → review → submit. Critical flag visible.
- **Per-asset detail (tabbed)** — Overview, Qualification, Calibration, Maintenance, Status & Lifecycle, Impact Assessments, Documents, History. Status banner across top showing base state plus active modifiers and EQ-006 availability.
- **Qualification workflow** — IQ/OQ/PQ stage checklist; protocol / report links to URS-12; co-sign gates.
- **Calibration record surface** — schedule with next-due; record form capturing as-found / as-left, tolerance, standard reference, result, certificate link; fail clearly highlighted.
- **PM work-order surface** — schedule with next-due; work-order lifecycle board (`open → in_progress → completed → verified`); overdue highlighted.
- **Status / lifecycle surface** — allowed transitions only; reason capture; co-sign gates; override path for break-glass.
- **Impact-assessment surface** — auto-created records; suspect-window display; affected-batch / result list (URS-23 deep-links); OOS link (URS-15); deviation link (URS-16); closure with independent co-sign.
- **Discovery view** — paginated list of records intersecting the asset scope.

### 5.3 Accessibility and internationalisation

- WCAG 2.1 Level AA across all surfaces.
- Equipment tags / serials rendered as-is; identifiers canonical.
- Date / time displayed in user time zone; stored UTC; ISO 8601. Calibration / PM due dates computed in UTC and displayed in tenant / user time zone.

---

## 6. Back-End Expected State

**Target binding — greenfield; no back-end, schema, or migration exists. §§6.1–6.7 state the intended design. Implementation evidence required for every entity, column, endpoint, and rule.**

### 6.1 Domain entities

- `equipment` — canonical asset record per DEC-37-01..02, DEC-37-07.
- `equipment_qualifications` — per-asset qualification (IQ/OQ/PQ) and requalification records per DEC-37-03/04.
- `equipment_calibration_schedules` — per-asset calibration schedule per DEC-37-05.
- `equipment_calibration_records` — per-asset calibration result records per DEC-37-05.
- `equipment_pm_schedules` — per-asset PM schedule per DEC-37-06.
- `equipment_pm_work_orders` — per-asset PM work orders per DEC-37-06.
- `equipment_status_events` — append-only base-state / modifier transition log.
- `equipment_impact_assessments` — out-of-cal / overdue-PM impact assessments per DEC-37-09.
- `equipment_status_gate_evaluations` — append-only EQ-006 evaluation log with pinned snapshots per DEC-37-08/15.
- `equipment_role_roster` — asset-level role overlay (`equipment_owner`, `metrology_lead`, `maintenance_lead`).

#### 6.1.1 Diagram 6.1-A — Module 37 entity-relationship overview (target)

```mermaid
erDiagram
  EQUIPMENT ||--o{ EQUIPMENT_QUALIFICATIONS : qualified_via
  EQUIPMENT ||--o| EQUIPMENT_CALIBRATION_SCHEDULES : calibrated_per
  EQUIPMENT_CALIBRATION_SCHEDULES ||--o{ EQUIPMENT_CALIBRATION_RECORDS : records
  EQUIPMENT ||--o| EQUIPMENT_PM_SCHEDULES : maintained_per
  EQUIPMENT_PM_SCHEDULES ||--o{ EQUIPMENT_PM_WORK_ORDERS : work_orders
  EQUIPMENT ||--o{ EQUIPMENT_STATUS_EVENTS : status_log
  EQUIPMENT ||--o{ EQUIPMENT_IMPACT_ASSESSMENTS : impacted_by
  EQUIPMENT ||--o{ EQUIPMENT_STATUS_GATE_EVALUATIONS : gate_log
  EQUIPMENT ||--o{ EQUIPMENT_ROLE_ROSTER : role_overlay
  EQUIPMENT_QUALIFICATIONS }o--|| URS_12_DOCUMENTS : protocol_report
  EQUIPMENT_CALIBRATION_RECORDS }o--|| URS_12_DOCUMENTS : certificate
  EQUIPMENT_PM_WORK_ORDERS }o--|| URS_12_DOCUMENTS : pm_plan
  EQUIPMENT_IMPACT_ASSESSMENTS }o--o| URS_16_DEVIATIONS : raises
  EQUIPMENT_IMPACT_ASSESSMENTS }o--o| URS_15_OOS : links
  EQUIPMENT }o--o| URS_11_SUPPLIERS : vendor_or_calibration_provider
  EQUIPMENT }o--o| URS_09_SITES : located_at
```

#### 6.1.2 Diagram 6.1-B — Equipment base-state machine (target)

```mermaid
stateDiagram-v2
  [*] --> registered : EQUIPMENT_REGISTERED
  registered --> in_qualification : EQUIPMENT_QUALIFICATION_INITIATED
  in_qualification --> qualified : EQUIPMENT_QUALIFIED
  in_qualification --> retired : EQUIPMENT_RETIRED (abandoned)
  qualified --> out_of_service : EQUIPMENT_TAKEN_OUT_OF_SERVICE
  out_of_service --> qualified : EQUIPMENT_RETURNED_TO_SERVICE
  qualified --> retired : EQUIPMENT_RETIRED
  out_of_service --> retired : EQUIPMENT_RETIRED
  retired --> [*]
  note right of qualified
    Modifiers (independent booleans on a qualified asset):
    out_of_calibration  (set on fail/lapse; clears on good calibration)
    under_maintenance / overdue_pm  (set on open WO/overdue; clears on verified)
    While any modifier active, EQ-006 returns not-available.
  end note
```
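
A transition guard for the state machine above, as an added TypeScript example (not Verixa code). The edges come from Diagram 6.1-B and the signer sets from DEC-37-13 and the §3.6 matrix. Assumptions: all type and function names, the "QA" co-sign for taking a critical asset out of service being mapped to `final_quality_approver`, and the rule that one user may sign a transition only once.

```typescript
// Added example: transition guard for the base-state machine in Diagram 6.1-B.
// All type, field and function names are hypothetical.

type BaseState = "registered" | "in_qualification" | "qualified" | "out_of_service" | "retired";
type Authority = "equipment_owner" | "validation_approver" | "final_quality_approver" | "executive_authority";

interface Signature { userId: string; authority: Authority; mfaStepUp: boolean; }
interface Asset { state: BaseState; critical: boolean; regulatoryConcern: boolean; }
interface Decision { allowed: boolean; reasons: string[]; }

// Allowed edges keyed "from>to", with the signers every asset needs on that edge.
const EDGES: Record<string, Authority[]> = {
  "registered>in_qualification": ["equipment_owner"],
  "in_qualification>qualified": ["validation_approver", "final_quality_approver"],
  "in_qualification>retired": ["equipment_owner", "final_quality_approver"],
  "qualified>out_of_service": ["equipment_owner"],
  "out_of_service>qualified": ["equipment_owner", "final_quality_approver"],
  "qualified>retired": ["equipment_owner", "final_quality_approver"],
  "out_of_service>retired": ["equipment_owner", "final_quality_approver"],
};

// DEC-37-13: the three cases where the executive authority must co-sign.
function needsExecutive(asset: Asset, to: BaseState): boolean {
  if (!asset.critical) return false;
  if (asset.state === "in_qualification" && to === "qualified") return true; // initial qualification
  if (to === "retired") return true;                                         // critical-asset retirement
  return asset.state === "out_of_service" && to === "qualified" && asset.regulatoryConcern;
}

function authorizeTransition(asset: Asset, to: BaseState, sigs: Signature[]): Decision {
  const key = asset.state + ">" + to;
  if (!Object.prototype.hasOwnProperty.call(EDGES, key)) {
    return { allowed: false, reasons: ["transition not in state machine: " + key] };
  }

  const required = EDGES[key].slice();
  // Assumption: the QA co-sign for a GxP-critical asset is a final_quality_approver.
  if (key === "qualified>out_of_service" && asset.critical) required.push("final_quality_approver");
  if (needsExecutive(asset, to)) required.push("executive_authority");

  const reasons: string[] = [];

  // Assumption: a co-sign is only a co-sign if it comes from a different user.
  const users = sigs.map((s) => s.userId);
  const repeated = users.filter((u, i) => users.indexOf(u) !== i);
  if (repeated.length > 0) reasons.push("same user signed more than once: " + repeated.join(", "));

  for (const authority of required) {
    const matching = sigs.filter((s) => s.authority === authority);
    if (matching.length === 0) {
      reasons.push("missing signature: " + authority);
    } else if (authority === "executive_authority" && !matching.some((s) => s.mfaStepUp)) {
      // DEC-37-13: every executive-authority co-sign requires MFA step-up.
      reasons.push("executive co-sign without MFA step-up");
    }
  }
  return { allowed: reasons.length === 0, reasons: reasons };
}
```

The guard returns every failed condition rather than the first, so the rejection can be recorded with its full basis.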

#### 6.1.3 Diagram 6.1-C — Calibration due-date engine (target, deterministic)

```mermaid
flowchart TD
  A[Calibration recorded result pass] --> B[next_due = record_date + interval]
  C[Calibration recorded result fail] --> D[set out_of_calibration; trigger impact assessment]
  E[Scheduled job daily] --> F{now > next_due?}
  F -- yes --> G[set out_of_calibration; EQUIPMENT_CALIBRATION_LAPSED; trigger impact assessment]
  F -- no --> H{now within reminder horizons?}
  H -- yes --> I[URS-30 reminder T-30/T-7/T-1]
  H -- no --> J[no action]
```
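
The due-date engine above as a pure function pair, in an added TypeScript example (not Verixa code). The reminder horizons are the DEC-37-10 defaults; the `days` / `months` interval units, the month-end clamping rule, the once-per-UTC-day job cadence and all names are assumptions. `pass_with_adjustment` is not modelled because the diagram does not define its effect.

```typescript
// Added example: deterministic calibration due-date engine (Diagram 6.1-C).
// All dates are UTC calendar days in YYYY-MM-DD form; names are hypothetical.

type IntervalUnit = "days" | "months"; // assumed values for interval_unit
interface Schedule { intervalValue: number; intervalUnit: IntervalUnit; nextDue: string; }

type Outcome =
  | { kind: "next_due_advanced"; nextDue: string }
  | { kind: "out_of_calibration"; triggerImpactAssessment: true };

type DailyAction =
  | { kind: "none" }
  | { kind: "reminder"; horizon: string }
  | { kind: "lapsed"; notify: "on-overdue" | "daily-while-overdue" };

const DAY_MS = 86400000;
const REMINDER_HORIZONS_DAYS = [30, 7, 1]; // DEC-37-10 defaults: T-30, T-7, T-1

// Parse YYYY-MM-DD as a UTC day; reject malformed or impossible dates.
function parseDay(iso: string): number {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(iso);
  if (!m) throw new Error("expected YYYY-MM-DD, got " + iso);
  const ts = Date.UTC(Number(m[1]), Number(m[2]) - 1, Number(m[3]));
  if (new Date(ts).toISOString().slice(0, 10) !== iso) throw new Error("not a real date: " + iso);
  return ts;
}

function formatDay(ts: number): string {
  return new Date(ts).toISOString().slice(0, 10);
}

// next_due = record_date + interval. Month intervals clamp to the last day of
// the target month (31 Jan + 1 month = 29 Feb in a leap year), never roll over.
function addInterval(dayIso: string, value: number, unit: IntervalUnit): string {
  if (!(value > 0) || Math.floor(value) !== value) throw new Error("interval must be a positive integer");
  const d = new Date(parseDay(dayIso));
  if (unit === "days") return formatDay(d.getTime() + value * DAY_MS);
  const month = d.getUTCMonth() + value;
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), month + 1, 0)).getUTCDate();
  return formatDay(Date.UTC(d.getUTCFullYear(), month, Math.min(d.getUTCDate(), lastDay)));
}

// Left-hand branches of the diagram: a recorded calibration result.
function onCalibrationRecorded(result: "pass" | "fail", recordDay: string, s: Schedule): Outcome {
  if (result === "fail") return { kind: "out_of_calibration", triggerImpactAssessment: true };
  return { kind: "next_due_advanced", nextDue: addInterval(recordDay, s.intervalValue, s.intervalUnit) };
}

// Right-hand branch: the scheduled daily job. The due day itself is not a
// lapse, because the diagram tests "now > next_due".
function dailyJob(today: string, s: Schedule): DailyAction {
  const daysUntilDue = Math.round((parseDay(s.nextDue) - parseDay(today)) / DAY_MS);
  if (daysUntilDue < 0) {
    return { kind: "lapsed", notify: daysUntilDue === -1 ? "on-overdue" : "daily-while-overdue" };
  }
  if (REMINDER_HORIZONS_DAYS.indexOf(daysUntilDue) !== -1) {
    return { kind: "reminder", horizon: "T-" + daysUntilDue };
  }
  return { kind: "none" };
}
```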

#### 6.1.4 Diagram 6.1-D — EQ-006 status-gate decision (target, deterministic)

```mermaid
flowchart TD
  A([EQ-006 query equipment_id, T]) --> B{base_state qualified at T?}
  B -- no --> X[not-available: not qualified]
  B -- yes --> C{good calibration covering T? next_due >= T and last result pass}
  C -- no --> Y[not-available: out_of_calibration at T]
  C -- yes --> D{PM current at T? verified WO and not overdue at T}
  D -- no --> Z[not-available: overdue_pm / under_maintenance at T]
  D -- yes --> AV[available-for-GxP-use + contributing evidence + pinned snapshot]
```
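
The gate decision above evaluated at a past time `T`, with the pinned snapshot of DEC-37-15, as an added TypeScript example (not Verixa code). It reads only the append-only history as of `T`, never the asset's current flags, so a later recalibration cannot change the answer for an earlier `T`. Assumptions: all names, the constructed `SAMPLE_HISTORY`, an asset that is both calibration- and PM-relevant, and any result other than `pass` being treated as not good.

```typescript
// Added example: point-in-time EQ-006 evaluation following Diagram 6.1-D.
// All names are hypothetical; SAMPLE_HISTORY is constructed for illustration.

interface StatusEvent { id: string; toState: string; triggeredAt: string; }
interface CalibrationRecord { id: string; performedAt: string; result: string; nextDue: string; }
interface PmWorkOrder { id: string; openedAt: string; verifiedAt: string | null; nextDue: string | null; }
interface AssetHistory {
  equipmentId: string;
  statusEvents: StatusEvent[];
  calibrations: CalibrationRecord[];
  workOrders: PmWorkOrder[];
}

type GateReason = "available" | "not_qualified" | "out_of_calibration" | "overdue_pm_or_under_maintenance";
interface GateSnapshot {
  readonly equipmentId: string;
  readonly evaluatedAt: string;
  readonly statusEventId: string | null;
  readonly calibrationRecordId: string | null;
  readonly pmWorkOrderId: string | null;
}
interface GateResult { available: boolean; reason: GateReason; snapshot: GateSnapshot; }

// Most recent row whose timestamp is at or before t; rows after t are invisible.
function latestAtOrBefore<R>(rows: R[], at: (r: R) => string | null, t: number): R | null {
  let best: R | null = null;
  let bestTs = -Infinity;
  for (const r of rows) {
    const s = at(r);
    if (s === null) continue;
    const ts = Date.parse(s);
    if (ts <= t && ts > bestTs) { best = r; bestTs = ts; }
  }
  return best;
}

function evaluateGate(h: AssetHistory, tIso: string): GateResult {
  const t = Date.parse(tIso);
  if (isNaN(t)) throw new Error("invalid evaluation time: " + tIso);

  const ev = latestAtOrBefore(h.statusEvents, (e) => e.triggeredAt, t);
  const cal = latestAtOrBefore(h.calibrations, (c) => c.performedAt, t);
  const wo = latestAtOrBefore(h.workOrders, (w) => w.verifiedAt, t);
  // A work order opened at or before T and not yet verified at T: under maintenance.
  const openWo = h.workOrders.some((w) =>
    Date.parse(w.openedAt) <= t && (w.verifiedAt === null || Date.parse(w.verifiedAt) > t));

  // Same check order as the diagram; the first failing check decides the reason.
  let reason: GateReason = "available";
  if (!ev || ev.toState !== "qualified") {
    reason = "not_qualified";
  } else if (!cal || cal.result !== "pass" || Date.parse(cal.nextDue) < t) {
    reason = "out_of_calibration";
  } else if (openWo || !wo || wo.nextDue === null || Date.parse(wo.nextDue) < t) {
    reason = "overdue_pm_or_under_maintenance";
  }

  // Pinned snapshot: the record ids the decision rested on, frozen against mutation.
  const snapshot: GateSnapshot = Object.freeze({
    equipmentId: h.equipmentId,
    evaluatedAt: new Date(t).toISOString(),
    statusEventId: ev ? ev.id : null,
    calibrationRecordId: cal ? cal.id : null,
    pmWorkOrderId: wo ? wo.id : null,
  });
  return { available: reason === "available", reason: reason, snapshot: snapshot };
}

// Constructed history: a balance whose calibration lapsed from 21 to 23 April.
const SAMPLE_HISTORY: AssetHistory = {
  equipmentId: "eq-balance-01",
  statusEvents: [
    { id: "se-1", toState: "registered", triggeredAt: "2024-01-01T09:00:00Z" },
    { id: "se-2", toState: "in_qualification", triggeredAt: "2024-01-05T09:00:00Z" },
    { id: "se-3", toState: "qualified", triggeredAt: "2024-01-20T15:00:00Z" },
  ],
  calibrations: [
    { id: "c1", performedAt: "2024-01-21T09:00:00Z", result: "pass", nextDue: "2024-04-20T23:59:59Z" },
    { id: "c2", performedAt: "2024-04-23T10:00:00Z", result: "pass", nextDue: "2024-07-22T23:59:59Z" },
  ],
  workOrders: [
    { id: "w1", openedAt: "2024-01-21T08:00:00Z", verifiedAt: "2024-01-21T16:00:00Z", nextDue: "2024-07-21T23:59:59Z" },
  ],
};
```

Evaluating `SAMPLE_HISTORY` at `2024-04-22T12:00:00Z` returns `out_of_calibration` and pins `c1`, even though `c2` has since been recorded; this is the lapse-inside-the-manufacturing-window case of worked example E.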

### 6.2 Data model requirements

**Target binding — greenfield; columns are the intended model, implementation evidence required. `Implementation detail Unknown — evidence required` for any column whose exact type / constraint is not yet fixed.**

| Entity | Purpose | Key fields | Required | Unique | Tenant isolation | Versioning | Retention | Soft-delete | Audit | E-sig link |
|---|---|---|---|---|---|---|---|---|---|---|
| `equipment` | Canonical asset record | `id`, `tenant_id`, `equipment_tag`, `display_name`, `category`, `manufacturer`, `model`, `serial_number`, `criticality_classification`, `scope_jsonb`, `location_text`, `status` (base state), `out_of_calibration_flag`, `under_maintenance_flag`, `overdue_pm_flag`, `regulatory_concern_flag`, `supplier_id` (nullable FK URS-11), `vertical_classification_jsonb`, `created_by`, `created_at`, `qualified_at` (nullable), `retired_at` (nullable), `deleted_at` (nullable), `deleted_by` (nullable) | per state | unique(`tenant_id`, `equipment_tag`); unique(`tenant_id`, `manufacturer`, `model`, `serial_number`) | RLS on `tenant_id` | stateful + append-only audit | retain (long-term) | yes (draft pre-qualification only; retired preserved) | yes | yes |
| `equipment_qualifications` | Qualification / requalification records | `id`, `equipment_id`, `qualification_type` (`iq` / `oq` / `pq` / `requalification`), `planned_date`, `actual_date`, `outcome` (`pass` / `fail` / `pass_with_conditions`), `protocol_document_id` (FK URS-12), `report_document_id` (FK URS-12), `signed_e_sig_id`, `cosign_e_sig_ids_jsonb` (derived read snapshot; authoritative signatures in module signature-slot table) | core required | unique(`equipment_id`, `qualification_type`, `actual_date`) | RLS via equipment | stateful | retain (long-term) | not applicable | yes | yes |
| `equipment_calibration_schedules` | Per-asset calibration schedule | `id`, `equipment_id`, `interval_value`, `interval_unit`, `tolerance_spec_jsonb`, `standard_reference`, `standard_traceability_jsonb`, `last_calibration_date` (nullable), `next_due_date`, `active` | core required | unique active(`equipment_id`) | RLS via equipment | stateful | retain (long-term) | not applicable | yes | yes |
| `equipment_calibration_records` | Per-calibration result | `id`, `equipment_id`, `schedule_id`, `performed_at`, `performed_by_user_id` (nullable), `performed_by_supplier_id` (nullable FK URS-11), `as_found_jsonb`, `as_left_jsonb`, `result` (`pass` / `fail` / `pass_with_adjustment`), `certificate_document_id` (FK URS-12), `signed_e_sig_id` | core required | unique(`equipment_id`, `performed_at`) | RLS via equipment | append-only | retain (long-term) | not applicable | yes | yes |
| `equipment_pm_schedules` | Per-asset PM schedule | `id`, `equipment_id`, `interval_value`, `interval_unit`, `pm_plan_document_id` (FK URS-12), `last_pm_date` (nullable), `next_due_date`, `active` | core required | unique active(`equipment_id`) | RLS via equipment | stateful | retain (long-term) | not applicable | yes | yes |
| `equipment_pm_work_orders` | PM / repair work order | `id`, `equipment_id`, `schedule_id` (nullable for repair), `work_order_type` (`preventive` / `repair`), `state` (`open` / `in_progress` / `completed` / `verified`), `opened_at`, `completed_at` (nullable), `verified_at` (nullable), `performed_by_user_id` (nullable), `performed_by_supplier_id` (nullable), `verifier_user_id` (nullable), `parts_used_jsonb`, `completion_evidence_document_id` (nullable FK URS-12), `completed_e_sig_id` (nullable), `verified_e_sig_id` (nullable) | core required | unique(`equipment_id`, `id`) | RLS via equipment | stateful | retain (long-term) | not applicable | yes | yes |
| `equipment_status_events` | Append-only status / modifier log | `id`, `equipment_id`, `from_state`, `to_state`, `modifier_changed` (nullable), `event_code`, `reason_jsonb`, `signature_set_jsonb` (derived read snapshot), `audit_log_id` (FK URS-06), `triggered_at`, `previous_hash`, `record_hash` | all | unique(`equipment_id`, `id`); unique(`record_hash`) | RLS via equipment | append-only | retain (long-term) | not applicable | yes | yes |
| `equipment_impact_assessments` | Out-of-cal / overdue-PM impact | `id`, `equipment_id`, `trigger_type` (`calibration_fail` / `calibration_lapse` / `pm_overdue`), `suspect_window_start`, `suspect_window_end`, `severity` (`high` / `medium` / `low`), `deviation_id` (FK URS-16), `linked_oos_ids_jsonb` (FK URS-15), `affected_records_jsonb` (URS-23 references), `assessor_user_id`, `closed_e_sig_id` (nullable; independent of calibrator per `CALIBRATOR_NEQ_IMPACT_CLOSER`), `closure_cosign_e_sig_id` (nullable), `state` (`open` / `closed`) | core required | unique(`equipment_id`, `trigger_type`, `suspect_window_start`) | RLS via equipment | stateful | retain (long-term) | not applicable | yes | yes |
| `equipment_status_gate_evaluations` | EQ-006 evaluation log + pinned snapshot | `id`, `equipment_id`, `evaluated_at`, `evaluated_for_time_T`, `consuming_module`, `consuming_record_ref`, `result` (`available` / `not_available`), `reason_code` (nullable), `pinned_snapshot_jsonb` (qualification + calibration + PM state at T), `record_hash` | core required | unique(`equipment_id`, `id`) | RLS via equipment | append-only | retain (long-term) | not applicable | yes | not applicable |
| `equipment_role_roster` | Asset-level role overlay | `id`, `equipment_id`, `user_id`, `asset_role` (`equipment_owner` / `metrology_lead` / `maintenance_lead`), `effective_from`, `effective_to` (nullable), `assigned_e_sig_id`, `removed_at` (nullable) | core required | unique active(`equipment_id`, `asset_role`) | RLS via equipment | stateful | per equipment retention | yes | yes | yes |

### 6.3 API requirements

**Target binding — greenfield; endpoint paths are proposed, implementation evidence required.**

#### 6.3.1 Register and lifecycle

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/equipment` | tenant-scoped | filters | `Equipment[]` | tenant base role + `audit:read` | `EQUIPMENT_REGISTER_VIEW_OPENED` once per session | none |
| GET | `/equipment/:id` | tenant-scoped | none | full asset detail | asset-role overlay | none | `NOT_FOUND` |
| POST | `/equipment` | administrator / owner | asset fields (electronic-signed) | `201` | `tenant_admin_authority` / `engineering_metrology_authority` | `EQUIPMENT_REGISTERED` | validation |
| POST | `/equipment/:id/qualification/initiate` | equipment owner | reason (electronic-signed) | `200` | `equipment_owner` | `EQUIPMENT_QUALIFICATION_INITIATED` | `STATE_NOT_REGISTERED` |
| POST | `/equipment/:id/qualification/complete` | validation + QA (+ Founder for critical) | qualification refs + reason (electronic-signed + co-signs + MFA for critical) | `200` | `validation_approver` + `final_quality_approver` (+ executive authority for critical) | `EQUIPMENT_QUALIFIED` | `STATE_NOT_IN_QUALIFICATION`, `APPROVER_IS_REGISTRAR`, `MISSING_FOUNDER_COSIGN`, `QUALIFICATION_EVIDENCE_INCOMPLETE` |
| POST | `/equipment/:id/out-of-service` | equipment owner | `{reason}` (electronic-signed + QA co-sign for GxP-critical) | `200` | `equipment_owner` (+ `final_quality_approver`) | `EQUIPMENT_TAKEN_OUT_OF_SERVICE` | `STATE_NOT_QUALIFIED` |
| POST | `/equipment/:id/return-to-service` | equipment owner + co-signers | evidence (electronic-signed + co-signs + Founder for regulatory-concern critical) | `200` | `equipment_owner` + `final_quality_approver` (+ executive authority) | `EQUIPMENT_RETURNED_TO_SERVICE` | `STATE_NOT_OUT_OF_SERVICE`, `RESOLUTION_EVIDENCE_MISSING` |
| POST | `/equipment/:id/retire` | equipment owner + co-signers | reason (electronic-signed + co-signs + Founder for critical) | `200` | `equipment_owner` + `final_quality_approver` (+ executive authority for critical) | `EQUIPMENT_RETIRED` | `STATE_NOT_RETIREABLE`, `MISSING_FOUNDER_COSIGN` |
| POST | `/equipment/:id/criticality` | quality lead + RA co-sign | `{criticality, reason}` (electronic-signed + co-sign) | `200` | `regulatory_oversight_admin` for downgrade | `EQUIPMENT_CRITICALITY_CHANGED` | `MISSING_RA_COSIGN` |

#### 6.3.2 Qualification, calibration, PM

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/equipment/:id/qualifications` | tenant-scoped | none | qualification register | asset-role | none | none |
| POST | `/equipment/:id/calibration/schedule` | metrology lead | schedule fields (electronic-signed) | `201` | `metrology_lead` | `EQUIPMENT_CALIBRATION_SCHEDULED` | validation |
| POST | `/equipment/:id/calibration/records` | metrology lead / provider | calibration result + certificate ref (electronic-signed) | `201` | `metrology_lead` | `EQUIPMENT_CALIBRATION_RECORDED` (+ `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED` on `fail`) | validation |
| POST | `/equipment/:id/pm/schedule` | maintenance lead | schedule fields (electronic-signed) | `201` | `maintenance_lead` | `EQUIPMENT_PM_SCHEDULED` | validation |
| POST | `/equipment/:id/pm/work-orders` | maintenance lead | work-order fields (electronic-signed) | `201` | `maintenance_lead` | `EQUIPMENT_PM_WORK_ORDER_OPENED` | validation |
| POST | `/equipment/:id/pm/work-orders/:woId/complete` | maintenance lead | completion evidence (electronic-signed) | `200` | `maintenance_lead` | `EQUIPMENT_PM_WORK_ORDER_COMPLETED` | `STATE_NOT_IN_PROGRESS` |
| POST | `/equipment/:id/pm/work-orders/:woId/verify` | independent verifier | verification (electronic-signed) | `200` | independent per `MAINTAINER_NEQ_PM_VERIFIER` | `EQUIPMENT_PM_WORK_ORDER_VERIFIED` | `MISSING_INDEPENDENT_VERIFIER`, `VERIFIER_IS_MAINTAINER` |
| POST | `/equipment/:id/requalification/initiate` | equipment owner | reason (electronic-signed) | `200` | `equipment_owner` | `EQUIPMENT_REQUALIFICATION_INITIATED` | validation |
| POST | `/equipment/:id/requalification/complete` | validation + QA (+ Founder for critical) | refs (electronic-signed + co-signs) | `200` | `validation_approver` + `final_quality_approver` (+ executive authority for critical) | `EQUIPMENT_REQUALIFIED` | `MISSING_FOUNDER_COSIGN` |

#### 6.3.3 Impact assessment, status gate, discovery

| Method | Endpoint | Actor | Request | Response | Permission | Audit | Error codes |
|---|---|---|---|---|---|---|---|
| GET | `/equipment/:id/impact-assessments` | tenant-scoped | filters | `ImpactAssessment[]` | asset-role or `audit:read` | none | none |
| POST | `/equipment/:id/impact-assessments/:iaId/close` | assessor + QA (independent of calibrator) | closure + reason (electronic-signed + co-sign) | `200` | `metrology_lead` + `final_quality_approver` per `CALIBRATOR_NEQ_IMPACT_CLOSER` | `EQUIPMENT_IMPACT_ASSESSMENT_CLOSED` | `IMPACT_CLOSER_IS_CALIBRATOR`, `DEVIATION_NOT_LINKED` |
| GET | `/equipment/:id/status-gate` | consuming service identity (URS-33/23/24/25/15) or tenant-scoped | `{at: T}` | `{result, reasonCode, contributingEvidence, pinnedSnapshotRef}` | service identity / asset-role | `EQUIPMENT_STATUS_GATE_EVALUATED` (coarse) | `NOT_FOUND` |
| GET | `/equipment/:id/discovery` | tenant-scoped | filters | `DiscoveryRecord[]` | asset-role or `audit:read` | `EQUIPMENT_DISCOVERY_VIEW_OPENED` once per session | none |
| POST | `/equipment/:id/discovery/export` | equipment owner + `audit:export` | filters + format (electronic-signed) | signed download URL + integrity manifest | `equipment_owner` + `audit:export` | `EQUIPMENT_REGISTER_EXPORTED` | none |

### 6.4 Workflow / lifecycle requirements

| Workflow | Step | Time-to-live or timer | Auto-action | Reminder |
|---|---|---|---|---|
| Calibration due | per asset interval (DEC-37-05) | continuous | set `out_of_calibration` + impact assessment on lapse | T-30, T-7, T-1 |
| PM due | per asset interval (DEC-37-06) | continuous | set overdue-PM (block use) + impact assessment on overdue | T-30, T-7, T-1 |
| Periodic requalification (critical) | per DEC-37-04 (≥ annual review) | continuous | URS-30 reminders; out-of-service + `regulatory_concern` on miss beyond grace | T-90, T-30, T-7 |
| Periodic requalification (major) | per DEC-37-04 | continuous | URS-30 reminders; out-of-service on miss beyond grace | T-90, T-30, T-7 |
| Periodic requalification (minor) | per DEC-37-04 | continuous | URS-30 reminders | T-90, T-30, T-7 |
| Out-of-cal / overdue-PM impact assessment | on trigger | continuous | auto-create impact + deviation; flag batches; link OOS | on creation |
| EQ-006 gate evaluation | on demand (consumed by other modules) | n/a | log evaluation + pin snapshot | n/a |
| Overdue escalation | on overdue | daily while overdue | escalate per ladder; `regulatory_concern` for critical | daily |

Grace windows for requalification miss are configurable; the default grace window is `Implementation detail Unknown — evidence required` (proposed +30 days, to be confirmed in configuration specification).

### 6.5 Business rules

- **BR-37-01** — Initial qualification completion requires `validation_approver` + `final_quality_approver`, with the approver independent of the registrar / calibrator per `AUTHOR_NEQ_APPROVER`; critical assets additionally require executive-authority co-sign with MFA per DEC-37-13.
- **BR-37-02** — Qualification evidence (IQ/OQ/PQ protocols + report references) per the DEC-37-03 matrix MUST be present before `in_qualification → qualified`; missing returns `QUALIFICATION_EVIDENCE_INCOMPLETE`.
- **BR-37-03** — `qualified` (base state) is a precondition for any GxP use; EQ-006 returns not-available for any non-`qualified` base state.
- **BR-37-04** — A `fail` calibration or a lapsed calibration MUST set the `out_of_calibration` modifier and MUST auto-create an impact assessment + linked deviation (URS-16) per DEC-37-09.
- **BR-37-05** — An open PM / repair work order, or an overdue PM, MUST set the `under_maintenance` / overdue-PM condition and MUST cause EQ-006 to return not-available per DEC-37-06.
- **BR-37-06** — PM work-order verification MUST require an independent verifier per `MAINTAINER_NEQ_PM_VERIFIER`; the verifier cannot be the maintainer.
- **BR-37-07** — Out-of-calibration / overdue-PM impact-assessment closure MUST require a closer independent of the calibrator per `CALIBRATOR_NEQ_IMPACT_CLOSER`, and MUST have a linked deviation (URS-16).
- **BR-37-08** — The EQ-006 gate MUST be deterministic: given an `equipment_id` and time `T`, it returns the same result for the same underlying state; it MUST evaluate base state, calibration coverage, and PM currency at `T` per Diagram 6.1-D.
- **BR-37-09** — Every EQ-006 evaluation consumed by an in-flight regulated decision MUST be persisted as a pinned snapshot per DEC-37-15 so the decision basis is reconstructable.
- **BR-37-10** — Base-state transitions affecting GxP use MUST be authority-gated (URS-05) and e-signed via the regulated e-signature service, with a substrate-verified, bound `electronic_signatures` row per DEC-37-12.
- **BR-37-11** — Hard delete of equipment / calibration / PM / qualification / impact records is prohibited per DEC-37-14; retirement is a lifecycle state; soft-delete applies only to non-qualified draft registrations.
- **BR-37-12** — Criticality downgrade MUST require `regulatory_oversight_admin` co-sign; upgrade is permitted with QA lead signature per DEC-37-02.
- **BR-37-13** — Equipment scope MUST use `scope_jsonb` compatible with URS-05; visibility / authority resolved at decision time with `scopeSource: 'context'` per DEC-37-16.
- **BR-37-14** — Module 37 mutations MUST be blocked when tenant lifecycle (URS-08) is anything other than `active`.
- **BR-37-15** — Audit-log writes MUST be atomic with the originating action; on audit-write failure the originating action MUST NOT commit.
- **BR-37-16** — Status / lifecycle events MUST emit dual audit per URS-08 DEC-08-18 where applicable.
- **BR-37-17** — Calibration-due / PM-due / overdue / requalification-due reminders and escalations MUST be delivered through URS-30 per DEC-37-10; lapsed critical → `regulatory_concern` flag.
- **BR-37-18** — Calibration certificates, qualification protocols / reports, and PM plans MUST be stored as URS-12 controlled documents per DEC-37-11; Module 37 holds references only.
- **BR-37-19** — No generative AI / LLM / probabilistic model MAY participate in the register, qualification, calibration, PM, impact-assessment, or EQ-006 paths per DEC-37-17 / QS-21; any AI assist is advisory only per §8.
- **BR-37-20** — The suspect window for an impact assessment MUST span from the last good calibration / verified PM to the point of detection, and MUST be used to flag affected batches / results (URS-23).
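
The gate rules in BR-37-03, BR-37-05, BR-37-08 and BR-37-09 can be written as a pure function of the asset's records and `T`. The JavaScript below is an added example, not Verixa code: the input shape, numeric ids, day-only intervals and the reason codes `BASE_STATE_NOT_QUALIFIED`, `CALIBRATION_NOT_CURRENT` and `PM_NOT_CURRENT` are assumptions, and the check order stands in for Diagram 6.1-D.

```javascript
// Added example, not Verixa code. Column names follow the data-model table;
// the asset input shape, numeric ids, day-based intervals and the three
// reason codes are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const ms = (iso) => Date.parse(iso);
const byTime = (field) => (a, b) => ms(a[field]) - ms(b[field]) || a.id - b.id;
const latest = (rows, field) => [...rows].sort(byTime(field)).pop() || null;

// Stable serialisation (sorted keys): equal state always pins equal text.
function canonicalJson(v) {
  if (Array.isArray(v)) return `[${v.map(canonicalJson).join(',')}]`;
  if (v !== null && typeof v === 'object') {
    const body = Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonicalJson(v[k])}`);
    return `{${body.join(',')}}`;
  }
  return JSON.stringify(v);
}

function dueAfter(iso, schedule) {
  if (schedule.interval_unit !== 'days') throw new RangeError('example handles day intervals only');
  return ms(iso) + schedule.interval_value * DAY_MS;
}

// Base state in force at T: to_state of the last transition at or before T.
function baseStateAt(statusEvents, tMs) {
  const past = statusEvents.filter((e) => e.to_state !== null && ms(e.triggered_at) <= tMs);
  const last = latest(past, 'triggered_at');
  return last ? last.to_state : null;
}

// Calibration covers T when the latest record at or before T did not fail
// and T is not past performed_at + interval.
function calibrationAt(records, schedule, tMs) {
  const last = latest(records.filter((r) => ms(r.performed_at) <= tMs), 'performed_at');
  if (!last) return { current: false, last_record_id: null, due_at: null };
  const dueMs = dueAfter(last.performed_at, schedule);
  const current = last.result !== 'fail' && tMs <= dueMs;
  return { current, last_record_id: last.id, due_at: new Date(dueMs).toISOString() };
}

// PM is current at T when no work order is open at T (BR-37-05) and the last
// verified preventive work order is still inside the interval.
function pmAt(workOrders, schedule, tMs) {
  const isOpen = (w) => ms(w.opened_at) <= tMs && (w.verified_at === null || ms(w.verified_at) > tMs);
  const openIds = workOrders.filter(isOpen).map((w) => w.id).sort((a, b) => a - b);
  const verified = workOrders.filter(
    (w) => w.work_order_type === 'preventive' && w.verified_at !== null && ms(w.verified_at) <= tMs,
  );
  const last = latest(verified, 'verified_at');
  const dueMs = last ? dueAfter(last.verified_at, schedule) : null;
  const current = openIds.length === 0 && last !== null && tMs <= dueMs;
  return { current, open_work_order_ids: openIds, due_at: last ? new Date(dueMs).toISOString() : null };
}

// Pure function of (asset records, T): no wall clock and no randomness; the
// evaluation time (evaluated_at) is kept out of the pinned snapshot.
function evaluateStatusGate(asset, at) {
  const tMs = ms(at);
  if (Number.isNaN(tMs)) throw new TypeError('at must be an ISO-8601 timestamp');
  const snapshot = {
    equipment_id: asset.id,
    evaluated_for_time_T: new Date(tMs).toISOString(),
    base_state: baseStateAt(asset.status_events, tMs),
    calibration: calibrationAt(asset.calibration_records, asset.calibration_schedule, tMs),
    pm: pmAt(asset.pm_work_orders, asset.pm_schedule, tMs),
  };
  let reasonCode = null; // checked in the order BR-37-08 lists the three inputs
  if (snapshot.base_state !== 'qualified') reasonCode = 'BASE_STATE_NOT_QUALIFIED';
  else if (!snapshot.calibration.current) reasonCode = 'CALIBRATION_NOT_CURRENT';
  else if (!snapshot.pm.current) reasonCode = 'PM_NOT_CURRENT';
  const result = reasonCode === null ? 'available' : 'not_available';
  return { result, reasonCode, pinnedSnapshot: canonicalJson(snapshot) };
}

// Constructed sample asset (not real data).
const SAMPLE_ASSET = {
  id: 101,
  status_events: [
    { id: 1, to_state: 'registered', triggered_at: '2024-01-01T00:00:00Z' },
    { id: 2, to_state: 'in_qualification', triggered_at: '2024-01-10T00:00:00Z' },
    { id: 3, to_state: 'qualified', triggered_at: '2024-02-01T00:00:00Z' },
  ],
  calibration_schedule: { interval_value: 90, interval_unit: 'days' },
  calibration_records: [
    { id: 1, performed_at: '2024-02-01T00:00:00Z', result: 'pass' },
    { id: 2, performed_at: '2024-06-01T00:00:00Z', result: 'fail' },
  ],
  pm_schedule: { interval_value: 180, interval_unit: 'days' },
  pm_work_orders: [
    { id: 1, work_order_type: 'preventive', opened_at: '2024-01-20T00:00:00Z', verified_at: '2024-01-26T00:00:00Z' },
    { id: 2, work_order_type: 'repair', opened_at: '2024-04-10T00:00:00Z', verified_at: '2024-04-12T00:00:00Z' },
  ],
};
```

A record entered later with a `performed_at` earlier than `T` would change a recomputation, which is why the pinned text, and not a re-evaluation, is what a consuming decision should cite.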

### 6.6 Audit trail requirements

Module 37 governance event vocabulary (canonical launch list):

`EQUIPMENT_REGISTERED`, `EQUIPMENT_QUALIFICATION_INITIATED`, `EQUIPMENT_QUALIFIED`, `EQUIPMENT_REQUALIFICATION_INITIATED`, `EQUIPMENT_REQUALIFIED`, `EQUIPMENT_REQUALIFICATION_MISSED`, `EQUIPMENT_CALIBRATION_SCHEDULED`, `EQUIPMENT_CALIBRATION_RECORDED`, `EQUIPMENT_CALIBRATION_LAPSED`, `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED`, `EQUIPMENT_OUT_OF_CALIBRATION_CLEARED`, `EQUIPMENT_PM_SCHEDULED`, `EQUIPMENT_PM_WORK_ORDER_OPENED`, `EQUIPMENT_PM_WORK_ORDER_COMPLETED`, `EQUIPMENT_PM_WORK_ORDER_VERIFIED`, `EQUIPMENT_PM_OVERDUE`, `EQUIPMENT_UNDER_MAINTENANCE_CLEARED`, `EQUIPMENT_IMPACT_ASSESSMENT_OPENED`, `EQUIPMENT_IMPACT_ASSESSMENT_LINKED_TO_OOS`, `EQUIPMENT_IMPACT_ASSESSMENT_CLOSED`, `EQUIPMENT_TAKEN_OUT_OF_SERVICE`, `EQUIPMENT_RETURNED_TO_SERVICE`, `EQUIPMENT_RETIRED`, `EQUIPMENT_CRITICALITY_CHANGED`, `EQUIPMENT_STATUS_GATE_EVALUATED` (coarse), `EQUIPMENT_DISCOVERY_VIEW_OPENED` (coarse), `EQUIPMENT_REGISTER_VIEW_OPENED` (coarse), `EQUIPMENT_REGISTER_EXPORTED`, `EQUIPMENT_ROLE_ASSIGNED`, `EQUIPMENT_ROLE_REMOVED`, `EQUIPMENT_REGULATORY_CONCERN_FLAGGED`, `PLATFORM_TENANT_ACCESS_USED`, `PLATFORM_TENANT_ACCESS_DENIED`.

### 6.7 Record versioning and class-of-change governance

- Append-only: `equipment_calibration_records`, `equipment_status_events`, `equipment_status_gate_evaluations`.
- Stateful with append-only audit history: `equipment`, `equipment_qualifications`, `equipment_calibration_schedules`, `equipment_pm_schedules`, `equipment_pm_work_orders`, `equipment_impact_assessments`, `equipment_role_roster`.
- Soft-delete: `equipment` (draft pre-qualification only; retired preserved as a lifecycle state).

---

## 7. Cross-Module Wiring and Change-Impact

### 7.1 Cross-module wiring

```mermaid
graph LR
  subgraph M37 [Module 37 — Equipment / Calibration / PM]
    REG[Register]
    QUAL[Qualification]
    CAL[Calibration]
    PM[Maintenance]
    IMP[Impact]
    GATE[EQ-006 Gate]
    LCY[Lifecycle]
  end
  M3[URS-03 Active Scope] <--> REG
  M4[URS-04 Workflow / E-Sign] --> LCY
  M5[URS-05 Authority] --> LCY
  M6[URS-06 Audit Substrate] --> LCY
  M8[URS-08 Tenant Lifecycle] --> REG
  M9[URS-09 Site] <--> REG
  M11[URS-11 Supplier] <--> CAL
  M12[URS-12 Document Control] <--> QUAL
  M12 <--> CAL
  M12 <--> PM
  M15[URS-15 OOS] <--> IMP
  M16[URS-16 Deviations] <--> IMP
  M23[URS-23 Batch Records] <--> GATE
  M24[URS-24 Stability] <--> GATE
  M25[URS-25 EM] <--> GATE
  M30[URS-30 Notifications] --> CAL
  M30 --> PM
  GATE --> M33[URS-33 GMP Batch Disposition]
```

### 7.2 Change-Impact Matrix (CIM)

| Change | Class | Impact on (modules) | Required revalidation |
|---|---|---|---|
| Add equipment category / sub-classification (DEC-37-01) | 1 | qualification / calibration / PM matrices | Full regression |
| Add criticality level (DEC-37-02) | 1 | interval / cadence matrices | Full regression |
| Add base lifecycle state (DEC-37-07) | 1 | EQ-006 gate; every consuming module | Full regression |
| Change EQ-006 gate logic (DEC-37-08) | 1 | URS-33 / URS-23 / URS-24 / URS-25 / URS-15 | Full regression |
| Change qualification / calibration / PM interval matrix (DEC-37-03/05/06) | 2 | schedule engines; URS-30 | Targeted regression |
| Change impact-assessment trigger / severity defaults (DEC-37-09) | 2 | URS-16 / URS-23 / URS-15 linkage | Targeted regression |
| Change reminder horizons / escalation ladder (DEC-37-10) | 3 | URS-30 schedule | Unit regression |
| Add audit event code | 3 | URS-06 | Writer-presence regression |
| UI copy or layout change | 4 | none | Visual regression |

### 7.3 Cross-module dependencies (consumed by / consuming Module 37)

| Dependency | Source | Impact | Blocking? |
|---|---|---|---|
| Authentication, MFA | URS-01 | Substrate | Blocking |
| Effective permissions | URS-02 | Base role gate | Blocking |
| Active scope | URS-03 | Scope resolution; discovery | Blocking |
| Workflow / e-sig ceremony | URS-04 | Lifecycle / status signatures | Blocking |
| Authority resolver, scope dimensions | URS-05 | Status-change authority gating; executive authority | Blocking |
| Audit substrate | URS-06 | Audit | Blocking |
| Tenant lifecycle | URS-08 | Mutation gating | Blocking |
| Site catalogue | URS-09 | Asset location reference | Blocking |
| Supplier management | URS-11 | Equipment-vendor / calibration-provider reference | Blocking |
| Document control | URS-12 | Certificates / protocols / PM plans — **document storage** | Blocking |
| OOS investigation | URS-15 | EQ-006 / calibration-history instrument check; impact-assessment OOS linkage | Blocking (consumer) |
| Deviation management | URS-16 | Auto-deviation on out-of-cal / overdue PM | Blocking (consumer) |
| Batch records / execution | URS-23 | EQ-006 at point of use; affected-batch flagging | Blocking (consumer) |
| Stability | URS-24 | EQ-006 at point of use (chambers) | Blocking (consumer) |
| Environmental monitoring | URS-25 | EQ-006 at point of use (EM instruments) | Blocking (consumer) |
| Notifications | URS-30 | Due / overdue reminders, escalations | Non-blocking (direct e-mail fallback) |
| GMP batch disposition | URS-33 | EQ-006 disposition gate (closes URS-33 §21 finding for equipment) | Blocking (consumer) |
| Backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ |

---

## 8. AI / Automation / Human-in-the-Loop Controls

Module 37 contains **no AI / ML components** in any quality-critical path: the register, qualification, calibration, preventive maintenance, impact-assessment, and EQ-006 gate are all **static / deterministic** (same inputs → same outputs), per DEC-37-17, CLAUDE.md QS-21, and EU Annex 22 (draft). The EQ-006 gate, the calibration due-date engine, the PM due-date engine, and the impact-assessment trigger MUST be rule-based.

Any AI assist that may later inform this module — for example a calibration-interval suggestion or an equipment-failure-prediction signal surfaced from URS-32 / MIRA — is **advisory only** per ARCH-AI-001 / QS-21. It MUST NOT take autonomous action, MUST NOT be written to any GxP record field without explicit human confirmation, MUST set `ai_advisory = true`, MUST be logged to `ai_requests` / `llm_audit_log`, and the human accepting / rejecting the suggestion is attributed in the audit trail as the decision-maker. No AI output may set a calibration interval, change a status, close an impact assessment, or alter an EQ-006 result.

The HITL lifecycle is owned by URS-04. Module 37 consumes the Controlled Approval Modal for every electronic signature. Static analysis MUST verify zero references to LLM SDKs in Module 37 source per CLAUDE.md QS-21. **Target binding — greenfield; the zero-LLM property is a design constraint to be verified at build, implementation evidence required.**
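
One way to run the zero-LLM-SDK check as a build gate, shown as an added example that is not Verixa code: the package denylist, the finding shape and the sample files are assumptions. It also flags `require` / `import()` calls whose argument is not a single string literal, since those cannot be cleared statically.

```javascript
// Added example, not Verixa code. The denylist is an assumption: a project
// would maintain its own list of LLM SDK packages.
const DENIED_PACKAGES = new Set(['openai', '@anthropic-ai/sdk', '@google/generative-ai', 'cohere-ai', 'langchain']);
const DENIED_SCOPES = ['@langchain/'];

// Literal module specifiers in import / export-from / require / import().
const SPECIFIER_RE = /(?:\bfrom|\bimport|\brequire)\s*\(?\s*(['"`])([^'"`]+)\1/g;
// require(...) or import(...) whose argument is not exactly one string literal.
const NON_LITERAL_RE = /\b(?:require|import)\s*\((?!\s*(['"`])[^'"`]*\1\s*\))/;

function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null; // local file
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function isDenied(pkg) {
  return DENIED_PACKAGES.has(pkg) || DENIED_SCOPES.some((scope) => pkg.startsWith(scope));
}

// Line-based scan. It fails closed: a denied name inside a comment or string
// is reported too, and a call split across lines is reported as non-literal.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((lineText, index) => {
    const line = index + 1;
    for (const match of lineText.matchAll(SPECIFIER_RE)) {
      const spec = match[2];
      if (spec.includes('${')) {
        findings.push({ file, line, kind: 'non_literal', detail: spec });
        continue;
      }
      const pkg = packageName(spec);
      if (pkg !== null && isDenied(pkg)) findings.push({ file, line, kind: 'llm_sdk', detail: pkg });
    }
    if (NON_LITERAL_RE.test(lineText)) {
      findings.push({ file, line, kind: 'non_literal', detail: lineText.trim() });
    }
  });
  return findings;
}

// Declared dependencies count as references even if nothing imports them yet.
function scanManifest(file, manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']) {
    for (const pkg of Object.keys(manifest[section] || {})) {
      if (isDenied(pkg)) findings.push({ file, line: null, kind: 'llm_sdk', detail: `${section}:${pkg}` });
    }
  }
  return findings;
}

// files: { path: contents }. An empty result is the pass condition for the gate.
function findLlmSdkReferences(files) {
  return Object.keys(files).sort().flatMap((file) => (
    file.endsWith('package.json') ? scanManifest(file, files[file]) : scanSource(file, files[file])
  ));
}

// Constructed sample tree (paths, contents and versions are made up).
const SAMPLE_FILES = {
  'equipment/gate.js': "const { rules } = require('./rules');\nmodule.exports = { rules };\n",
  'calibration/suggest.js': "import Anthropic from '@anthropic-ai/sdk';\nconst oa = await import('openai/resources');\n",
  'maintenance/loader.js': 'const name = process.env.PLUGIN;\nconst plugin = require(name);\n',
  'maintenance/package.json': '{"dependencies": {"@langchain/core": "1.0.0", "pg": "8.0.0"}}',
};
```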

---

## 9. Reports, Dashboards, and Exports

| Report | Purpose | Audience | Format |
|---|---|---|---|
| Per-tenant equipment register | Inventory and status posture | Engineering, QA, RA | CSV + PDF |
| Per-asset detail and history | Lifecycle, qualification, calibration, PM, impact | Asset roles | PDF + JSON |
| Calibration-due timeline | Upcoming calibrations | Metrology, QA | Calendar |
| PM-due timeline | Upcoming preventive maintenance | Maintenance, QA | Calendar |
| Overdue register | Out-of-calibration / overdue-PM assets | QA, RA, executive authority | CSV + PDF |
| Qualification status register | Per-tenant qualification posture | QA, Validation | CSV + PDF |
| Impact-assessment register | Out-of-cal / overdue-PM impacts and linkages | QA, RA | CSV + PDF |
| EQ-006 gate evaluation log | Gate evaluations with pinned snapshots | QA, auditor, inspector | PDF + JSON + integrity manifest |
| Equipment-bound discovery | Inspection-ready list of records using the asset | QA, auditor, inspector | PDF + JSON + integrity manifest |

Every export routes through the Controlled Approval Modal, carries an electronic signature, a signed download URL with 15-minute TTL unless a stricter TTL is specified, and an integrity manifest per URS-06.

---

## 10. Notifications and Queues

| Trigger | Recipient | Channel | Latency |
|---|---|---|---|
| Asset qualified (critical) | asset roles, QA, executive authority | URS-30 in-app + e-mail | within 60 seconds |
| Calibration due | metrology lead, equipment owner | URS-30 e-mail | T-30, T-7, T-1 |
| Calibration lapsed / failed | metrology lead, equipment owner, QA | URS-30 in-app + e-mail | within 60 seconds |
| PM due | maintenance lead, equipment owner | URS-30 e-mail | T-30, T-7, T-1 |
| PM overdue | maintenance lead, equipment owner, QA | URS-30 in-app + e-mail | within 60 seconds |
| Out-of-cal / overdue-PM impact opened | metrology lead, QA, RA | URS-30 in-app + e-mail | within 60 seconds |
| Asset taken out of service | asset roles, QA | URS-30 in-app + e-mail | within 60 seconds |
| Asset returned to service | asset roles | URS-30 in-app + e-mail | within 60 seconds |
| Requalification due | equipment owner, QA | URS-30 e-mail | T-90, T-30, T-7 |
| Requalification missed (regulatory concern) | equipment owner, QA, RA, executive authority | URS-30 in-app + e-mail | within 60 seconds (out-of-service) |
| EQ-006 not-available blocking a disposition (URS-33) | QA, equipment owner | URS-30 in-app + e-mail | within 60 seconds |
| Asset retired (critical) | tenant admin, QA, executive authority | URS-30 in-app + e-mail | within 60 seconds |

---

## 11. Error Handling and Negative Paths

### 11.1 Error envelope

Every error response uses the standard envelope: human message, machine code in upper-snake-case, optional details, and correlation identifier. The envelope NEVER exposes stack traces, SQL errors, table / column names, or internal paths per QS-9.

### 11.2 Error-code catalogue

| Code | HTTP | Path | UI behaviour |
|---|---|---|---|
| QUALIFICATION_EVIDENCE_INCOMPLETE | 409 | qualification complete | inline list of missing IQ/OQ/PQ evidence |
| APPROVER_IS_REGISTRAR | 403 | qualification approval | inline error |
| MISSING_FOUNDER_COSIGN | 401 | critical qualification / retirement / return-to-service | open executive-authority co-sign request |
| MISSING_RA_COSIGN | 401 | criticality downgrade / regulatory return-to-service | open RA co-sign request |
| MISSING_INDEPENDENT_VERIFIER | 401 | PM verify | open independent-verifier route |
| VERIFIER_IS_MAINTAINER | 403 | PM verify | inline error |
| IMPACT_CLOSER_IS_CALIBRATOR | 403 | impact-assessment closure | inline error |
| DEVIATION_NOT_LINKED | 409 | impact-assessment closure | inline error citing DEC-37-09 |
| RESOLUTION_EVIDENCE_MISSING | 400 | return-to-service | inline error |
| STATE_NOT_REGISTERED | 409 | qualification initiate | inline error |
| STATE_NOT_IN_QUALIFICATION | 409 | qualification complete | inline error |
| STATE_NOT_QUALIFIED | 409 | out-of-service / calibration / PM | inline error |
| STATE_NOT_OUT_OF_SERVICE | 409 | return-to-service | inline error |
| STATE_NOT_RETIREABLE | 409 | retire | inline error |
| STATE_NOT_IN_PROGRESS | 409 | PM complete | inline error |
| EQUIPMENT_NOT_AVAILABLE_FOR_USE | 409 | EQ-006 consumer block | banner at consuming surface with reason code + suspect window |
| TENANT_NOT_ACTIVE | 403 | any Module 37 mutation when tenant not `active` | banner |
| AUDIT_TRAIL_WRITE_FAILED | 500 | any state-changing action | toast; the originating action did NOT commit |
| PLATFORM_TENANT_ACCESS_DENIED | 403 | platform identity outside support envelope | inline error; SOC alert |
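
The envelope rule in §11.1 applied to a subset of this catalogue, as an added example that is not Verixa code. `DomainError`, the fallback code `INTERNAL_ERROR`, the message texts, the envelope field names and the per-code detail allowlists are assumptions; codes and HTTP statuses are taken from the table above.

```javascript
// Added example, not Verixa code. Codes and HTTP statuses are a subset of the
// catalogue table; DomainError, INTERNAL_ERROR, the messages, the envelope
// field names and the per-code detail allowlists are assumptions.
const CATALOGUE = new Map([
  ['QUALIFICATION_EVIDENCE_INCOMPLETE',
    { http: 409, message: 'Qualification evidence is incomplete.', details: ['missingEvidence'] }],
  ['VERIFIER_IS_MAINTAINER',
    { http: 403, message: 'The verifier must not be the maintainer.', details: [] }],
  ['IMPACT_CLOSER_IS_CALIBRATOR',
    { http: 403, message: 'The closer must be independent of the calibrator.', details: [] }],
  ['EQUIPMENT_NOT_AVAILABLE_FOR_USE',
    { http: 409, message: 'Equipment is not available for use.',
      details: ['reasonCode', 'suspectWindowStart', 'suspectWindowEnd'] }],
  ['TENANT_NOT_ACTIVE', { http: 403, message: 'Tenant is not active.', details: [] }],
  ['AUDIT_TRAIL_WRITE_FAILED', { http: 500, message: 'The action was not committed.', details: [] }],
]);

class DomainError extends Error {
  constructor(code, details) {
    super(code);
    this.code = code;
    this.details = details || {};
  }
}

// Only finite numbers, short strings from a narrow character set, and arrays
// of those pass through; anything else (objects, paths with quotes, stack
// frames, SQL text) is dropped.
function safeValue(v) {
  if (typeof v === 'number' && Number.isFinite(v)) return v;
  if (typeof v === 'string' && v.length <= 128 && /^[\w .:+\-\/]*$/.test(v)) return v;
  if (Array.isArray(v)) {
    const items = v.map(safeValue);
    return items.includes(undefined) ? undefined : items;
  }
  return undefined;
}

function toErrorEnvelope(err, correlationId) {
  // A Map lookup avoids matching inherited keys such as 'constructor'.
  const entry = err instanceof DomainError ? CATALOGUE.get(err.code) : undefined;
  if (!entry) {
    // Unknown failure (driver error, bug, unlisted code): the original message
    // and stack stay in server-side logs, keyed by correlationId.
    return { status: 500, body: { code: 'INTERNAL_ERROR', message: 'Unexpected error.', correlationId } };
  }
  const details = {};
  for (const key of entry.details) {
    const present = Object.prototype.hasOwnProperty.call(err.details, key);
    const value = present ? safeValue(err.details[key]) : undefined;
    if (value !== undefined) details[key] = value;
  }
  const body = { code: err.code, message: entry.message, correlationId };
  if (Object.keys(details).length > 0) body.details = details;
  return { status: entry.http, body };
}
```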

### 11.3 Negative-path catalogue

| Scenario | Detection | Response | UI behaviour |
|---|---|---|---|
| Critical asset qualification without executive-authority co-sign | back end | `401 MISSING_FOUNDER_COSIGN` | open executive-authority co-sign |
| Qualification complete without IQ/OQ/PQ evidence | back end | `409 QUALIFICATION_EVIDENCE_INCOMPLETE` | inline list |
| Qualification approver equals registrar / calibrator | back end | `403 APPROVER_IS_REGISTRAR` | inline error |
| PM verification by the maintainer | back end | `403 VERIFIER_IS_MAINTAINER` | inline error |
| Impact-assessment closure by the calibrator who failed it | back end | `403 IMPACT_CLOSER_IS_CALIBRATOR` | inline error |
| Impact-assessment closure without linked deviation | back end | `409 DEVIATION_NOT_LINKED` | inline error |
| Calibration lapsed (overdue) | scheduler | `EQUIPMENT_CALIBRATION_LAPSED`; set `out_of_calibration`; auto impact + deviation | banner; URS-30 alerts |
| Calibration failed | back end | `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED`; auto impact + deviation | banner; URS-30 alerts |
| PM overdue | scheduler | `EQUIPMENT_PM_OVERDUE`; block use; auto impact + deviation | banner; URS-30 alerts |
| EQ-006 returns not-available to a consumer | back end | consumer receives `not_available` + reason + suspect window | consuming surface blocks the step / disposition |
| Requalification missed beyond grace | scheduler | `EQUIPMENT_REQUALIFICATION_MISSED`; out-of-service; `regulatory_concern` | banner; URS-30 alerts |
| Mutation when tenant not `active` | back end | `403 TENANT_NOT_ACTIVE` | banner |
| Audit-write failure mid-decision | back end | `500 AUDIT_TRAIL_WRITE_FAILED` | toast; action did NOT commit |

---

## 12. Security, Privacy, and Tenant Isolation

### 12.1 Authentication dependency

URS-37 is reached only through an authenticated session per URS-01. Every Module 37 mutation goes through the URS-04 Controlled Approval Modal with electronic signature; high-risk transitions (critical-asset qualification, critical-asset retirement, return-to-service from regulatory-concern out-of-service, criticality downgrade) require multi-factor step-up.

### 12.2 Authorisation pipeline

`authenticate hook → tenant hook → rbac hook → context gate hook → asset-role overlay hook → esigService.createSignature where applicable → module37 surface action`. Module 37 owns the asset-role overlay hook position. **Target binding — greenfield; pipeline position is the intended design, implementation evidence required.**

### 12.3 Tenant isolation

Every equipment query routes through TDAL with tenant context bound per QS-5. RLS is enforced on `equipment.tenant_id` and on every child table via the parent equipment per QS-6. The EQ-006 gate, when invoked by a consuming service identity, MUST resolve within the consuming caller's tenant context; cross-tenant gate evaluation is prohibited.

### 12.4 Encryption

At rest: equipment identity, calibration-certificate references, and impact-assessment content are protected by RLS plus KMS at the storage layer; tenant residency per URS-08. In transit: TLS 1.2 or higher.

### 12.5 Logging hygiene

Logs scrub passwords, MFA tokens, and any sensitive fields. Structured logs carry the correlation identifier on every request. No `console.log` in production code per QS-19.

### 12.6 Privacy and data residency

Inherits tenant data-residency configuration from URS-08. Performed-by user identities are operational personnel data and respect residency.

### 12.7 Periodic access review

Per URS-05 §12.7: asset role overlays (`equipment_owner`, `metrology_lead`, `maintenance_lead`) reviewed at a defined cadence; the exact cadence is an `Implementation detail Unknown — evidence required` (proposed annual).

### 12.8 Periodic audit-trail review

Per URS-06 DEC-06-14: high-risk Module 37 events triaged within one business day: `EQUIPMENT_CALIBRATION_LAPSED` for critical assets; `EQUIPMENT_PM_OVERDUE` for critical assets; `EQUIPMENT_REQUALIFICATION_MISSED`; `EQUIPMENT_IMPACT_ASSESSMENT_OPENED` with severity `high`; `EQUIPMENT_STATUS_GATE_EVALUATED` returning `not_available` while blocking a URS-33 disposition.

### 12.9 Security-operations alert thresholds

| Pattern | Threshold | Severity | Channel |
|---|---|---|---|
| `EQUIPMENT_CALIBRATION_LAPSED` for critical asset | any single event | high | SOC chat + QA Lead |
| `EQUIPMENT_PM_OVERDUE` for critical asset | any single event | high | SOC chat + QA Lead |
| `EQUIPMENT_REQUALIFICATION_MISSED` | any single event | high | SOC chat + RA Lead + executive authority |
| `EQUIPMENT_IMPACT_ASSESSMENT_OPENED` severity high | any single event | high | SOC chat + QA Lead + RA Lead |
| `EQUIPMENT_STATUS_GATE_EVALUATED` not-available blocking URS-33 | any single event | informational (real-time) | SOC chat + QA Lead |
| `PLATFORM_TENANT_ACCESS_USED` for Module 37 | any single event | informational (real-time) | SOC chat |

### 12.10 Self-modification block

Registrar / calibrator cannot approve own qualification. PM maintainer cannot verify own work order. Impact-assessment closer cannot be the calibrator who failed it.

### 12.11 Secure export

Every export routes through the Controlled Approval Modal. Signed download URLs with 15-minute TTL. Integrity manifest per URS-06.

### 12.12 Cross-tenant confidentiality envelope

Equipment is strictly tenant-scoped. There is no cross-tenant equipment visibility in this module.

---

## 13. Data Integrity and ALCOA+ Controls

| Principle | Module 37 control | Requirement | Verification |
|---|---|---|---|
| Attributable | Lifecycle, calibration, PM, and impact events record signing / performing user(s) per QS-2 | URS-37-AUD-001 | Integration test |
| Legible | Asset detail rendered structured; exports in PDF + JSON | URS-37-REP-001 | Export test |
| Contemporaneous | Server-set timestamps per QS-3; calibration / PM performed-at captured at point of action | URS-37-AUD-002 | Integration test |
| Original | Calibration records and status / gate events append-only; original preserved per QS-4 | URS-37-AUD-003 | Validation test |
| Accurate | Tolerance-checked calibration; multi-cosign qualification; independent PM verification; deterministic EQ-006 | URS-37-DATA-001 | Validation test |
| Complete | Every event in §6.6 has at least one writer; suspect window captured in full | URS-37-AUD-004 | Validation test |
| Consistent | Pinned EQ-006 snapshots; dual-chain emission where applicable | URS-37-AUD-005 | Concurrency test |
| Enduring | Long-term retention; retired assets preserved; no hard delete per DEC-37-14 | URS-37-DATA-002 | Migration test |
| Available | Retired assets query-accessible; cold-tier supported via URS-35 | URS-37-REP-002 | End-to-end test |

---

## 14. Regulatory Mapping

Clauses are cited as pointers to public regulation / guidance, not reproduced text. Applicability is subject to confirmed jurisdictional and intended-use assessment.

| Identifier | Control | Regulation / Guidance | Clause | Applicable | Implementation expectation |
|---|---|---|---|---|---|
| RG-37-001 | Equipment (general) | 21 CFR Part 211 | §211.63 / §211.67 (equipment cleaning & maintenance) | Yes | Register + PM schedule + work orders |
| RG-37-002 | Automatic / mechanical / electronic equipment; calibration | 21 CFR Part 211 | §211.68 | Yes | Register + qualification + calibration |
| RG-37-003 | Calibration of instruments | 21 CFR Part 211 | §211.160(b)(4) | Yes | Calibration schedule + records + tolerance |
| RG-37-004 | Laboratory controls / OOS instrument check | 21 CFR Part 211 | §211.165 / §211.192 | Yes | EQ-006 + impact assessment + URS-15 linkage |
| RG-37-005 | Qualification & validation (IQ/OQ/PQ) | EU GMP Annex 15 | applicable | Yes | Qualification lifecycle per DEC-37-03 |
| RG-37-006 | Premises & equipment | EU GMP Chapter 3 | applicable | Yes | Register + maintenance |
| RG-37-007 | Documentation / records | EU GMP Chapter 4 | applicable | Yes | URS-12 controlled documents; audit trail |
| RG-37-008 | Equipment maintenance & calibration (API) | ICH Q7 | §5 (equipment) | Where applicable (API operations) | Calibration + PM for API equipment |
| RG-37-009 | Audit trail | 21 CFR Part 11 | §11.10(e) | Yes | URS-06 substrate |
| RG-37-010 | Electronic signatures | 21 CFR Part 11 | §11.100 / §11.200 | Yes | Regulated e-signature service per DEC-37-12 |
| RG-37-011 | Computerised systems / e-records & e-signatures | EU GMP Annex 11 | §4, §9, §12, §14 | Yes | CSV / CSA pack; audit trail; access control; e-sign |
| RG-37-012 | Records retention | EU GMP Annex 11 | §17 | Yes | Long-term retention per DEC-37-14 |
| RG-37-013 | Calibration traceability (laboratory) | ISO/IEC 17025 | applicable | Where applicable (calibration laboratory / external provider) | Standard traceability captured per DEC-37-05 |
| RG-37-014 | Risk-based qualification / impact | ICH Q9(R1) | applicable | Yes | Criticality-driven rigor; impact severity |
| RG-37-015 | Risk-based assurance | FDA CSA Final Guidance | applicable | Yes | Risk classification per validation pack |
| RG-37-016 | ALCOA+ data integrity | MHRA Data Integrity Guidance (2018) | nine principles | Yes | §13 mapping |
| RG-37-017 | AI/ML in GMP (draft) | EU GMP Annex 22 | **Draft** | Forward-looking only | No AI in critical path per DEC-37-17; documented exclusion |
| RG-37-018 | EU AI Act applicability | Regulation (EU) 2024/1689 | Article 3(1) | Not applicable | No AI in module; documented exclusion |
| RG-37-019 | Analytical instrument qualification | USP <1058> | applicable | Where applicable (analytical instruments) | Qualification grouping informs DEC-37-03 matrix |
| RG-37-020 | India equipment / calibration expectations | India Drugs and Cosmetics Act 1940; Drugs Rules 1945; Revised Schedule M (equipment, calibration, maintenance of premises & equipment) | applicable per India tenant operation | Conditional (India operation) | Subject to external jurisdictional legal / RA confirmation; `Conclusion fact-dependent — jurisdiction required` |

### 14.1 Predicate-rule applicability matrix

| Record / artifact | Predicate-rule basis | Part 11 applicable? | Retention | Owner | Evidence |
|---|---|---|---|---|---|
| Equipment record (lifecycle states) | Equipment control evidence (211.63/68) | Yes | retain (long-term) | Engineering / QA | Lifecycle audit chain |
| Qualification records (IQ/OQ/PQ) | Qualification evidence (Annex 15) | Yes | retain (long-term) | Validation / QA | Qualification rows + URS-12 evidence |
| Calibration schedule + records | Calibration evidence (211.160(b)(4)) | Yes | retain (long-term) | Metrology / QA | Schedule + records + URS-12 certificate |
| PM schedule + work orders | Maintenance evidence (211.67) | Yes | retain (long-term) | Maintenance / QA | Schedule + work orders + URS-12 plan |
| Impact assessments | OOS / deviation evidence (211.192) | Yes | retain (long-term) | QA / Metrology | Impact rows + URS-16 + URS-15 |
| EQ-006 gate evaluations (pinned) | Decision-basis evidence | Yes | retain (long-term) | QA | Gate evaluation rows + pinned snapshots |
| Status / lifecycle events | Equipment control evidence | Yes | retain (long-term) | Engineering / QA | Status event chain |

---

## 15. URS Requirements Register

Each requirement is a target requirement for a greenfield module; all are `Evidence Status: Unknown — repo evidence required` until implemented and tested.

### 15.1 Front-end (FE)

- URS-37-FE-001 — Equipment register browser MUST surface filters by category, criticality, status, scope, calibration-due, PM-due, overdue. Priority MUST. Risk MEDIUM.
- URS-37-FE-002 — Per-asset detail tabbed view per §5.2 with status banner showing base state, modifiers, and EQ-006 availability. Priority MUST. Risk MEDIUM.
- URS-37-FE-003 — Asset registration wizard MUST flag critical assets and surface required co-signs. Priority MUST. Risk HIGH.
- URS-37-FE-004 — Qualification workflow MUST present the IQ/OQ/PQ stage checklist with URS-12 evidence links. Priority MUST. Risk HIGH.
- URS-37-FE-005 — Calibration record surface MUST capture as-found / as-left, tolerance, standard, result, certificate link, and highlight fail. Priority MUST. Risk HIGH.
- URS-37-FE-006 — PM work-order surface MUST present the `open → in_progress → completed → verified` lifecycle and highlight overdue. Priority MUST. Risk HIGH.
- URS-37-FE-007 — Impact-assessment surface MUST display suspect window, affected-batch list, and URS-15/16 links. Priority MUST. Risk HIGH.
- URS-37-FE-008 — Status / lifecycle surface MUST present only allowed transitions and require reason + co-sign. Priority MUST. Risk HIGH.
- URS-37-FE-009 — Discovery view MUST surface records intersecting the asset scope. Priority MUST. Risk MEDIUM.
- URS-37-FE-010 — Every route in §5.1 MUST be registered. Priority MUST. Risk LOW.
- URS-37-FE-011 — All Module 37 surfaces MUST meet WCAG 2.1 Level AA and wrap pages in an ErrorBoundary per QS-17. Priority MUST. Risk MEDIUM.

### 15.2 Back-end (BE)

- URS-37-BE-001 — Qualification completion MUST require an approver independent of the registrar / calibrator per `AUTHOR_NEQ_APPROVER`. Priority MUST. Risk HIGH.
- URS-37-BE-002 — Critical-asset qualification / retirement / regulatory return-to-service MUST require executive-authority co-sign with MFA per DEC-37-13. Priority MUST. Risk CRITICAL.
- URS-37-BE-003 — IQ/OQ/PQ evidence per DEC-37-03 MUST be present before `in_qualification → qualified`. Priority MUST. Risk HIGH.
- URS-37-BE-004 — Failed / lapsed calibration MUST set `out_of_calibration` and auto-create impact + deviation per DEC-37-09. Priority MUST. Risk CRITICAL.
- URS-37-BE-005 — Open / overdue PM MUST set `under_maintenance` / overdue-PM and block GxP use per DEC-37-06. Priority MUST. Risk HIGH.
- URS-37-BE-006 — PM verification MUST require an independent verifier per `MAINTAINER_NEQ_PM_VERIFIER`. Priority MUST. Risk HIGH.
- URS-37-BE-007 — Impact-assessment closure MUST require a closer independent of the calibrator and a linked deviation per `CALIBRATOR_NEQ_IMPACT_CLOSER` / DEC-37-09. Priority MUST. Risk HIGH.
- URS-37-BE-008 — EQ-006 MUST be deterministic and evaluate base state + calibration coverage + PM currency at time `T` per DEC-37-08. Priority MUST. Risk CRITICAL.
- URS-37-BE-009 — EQ-006 evaluations consumed by in-flight regulated decisions MUST be persisted as pinned snapshots per DEC-37-15. Priority MUST. Risk HIGH.
- URS-37-BE-010 — Base-state transitions affecting GxP use MUST be authority-gated + e-signed with a bound `electronic_signatures` row per DEC-37-12. Priority MUST. Risk CRITICAL.
- URS-37-BE-011 — Hard delete prohibited; retirement is a lifecycle state; soft-delete only for non-qualified drafts per DEC-37-14. Priority MUST. Risk HIGH.
- URS-37-BE-012 — Criticality downgrade MUST require `regulatory_oversight_admin` co-sign per DEC-37-02. Priority MUST. Risk MEDIUM.
- URS-37-BE-013 — Equipment scope MUST use `scope_jsonb` compatible with URS-05; authority resolved at decision time `scopeSource:'context'` per DEC-37-16. Priority MUST. Risk HIGH.
- URS-37-BE-014 — Module 37 mutations MUST be blocked when tenant not `active`. Priority MUST. Risk CRITICAL.
- URS-37-BE-015 — Audit-log writes MUST be atomic with the originating action. Priority MUST. Risk CRITICAL.
- URS-37-BE-016 — Suspect window MUST span last good calibration / verified PM to detection and flag affected batches (URS-23) per BR-37-20. Priority MUST. Risk HIGH.
- URS-37-BE-017 — Calibration certificates / qualification protocols / PM plans MUST be stored as URS-12 controlled documents per DEC-37-11. Priority MUST. Risk MEDIUM.
- URS-37-BE-018 — No `any` types; parameterized SQL only; typed query results per QS-10 and prohibited-pattern rules. Priority MUST. Risk HIGH.

### 15.3 Workflow (WF)

- URS-37-WF-001 — Equipment base-state machine per Diagram 6.1-B. Priority MUST. Risk CRITICAL.
- URS-37-WF-002 — Calibration due-date engine per Diagram 6.1-C. Priority MUST. Risk HIGH.
- URS-37-WF-003 — PM work-order lifecycle with independent verification. Priority MUST. Risk HIGH.
- URS-37-WF-004 — Out-of-cal / overdue-PM impact-assessment flow per J-12. Priority MUST. Risk CRITICAL.
- URS-37-WF-005 — EQ-006 status-gate decision per Diagram 6.1-D. Priority MUST. Risk CRITICAL.

### 15.4 Data (DATA)

- URS-37-DATA-001 — Deterministic EQ-006 + tolerance-checked calibration + independent verification. Priority MUST. Risk CRITICAL.
- URS-37-DATA-002 — Long-term retention; no hard delete. Priority MUST. Risk HIGH.
- URS-37-DATA-003 — `scope_jsonb` compatibility with URS-05 §6.2.1. Priority MUST. Risk HIGH.

### 15.5 Security (SEC)

- URS-37-SEC-001 — Tenant isolation via TDAL + RLS on every table. Priority MUST. Risk CRITICAL.
- URS-37-SEC-002 — Multi-factor step-up for critical-asset transitions. Priority MUST. Risk HIGH.
- URS-37-SEC-003 — Self-modification block (registrar / calibrator / maintainer). Priority MUST. Risk HIGH.

### 15.6 Audit (AUD)

- URS-37-AUD-001 — Every Module 37 mutation produces an audit row through URS-06. Priority MUST. Risk CRITICAL.
- URS-37-AUD-002 — Server-set timestamps. Priority MUST. Risk HIGH.
- URS-37-AUD-003 — Append-only calibration records, status events, gate evaluations. Priority MUST. Risk HIGH.
- URS-37-AUD-004 — Every event in §6.6 has at least one writer. Priority MUST. Risk HIGH.
- URS-37-AUD-005 — Pinned EQ-006 snapshots preserve decision basis. Priority MUST. Risk HIGH.

### 15.7 AI / HITL (AI)

- URS-37-AI-001 — No AI / ML in any quality-critical path; static analysis MUST find zero LLM SDK references per QS-21 / DEC-37-17. Priority MUST. Risk HIGH.
- URS-37-AI-002 — Any AI assist (interval suggestion, failure prediction) is advisory only, `ai_advisory = true`, logged to `ai_requests` / `llm_audit_log`, human-accepted. Priority MUST. Risk HIGH.

### 15.8 Integration (INT)

- URS-37-INT-001 — EQ-006 consumed by URS-33 batch disposition (closes URS-33 §21 equipment finding). Priority MUST. Risk CRITICAL.
- URS-37-INT-002 — EQ-006 consumed at point of use by URS-23 / URS-24 / URS-25. Priority MUST. Risk CRITICAL.
- URS-37-INT-003 — Auto-deviation into URS-16 on out-of-cal / overdue PM. Priority MUST. Risk HIGH.
- URS-37-INT-004 — OOS instrument-check linkage with URS-15. Priority MUST. Risk HIGH.
- URS-37-INT-005 — URS-04 e-sig ceremony for every signed action. Priority MUST. Risk CRITICAL.
- URS-37-INT-006 — URS-05 authority gating; executive authority for critical. Priority MUST. Risk HIGH.
- URS-37-INT-007 — URS-06 audit substrate. Priority MUST. Risk CRITICAL.
- URS-37-INT-008 — URS-08 tenant lifecycle gating. Priority MUST. Risk CRITICAL.
- URS-37-INT-009 — URS-09 site reference; URS-11 supplier reference. Priority MUST. Risk MEDIUM.
- URS-37-INT-010 — URS-12 certificates / protocols / PM plans. Priority MUST. Risk MEDIUM.
- URS-37-INT-011 — URS-30 due / overdue notifications and escalation. Priority MUST. Risk MEDIUM.

### 15.9 Reporting (REP)

- URS-37-REP-001 — Reports per §9 exportable with electronic signature. Priority MUST. Risk MEDIUM.
- URS-37-REP-002 — EQ-006 gate-log and discovery exports carry integrity manifest end-to-end. Priority MUST. Risk HIGH.
- URS-37-REP-003 — Signed download URL TTL 15 minutes. Priority MUST. Risk MEDIUM.

### 15.10 Notifications (NOTIF)

- URS-37-NOTIF-001 — Notifications per §10 delivered through URS-30. Priority MUST. Risk MEDIUM.
- URS-37-NOTIF-002 — Overdue critical calibration / PM escalates with `regulatory_concern`. Priority MUST. Risk HIGH.

### 15.11 Validation (VAL)

- URS-37-VAL-001 — Test execution covers IQ (schema, RLS, indexes, lifecycle bootstrap, EQ-006 bootstrap), OQ, PQ, regression.
- URS-37-VAL-002 — OQ validates every API endpoint, every error code, every base-state transition, every modifier set/clear path, every audit event writer.
- URS-37-VAL-003 — PQ validates EQ-006 gate and due-date engines under representative tenant volume and concurrent consumers.
- URS-37-VAL-004 — Regression on every Class 1 / Class 2 change (especially EQ-006 gate logic).
- URS-37-VAL-005 — Requirements-to-test traceability per §16.4.
- URS-37-VAL-006 — Configuration specification authored for qualification / calibration / PM interval matrices (currently `Implementation detail Unknown — evidence required`).
- URS-37-VAL-007 — Inspection-ready evidence index per §17.2.
- URS-37-VAL-008 — Migration evidence gate: schema migrations idempotent with rollback comment per QS-13; restore drill verifies equipment / calibration / PM / gate history integrity.

---

## 16. Acceptance Criteria and Test Cases

### 16.1 Plain-language test cases

- TC-37-P-01 — A new HPLC cannot be placed in service until IQ/OQ/PQ are complete and signed.
- TC-37-P-02 — A critical asset requires executive-authority co-sign at qualification.
- TC-37-P-03 — The user who registered / calibrated an asset cannot approve its qualification.
- TC-37-P-04 — A passed calibration advances the next-due date by the interval.
- TC-37-P-05 — A failed calibration marks the asset out-of-calibration and blocks its use.
- TC-37-P-06 — A lapsed (overdue) calibration marks the asset out-of-calibration and raises a deviation.
- TC-37-P-07 — A failed / lapsed calibration auto-creates an impact assessment and flags affected batches.
- TC-37-P-08 — A PM work order cannot be verified by the person who performed it.
- TC-37-P-09 — Overdue preventive maintenance blocks GxP use of the equipment.
- TC-37-P-10 — Batch disposition (URS-33) is blocked when EQ-006 reports a critical instrument was out of calibration during the manufacturing window.
- TC-37-P-11 — An impact assessment cannot be closed by the calibrator who failed the calibration.
- TC-37-P-12 — A retired asset and its full history remain visible for inspection.
- TC-37-P-13 — Equipment mutations are blocked when the tenant is not `active`.
- TC-37-P-14 — An overdue requalification takes the asset out of service with a regulatory-concern flag.

### 16.2 Technical test cases

- TC-37-T-01 — Qualification completion by registrar returns `403 APPROVER_IS_REGISTRAR`.
- TC-37-T-02 — Critical-asset qualification without executive-authority co-sign returns `401 MISSING_FOUNDER_COSIGN`.
- TC-37-T-03 — Qualification complete without IQ/OQ/PQ evidence returns `409 QUALIFICATION_EVIDENCE_INCOMPLETE`.
- TC-37-T-04 — Passed calibration sets `next_due = record_date + interval`.
- TC-37-T-05 — Failed calibration sets `out_of_calibration_flag` and emits `EQUIPMENT_OUT_OF_CALIBRATION_FLAGGED`.
- TC-37-T-06 — Scheduler past next-due emits `EQUIPMENT_CALIBRATION_LAPSED` and sets `out_of_calibration_flag`.
- TC-37-T-07 — Failed / lapsed calibration auto-creates `equipment_impact_assessments` row + linked URS-16 deviation.
- TC-37-T-08 — PM verify by the maintainer returns `403 VERIFIER_IS_MAINTAINER`.
- TC-37-T-09 — Overdue PM causes EQ-006 to return `not_available` with reason `overdue_pm`.
- TC-37-T-10 — EQ-006 for `T` inside a calibration-lapse window returns `not_available` with reason `out_of_calibration` and the suspect window.
- TC-37-T-11 — EQ-006 evaluation consumed by URS-33 persists a pinned snapshot row.
- TC-37-T-12 — Impact-assessment closure by the failing calibrator returns `403 IMPACT_CLOSER_IS_CALIBRATOR`.
- TC-37-T-13 — Impact-assessment closure without linked deviation returns `409 DEVIATION_NOT_LINKED`.
- TC-37-T-14 — Mutation when tenant `suspended` returns `403 TENANT_NOT_ACTIVE`.
- TC-37-T-15 — Schema migrations idempotent; RLS enabled on every table; rollback comment present.
- TC-37-T-16 — Penetration test: cross-tenant equipment query returns RLS-empty.
- TC-37-T-17 — EQ-006 determinism: identical inputs over the same state yield identical results across repeated calls.
- TC-37-T-18 — Discovery export integrity manifest includes Merkle proofs per URS-06.
- TC-37-T-19 — Static analysis finds zero LLM SDK references in Module 37 source.
- TC-37-T-20 — Base-state transition `qualified → out_of_service` requires a bound `electronic_signatures` row.
- TC-37-T-21 — Requalification missed beyond grace emits `EQUIPMENT_REQUALIFICATION_MISSED` and sets out-of-service.
- TC-37-T-22 — Hard delete of a calibration record is rejected; soft-delete only on a non-qualified draft asset.
- TC-37-T-23 — `EQUIPMENT_REGISTER_VIEW_OPENED` and `EQUIPMENT_DISCOVERY_VIEW_OPENED` emit once per session.
- TC-37-T-24 — Criticality downgrade without `regulatory_oversight_admin` co-sign returns `401 MISSING_RA_COSIGN`.
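
An added example, not Verixa code (the module is greenfield), of a gate function with the behaviour that TC-37-T-04, TC-37-T-09, TC-37-T-10 and TC-37-T-17 test for: a pure evaluation of base state, calibration coverage and PM currency at time `T`. The record shapes, the `available` value, the `not_in_service` reason and the use of the next-due instant as the detection point for a lapse are assumptions; the sample history is constructed.

```typescript
// Added illustration of an EQ-006-style gate; not Verixa code. Field names, the
// "available" value and the "not_in_service" reason are assumptions.
type BaseState = "registered" | "in_qualification" | "qualified" | "out_of_service" | "retired";
type GateReason = "not_in_service" | "out_of_calibration" | "overdue_pm";

interface EquipmentStatusEvent { at: number; state: BaseState } // epoch ms, append-only
interface CalibrationRecord { recordDate: number; result: "pass" | "fail"; intervalMs: number }
interface PmWorkOrder { dueAt: number; verifiedAt: number | null } // null = not yet verified
interface AssetHistory {
  statusEvents: EquipmentStatusEvent[];
  calibrations: CalibrationRecord[];
  pmWorkOrders: PmWorkOrder[];
}
interface SuspectWindow { from: number; to: number }
type GateResult =
  | { availability: "available" }
  | { availability: "not_available"; reason: GateReason; suspectWindow?: SuspectWindow };

// TC-37-T-04: a passed calibration sets next_due = record_date + interval.
function nextDue(rec: CalibrationRecord): number {
  return rec.recordDate + rec.intervalMs;
}

function blocked(reason: GateReason, suspectWindow?: SuspectWindow): GateResult {
  return suspectWindow
    ? { availability: "not_available", reason, suspectWindow }
    : { availability: "not_available", reason };
}

// Pure function of (history, t): no clock reads, no I/O, inputs are never mutated,
// so identical inputs over the same state give identical results (TC-37-T-17).
function evaluateEq006(history: AssetHistory, t: number): GateResult {
  // 1. Base state in force at t: the latest status event at or before t.
  const events = history.statusEvents.slice().sort((a, b) => a.at - b.at);
  let state: BaseState | null = null;
  for (const e of events) {
    if (e.at <= t) state = e.state;
  }
  if (state !== "qualified") return blocked("not_in_service");

  // 2. Calibration coverage: find the last passed calibration at or before t and
  //    the record that immediately follows it.
  const cals = history.calibrations.slice().sort((a, b) => a.recordDate - b.recordDate);
  let lastGood: CalibrationRecord | null = null;
  let following: CalibrationRecord | null = null;
  for (const c of cals) {
    if (c.result === "pass" && c.recordDate <= t) {
      lastGood = c;
      following = null;
    } else if (lastGood !== null && following === null) {
      following = c;
    }
  }
  if (lastGood === null) return blocked("out_of_calibration"); // never calibrated by t
  if (following !== null && following.result === "fail") {
    // A failure recorded after the last good calibration makes the whole span suspect,
    // including instants before the failure was detected (TC-37-T-10).
    return blocked("out_of_calibration", { from: lastGood.recordDate, to: following.recordDate });
  }
  if (t > nextDue(lastGood)) {
    // Lapse: detection is taken as the next-due instant (assumption).
    return blocked("out_of_calibration", { from: lastGood.recordDate, to: nextDue(lastGood) });
  }

  // 3. PM currency: a work order already due at t and not verified by t is overdue (TC-37-T-09).
  for (const wo of history.pmWorkOrders) {
    const unverifiedAtT = wo.verifiedAt === null || wo.verifiedAt > t;
    if (wo.dueAt < t && unverifiedAtT) return blocked("overdue_pm");
  }
  return { availability: "available" };
}

const DAY_MS = 86400000;
const ts = (iso: string): number => Date.parse(iso);

// Constructed sample history for one instrument (not real data).
const sampleHistory: AssetHistory = {
  statusEvents: [
    { at: ts("2024-01-01T00:00:00Z"), state: "registered" },
    { at: ts("2024-01-10T00:00:00Z"), state: "qualified" },
  ],
  calibrations: [
    { recordDate: ts("2024-01-10T00:00:00Z"), result: "pass", intervalMs: 90 * DAY_MS },
    { recordDate: ts("2024-04-05T00:00:00Z"), result: "fail", intervalMs: 90 * DAY_MS },
    { recordDate: ts("2024-04-08T00:00:00Z"), result: "pass", intervalMs: 90 * DAY_MS },
  ],
  pmWorkOrders: [
    { dueAt: ts("2024-03-01T00:00:00Z"), verifiedAt: ts("2024-02-27T00:00:00Z") },
    { dueAt: ts("2024-06-01T00:00:00Z"), verifiedAt: null },
  ],
};
```

In the sample history, an evaluation for 2024-03-15 returns `not_available` even though the failure was only recorded on 2024-04-05, which is the retrospective case TC-37-P-10 describes.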

### 16.3 Acceptance criteria

- AC-37-FUN-01 — Given a registrar attempts qualification approval, When called, Then `403 APPROVER_IS_REGISTRAR`.
- AC-37-FUN-02 — Given a critical asset, When qualification submitted without executive-authority co-sign, Then `401 MISSING_FOUNDER_COSIGN`.
- AC-37-FUN-03 — Given missing IQ/OQ/PQ evidence, When qualification complete attempted, Then `409 QUALIFICATION_EVIDENCE_INCOMPLETE`.
- AC-37-FUN-04 — Given a failed calibration, When recorded, Then `out_of_calibration` set, EQ-006 not-available, impact + deviation created.
- AC-37-FUN-05 — Given a lapsed calibration, When scheduler fires, Then `EQUIPMENT_CALIBRATION_LAPSED`, out-of-calibration, impact + deviation.
- AC-37-FUN-06 — Given a PM verify by the maintainer, When attempted, Then `403 VERIFIER_IS_MAINTAINER`.
- AC-37-FUN-07 — Given an overdue PM, When EQ-006 queried, Then `not_available` reason `overdue_pm`.
- AC-37-FUN-08 — Given a critical instrument out of calibration during a batch window, When URS-33 calls EQ-006, Then disposition is blocked.
- AC-37-FUN-09 — Given a mutation when tenant not `active`, Then `403 TENANT_NOT_ACTIVE`.
- AC-37-DI-01 — EQ-006 is deterministic over identical state.
- AC-37-DI-02 — Pinned snapshot reproduces the decision basis at time `T`.
- AC-37-DI-03 — Backup-restore drill reproduces equipment lifecycle, calibration, PM, and gate history and chain HEAD.
- AC-37-AUD-01 — Every Module 37 mutation produces an audit row through URS-06.
- AC-37-AUD-02 — Audit-write failure rolls back the originating action.
- AC-37-INT-01 — EQ-006 consumed by URS-33 / URS-23 / URS-24 / URS-25 / URS-15 returns the correct availability.
- AC-37-INT-02 — Out-of-cal / overdue PM auto-raises a URS-16 deviation.
- AC-37-AI-01 — Static analysis finds zero LLM SDK references.
- AC-37-NEG-01 — Every error code in §11.2 reachable by automated test.
- AC-37-PERF-01 — EQ-006 gate p95 response time: `Performance threshold Unknown — evidence required`.
- AC-37-SEC-01 — Penetration test: cross-tenant equipment query returns RLS-empty.
- AC-37-MIG-01 — Module 37 migrations idempotent with rollback comment.
- AC-37-MIG-02 — Restore drill reproducible.

### 16.4 Requirements-to-test traceability

| Requirement | Plain-language | Technical | Given / When / Then |
|---|---|---|---|
| URS-37-FE-001 | — | (UI test) | — |
| URS-37-FE-002 | — | (UI test) | — |
| URS-37-FE-003 | TC-37-P-02 | TC-37-T-02 | AC-37-FUN-02 |
| URS-37-FE-004 | TC-37-P-01 | TC-37-T-03 | AC-37-FUN-03 |
| URS-37-FE-005 | TC-37-P-05 | TC-37-T-05 | AC-37-FUN-04 |
| URS-37-FE-006 | TC-37-P-08, TC-37-P-09 | TC-37-T-08, TC-37-T-09 | AC-37-FUN-06, AC-37-FUN-07 |
| URS-37-FE-007 | TC-37-P-07, TC-37-P-11 | TC-37-T-07, TC-37-T-12 | AC-37-INT-02 |
| URS-37-FE-008 | — | TC-37-T-20 | — |
| URS-37-FE-009 | — | TC-37-T-23 | — |
| URS-37-FE-010 | — | TC-37-T-15 | — |
| URS-37-FE-011 | — | (accessibility test) | — |
| URS-37-BE-001 | TC-37-P-03 | TC-37-T-01 | AC-37-FUN-01 |
| URS-37-BE-002 | TC-37-P-02 | TC-37-T-02 | AC-37-FUN-02 |
| URS-37-BE-003 | TC-37-P-01 | TC-37-T-03 | AC-37-FUN-03 |
| URS-37-BE-004 | TC-37-P-05, TC-37-P-06 | TC-37-T-05, TC-37-T-06, TC-37-T-07 | AC-37-FUN-04, AC-37-FUN-05 |
| URS-37-BE-005 | TC-37-P-09 | TC-37-T-09 | AC-37-FUN-07 |
| URS-37-BE-006 | TC-37-P-08 | TC-37-T-08 | AC-37-FUN-06 |
| URS-37-BE-007 | TC-37-P-11 | TC-37-T-12, TC-37-T-13 | — |
| URS-37-BE-008 | TC-37-P-10 | TC-37-T-10, TC-37-T-17 | AC-37-FUN-08, AC-37-DI-01 |
| URS-37-BE-009 | — | TC-37-T-11 | AC-37-DI-02 |
| URS-37-BE-010 | — | TC-37-T-20 | — |
| URS-37-BE-011 | TC-37-P-12 | TC-37-T-22 | — |
| URS-37-BE-012 | — | TC-37-T-24 | — |
| URS-37-BE-013 | — | (scope test) | — |
| URS-37-BE-014 | TC-37-P-13 | TC-37-T-14 | AC-37-FUN-09 |
| URS-37-BE-015 | — | (atomicity test) | AC-37-AUD-02 |
| URS-37-BE-016 | TC-37-P-07 | TC-37-T-07 | AC-37-INT-02 |
| URS-37-BE-017 | — | (URS-12 integration test) | — |
| URS-37-BE-018 | — | (static type / SQL test) | — |
| URS-37-WF-001 | — | (state machine test) | — |
| URS-37-WF-002 | TC-37-P-04, TC-37-P-06 | TC-37-T-04, TC-37-T-06 | AC-37-FUN-05 |
| URS-37-WF-003 | TC-37-P-08 | TC-37-T-08 | AC-37-FUN-06 |
| URS-37-WF-004 | TC-37-P-07 | TC-37-T-07 | AC-37-INT-02 |
| URS-37-WF-005 | TC-37-P-10 | TC-37-T-10, TC-37-T-17 | AC-37-FUN-08, AC-37-DI-01 |
| URS-37-DATA-001 | — | TC-37-T-17 | AC-37-DI-01 |
| URS-37-DATA-002 | TC-37-P-12 | TC-37-T-22 | — |
| URS-37-DATA-003 | — | (scope test) | — |
| URS-37-SEC-001 | — | TC-37-T-15, TC-37-T-16 | AC-37-SEC-01 |
| URS-37-SEC-002 | TC-37-P-02 | TC-37-T-02 | — |
| URS-37-SEC-003 | TC-37-P-03, TC-37-P-08, TC-37-P-11 | TC-37-T-01, TC-37-T-08, TC-37-T-12 | — |
| URS-37-AUD-001 | — | TC-37-T-23 | AC-37-AUD-01 |
| URS-37-AUD-002 | — | (server timestamp test) | — |
| URS-37-AUD-003 | — | TC-37-T-22 | — |
| URS-37-AUD-004 | — | (writer-presence test) | — |
| URS-37-AUD-005 | — | TC-37-T-11 | AC-37-DI-02 |
| URS-37-AI-001 | — | TC-37-T-19 | AC-37-AI-01 |
| URS-37-AI-002 | — | (URS-32 advisory test) | — |
| URS-37-INT-001 | TC-37-P-10 | TC-37-T-11 | AC-37-FUN-08, AC-37-INT-01 |
| URS-37-INT-002 | — | (URS-23/24/25 integration test) | AC-37-INT-01 |
| URS-37-INT-003 | TC-37-P-06 | TC-37-T-07 | AC-37-INT-02 |
| URS-37-INT-004 | — | (URS-15 integration test) | — |
| URS-37-INT-005 | — | TC-37-T-20 | — |
| URS-37-INT-006 | TC-37-P-02 | TC-37-T-02 | — |
| URS-37-INT-007 | — | TC-37-T-23 | AC-37-AUD-01 |
| URS-37-INT-008 | TC-37-P-13 | TC-37-T-14 | AC-37-FUN-09 |
| URS-37-INT-009 | — | (URS-09 / URS-11 integration test) | — |
| URS-37-INT-010 | — | (URS-12 integration test) | — |
| URS-37-INT-011 | TC-37-P-14 | TC-37-T-21 | — |
| URS-37-REP-001 | — | TC-37-T-18 | — |
| URS-37-REP-002 | — | TC-37-T-18 | — |
| URS-37-REP-003 | — | (TTL test) | — |
| URS-37-NOTIF-001 | — | (notification delivery test) | — |
| URS-37-NOTIF-002 | TC-37-P-14 | TC-37-T-21 | — |
| URS-37-VAL-001 | — | TC-37-T-15 | — |
| URS-37-VAL-002 | All applicable | All applicable | All applicable |
| URS-37-VAL-003 | — | (PQ test) | AC-37-PERF-01 |
| URS-37-VAL-004 | — | full TC-37-T suite | — |
| URS-37-VAL-005 | — | this table is the seed | — |
| URS-37-VAL-006 | — | (configuration specification) | — |
| URS-37-VAL-007 | — | (evidence index) | — |
| URS-37-VAL-008 | — | TC-37-T-15 | AC-37-MIG-01, AC-37-MIG-02 |

---

## 17. Validation and CSV/CSA Evidence Expectations

| Item | Required evidence |
|---|---|
| URS traceability | Per §16.4 |
| Risk assessment | GAMP 5 risk register; risk-based assurance per FDA CSA; EQ-006 gate classified High Process Risk |
| Configuration specification | Documented seed of equipment-category registry; criticality matrix; qualification / calibration / PM interval matrices (currently `Implementation detail Unknown — evidence required`) |
| Functional specification | Matches §6 (to be authored against the target design) |
| Design specification | Matches §6.1–§6.4 (to be authored; greenfield) |
| Test protocols | IQ (schema, RLS, indexes, lifecycle bootstrap, EQ-006 bootstrap), OQ per URS-37-VAL-002, PQ per URS-37-VAL-003, regression per URS-37-VAL-004 |
| Test evidence | Pass / fail per protocol step |
| Defect log | Defects mapped to URS requirements |
| Requirements traceability matrix | Per §16.4 |
| Release approval | Electronically signed by Quality Lead, Validation Lead, Engineering / Metrology Lead, Information Security Lead, Regulatory Affairs Lead, executive authority |
| Training record | Engineering, QA, validation, RA, metrology, maintenance personnel trained on Module 37 |
| Periodic review | Annual per Annex 11 §11; trigger reviews on every Class 1 / Class 2 change (especially EQ-006 gate logic) |
| Data migration evidence | Backfill of equipment-category registry; interval matrices; restore drill verifies equipment / calibration / PM / gate history integrity |

### 17.1 Supplier and service-provider qualification pack

| Category | Required evidence |
|---|---|
| Cloud hosting provider | Inherited from URS-01 §17.1 |
| Document control provider (URS-12) | Right-to-audit; retention compliance |
| Notification provider (URS-30) | Inherited from URS-01 §17.1 |
| Backup / restore provider (URS-35) | Restore drill preserving equipment lifecycle, calibration, PM, and gate history and chain HEAD |
| Security-operations / SIEM | Alert routing per §12.9 |
| External calibration providers (where used; qualified via URS-11) | Calibration-provider qualification + metrological traceability evidence |

### 17.2 Inspection-ready evidence index

| Evidence item | Owner | Location / system of record | Retention | Linked requirement | Inspection use |
|---|---|---|---|---|---|
| Equipment record (lifecycle) | Engineering / QA | `equipment` + `equipment_status_events` + URS-06 | retain (long-term) | URS-37-WF-001 | demonstrate equipment control |
| Qualification records | Validation / QA | `equipment_qualifications` + URS-12 | retain (long-term) | URS-37-BE-003 | demonstrate IQ/OQ/PQ |
| Calibration schedule + records | Metrology / QA | `equipment_calibration_schedules` + `equipment_calibration_records` + URS-12 | retain (long-term) | URS-37-WF-002 | demonstrate calibration control |
| PM schedule + work orders | Maintenance / QA | `equipment_pm_schedules` + `equipment_pm_work_orders` + URS-12 | retain (long-term) | URS-37-WF-003 | demonstrate maintenance control |
| Impact assessments | QA / Metrology | `equipment_impact_assessments` + URS-16 + URS-15 | retain (long-term) | URS-37-WF-004 | demonstrate out-of-cal / overdue-PM governance |
| EQ-006 gate evaluations (pinned) | QA | `equipment_status_gate_evaluations` | retain (long-term) | URS-37-WF-005 | demonstrate disposition / point-of-use gating |
| Validation evidence pack (IQ / OQ / PQ) | Validation | testing system of record | retain per release | URS-37-VAL-001..008 | release approval |
| Release approval (electronically signed) | Founder, QA, RA, Validation, IS, Engineering / Metrology | URS-12 | retain per release | URS-37-VAL-007 | demonstrate authority chain for release |

---

## 18. Closed Decision and Dependency Register

### 18.1 Closed Decisions Register

| Closed decision | Spec reference |
|---|---|
| Equipment categories and sub-classifications | DEC-37-01 |
| Criticality classification (critical / major / minor) | DEC-37-02 |
| Equipment qualification (IQ/OQ/PQ) matrix | DEC-37-03 |
| Periodic requalification cadence | DEC-37-04 |
| Calibration schedule + records + tolerance + traceability | DEC-37-05 |
| Preventive-maintenance schedule + work-order states | DEC-37-06 |
| Equipment status lifecycle (base states + modifiers) | DEC-37-07 |
| EQ-006 equipment-status-gate (read-only, deterministic) | DEC-37-08 |
| Out-of-cal / overdue-PM impact assessment + deviation linkage | DEC-37-09 |
| Calibration / PM / overdue notification + escalation | DEC-37-10 |
| Certificates / protocols / PM plans as URS-12 documents | DEC-37-11 |
| Authority-gated + e-signed GxP-use transitions | DEC-37-12 |
| Executive-authority co-sign for critical transitions | DEC-37-13 |
| No hard delete; retirement as lifecycle state | DEC-37-14 |
| Snapshot pinning for EQ-006 decision basis | DEC-37-15 |
| `scope_jsonb` scope + decision-time authority resolution | DEC-37-16 |
| Static / deterministic only; no AI in critical path | DEC-37-17 |

### 18.2 Dependencies

| ID | Dependency | Source | Impact | Blocking? | Mitigation |
|---|---|---|---|---|---|
| DEP-37-01 | URS-01 authentication, MFA | URS-01 | Substrate | Blocking | none |
| DEP-37-02 | URS-02 base roles, permissions | URS-02 | Role / permission gate | Blocking | none |
| DEP-37-03 | URS-03 active scope | URS-03 | Scope resolution; discovery | Blocking | none |
| DEP-37-04 | URS-04 e-sig ceremony | URS-04 | Lifecycle / status signatures | Blocking | none |
| DEP-37-05 | URS-05 authority resolver, scope dimensions | URS-05 | Status-change authority; new `engineering_metrology_authority` profile | Blocking | URS-05 catalogue addition required |
| DEP-37-06 | URS-06 audit substrate | URS-06 | Audit | Blocking | none |
| DEP-37-07 | URS-08 tenant lifecycle | URS-08 | Mutation gating | Blocking | none |
| DEP-37-08 | URS-09 site catalogue | URS-09 | Asset location reference | Blocking | none |
| DEP-37-09 | URS-11 supplier management | URS-11 | Equipment-vendor / calibration-provider reference | Blocking | none |
| DEP-37-10 | URS-12 document control | URS-12 | Certificates / protocols / PM plans | Blocking | none |
| DEP-37-11 | URS-15 OOS | URS-15 | Instrument-check + impact-assessment OOS linkage | Blocking (consumer) | none |
| DEP-37-12 | URS-16 deviations | URS-16 | Auto-deviation on out-of-cal / overdue PM | Blocking (consumer) | none |
| DEP-37-13 | URS-23 batch records | URS-23 | EQ-006 point-of-use; affected-batch flagging | Blocking (consumer) | none |
| DEP-37-14 | URS-24 stability / URS-25 EM | URS-24 / URS-25 | EQ-006 point-of-use | Blocking (consumer) | none |
| DEP-37-15 | URS-30 notifications | URS-30 | Reminders / escalation | Non-blocking | direct e-mail fallback |
| DEP-37-16 | URS-33 GMP batch disposition | URS-33 | EQ-006 disposition gate (closes §21 finding) | Blocking (consumer) | none |
| DEP-37-17 | URS-35 backup / restore / cold storage | URS-35 | Long-term archive | Blocking for PQ | DR drill |
| DEP-37-18 | Configuration specification (interval matrices) | this module | Qualification / calibration / PM defaults | Blocking for OQ | author before validation; `Implementation detail Unknown — evidence required` |

---

## 19. Completeness Checklist

| Item | Yes / No | Evidence |
|---|---|---|
| Controlled-document metadata complete? | Yes | front matter |
| Greenfield / target-binding disclosure present? | Yes | front matter + §1 + §§5–6 headers |
| Approval block complete? | Yes (signatures pending) | Document Approval section |
| Version history complete? | Yes | Version History |
| Glossary complete? | Yes | §0.6 |
| Scope complete? | Yes | §2 |
| Closed decisions registered? | Yes | §2.3 (DEC-37-01..17) |
| Roles and permissions complete? | Yes | §3 |
| User journeys complete? | Yes | §4 (24 journeys) |
| Front-end complete? | Yes (target) | §5 |
| Backend complete? | Yes (target) | §6 |
| Data model complete? | Yes (target) | §6.2 |
| APIs complete? | Yes (target) | §6.3 |
| Workflow / lifecycle complete? | Yes | §6.4 |
| Business rules complete? | Yes | §6.5 |
| Audit trail complete? | Yes | §6.6 |
| AI / Human-in-the-Loop complete? | Yes (no AI in critical path) | §8 |
| Reports complete? | Yes | §9 |
| Notifications complete? | Yes | §10 |
| Cross-module wiring complete? | Yes | §7 |
| Change-impact matrix complete? | Yes | §7.2 |
| Negative paths complete? | Yes | §11 |
| Security / privacy / tenant isolation complete? | Yes | §12 |
| ALCOA+ complete? | Yes | §13 |
| Regulatory mapping complete? | Yes | §14 |
| Predicate-rule applicability matrix complete? | Yes | §14.1 |
| Requirements register complete? | Yes | §15 |
| Acceptance tests complete? | Yes | §16 |
| Requirements-to-test traceability complete? | Yes | §16.4 |
| Validation evidence complete? | Yes | §17 |
| Supplier / service-provider qualification pack complete? | Yes | §17.1 |
| Decisions and dependencies registered? | Yes | §18.1, §18.2 |
| Final quality gate answered? | Yes | §20 |
| Items marked `Unknown — evidence required` surfaced? | Yes | §20 |

---

## 20. Final Module Output Quality Gate

**This is a greenfield module: no current Verixa code, UI, API, schema, or migration exists for it.** Every code-module / API / schema / table / endpoint reference in this document is a TARGET binding; no implementation evidence has been reviewed or claimed. **URS approval is separate from validation execution.** This document becomes "Approved Controlled URS — released for engineering implementation and validation planning" upon signature capture in the Document Approval block; it becomes "Released for validation execution" only after URS-37-VAL-008 (Migration Evidence Gate), the §17 validation evidence pack, and the §17 configuration specification are satisfied.

**Status: `Draft — not validation-ready`.**

- **Specification ready for engineering review?** Yes (as a target-state design contract).
- **Specification ready for quality validation review?** Yes (validation cannot execute until implementation exists).
- **Specification ready for compliance review?** Yes — pointers to 21 CFR 211.63/67/68/160(b)(4)/165/192, EU GMP Annex 15, EU GMP Chapter 3/4, ICH Q7, 21 CFR Part 11, EU Annex 11, ICH Q9(R1), ISO/IEC 17025, USP <1058>, with EU Annex 22 marked draft and EU AI Act marked not applicable.
- **Specification ready for inspector / client review?** Yes (as a target-state design).
- **Specification ready for Founder approval?** Yes.
- **Items marked `Implementation detail Unknown — evidence required`:** the qualification / calibration / PM interval matrices (DEC-37-03/04/05/06); the requalification grace-window default (§6.4); the escalation ladder beyond QA lead (DEC-37-10); the small-tenant compensating-control configuration for `EQUIPMENT_OWNER_NEQ_METROLOGY_LEAD` (§3.4); the periodic-access-review cadence (§12.7); whether the module is implemented as one module or three (front matter); various exact column types (§6.2).
- **Items marked `Performance threshold Unknown — evidence required`:** EQ-006 gate p95 response time (AC-37-PERF-01); all PQ throughput targets (§6.4 / §17).
- **Items marked `Conclusion fact-dependent — jurisdiction required`:** India equipment / calibration clause applicability (RG-37-020).
- **Blocking gaps?** Implementation does not exist (greenfield) — all of §§5–6 require build before any requirement can be marked verified. The configuration specification (interval matrices) must be authored before OQ. The new `engineering_metrology_authority` Authority Profile must be added to the URS-05 catalogue.
- **Two-step release path:**
  1. **Approved Controlled URS — released for engineering implementation and validation planning.** Reached upon signature capture.
  2. **Released for validation execution.** Reached after URS-37-VAL-008, the §17 evidence pack, and the configuration specification are complete and the module is implemented.

---

## Appendix A — Equipment Lifecycle & Gate Composite

```mermaid
flowchart TD
  A([Equipment owner registers asset]) --> B[EQUIPMENT_REGISTERED state registered]
  B --> C[Equipment owner initiates qualification]
  C --> D[state in_qualification; IQ/OQ/PQ executed; protocols/reports to URS-12]
  D --> E{Critical asset per DEC-37-13?}
  E -- yes --> F[validation_approver + final_quality_approver + executive authority co-sign with MFA]
  E -- no --> G[validation_approver + final_quality_approver co-sign independent of registrar]
  F --> H[EQUIPMENT_QUALIFIED state qualified/in_service]
  G --> H
  H --> I[Calibration + PM schedules activated]
  I --> J[Asset in service; EQ-006 returns available]
  J --> K{Calibration / PM event?}
  K -- pass calibration --> L[next_due advances; remains available]
  L --> J
  K -- fail / lapse calibration --> M[set out_of_calibration; EQ-006 not-available]
  K -- PM overdue / open WO --> N[set under_maintenance / overdue_pm; EQ-006 not-available]
  M --> O[Auto impact assessment + deviation URS-16; suspect window; flag batches URS-23; link OOS URS-15]
  N --> O
  O --> P[Impact closed by metrology_lead + final_quality_approver independent of calibrator]
  P --> Q[Re-calibrate / verify PM; modifier clears; EQ-006 available]
  Q --> J
  J --> R{Lifecycle event?}
  R -- requalification due --> S{On time?}
  S -- yes --> T[EQUIPMENT_REQUALIFIED]
  T --> J
  S -- no beyond grace --> U[EQUIPMENT_REQUALIFICATION_MISSED; out-of-service; regulatory_concern]
  R -- withdraw --> V[EQUIPMENT_TAKEN_OUT_OF_SERVICE state out_of_service]
  V --> W{Resolved?}
  W -- yes --> X[EQUIPMENT_RETURNED_TO_SERVICE incl executive authority for regulatory-concern critical]
  X --> J
  W -- no / decommission --> Y[EQUIPMENT_RETIRED state retired; history preserved]
  J --> Z[URS-33 disposition / URS-23/24/25 point-of-use call EQ-006 with pinned snapshot]
  Z --> AA{EQ-006 available at T?}
  AA -- no --> AB[Consuming module blocks step/disposition; surfaces deviation link]
  AA -- yes --> AC[Step / disposition proceeds]
```
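The gate and impact-closure branches of the flowchart above, as an added Python sketch. It is not Verixa code (none exists for this module), and every class, function and identifier name in it is hypothetical. Assumptions: `qualified/in_service` is modelled as two accepted state values, any modifier blocks the gate, and the two closing signers are not required to be different people because the flowchart does not say so.

```python
from dataclasses import dataclass, replace

# Hypothetical names throughout; states, modifiers and roles are taken from the
# Appendix A flowchart. Assumption: "qualified/in_service" is modelled as two
# accepted state values.
AVAILABLE_STATES = frozenset({"qualified", "in_service"})
CLOSER_ROLES = ("metrology_lead", "final_quality_approver")


@dataclass(frozen=True)
class Snapshot:
    """Pinned view of one asset at time T, as passed by a consuming module."""
    asset_id: str
    state: str
    modifiers: frozenset = frozenset()
    calibrator: str = ""  # user who recorded the failed or lapsed calibration


def eq006_available(snap):
    """Fail closed: only a known in-service state with no modifier passes."""
    if snap.state not in AVAILABLE_STATES:
        return False, f"state={snap.state}"
    if snap.modifiers:
        return False, "modifiers=" + ",".join(sorted(snap.modifiers))
    return True, "available"


def clear_modifier(snap, modifier, signers, reverified):
    """Clear one modifier after impact closure and re-calibration / PM check.

    signers maps role -> user id. Both closer roles must sign and neither
    signer may be the calibrator (independence rule from the flowchart).
    """
    missing = [r for r in CLOSER_ROLES if not signers.get(r)]
    if missing:
        raise PermissionError("missing sign-off: " + ", ".join(missing))
    if snap.calibrator in (signers[r] for r in CLOSER_ROLES):
        raise PermissionError("impact closer is not independent of calibrator")
    if not reverified:
        raise ValueError("re-calibration / PM verification not recorded")
    return replace(snap, modifiers=snap.modifiers - {modifier})


# Constructed sample: a balance that failed calibration, recorded by "u-cal".
failed = Snapshot("BAL-001", "in_service", frozenset({"out_of_calibration"}), "u-cal")
```

Because snapshots are immutable, a consuming module that pinned `failed` at time T keeps seeing not-available even after a later clearance produces a new snapshot.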

— End of Module 37 User Requirements Specification —
