V&V Pass: 27 Trace Gaps Closed, SIL-3 DAC Architecture Gap Surfaced
System
Pharmaceutical Manufacturing Line, {{entity:Process Analytical Technology Subsystem}} and {{entity:Manufacturing Execution System}} focus. 126 requirements, 139 trace links, 6 documents at the close of this pass. Project entered the pass in qc-reviewed state with quality gate blockers: 4 orphans, requirement count 122 against the 200 target, 15 high-severity lint findings, 6 ambiguous requirements.
Verification Audit
All 43 {{entity:Verification Requirements}} were reviewed. Quality is high: requirements from sessions 555–560 follow the EARS pattern with quantified acceptance criteria, test setup, procedure, and binary pass/fail criteria. Standout examples:
- {{sub:VER-REQ-002}}: valve actuation pneumatic solenoid test at 5–7 bar, 10 consecutive actuations, spring-return verified — adequate SIL-3 H-004 evidence.
- {{sub:VER-REQ-009}}: end-to-end PAT-to-diversion chain latency measured across all four hops (spectrometer → CQA model → OPC-UA alarm → MES → valve), 3 consecutive runs — definitive SIL-3 safety case evidence.
- {{sub:VER-REQ-040}}: PAT-unavailable blend supervisory gate, negative test (block without authorisation) included — correct H-004 degraded-mode verification.
One weakness: {{sub:VER-REQ-013}} had a generic rationale. Updated to state that latency above 5 seconds on the G&B-to-PAT NIR interface produces stale LOD values and may cause false blend-endpoint signals, releasing under-dried granulate.
Critical gap found: 27 of 43 VER requirements (VER-REQ-001 through VER-REQ-027) had no trace links. Each named its target requirements in its text but had no formal entry in the verifies linkset, so the tool-level trace (and the quality gate) could not see the coverage. All 27 links were created, establishing the {{trait:System-Essential}} verification path for every PAT, MES, and G&B requirement.
Scenario Validation
Scenario 1 (Normal Production Campaign): Covered. {{stk:STK-REQ-001}} → {{sys:SYS-REQ-001}} → G&B subsystem requirements → VER chain complete for PAT monitoring and EBR. Minor gap: no end-to-end throughput system test across all five process stages.
Scenario 2 (PAT Sensor Drift): Covered. {{stk:STK-REQ-009}} → {{sys:SYS-REQ-009}} → {{sub:SUB-REQ-024}} → {{sub:VER-REQ-023}}/{{sub:VER-REQ-022}}/{{sub:VER-REQ-040}}. Quantified degraded-mode thresholds and supervisory gate are all tested. Adequate.
Scenario 3 (Containment Breach Emergency Stop): Gap. {{stk:STK-REQ-005}} → {{sys:SYS-REQ-005}} had no VER entry and no SUB derivations. {{sys:SYS-REQ-005}} specifies 3-second drive de-energisation, 5-second valve closure, and 10-second standstill — these timing thresholds are SIL-2 safety case evidence for H-001 and H-003. New {{sub:VER-REQ-044}} created: three activation paths (operator E-stop, automatic interlock, software-initiated), three consecutive runs per path, calibrated high-speed timer measurement.
Scenario 4 (Tablet Press Mechanical Jam): Covered. {{stk:STK-REQ-012}} → {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-027}}/{{sub:SUB-REQ-012}}/{{sub:SUB-REQ-011}} → {{sub:VER-REQ-024}}/{{sub:VER-REQ-037}}/{{sub:VER-REQ-007}}. LOTO chain complete with guard-door stop-time statistics.
Scenario 5 (Cytotoxic Changeover): Gap. {{stk:STK-REQ-007}} → {{sys:SYS-REQ-008}} had no VER entry and no SUB derivations. MES workflow guidance and electronic sign-off gate were unverified. New {{sub:VER-REQ-046}} created: full cytotoxic-to-standard changeover demonstration with swab sampling at 15 locations, MES production-start blocking pending all signatures, and elapsed time logged in EBR.
Mode Coverage
All six operating modes checked. Critical mode gap: Changeover/Cleaning mode had no requirements directly covering MES-guided workflow entry, execution, or exit — now addressed by {{sub:VER-REQ-046}}.
Cleanroom environmental response: {{sys:SYS-REQ-006}} (60-second alarm, 120-second halt) was only partially tested; the {{ifc:IFC-REQ-016}} interface test covers pressure differential alone. New {{sub:VER-REQ-045}} created covering temperature and humidity exceedances, so all three parameter types are now tested.
Safety Argument
H-001 through H-007 walked against the requirement chains:
| Hazard | SIL | Chain Status |
|---|---|---|
| H-001 Potent compound exposure | 2 | Partial — E-stop chain added; HVAC exhaust mode activation not explicitly tested |
| H-002 Cross-contamination | 3 | Partial — VER-REQ-046 closes changeover gap; swab acceptance limit not in quantified requirement |
| H-003 Dust explosion | 2 | Gap — no SYS/SUB/VER for LEL monitoring, N₂ inerting, explosion vents |
| H-004 OOS product via PAT failure | 3 | Covered — end-to-end chain test VER-REQ-009 is definitive evidence |
| H-005 Cleanroom environmental loss | 1 | Covered after VER-REQ-045 addition |
| H-006 EBR data integrity failure | 2 | Covered — hash chain, backup, paper fallback all tested |
| H-007 Mechanical entrapment | 2 | Covered — LOTO, guard interlock, 10-trial statistics |
Critical architectural finding for H-004: {{entity:Process Analytical Technology Subsystem}} (SIL-3) runs CQA model evaluation on a single DAC Workstation. Under IEC 61508-2 (Functional safety of E/E/PE safety-related systems, Part 2: hardware requirements) Route 1_H, Table 3 governs Type B elements, meaning complex hardware whose failure modes are not fully defined, which is what a general-purpose workstation running a CQA model is. That table allows a SIL 3 claim at Hardware Fault Tolerance 0 only when the safe failure fraction is at least 99%; between 90% and 99% SFF the claim needs HFT ≥ 1, and below 90% SFF even HFT 1 caps the claim at SIL 2. A single-channel workstation will not demonstrate 99% SFF, so software quality alone cannot carry the SIL-3 claim. New {{sub:SUB-REQ-031}} added requiring a hot-standby DAC Workstation with 5-second failover. Its paired verification should also show that the diagnostics which trigger failover keep the pair's SFF at 90% or better, and that the 5-second failover plus the chain latency measured in VER-REQ-009 stays within the process safety time of the diversion function; otherwise the second channel does not buy the SIL.
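The constraint this finding rests on, worked through as an added example (not the project's tooling and not an excerpt of the standard): the block computes a channel's safe failure fraction from its failure-rate split and looks up the Route 1_H ceiling for a Type A or Type B element at each HFT. The two DAC Workstation failure-rate splits are constructed, and they illustrate the caveat that matters for SUB-REQ-031: a hot standby gives HFT 1, but that only lifts a Type B element to SIL 3 if its diagnostics hold the SFF at 90% or better.

```python
"""IEC 61508-2 Route 1_H architectural constraint check (added example, not the
project's tooling and not an IEC artefact). Computes SFF from a channel's
failure-rate split and the maximum SIL claimable at a given HFT; the failure
rates for the DAC Workstation cases are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# IEC 61508-2:2010 Route 1_H. Key: SFF band; value: max SIL at HFT 0, 1, 2.
# 0 means the combination is not allowed. Table 2 = Type A, Table 3 = Type B.
TYPE_A = {"<60%": (1, 2, 3), "60-90%": (2, 3, 4), "90-99%": (3, 4, 4), ">=99%": (3, 4, 4)}
TYPE_B = {"<60%": (0, 1, 2), "60-90%": (1, 2, 3), "90-99%": (2, 3, 4), ">=99%": (3, 4, 4)}
TABLES = {"A": TYPE_A, "B": TYPE_B}


@dataclass(frozen=True)
class FailureRates:
    """Per-channel failure rates in FIT (failures per 1e9 h); integers keep the SFF exact."""
    safe: int                  # lambda_S: safe failures, detected or not
    dangerous_detected: int    # lambda_DD: dangerous but revealed by diagnostics
    dangerous_undetected: int  # lambda_DU: dangerous and hidden until proof test


def safe_failure_fraction(fr: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU), IEC 61508-2 Annex C."""
    total = fr.safe + fr.dangerous_detected + fr.dangerous_undetected
    return (fr.safe + fr.dangerous_detected) / total


def sff_band(sff: float) -> str:
    """Map an SFF to the row of Tables 2/3 it falls in."""
    if sff < 0.60:
        return "<60%"
    if sff < 0.90:
        return "60-90%"
    if sff < 0.99:
        return "90-99%"
    return ">=99%"


def max_sil(element_type: str, sff: float, hft: int) -> int:
    """Highest SIL the element may claim under Route 1_H; 0 means not allowed."""
    return TABLES[element_type][sff_band(sff)][min(hft, 2)]


def required_hft(element_type: str, sff: float, target_sil: int) -> Optional[int]:
    """Smallest HFT that reaches target_sil, or None if Route 1_H cannot get there."""
    for hft in range(3):
        if max_sil(element_type, sff, hft) >= target_sil:
            return hft
    return None


def assess(element_type: str, fr: FailureRates, target_sil: int) -> dict:
    """Summarise one channel design: SFF, single-channel ceiling, HFT needed for the target."""
    sff = safe_failure_fraction(fr)
    return {
        "sff": sff,
        "single_channel_max_sil": max_sil(element_type, sff, 0),
        "hft_for_target": required_hft(element_type, sff, target_sil),
    }


# Constructed DAC Workstation cases. Type B: complex hardware, failure modes not fully defined.
# Case 1: strong diagnostics, SFF 90%. Single channel caps at SIL 2; a hot standby (HFT 1) reaches SIL 3.
WELL_DIAGNOSED = FailureRates(safe=400, dangerous_detected=500, dangerous_undetected=100)
# Case 2: weak diagnostics, SFF ~67%. A hot-standby pair (HFT 1) still stops at SIL 2; SIL 3 needs HFT 2.
POORLY_DIAGNOSED = FailureRates(safe=200, dangerous_detected=200, dangerous_undetected=200)

if __name__ == "__main__":
    for name, fr in (("well diagnosed", WELL_DIAGNOSED), ("poorly diagnosed", POORLY_DIAGNOSED)):
        print(name, assess("B", fr, target_sil=3))
```

This covers the hardware architectural constraint only. Route 2_H (prior-use data) and the systematic capability of the software are separate arguments, and the whole PAT-to-diversion function is limited by its weakest element, so the spectrometer, OPC-UA path and valve need the same treatment before the SIL-3 claim stands.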
Cross-Domain Findings
Semantic search for real-time spectroscopic safety-critical monitoring returned the STEP Fusion Reactor Real-Time Plasma Controller ({{hex:51F77208}}, Jaccard 74% with PAT subsystem concepts). That system uses dual-redundant SIL-3 control at 1 kHz — directly analogous to the DAC Workstation function. The analogy confirmed the H-004 architectural gap and prompted {{sub:SUB-REQ-031}}.
Surgical Robot Joint Force Monitor ({{hex:57a4afa0}}) provided confirmation that the 200 ms ejection response in VER-REQ-041 is consistent with published force-threshold safety architectures.
Gaps Closed
| Item | Action | Impact |
|---|---|---|
| 27 missing VER trace links | Created | All VER-REQ-001..027 now formally linked to their target SUB/IFC requirements |
| VER-REQ-044 (E-stop) | Created | {{sys:SYS-REQ-005}} now has VER coverage |
| VER-REQ-045 (cleanroom) | Created | {{sys:SYS-REQ-006}} all-parameter coverage |
| VER-REQ-046 (changeover) | Created | {{sys:SYS-REQ-008}} Scenario 5 qualification evidence |
| SUB-REQ-031 (PAT SIL-3 HFT) | Created | IEC 61508 architectural gap for H-004 |
| ARC-REQ-001..004 reassigned + traced | Resolved | Orphan count: 4 → 0 |
| VER-REQ-013 rationale strengthened | Updated | Specificity improved |
Final state: 126 requirements, 139 trace links, 0 orphans (was 4). Quality gate blocker "orphans > 0" cleared; the reqCount blocker remains (see Next).
Verdict
Partial pass — advancing to next phase with noted residuals. Five of five ConOps scenarios have VER coverage after gap-closure. H-004, H-006, H-007 safety chains are complete and adequate. H-001, H-002, H-005 chains are substantially complete. H-003 (dust explosion) remains unaddressed and should be the first SUB-level requirement work in the next decomposition session. The SIL-3 HFT architecture gap ({{sub:SUB-REQ-031}}) requires an architecture decision update and a paired VER entry before the system can be considered formally verified.
```mermaid
flowchart TB
n0["Pharmaceutical Manufacturing Line"]
n9["Material Handling and Dispensing"]
n10["Granulation and Blending"]
n11["Tablet Compression"]
n12["Process Analytical Technology"]
n13["Film Coating"]
n14["Containment and Environmental Control"]
n15["Packaging and Serialisation"]
MES["Manufacturing Execution System"]
n0 --> n9
n0 --> n10
n0 --> n11
n0 --> n12
n0 --> n13
n0 --> n14
n0 --> n15
n0 --> MES
n9 -->|weighed API and excipients| n10
n10 -->|dried granulate| n11
n11 -->|tablet cores| n13
n13 -->|coated tablets| n15
n10 -->|NIR/Raman in-process| n12
n14 -->|conditioned air and pressure| n10
n12 -->|CQA alarm OPC-UA| MES
MES -->|recipe setpoints| n10
MES -->|LOTO registry| n11
```
Next
Priority: (1) Create SUB requirements for H-003 dust explosion: LEL monitoring, nitrogen inerting activation, and explosion vent requirements in the tablet compression and granulation containment housings; (2) Create the VER requirement for {{sub:SUB-REQ-031}}, the PAT hot-standby failover test; (3) Update ARC-REQ-001 to document the DAC Workstation dual-redundancy decision; (4) Address the remaining quality gate blockers: reqCount (126 vs 200 target) needs about 74 new requirements, primarily covering Startup/Qualification mode, Emergency Stop subsystem decomposition, and the serialisation packaging subsystem.