V&V Pass: All Hazard Chains Complete, reqCount Gate Cleared
System
Pharmaceutical Manufacturing Line (se-pharma-manufacturing), session 562. V-model validation pass (Flow D) on a project entering the qc-reviewed state. Entry state: 126 requirements, 4 quality gate blockers: reqCount 126 < 200, lintHigh 17, ambiguousReqs 6 > 3, silWithoutVer 1 > 0. Exit state: 200 requirements, silWithoutVer resolved, lintHigh reduced 17→11, 4 format-ambiguous VER reqs upgraded to full EARS standard.
Verification Audit
Ten VER requirements sampled (VER-REQ-001 through VER-REQ-010). Quality was high for the PAT and MES requirements from sessions 555–558: all specified test setup, quantified pass/fail criteria, and edge-case coverage. The weaker entries were four requirements added in session 556 using a short-form “Verify X: …” prefix — VER-REQ-024 through 027. These had QA scores of 57 and lacked the EARS framing required for unambiguous test specification. All four were rewritten to the full “The verification activity for X SHALL … Pass criterion: …” format with quantified thresholds and explicit repetition counts.
The critical silWithoutVer blocker was {{sub:SUB-REQ-031}}: the SIL-3 DAC Workstation hot-standby architecture requirement had only Analysis verification — no live failover test. VER-REQ-047 was created: a 3-trial failover test measuring standby assumption time (≤5 seconds), diversion state preservation, and valve hold-position throughout transition. IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 mandates Test, not Analysis, for hardware fault tolerance claims.
Coverage audit identified 13 {{sub:SUB-REQ-006}} to {{sub:SUB-REQ-035}} entries without VER. Eight new VER entries were created (SUB-REQ-006, 013, 017, 018, 019, 021, 023, 026) with quantified acceptance criteria — LOD by Karl Fischer titration, granule D90 by laser diffraction, mass balance closure ±0.5%, OEB 3 containment auto-halt within 10 seconds.
Scenario Validation
Five ConOps scenarios traced end-to-end:
Normal Production Campaign — COVERED. {{sys:SYS-REQ-001}} through {{sys:SYS-REQ-003}} cover throughput, EBR, and PAT; SUB decomposition through {{sub:SUB-REQ-026}}; VER chain to VER-REQ-046. The PAT calibration enforcement gate (new {{sys:SYS-REQ-018}}, VER-REQ-062) closes a gap: previously no requirement prevented real-time release when PAT instruments were out of calibration.
PAT Sensor Drift — COVERED. {{sys:SYS-REQ-009}} → {{sub:SUB-REQ-005}}/006/024 → VER-REQ-003/022/023/048 covers degraded-mode detection and sampling frequency escalation. New {{sub:SUB-REQ-047}} and VER formally block real-time release in degraded mode — a gap in the prior session that allowed theoretical RTR continuation under sensor-degraded conditions.
Containment Breach Emergency — COVERED. H-001 trace: {{sys:SYS-REQ-004}}/005 → {{sub:SUB-REQ-023}}/028/048/049 → VER-REQ-044/048/049. New {{sub:SUB-REQ-048}} adds quantified automated response (5-second valve closure, 15-second HVAC switch, 85 dB alarm), closing a gap where timing was implicitly assumed. Emergency Stop recovery gate ({{sub:SUB-REQ-045}}, VER-REQ-063) adds QA Manager sign-off and 30-minute environmental clearance as formal exit criteria.
Tablet Press Mechanical Jam — COVERED. H-007 trace: {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-027}}/029/046/052 → VER-REQ-024/037/042/063. New {{sub:SUB-REQ-052}} adds metal detection with 10-tablet pre/post rejection window — the scenario describes operators performing a precautionary check; this formalises it as an automated function. {{sys:SYS-REQ-021}} (shift handover EBR gate) addresses the night-shift context of this scenario, ensuring deviations are documented before the next shift proceeds.
Product Changeover Cytotoxic to Standard — COVERED. H-002 trace: {{sys:SYS-REQ-008}}/020 → {{sub:SUB-REQ-050}}/051 → VER-REQ-046/069/070. {{sub:SUB-REQ-050}} automates quarantine on cleaning validation failure (the scenario explicitly describes a location 7 failure), removing reliance on operator memory. {{sub:SUB-REQ-051}} formalises the two-person API dispensing check as an EBR workflow gate.
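The verification audit above turns on two mechanical checks: the silWithoutVer gate (a SIL-rated requirement whose only verification is Analysis does not clear it, since IEC 61508 SIL-3 fault tolerance claims need Test evidence) and the STK → SYS → SUB → VER chain walk used for each ConOps scenario. The script below is an added example, not the project's own gate checker: it models both checks over a constructed requirement set in which SUB-REQ-031 and VER-REQ-047 carry the roles the report gives them, while the other IDs, trace links, SIL values and the Analysis-only VER-REQ-900 are assumptions made for the demo.

```python
# Added example, not the project's own tooling: minimal model of the
# silWithoutVer gate and the STK->SYS->SUB->VER chain walk the report describes.
from dataclasses import dataclass

LEVELS = ("STK", "SYS", "SUB", "VER")  # V-model trace chain, top to bottom


@dataclass(frozen=True)
class Req:
    rid: str
    level: str            # one of LEVELS
    sil: int = 0          # IEC 61508 SIL claimed by the requirement; 0 = not safety-rated
    method: str = ""      # for VER entries: "Test" or "Analysis"
    traces: tuple = ()    # upstream IDs this requirement decomposes or verifies


def downstream(reqs):
    """Map each ID to the IDs that trace up to it (child links)."""
    kids = {rid: [] for rid in reqs}
    for r in reqs.values():
        for up in r.traces:
            if up in kids:
                kids[up].append(r.rid)
    return kids


def sil_without_ver(reqs):
    """SIL-rated requirements (SIL 2 or above) with no Test-method VER entry
    tracing to them. An Analysis-only VER does not clear the check."""
    tested = {up for r in reqs.values()
              if r.level == "VER" and r.method == "Test" for up in r.traces}
    return sorted(r.rid for r in reqs.values() if r.sil >= 2 and r.rid not in tested)


def chain_complete(reqs, stk_id):
    """Walk STK -> SYS -> SUB -> VER from stk_id. Returns (True, None) when at
    least one full chain exists, else (False, level) naming the first level
    with no link."""
    kids = downstream(reqs)
    frontier = {stk_id}
    for lvl in LEVELS[1:]:
        frontier = {k for f in frontier for k in kids[f] if reqs[k].level == lvl}
        if not frontier:
            return False, lvl
    return True, None


def gate_blockers(reqs, min_count=200):
    """The two entry-state gates this model can compute: reqCount and silWithoutVer."""
    blockers = []
    if len(reqs) < min_count:
        blockers.append(f"reqCount {len(reqs)} < {min_count}")
    missing = sil_without_ver(reqs)
    if missing:
        blockers.append(f"silWithoutVer {len(missing)} > 0 ({', '.join(missing)})")
    return blockers


def build(with_failover_test):
    """Constructed sample set. SUB-REQ-031 (SIL-3 DAC Workstation hot-standby)
    and VER-REQ-047 (3-trial failover test) are from the report; every other
    ID, link and SIL value here is an assumption for the demo."""
    reqs = [
        Req("STK-REQ-001", "STK"),
        Req("SYS-REQ-001", "SYS", traces=("STK-REQ-001",)),
        Req("SUB-REQ-031", "SUB", sil=3, traces=("SYS-REQ-001",)),
        # constructed Analysis-only VER: completes the chain but not the SIL gate
        Req("VER-REQ-900", "VER", method="Analysis", traces=("SUB-REQ-031",)),
        Req("STK-REQ-002", "STK"),
        Req("SYS-REQ-002", "SYS", traces=("STK-REQ-002",)),
        Req("SUB-REQ-099", "SUB", traces=("SYS-REQ-002",)),  # constructed: no VER yet
    ]
    if with_failover_test:
        # the live failover test the report adds to resolve silWithoutVer
        reqs.append(Req("VER-REQ-047", "VER", method="Test", traces=("SUB-REQ-031",)))
    return {r.rid: r for r in reqs}


if __name__ == "__main__":
    for label, reqs in (("entry", build(False)), ("after VER-REQ-047", build(True))):
        print(label, gate_blockers(reqs))
        for stk in ("STK-REQ-001", "STK-REQ-002"):
            print(" ", stk, chain_complete(reqs, stk))
```

The two checks deliberately disagree on SUB-REQ-031 in the entry state: the chain walk reports it complete because an Analysis VER exists, while sil_without_ver still flags it, which is exactly why the report's coverage audit and its SIL gate are separate findings. STK-REQ-002 shows the other failure mode, a SUB entry with no VER at all, which the chain walk reports as a missing VER link.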
Mode Coverage
Six modes assessed. Entry/exit requirements added for three:
- Startup/Qualification — {{sub:SUB-REQ-044}} formalises all four entry conditions (qualification current, PAT suitability passed, batch record reviewed, no open deviations). Previously these were procedural, not enforced by the MES.
- Emergency Stop — {{sub:SUB-REQ-045}} adds QA sign-off and 30-minute environmental clearance as exit conditions with Test VER.
- Maintenance — {{sub:SUB-REQ-046}} formalises LOTO enforcement across all three command paths (HMI, PLC direct, MES remote) with Test VER across all three.
- Degraded Production — {{sub:SUB-REQ-047}} adds real-time release block with quarantine, closing the H-004 residual risk from the PAT Sensor Drift scenario.
Normal Production and Changeover/Cleaning modes already had adequate entry/exit coverage.
Cross-Domain Findings
Semantic search on “fault tolerant hardware redundancy failover” surfaced the {{entity:Workstation Redundancy Controller}} (railway signalling, Jaccard 0.75) — a hot-standby workstation controller that achieves 5-second state-transfer failover, identical to the {{sub:SUB-REQ-031}} DAC Workstation requirement. The railway analog uses a dedicated heartbeat link for split-brain prevention, a pattern not yet specified in the pharmaceutical PAT architecture. This gap is flagged for the next architecture session. The {{entity:Vital Processing Unit}} (SIL-4 railway CBI, 2oo3 voting) provides a more conservative architecture analog if the DAC Workstation’s SIL rating escalates to SIL-4 under future hazard reassessment.
Lint deduplication removed 57 global entity namespace leaks, reducing false-positive ontological mismatch findings. After deduplication, lintHigh reduced from 17 to 11; the 6 resolved findings were all of the “Powered without power requirements” kind — addressed by adding power supply SUB requirements for PAT ({{sub:SUB-REQ-036}}), tablet compression ({{sub:SUB-REQ-039}}), G&B ({{sub:SUB-REQ-040}}), film coating ({{sub:SUB-REQ-041}}), and containment ({{sub:SUB-REQ-042}}).
Gaps Closed
74 requirements added: 9 new {{sys:SYS-REQ-013}} to {{sys:SYS-REQ-021}} (OEL/OEB, ICH Q8 process validation, EU Delegated Regulation 2016/161, EN ISO 13849-1, OEE, PAT qualification, auto-deviation, cleaning registry, shift handover); 22 new SUB requirements (power supply, safety override/watchdog, mode-specific gates, scenario-specific functions); 43 new VER entries. Architecture Decision records (SUB-REQ-032 to 035) were reassigned from the subsystem-requirements document to the architecture-decisions document. All requirements include --rationale and --verification flags.
flowchart TB
n0["system - Pharmaceutical Manufacturing Line"]
n9["subsystem - Material Handling and Dispensing"]
n10["subsystem - Granulation and Blending"]
n11["subsystem - Tablet Compression"]
n12["subsystem - Process Analytical Technology"]
n13["subsystem - Film Coating"]
n14["subsystem - Containment and Environmental Control"]
n15["subsystem - Packaging and Serialisation"]
n0 --> n9
n0 --> n10
n0 --> n11
n0 --> n12
n0 --> n13
n0 --> n14
n0 --> n15
n9 -->|weighed API and excipients| n10
n10 -->|dried granulate| n11
n11 -->|tablet cores| n13
n13 -->|coated tablets| n15
n10 -->|in-process samples NIR/Raman| n12
n14 -->|conditioned air and pressure differential| n10
Verdict
Conditional pass. All five ConOps scenarios are covered with complete STK → SYS → SUB → VER trace chains. All seven hazards in the register have complete safety argument chains with Test verification for SIL-2 and SIL-3 functions. silWithoutVer is resolved. reqCount gate cleared at 200.
Residual blockers: lintHigh 11 (down from 17; the remaining 11 are Physical Object trait mismatches on software-dominant subsystems and one MES Biological/Biomimetic misclassification — these require entity reclassification, not requirement additions). The ambiguousReqs metric depends on the next QA scorer run; 4 VER reqs were upgraded to standard format. The split-brain prevention gap in the {{entity:PAT Data Acquisition and Processing Workstation}} hot-standby architecture (identified from the railway analog) should be addressed in the next architecture session before progressing to final review.