PAT-MES Interface and Subsystem Requirements for CQA Diversion Path

System

{{entity:Pharmaceutical Manufacturing Line}} — continuing subsystem decomposition from the scaffold baseline (13 STK, 12 SYS, 8 subsystems identified). This session writes the first subsystem-level requirements, targeting the two highest-risk subsystems identified by the previous QC session: {{entity:Process Analytical Technology Subsystem}} (SIL 3, H-004) and {{entity:Manufacturing Execution System}} (SIL 2, H-006). The PAT-MES interface was prioritised first because the CQA diversion path — from sensor acquisition through model evaluation, diversion actuation, and EBR recording — spans both subsystems and is the primary mitigation for {{hex:55F77A18}} hazard H-004 (out-of-specification product release).

Decomposition

Five interface requirements ({{ifc:IFC-REQ-001}} through {{ifc:IFC-REQ-005}}) define the PAT-MES boundary over OPC UA. The CQA alarm signal ({{ifc:IFC-REQ-001}}) has a 500 ms latency budget derived from the 2-second diversion window in {{sys:REQ-SEPHARMAMANUFACTURING-016}}: 500 ms for PAT-to-MES signalling, 1 second for MES acknowledgment and EBR annotation ({{ifc:IFC-REQ-003}}), leaving the remaining 500 ms for valve actuation. Sensor health reporting at 10-second intervals ({{ifc:IFC-REQ-002}}) gives MES three observations within the 30-second degraded-mode detection window from {{sys:REQ-SEPHARMAMANUFACTURING-022}}, so a single missed report does not by itself trigger degraded mode.

Seven PAT subsystem requirements cover NIR ({{sub:SUB-REQ-001}}), Raman ({{sub:SUB-REQ-002}}), and laser diffraction ({{sub:SUB-REQ-007}}) acquisition at 30-second intervals; CQA model evaluation with cryptographic integrity ({{sub:SUB-REQ-003}}); diversion valve actuation with position feedback ({{sub:SUB-REQ-004}}); sensor self-diagnostics with 15-second detection ({{sub:SUB-REQ-005}}); and degraded-mode operation with manual sampling ({{sub:SUB-REQ-006}}).

Eight MES requirements cover 21 CFR Part 11 electronic signatures ({{sub:SUB-REQ-008}}), tamper-evident audit trail ({{sub:SUB-REQ-009}}), SHA-256 hash chain integrity ({{sub:SUB-REQ-010}}), LOTO registry with restart prevention ({{sub:SUB-REQ-011}}), LOTO event logging ({{sub:SUB-REQ-012}}), batch genealogy ({{sub:SUB-REQ-013}}), EBR backup ({{sub:SUB-REQ-014}}), and paper backup switchover ({{sub:SUB-REQ-015}}).
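The tamper-evident audit trail ({{sub:SUB-REQ-009}}) and its SHA-256 hash chain ({{sub:SUB-REQ-010}}) are shown below as an added example; this is illustrative code written for this entry, not the MES vendor's implementation. The record layout, the genesis sentinel, and the three sample diversion-path records are constructed for the example. The point a verifier should take from it is that the chain only detects modification, deletion and reordering; truncation and a full rewrite by someone with write access are only caught because the head hash is anchored outside the trail.

```python
"""Hash-chained, tamper-evident audit trail.

Illustrative code, not the project's MES implementation.  Each record carries
the SHA-256 of the previous record, so editing, deleting or reordering any
record invalidates every hash after it.  The head hash must be anchored
outside the trail (signed, or stored on a separate system); without that, an
attacker with write access can recompute the whole chain after tampering.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record; a fixed sentinel by assumption


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the hash must not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditTrail:
    def __init__(self):
        self.records = []

    def append(self, ts_ms: int, actor: str, action: str, payload: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "ts_ms": ts_ms, "actor": actor,
               "action": action, "payload": payload, "prev_hash": prev}
        rec["hash"] = record_hash(rec)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: list, anchored_head: str) -> tuple:
    """Return (True, None) or (False, seq of the first record that fails).

    Checks each record's own hash, its link to the predecessor and its sequence
    number, then that the last hash equals the anchored head.  The final check is
    what catches truncation of the tail, where every surviving record is valid.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != record_hash(rec):
            return False, i
        prev = rec["hash"]
    if prev != anchored_head:
        return False, len(records)
    return True, None


def build_sample_trail() -> tuple:
    """Constructed CQA diversion-path records; returns (trail, anchored head)."""
    t = AuditTrail()
    t.append(1000, "PAT", "cqa_alarm", {"batch": "B-1", "cqa": "assay", "value": 106.0})
    t.append(1400, "MES", "diversion_ack", {"batch": "B-1", "valve": "DV-1", "state": "divert"})
    t.append(5000, "operator_7", "esign", {"batch": "B-1", "meaning": "deviation reviewed"})
    return t, t.head()


# Three tampering scenarios, each on a deep copy so the original trail stays intact.
def tamper_payload(records: list, seq: int, field: str, value) -> list:
    out = copy.deepcopy(records)
    out[seq]["payload"][field] = value
    return out


def delete_record(records: list, seq: int) -> list:
    out = copy.deepcopy(records)
    del out[seq]
    return out


def rewrite_chain(records: list) -> list:
    """What an attacker with write access does after tampering: recompute every hash."""
    out = copy.deepcopy(records)
    prev = GENESIS
    for rec in out:
        rec["prev_hash"] = prev
        rec["hash"] = record_hash(rec)
        prev = rec["hash"]
    return out
```

Verification with `verify_chain(records, head)` returns the sequence number of the first bad record, which is what an investigator needs; a rewritten chain verifies cleanly against its own head and fails only against the anchored one, which is the argument for storing that head on a system the MES account cannot write to.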

flowchart LR
  subgraph PAT["Process Analytical Technology"]
    NIR["NIR Spectrometer"]
    RAM["Raman Spectrometer"]
    LD["Laser Diffraction"]
    CQA["CQA Model Engine"]
    DV["Diversion Valve"]
    SD["Sensor Diagnostics"]
    NIR --> CQA
    RAM --> CQA
    LD --> CQA
    CQA -->|exceedance| DV
    SD -->|health status| CQA
  end
  subgraph MES["Manufacturing Execution System"]
    EBR["EBR Engine"]
    AT["Audit Trail"]
    LOTO["LOTO Registry"]
    BG["Batch Genealogy"]
    BK["Backup System"]
    EBR --> AT
    EBR --> BK
    LOTO --> EBR
    BG --> EBR
  end
  CQA -->|CQA alarm 500ms| EBR
  CQA -->|measurements 30s| BG
  SD -->|health 10s| EBR
  EBR -->|ack 1s| CQA
  EBR -->|mode command| SD

Analysis

The {{entity:PAT CQA Model Engine}} ({{hex:51A73318}}) shows strong {{trait:Processes Signals/Logic}} and {{trait:Functionally Autonomous}} traits. Cross-domain semantic search found a significant analog in a transport modelling domain: the Data Validation and Quality Assurance Engine ({{hex:51E73B08}}, similarity 0.76), which performs automated validation of incoming measurement data against trained models before allowing downstream processing. Both share the pattern of model-gated data flow where incorrect model output propagates silently — the key failure mode that H-004 addresses. The transport analog uses range checks and spatial consistency validation; the pharmaceutical analog uses chemometric model checksums and confidence scoring. This reinforces the design choice of including model version and confidence score in the CQA data stream ({{ifc:IFC-REQ-004}}).
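The model-gated data flow discussed above, together with the cryptographic integrity requirement on CQA model evaluation ({{sub:SUB-REQ-003}}) and the model version and confidence fields in the CQA stream ({{ifc:IFC-REQ-004}}), is shown below as an added example. It is illustrative code written for this entry, not the PAT vendor's engine. The model format (a small linear model), the pinned digest, the spec limits, the confidence formula and the trust threshold are all constructed assumptions; a real chemometric model would be larger but the gate in front of it is the same.

```python
"""CQA model engine with an integrity gate in front of evaluation.

Illustrative code, not the PAT vendor's implementation.  The model format,
coefficients, spec limits and thresholds below are constructed for the example.
A model whose bytes do not match the digest pinned for its approved version is
never evaluated, and every result carries the model version, digest and a
confidence score so that MES can record them and gate on them.
"""
import hashlib
import json
import math

# Assumed model format: calibration mean and one coefficient per wavelength channel.
APPROVED_MODEL = {
    "version": "assay-nir-3.2",
    "mean": [0.40, 0.55, 0.61, 0.48],
    "coef": [60.0, -20.0, 45.0, 30.0],
    "intercept": 100.0,
}
APPROVED_BYTES = json.dumps(APPROVED_MODEL, sort_keys=True).encode()
# Assumption: pinned digests live in validated configuration, not beside the model file.
PINNED_DIGESTS = {"assay-nir-3.2": hashlib.sha256(APPROVED_BYTES).hexdigest()}
SPEC = {"low": 95.0, "high": 105.0}  # constructed assay limits, % of label claim
MIN_CONFIDENCE = 0.5                 # constructed trust threshold


class ModelIntegrityError(Exception):
    def __init__(self, version: str, digest: str):
        super().__init__(f"model {version} digest {digest} is not pinned")
        self.version, self.digest = version, digest


def load_model(model_bytes: bytes, version: str) -> dict:
    """Return the parsed model only if its bytes hash to the digest pinned for `version`."""
    digest = hashlib.sha256(model_bytes).hexdigest()
    if PINNED_DIGESTS.get(version) != digest:
        raise ModelIntegrityError(version, digest)
    model = json.loads(model_bytes)
    if model.get("version") != version:  # file content must agree with the requested version
        raise ModelIntegrityError(version, digest)
    model["digest"] = digest
    return model


def evaluate(model: dict, spectrum: list, ts_ms: int) -> dict:
    """Predict the CQA and attach version, digest and confidence to the result."""
    centred = [x - m for x, m in zip(spectrum, model["mean"])]
    value = model["intercept"] + sum(c * d for c, d in zip(model["coef"], centred))
    # Confidence falls as the spectrum leaves the calibration region; this plain
    # distance stands in for the residual and leverage checks a PLS model would use.
    distance = math.sqrt(sum(d * d for d in centred))
    confidence = round(1.0 / (1.0 + 5.0 * distance), 3)
    return {
        "ts_ms": ts_ms,
        "cqa": "assay",
        "value": round(value, 2),
        "exceedance": not (SPEC["low"] <= value <= SPEC["high"]),
        "confidence": confidence,
        "trusted": confidence >= MIN_CONFIDENCE,
        "model_version": model["version"],
        "model_digest": model["digest"],
    }


def pat_cycle(model_bytes: bytes, version: str, spectrum: list, ts_ms: int) -> dict:
    """One acquisition cycle: gate, then evaluate; no value is ever emitted from an unverified model."""
    try:
        model = load_model(model_bytes, version)
    except ModelIntegrityError as err:
        return {"event": "degraded", "ts_ms": ts_ms, "reason": "model_integrity",
                "model_version": version, "model_digest": err.digest}
    return {"event": "cqa", **evaluate(model, spectrum, ts_ms)}


def mes_decision(msg: dict) -> str:
    """MES-side gating on the PAT message, ordered so that uncertainty never releases product."""
    if msg["event"] == "degraded":
        return "manual_sample"   # fall back to manual sampling rather than trust nothing
    if msg["exceedance"]:
        return "divert"          # fail safe even when confidence is low
    if not msg["trusted"]:
        return "manual_sample"   # an in-spec reading from an untrusted evaluation is not a release
    return "release"


def tampered_model_bytes() -> bytes:
    """Constructed attack: one coefficient zeroed, everything else serialised identically."""
    m = json.loads(APPROVED_BYTES)
    m["coef"][0] = 0.0
    return json.dumps(m, sort_keys=True).encode()
```

The ordering in `mes_decision` is the part worth checking in review: an exceedance diverts regardless of confidence, and a low-confidence in-spec result goes to manual sampling, so the only path to release is a trusted, in-spec evaluation from a model whose digest matched the pinned value.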

The {{entity:MES Electronic Batch Record Engine}} ({{hex:50A73B58}}) differs from the PAT engine primarily in the {{trait:Regulated}} and {{trait:Normative}} traits, reflecting its role as the regulatory compliance enforcement point rather than a signal processing component.

Requirements

Session produced 20 new requirements: 5 IFC, 7 PAT SUB, 8 MES SUB. Created 16 trace links connecting SYS requirements to their SUB and IFC derivations. Project totals: 45 requirements, 28 trace links, 4 diagrams, 3 baselines. Every requirement includes verification method and engineering rationale. SIL tags applied: SIL 3 on PAT diversion chain (H-004), SIL 2 on MES data integrity chain (H-006), SIL 2 on LOTO enforcement (H-007).

Next

Six subsystems remain without requirements: {{entity:Material Handling and Dispensing Subsystem}}, {{entity:Granulation and Blending Subsystem}}, {{entity:Tablet Compression Subsystem}}, {{entity:Film Coating Subsystem}}, {{entity:Containment and Environmental Control Subsystem}}, and {{entity:Packaging and Serialisation Subsystem}}. Priority should go to Containment and Environmental Control (SIL 2, H-001 airborne potent compound exposure, H-005 cleanroom control loss) and Tablet Compression (SIL 2, H-007 mechanical entrapment, direct interface with PAT diversion valve). The PAT-to-Tablet Compression interface for in-process rejection (SYS-025) is the next critical interface to specify.
