Healthcare · D2 · Regional Medical Center · Anonymized — Real Engagement

D2 — Governance Design Specification

This specification translates the five governance gaps identified in D1 into configuration-ready rules, authority structures, and integration designs. Engineering loads directly from this document — no translation layer. 5 governance rules · 7 authority roles · 10 signal normalization specs · SHA-256 receipt chain · 6 system integrations.

📄 D2 Deliverable — Governance Design Specification · Engagement ENG-001 · PDIO Phase 2 of 4

Signal Normalization Rules

Environmental Signals

| ID | Signal | Source | Raw Format | Normalized | Calibration | Failover |
|---|---|---|---|---|---|---|
| CC-004 | Clean Room Differential Pressure | BMS pressure sensor | Pascals (continuous) | 0–100 (100 = ≥2.5 Pa) | Every 6 months | Alert on sensor dropout; lock room to restricted access |
| CC-005 | Indoor PM2.5 (Oncology Unit) | Laser scattering sensor | μg/m³ (every 5 min) | 0–100 (100 = 0 μg/m³) | Monthly | Fall back to HVAC auto-recirculation; alert Facility Ops |

Human Signals

| ID | Signal | Source | Raw Format | Normalized | Calibration | Failover |
|---|---|---|---|---|---|---|
| CC-001 | Absolute Neutrophil Count (ANC) | EHR FHIR (DiagnosticReport) | cells/μL | 0–100 (100 = ≥1500) | Per lab draw | Last known value + time-decay flag |

External Intelligence Signals

| ID | Signal | Source | Raw Format | Normalized | Calibration | Failover |
|---|---|---|---|---|---|---|
| CC-006 | Outdoor AQI | EPA AirNow API | AQI integer | 0–100 (100 = AQI 0) | Hourly | Cache last reading; escalate if stale >4 hours |
| CC-007 | UV Index | EPA/NWS UV Index API | UV Index 0–11+ | 0–100 (100 = UV 0) | Daily forecast | Use previous day's reading |
| CC-008 | Respiratory Virus Activity | CDC Wastewater Surveillance | Relative activity level | 0–100 (100 = minimal) | Weekly | Use previous week; flag staleness |
| CC-009 | Wildfire Proximity | NASA FIRMS (Earthdata) | Lat/lon + FRP | 0–100 (100 = no fire <100mi) | 12-hour satellite pass | Flag no-data window; raise alert threshold |
| CC-010 | Weather Alerts | NOAA/NWS Alerts API | CAP XML | Binary (alert/no alert) | Real-time | Cache last; escalate if API unreachable >1hr |

Genomics Signals

| ID | Signal | Source | Raw Format | Normalized | Calibration | Failover |
|---|---|---|---|---|---|---|
| CC-002 | DPYD Genotype | Molecular Lab + CPIC API | Allele designation | Categorical (normal/intermediate/poor) | Once (germline) | BLOCK all fluoropyrimidine orders if genotype unavailable |
| CC-003 | Tumor Mutation Panel | Molecular Pathology + ClinVar | VCF / PDF | Categorical (actionable/VUS/benign) | Per specimen | Flag as 'genomics pending' in treatment eligibility check |

Governance Rules

GOV-001

Chemotherapy Dosing Governance

NON-NEGOTIABLE

Trigger Condition

DPYD genotype result available AND fluoropyrimidine order placed

Trigger Signal(s)

CC-002 (DPYD Genotype)

Threshold

ANY variant other than normal metabolizer (*1/*1)

Primary Authority

AUTH-001: Pharmacogenomics Specialist

Escalation Authority

AUTH-002: Oncology Pharmacist

Response Window

Immediate — < 5 minutes

Action

Poor metabolizer → BLOCK order + require 50% dose reduction. Intermediate → FLAG + recommend reduced dose. Normal → PASS with receipt.

Regulatory Basis

FDA Black Box Warning (fluorouracil/capecitabine), CPIC Guideline for DPYD, CMS CoP §482.25

Judge Criteria
  1. Is DPYD genotype confirmed (not pending)?
  2. Does the allele match CPIC poor/intermediate classification?
  3. Is the dose reduction ≥50% for poor metabolizers?
  4. Was the Pharmacogenomics Specialist the signer?

GOV-002

Immunocompromised Patient Environment

Trigger Condition

ANC < 500 cells/μL AND (clean room pressure < 1.0 Pa OR indoor PM2.5 > 35.5 μg/m³)

Trigger Signal(s)

CC-001 (ANC) + CC-004 (Pressure) + CC-005 (PM2.5)

Threshold

ANC < 500 AND pressure < 1.0 Pa, or ANC < 500 AND PM2.5 > 35.5

Primary Authority

AUTH-003: Infection Preventionist

Escalation Authority

AUTH-004: Environmental Services Manager

Response Window

30 minutes

Action

Initiate emergency HEPA protocol, restrict visitor access, notify nursing, log environmental snapshot.

Regulatory Basis

Joint Commission EC.02.06.01 (Environment of Care), CMS CoP §482.42 (Infection Prevention)

Judge Criteria
  1. Is ANC confirmed < 500 (not estimated)?
  2. Is the environmental reading from the correct room/zone?
  3. Is the response proportionate (HEPA + restriction, not just notification)?

GOV-003

Treatment Eligibility Governance

Trigger Condition

Tumor mutation panel results available AND treatment decision pending

Trigger Signal(s)

CC-003 (Tumor Mutation Panel)

Threshold

Actionable mutation detected (BRCA1/2, EGFR, KRAS, HER2, ALK, ROS1, BRAF, MSI-H)

Primary Authority

AUTH-005: Molecular Tumor Board Coordinator

Escalation Authority

AUTH-001: Pharmacogenomics Specialist

Response Window

Pre-tumor-board (≥24 hours before scheduled review)

Action

Cross-reference mutation against ClinVar/COSMIC eligibility table. Flag contraindicated therapies. Route to tumor board with structured recommendation.

Regulatory Basis

CMS CoP §482.43(c)(1) (Medical Staff — Clinical Privileges), NCCN Biomarker Compendium

Judge Criteria
  1. Is the mutation classified as actionable (not VUS)?
  2. Does the therapy recommendation match NCCN/FDA approvals for the specific mutation?
  3. Are contraindicated therapies explicitly listed?

GOV-004

Wildfire Smoke Response

Trigger Condition

Indoor PM2.5 > 35.5 μg/m³ OR outdoor AQI > 150 OR NASA FIRMS fire within 50 miles

Trigger Signal(s)

CC-005 (Indoor PM2.5) + CC-006 (AQI) + CC-009 (NASA FIRMS)

Threshold

PM2.5 > 35.5, or AQI > 150, or active fire < 50 mi

Primary Authority

AUTH-004: Facility Operations Manager

Escalation Authority

AUTH-006: Safety Officer

Response Window

15 minutes

Action

Activate HVAC recirculation, issue patient advisory for immunocompromised units, notify Facility Operations.

Regulatory Basis

OSHA Indoor Air Quality Standards, TJC EC.02.06.01

Judge Criteria
  1. Are environmental readings corroborated across ≥2 sources?
  2. Is the HVAC action proportionate to severity?
  3. Were immunocompromised units prioritized?

GOV-005

Hereditary Cancer Screening Governance

Trigger Condition

Positive BRCA1/2, Lynch syndrome, or other hereditary cancer germline variant

Trigger Signal(s)

CC-002 (germline panel) + CC-003 (hereditary screening result)

Threshold

Pathogenic or likely pathogenic variant detected

Primary Authority

AUTH-007: Genetic Counselor

Escalation Authority

AUTH-005: Molecular Tumor Board Coordinator

Response Window

48 hours

Action

Schedule genetic counseling within 48 hours. Assign risk-reducing screening protocol per NCCN guidelines. Notify primary oncologist and navigator.

Regulatory Basis

NCCN Genetic/Familial High-Risk Assessment Guidelines, ACMG Practice Guidelines

Judge Criteria
  1. Is the variant classified pathogenic/likely pathogenic (not VUS)?
  2. Was counseling scheduled within 48 hours?
  3. Does the screening protocol match the NCCN recommendation for the specific gene?

Decision Routing Map

Signal Trigger → ERI/LPRM Score → Confidence Check
                                      │
                           ≥ 0.70 → ATLAS Brain Recommendation
                                      │
                                  LLM-as-a-Judge Evaluation
                                      │
                              Pass → Route to Primary Authority
                              Fail → Block + Log + Escalate
                                      │
                              Authority Decision → Seal Receipt (SHA-256)
                                      │
                              Response Window Exceeded → Auto-Escalate

Routing Table

| Rule | Primary Authority | Escalation | Response Window | Auto-Escalation |
|---|---|---|---|---|
| GOV-001 | AUTH-001: PGx Specialist | AUTH-002: Oncology Pharmacist | < 5 min | Yes — at 5 min |
| GOV-002 | AUTH-003: Infection Preventionist | AUTH-004: Env Services Manager | 30 min | Yes — at 30 min |
| GOV-003 | AUTH-005: Tumor Board Coordinator | AUTH-001: PGx Specialist | Pre-tumor-board | Yes — 2 hrs before board |
| GOV-004 | AUTH-004: Facility Ops Manager | AUTH-006: Safety Officer | 15 min | Yes — at 15 min |
| GOV-005 | AUTH-007: Genetic Counselor | AUTH-005: Tumor Board Coordinator | 48 hrs | Yes — at 48 hrs |

Receipt Specification

Receipt Template

═══════════════════════════════════════════════════════════
  ATLAS GOVERNANCE RECEIPT
═══════════════════════════════════════════════════════════
  DECISION ID:     GR-{YYYYMMDD}-{FACILITY}-{SEQ}
  TIMESTAMP:       {UTC ISO 8601}
  FACILITY:        Regional Medical Center — {Unit/Zone}
  TRIGGER:         {GOV-XXX: Rule Name}
  RISK SCORE:      {ERI/LPRM value} ({risk_type})
  CONFIDENCE:      {0.XX}
  JUDGE RESULT:    {PASSED / BLOCKED — reason}
  RECOMMENDATION:  {ATLAS Brain recommendation text}
  AUTHORITY:       {AUTH-XXX: Role — Title}
  HUMAN ACTION:    {What the authority decided}
  RATIONALE:       {Authority's stated reason}
  SHA-256 HASH:    {computed from all fields above}
  RECEIPT CHAIN:   {SHA-256 of previous receipt}
  PATENT REF:      TPP96862
  STATUS:          SEALED
═══════════════════════════════════════════════════════════

Receipt Integrity Rules

  1. No field may be modified after STATUS = SEALED
  2. SHA-256 is computed over all fields in deterministic order (Decision ID through Patent Ref)
  3. Receipt chain links to the immediately prior receipt's hash — genesis receipt uses GENESIS-{facility_id}
  4. Chain break = integrity violation → automatic escalation to CISO-CIO
  5. All receipts are immutable and auditable by the client's compliance team
  6. Receipts are stored in both Cromtec's governance ledger and the client's audit system
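
A sketch of how rules 1 through 4 can be sealed and audited, added here as an example and not taken from ATLAS or Cromtec code. It assumes a JSON array of name/value pairs as the deterministic serialization and includes RECEIPT CHAIN in the hash input (following rule 2 rather than the template's "all fields above"), so that re-hashing an edited receipt breaks the next link; the facility id `RMC` and all receipt values are constructed.

```python
import hashlib
import json

# Field order from the receipt template. SHA-256 HASH cannot cover itself;
# including RECEIPT CHAIN in the hash input is an assumption of this example.
HASHED_FIELDS = [
    "DECISION ID", "TIMESTAMP", "FACILITY", "TRIGGER", "RISK SCORE",
    "CONFIDENCE", "JUDGE RESULT", "RECOMMENDATION", "AUTHORITY",
    "HUMAN ACTION", "RATIONALE", "RECEIPT CHAIN", "PATENT REF",
]

def receipt_digest(receipt):
    # JSON array of [name, value] pairs: fixed order, unambiguous boundaries.
    pairs = [[name, receipt.get(name)] for name in HASHED_FIELDS]
    blob = json.dumps(pairs, ensure_ascii=False, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def seal(fields, prev_hash):
    receipt = {**fields, "RECEIPT CHAIN": prev_hash}
    receipt["SHA-256 HASH"] = receipt_digest(receipt)
    receipt["STATUS"] = "SEALED"
    return receipt

def verify_chain(receipts, facility_id):
    """Return (index, reason) per integrity violation; empty list if intact."""
    violations = []
    expected_prev = f"GENESIS-{facility_id}"  # rule 3: genesis link
    for i, r in enumerate(receipts):
        if r.get("STATUS") != "SEALED":
            violations.append((i, "not sealed"))
        if r.get("RECEIPT CHAIN") != expected_prev:
            violations.append((i, "chain break"))  # rule 4: escalate
        if receipt_digest(r) != r.get("SHA-256 HASH"):
            violations.append((i, "hash mismatch"))  # field edited after sealing
        expected_prev = r.get("SHA-256 HASH")
    return violations

def sample_chain(facility_id="RMC"):
    # Constructed sample receipts, not data from the engagement.
    prev, chain = f"GENESIS-{facility_id}", []
    for seq, action in enumerate(["BLOCK order", "FLAG order", "PASS order"], 1):
        fields = dict.fromkeys(HASHED_FIELDS, "constructed")
        fields.update({"DECISION ID": f"GR-20250101-{facility_id}-{seq:04d}",
                       "TRIGGER": "GOV-001: Chemotherapy Dosing Governance",
                       "HUMAN ACTION": action, "PATENT REF": "TPP96862"})
        chain.append(seal(fields, prev))
        prev = chain[-1]["SHA-256 HASH"]
    return chain
```

An edit to a sealed receipt surfaces as a hash mismatch on that receipt; if the editor also recomputes its hash, the violation moves to a chain break on the following receipt, and a deleted receipt shows up the same way.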

Integration Architecture

| System | Direction | Protocol | Data Exchanged | Authentication | PHI Handling |
|---|---|---|---|---|---|
| EHR (FHIR R4) | Inbound | HL7 FHIR R4 | Vitals, labs, meds, allergies, dx, care plans | OAuth 2.0 (SMART on FHIR) | De-identified before LLM; raw stays in EHR |
| CPIC API | Inbound | REST (HTTPS) | DPYD/PGx dosing guidelines | API key | No PHI — reference data only |
| ClinVar/COSMIC | Inbound | REST (HTTPS) | Variant classifications, treatment eligibility | API key | No PHI — reference data only |
| EPA AirNow | Inbound | REST (HTTPS) | AQI readings | API key (free) | No PHI |
| NASA FIRMS | Inbound | REST (HTTPS) | Active fire locations + FRP | Earthdata token (DN-2469) | No PHI |
| CDC Wastewater | Inbound | REST (HTTPS) | Pathogen surveillance by county | Public (no key) | No PHI |
| Client Audit System | Outbound | REST/sFTP | Sealed governance receipts | Client-issued cert | Receipts contain de-identified data only |

Security Architecture

Data at rest: AES-256 encryption
Data in transit: TLS 1.3
Sovereign data: W3C Solid protocol — client data stays in client-controlled pod
Access control: RBAC per authority matrix (validated in VAL-008)
PHI handling: De-identified before LLM processing; original PHI never leaves client infrastructure
Audit logging: All access attempts logged, including denied attempts

D2 → Engineering Handoff

This specification is configuration-ready. Engineering loads directly from this document:

  1. Signal normalization rules → sensor configuration + calibration schedules
  2. Governance rules (GOV-001–005) → rule engine configuration + trigger definitions
  3. Authority matrix (AUTH-001–007) → RBAC + routing + escalation configuration
  4. Receipt specification → receipt service + chain-linking hash + deterministic field ordering
  5. Integration architecture → connector configuration + auth provisioning
  6. Judge criteria per rule → Judge prompt configuration (one prompt per governance rule)

No translation layer between D2 and ATLAS configuration. Any ambiguity in this document is a defect.

Anonymized · Real Engagement · CROMTEC.AI · Patent TPP96862