System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["system<br>Pharmaceutical Manufacturing Line"]
    n1["subsystem<br>Material Handling and Dispensing"]
    n2["subsystem<br>Granulation and Blending"]
    n3["subsystem<br>Tablet Compression"]
    n4["subsystem<br>Film Coating"]
    n5["subsystem<br>Packaging and Serialisation"]
    n6["subsystem<br>Process Analytical Technology"]
    n7["subsystem<br>Manufacturing Execution System"]
    n8["subsystem<br>Containment and Environmental Control"]
    n9["subsystem<br>Material Handling and Dispensing Subsystem"]
    n10["subsystem<br>Granulation and Blending Subsystem"]
    n11["subsystem<br>Tablet Compression Subsystem"]
    n12["subsystem<br>Process Analytical Technology Subsystem"]
    n13["subsystem<br>Film Coating Subsystem"]
    n14["subsystem<br>Containment and Environmental Control Subsystem"]
    n15["subsystem<br>Packaging and Serialisation Subsystem"]
    n0 --> n1
    n0 --> n2
    n0 --> n3
    n0 --> n4
    n0 --> n5
    n0 --> n6
    n0 --> n7
    n0 --> n8
    n1 -->|powder| n2
    n2 -->|granules| n3
    n3 -->|tablets| n4
    n4 -->|coated tablets| n5
    n9 -->|weighed API and excipients| n10
    n10 -->|dried granulate target PSD| n11
    n11 -->|tablet cores| n13
    n13 -->|coated tablets| n15
    n10 -->|in-process samples NIR/Raman| n12
    n14 -->|conditioned air and pressure differential| n10
    n0 -->|CONTAINS| n9
    n0 -->|CONTAINS| n10
    n0 -->|CONTAINS| n11
    n0 -->|CONTAINS| n12
    n0 -->|CONTAINS| n13
    n0 -->|CONTAINS| n14
    n0 -->|CONTAINS| n15
```
Pharmaceutical Manufacturing Line Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Process Analytical Technology Subsystem | diagram-1774435062520 | SIL 3 | complete |
| Manufacturing Execution System | diagram-1774435062963 | SIL 2 | complete |
| Granulation and Blending Subsystem | diagram-1774438734122 | SIL 2 | complete |
| Tablet Compression Subsystem | diagram-1774451064357 | SIL 2 | complete |
| Material Handling and Dispensing Subsystem | pending | — | pending |
| Film Coating Subsystem | pending | — | pending |
| Packaging and Serialisation Subsystem | pending | — | pending |
| Containment and Environmental Control Subsystem | diagram-1774480118684 | SIL 2 | complete |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The PAT Subsystem NIR spectrometer SHALL acquire diffuse reflectance spectra (900-1700 nm, minimum 256 wavelength channels, 8 cm-1 resolution) at 30-second intervals from each monitored process point, with signal-to-noise ratio exceeding 5000:1 and automatic dark-current correction between acquisitions. Rationale: NIR is the primary sensor for content uniformity and moisture monitoring. SYS-016 mandates 30-second acquisition. The 5000:1 SNR threshold is the minimum for reliable PLS chemometric model discrimination of API concentration within 2% RSD, derived from ICH Q2(R1) analytical method validation requirements. 8 cm-1 resolution matches pharmaceutical industry standard for solid dosage monitoring. | Test | subsystem, pat, nir, sil-3, session-547, idempotency:sub-pat-nir-acquisition-547 |
| SUB-REQ-002 | The PAT Subsystem Raman spectrometer SHALL acquire spectra (200-3200 cm-1, spectral resolution 4 cm-1) at 30-second intervals using a 785 nm excitation laser at power not exceeding 500 mW, with automatic fluorescence background subtraction and cosmic ray rejection. Rationale: Raman provides polymorphic form identification and API quantification complementary to NIR. SYS-016 mandates 30-second acquisition. 785 nm excitation is the standard for pharmaceutical applications, balancing fluorescence avoidance with Raman cross-section. 500 mW power limit prevents thermal degradation of heat-sensitive APIs. Fluorescence subtraction is essential for excipient-rich formulations. | Test | subsystem, pat, raman, sil-3, session-547, idempotency:sub-pat-raman-acquisition-547 |
| SUB-REQ-003 | The PAT Subsystem SHALL evaluate all CQA chemometric models (content uniformity PLS, blend homogeneity PCA, particle size correlation) within 5 seconds of sensor data acquisition, using cryptographically signed model files with version tracking, and SHALL reject any model file whose SHA-256 checksum does not match the validated model registry. Rationale: SYS-016 mandates CQA model evaluation within 5 seconds. Model integrity is a direct H-004 mitigation: a corrupted or unauthorised model could approve OOS product for release. Cryptographic signing with SHA-256 verification ensures only validated models execute in production, meeting 21 CFR Part 11 requirements for computerised system validation. Version tracking enables post-incident root cause analysis. | Test | subsystem, pat, cqa-model, sil-3, h-004, session-547, idempotency:sub-pat-cqa-model-eval-547 |
| SUB-REQ-004 | When a CQA limit exceedance is detected, the PAT Subsystem SHALL actuate the batch diversion valve to the reject position within 2 seconds, confirm valve position via discrete feedback sensor, and maintain the diversion state until receiving an explicit MES acknowledgment and reset command. Rationale: SYS-016 mandates 2-second diversion actuation. The valve position feedback sensor provides independent confirmation that the diversion physically occurred, critical for SIL 3 integrity of the H-004 mitigation. Latching in divert-state until MES acknowledgment prevents race conditions where PAT could reset before the EBR records the event, ensuring no diversion goes unrecorded. | Test | subsystem, pat, diversion, sil-3, h-004, session-547, idempotency:sub-pat-diversion-valve-547 |
| SUB-REQ-005 | The PAT Subsystem SHALL perform continuous sensor self-diagnostics evaluating signal-to-noise ratio, wavelength calibration accuracy (against internal reference standard), and detector dark-current stability, and SHALL declare sensor-degraded state within 15 seconds when any diagnostic parameter deviates beyond validated operating limits. Rationale: SYS-022 requires degraded-mode transition within 30 seconds. The 15-second detection window allocates half the budget to PAT self-diagnosis and half to MES notification and mode switching. Internal reference standard calibration check (typically polystyrene for NIR, silicon for Raman) is the pharmaceutical industry standard per ASTM E1840. Without continuous self-diagnostics, calibration drift is the primary root cause pathway for H-004. | Test | subsystem, pat, sensor-health, sil-3, h-004, session-547, idempotency:sub-pat-sensor-diagnostics-547 |
| SUB-REQ-006 | While in sensor-degraded state, the PAT Subsystem SHALL suspend real-time CQA model evaluation on the affected sensor channel within 5 seconds of degradation detection, continue acquisition on unaffected channels at ≥70% of nominal per-channel CQA evaluation rate, present manual sampling prompts to operators at 15-minute intervals (±30 seconds) with sample identification barcodes, and record all manual sample submissions with timestamps for MES integration. The PAT Subsystem SHALL maintain a minimum of 1 unaffected sensor channel in active CQA evaluation throughout degraded-mode operation. Rationale: SYS-022 mandates 15-minute manual sampling and 50% throughput maintenance during degraded mode. The 5-second suspension window closes the gap between degradation detection and alert issuance. The ≥70% per-channel evaluation rate on surviving channels ensures that a 3-channel PAT system can sustain meaningful CQA coverage on 2 channels. The ±30-second sampling prompt tolerance accommodates operator workflow without breaching the 15-minute GMP sampling requirement. The minimum 1 active channel requirement prevents a total real-time monitoring blackout during multi-sensor degradation. Performance floors added per validation session 566. | Demonstration | pat-subsystem, degraded-mode, superseded-by-session-554, superseded-by:SUB-REQ-024 |
| SUB-REQ-007 | The PAT Subsystem laser diffraction analyser SHALL measure particle size distribution (0.5-2000 micron range, D10/D50/D90 reporting) at 30-second intervals during granulation and blending stages, with measurement repeatability within 2% RSD on D50 for reference standard material. Rationale: SYS-016 lists laser diffraction as a mandated PAT sensor. Particle size distribution is a critical quality attribute for tablet dissolution rate and content uniformity per ICH Q6A. The 2% RSD repeatability on D50 is the ISO 13320 acceptance criterion for pharmaceutical laser diffraction, ensuring the measurement is sufficiently precise to detect granule over-growth that would cause segregation and content uniformity failure. | Test | subsystem, pat, laser-diffraction, session-547, idempotency:sub-pat-laser-diffraction-547 |
| SUB-REQ-008 | The Manufacturing Execution System SHALL enforce 21 CFR Part 11 compliant electronic signatures on all EBR critical entries (batch release, deviation acknowledgment, in-process hold, parameter override), requiring biometric or two-factor authentication, with each signature binding the signer identity, date/time, and signing meaning to the record. Rationale: SYS-015 mandates electronic signatures with access controls. FDA 21 CFR Part 11.50 requires that signed records clearly indicate the printed name, date/time, and meaning of the signature. Two-factor authentication exceeds the minimum Part 11 requirement but is standard practice after FDA warning letters citing weak e-signature controls. H-006 safe state includes system lockout for forensic investigation, making signature integrity the first line of defense. | Test | subsystem, mes, part-11, sil-2, h-006, session-547, idempotency:sub-mes-esig-547 |
| SUB-REQ-009 | The Manufacturing Execution System SHALL maintain a tamper-evident audit trail recording every EBR creation, modification, and deletion event, capturing the original value, new value, operator ID, workstation ID, timestamp (UTC, NTP-synchronised to within 100 ms), and operator-entered reason for change. Rationale: 21 CFR Part 11.10(e) requires complete audit trails; SIL-2 H-006 mandate. Upgraded from Inspection to Test per IEC 61508 (Functional safety of E/E/PE safety-related systems) requirements for SIL-2 safety functions — audit trail completeness must be demonstrated by active test (injection of EBR events and verification of append-only log) not static inspection. Test verification aligns with the VER-REQ-019 which tests audit trail tamper resistance. | Test | subsystem, mes, audit-trail, part-11, sil-2, h-006, session-547, idempotency:sub-mes-audit-trail-547 |
| SUB-REQ-010 | The Manufacturing Execution System SHALL compute and store a SHA-256 cryptographic hash on every EBR write operation, maintain a hash chain linking consecutive writes, and SHALL detect and alert on any hash chain discontinuity within one EBR backup cycle (15 minutes maximum). Rationale: SYS-015 mandates cryptographic hash verification on every write. The hash chain (each hash includes the previous hash) provides tamper evidence stronger than individual hashes, detecting both modification and deletion of intermediate records. Detection within one backup cycle ensures that if H-006 occurs, the maximum exposure window before alert is 15 minutes, aligning with the SYS-015 backup interval. | Test | subsystem, mes, data-integrity, sil-2, h-006, session-547, idempotency:sub-mes-crypto-integrity-547 |
| SUB-REQ-011 | The Manufacturing Execution System SHALL maintain a real-time lockout registry mapping each equipment unit to its lockout state (locked/unlocked), lockout holder (operator ID), lock application timestamp, and lock type (maintenance/cleaning/calibration), and SHALL prevent any equipment start command while at least one active lockout is registered against that equipment. Rationale: SYS-024 mandates electronic lockout verification preventing restart. The lockout registry is the single source of truth for equipment safety state, replacing or augmenting physical padlocks. H-007 (mechanical entrapment) requires that restart prevention is absolute, not advisory. Multiple lock types support concurrent lockout by different disciplines (maintenance LOTO plus cleaning hold), as required in pharmaceutical changeover where cleaning and maintenance overlap. | Test | subsystem, mes, loto, sil-2, h-007, session-547, idempotency:sub-mes-loto-registry-547 |
| SUB-REQ-012 | The Manufacturing Execution System SHALL log every LOTO event (lock application, lock removal, restart attempt while locked, override attempt) in the EBR with operator ID, equipment ID, timestamp, lock type, and event outcome (success/denied), retaining logs for the batch record retention period. Rationale: SYS-024 mandates logging all LOTO events with operator ID, timestamp, and equipment ID. Including restart-attempt-while-locked and override-attempt events provides forensic evidence for H-007 near-miss investigation. Retention for the batch record period (typically 1 year past expiry per 21 CFR 211.180) ensures LOTO records are available for regulatory inspection of any batch produced during the maintenance window. | Inspection | subsystem, mes, loto, audit-trail, session-547, idempotency:sub-mes-loto-logging-547 |
| SUB-REQ-013 | The Manufacturing Execution System SHALL record batch genealogy linking each production batch to raw material lot numbers (via barcode scan at dispensing), equipment IDs (via PLC integration), process parameter time-series (via historian interface), operator IDs (via e-signature at each stage), and PAT CQA results (via OPC UA subscription), enabling recall scope determination within 4 hours of query. Rationale: SYS-020 mandates full batch genealogy with 4-hour recall scope determination. The 4-hour constraint drives the database query architecture: the genealogy must be queryable by any dimension (material lot, equipment, operator, date range) without full table scan. Barcode scan at dispensing is the GMP-standard method for material identity verification, eliminating transcription error that could make genealogy unreliable. | Test | subsystem, mes, batch-genealogy, session-547, idempotency:sub-mes-batch-genealogy-547 |
| SUB-REQ-014 | The Manufacturing Execution System SHALL perform automated EBR database backups at intervals not exceeding 15 minutes, with backup integrity verified by hash comparison, and SHALL restore from the most recent verified backup to a functional state within 30 minutes of a data integrity failure detection. Rationale: SYS-015 mandates backup intervals not exceeding 15 minutes. The 30-minute recovery time objective ensures that H-006 safe state (switch to paper backup) does not persist longer than one production stage. Hash-verified backups prevent restoration of already-corrupted data, which would propagate the H-006 failure mode rather than recovering from it. | Test | subsystem, mes, backup, sil-2, h-006, session-547, idempotency:sub-mes-ebr-backup-547 |
| SUB-REQ-015 | When a data integrity failure is detected (hash chain discontinuity or backup verification failure), the Manufacturing Execution System SHALL switch to verified paper backup record mode within 60 seconds, generating pre-formatted paper batch record forms with the current batch context pre-populated, and SHALL lock the electronic system for forensic investigation. Rationale: H-006 safe state mandates switch to verified paper backup and electronic system lockout. The 60-second switchover ensures no batch recording gap during the transition. Pre-populated paper forms reduce transcription error during the high-stress switchover event. System lockout for forensics preserves the evidence chain for the data integrity investigation required by FDA guidance on data integrity (2018). | Demonstration | subsystem, mes, paper-backup, sil-2, h-006, session-547, idempotency:sub-mes-paper-backup-547 |
| SUB-REQ-016 | When the High Shear Granulator wet mass torque profile or integrated NIR wet-mass spectrum reaches the validated endpoint criterion, the Granulation and Blending Subsystem SHALL stop granulation within 10 seconds and initiate granule discharge transfer to the Fluid Bed Dryer. Rationale: Granulation endpoint detection is the primary process control point ensuring granule size and density are within specification. A 10-second stop-and-transfer limit prevents over-granulation (overwetting increases granule density, reducing tablet compressibility). The dual criterion (torque OR NIR) provides fallback if one sensor is unavailable per the PAT degraded-mode requirement (REQ-SEPHARMAMANUFACTURING-022). | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-hsg-endpoint-549 |
| SUB-REQ-017 | The Fluid Bed Dryer SHALL reduce granule loss-on-drying (LOD) to the target value (product-specific, typically 1.0-3.0% w/w) plus or minus 0.5% w/w within the validated drying time window, as measured by the in-line NIR LOD probe at 60-second intervals. Rationale: LOD at FBD discharge is a CQA because residual moisture directly affects tablet compressibility and chemical stability. Over-drying below 1.0% causes friable granules and poor compaction; under-drying above target increases risk of chemical degradation and sticky blend. The plus or minus 0.5% acceptance band is derived from ICH Q6A tablet dissolution specification tolerance and NIR LOD method validation precision (RSD less than 0.3%). | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-fbd-lod-549 |
| SUB-REQ-018 | The Fluid Bed Dryer SHALL maintain inlet air temperature within plus or minus 2 degrees Celsius of the MES recipe setpoint throughout the drying cycle, and SHALL raise an alarm and suspend drying if the inlet air temperature deviates by more than 5 degrees Celsius for more than 60 seconds. Rationale: Inlet air temperature is a CPP affecting drying rate and product bed temperature. Exceedance beyond plus or minus 5 degrees Celsius risks thermal degradation of heat-sensitive APIs (stability shelf life driven by ICH Q1A). The 60-second tolerance window is derived from the thermal inertia of a 100L product bed — step changes propagate to the product bed within 90 seconds, giving 30 seconds of corrective action margin before product impact. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-fbd-temp-549 |
| SUB-REQ-019 | The Granule Sizing Mill SHALL reduce post-drying granule agglomerates such that the resulting sized granule D90 is less than 800 micrometres and D50 is between 200 and 600 micrometres, verified by off-line laser diffraction sampling within 15 minutes of mill discharge. Rationale: PSD at sizing mill discharge is a CQA for tablet compression: coarse granules (D90 greater than 800 micrometres) cause tablet weight variation exceeding the REQ-SEPHARMAMANUFACTURING-025 plus or minus 5% rejection limit, and fine granules (D50 less than 200 micrometres) cause hopper segregation in the tablet press feed frame. The 15-minute off-line sampling window is the minimum required by stability and process validation protocols before blend step can proceed. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-mill-psd-549 |
| SUB-REQ-020 | The IBC Blender SHALL achieve a blend uniformity of API content RSD less than or equal to 5.0% across the blend mass, as measured by the in-IBC NIR probe at each of three blending speed setpoints (6 RPM, 10 RPM, 14 RPM) validated per ICH Q2(R1), before the MES issues blend-complete authorisation. Rationale: Blend uniformity RSD less than or equal to 5.0% is the USP Chapter 905 content uniformity acceptance criterion for tablets. NIR blend endpoint monitoring in the validated IBC geometry is required by the FDA Process Analytical Technology Guidance (2004) as an alternative to destructive sampling. Three-setpoint validation covers the RPM range across product viscosity variants — a single RPM setpoint would fail for high-viscosity batches where blending time increases non-linearly. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-ibc-blend-endpoint-549 |
| SUB-REQ-021 | The Granulation and Blending Subsystem SHALL record the mass of each material charge and transfer at each process step, and SHALL flag a mass balance error if the cumulative yield from raw material input to IBC discharge is outside the range 97.0% to 101.0% of theoretical batch yield. Rationale: Mass balance tracking from dispensed API weight through granulation, drying, sizing, and blend is a GMP regulatory requirement under 21 CFR 211.182 batch record content. The 97-101% window accounts for expected process losses (dust, sampling, vessel heel) while flagging uncontrolled losses that could indicate material mix-up, spill, or diversion. Values outside this range require investigation per SOPs before batch can proceed. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-mass-balance-549 |
| SUB-REQ-022 | When the PAT NIR blend-endpoint monitoring is unavailable (sensor fault or communication loss), the Granulation and Blending Subsystem SHALL continue IBC blending for the validated fixed-time blend duration specified in the MES recipe (minimum 20 minutes at validated RPM), require a supervisory operator authorisation before issuing blend-complete, and SHALL log the PAT-unavailable event in the EBR with timestamp and reason. Rationale: Degraded-mode performance floor is required per REQ-SEPHARMAMANUFACTURING-022. Fixed-time blending is the validated manual fallback when PAT NIR is unavailable — the 20-minute minimum time is the validated worst-case blend time from development studies. Supervisory authorisation provides a human check replacing the automated NIR endpoint. Without this requirement, PAT NIR failure would halt production with no recovery path, creating a safety-quality trade-off where operators bypass controls. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-degraded-blend-549 |
| SUB-REQ-023 | While processing OEB 3 or higher potency compounds (OEL less than 10 micrograms per cubic metre), the Granulation and Blending Subsystem SHALL maintain contained transfer operations at all inter-vessel transfer points, with airborne API concentration in the operator breathing zone not exceeding 1 microgram per cubic metre as verified by personal air sampling during qualification. Rationale: Containment requirement derives from REQ-SEPHARMAMANUFACTURING-004 (OEB containment integrity) and REQ-SEPHARMAMANUFACTURING-017 (negative pressure isolation). The 1 microgram per cubic metre breathing-zone limit is 10% of the OEL, providing a safety factor of 10 per ICH Q11 and ISPE Risk-MaPP guidance. Granulation-to-dryer and dryer-to-mill transfers are the highest exposure risk points in the OSD line because they involve open powder handling of wet and dry API-containing material. | Test | subsystem, granulation-blending, session-549, sil-2, idempotency:sub-gb-containment-549 |
| SUB-REQ-024 | While in sensor-degraded state, the PAT Subsystem SHALL suspend real-time CQA model evaluation on the affected sensor channel within 10 seconds of degradation detection, continue acquisition on all unaffected channels (minimum: 2 of 3 sensor channels must remain operational before a full-system safe-state transition is required), present manual sampling prompts to operators within 60 seconds of each 15-minute interval expiry with sample identification barcodes, and record all manual sample submissions with timestamps and operator ID for MES EBR integration within 30 seconds of submission. Rationale: Derived from SUB-REQ-006. The 10-second suspension window is the maximum acceptable delay before a degraded channel could contribute an erroneous CQA estimate to the diversion model. The 2-of-3 channel floor ensures the PAT subsystem retains meaningful CQA coverage during single-sensor failure without triggering a full production halt; loss of 2+ sensors removes the basis for continued real-time release. The 60-second prompt window is the maximum allowable latency before a manual sampling event is considered missed under the degraded-mode protocol. | Test | pat-subsystem, degraded-mode, session-554, supersedes:SUB-REQ-006, idempotency:sub-pat-degraded-quantified-554 |
| SUB-REQ-025 | The Rotary Tablet Press SHALL monitor upper punch compression force at each station on every rotation and reject tablets where compression force deviates from the target setpoint by more than ±5 kN, using a pneumatic ejector actuating within 200 ms of ejection point detection. Rationale: Compression force is the primary determinant of tablet hardness and dissolution profile. A ±5 kN tolerance corresponds to a ±15% hardness variation (validated per ICH Q8) beyond which dissolution rate changes by >10%, risking sub-therapeutic dosing. Per-station monitoring is required because tooling wear is station-specific — a worn punch on station 14 will not be caught by average-force monitoring. The 200 ms ejection window is derived from the turret geometry at maximum 120 RPM: 500 ms/revolution ÷ 72 stations = 6.9 ms per station; 200 ms allows for the physical distance from detection to diverter. | Test | subsystem, tablet-compression, sil-2, session-556, idempotency:sub-tc-press-force-556 |
| SUB-REQ-026 | The Tablet In-Process Control System SHALL sample every 30th tablet for individual weight, hardness, and thickness measurement, and shall update the press fill-depth servo setpoint within 3 measurement cycles when the running mean weight deviates by more than ±1.5% from the target. Rationale: USP <905> content uniformity requires weight variation <5% RSD. Sampling every 30th tablet at 120 RPM gives one sample every 1.5 seconds, providing trend data fast enough to detect gradual fill-depth drift before it exceeds the 5% USP limit. The ±1.5% control band provides a correction margin 3× narrower than the limit — consistent with ICH Q8 process analytical technology guidance for real-time release. | Test | session-556, idempotency:sub-tc-ipc-weight-556 |
| SUB-REQ-027 | When a guard door on the Rotary Tablet Press is opened, the Tablet Compression Subsystem SHALL de-energise the main drive motor and engage the mechanical turret brake within 500 ms, and SHALL prevent re-energisation until the guard door is confirmed closed and a positive LOTO key removal is electronically verified by the MES LOTO Registry Module. Rationale: Hazard H-007 (mechanical entrapment in rotating turret) is rated severity:critical, SIL-2 per IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems). The 500 ms stop time is derived from the turret inertia at 120 RPM — stopping within half a revolution ensures no punch station can complete a full stroke after the guard opens. MES LOTO verification creates an electronic record satisfying 21 CFR Part 11 and FDA GMP audit requirements for every maintenance access event. | Test | session-556, idempotency:sub-tc-loto-guard-556 |
| SUB-REQ-028 | The Tablet Compression Containment Housing SHALL maintain negative pressure of -15 Pa (±3 Pa) relative to the surrounding cleanroom at all times during press operation, and SHALL trigger an audible alarm and initiate an automatic press hold within 5 seconds when pressure differential exceeds -10 Pa (loss-of-containment threshold). Rationale: Hazard H-001 (airborne potent compound exposure, OEL 1-10 µg/m³) is rated severity:critical, SIL-2. MoP basis: -15 Pa containment setpoint derived from EU GMP Annex 1 pressure differential specification (≥10 Pa between classified zones); the ±3 Pa tolerance is consistent with ISPE Baseline Guide Vol. 2 (Sterile Manufacturing Facilities) pressure measurement accuracy requirements for unidirectional flow zones. | Test | reqs-eng-session-566 |
| SUB-REQ-029 | The Tablet Compression Subsystem SHALL read the RFID tag on each punch and die station at press startup and shall prevent press operation if any station has accumulated more than 500,000 compressions or if any RFID tag read fails, logging the failed station to the MES batch record. Rationale: Punch tip fracture (failure mode from the H-007 scenario — the 90-minute downtime event) is directly correlated with cumulative compression cycles. The 500,000 compression limit is the manufacturer-validated service life for S7 tool steel at 80 kN maximum force. RFID tracking is required rather than a paper log because 21 CFR Part 11 requires electronic records for all GMP-critical maintenance activities; a failed read treated as an error is a fail-safe — a missing RFID cannot be assumed to be a new punch. | Test | session-556, idempotency:sub-tc-tooling-rfid-556 |
| SUB-REQ-030 | When one of the three Tablet In-Process Control System measurement channels (weight, hardness, or thickness) fails, the Tablet Compression Subsystem SHALL continue press operation at reduced throughput (maximum 60% of nominal RPM) with manual sampling at 5-minute intervals substituting for the failed channel, and SHALL record the degraded-mode start time and reason in the MES batch record. Rationale: A single IPC channel failure (e.g., weight probe jam) does not invalidate product quality if manual sampling is substituted at sufficient frequency. At 60% RPM (maximum 72 RPM), production output is 3,000-4,000 tabs/min; manual sampling every 5 minutes gives a sample of approximately 15,000-20,000 tablets, consistent with the USP <905> sampling plan minimum. Forcing degraded mode to 60% RPM provides headroom for operators to manage the increased manual workload without falling behind. This is consistent with SYS-REQ-009 degraded production mode. | Demonstration | session-556, idempotency:sub-tc-ipc-degraded-556 |
| SUB-REQ-031 | The PAT Subsystem CQA model evaluation and diversion actuation function SHALL be implemented on a hardware architecture achieving at least Hardware Fault Tolerance (HFT) of 1 (IEC 61508 SIL-3 compliant), with the DAC Workstation having a redundant hot-standby instance; the standby instance SHALL assume primary control within 5 seconds of primary failure without loss of the current diversion decision state. Rationale: SIL-3 IEC 61508 (Functional safety of electrical/electronic/programmable electronic safety-related systems): architectural analysis alone (HFT=1 calculation) does not satisfy IEC 61508 SIL-3 requirements. The hardware fault tolerance must be demonstrated by hardware-in-the-loop testing — injecting primary channel failure and confirming the secondary channel takes over within the specified 500ms window. VER-REQ-047 specifies this failover test procedure. Analysis is insufficient as the sole verification method for a SIL-3 safety function. | Test | session-561, validation, pat, sil-3, h-004, architecture, redundancy, idempotency:session561-sub-pat-sil3-hft1-architecture |
| SUB-REQ-036 | The Process Analytical Technology Subsystem SHALL operate from a dedicated 230V AC 50Hz UPS-backed power supply providing minimum 4 hours of autonomous operation on battery, with automatic power failure alarm to the MES within 10 seconds of mains loss. Rationale: The PAT subsystem is Powered (UHT trait) and SIL-3 rated. A power failure during active CQA model evaluation must not result in silent loss of diversion control. The 4-hour battery backup ensures continued operation through a typical mains supply incident. The 10-second alarm limit ensures the operator has adequate warning to switch to manual sampling before the UPS is depleted. Addresses lintHigh finding 7. | Test | session-562, validation, pat, power, sil-3, h-004, idempotency:session562-sub-pat-power-supply |
| SUB-REQ-037 | The PAT Subsystem SHALL provide a manual CQA override interface accessible to the QC Analyst role, enabling a qualified operator to override a CQA model limit violation and continue production with enhanced manual sampling, with the override action and justification text recorded in the EBR within 60 seconds of override activation. Rationale: The PAT Subsystem is classified as Functionally Autonomous (UHT trait) and must have a human-in-the-loop override per IEC 61508 SIL-3 requirement for safety-related autonomous systems. This requirement addresses lintHigh finding 16. The QC Analyst role restriction prevents unauthorised overrides. EBR logging within 60 seconds ensures audit trail completeness under 21 CFR Part 11. | Test | session-562, validation, pat, override, sil-3, h-004, autonomy, idempotency:session562-sub-pat-manual-override |
| SUB-REQ-038 | The Manufacturing Execution System SHALL implement a watchdog timer that monitors core EBR processing heartbeat at 30-second intervals, and when three consecutive heartbeats are missed, SHALL log a system health alert to the CMMS, switch the SCADA operator display to a system-unavailable state, and prevent new batch record initiation until the MES health check passes. Rationale: The MES is classified as Functionally Autonomous (UHT trait) and must have a watchdog and fail-safe state per IEC 62443-4-2 (Security for industrial automation and control systems). This requirement addresses lintHigh finding 17. The 30-second heartbeat interval and 3-miss threshold (90 seconds total) provides a balance between false-alarm avoidance and timely failure detection. The fail-safe state prevents new batch records from being initiated on a potentially compromised system. | Test | session-562, validation, mes, watchdog, sil-2, h-006, autonomy, idempotency:session562-sub-mes-watchdog |
| SUB-REQ-039 | The Tablet Compression Subsystem SHALL operate from a dedicated 400V AC 50Hz 3-phase power supply with a soft-starter providing controlled ramp-up to prevent current surge, and SHALL have a monitored emergency power-off (EPO) circuit that de-energises the main drive within 200ms of activation, with EPO status monitored by the MES LOTO registry. Rationale: The Rotary Tablet Press and associated IPC system are Powered (UHT trait) physical components requiring defined power supply parameters for safe operation. The 200ms EPO response directly supports the H-007 safe state (equipment de-energised and mechanically braked) and integrates with the LOTO registry requirement (SUB-REQ-011). Addresses lintHigh findings 8 and 13. | Test | session-562, validation, tablet-compression, power, sil-2, h-007, idempotency:session562-sub-tc-power-epo |
| SUB-REQ-040 | The Granulation and Blending Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the High Shear Granulator impeller (rated 37kW) and Fluid Bed Dryer heating element (rated 30kW), with power monitoring that triggers an MES alarm if supply voltage deviates more than 10 percent from nominal, and an EPO that de-energises both machines within 500ms of activation. Rationale: The High Shear Granulator and Fluid Bed Dryer are Powered (UHT trait) physical components. Power deviations exceeding 10 percent affect impeller speed control and heating performance, directly impacting granule LOD CQA. The 500ms EPO supports H-001 and H-003 safe state transitions. Addresses lintHigh findings 9, 12, and 15. | Test | session-562, validation, granulation-blending, power, sil-2, h-001, idempotency:session562-sub-gb-power-supply |
| SUB-REQ-041 | The Film Coating Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the pan coater drive (rated 22kW) and inlet air heating system (rated 45kW), with power consumption monitoring that logs actual energy consumption per batch cycle to the MES for OEE calculation, and an EPO that de-energises all drives within 500ms. Rationale: The Film Coating Subsystem is a Powered (UHT trait) physical component requiring defined electrical supply parameters. The power consumption logging supports the OEE and process monitoring requirements of SYS-REQ-017. The 500ms EPO response supports safe-state transition for hazards involving coating materials. Addresses lintHigh finding 11. | Test | session-562, validation, film-coating, power, idempotency:session562-sub-fc-power-supply |
| SUB-REQ-042 | The Containment and Environmental Control Subsystem SHALL operate from a UPS-backed 230V AC power supply providing minimum 2 hours of autonomous operation on battery for all monitoring and alarm functions, and SHALL maintain HVAC damper positions during power interruption (fail-secure to exhaust mode) to preserve containment integrity. Rationale: The Containment Subsystem must remain operational during power failures to maintain H-001 safe state (HVAC switched to full exhaust). The fail-secure exhaust mode on power loss is a SIL-2 safety function. The 2-hour battery runtime covers the maximum expected time for emergency generator activation and transfer. Addresses lintHigh finding indirectly through physical safety system power requirements. | Test | session-562, validation, containment, power, sil-2, h-001, idempotency:session562-sub-cec-power-ups |
| SUB-REQ-043 | The Manufacturing Execution System server hardware SHALL be housed in a dedicated server rack with dual redundant power supplies (each rated for 100 percent load), located in an access-controlled equipment room separate from the production floor, with physical access logged to the CMMS. Rationale: The MES is a software subsystem but requires physical server hardware (Physical Object embodiment). Dual redundant PSUs directly support MES availability for SIL-2 EBR continuity. Physical access control to the server room is a 21 CFR Part 11 data integrity requirement. Inspection is the appropriate verification method for physical installation and access control measures. Addresses lintHigh finding 1. | Inspection | session-562, validation, mes, hardware, physical, 21cfr11, idempotency:session562-sub-mes-server-hardware |
| SUB-REQ-044 | The system SHALL NOT permit entry to Normal Production mode unless all of the following conditions are met: all equipment IQ/OQ/PQ qualification records are current and QA-approved; all PAT instruments have passed system suitability checks against certified reference materials; all process parameters in the batch record have been reviewed and approved by the Production Supervisor; and no active deviation from the previous campaign remains open. Rationale: Startup mode entry criteria are safety-critical controls for product quality and batch release. Undefined or unenforced entry criteria allow production to start on non-qualified equipment, risking OOS product release (H-004). This requirement formalises the Startup/Qualification mode exit condition into a verifiable pre-production gate. Test verification requires a functional check of each pre-production gate in the MES workflow. | Test | session-562, validation, mode-coverage, startup, mes, idempotency:session562-sub-startup-entry-criteria |
| SUB-REQ-045 | When the system transitions from Emergency Stop mode, the Manufacturing Execution System SHALL require explicit QA Manager electronic signature in the EBR, enforce a mandatory 30-minute environmental clearance period with air monitoring below 50% OEL, and generate a deviation record linked to the triggering alarm event, before permitting any production equipment re-energisation. Rationale: Emergency Stop mode exit is a safety-critical transition. Premature re-energisation after a containment breach (H-001) or mechanical jam (H-007) is the primary cause of secondary incidents in pharmaceutical manufacturing. The QA Manager sign-off requirement is mandated by 21 CFR Part 211 supervisory review requirements. The 30-minute clearance period is the minimum time to confirm environmental decontamination by continuous air monitoring. | Test | reqs-eng-session-566 |
| SUB-REQ-046 | While in Maintenance mode, the system SHALL prevent equipment power-on by any means (HMI, PLC, remote command) for any equipment with an active LOTO lock applied, and SHALL display the LOTO status (locked, applied-by, time-applied) on the MES operator display for all maintenance-targeted equipment. Rationale: Maintenance mode requires hardware and software barriers to prevent accidental equipment energisation while personnel are in contact with moving parts (H-007). The LOTO status display requirement supports the operator's situational awareness during multi-person maintenance activities and is an OSHA 29 CFR 1910.147 (Control of Hazardous Energy) compliance requirement. Test verification requires attempting equipment energisation via all three command paths while LOTO is active. | Test | session-562, validation, mode-coverage, maintenance, loto, sil-2, h-007, idempotency:session562-sub-maintenance-loto-display |
| SUB-REQ-047 | While in Degraded Production mode, the system SHALL quarantine all completed batches in MES quarantine status within 60 seconds of batch completion, prevent real-time release of any quarantined batch, and require a QA Manager electronic signature in the EBR before advancing a batch from quarantine following traditional offline QC release (HPLC content uniformity: n≥6, RSD≤2.0%, mean within ±5.0% of label claim). Rationale: Derived from STK-REQ-009 (maintain product quality assurance during PAT sensor degradation) and SYS-REQ-009 (degraded mode production at reduced throughput with traditional QC release). Automatic quarantine within 60 seconds prevents inadvertent real-time release of batches produced without full PAT monitoring. HPLC acceptance criteria (n≥6, RSD≤2.0%) are the validated offline method for content uniformity per USP <905> when real-time PAT release is suspended. | Test | session-562, validation, mode-coverage, degraded, sil-3, h-004, rtrt, idempotency:session562-sub-degraded-rtr-block |
| SUB-REQ-048 | The Containment and Environmental Control Subsystem SHALL detect airborne API concentration above the OEL action limit (80 percent of OEL) and SHALL automatically: (a) activate the Emergency Stop function; (b) close all material transfer valve actuators at the affected station within 5 seconds; (c) switch room HVAC to 100 percent exhaust through HEPA filtration within 15 seconds; and (d) trigger an evacuation alarm audible at 85 dB at 1 metre from the nearest alarm sounder. Rationale: H-001 hazard requires automated response to containment breach without relying on operator action. The 5-second valve closure and 15-second HVAC response times are derived from the airborne dispersion modelling showing that a 20-second response prevents operator dose from exceeding the STEL (Short-Term Exposure Limit). The 85 dB alarm standard meets EN ISO 7731 workplace emergency alarm requirements. | Test | session-562, validation, containment, sil-2, h-001, emergency, idempotency:session562-sub-cec-breach-autoresponse |
| SUB-REQ-049 | The Containment and Environmental Control Subsystem SHALL perform continuous air monitoring at each sampling point at a minimum frequency of 1 sample per 60 seconds during Normal Production and Degraded Production modes, and SHALL maintain air monitoring data in the EBR for a minimum of 10 years for regulatory inspection, with data export in CSV and PDF formats. Rationale: Continuous air monitoring at 1-sample/60-second frequency is required to detect rapid concentration changes before operator exposure reaches the STEL, which is typically measured over 15 minutes. The 10-year retention period satisfies the 21 CFR Part 211.180 record retention requirements for pharmaceutical manufacturing with margin (the regulation sets only a minimum retention period). Test verification confirms both the monitoring frequency and the data retention/export functionality. | Test | session-562, validation, containment, monitoring, sil-2, h-001, idempotency:session562-sub-cec-air-monitoring-freq |
| SUB-REQ-050 | When the Cleaning Validation results for any swab location exceed the acceptance limit, the Manufacturing Execution System SHALL automatically quarantine the next batch associated with that equipment, alert the QA Manager via SCADA notification and email, and prevent batch record release until the QA Manager reviews the cleaning deviation and signs the EBR for the affected equipment. Rationale: Cleaning validation failure is the primary trigger for H-002 cross-contamination risk. Automatic quarantine prevents accidental release of potentially contaminated product while the cleaning deviation is investigated. This requirement operationalises the Changeover/Cleaning scenario from the ConOps where a first cleaning attempt fails at location 7. The email and SCADA dual notification ensures the QA Manager is alerted even if not actively monitoring the SCADA screen. | Test | session-562, validation, mes, changeover, sil-3, h-002, idempotency:session562-sub-mes-cleaning-fail-quarantine |
| SUB-REQ-051 | The Material Handling and Dispensing Subsystem SHALL enforce a two-person independent check for all API dispensing operations above 1kg, with electronic confirmation from both operators required in the MES before the dispensing step is closed in the EBR, preventing advancement to the next batch step until both confirmations are received. Rationale: Two-person API dispensing check is a 21 CFR Part 211 critical step verification requirement for potent compounds. The EBR workflow gate preventing step advancement until both confirmations are received ensures the check is performed and documented before product enters the manufacturing process. Incorrect API quantity dispensed (H-002) is a catastrophic quality failure mode. | Test | session-562, validation, material-handling, sil-3, h-002, api-dispensing, idempotency:session562-sub-mhd-two-person-api |
| SUB-REQ-052 | The Tablet Compression Subsystem SHALL perform a real-time metal detection check on the tablet stream at the press output, and when a metallic contaminant is detected, SHALL automatically activate the tablet rejection mechanism to divert a minimum of 10 tablets before and after the detection point to the reject stream, and SHALL generate a critical alarm in the MES with the detected fragment size estimate if available. Rationale: Metal detection at the press output is the last automated line of defence against metallic contamination from broken punch tooling (Tablet Press Jam scenario). The 10-tablet pre/post-detection rejection window accounts for the detection zone uncertainty and tablet discharge timing. A single metallic fragment in a batch poses a patient safety risk categorised as a critical defect per FDA 21 CFR Part 211.84. | Test | session-562, validation, tablet-compression, metal-detection, sil-2, idempotency:session562-sub-tc-metal-detection |
| SUB-REQ-053 | The Granulation and Blending Subsystem SHALL monitor for dust explosion risk by measuring dust concentration at the FBD exhaust duct using a continuous dust sensor, and when concentration exceeds 25 percent of the Lower Explosion Limit (LEL), SHALL activate nitrogen inerting flow, reduce FBD airflow to the minimum circulation rate, and generate a SIL-2 alarm to the MES within 10 seconds. Rationale: Pharmaceutical powder dust explosion (H-003) is a catastrophic hazard at LEL concentrations. The 25 percent LEL threshold provides a two-fold safety margin below the 50 percent LEL action concentration applied under ATEX (Directive 2014/34/EU) hazardous area classification. Nitrogen inerting keeps the oxygen concentration in the FBD chamber below the limiting oxygen concentration (LOC) at which the dust-air mixture can ignite. The 10-second response time is derived from the maximum dust cloud dispersion rate in the FBD chamber. | Test | session-562, validation, granulation-blending, dust-explosion, sil-2, h-003, atex, idempotency:session562-sub-gb-dust-explosion-inerting |
| SUB-REQ-054 | The Packaging and Serialisation Subsystem SHALL perform 100 percent vision inspection of each blister cavity for correct tablet count, absent tablets, broken tablets, and foreign particles, and SHALL reject any blister pack where the vision system confidence score for any cavity falls below 95 percent, logging rejected pack IDs and rejection reasons to the MES EBR. Rationale: Vision inspection of packaging is the final automated quality gate before product release. Absent or broken tablets in a blister pack constitute a critical defect under 21 CFR Part 211.84 that would require batch recall if released to market. The 95 percent confidence threshold is a conservative limit reflecting the validated detection sensitivity for the smallest tablet size variant in the product range. | Test | session-562, validation, packaging, vision-inspection, sil-2, idempotency:session562-sub-pkg-vision-inspection |
| SUB-REQ-055 | The Laboratory Information Management System (LIMS) interface SHALL receive all QC sample requests from the MES within 30 seconds of sample registration in the EBR, return analytical results to the MES within 5 minutes of result entry in LIMS for samples flagged as time-critical (real-time release), and retain rejected results with the rejection reason in both LIMS and MES audit trails. Rationale: LIMS-MES integration latency directly affects real-time release decision cycle time. The 30-second request receipt and 5-minute result return limits are derived from the maximum allowable hold time for in-process samples awaiting analytical results before product quality degrades. The dual audit trail requirement supports 21 CFR Part 11 data integrity across both systems. | Test | session-562, validation, lims, mes, real-time-release, idempotency:session562-sub-lims-mes-latency |
| SUB-REQ-056 | The Electronic Batch Record Engine within the Manufacturing Execution System SHALL generate a batch review summary report in PDF/A format within 15 minutes of batch completion, including all critical process parameter trends, in-process control results, deviation summary, and a compliance checklist against the approved product specification, available for QA Manager review without additional data queries. Rationale: Batch review report generation within 15 minutes of batch completion is required for same-shift QA review in a 12-hour production schedule. PDF/A (ISO 19005) is the archival format chosen to satisfy the EU GMP Annex 11 requirement that electronic records remain accessible and readable for the full retention period. Test verification confirms the report is generated automatically, the 15-minute SLA is met, and the report content matches the EBR data. | Test | session-562, validation, mes, ebr, batch-review, 21cfr11, idempotency:session562-sub-mes-batch-report-gen |
| SUB-REQ-057 | The Process Analytical Technology Subsystem SHALL maintain a rolling 30-day archive of all CQA model inputs, model outputs, diversion decisions, and calibration check results in a tamper-evident audit log, accessible to QA Analyst and QA Manager roles, exportable in CSV format for retrospective trend analysis and regulatory inspection. Rationale: A 30-day retrospective PAT audit log is required to support deviation investigations, regulatory inspections, and real-time release retrospective reviews under 21 CFR Part 211.180 and EU GMP Annex 11. The tamper-evident requirement is mandated by 21 CFR Part 11 audit trail provisions. Test verification confirms the log is populated correctly, exports are accurate, and tamper evidence is detectable. | Test | session-562, validation, pat, audit-log, sil-3, h-004, idempotency:session562-sub-pat-audit-log |
| SUB-REQ-058 | The Process Analytical Technology Subsystem SHALL provide a qualified user override mechanism that enables a QC Analyst or Production Supervisor to suspend automated CQA-based batch diversion, subject to mandatory EBR electronic signature for each override event, a maximum override duration of 60 minutes without re-authorisation, and automatic restoration of autonomous CQA evaluation when the override expires. Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 3 requires that functionally autonomous safety systems provide a defined and auditable override mechanism. The PAT subsystem makes autonomous SIL-3 diversion decisions; the override must be bounded in duration and logged to prevent unconstrained bypass of the H-004 safety function while allowing legitimate quality judgement by trained personnel. | Test | session-564, validation, pat, sil-3, h-004, functional-autonomy, override, idempotency:session564-sub-pat-autonomy-override |
| SUB-REQ-059 | The Granulation and Blending Subsystem SHALL be installed within a dedicated ISO 8 (Grade D) cleanroom bay, with all product-contact surfaces constructed from 316L stainless steel, and the equipment train (high-shear granulator, fluid bed dryer, bin blender) enclosed in a shared contained material transfer system using ANSI/ISPE OEB 4-compatible transfer connections. Rationale: Physical installation constraints for the granulation and blending subsystem are set by GMP cleanroom classification requirements and potent compound containment requirements (H-001, OEB 4). The 316L stainless steel and OEB 4 transfer connections are mandated by cGMP and product safety requirements. This requirement defines the physical embodiment of the subsystem to resolve the ontological mismatch with its Substrate classification. | Inspection | session-565, granulation-blending, physical-embodiment, lint-fix-lh2, idempotency:ses565-blend-physical-embodiment |
| SUB-REQ-060 | The Process Control System (PCS) SHALL operate from a 24 VDC power supply with a maximum consumption of 500 W per PLC chassis, supported by an uninterruptible power supply (UPS) providing a minimum 30-minute backup at full load, and SHALL annunciate a power failure alarm within 2 seconds of utility power loss. Rationale: PCS power supply and UPS backup requirements are needed to ensure continued operation of safety interlocks and LOTO enforcement logic during utility power failures. The 30-minute UPS duration is derived from the minimum time required to complete a controlled batch shutdown and reach safe state. Without a defined power budget, the PCS cabinet and UPS cannot be correctly specified during detailed design. | Test | session-565, process-control, power-supply, ups, lint-fix-lh6, idempotency:ses565-pcs-power-budget |
| SUB-REQ-061 | The Manufacturing Execution System SHALL implement a hardware watchdog timer with a 30-second timeout that triggers a controlled safe-state transition (suspend batch execution, issue HVAC failsafe command, alert operators) if MES software fails to send a heartbeat signal; and SHALL provide a qualified user emergency override capability enabling a Production Supervisor to halt all MES-controlled automated functions within 10 seconds via a dedicated physical E-STOP button at each operator workstation. Rationale: The MES executes batch recipes autonomously and controls safety-critical equipment interlocks (LOTO, containment). IEC 61508 (Functional safety of E/E/PE safety-related systems) requires that Functionally Autonomous systems at SIL-2 have hardware watchdog supervision and a human-accessible override. The 30-second watchdog timeout is the minimum interval that permits software restart without a spurious safe-state alarm during normal MES operation. | Test | session-565, mes, watchdog, override, functionally-autonomous, sil-2, lint-fix-lh7, idempotency:ses565-mes-watchdog-override |
| SUB-REQ-062 | The Containment and Environmental Control Subsystem SHALL install differential pressure transmitters at each controlled cleanroom boundary (weigh booth to corridor, granulation bay to corridor, and coating/packaging bay to corridor), temperature probes and humidity sensors at product exposure height (0.8–1.2 m above floor) in each classified bay, with all sensor housings constructed from 316L stainless steel and certified to ISO 8 cleanroom installation standards per EU GMP Annex 1. Rationale: SYS-REQ-025 specifies the physical sensor placement and material standards required for cleanroom environmental monitoring — the SYS requirement is facility-level and needs decomposition to the Containment and Environmental Control Subsystem. The installation positions are defined by EU GMP Annex 1 and ICH Q10 (Pharmaceutical Quality System) requirements for representative environmental monitoring. 316L stainless steel prevents corrosion and microbial harbourage in classified areas. | Inspection | session-565, validation, environmental-control, sensor-installation, sil-1, idempotency:session565-sub-envctl-sensor-installation |
| SUB-REQ-063 | The HVAC Air Handling Unit SHALL maintain cleanroom supply air conditions within the range 20±2°C (temperature), 45±5% RH (humidity), and a minimum of 20 air changes per hour for ISO 7 cleanroom grades, as specified in EU GMP Annex 1 (Manufacture of Sterile Medicinal Products). Rationale: EU GMP Annex 1 and SYS-REQ-022 mandate ISO 7/8 cleanroom classification with specific temperature, humidity, and ACH thresholds. Deviation from these conditions compromises cleanroom classification, product quality (hygroscopic API degradation above 50% RH), and GMP compliance, triggering a batch rejection event under the EBR. | Test | subsystem, containment, hvac, environmental-control, sil-2, session-548, idempotency:sub-cec-hvac-cleanroom-conditions-548 |
| SUB-REQ-064 | The HVAC Air Handling Unit SHALL maintain a minimum differential pressure of +10 Pa between adjacent cleanroom grades and -12.5 Pa inside the Potent Compound Isolator relative to the surrounding cleanroom, with the Differential Pressure Monitoring Controller achieving setpoint within 30 seconds of any disturbance. Rationale: SYS-REQ-004 specifies -12.5 Pa minimum inward pressure in OEB 4/5 containment zones. The +10 Pa cascade for adjacent ISO grades prevents cross-contamination between production areas. 30-second setpoint recovery is derived from the time a cleanroom door can remain open during normal operation without compromising room classification (EU GMP Annex 1 Section 4.4). | Test | subsystem, containment, hvac, pressure-cascade, sil-2, session-548, idempotency:sub-cec-hvac-pressure-cascade-548 |
| SUB-REQ-065 | When the Containment Safety PLC detects a containment integrity failure (isolator pressure above -5 Pa for more than 5 seconds, or airborne API concentration above 80% OEL), the Containment and Environmental Control Subsystem SHALL transition to the safe state — switching HVAC to 100% exhaust mode, sealing supply air dampers, and triggering a Level 1 alarm — within 30 seconds of detection. Rationale: SIL-2 safe state requirement per IEC 61508 (Functional safety of E/E/PE safety-related systems). The H-001 hazard (airborne potent compound exposure) safe state is defined as maximum exhaust to dilute any released API below OEL. 30-second transition time is the maximum allowable period for hazardous concentration build-up before exceeding IDLH limits for OEB 4/5 compounds, based on worst-case room volume and release rate modelling. | Test | subsystem, containment, safe-state, sil-2, h-001, emergency, session-548, idempotency:sub-cec-safe-state-breach-548 |
| SUB-REQ-066 | The Environmental Monitoring System SHALL generate an audible and visual alarm within 60 seconds of any cleanroom environmental parameter (temperature, RH, or differential pressure) exceeding its alarm limit, and SHALL transmit the alarm event to the MES EBR engine via OPC UA within the same 60-second window. Rationale: SYS-REQ-006 specifies 60-second alarm response for environmental excursions. The simultaneous MES notification ensures that the deviation is embedded in the electronic batch record at the time of occurrence, satisfying 21 CFR Part 11 (Electronic records and electronic signatures) audit trail requirements and enabling automatic batch deviation records per SYS-REQ-019. | Test | subsystem, containment, ems, monitoring, alarm, session-548, idempotency:sub-cec-ems-alarm-response-548 |
| SUB-REQ-068 | The Containment and Environmental Control Subsystem SHALL maintain cleanroom particle counts at or below ISO 14644-1 Class 7 limits (352,000 particles per cubic metre at 0.5 µm) in granulation and compression bays during active production, verified by the airborne particle counter network at no less than 1 sample per 30 minutes. Rationale: SYS-REQ-022 requires ISO 7 cleanroom classification in granulation and compression bays. Continuous particle monitoring at 30-minute intervals meets ISO 14644-1 (Cleanrooms and associated controlled environments) statistical sampling requirements and detects filter failure or human incursion events before product contamination occurs. | Test | subsystem, containment, monitoring, cleanroom, session-548, idempotency:sub-cec-particle-count-iso7-548 |
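The tamper-evident audit log of SUB-REQ-057 is the one requirement in this table whose verification ("tamper evidence is detectable") depends on a specific construction, so the following is an added worked example; it is not code from the SyDD or from the PAT vendor. It keeps each record in a hash chain sealed with an HMAC (the sealing key, hypothetically held in the DAC Workstation secrets store, never leaves the subsystem, so an exporter who can edit the CSV cannot re-seal it), exports the CSV named in the requirement, and re-verifies an export. The two edge cases practitioners usually miss are handled: pruning the rolling 30-day window must not look like tampering (the MAC of the last pruned entry becomes the chain anchor), and deleting the newest rows is invisible to a chain alone unless the current head MAC is published out of band. Field names and the record kinds are this example's assumptions.

```python
"""Tamper-evident rolling audit log for PAT CQA model inputs, outputs,
diversion decisions and calibration checks (SUB-REQ-057).

Added example, not part of the SyDD. Assumes the sealing key is held in
the DAC Workstation's secrets store (hypothetical), never in the CSV
export, so an exporter who can edit rows cannot re-seal them.
"""
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)   # rolling 30-day archive per SUB-REQ-057
GENESIS = "0" * 64               # chain head before any entry exists
FIELDS = ["seq", "ts", "batch_id", "sensor_id", "kind", "payload", "prev", "mac"]


def _canonical(entry):
    # Fixed field set, sorted keys, no whitespace: the bytes under the MAC
    # must be identical whether the entry is in memory or re-read from CSV
    # (where every value comes back as a string).
    body = {k: str(entry[k]) for k in FIELDS if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(entry, key):
    # HMAC rather than a bare hash: re-sealing an edited row needs the key.
    return hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()


class PatAuditLog:
    def __init__(self, key):
        self._key = key
        self._entries = []
        self._anchor = GENESIS   # MAC of the last pruned entry
        self._seq = 0

    def append(self, batch_id, sensor_id, kind, payload, ts_iso):
        """Append one record; ts_iso is an ISO 8601 timestamp with offset."""
        prev = self._entries[-1]["mac"] if self._entries else self._anchor
        self._seq += 1
        entry = {
            "seq": str(self._seq), "ts": ts_iso, "batch_id": batch_id,
            "sensor_id": sensor_id, "kind": kind,
            "payload": json.dumps(payload, sort_keys=True), "prev": prev,
        }
        entry["mac"] = seal(entry, self._key)
        self._entries.append(entry)
        self._prune(datetime.fromisoformat(ts_iso))
        return entry["mac"]

    def _prune(self, now):
        # Drop entries outside the retention window, but remember the MAC of
        # the last dropped entry: verification of the remaining chain starts
        # from it, so a legitimate prune is distinguishable from a deletion.
        cutoff = now - RETENTION
        while self._entries and datetime.fromisoformat(self._entries[0]["ts"]) < cutoff:
            self._anchor = self._entries.pop(0)["mac"]

    def anchor(self):
        return self._anchor

    def head(self):
        # Publish this out of band (EBR, signed QA log): it is the only thing
        # that detects silent truncation of the newest entries.
        return self._entries[-1]["mac"] if self._entries else self._anchor

    def size(self):
        return len(self._entries)

    def export_csv(self):
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(self._entries)
        return buf.getvalue()


def verify_csv(text, key, anchor=GENESIS, expected_head=None):
    """Re-verify an exported CSV. Returns (ok, first_bad_seq_or_reason)."""
    prev = anchor
    for row in csv.DictReader(io.StringIO(text)):
        if row["prev"] != prev or not hmac.compare_digest(row["mac"], seal(row, key)):
            return False, row["seq"]
        prev = row["mac"]
    if expected_head is not None and prev != expected_head:
        return False, "truncated"
    return True, None
```

A verifier that knows only the key accepts a truncated export; the QA review step should therefore compare the export's last MAC against the head value the subsystem records in the EBR at export time, which is what the `expected_head` argument represents.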
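SUB-REQ-038 (software supervisor: 30-second heartbeat, three consecutive misses) and SUB-REQ-061 (hardware watchdog: single 30-second timeout) describe the same supervision pattern with different thresholds, so one added example serves both; it is not code from the SyDD or the MES. The behaviour worth testing is the latching: a late heartbeat after the trip must not silently re-enable batch initiation, only a passed health check may. Action labels are this example's placeholders for the outputs the two requirements list, and time is plain seconds so the timeline is reproducible.

```python
"""Heartbeat watchdog supervisor for the MES EBR engine.

Added example covering SUB-REQ-038 (30 s heartbeat, trip after three
consecutive misses) and SUB-REQ-061 (hardware watchdog, trip on one
30 s timeout: miss_threshold=1). Not part of the SyDD; action names are
hypothetical labels for the outputs the requirements list.
"""

ACTIONS_ON_TRIP = ("CMMS_HEALTH_ALERT", "SCADA_DISPLAY_UNAVAILABLE", "BLOCK_BATCH_INITIATION")


class HeartbeatWatchdog:
    def __init__(self, interval_s=30.0, miss_threshold=3, start_time=0.0,
                 actions=ACTIONS_ON_TRIP):
        self.interval = interval_s
        self.threshold = miss_threshold
        self.actions = tuple(actions)
        self.last_beat = start_time
        self.misses = 0
        self.tripped_at = None
        self.trips = []          # every trip time, kept across re-arms
        self.events = []         # (time, label) in order of occurrence

    def beat(self, now):
        """Heartbeat from the EBR engine. Resets the miss counter but never
        clears a trip: recovery is an explicit health-check decision."""
        self.last_beat = now
        self.misses = 0

    def poll(self, now):
        """Supervisor tick. Counts whole heartbeat intervals elapsed since
        the last beat and trips once the threshold is reached. Returns the
        actions emitted on this tick (empty while armed or already tripped)."""
        if self.tripped_at is not None:
            return []
        self.misses = int((now - self.last_beat) // self.interval)
        if self.misses >= self.threshold:
            self.tripped_at = now
            self.trips.append(now)
            self.events.extend((now, a) for a in self.actions)
            return list(self.actions)
        return []

    def allow_batch_initiation(self):
        # SUB-REQ-038: no new batch records while the fail-safe state holds.
        return self.tripped_at is None

    def health_check(self, now, passed):
        """Only a passed MES health check re-arms the watchdog."""
        self.events.append((now, "HEALTH_CHECK_PASS" if passed else "HEALTH_CHECK_FAIL"))
        if passed:
            self.tripped_at = None
            self.misses = 0
            self.last_beat = now
        return passed
```

With the defaults the trip lands 90 seconds after the last heartbeat (three full 30-second intervals), which is the figure SUB-REQ-038's rationale gives; with `miss_threshold=1` the same class models the 30-second hardware timeout of SUB-REQ-061.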
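SUB-REQ-058 bounds the override of the autonomous CQA diversion function (signed per event, 60-minute ceiling, automatic restoration), and SUB-REQ-037 adds the role restriction and EBR record; the controller below is an added example of how those constraints compose, not code from the SyDD. The electronic signature check is a stand-in for the site's 21 CFR Part 11 e-signature service (a hypothetical per-user HMAC credential); the role names are the ones the requirements use. The point the code makes is that expiry is enforced at the moment of each diversion decision, so an override that nobody remembers to cancel restores autonomous evaluation by itself, and that neither an unauthorised role nor a forged signature can open one.

```python
"""Bounded, signed override of autonomous CQA diversion (SUB-REQ-058,
with the role restriction and EBR logging of SUB-REQ-037).

Added example, not part of the SyDD. Signature verification stands in for
the site's 21 CFR Part 11 e-signature service (hypothetical per-user HMAC
credential). Times are plain seconds.
"""
import hashlib
import hmac

MAX_OVERRIDE_S = 60 * 60          # 60 minutes without re-authorisation
ALLOWED_ROLES = {"QC Analyst", "Production Supervisor"}


def e_sign(user_secret, user, action, t):
    """What the signing client computes; the controller recomputes it.
    Binding user, action and time stops a captured signature being replayed
    for a different action or a later override."""
    msg = f"{user}|{action}|{t:.0f}".encode()
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()


class OverrideController:
    def __init__(self, credentials, roles):
        self._credentials = credentials   # user -> secret (constructed directory)
        self._roles = roles               # user -> role
        self._active = None
        self.ebr = []                     # records written to the EBR

    def _record(self, event, user, t, **extra):
        rec = {"event": event, "user": user, "t": t, **extra}
        self.ebr.append(rec)
        return rec

    def _check(self, user, action, signature, t):
        role = self._roles.get(user)
        if role not in ALLOWED_ROLES:
            raise PermissionError(f"{user!r} ({role}) may not {action} a CQA override")
        secret = self._credentials.get(user)
        if secret is None:
            raise PermissionError("no signing credential on file")
        expected = e_sign(secret, user, action, t)
        if not hmac.compare_digest(signature, expected):
            raise PermissionError("electronic signature does not verify")

    def start(self, user, signature, justification, t):
        if not justification.strip():
            raise ValueError("justification text is mandatory")
        self._check(user, "override_start", signature, t)
        expires = t + MAX_OVERRIDE_S
        self._active = {"user": user, "started": t, "expires": expires}
        self._record("OVERRIDE_START", user, t, justification=justification, expires=expires)

    def reauthorise(self, user, signature, t):
        """A fresh signature is required to extend; an expired override
        cannot be extended, a new one must be started and justified."""
        if self._active is None or t >= self._active["expires"]:
            raise RuntimeError("no active override to re-authorise")
        self._check(user, "override_reauth", signature, t)
        self._active["expires"] = t + MAX_OVERRIDE_S
        self._record("OVERRIDE_REAUTH", user, t, expires=t + MAX_OVERRIDE_S)

    def diversion_suppressed(self, t):
        """Called by the CQA evaluation loop before each diversion decision.
        Expiry restores autonomous evaluation with no operator action."""
        if self._active is None:
            return False
        if t >= self._active["expires"]:
            self._record("OVERRIDE_EXPIRED", self._active["user"], t)
            self._active = None
            return False
        return True
```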
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-021 | The interface between the Environmental Monitoring System and the Manufacturing Execution System SHALL transmit environmental data (temperature, RH, differential pressure, particle counts) via OPC UA protocol at a maximum latency of 10 seconds, with each data point carrying a validated timestamp, EU GMP Annex 11 (Computerised Systems) compliant audit trail, and alarm severity classification. Rationale: SYS-REQ-006 requires environmental alarms within 60s; the EMS-to-MES OPC UA interface must be faster than the alarm response time to enable batch record embedding before alarm acknowledgment. 10-second latency provides margin. OPC UA is selected over Modbus for its native security model (encryption, authentication) required for GxP network-connected systems per ISPE GAMP 5. | Test | interface, containment, ems, mes, opcua, session-548, idempotency:ifc-ems-mes-opcua-548 |
| IFC-022 | The interface between the Containment Safety PLC and the HVAC Air Handling Unit SHALL use a hardwired 24 VDC discrete signal bus for safety-critical commands (emergency exhaust mode, E-stop, damper seal), with maximum signal propagation latency of 100 ms and fail-safe open-circuit behaviour triggering exhaust mode. Rationale: SIL-2 safety interface per IEC 61508 requires a hardwired discrete channel rather than a software-mediated fieldbus for the containment breach response, eliminating software common-cause failures. Fail-safe open-circuit behaviour (de-energise to trip) is mandatory for SIL-2 logic per IEC 62061 Section 6.7. 100 ms maximum propagation is within the 30-second safe state transition budget for H-001. | Test | interface, containment, safety-plc, hvac, sil-2, session-548, idempotency:ifc-safetyplc-hvac-hardwire-548 |
| IFC-023 | The interface between the Differential Pressure Monitoring Controller and the HVAC Air Handling Unit VAV damper actuators SHALL use a 4-20 mA analogue control signal, with a closed-loop PID control update cycle of no greater than 1 second, and SHALL report a fault alarm if any actuator position deviates from commanded position by more than 5% for more than 10 seconds. Rationale: 4-20 mA analogue is the pharmaceutical HVAC industry standard for damper control, providing continuous modulation required for pressure cascade maintenance. 1-second PID cycle ensures the controller can detect and correct pressure disturbances (door opening, equipment start) before they propagate beyond the ±15 Pa excursion limit that triggers an alarm per SYS-REQ-006. | Test | interface, containment, dp-controller, hvac, session-548, idempotency:ifc-dp-controller-hvac-dampers-548 |
| IFC-REQ-001 | The interface between the Process Analytical Technology Subsystem and the Manufacturing Execution System SHALL transmit CQA limit exceedance alarms as structured OPC UA event notifications containing sensor ID, CQA parameter name, measured value, limit value, and timestamp, with end-to-end latency not exceeding 500 milliseconds. Rationale: H-004 drives SIL 3 on the CQA diversion path. The 500ms latency budget is derived from SYS-016's 2-second diversion actuation window: 500ms for PAT-to-MES signalling leaves 1500ms for MES processing, EBR annotation, and valve actuation command. OPC UA is selected for MES-to-process integration in line with the ISA-95 integration model and provides built-in event semantics. | Test | interface, pat, mes, sil-3, cqa-diversion, session-547, idempotency:ifc-pat-mes-cqa-alarm-547 |
| IFC-REQ-002 | The Process Analytical Technology Subsystem SHALL publish sensor health status to the Manufacturing Execution System via OPC UA monitored items at 10-second intervals (±1 second tolerance), including signal-to-noise ratio, calibration deviation percentage, and operational state (nominal/degraded/failed) for each PAT sensor. SNR SHALL be reported as an absolute value and calibration deviation as percentage drift from the last reference standard; an SNR below 3.0 SHALL place the sensor in the 'failed' state, and a drift greater than 3.0% SHALL place it in the 'degraded' state. Rationale: SYS-022 requires degraded-mode switching within 30 seconds of sensor degradation. A 10-second health reporting interval gives the MES three data points before the 30-second deadline. The SNR threshold (< 3.0) and calibration deviation threshold (> 3.0% drift) are derived from the PAT Sensor Drift scenario and validated instrument qualification parameters. These thresholds make the 'degraded' and 'failed' state transitions testable: the pass criterion for IFC qualification tests requires demonstrated state changes at the defined thresholds. Quantified criteria added per validation session 566. | Test | interface, pat, mes, sensor-health, session-547, idempotency:ifc-pat-mes-sensor-health-547 |
| IFC-REQ-003 | The Manufacturing Execution System SHALL transmit diversion acknowledgment and operating mode commands to the Process Analytical Technology Subsystem via OPC UA method calls, confirming EBR annotation of each CQA diversion event within 1 second and commanding PAT mode transitions (nominal/degraded/calibration) with response confirmation. Rationale: Bidirectional handshake ensures the EBR records every diversion event before PAT resets its alarm state. The 1-second acknowledgment window is the MES share of the 2-second total diversion budget from SYS-016. Mode commands from MES ensure PAT does not autonomously resume real-time release after sensor degradation without MES-verified recalibration, critical for H-004 mitigation. | Test | interface, pat, mes, cqa-diversion, sil-3, session-547, idempotency:ifc-mes-pat-diversion-ack-547 |
| IFC-REQ-004 | The Process Analytical Technology Subsystem SHALL stream CQA measurement results to the Manufacturing Execution System at 30-second intervals via OPC UA data subscriptions, with each measurement record containing batch ID, equipment ID, timestamp, CQA parameter values (content uniformity, blend homogeneity, particle size distribution), model version, and confidence score. Rationale: SYS-020 requires full batch genealogy linking finished product to process parameter logs. Model version and confidence score are essential for post-hoc investigation when H-004 occurs, enabling root cause analysis to determine whether an OOS release resulted from model error versus process excursion. 30-second interval aligns with SYS-016 PAT acquisition rate. | Test | interface, pat, mes, batch-genealogy, session-547, idempotency:ifc-pat-mes-cqa-data-547 |
| IFC-REQ-005 | When the Manufacturing Execution System transitions the production line to degraded mode, the MES SHALL issue a manual sampling schedule command to the Process Analytical Technology Subsystem specifying 15-minute sampling intervals, sample point locations, and CQA parameters to test offline within 30 seconds of mode transition; SHALL receive sample submission confirmations from PAT within 120 seconds of each scheduled sample time; and SHALL generate a deviation record if any sample submission is not confirmed within 120 seconds of its scheduled time. Rationale: SYS-022 specifies manual in-process testing every 15 minutes during sensor-degraded mode. The 30-second command issuance deadline ensures the first manual sample is scheduled before the PAT monitoring gap exceeds the first 15-minute interval. The 120-second sample submission confirmation window accommodates laboratory analysis time and is the maximum acceptable lag before operator intervention is triggered. Both thresholds are measurable acceptance criteria for degraded-mode qualification. Explicit performance thresholds added per validation session 566 to resolve ambiguousReqs blocker. | Test | interface, degraded-mode, superseded-by-session-554, superseded-by:IFC-REQ-009 |
| IFC-REQ-006 | The interface between the Granulation and Blending Subsystem and the Process Analytical Technology Subsystem SHALL provide real-time NIR spectral data to the PAT DAC Workstation at maximum 30-second intervals for both the Fluid Bed Dryer in-line LOD probe (900-1700 nm, 2 nm resolution) and the IBC Blender in-vessel NIR probe (900-1700 nm, 4 nm resolution), with latency less than 5 seconds from acquisition to CQA model evaluation result. Rationale: The 30-second maximum interval and 5-second latency are derived from REQ-SEPHARMAMANUFACTURING-016 (30-second minimum PAT sample interval). The G&B-to-PAT spectral interface must meet this timing because both LOD endpoint and blend endpoint decisions are safety-quality decisions: a delayed LOD result could allow an under-dried batch to proceed to sizing, degrading PSD and tablet compressibility. | Test | interface, granulation-blending, session-549, idempotency:ifc-gb-pat-nir-549 |
| IFC-REQ-007 | The interface between the Manufacturing Execution System and the Granulation and Blending Subsystem SHALL transmit recipe setpoints (temperature, RPM, time, LOD target) to each equipment PLC within 2 seconds of step initiation, and SHALL receive process data feedback (CPP actual values, mass readings, alarm states) from the G&B subsystem at 10-second intervals for EBR recording. Rationale: The 2-second setpoint delivery latency ensures equipment reaches setpoint before material processing begins — derived from the slowest PLC scan cycle (500ms) plus up to 3 MES polling retries. The 10-second EBR feedback interval is the minimum required for regulatory compliance (FDA 21 CFR Part 11) to reconstruct process conditions during a deviation investigation — coarser intervals would prevent reconstruction of CPP excursions shorter than one interval. | Test | interface, granulation-blending, session-549, idempotency:ifc-mes-gb-recipe-549 |
| IFC-REQ-008 | The interface between the Granulation and Blending Subsystem and the Tablet Compression Subsystem SHALL transfer blended granules in a sealed IBC with a tamper-evident seal applied by MES-controlled automated sealing station, with the IBC mass and blend-complete authorisation code recorded in the batch genealogy before transfer is permitted. Rationale: The sealed IBC handoff at G&B-to-compression boundary is the primary batch integrity control point. MES-controlled sealing prevents manual opening or material substitution between blend completion and tablet press charging. The authorisation code links the specific IBC to its blend record, satisfying REQ-020 (batch genealogy) and enabling identification of compression batches affected if an upstream blend deviation is discovered during QC review. | Inspection | interface, granulation-blending, session-549, idempotency:ifc-gb-compression-handoff-549 |
| IFC-REQ-009 | When the Manufacturing Execution System transitions the production line to degraded mode, the MES SHALL issue a manual sampling schedule command to the Process Analytical Technology Subsystem within 30 seconds of mode transition, specifying 15-minute sampling intervals, at minimum 3 CQA parameters (API assay, blend uniformity, moisture content), and all required sample point locations. The MES SHALL receive and EBR-record PAT sample submission confirmations within 5 minutes of each scheduled sampling event; if a confirmation is not received within 5 minutes, the MES SHALL generate a critical alert and log a non-conformance event. Rationale: Derived from IFC-REQ-005. The 30-second command delivery window prevents manual sampling gaps when the PAT system transitions to degraded mode mid-batch. The 5-minute confirmation window is the maximum acceptable sampling latency before a non-conformance event must be logged under 21 CFR 211.192 (batch production records). The minimum 3-CQA-parameter floor ensures that API assay, blend uniformity, and moisture are never deferred, as these are the three attributes that determine batch release or rejection. | Test | interface, degraded-mode, mes, pat-subsystem, session-554, supersedes:IFC-REQ-005, idempotency:ifc-mes-degraded-mode-quantified-554 |
| IFC-REQ-010 | The interface between the Tablet In-Process Control System and the Process Analytical Technology Subsystem SHALL transmit individual tablet weight, hardness, and thickness measurements via OPC-UA at a minimum rate of one dataset per sampled tablet (minimum 2 Hz at 120 RPM with every-30th sampling), with timestamp synchronised to UTC ±1 s. Rationale: The PAT CQA model engine uses IPC data combined with NIR content uniformity to generate composite CQA predictions. Time synchronisation to UTC ±1 s is required to correlate IPC tablet weight with the NIR spectral acquisition window — a NIR scan lasts 30 s and covers ~3,600 tablets at 120 RPM; a 1 s timestamp error spans ~120 tablets, acceptable for the correlation model. | Test | session-556, idempotency:ifc-tc-ipc-pat-556 |
| IFC-REQ-011 | The interface between the Tablet Compression Subsystem and the Manufacturing Execution System SHALL write all in-process tablet rejection events (timestamp, station number, force value, reject reason) to the electronic batch record within 10 seconds of the rejection event, and SHALL write a subsystem status change (normal/degraded/stopped) to the MES within 5 seconds of the state transition. Rationale: 21 CFR Part 11 requires complete electronic batch records with no gaps; individual rejection events must be recorded because each rejected tablet represents an attributed product loss that the batch genealogy must account for. The 10-second write latency is a practical limit derived from MES database write performance at high-throughput compression (up to 500 rejections/min at 5% rejection rate); longer would risk buffer overflow and data loss. | Test | session-556, idempotency:ifc-tc-mes-ebr-556 |
| IFC-REQ-012 | The interface between the Film Coating Subsystem and the Manufacturing Execution System SHALL transmit coating recipe parameters (pan speed, inlet temperature, spray rate, atomisation pressure, target weight gain) from the MES to the coating subsystem and return in-process coating parameters (actual inlet/outlet temperature, spray rate, tablet weight gain) and batch disposition decisions to the MES at a minimum 30-second update interval, with all data writes to the Electronic Batch Record completed within 60 seconds of measurement. Rationale: Film coating is a GMP-controlled operation under 21 CFR Part 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals); recipe execution parameters and in-process measurements are mandatory EBR entries. The 30-second update interval matches the coating process dynamics (pan rotation period ~10–20 seconds) and ensures that any excursion from coating weight target is captured within one control cycle before batch rejection criteria are exceeded. | Test | session-558, qc, film-coating, mes, idempotency:ifc-012-film-coating-mes-v1 |
| IFC-REQ-013 | The interface between the Tablet Compression Subsystem and the Film Coating Subsystem SHALL transfer compressed tablet cores via a closed IBC transfer system, with the Tablet Compression Subsystem providing a signed transfer record (batch ID, weight, tablet count, core hardness mean ± 3σ, friability result) to the Film Coating Subsystem before any coating operation commences; the Film Coating Subsystem SHALL reject the transfer if any core attribute falls outside the predefined acceptance range defined in the batch record. Rationale: Physical hand-off between compression and coating is a critical GMP in-process release step under 21 CFR Part 211.110 (Sampling and testing of in-process materials). Core quality attributes (hardness, friability) directly determine coating adhesion and film integrity; out-of-specification cores entering the coater cause coating defects that are difficult to detect without destructive testing post-coating. A signed transfer record with a defined rejection gate prevents downstream waste and protects batch integrity. | Inspection | session-558, qc, tablet-compression, film-coating, idempotency:ifc-013-compression-coating-v1 |
| IFC-REQ-014 | The interface between the Packaging and Serialisation Subsystem and the Manufacturing Execution System SHALL receive batch release authorisation and serialisation master data (product code, batch number, expiry date, GTIN) from the MES prior to line start, and SHALL return completed pack-level and case-level serial number aggregation records to the MES within 5 minutes of line clearance, with 100% serial number reconciliation enforced before the MES records batch disposition as complete. Rationale: EU Falsified Medicines Directive (FMD) Delegated Regulation 2016/161 and US Drug Supply Chain Security Act (DSCSA) mandate unique serialisation of every saleable unit and full aggregation to case and pallet level. The MES is the system of record for batch disposition; packaging cannot begin without MES authorisation (GMP two-person batch release) and the EBR cannot be closed without confirmed serial number reconciliation. The 5-minute reconciliation window is determined by regulatory serialisation verification system response time SLAs. | Test | session-558, qc, packaging, mes, serialisation, idempotency:ifc-014-packaging-mes-v1 |
| IFC-REQ-015 | The interface between the Film Coating Subsystem and the Packaging and Serialisation Subsystem SHALL transfer coated tablets via a closed IBC or chute system, with the Film Coating Subsystem providing a signed in-process release record (coating weight gain mean ± 2σ, dissolution test result if performed, appearance inspection result) to the Packaging Subsystem before any packaging operation commences; the Packaging Subsystem SHALL block line start and alert the MES if the release record is absent or indicates an out-of-specification attribute. Rationale: Coated tablets are the final intermediate product before primary packaging; coating weight gain and dissolution performance are Critical Quality Attributes per ICH Q8 (Pharmaceutical Development) and must be within specification before patients could be exposed to the dosage form. A hard interlock preventing packaging without a valid release record eliminates the GMP deviation risk of packaging non-conforming tablets, which would require a costly and time-consuming recall. | Inspection | session-558, qc, film-coating, packaging, idempotency:ifc-015-coating-packaging-v1 |
| IFC-REQ-016 | The interface between the Containment and Environmental Control Subsystem and the Manufacturing Execution System SHALL transmit classified area environmental parameters (temperature, relative humidity, differential pressure, particle counts at ≥0.5 µm and ≥5 µm) to the MES at a minimum 5-minute update interval; when any parameter exceeds the action limit defined in the Site Master File, the MES SHALL halt all affected manufacturing operations and record an environmental deviation event in the Electronic Batch Record within 30 seconds of alarm receipt. Rationale: GMP cleanroom environments under EU GMP Annex 1 (Manufacture of Sterile Medicinal Products) and ISO 14644-1 (Cleanrooms and associated controlled environments) require continuous environmental monitoring with documented response to excursions. For OEB 4/5 potent compound areas (OEL < 1 µg/m³), pressure differential loss is a safety-critical event: a positive-pressure failure allows potent aerosol escape to adjacent areas. The 30-second MES halt window is set to prevent more than one in-process tablet unit from being produced in an unmonitored environment. | Test | session-558, qc, containment, mes, environmental, idempotency:ifc-016-containment-mes-v1 |
| IFC-REQ-017 | The interface between the Material Handling and Dispensing Subsystem and the Manufacturing Execution System SHALL receive dispensing orders (material code, lot number, target weight, tolerance ±0.1%) from the MES and SHALL return verified dispensing records (material identity confirmed by NIR verification, actual dispensed weight, operator ID, balance calibration status) to the MES within 60 seconds of each weighing operation; the MES SHALL reject any dispensing record where the actual weight deviates from target by more than ±0.5% and record a GMP deviation event. Rationale: Dispensing is the first in-process step in oral solid dosage manufacturing and the point of highest risk for API content non-uniformity. EU GMP Part II (API manufacturing) and 21 CFR Part 211.101 (Charge-in of components) require documented verification of material identity and weight for every dispensing event. A ±0.1% target tolerance with ±0.5% rejection threshold provides a two-sigma safety margin against dosage uniformity failure while remaining achievable by calibrated pharmaceutical balance equipment (typical METTLER-TOLEDO ICS balance accuracy ±0.02%). | Test | session-558, qc, material-handling, mes, dispensing, idempotency:ifc-017-material-handling-mes-v1 |
| IFC-REQ-018 | The interface between the Material Handling and Dispensing Subsystem and the Granulation and Blending Subsystem SHALL physically transfer dispensed and verified raw material containers (IBCs, drums, sacks) to the granulator charge point using a documented, barcode-verified transfer protocol; the Granulation and Blending Subsystem SHALL perform a secondary identity verification scan of each container barcode against the dispensing record before allowing material to be charged into the high shear granulator, and SHALL reject and alert the MES if any container scan fails identity verification. Rationale: The physical handoff from dispensing to granulation is the last point at which a wrong material or wrong lot can be intercepted before it is irreversibly mixed into a granule batch. A double-verification protocol (dispensing NIR + granulation barcode scan) implements a two-barrier defence against mix-ups, which is a root-cause pattern in pharmaceutical recalls (FDA recall database analysis: ~12% of solid dosage form recalls involve wrong API or wrong excipient). Barcode verification at the charge point is low-cost relative to the cost of a contaminated batch recall (~0–50M). | Inspection | session-558, qc, material-handling, granulation, idempotency:ifc-018-material-granulation-v1 |
| IFC-REQ-019 | The interface between the Enterprise Resource Planning System and the Manufacturing Execution System SHALL deliver electronic production orders (product code, target batch size, BOM version, planned start date) from the ERP to the MES at least 24 hours before scheduled manufacturing start, and SHALL receive confirmed batch yield, actual cycle time, and material consumption quantities from the MES within 4 hours of batch completion; the MES SHALL not allow production to commence without a valid, ERP-issued production order reference in the Electronic Batch Record header. Rationale: GMP site operations under EU GMP Part I require that every manufacturing operation is performed against an authorised, documented production order. The ERP-to-MES production order handshake is the GMP-mandated control preventing unauthorised or unplanned manufacturing (an audit finding category). Batch yield and consumption data returned to ERP enable inventory reconciliation and release cost accounting. The 24-hour advance notice requirement allows the MES to stage material dispensing orders and equipment verification tasks within the current shift schedule. | Test | session-558, qc, erp, mes, production-order, idempotency:ifc-019-erp-mes-v1 |
| IFC-REQ-020 | The interface between the Laboratory Information Management System and the Manufacturing Execution System SHALL receive in-process and release sample requests generated by the MES (sample ID, sample point, test method, specification reference), and SHALL return analytical results (test method, result value with units, specification limits, pass/fail verdict, analyst ID, instrument ID) to the MES within the turnaround time specified in the master test schedule; the MES SHALL block batch disposition to 'released' status until all mandatory release test results are received from LIMS with a passing verdict. Rationale: GMP batch release under 21 CFR Part 211.165 and EU GMP Chapter 4 requires that all specified release tests are completed with documented results before a batch is released for distribution. LIMS is the system of record for analytical results; the MES is the system of record for batch disposition. The bi-directional interface ensures a closed-loop release workflow where sample chain of custody, analytical data, and batch status are maintained in separate validated systems with a defined integration point, reducing the risk of manual transcription errors that have historically driven pharmaceutical data integrity citations. | Test | session-558, qc, lims, mes, batch-release, idempotency:ifc-020-lims-mes-v1 |
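As an added illustration of IFC-REQ-002 and IFC-REQ-009 (example code, not part of the SyDD or of the MES/PAT implementation): the sensor health state classification with its SNR and drift thresholds, and the MES-side monitor for the degraded-mode sampling schedule, where the interface's 30-second, 15-minute and 5-minute limits become checkable conditions. Times are seconds after the degraded-mode transition; that the first sample is due one interval after the command is an assumption, and all input data is constructed.

```python
"""Added example, not part of the SyDD or the MES/PAT code: PAT sensor health
classification per IFC-REQ-002 and the MES degraded-mode sampling confirmation
monitor per IFC-REQ-009, run on constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Thresholds quoted from IFC-REQ-002.
SNR_FAILED_BELOW = 3.0          # SNR < 3.0 -> 'failed'
CAL_DRIFT_DEGRADED_ABOVE = 3.0  # drift > 3.0 % -> 'degraded'

# Timing and content floor quoted from IFC-REQ-009.
SCHEDULE_CMD_DEADLINE_S = 30    # command within 30 s of the mode transition
SAMPLING_INTERVAL_S = 15 * 60   # 15-minute sampling intervals
CONFIRM_WINDOW_S = 5 * 60       # confirmation within 5 min of each sample
MANDATORY_CQAS = ("API assay", "blend uniformity", "moisture content")

def classify_sensor_state(snr: float, cal_drift_pct: float) -> str:
    """Map one PAT health report to nominal/degraded/failed.
    'failed' is checked first: a sensor below the minimum detectable SNR cannot
    be trusted whatever its drift says. Boundary values (SNR == 3.0, drift ==
    3.0 %) stay 'nominal', matching the strict comparisons in IFC-REQ-002."""
    if snr < SNR_FAILED_BELOW:
        return "failed"
    if cal_drift_pct > CAL_DRIFT_DEGRADED_ABOVE:
        return "degraded"
    return "nominal"

@dataclass(frozen=True)
class SamplingSchedule:
    """Manual sampling schedule command. All times are seconds after the
    degraded-mode transition (t = 0)."""
    issued_at_s: float
    cqa_parameters: Sequence[str]
    sample_points: Sequence[str]
    n_samples: int
    interval_s: int = SAMPLING_INTERVAL_S

    def due_times(self) -> List[float]:
        # Assumption (IFC-REQ-009 does not say): the first manual sample is
        # due one interval after the command is issued.
        return [self.issued_at_s + (i + 1) * self.interval_s
                for i in range(self.n_samples)]

def issue_sampling_schedule(issued_at_s: float, cqa_parameters: Sequence[str],
                            sample_points: Sequence[str], n_samples: int) -> SamplingSchedule:
    """Validate and build the schedule the MES sends to PAT on degraded-mode
    entry. Commands that miss the 30 s issuance window or omit any of the
    three never-deferred CQA parameters are rejected."""
    if not 0 <= issued_at_s <= SCHEDULE_CMD_DEADLINE_S:
        raise ValueError(f"command issued at t={issued_at_s:.0f} s; limit is "
                         f"{SCHEDULE_CMD_DEADLINE_S} s after transition")
    missing = [c for c in MANDATORY_CQAS if c not in cqa_parameters]
    if missing:
        raise ValueError(f"mandatory CQA parameters missing: {missing}")
    return SamplingSchedule(issued_at_s, tuple(cqa_parameters),
                            tuple(sample_points), n_samples)

def evaluate_confirmations(schedule: SamplingSchedule,
                           confirmations: Dict[int, float],
                           now_s: float) -> List[dict]:
    """Classify every scheduled sample as the MES sees it at time now_s.
    confirmations maps sample index -> arrival time of the PAT submission
    confirmation. A confirmation after the 5-minute window, or none at all
    once the window has closed, is a non-conformance that raises a critical
    alert and is logged (IFC-REQ-009)."""
    findings = []
    for idx, due in enumerate(schedule.due_times()):
        deadline = due + CONFIRM_WINDOW_S
        confirmed_at = confirmations.get(idx)
        if confirmed_at is not None and confirmed_at <= deadline:
            status = "confirmed"
        elif confirmed_at is None and now_s < deadline:
            status = "pending"
        else:
            status = "non_conformance"
        findings.append({"sample": idx, "due_s": due, "deadline_s": deadline,
                         "confirmed_at_s": confirmed_at, "status": status,
                         "critical_alert": status == "non_conformance"})
    return findings

def run_constructed_scenario(now_s: float = 2800.0) -> List[str]:
    """Constructed scenario: an NIR probe drifts to 3.4 %, the MES enters
    degraded mode at t=0 and issues the schedule at t=20 s. Returns the
    per-sample status list."""
    assert classify_sensor_state(snr=11.2, cal_drift_pct=3.4) == "degraded"
    schedule = issue_sampling_schedule(
        20.0, ["API assay", "blend uniformity", "moisture content"],
        ["IBC blender port A", "FBD product bowl"], n_samples=3)
    # Sample 0 confirmed in time, sample 1 confirmed 80 s late, sample 2 open.
    confirmations = {0: 1000.0, 1: 2200.0}
    return [f["status"] for f in
            evaluate_confirmations(schedule, confirmations, now_s)]
    # returns ['confirmed', 'non_conformance', 'pending']
```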

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The PAT Subsystem SHALL comprise three sensor instruments (NIR spectrometer, Raman spectrometer, Laser Diffraction Analyser) connected to a centralised DAC Workstation, sustaining real-time CQA monitoring with any two instruments operational when one fails. Rationale: Three-instrument PAT architecture selected over single-sensor design to enable degraded-mode operation (SIL-3 H-004 mitigation). Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-002 | The Manufacturing Execution System SHALL comprise five functional modules: Electronic Batch Record Engine, Recipe Management, In-Process Control, Equipment Lifecycle Management, and Material Tracking, communicating via a GAMP 5 Category 4 qualified internal event bus. Rationale: Five-module MES architecture selected to align with 21 CFR Part 11 compliance domains and GAMP 5 (Good Automated Manufacturing Practice) categorisation. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-003 | The Granulation and Blending Subsystem SHALL implement a linear single-train process sequence: High Shear Granulator, Granule Transfer System, Fluid Bed Dryer, Granule Sizing Mill, and IBC Blender, in that order without parallel processing paths. Rationale: Linear single-train topology minimises inter-vessel transfer complexity and OEB containment breaches. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-004 | The Tablet Compression Subsystem SHALL comprise four components: Rotary Tablet Press operating at 20–80 RPM with per-station punch force monitoring, IPC Sampling Station, Metal Detection Unit, and Tablet Diversion Gate controlled by the PAT Subsystem and MES. Rationale: Four-component architecture provides complete in-process surveillance. The Metal Detection Unit and Tablet Diversion Gate are safety-critical components for H-004 mitigation. Updated with SHALL keyword per validation session 566 to correct architecture decision record format. | Inspection | reqs-eng-session-566 |
| ARC-REQ-005 | The Manufacturing Execution System SHALL be deployed on a dedicated redundant server pair (active-passive) housed in the plant's Grade C server room, with each server providing a minimum of 8 CPU cores, 32 GB RAM, and 2 TB RAID-6 storage, dimensioned to host all MES application components and support concurrent access by 20 users. Rationale: MES physical server infrastructure is a constraint derived from system performance (concurrent users, EBR throughput) and pharmaceutical GMP requirements for dedicated IT environments. The redundant pair ensures SIL-2 availability for the EBR and LOTO safety functions (H-006, H-007). Physical embodiment requirement resolves ontological mismatch between software classification and physical installation constraints. | Test | session-565, mes, physical-embodiment, lint-fix-lh1, idempotency:ses565-mes-physical-server-infra |
| ARC-REQ-006 | The Manufacturing Execution System SHALL be validated as ISPE GAMP 5 Category 4 software, with no biological components, no interaction with biological materials or organisms, and no requirement for biocompatibility or sterilisation certification; all MES hardware and software components SHALL be validated for pharmaceutical manufacturing environments per FDA 21 CFR Part 11 and EU GMP Annex 11 only. Rationale: An explicit statement that the MES is Category 4 software with no biological embodiment is required to prevent misclassification in regulatory submissions and risk assessments. The MES interfaces with biological manufacturing processes but is not itself a biological system; this requirement establishes the validation category and confirms that biological safety regulations (ISO 10993) do not apply to MES components. | Inspection | session-565, mes, gamp5, non-biological, lint-fix-lh5, idempotency:ses565-mes-gamp5-non-biological |
| ARC-REQ-007 | The process control system SHALL be powered from a dedicated 24 VDC industrial power supply rated at 1000 W with ±1% voltage regulation, protected by an online double-conversion UPS providing 30 minutes autonomy at full PLC load, and shall monitor supply voltage continuously, triggering a panel alarm if supply drops below 23.0 VDC or rises above 25.0 VDC. Rationale: The process control system's PLCs and safety I/O are safety-critical components (SIL-2, H-007 LOTO enforcement). A defined power supply specification and UPS backup are required to ensure continued interlocking function during mains power disturbances. The 24 VDC 1000 W specification is typical for mid-size PLC installations supporting 64 I/O modules and safety relay outputs. Voltage monitoring prevents silent hardware faults. | Test | session-565, process-control-system, power, ups, lint-fix, idempotency:ses565-pcs-power-explicit |
| ARC-REQ-010 | ARC: Material Handling and Dispensing — The material handling function is separated from granulation because it operates in a distinct cleanroom zone (ISO 7 weigh booth with laminar flow), has a different contamination control strategy (lot segregation, cleaning between materials vs. in-process cleaning between batches), and interfaces with ERP for material identity verification. Alternative considered: combining dispensing with granulation as a single feed-to-granulate train. Rejected because dispensing serves multiple downstream processes in multi-product facilities and has independent regulatory audit requirements (material traceability per EU GMP Annex 11). Rationale: Material handling and dispensing is architecturally separated from granulation because it operates under a distinct contamination control regime: ISO 7-classified weigh booth with laminar flow, lot segregation between materials, and independent regulatory audit trail per EU GMP Annex 11. Combining dispensing with granulation would collapse two independent failure domains (material identity error vs. in-process granulation failure) into one subsystem, increasing consequence of a single point failure. | Inspection | architecture, material-handling, session-2, idempotency:arc-material-handling-2, informational |
| ARC-REQ-011 | ARC: Film Coating — The coating function is separated from compression because it operates a fundamentally different process (thermal spray-coating vs. mechanical forming), uses distinct equipment (perforated pan coater vs. rotary press), and has independent failure modes (spray nozzle blockage, coating uniformity) unrelated to compression quality. Alternative considered: integrating coating as a post-compression stage within the tablet compression subsystem. Rejected because coating operates at different throughput rates (45-minute batch cycle vs. continuous compression), requires separate air handling with solvent exhaust, and is optional for some products (uncoated tablets bypass this subsystem entirely). Rationale: Film coating is architecturally separated from tablet compression because the two functions occupy different process domains: thermal spray-coating in a perforated pan coater versus high-speed mechanical forming in a rotary press. Their failure modes are independent (nozzle blockage, coating non-uniformity vs. punch breakage, tooling wear), they operate at incompatible throughput rates (45-minute batch cycle vs. continuous compression), and coating is optional for some products — uncoated tablets bypass the subsystem entirely. Merging them would create an unnecessary operational dependency and a more complex failure analysis. | Inspection | architecture, film-coating, session-2, idempotency:arc-film-coating-2, informational |
| ARC-REQ-012 | ARC: Packaging and Serialisation — Packaging and serialisation are combined into a single subsystem because they operate on the same physical line (blister forming, inspection, serialisation, aggregation are sequential stations on one conveyor), share a common data chain (serial number generation through to EPCIS upload), and are jointly regulated under EU FMD (Delegated Regulation 2016/161) and US DSCSA. Alternative considered: separating serialisation as a standalone IT subsystem. Rejected because the serialisation data flow is tightly coupled to physical packaging events (each blister sealed triggers serial number application), and separating them creates an interface complexity that adds failure modes without reducing coupling. Rationale: Packaging and serialisation are combined into a single subsystem because physical packaging events (blister sealing) and serialisation data events (serial number application) are causally coupled at every station — separating them would require a cross-subsystem interface at the point of highest coupling, adding failure modes without reducing interdependency. EU FMD Delegated Regulation 2016/161 (Falsified Medicines Directive) and US DSCSA jointly regulate the combined function, making a unified compliance boundary architecturally appropriate. | Inspection | architecture, packaging, session-2, idempotency:arc-packaging-serial-2, informational |
| ARC-REQ-013 | ARC: Containment and Environmental Control — Environmental monitoring (HVAC, cleanroom) and containment (potent compound isolation, E-stop, machine safety) are combined because they share a common safety PLC, building utilities interface (air handling, pressure control), and SIL 2 safety integrity requirement. Their failure modes are correlated — loss of HVAC compromises both cleanroom classification and containment pressure cascade. Alternative considered: separating containment (safety function) from HVAC (environmental function). Rejected because the containment strategy depends on HVAC pressure cascade control — a containment breach response (switch to 100% exhaust) is an HVAC operating mode, not a separate system. Splitting them creates a dangerous interface where a containment alarm must command HVAC changes across a subsystem boundary. Rationale: Containment (potent compound isolation, E-stop, machine safety) and environmental monitoring (HVAC, cleanroom) are combined because their failure modes are causally correlated: loss of HVAC directly compromises containment pressure cascade, and the containment breach response (switch to 100% exhaust) is implemented as an HVAC operating mode. Separating them would place a SIL-2 safety function (containment breach response) across a subsystem interface, creating a cross-boundary command latency risk. A shared safety PLC governs both functions, making a single combined subsystem the safer and simpler architecture. | Inspection | architecture, containment, environmental, session-2, idempotency:arc-containment-env-2, informational |
```mermaid
flowchart TB
  n0["component<br>NIR Spectrometer"]
  n1["component<br>Raman Spectrometer"]
  n2["component<br>Laser Diffraction Analyser"]
  n3["component<br>PAT DAC Workstation"]
  n4["component<br>CQA Model Engine"]
  n5["component<br>Diversion Valve Assembly"]
  n6["external<br>MES (External)"]
  n7["component<br>PAT NIR Spectrometer"]
  n8["component<br>PAT Raman Spectrometer"]
  n9["component<br>PAT Laser Diffraction Analyser"]
  n10["component<br>PAT Data Acquisition and Processing Workstation"]
  n11["component<br>PAT CQA Model Engine"]
  n12["component<br>PAT Batch Diversion Valve Assembly"]
  n0 -->|spectra USB3/Eth| n3
  n1 -->|spectra RS-232| n3
  n2 -->|PSD data| n3
  n3 -->|model execution| n4
  n3 -->|diversion cmd| n5
  n3 -->|OPC-UA: CQA alarm, health| n6
  n7 -->|NIR spectra 400-2500nm, 30s cycle| n10
  n8 -->|Raman spectra 785nm, 60s cycle| n10
  n9 -->|PSD data D10/D50/D90 at 2Hz| n10
  n11 -->|validated chemometric model predictions| n10
  n10 -->|diversion command on CQA fail SIL 3, 2s| n12
```
Process Analytical Technology Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>Electronic Batch Record Engine"]
    n1["component<br>Electronic Signature Controller"]
    n2["component<br>Hash Chain Integrity Engine"]
    n3["component<br>LOTO Registry Module"]
    n4["component<br>Batch Genealogy Database"]
    n5["external<br>PAT Subsystem (External)"]
    n6["external<br>ERP/SAP (External)"]
    n7["component<br>MES Electronic Batch Record Engine"]
    n8["component<br>MES Electronic Signature Controller"]
    n9["component<br>MES Hash Chain Integrity Engine"]
    n10["component<br>MES LOTO Registry Module"]
    n1 -.->|e-sig events| n0
    n2 -.->|hash chain| n0
    n3 -.->|LOTO events to EBR| n0
    n4 -->|genealogy data| n0
    n5 -->|CQA data, alarms| n0
    n0 -->|batch records out| n6
    n7 -->|signature request with meaning metadata| n8
    n8 -->|signed record with non-repudiation token| n7
    n7 -->|EBR entries and signature events for SHA-256 chaining| n9
    n10 -->|LOTO lock status and isolation point confirmation| n7
```
Manufacturing Execution System — Internal
```mermaid
flowchart TB
    n0["component<br>High Shear Granulator"]
    n1["component<br>Granule Transfer System"]
    n2["component<br>Fluid Bed Dryer"]
    n3["component<br>Granule Sizing Mill"]
    n4["component<br>IBC Blender"]
    n5["external<br>MES Recipe Controller"]
    n6["external<br>PAT DAC Workstation"]
    n7["component<br>High-Shear Granulator"]
    n8["component<br>Blending Vessel"]
    n9["component<br>Granulation Process Controller PLC"]
    n0 -->|wet granules| n1
    n1 -->|wet granules| n2
    n2 -->|dried granules| n3
    n3 -->|sized granules| n4
    n5 -.->|recipe control| n0
    n5 -.->|recipe control| n2
    n5 -.->|blend recipe| n4
    n6 -.->|NIR blend endpoint| n4
    n2 -->|LOD NIR signal| n6
    n9 -->|recipe setpoints torque, temp, spray rate| n7
```
Granulation and Blending — Internal
```mermaid
flowchart TB
    n0["component<br>Rotary Tablet Press"]
    n1["component<br>Tablet IPC System"]
    n2["component<br>Punch Die Tooling"]
    n3["component<br>Containment Housing"]
    n4["external<br>IBC Blender"]
    n5["external<br>PAT Workstation"]
    n6["external<br>MES"]
    n4 -->|granule feed| n0
    n0 -->|compression force| n1
    n2 -->|tooling RFID| n0
    n1 -->|OPC-UA weight/hardness| n5
    n1 -->|rejection events| n6
    n3 -.->|guard interlock| n0
```
Tablet Compression Subsystem — Internal
```mermaid
flowchart TB
    n0["component<br>HVAC Air Handling Unit"]
    n1["component<br>Containment Safety PLC"]
    n2["component<br>Environmental Monitoring System"]
    n3["component<br>Potent Compound Isolator"]
    n4["component<br>Differential Pressure Monitoring Controller"]
    n5["component<br>Exhaust Air Treatment Unit"]
    n1 -->|safety commands| n0
    n4 -->|damper control| n0
    n4 -->|pressure data| n2
    n2 -->|alarm signals| n1
    n0 -->|exhaust air| n5
    n3 -->|containment exhaust| n5
    n1 -.->|pressure monitoring| n3
```
Containment and Environmental Control Subsystem — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Airborne potent compound exposure hazard | 40400251 | Hazard in Pharmaceutical Manufacturing Line during production or changeover: containment failure releases airborne active pharmaceutical ingredient (API) with occupational exposure limit below 1µg/m³. Operators inhale potent compound causing acute pharmacological effects or chronic health damage. Consequence ranges from reversible symptoms to permanent organ damage depending on compound potency class. |
| blending subsystem | DE851218 | Physical granulation and blending subsystem of a pharmaceutical manufacturing line. Consists of a high-shear granulator (150L bowl), fluid bed dryer, and bin blender mounted in a Grade D cleanroom bay. All product-contact surfaces are 316L stainless steel. Physical footprint ~20m², weight ~2000kg. Processes dry/wet powders. |
| Changeover and Cleaning mode of Pharmaceutical Manufacturing Line | 40953A58 | Product changeover mode between manufacturing campaigns. All product-contact surfaces must be cleaned to validated levels to prevent cross-contamination. Cleaning validation acceptance criteria are typically <10ppm of previous product or <0.1% of minimum therapeutic dose, verified by swab testing and rinse sampling with HPLC analysis. For potent compounds (OEL <10µg/m³), dedicated equipment or additional containment cleaning is required. Duration: 4-24 hours depending on product toxicity classification. Operators follow product-specific cleaning SOPs. |
| Cleanroom environmental control failure hazard | 00050259 | Hazard in Pharmaceutical Manufacturing Line: HVAC system failure causes loss of cleanroom differential pressure, temperature, or humidity control. Microbial contamination enters product stream. For non-sterile oral solid dosage, bioburden limits apply (TAMC <10³ CFU/g). Loss of humidity control causes powder hygroscopic degradation or electrostatic buildup. Consequence: batch contamination, potential patient infection risk for immunocompromised patients, or product stability failure. |
| Coat Tablets | 54D53218 | System function of Pharmaceutical Manufacturing Line: apply aqueous film coating to compressed tablet cores for moisture protection, taste masking, and product identification in perforated pan coater. Inputs: tablet cores, coating suspension, inlet air at 60°C. Outputs: coated tablets with uniform coating thickness ±10%, specified appearance and dissolution profile. Constraints: 45min coating cycle, controlled spray rate, exhaust humidity monitoring. |
| Compress Tablets | 56B73258 | System function of Pharmaceutical Manufacturing Line: form granule blend into tablets of specified weight (±5%), hardness, thickness (±2%), and content uniformity using rotary tablet press at 20-80 RPM. Inputs: blended granule from IBC, compression parameters. Outputs: compressed tablets meeting pharmacopoeial specs. Constraints: per-station force monitoring, automatic out-of-spec rejection, 300k tablets/shift, real-time PAT NIR monitoring. |
| Containment and Environmental Control Subsystem | 55F73858 | Potent compound containment and cleanroom environmental monitoring subsystem. Manages OEB 4/5 (OEL < 1 µg/m³) isolation barriers including laminar flow isolators, split butterfly valves (SBVs), and continuous liner systems for potent compound transfer. Continuous real-time monitoring of airborne particle concentration at operator breathing zones using isokinetic sampling (LPC). Also integrates cleanroom environmental monitoring: differential pressure transducers (±1 Pa accuracy), temperature/humidity sensors (±0.5°C/±1% RH), particle counters (ISO 21501-4 compliant). Alarm generation, automated enclosure lockdown, and emergency purge functions. |
| Containment Safety PLC | 51F77858 | IEC 61508 SIL-2 rated safety programmable logic controller dedicated to the Containment and Environmental Control Subsystem. Executes safety instrumented functions: containment breach detection and automated response (switch HVAC to 100% exhaust within 30s, trigger alarm), emergency stop interlock for all material handling in containment zones, and fail-safe HVAC damper control on power loss. Receives inputs from airborne particle counters, API concentration monitors, and door/access interlocks. Outputs commands to HVAC dampers, alarm system, and MES. Operates in 1oo2D redundant configuration per IEC 62061 (Safety of machinery — Functional safety of safety-related control systems). Certified to EN ISO 13849-1 PLd for machine safety functions. |
| Control Environment and Containment | 51F73858 | System function of Pharmaceutical Manufacturing Line: maintain ISO 7/8 cleanroom conditions (20±2°C, 45±5% RH, +15 Pa differential pressure, 20 ACH HEPA filtration), enforce negative-pressure containment for potent compounds (OEL <1µg/m³, 0.5 m/s inward airflow), execute emergency stop (de-energise all drives within 3 seconds, close transfer valves within 5 seconds), and implement machine safety per EN ISO 13849-1 PLd. Inputs: environmental sensor data, containment air monitors, E-stop signals, safety interlocks. Outputs: conditioned air, containment isolation, emergency shutdown commands. Constraints: SIL 2 for containment, continuous particle/environmental monitoring. |
| Cross-contamination between drug products hazard | 00000259 | Hazard in Pharmaceutical Manufacturing Line during changeover: residual API from previous product campaign contaminates the next product. Patient receives unintended drug at unknown dose. Particularly dangerous when previous product is a cytotoxic, hormone, or sensitising agent. Consequence: patient harm from unintended pharmacological effect, product recall, regulatory action. |
| Degraded Production mode of Pharmaceutical Manufacturing Line | 40941A19 | Production continues with reduced capability after a non-critical equipment fault or PAT sensor degradation. Examples: one of two redundant NIR probes fails (production continues at reduced throughput with single probe plus increased manual sampling), coating pan temperature sensor drift (manual temperature checks substituted), or secondary packaging line fault (tablets held in bulk containers pending packaging repair). Key constraint: product quality must still be demonstrably maintained — if quality cannot be assured, mode transitions to emergency stop. |
| Differential Pressure Monitoring Controller | 55F77A58 | Dedicated digital controller maintaining GMP cleanroom pressure cascade between room grades. Reads calibrated differential pressure transmitters (range 0–100 Pa, accuracy ±1 Pa) at each cleanroom boundary. Drives HVAC VAV damper actuators to maintain target pressure differentials: +10 Pa between ISO 7 and corridor, -12.5 Pa inside containment isolators. Generates alerts within 60 seconds of differential pressure excursion beyond ±15 Pa of target per SYS-REQ-006. Logs all pressure data with timestamp for GMP record, forwarding to EMS. SIL-1 rated per IEC 61508 for pressure cascade maintenance function. |
| Drug serialisation and track-and-trace system | 40E57BD9 | External serialisation system compliant with EU FMD, US DSCSA, and other national track-and-trace regulations. Generates unique serial numbers for each dosage unit, manages aggregation hierarchy (unit→bundle→case→pallet), and uploads data to national verification databases. Interface via EPCIS events over AS2/REST. Owned by supply chain/regulatory team. |
| Electronic batch record data integrity failure hazard | 00010259 | Hazard in Pharmaceutical Manufacturing Line: electronic batch record system loses data integrity — process parameters are corrupted, overwritten without audit trail, or fabricated. Regulatory consequence: FDA 483 observation, warning letter, consent decree. Product consequence: inability to demonstrate product was manufactured under controlled conditions, requiring recall of all batches since last verified data integrity checkpoint. This is the #1 cause of FDA warning letters in pharmaceutical manufacturing. |
| Emergency Stop mode of Pharmaceutical Manufacturing Line | 40B57A51 | Safety-critical mode triggered by detection of conditions that could compromise product quality, operator safety, or equipment integrity. Triggers include: containment breach of potent compound (airborne API exceeds OEL), dust explosion risk (dust concentration exceeds 25% LEL), loss of cleanroom differential pressure (contamination risk), critical PAT failure where quality cannot be assured, or manual emergency stop activation. All motors de-energise, containment dampers close, HVAC switches to full exhaust mode, and the batch is quarantined pending investigation. |
| Enterprise Resource Planning System for pharmaceutical plant | 50A57B58 | SAP or Oracle ERP system external to the manufacturing line. Provides production orders, bill of materials, material master data. Receives batch completion records, material consumption, yield data. Interface via OPC-UA or REST API through DMZ. Owned by corporate IT, not manufacturing. Availability: 99.5% with planned maintenance windows on weekends. |
| Environmental Health and Safety Officer | 008D38F9 | EHS role responsible for occupational safety on the pharmaceutical manufacturing line. Manages containment strategies for potent compounds, dust explosion prevention, ergonomic assessments, personal protective equipment selection, exposure monitoring, and emergency response coordination. Leads incident investigation for containment breaches. |
| Environmental Monitoring System | 54F77B58 | GxP-compliant Environmental Monitoring System (EMS) server software running on validated hardware within the pharmaceutical manufacturing facility's IT infrastructure. Aggregates continuous data streams from differential pressure transmitters, temperature/RH probes, particle counters, and API concentration monitors across all four ISO 7/8 cleanroom bays. Stores 21 CFR Part 11-compliant environmental monitoring records with electronic audit trail. Generates excursion alerts within 60 seconds of out-of-limit conditions per SYS-REQ-006. Interfaces with MES via OPC UA to embed environmental data in electronic batch records. Interfaces with building management system for HVAC setpoint adjustment. ISPE GAMP 5 Category 4 validated software. |
| Exhaust Air Treatment Unit | D6F73058 | Downstream exhaust treatment system processing exhaust air from the potent compound containment isolator and weigh booth before discharge to atmosphere. Comprises a two-stage filtration train: H14 HEPA pre-filter removing API-laden particulates to >99.995% efficiency, followed by activated carbon adsorption for volatile organic compound removal. Interlocked with Containment Safety PLC — if filter differential pressure exceeds replacement threshold, an alarm is generated and the HVAC system is switched to backup exhaust path. Compliant with ATEX Directive 2014/34/EU for operation in pharmaceutical dust environments. Sized for 2000 m³/hour exhaust flow from all containment zones. |
| FDA/EMA Regulatory Inspector | 00847AF9 | Government authority inspector who audits the pharmaceutical manufacturing facility for compliance with 21 CFR Parts 210/211, EU GMP Annex 15, and ICH guidelines. Reviews batch records, data integrity, validation documentation, deviation management, and CAPA effectiveness. Findings range from observations (483) to warning letters to consent decrees. |
| film coating subsystem | DEC51218 | Physical pharmaceutical coating unit comprising a rotary pan coater (60L capacity), inlet/outlet air handling system, coating solution spray system, and tablet discharge conveyor. Applies aqueous film coatings to compressed tablet cores at 45-minute cycle times with inlet air at 60 degrees Celsius. Physically installed in a cleanroom with utility connections for compressed air (7 bar), purified water, and electrical power. Contains rotating drum requiring physical guarding and LOTO interlocks. Weighs approximately 800 kg with a footprint of 2m x 1.5m. |
| Film Coating Subsystem | 56F53218 | Tablet film coating subsystem using an Opadry or HPMC-based aqueous coating system. Pan coater with 800L capacity. Sprays aqueous or organic coating suspension onto tablet bed at controlled inlet air temperature (60-70°C), exhaust temperature (40-45°C), and spray rate (100-300 g/min). PAT integration: in-line colour spectrophotometer for coating thickness endpoint determination. Critical outputs: coated tablets with target weight gain ±1%, uniform colour, and moisture barrier. Interfaces: tablet transfer from tablet press, coated tablet transfer to packaging line, PAT coating endpoint data to MES. Organic solvent coating requires ATEX Zone 1 classification. |
| Fluid Bed Dryer | D6F53218 | |
| GMP Cleanroom Environment ISO Class 7/8 | 44853858 | Controlled manufacturing environment for oral solid dosage pharmaceutical production. ISO Class 7 (10,000 particles/m³ at 0.5µm) in compression and coating areas, ISO Class 8 in granulation and packaging. Temperature 18-25°C ±2°C, relative humidity 30-65% RH, pressure cascade +15Pa between zones. HVAC provides 20 air changes/hour with HEPA filtration. Gowning procedures required. Continuous environmental monitoring (particle counters, temperature/humidity loggers). |
| GMP Material Handler | 00050078 | Warehouse and dispensing role responsible for receiving, storing, and dispensing raw materials to the manufacturing line. Verifies material identity (IR spectroscopy or Raman), checks certificate of analysis, manages material status (quarantined/released/rejected), and maintains chain of custody documentation. Works in both warehouse and cleanroom environments. |
| Granulate and Blend | 54F53218 | System function of Pharmaceutical Manufacturing Line: transform weighed API and excipient powders into uniform, compressible granule through wet granulation (high-shear mixing with binder solution), fluid bed drying to <2% LOD, granule sizing through conical mill, and final blending in IBC blender. Inputs: weighed powder charges, binder solution, drying air. Outputs: homogeneous granule blend with d50 150-300µm, controlled moisture and content uniformity. Constraints: 15min blend cycles, 60°C drying inlet, 100-500kg batch size. |
| Granulation and Blending Subsystem | 50F53218 | Wet granulation and fluid bed drying subsystem for pharmaceutical oral solid dosage manufacturing. High-shear granulator processes API/excipient powder blends with binding solution to produce uniform granules. Fluid bed dryer reduces moisture to target LOD (loss on drying) < 2%. V-blender or bin blender performs final blend for content uniformity. PAT integration via in-line NIR for blend endpoint determination. Critical inputs: dispensed powders; critical outputs: dried, blended granules with API content uniformity AV < 15. Key hazard: dust explosion risk for fine powders, explosive atmosphere classification Zone 20/21. |
| Granule Sizing Mill | D6C53218 | |
| High Shear Granulator | D7F53218 | |
| HVAC Air Handling Unit | D6F57058 | Industrial-grade HVAC Air Handling Unit serving GMP cleanroom suites in a pharmaceutical manufacturing facility. Manages supply air temperature (20±2°C), relative humidity (45±5% RH), air changes per hour (20 ACH minimum for ISO 7/8 cleanrooms), and drives the pressure cascade (positive-to-negative) between cleanroom grades. Receives control signals from the Containment Safety PLC and the Differential Pressure Monitoring Controller. Operates in emergency exhaust mode (100% exhaust, 0% recirculation) on containment breach signal. Includes supply and exhaust fans, HEPA H14 filters, heating/cooling coils, and variable air volume dampers. Critical for maintaining cleanroom classification and containment pressure differentials per EU GMP Annex 1 (Manufacture of Sterile Medicinal Products). |
| IBC Blender | D6F53218 | |
| Laboratory Information Management System | 50AD7B58 | |
| Manage Manufacturing Records | 40E53B58 | System function of Pharmaceutical Manufacturing Line: generate, execute, and archive electronic batch records with 21 CFR Part 11 compliant electronic signatures, maintain complete batch genealogy from raw material to finished product, manage deviation records, cleaning status registry, LOTO events, operator handovers, and calculate OEE metrics. Inputs: process events from all subsystems, operator actions, material movements. Outputs: compliant EBRs, genealogy database, deviation records, OEE reports. Constraints: audit trail integrity per 21 CFR Part 11, 15-minute backup intervals, SIL 2 for data integrity. |
| manufacturing execution system | D6B51018 | MES is a physical system: a 2U rack server pair installed in a physical server rack in the plant's Grade C server room. The Manufacturing Execution System hardware has dimensions, weight, and power consumption. It IS a physical object — an installed piece of equipment. Software-based but physically embodied in dedicated server hardware. Physical Object: YES. |
| Manufacturing Execution System | 41B77B58 | Production control, electronic batch record, and scheduling software subsystem for the pharmaceutical manufacturing line. Executes validated batch recipes, generates and enforces electronic batch records per 21 CFR Part 11 and EU Annex 11. Collects process parameters from all equipment (granulator, dryer, blender, tablet press, coater) and PAT instruments at 1-second intervals. Manages operator workflow with electronic signatures. Tracks OEE in real time. Generates production reports and deviations. Interfaces: ERP (production orders), LIMS (test results), PAT subsystem (CQA data), serialisation system (packaging data), environmental monitoring (cleanroom alarms). Runs on validated SCADA/DCS platform with 99.5% availability SLA. |
| Manufacturing Execution System (MES) | 40B57B59 | Software platform for pharmaceutical batch execution management. Orchestrates batch lifecycle per electronic batch records (EBR), enforces 21 CFR Part 11 electronic signatures, manages LOTO registry and equipment interlocks via OPC-UA, and provides audit trail. No independent physical embodiment — runs on plant server infrastructure. Executes batch recipes semi-autonomously with mandatory human approval gates at critical steps. Regulated under FDA 21 CFR Part 11 and EU GMP Annex 11. Interfaces: PAT subsystem, equipment PLCs, environmental control, serialisation system. |
| manufacturing line | DE851218 | Physical pharmaceutical manufacturing line — a real engineered production facility occupying ~800m² of cleanroom space. Physically installed ISO 7 and ISO 8 classified rooms with structural, mechanical, and electrical infrastructure. Has physical embodiment: equipment, pipework, HVAC, electrical panels. A tangible installation requiring construction, qualification, and maintenance. |
| Material Handling and Dispensing Subsystem | 56B53A59 | Raw material receipt, quarantine, dispensing, and gravimetric weighing subsystem for the pharmaceutical manufacturing line. Handles APIs and excipients with weights ranging from grams to kilograms. Integrates with ERP for material orders, uses barcode scanning for lot identification, and interfaces with LIMS for CoA verification. Dispenses into stainless steel vessels that are transferred to the granulator. Includes OEB 4/5 high-containment dispensing booths for potent compounds. Critical inputs: raw material lots; critical outputs: dispensed, weighed, and identified material vessels with EBR records. |
| mes | D6E51018 | MES: a physically installed Manufacturing Execution System. The MES is not abstract software — it is an installed physical system: a 2U server rack in the Grade C server room with network switches, HMI terminals, and barcode scanners. It occupies physical space, has weight, consumes electrical power, and is connected to equipment via physical Ethernet cables. The physical MES hardware receives coating recipe parameters and environmental monitoring data from physical subsystems over plant network. It IS a physical object. |
| MES Electronic Batch Record Engine | 50A73B58 | Core EBR management engine within the MES subsystem of a pharmaceutical manufacturing line. Generates, executes, and archives electronic batch records with 21 CFR Part 11 compliant electronic signatures, tamper-evident audit trail with cryptographic hash chain, and 15-minute automated backup. Manages the complete batch lifecycle from material dispense through release. SIL 2 safety function: data integrity failure triggers switch to paper backup (H-006). |
| MES Electronic Signature Controller | 50AD7B78 | 21 CFR Part 11 compliant e-signature enforcement module within the MES. Manages role-based identity verification for critical EBR steps (batch initiation, exception handling, batch release). Implements FDA-mandated meaning-of-signature binding, requiring operators to re-enter credentials (username+password) for each significant record entry. Generates audit trail entries for every signature event with timestamp, user ID, and action performed. LDAP/AD integration for identity provider. |
| MES Hash Chain Integrity Engine | 40A53158 | Data integrity module within the MES implementing SHA-256 cryptographic hash chaining for all EBR entries. Each record entry includes the SHA-256 hash of the previous entry, creating a tamper-evident linked list: altering or deleting any earlier entry changes every subsequent hash. A discontinuity in the hash chain (detected on read or by the nightly integrity job) triggers an audit alert and an EBR lock. Hashes are stored in a separate tamper-evident log table with restricted database user access. Validated per ISPE GAMP 5 Category 4. |
| MES LOTO Registry Module | 40B57B58 | Software module within the MES managing the lockout/tagout registry for all energy-isolating devices on the manufacturing line. Maintains real-time state of each lockable device (lock applied, personnel name, work order, expected release time). Enforces restart prevention: equipment restart commands are blocked unless the LOTO registry confirms all locks released and workers signed off. Interfaces to equipment PLC interlocks via OPC-UA hardened gateway. SIL-2 safety function per H-007. |
| Monitor Process Quality | 45F77A18 | System function of Pharmaceutical Manufacturing Line: acquire real-time PAT sensor data (NIR spectrometry, Raman spectrometry, laser diffraction) at 30-second intervals, evaluate Critical Quality Attribute (CQA) prediction models within 5 seconds, generate system suitability alerts on sensor drift or prediction residual exceedance, and actuate automatic batch diversion valves when CQA limits are breached. Inputs: spectral data from in-line probes, calibration models, specification limits. Outputs: real-time CQA predictions, diversion commands, deviation alerts. Constraints: SIL 3 for out-of-spec product release prevention. |
| normal production | 56C51218 | A physical production phase of the pharmaceutical manufacturing line during which process equipment is actively operating to transform raw pharmaceutical materials into finished dosage forms. During Normal Production, physical equipment is energised and running: the high-shear granulator (30kW motor, 316L stainless vessel), fluid bed dryer (heating element 50kW), rotary tablet press (60 RPM, 1.2 tonne compression force), pan film coater, and blister packaging line are all in active mechanical operation. Physical sensors installed in the production bays measure differential air pressure, temperature, and humidity. The mode represents an industrial manufacturing process with physical machinery, physical transformation of pharmaceutical powder into tablets, physical containment of potent compounds, and physical infrastructure for cleanroom environmental control. |
| Normal Production Campaign Scenario | 40841218 | Normal operations scenario: a 3-day production campaign of 500mg ibuprofen tablets, 300,000 units per batch, 2 batches per day |
| Normal Production Mode | 40B53A58 | Operating mode of a pharmaceutical manufacturing line — not a physical object. Entry conditions: all equipment qualified, batch record initiated, raw materials released. Characterised by automated PAT monitoring, real-time EBR documentation, IPC at 15-min intervals. The line executes the batch recipe semi-autonomously under operator supervision; operator approves exceptions and performs manual sampling. Exit: batch completion, changeover, or escalation to degraded/emergency mode. Governed by validated manufacturing procedures and cGMP regulations. |
| Normal Production mode of Pharmaceutical Manufacturing Line | 54E53218 | Steady-state commercial production mode. Raw materials are dispensed from verified inventory, fed through granulation/blending, compressed into tablets or filled into capsules, coated if required, and packaged with serialisation. In-process controls (weight, hardness, dissolution, NIR content uniformity) run continuously. Process analytical technology (PAT) provides real-time quality data. Operators monitor HMI dashboards, perform manual sampling at defined intervals, and manage material flow. Runs 16-24 hours per day in campaign mode, producing 100k-500k units per batch. |
| Out-of-specification dosage form released to market hazard | 40000259 | Hazard in Pharmaceutical Manufacturing Line during production: PAT system failure or calibration drift causes out-of-specification product (incorrect potency, dissolution, content uniformity) to pass real-time release testing and reach the supply chain. Patient receives sub-therapeutic or supra-therapeutic dose. Particularly dangerous for narrow therapeutic index drugs (warfarin, digoxin, lithium). Consequence: therapeutic failure or toxicity, product recall affecting thousands of patients. |
| Package and Serialise | 44E77A59 | System function of Pharmaceutical Manufacturing Line: form coated tablets into blister packs, perform 100% vision inspection for defects, apply unique 2D DataMatrix barcode (GTIN, serial, lot, expiry) to each saleable unit, aggregate serials to case and pallet level, and upload EPCIS events to national registries (EU FMD, US DSCSA). Inputs: coated tablets, packaging materials (PVC/Alu blisters, cartons). Outputs: serialised, inspected finished goods on pallets. Constraints: <0.1% barcode verification reject rate, 100% serialisation coverage. |
| Packaging and Serialisation Subsystem | 54E57258 | Primary and secondary packaging subsystem with integrated serialisation for the pharmaceutical manufacturing line. Primary packaging: blister forming/sealing (PVC/PVDC or Alu-Alu) at up to 300 blisters/min, or HDPE bottle filling and capping at 200 bottles/min. 100% in-line vision inspection for blister seal integrity, missing tablets, and foreign particles. Secondary packaging: cartoning, batch printing (lot, expiry, GTIN), and 2D DataMatrix serialisation with camera verification. Aggregation to case and pallet. Serialisation data transmission to EU FMD/DSCSA repository. Reject stations for serialisation failures (< 0.5% reject rate). Interfaces: coated tablets from film coater, serialisation data to Drug Serialisation System. |
| PAT Batch Diversion Valve Assembly | D7F77018 | Pneumatically-actuated 3-way diversion valve positioned at the tablet press output chute, downstream of the NIR probe. On CQA limit exceedance signal, redirects in-specification product to the accepted stream and out-of-specification product to a sealed reject container. Spring-return-to-reject fail-safe design: loss of pneumatic supply or signal causes diversion to reject stream (safe state). Position feedback via dual limit switches confirmed within 500ms of actuation command. SIL-3 safety function per H-004. |
| PAT CQA Model Engine | 51A73318 | Chemometric model execution engine within the PAT subsystem of a pharmaceutical manufacturing line. Runs PLS (content uniformity), PCA (blend homogeneity), and correlation (particle size) models on NIR, Raman, and laser diffraction spectra. Must evaluate all models within 5 seconds of data acquisition. Uses SHA-256 signed model files with version registry. SIL 3 safety function: incorrect model output can release out-of-specification product (H-004). |
| PAT Data Acquisition and Processing Workstation | D0E57018 | Industrial PC workstation running the PAT software suite (e.g., Thermo Unscrambler, SIMCA). Hosts all chemometric PLS models for NIR, Raman, and laser diffraction sensors. Executes model predictions in <2 seconds from spectrum acquisition, generates CQA alarm signals to MES via OPC-UA, logs all spectra and predictions to a validated SQL database. Redundant power supply, RAID-1 storage, connected to OT network (ISA-99 Zone 3). SIL-3 model execution integrity enforced via checksum validation on model file hashes. |
| PAT Laser Diffraction Analyser | 54C42018 | On-line laser diffraction particle size analyser installed at the fluid-bed dryer outlet. Measures granule particle size distribution (D50, D90, span) in the 1–3500 µm range using Fraunhofer/Mie diffraction theory. Samples granule stream via a dry dispersion accessory at 0.5 bar. Provides 60-second measurement cycle results to PAT workstation. Calibrated quarterly against NIST-traceable reference materials (glass beads, lactose). Informs granulation endpoint determination. |
| PAT NIR Spectrometer | D4E53218 | Inline near-infrared spectrometer probing the tablet stream inside the rotary press exit chute. Acquires diffuse reflectance spectra in the 900–2500 nm range every 30 seconds during compression, providing API content uniformity prediction via partial least squares (PLS) chemometric model. Temperature-stabilised housing (±0.5°C) with built-in reference standard for automated wavelength verification. Interfaces to PAT Data Acquisition Computer via USB3/Ethernet. SIL-3 rated diversion function relies on this data. |
| PAT Raman Spectrometer | D4E41018 | Immersion-probe Raman spectrometer positioned in the fluid-bed granulator and blender for in-situ polymorphic form and API blend uniformity monitoring. 785 nm excitation laser, 200–3200 cm⁻¹ range. Calibrated against certified reference standards quarterly. Provides redundant content uniformity confirmation when NIR signal is ambiguous. Interfaces to PAT Data Acquisition Computer via RS-232/USB. Has independent SIL-3 model evaluation path. |
| PAT Sensor Drift Degraded Operation Scenario | 00000200 | Degraded operation scenario: NIR probe calibration drifts during production, requiring fallback to manual sampling |
| Patient receiving manufactured medication | 00000011 | End user of the pharmaceutical product. Has no direct interaction with the manufacturing system but is the ultimate stakeholder whose safety drives all quality requirements. Includes vulnerable populations: paediatric, geriatric, immunocompromised, and patients on narrow therapeutic index drugs. Represented in the system through product quality specifications and pharmacovigilance feedback. |
| Pharmaceutical dust explosion hazard | 42000051 | Hazard in Pharmaceutical Manufacturing Line during granulation, milling, or tablet compression: fine organic powder (API or excipient) accumulates in enclosed equipment at concentration exceeding lower explosive limit (LEL). Ignition source (static discharge, hot bearing, mechanical spark) triggers deflagration. Pharmaceutical powders typically have Kst values of 50–200 bar·m/s and MIE of 1–100 mJ. Consequence: equipment destruction, operator burn injuries or fatality, facility damage. |
| Pharmaceutical Equipment Maintenance Technician | 000420F8 | Skilled technician responsible for preventive and corrective maintenance of tablet presses, granulators, coating equipment, and packaging lines. Performs LOTO, tooling changes, instrument calibration, and equipment qualification. Must work in cleanroom environment and follow GMP documentation requirements. |
| Pharmaceutical Manufacturing Line | 55F73A59 | Automated continuous pharmaceutical manufacturing line for oral solid dosage forms (tablets/capsules). Operates in a GMP-compliant cleanroom environment (ISO Class 7/8). Encompasses raw material dispensing, granulation/blending, tablet compression or capsule filling, coating, in-process quality control (NIR spectroscopy, weight/hardness testing), packaging, and serialisation. Must comply with FDA 21 CFR Parts 210/211, EU GMP Annex 15, and ICH Q8-Q12 guidelines. Produces 100,000–500,000 dosage units per batch with real-time release testing capability. Safety concerns include potent compound containment (OEL < 1 µg/m³ for some APIs), dust explosion prevention, and cross-contamination control between product changeovers. |
| Pharmaceutical regulatory compliance framework | 40853AD9 | Regulatory constraints on the pharmaceutical manufacturing line from multiple authorities: FDA 21 CFR Parts 210/211 (cGMP), 21 CFR Part 11 (electronic records), EU GMP Annex 15 (qualification and validation), ICH Q8 (pharmaceutical development), ICH Q9 (quality risk management), ICH Q10 (pharmaceutical quality system), ICH Q12 (lifecycle management). ISPE GAMP 5 for computerised system validation. Product-specific constraints from marketing authorisations filed with FDA, EMA, PMDA, and national authorities. |
| Pharmaceutical utilities systems | 54C51058 | Building utility systems external to the manufacturing line: HVAC providing conditioned air to cleanrooms, purified water system (USP grade) for cleaning and granulation, clean steam for sterilisation-in-place, compressed air (ISO 8573-1 Class 1.2.1) for pneumatic actuators and product contact, nitrogen supply for inerting. These are shared building systems serving multiple manufacturing suites. |
| Potent Compound Containment Breach Emergency Scenario | 00800A51 | Emergency scenario: containment breach during high-potency API processing triggers full emergency response |
| Potent Compound Isolator | DE851058 | Pharmaceutical-grade hard-shell containment isolator for handling OEB 4/5 compounds (OEL < 1 µg/m³) during weighing and dispensing operations. Provides closed, glove-port access with continuous negative pressure isolation (-12.5 Pa minimum inward airflow, 0.5 m/s minimum at access openings per SYS-REQ-004). H14 HEPA filtered supply and dedicated exhaust with downstream scrubbing. Integrated rapid transfer port (RTP) for material transfer without exposing operators to potent API dust. Monitored by Containment Safety PLC for pressure integrity. Physical boundary between operator and potent compound per ISPE Good Practice Guide for Handling Highly Potent Compounds. |
| Preventive Maintenance mode of Pharmaceutical Manufacturing Line | 40843A58 | Scheduled or corrective maintenance mode. Equipment is isolated per lockout/tagout (LOTO) procedures. Maintenance activities include: tablet press tooling changes (every 1–5 million tablets), compression roll replacement, filter changes, instrument calibration (pressure, temperature, weight, NIR), conveyor belt replacement, and software/firmware updates to PLCs and PAT systems. Some maintenance requires cleanroom re-qualification afterward. Maintenance is tracked in a computerised maintenance management system (CMMS) and must be reconciled with batch records for any in-campaign interventions. |
| Process Analytical Technology Subsystem | 55F77A18 | Real-time in-process quality monitoring subsystem for the pharmaceutical manufacturing line. Integrates NIR (near-infrared) spectrometer for API content uniformity and moisture monitoring during blending and drying, Raman spectrometer for API identity and polymorphic form verification, and laser diffraction for granule particle size distribution. Embedded chemometric models (PLS, PCA) evaluate CQA compliance in real time. Interfaces: sensor data from granulation, blend, and tablet press; model outputs to MES for batch diversion decisions; model calibration data from LIMS. Safety-critical function: automatic divert valve actuation when CQA limit breached. |
| process control system | D7FF7018 | Process control system: physically installed PLC-based control system in a pharmaceutical manufacturing line. Consists of physical hardware: PLC cabinets (Siemens S7 or equivalent), DCS workstations, physical I/O modules, control panels, HMI touchscreens, and instrument loops. The PLC hardware is housed in electrical panels in the plant utility area. Physical footprint ~2m² of panel space. Consumes 24 VDC power. Connected to sensors and actuators by physical field wiring. A tangible piece of electrical equipment installed in the facility. |
| Process Material | 44A53258 | System function of Pharmaceutical Manufacturing Line: receive, identity-verify (barcode/RFID), weigh, and dispense raw materials (API and excipients) to the production line. Inputs: raw material containers with lot-level identity, bill of materials from ERP. Outputs: verified, weighed material charges in clean containers ready for granulation. Constraints: must maintain full lot traceability, operate under laminar flow in ISO 7 weigh booth, prevent cross-contamination between lots. |
| Product Changeover Cleaning Validation Scenario | 00802A59 | Maintenance/changeover scenario: full product changeover between a cytotoxic compound and a standard NSAID, requiring enhanced cleaning validation |
| Production Supervisor | 018D5AF9 | Senior manufacturing role responsible for shift operations on the pharmaceutical manufacturing line. Initiates batch records, authorises line startup, manages operator team, makes real-time decisions on production deviations, and is accountable for OEE targets (>70%). Reports to Plant Manager. |
| Punch and Die Tooling Set | CE851058 | Interchangeable precision tooling for the rotary tablet press: upper punches, lower punches, and dies. Manufactured to EU/ISO tablet specifications (D, B, BB tooling). Material: hardened S7 or D3 tool steel, chrome-coated for corrosive compounds. Each station tracked by RFID tag for usage count (max 500,000 compressions before mandatory replacement). Worn or damaged tooling causes weight variation, capping/lamination, or metal contamination. Failure mode: punch tip fracture lodging in die bore. |
| Quality Control Analyst | 008D3AF9 | Laboratory and in-process quality role for the pharmaceutical manufacturing line. Reviews PAT data in real-time, performs offline HPLC/dissolution testing, executes cleaning validation sampling, approves real-time release decisions. Must comply with 21 CFR Part 211 laboratory controls. Reports to QA Manager. |
| Rotary Tablet Press | D6D51018 | High-speed multi-station rotary tablet press. 36-72 punch stations, 30-120 RPM turret speed, throughput 100,000-500,000 tabs/hr. Compression force 5-80 kN (upper and lower punches independently monitored). Fill depth and pre-compression/main compression adjustable via servo drives. Integrated containment housing for OEB3+ (negative pressure, local exhaust ventilation). Safety interlocks: guard door, torque overload (300 Nm cutoff), emergency stop. Feeds directly from IBC Blender via contained transfer chute. |
| Startup and Line Qualification mode of Pharmaceutical Manufacturing Line | 40953A58 | Initial startup mode where the manufacturing line undergoes equipment qualification (IQ/OQ/PQ), process validation runs, and cleaning validation before being released for commercial production. Operators execute predefined qualification protocols, instruments are calibrated against NIST-traceable standards, and environmental monitoring confirms cleanroom classification. Entry: new installation or post-major-maintenance. Exit: all qualification protocols pass acceptance criteria and QA signs off. |
| Tablet Compression Containment Housing | CE851858 | Sealed enclosure surrounding the tablet press turret and die table. Maintains negative pressure (-15 Pa relative to cleanroom) to contain pharmaceutical dust. Local exhaust ventilation at 1.5 m³/min connected to HEPA filtration. Interlocked guard doors: press cannot run with any guard open. Instrumented: differential pressure transmitter triggers alarm at >-10 Pa (loss of containment). Designed for OEB3 potent compounds (OEL 1-10 µg/m³). Complies with ISPE Baseline Guide for Containment. |
| tablet compression subsystem | DEC51018 | Physical manufacturing subsystem comprising a Rotary Tablet Press, Tablet In-Process Control (IPC) sampling station, and tooling management system. Receives granule-filled IBCs and produces compressed tablets at 60 RPM (120 RPM max). Physical dimensions of 2 m × 1.5 m × 2 m, weighing approximately 2000 kg. Contains rotating mechanical components (turret, compression rolls, feed frame) requiring physical safety interlocks and LOTO provisions. Interfaces physically with conveyors, sampling systems, and downstream packaging. |
| Tablet Compression Subsystem | 54E51018 | Multi-station rotary tablet press subsystem for pharmaceutical oral solid dosage manufacturing. Compresses final blend into tablets at rates up to 500,000 tablets/hour. Turret with up to 75 stations; upper and lower punches apply compression force of 5-50 kN. In-line tablet inspection integrates 100% weight check (±0.5% individual; ±5% mean), hardness measurement (Schleuniger), and thickness measurement. Automatic rejection of out-of-specification tablets via pneumatic ejector. Major interfaces: blend reception from granulation, tablet transfer to film coating, IPC data to PAT subsystem, OEE data to MES. |
| Tablet In-Process Control System | 55F77A18 | Automated in-process control (IPC) system integrated with the rotary tablet press. Samples every 30th tablet. Measures: weight (±2 mg, USP <905> tolerances), hardness (newtons, target 80–120 N), thickness (±0.1 mm), friability proxy. Communicates with press servo to adjust fill depth and compression force in closed-loop. Outputs: OPC-UA data stream to PAT workstation and MES. Rejects individual out-of-spec tablets via pneumatic diverter on ejection track. |
| Tablet press mechanical entrapment hazard | 40000011 | Hazard in Pharmaceutical Manufacturing Line during maintenance or production: operator hand or finger drawn into rotary tablet press turret, compression rollers, or granulator impeller. Tablet presses operate at 40-100 RPM with compression forces of 5-100 kN. Consequence: crush injury, amputation, or fatality. Most common during turret cleaning, tooling changeover, or clearing tablet press jam while machine is energised. |
| Tablet Press Mechanical Jam Failure Scenario | 40000210 | Equipment failure scenario: tablet press jams during production requiring maintenance intervention with safety protocols |
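The PAT CQA Model Engine and PAT Data Acquisition and Processing Workstation rows above require SHA-256 signed model files, a version registry, and a fail-safe diversion decision within the evaluation budget. The following is an added example, not the project's own code, of how such a loader could enforce that: HMAC-SHA256 stands in for the page's unspecified signing scheme, and the key, registry entry, model file and the toy linear prediction are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): in practice held in the workstation key store.
# HMAC-SHA256 stands in for the page's unspecified "SHA-256 signed" scheme.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed model file; the registry pins version and digest of each released
# chemometric model so a swapped, stale or tampered file cannot be executed.
MODEL_FILE = json.dumps({"name": "content_uniformity_pls", "version": "3.2.0",
                         "coefficients": [0.12, -0.07, 0.31]}).encode()
MODEL_REGISTRY = {"content_uniformity_pls": {
    "version": "3.2.0", "sha256": hashlib.sha256(MODEL_FILE).hexdigest()}}

class ModelIntegrityError(Exception):
    """Any failed integrity or authenticity check on a model file."""

def sign_model(model_bytes, key=SIGNING_KEY):
    """Stand-in signer (HMAC-SHA256) producing the detached signature as hex."""
    return hmac.new(key, model_bytes, hashlib.sha256).hexdigest()

MODEL_SIG = sign_model(MODEL_FILE)

def load_verified_model(name, model_bytes, signature_hex,
                        registry=MODEL_REGISTRY, key=SIGNING_KEY):
    """Parse a model only if signature, pinned digest and version all match."""
    entry = registry.get(name)
    if entry is None:
        raise ModelIntegrityError(f"{name}: not in version registry")
    # The signature ties the file to the key holder; a bare checksum only catches corruption.
    if not hmac.compare_digest(sign_model(model_bytes, key), signature_hex):
        raise ModelIntegrityError(f"{name}: signature mismatch")
    # The registry digest and version block rollback to an older, still-signed model.
    digest = hashlib.sha256(model_bytes).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise ModelIntegrityError(f"{name}: digest differs from registry")
    model = json.loads(model_bytes)
    if model.get("version") != entry["version"]:
        raise ModelIntegrityError(f"{name}: version is not the registered one")
    return model

def diversion_command(name, model_bytes, signature_hex, spectrum, limits,
                      deadline_s=5.0, clock=time.monotonic):
    """Return 'accept' or 'reject' for the diversion valve; every failure path
    (bad model, unparsable file, missed deadline, CQA out of limits) is 'reject'."""
    start = clock()
    try:
        model = load_verified_model(name, model_bytes, signature_hex)
        # Toy linear prediction standing in for the PLS content-uniformity model.
        value = sum(c * x for c, x in zip(model["coefficients"], spectrum))
    except (ModelIntegrityError, ValueError, KeyError, TypeError):
        return "reject"
    if clock() - start > deadline_s:  # the 5 s evaluation budget from the row above
        return "reject"
    low, high = limits
    return "accept" if low <= value <= high else "reject"
```

Because the valve is spring-return-to-reject, the software side mirrors it: anything short of a fully verified model and an in-limits, on-time prediction yields the reject command.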

| Component | Belongs To |
|---|---|
| Material Handling and Dispensing Subsystem | Pharmaceutical Manufacturing Line |
| Granulation and Blending Subsystem | Pharmaceutical Manufacturing Line |
| Tablet Compression Subsystem | Pharmaceutical Manufacturing Line |
| Process Analytical Technology Subsystem | Pharmaceutical Manufacturing Line |
| Film Coating Subsystem | Pharmaceutical Manufacturing Line |
| Manufacturing Execution System | Pharmaceutical Manufacturing Line |
| Containment and Environmental Control Subsystem | Pharmaceutical Manufacturing Line |
| Packaging and Serialisation Subsystem | Pharmaceutical Manufacturing Line |
| PAT NIR Spectrometer | Process Analytical Technology Subsystem |
| PAT Raman Spectrometer | Process Analytical Technology Subsystem |
| PAT Batch Diversion Valve Assembly | Process Analytical Technology Subsystem |
| PAT Data Acquisition and Processing Workstation | Process Analytical Technology Subsystem |
| PAT Laser Diffraction Analyser | Process Analytical Technology Subsystem |
| PAT CQA Model Engine | Process Analytical Technology Subsystem |
| MES LOTO Registry Module | Manufacturing Execution System |
| MES Electronic Signature Controller | Manufacturing Execution System |
| MES Hash Chain Integrity Engine | Manufacturing Execution System |
| MES Electronic Batch Record Engine | Manufacturing Execution System |
| High Shear Granulator | Granulation and Blending Subsystem |
| Fluid Bed Dryer | Granulation and Blending Subsystem |
| Granule Sizing Mill | Granulation and Blending Subsystem |
| IBC Blender | Granulation and Blending Subsystem |
| Rotary Tablet Press | Tablet Compression Subsystem |
| Tablet In-Process Control System | Tablet Compression Subsystem |
| Punch and Die Tooling Set | Tablet Compression Subsystem |
| Tablet Compression Containment Housing | Tablet Compression Subsystem |
| HVAC Air Handling Unit | Containment and Environmental Control Subsystem |
| Containment Safety PLC | Containment and Environmental Control Subsystem |
| Environmental Monitoring System | Containment and Environmental Control Subsystem |
| Potent Compound Isolator | Containment and Environmental Control Subsystem |
| Differential Pressure Monitoring Controller | Containment and Environmental Control Subsystem |
| Exhaust Air Treatment Unit | Containment and Environmental Control Subsystem |

| From | To |
|---|---|
| PAT NIR Spectrometer | PAT Data Acquisition and Processing Workstation |
| PAT Raman Spectrometer | PAT Data Acquisition and Processing Workstation |
| PAT Laser Diffraction Analyser | PAT Data Acquisition and Processing Workstation |
| PAT Data Acquisition and Processing Workstation | Manufacturing Execution System |
| PAT Data Acquisition and Processing Workstation | PAT Batch Diversion Valve Assembly |
| Tablet In-Process Control System | PAT Data Acquisition and Processing Workstation |
| Tablet In-Process Control System | Manufacturing Execution System |
| Tablet In-Process Control System | PAT CQA Model Engine |
| Tablet Compression Subsystem | Manufacturing Execution System |
| Containment Safety PLC | HVAC Air Handling Unit |
| Containment Safety PLC | Environmental Monitoring System |
| Differential Pressure Monitoring Controller | HVAC Air Handling Unit |
| Environmental Monitoring System | Manufacturing Execution System |

| Component | Output |
|---|---|
| PAT NIR Spectrometer | diffuse reflectance spectra 900–2500 nm at 30 s intervals |
| PAT Raman Spectrometer | Raman spectra 200–3200 cm⁻¹ for blend uniformity |
| PAT Batch Diversion Valve Assembly | physical stream diversion to reject container |
| PAT Data Acquisition and Processing Workstation | CQA predictions and OPC-UA alarm signals to MES |
| PAT Laser Diffraction Analyser | particle size distribution D50/D90/span at 60 s intervals |
| High Shear Granulator | wet granule mass with controlled PSD endpoint |
| Fluid Bed Dryer | dried granules at target LOD for milling |
| Granule Sizing Mill | sized granules with D90 <500 µm for compression |
| IBC Blender | blended granule batch at target content uniformity for compression |
| Rotary Tablet Press | compressed tablets at target weight/hardness/thickness |
| Tablet In-Process Control System | weight/hardness/thickness measurements and individual tablet rejection signals |
| Tablet Compression Containment Housing | negative pressure containment zone and exhaust airflow to HEPA |
| HVAC Air Handling Unit | conditioned supply air at 20±2°C, 45±5% RH, 20 ACH minimum |
| Containment Safety PLC | SIL-2 safety function outputs: HVAC damper control, alarm, E-stop |
| Environmental Monitoring System | GxP environmental data records embedded in EBR via OPC UA |
| Differential Pressure Monitoring Controller | room differential pressure control and excursion alarms |