Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Airborne potent compound exposure from containment breach during tablet compression, material transfer, or cleaning | critical | low | SIL 2 | all material transfer stopped, containment isolators sealed, HVAC switched to full exhaust with HEPA filtration, operators evacuate to clean zone |
| H-002: Cross-contamination of drug product with residual API from previous campaign | catastrophic | low | SIL 3 | batch quarantined, line locked out pending full cleaning validation with HPLC confirmation below acceptance limit |
| H-003: Dust explosion from fine pharmaceutical powder exceeding LEL in enclosed equipment with ignition source present | catastrophic | rare | SIL 2 | equipment de-energised, nitrogen inerting activated, explosion vents open, dust extraction at maximum flow |
| H-004: Out-of-specification product released due to PAT system failure or calibration drift | catastrophic | low | SIL 3 | batch quarantined for offline laboratory testing, real-time release suspended, production continues only with traditional QC release until PAT recalibrated and verified |
| H-005: Loss of cleanroom environmental control (pressure cascade, temperature, humidity) causing microbial contamination or product degradation | major | medium | SIL 1 | product exposure points sealed, HVAC alarm initiates automatic damper closure, exposed product quarantined, production halted until environmental conditions restored and verified |
| H-006: Electronic batch record data integrity failure — corrupted, incomplete, or falsified manufacturing records | critical | medium | SIL 2 | system switches to verified paper backup records, electronic system locked for forensic investigation, affected batches quarantined pending data integrity review |
| H-007: Operator mechanical entrapment in tablet press turret, compression rollers, or granulator impeller | critical | low | SIL 2 | all rotating equipment de-energised and mechanically braked, safety interlocks prevent restart until guards closed and confirmed, LOTO applied for maintenance access |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| IFC-022 | SIL 2 | The interface between the Containment Safety PLC and the HVAC Air Handling Unit SHALL use a hardwired 24 VDC discrete signal bus for safety-critical c... | Test |
| IFC-REQ-001 | SIL 3 | The interface between the Process Analytical Technology Subsystem and the Manufacturing Execution System SHALL transmit CQA limit exceedance alarms as... | Test |
| IFC-REQ-003 | SIL 3 | The Manufacturing Execution System SHALL transmit diversion acknowledgment and operating mode commands to the Process Analytical Technology Subsystem ... | Test |
| SUB-REQ-001 | SIL 3 | The PAT Subsystem NIR spectrometer SHALL acquire diffuse reflectance spectra (900-1700 nm, minimum 256 wavelength channels, 8 cm-1 resolution) at 30-s... | Test |
| SUB-REQ-002 | SIL 3 | The PAT Subsystem Raman spectrometer SHALL acquire spectra (200-3200 cm-1, spectral resolution 4 cm-1) at 30-second intervals using a 785 nm excitatio... | Test |
| SUB-REQ-003 | SIL 3 | The PAT Subsystem SHALL evaluate all CQA chemometric models (content uniformity PLS, blend homogeneity PCA, particle size correlation) within 5 second... | Test |
| SUB-REQ-004 | SIL 3 | When a CQA limit exceedance is detected, the PAT Subsystem SHALL actuate the batch diversion valve to the reject position within 2 seconds, confirm va... | Test |
| SUB-REQ-005 | SIL 3 | The PAT Subsystem SHALL perform continuous sensor self-diagnostics evaluating signal-to-noise ratio, wavelength calibration accuracy (against internal... | Test |
| SUB-REQ-008 | SIL 2 | The Manufacturing Execution System SHALL enforce 21 CFR Part 11 compliant electronic signatures on all EBR critical entries (batch release, deviation ... | Test |
| SUB-REQ-009 | SIL 2 | The Manufacturing Execution System SHALL maintain a tamper-evident audit trail recording every EBR creation, modification, and deletion event, capturi... | Test |
| SUB-REQ-010 | SIL 2 | The Manufacturing Execution System SHALL compute and store a SHA-256 cryptographic hash on every EBR write operation, maintain a hash chain linking co... | Test |
| SUB-REQ-011 | SIL 2 | The Manufacturing Execution System SHALL maintain a real-time lockout registry mapping each equipment unit to its lockout state (locked/unlocked), loc... | Test |
| SUB-REQ-014 | SIL 2 | The Manufacturing Execution System SHALL perform automated EBR database backups at intervals not exceeding 15 minutes, with backup integrity verified ... | Test |
| SUB-REQ-015 | SIL 2 | When a data integrity failure is detected (hash chain discontinuity or backup verification failure), the Manufacturing Execution System SHALL switch t... | Demonstration |
| SUB-REQ-016 | SIL 2 | When the High Shear Granulator wet mass torque profile or integrated NIR wet-mass spectrum reaches the validated endpoint criterion, the Granulation a... | Test |
| SUB-REQ-017 | SIL 2 | The Fluid Bed Dryer SHALL reduce granule loss-on-drying (LOD) to the target value (product-specific, typically 1.0-3.0% w/w) plus or minus 0.5% w/w wi... | Test |
| SUB-REQ-018 | SIL 2 | The Fluid Bed Dryer SHALL maintain inlet air temperature within plus or minus 2 degrees Celsius of the MES recipe setpoint throughout the drying cycle... | Test |
| SUB-REQ-019 | SIL 2 | The Granule Sizing Mill SHALL reduce post-drying granule agglomerates such that the resulting sized granule D90 is less than 800 micrometres and D50 i... | Test |
| SUB-REQ-020 | SIL 2 | The IBC Blender SHALL achieve a blend uniformity of API content RSD less than or equal to 5.0% across the blend mass, as measured by the in-IBC NIR pr... | Test |
| SUB-REQ-021 | SIL 2 | The Granulation and Blending Subsystem SHALL record the mass of each material charge and transfer at each process step, and SHALL flag a mass balance ... | Test |
| SUB-REQ-022 | SIL 2 | When the PAT NIR blend-endpoint monitoring is unavailable (sensor fault or communication loss), the Granulation and Blending Subsystem SHALL continue ... | Test |
| SUB-REQ-023 | SIL 2 | While processing OEB 3 or higher potency compounds (OEL less than 10 micrograms per cubic metre), the Granulation and Blending Subsystem SHALL maintai... | Test |
| SUB-REQ-025 | SIL 2 | The Rotary Tablet Press SHALL monitor upper punch compression force at each station on every rotation and reject tablets where compression force devia... | Test |
| SUB-REQ-031 | SIL 3 | The PAT Subsystem CQA model evaluation and diversion actuation function SHALL be implemented on a hardware architecture achieving at least Hardware Fa... | Test |
| SUB-REQ-036 | SIL 3 | The Process Analytical Technology Subsystem SHALL operate from a dedicated 230V AC 50Hz UPS-backed power supply providing minimum 4 hours of autonomou... | Test |
| SUB-REQ-037 | SIL 3 | The PAT Subsystem SHALL provide a manual CQA override interface accessible to the QC Analyst role, enabling a qualified operator to override a CQA mod... | Test |
| SUB-REQ-038 | SIL 2 | The Manufacturing Execution System SHALL implement a watchdog timer that monitors core EBR processing heartbeat at 30-second intervals, and when three... | Test |
| SUB-REQ-039 | SIL 2 | The Tablet Compression Subsystem SHALL operate from a dedicated 400V AC 50Hz 3-phase power supply with a soft-starter providing controlled ramp-up to ... | Test |
| SUB-REQ-040 | SIL 2 | The Granulation and Blending Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the High Shear Granulator impeller (rated 37kW) and Fl... | Test |
| SUB-REQ-042 | SIL 2 | The Containment and Environmental Control Subsystem SHALL operate from a UPS-backed 230V AC power supply providing minimum 2 hours of autonomous opera... | Test |
| SUB-REQ-046 | SIL 2 | While in Maintenance mode, the system SHALL prevent equipment power-on by any means (HMI, PLC, remote command) for any equipment with an active LOTO l... | Test |
| SUB-REQ-047 | SIL 3 | While in Degraded Production mode, the system SHALL quarantine all completed batches in MES quarantine status within 60 seconds of batch completion, p... | Test |
| SUB-REQ-048 | SIL 2 | The Containment and Environmental Control Subsystem SHALL detect airborne API concentration above the OEL action limit (80 percent of OEL) and SHALL a... | Test |
| SUB-REQ-049 | SIL 2 | The Containment and Environmental Control Subsystem SHALL perform continuous air monitoring at each sampling point at a minimum frequency of 1 sample ... | Test |
| SUB-REQ-050 | SIL 3 | When the Cleaning Validation results for any swab location exceed the acceptance limit, the Manufacturing Execution System SHALL automatically quarant... | Test |
| SUB-REQ-051 | SIL 3 | The Material Handling and Dispensing Subsystem SHALL enforce a two-person independent check for all API dispensing operations above 1kg, with electron... | Test |
| SUB-REQ-052 | SIL 2 | The Tablet Compression Subsystem SHALL perform a real-time metal detection check on the tablet stream at the press output, and when a metallic contami... | Test |
| SUB-REQ-053 | SIL 2 | The Granulation and Blending Subsystem SHALL monitor for dust explosion risk by measuring dust concentration at the FBD exhaust duct using a continuou... | Test |
| SUB-REQ-054 | SIL 2 | The Packaging and Serialisation Subsystem SHALL perform 100 percent vision inspection of each blister cavity for correct tablet count, absent tablets,... | Test |
| SUB-REQ-057 | SIL 3 | The Process Analytical Technology Subsystem SHALL maintain a rolling 30-day archive of all CQA model inputs, model outputs, diversion decisions, and c... | Test |
| SUB-REQ-058 | SIL 3 | The Process Analytical Technology Subsystem SHALL provide a qualified user override mechanism that enables a QC Analyst or Production Supervisor to su... | Test |
| SUB-REQ-061 | SIL 2 | The Manufacturing Execution System SHALL implement a hardware watchdog timer with a 30-second timeout that triggers a controlled safe-state transition... | Test |
| SUB-REQ-062 | SIL 1 | The Containment and Environmental Control Subsystem SHALL install differential pressure transmitters at each controlled cleanroom boundary (weigh boot... | Inspection |
| SUB-REQ-063 | SIL 2 | The HVAC Air Handling Unit SHALL maintain cleanroom supply air conditions within the range 20±2°C (temperature), 45±5% RH (humidity), and a minimum of... | Test |
| SUB-REQ-064 | SIL 2 | The HVAC Air Handling Unit SHALL maintain a minimum differential pressure of +10 Pa between adjacent cleanroom grades and -12.5 Pa inside the Potent C... | Test |
| SUB-REQ-065 | SIL 2 | When the Containment Safety PLC detects a containment integrity failure (isolator pressure above -5 Pa for more than 5 seconds, or airborne API concen... | Test |
| SYS-REQ-002 | SIL 2 | The system SHALL generate, execute, and archive electronic batch records (EBRs) with electronic signatures, access controls, audit trails, and backup ... | Test |
| SYS-REQ-016 | SIL 2 | The system SHALL implement machine safety controls compliant with EN ISO 13849-1 (Safety of machinery — Safety-related parts of control systems) for a... | Test |
| SYS-REQ-018 | SIL 3 | The system SHALL enforce PAT qualification procedures per FDA Process Analytical Technology Guidance (2004) and ICH Q8, requiring calibration verifica... | Test |
| SYS-REQ-019 | SIL 2 | The system SHALL generate an automatic deviation record in the EBR whenever any critical process parameter exceeds its validated specification limit, ... | Test |
| SYS-REQ-020 | SIL 3 | The system SHALL maintain a cleaning status registry for every product-contact equipment item, updated in real-time as cleaning activities are perform... | Test |
| SYS-REQ-027 | SIL 2 | The Process Control System SHALL provide a hardware-enforced manual override capability at each equipment control panel that allows an operator to de-... | Test |
| SYS-REQ-029 | SIL 2 | The system SHALL implement dust explosion prevention measures compliant with ATEX Directive 2014/34/EU (Equipment and protective systems intended for ... | Test |
| VER-109 | SIL 2 | Verify SUB-REQ-065: In a qualified test environment, simulate containment integrity failure by reducing isolator pressure above -5 Pa for 6 seconds. M... | Test |
| VER-111 | SIL 2 | Verify IFC-022: Interrupt the 24 VDC hardwired signal bus between the Containment Safety PLC and the HVAC Air Handling Unit by disconnecting the emerg... | Test |
| VER-112 | SIL 2 | Verify end-to-end containment response chain: introduce a simulated OEB 4 API dust release at the Potent Compound Isolator exhaust port and measure th... | Test |
| VER-114 | SIL 2 | Verify SUB-REQ-064: Disturb cleanroom pressure by propping a pass-through door open for 10 seconds during operational conditions. Measure time for Dif... | Test |
| VER-REQ-037 | SIL 2 | The verification activity for SUB-REQ-012 SHALL apply a maintenance lock to a designated piece of equipment via the MES LOTO registry, attempt a resta... | Test |
| VER-REQ-038 | SIL 2 | The verification activity for SUB-REQ-014 SHALL run the MES EBR database for a simulated 4-hour production period, confirm automated backup events occ... | Test |
| VER-REQ-039 | SIL 2 | The verification activity for SUB-REQ-016 SHALL execute three consecutive High Shear Granulator runs using a validated placebo formulation with a char... | Test |
| VER-REQ-040 | SIL 2 | The verification activity for SUB-REQ-022 SHALL disable the PAT NIR blend-endpoint monitor (simulate sensor fault) mid-blending cycle, confirm the IBC... | Test |
| VER-REQ-041 | SIL 2 | The verification activity for SUB-REQ-025 SHALL run the Rotary Tablet Press at nominal speed with instrumented punches and inject 20 deliberate out-of... | Test |
| VER-REQ-044 | SIL 2 | The verification activity for SYS-REQ-005 SHALL actuate the emergency stop function via operator E-stop button, automatic interlock, and software-init... | Test |
| VER-REQ-045 | SIL 1 | The verification activity for SYS-REQ-006 SHALL inject simulated parameter exceedances (differential pressure exceedance, temperature exceedance, humi... | Test |
| VER-REQ-046 | SIL 3 | The verification activity for SYS-REQ-008 SHALL execute one complete product changeover sequence (cytotoxic to standard product) with a qualified oper... | Test |
| VER-REQ-047 | SIL 3 | The verification activity for SUB-REQ-031 SHALL deploy a primary DAC Workstation and a configured hot-standby instance in a test environment, inject a... | Test |
| VER-REQ-050 | SIL 2 | The verification activity for SUB-REQ-017 SHALL execute three drying cycles with placebo granules at the product-specific LOD recipe target, collect 3... | Test |
| VER-REQ-051 | SIL 2 | The verification activity for SUB-REQ-018 SHALL install calibrated thermocouples at FBD inlet air duct and product chamber, run three consecutive dryi... | Test |
| VER-REQ-052 | SIL 2 | The verification activity for SUB-REQ-019 SHALL run a post-drying milling cycle on a representative placebo granule batch, collect a sample at mill di... | Test |
| VER-REQ-053 | SIL 2 | The verification activity for SUB-REQ-021 SHALL execute a complete granulation and blending campaign in the MES test environment and confirm: (a) the ... | Test |
| VER-REQ-054 | SIL 2 | The verification activity for SUB-REQ-023 SHALL activate OEB 3 compound handling mode in the test environment, execute a full granulation and blending... | Test |
| VER-REQ-056 | SIL 2 | The verification activity for the OEL/OEB containment system requirement (SYS-REQ-013) SHALL operate a production run with a potent compound simulant ... | Test |
| VER-REQ-061 | SIL 3 | The verification activity for the PAT qualification enforcement requirement (SYS-REQ-018) SHALL set one PAT instrument's calibration status to expired... | Test |
| VER-REQ-062 | SIL 3 | The verification activity for the PAT power supply requirement SHALL simulate a mains power failure by switching off the PAT subsystem UPS input, conf... | Test |
| VER-REQ-063 | SIL 3 | The verification activity for the PAT manual override requirement SHALL log in as QC Analyst role in the MES test environment, trigger a CQA limit vio... | Test |
| VER-REQ-064 | SIL 2 | The verification activity for the MES watchdog timer requirement SHALL stop the EBR processing heartbeat in the test environment, wait 95 seconds (3 c... | Test |
| VER-REQ-065 | SIL 2 | The verification activity for the Emergency Stop recovery requirement SHALL trigger a simulated containment breach alarm, confirm the system enters Em... | Test |
| VER-REQ-066 | SIL 2 | The verification activity for the Maintenance LOTO display requirement SHALL apply a LOTO lock to the rotary tablet press via the MES LOTO registry, a... | Test |
| VER-REQ-067 | SIL 3 | The verification activity for the Degraded Production mode real-time release block requirement SHALL activate degraded production mode in the MES test... | Test |
| VER-REQ-071 | SIL 2 | The verification activity for the Containment and Environmental Control Subsystem UPS requirement SHALL disconnect mains power from the containment su... | Test |
| VER-REQ-075 | SIL 2 | The verification activity for SUB-REQ-048 SHALL inject a simulated airborne concentration at 85 percent of OEL into the continuous monitoring system, ... | Test |
| VER-REQ-077 | SIL 3 | The verification activity for SUB-REQ-050 SHALL inject a cleaning validation failure result (location 7 swab result exceeding acceptance limit) into t... | Test |
| VER-REQ-078 | SIL 3 | The verification activity for SUB-REQ-051 SHALL attempt to advance an API dispensing step in the MES test environment with only one operator confirmat... | Test |
| VER-REQ-080 | SIL 2 | The verification activity for SUB-REQ-053 SHALL connect a calibrated dust concentration monitor to the FBD exhaust duct, inject a dust aerosol to reac... | Test |
| VER-REQ-084 | SIL 3 | The verification activity for SUB-REQ-057 SHALL operate the PAT subsystem for 31 days in the test environment, query the audit log for day 1 entries a... | Test |
| VER-REQ-086 | SIL 3 | The verification activity for the cleaning status registry requirement (SYS-REQ-020) SHALL set equipment item A's cleaning status to expired in the ME... | Test |
| VER-REQ-090 | SIL 3 | The verification activity for SYS-REQ-003 SHALL inject 50 pre-characterised CQA test spectra spanning 10 nominal, 10 OOS-API, 10 OOS-dissolution, 10 s... | Test |
| VER-REQ-091 | SIL 2 | The verification activity for SYS-REQ-004 SHALL install calibrated airflow velocity probes at all access point openings of a qualified potent compound... | Test |
| VER-REQ-092 | SIL 2 | The verification activity for SYS-REQ-011 SHALL register an active LOTO lockout device in the MES for three separate equipment types (tablet press, gr... | Test |
| VER-REQ-094 | SIL 2 | The verification activity for SYS-REQ-002 SHALL execute a complete batch lifecycle in the MES test environment: create an EBR, execute all lifecycle s... | Test |
| VER-REQ-098 | SIL 3 | The verification activity for SUB-REQ-058 SHALL log in as QC Analyst in the MES test environment, trigger a CQA limit violation, activate the manual o... | Test |
| VER-REQ-099 | SIL 2 | The verification activity for SUB-REQ-059 SHALL conduct a physical inspection of the Granulation and Blending Subsystem installation during commission... | Test |
| VER-REQ-101 | SIL 2 | The verification activity for SUB-REQ-061 SHALL: (a) Watchdog test — suspend the MES heartbeat signal in a test environment and confirm the watchdog t... | Test |
| VER-REQ-104 | SIL 2 | The verification activity for SYS-REQ-027 SHALL confirm: (a) with PLC in RUN mode, pressing the manual override pushbutton at each equipment panel de-... | Test |

Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

```mermaid
flowchart TD
G0["<b>G0: Top Goal</b><br/>Pharmaceutical Manufacturing Line is acceptably safe"]
S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
G0 --> S0
G1["<b>G1: H-001</b><br/>Airborne potent compound exposure from containment breach du...<br/>SIL 2"]
S0 --> G1
Sn0_0(["<b>IFC-022</b>"])
G1 --> Sn0_0
Sn0_1(["<b>SUB-REQ-040</b>"])
G1 --> Sn0_1
Sn0_2(["<b>SUB-REQ-042</b>"])
G1 --> Sn0_2
G2["<b>G2: H-002</b><br/>Cross-contamination of drug product with residual API from p...<br/>SIL 3"]
S0 --> G2
Sn1_0(["<b>SUB-REQ-050</b>"])
G2 --> Sn1_0
Sn1_1(["<b>SUB-REQ-051</b>"])
G2 --> Sn1_1
Sn1_2(["<b>SYS-REQ-020</b>"])
G2 --> Sn1_2
G3["<b>G3: H-003</b><br/>Dust explosion from fine pharmaceutical powder exceeding LEL...<br/>SIL 2"]
S0 --> G3
Sn2_0(["<b>SUB-REQ-040</b>"])
G3 --> Sn2_0
Sn2_1(["<b>SUB-REQ-053</b>"])
G3 --> Sn2_1
Sn2_2(["<b>SYS-REQ-029</b>"])
G3 --> Sn2_2
G4["<b>G4: H-004</b><br/>Out-of-specification product released due to PAT system fail...<br/>SIL 3"]
S0 --> G4
Sn3_0(["<b>IFC-REQ-001</b>"])
G4 --> Sn3_0
Sn3_1(["<b>IFC-REQ-003</b>"])
G4 --> Sn3_1
Sn3_2(["<b>SUB-REQ-003</b>"])
G4 --> Sn3_2
G5["<b>G5: H-005</b><br/>Loss of cleanroom environmental control (pressure cascade, t...<br/>SIL 1"]
S0 --> G5
Sn4_0(["<b>VER-REQ-045</b>"])
G5 --> Sn4_0
G6["<b>G6: H-006</b><br/>Electronic batch record data integrity failure — corrupted, ...<br/>SIL 2"]
S0 --> G6
Sn5_0(["<b>SUB-REQ-008</b>"])
G6 --> Sn5_0
Sn5_1(["<b>SUB-REQ-009</b>"])
G6 --> Sn5_1
Sn5_2(["<b>SUB-REQ-010</b>"])
G6 --> Sn5_2
G7["<b>G7: H-007</b><br/>Operator mechanical entrapment in tablet press turret, compr...<br/>SIL 2"]
S0 --> G7
Sn6_0(["<b>SUB-REQ-011</b>"])
G7 --> Sn6_0
Sn6_1(["<b>SUB-REQ-039</b>"])
G7 --> Sn6_1
Sn6_2(["<b>SUB-REQ-046</b>"])
G7 --> Sn6_2
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).
```yaml
# GSN Safety Case — Pharmaceutical Manufacturing Line
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "Pharmaceutical Manufacturing Line is acceptably safe"
    type: top-goal
    supported_by: [S0]
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7]
  G1:
    text: "H-001: Airborne potent compound exposure from containment breach during tablet compression, material transfer, or cleaning"
    sil: 2
    safe_state: "all material transfer stopped, containment isolators sealed, HVAC switched to full exhaust with HEPA filtration, operators evacuate to clean zone"
    supported_by: [IFC-022, SUB-REQ-040, SUB-REQ-042, SUB-REQ-048, SUB-REQ-065, VER-REQ-044, VER-REQ-054, VER-REQ-056, VER-REQ-065, VER-REQ-071, VER-REQ-075, VER-REQ-091, VER-REQ-101]
    evidence: [VER-111, VER-REQ-069, VER-REQ-071, VER-REQ-075, VER-109, REQ-SEPHARMAMANUFACTURING-018, SUB-REQ-023, SYS-REQ-013, SUB-REQ-045, SUB-REQ-042, SUB-REQ-048, REQ-SEPHARMAMANUFACTURING-017, SUB-REQ-061]
  G2:
    text: "H-002: Cross-contamination of drug product with residual API from previous campaign"
    sil: 3
    safe_state: "batch quarantined, line locked out pending full cleaning validation with HPLC confirmation below acceptance limit"
    supported_by: [SUB-REQ-050, SUB-REQ-051, SYS-REQ-020, VER-REQ-046, VER-REQ-077, VER-REQ-078, VER-REQ-086, VER-REQ-099]
    evidence: [VER-REQ-077, VER-REQ-078, VER-REQ-086, REQ-SEPHARMAMANUFACTURING-021, SUB-REQ-050, SUB-REQ-051, SYS-REQ-020, SUB-REQ-059]
  G3:
    text: "H-003: Dust explosion from fine pharmaceutical powder exceeding LEL in enclosed equipment with ignition source present"
    sil: 2
    safe_state: "equipment de-energised, nitrogen inerting activated, explosion vents open, dust extraction at maximum flow"
    supported_by: [SUB-REQ-040, SUB-REQ-053, SYS-REQ-029, VER-REQ-044, VER-REQ-080]
    evidence: [VER-REQ-069, VER-REQ-080, REQ-SEPHARMAMANUFACTURING-018, SUB-REQ-053]
  G4:
    text: "H-004: Out-of-specification product released due to PAT system failure or calibration drift"
    sil: 3
    safe_state: "batch quarantined for offline laboratory testing, real-time release suspended, production continues only with traditional QC release until PAT recalibrated and verified"
    supported_by: [IFC-REQ-001, IFC-REQ-003, SUB-REQ-003, SUB-REQ-004, SUB-REQ-005, SUB-REQ-058, SYS-REQ-018, VER-REQ-040, VER-REQ-041, VER-REQ-047, VER-REQ-061, VER-REQ-062, VER-REQ-067, VER-REQ-084, VER-REQ-090, VER-REQ-098]
    evidence: [VER-REQ-004, VER-REQ-009, VER-REQ-004, VER-REQ-005, VER-REQ-005, VER-REQ-001, VER-REQ-001, VER-REQ-002, VER-REQ-002, VER-REQ-003, VER-REQ-003, VER-REQ-098, VER-REQ-061, SUB-REQ-022, SUB-REQ-025, SUB-REQ-031, SYS-REQ-018, SUB-REQ-036, SUB-REQ-047, SUB-REQ-057, REQ-SEPHARMAMANUFACTURING-016, SUB-REQ-058]
  G5:
    text: "H-005: Loss of cleanroom environmental control (pressure cascade, temperature, humidity) causing microbial contamination or product degradation"
    sil: 1
    safe_state: "product exposure points sealed, HVAC alarm initiates automatic damper closure, exposed product quarantined, production halted until environmental conditions restored and verified"
    supported_by: [VER-REQ-045]
    evidence: [REQ-SEPHARMAMANUFACTURING-019]
  G6:
    text: "H-006: Electronic batch record data integrity failure — corrupted, incomplete, or falsified manufacturing records"
    sil: 2
    safe_state: "system switches to verified paper backup records, electronic system locked for forensic investigation, affected batches quarantined pending data integrity review"
    supported_by: [SUB-REQ-008, SUB-REQ-009, SUB-REQ-010, SUB-REQ-014, SUB-REQ-015, VER-REQ-038, VER-REQ-094]
    evidence: [VER-REQ-006, VER-REQ-006, VER-REQ-019, VER-REQ-019, VER-REQ-008, VER-REQ-008, VER-REQ-012, VER-REQ-038, VER-REQ-012, VER-REQ-012, SUB-REQ-014, REQ-SEPHARMAMANUFACTURING-015, REQ-SEPHARMAMANUFACTURING-015]
  G7:
    text: "H-007: Operator mechanical entrapment in tablet press turret, compression rollers, or granulator impeller"
    sil: 2
    safe_state: "all rotating equipment de-energised and mechanically braked, safety interlocks prevent restart until guards closed and confirmed, LOTO applied for maintenance access"
    supported_by: [SUB-REQ-011, SUB-REQ-039, SUB-REQ-046, VER-REQ-037, VER-REQ-044, VER-REQ-065, VER-REQ-066, VER-REQ-092]
    evidence: [VER-REQ-007, VER-REQ-007, VER-REQ-068, VER-REQ-066, SUB-REQ-012, REQ-SEPHARMAMANUFACTURING-018, SUB-REQ-045, SUB-REQ-046, REQ-SEPHARMAMANUFACTURING-024]
solutions:
  IFC-022:
    text: "The interface between the Containment Safety PLC and the HVAC Air Handling Unit SHALL use a hardwired 24 VDC discrete si"
    verification: Test
    sil: 2
  IFC-REQ-001:
    text: "The interface between the Process Analytical Technology Subsystem and the Manufacturing Execution System SHALL transmit "
    verification: Test
    sil: 3
  IFC-REQ-003:
    text: "The Manufacturing Execution System SHALL transmit diversion acknowledgment and operating mode commands to the Process An"
    verification: Test
    sil: 3
  SUB-REQ-001:
    text: "The PAT Subsystem NIR spectrometer SHALL acquire diffuse reflectance spectra (900-1700 nm, minimum 256 wavelength channe"
    verification: Test
    sil: 3
  SUB-REQ-002:
    text: "The PAT Subsystem Raman spectrometer SHALL acquire spectra (200-3200 cm-1, spectral resolution 4 cm-1) at 30-second inte"
    verification: Test
    sil: 3
  SUB-REQ-003:
    text: "The PAT Subsystem SHALL evaluate all CQA chemometric models (content uniformity PLS, blend homogeneity PCA, particle siz"
    verification: Test
    sil: 3
  SUB-REQ-004:
    text: "When a CQA limit exceedance is detected, the PAT Subsystem SHALL actuate the batch diversion valve to the reject positio"
    verification: Test
    sil: 3
  SUB-REQ-005:
    text: "The PAT Subsystem SHALL perform continuous sensor self-diagnostics evaluating signal-to-noise ratio, wavelength calibrat"
    verification: Test
    sil: 3
  SUB-REQ-008:
    text: "The Manufacturing Execution System SHALL enforce 21 CFR Part 11 compliant electronic signatures on all EBR critical entr"
    verification: Test
    sil: 2
  SUB-REQ-009:
    text: "The Manufacturing Execution System SHALL maintain a tamper-evident audit trail recording every EBR creation, modificatio"
    verification: Test
    sil: 2
  SUB-REQ-010:
    text: "The Manufacturing Execution System SHALL compute and store a SHA-256 cryptographic hash on every EBR write operation, ma"
    verification: Test
    sil: 2
  SUB-REQ-011:
    text: "The Manufacturing Execution System SHALL maintain a real-time lockout registry mapping each equipment unit to its lockou"
    verification: Test
    sil: 2
  SUB-REQ-014:
    text: "The Manufacturing Execution System SHALL perform automated EBR database backups at intervals not exceeding 15 minutes, w"
    verification: Test
    sil: 2
  SUB-REQ-015:
    text: "When a data integrity failure is detected (hash chain discontinuity or backup verification failure), the Manufacturing E"
    verification: Demonstration
    sil: 2
  SUB-REQ-016:
    text: "When the High Shear Granulator wet mass torque profile or integrated NIR wet-mass spectrum reaches the validated endpoin"
    verification: Test
    sil: 2
  SUB-REQ-017:
    text: "The Fluid Bed Dryer SHALL reduce granule loss-on-drying (LOD) to the target value (product-specific, typically 1.0-3.0% "
    verification: Test
    sil: 2
  SUB-REQ-018:
    text: "The Fluid Bed Dryer SHALL maintain inlet air temperature within plus or minus 2 degrees Celsius of the MES recipe setpoi"
    verification: Test
    sil: 2
  SUB-REQ-019:
    text: "The Granule Sizing Mill SHALL reduce post-drying granule agglomerates such that the resulting sized granule D90 is less "
    verification: Test
    sil: 2
  SUB-REQ-020:
    text: "The IBC Blender SHALL achieve a blend uniformity of API content RSD less than or equal to 5.0% across the blend mass, as"
    verification: Test
    sil: 2
  SUB-REQ-021:
    text: "The Granulation and Blending Subsystem SHALL record the mass of each material charge and transfer at each process step, "
    verification: Test
    sil: 2
  SUB-REQ-022:
    text: "When the PAT NIR blend-endpoint monitoring is unavailable (sensor fault or communication loss), the Granulation and Blen"
    verification: Test
    sil: 2
  SUB-REQ-023:
    text: "While processing OEB 3 or higher potency compounds (OEL less than 10 micrograms per cubic metre), the Granulation and Bl"
    verification: Test
    sil: 2
  SUB-REQ-025:
    text: "The Rotary Tablet Press SHALL monitor upper punch compression force at each station on every rotation and reject tablets"
    verification: Test
    sil: 2
  SUB-REQ-031:
    text: "The PAT Subsystem CQA model evaluation and diversion actuation function SHALL be implemented on a hardware architecture "
    verification: Test
    sil: 3
  SUB-REQ-036:
    text: "The Process Analytical Technology Subsystem SHALL operate from a dedicated 230V AC 50Hz UPS-backed power supply providin"
    verification: Test
    sil: 3
  SUB-REQ-037:
    text: "The PAT Subsystem SHALL provide a manual CQA override interface accessible to the QC Analyst role, enabling a qualified "
    verification: Test
    sil: 3
  SUB-REQ-038:
    text: "The Manufacturing Execution System SHALL implement a watchdog timer that monitors core EBR processing heartbeat at 30-se"
    verification: Test
    sil: 2
  SUB-REQ-039:
    text: "The Tablet Compression Subsystem SHALL operate from a dedicated 400V AC 50Hz 3-phase power supply with a soft-starter pr"
    verification: Test
    sil: 2
  SUB-REQ-040:
    text: "The Granulation and Blending Subsystem SHALL operate from 400V AC 50Hz 3-phase power supply for the High Shear Granulato"
    verification: Test
    sil: 2
  SUB-REQ-042:
    text: "The Containment and Environmental Control Subsystem SHALL operate from a UPS-backed 230V AC power supply providing minim"
    verification: Test
    sil: 2
  SUB-REQ-046:
    text: "While in Maintenance mode, the system SHALL prevent equipment power-on by any means (HMI, PLC, remote command) for any e"
    verification: Test
    sil: 2
  SUB-REQ-047:
    text: "While in Degraded Production mode, the system SHALL quarantine all completed batches in MES quarantine status within 60 "
    verification: Test
    sil: 3
  SUB-REQ-048:
    text: "The Containment and Environmental Control Subsystem SHALL detect airborne API concentration above the OEL action limit ("
    verification: Test
    sil: 2
  SUB-REQ-049:
    text: "The Containment and Environmental Control Subsystem SHALL perform continuous air monitoring at each sampling point at a "
    verification: Test
    sil: 2
  SUB-REQ-050:
    text: "When the Cleaning Validation results for any swab location exceed the acceptance limit, the Manufacturing Execution Syst"
    verification: Test
    sil: 3
  SUB-REQ-051:
    text: "The Material Handling and Dispensing Subsystem SHALL enforce a two-person independent check for all API dispensing opera"
    verification: Test
    sil: 3
  SUB-REQ-052:
    text: "The Tablet Compression Subsystem SHALL perform a real-time metal detection check on the tablet stream at the press outpu"
    verification: Test
    sil: 2
  SUB-REQ-053:
    text: "The Granulation and Blending Subsystem SHALL monitor for dust explosion risk by measuring dust concentration at the FBD "
    verification: Test
    sil: 2
  SUB-REQ-054:
    text: "The Packaging and Serialisation Subsystem SHALL perform 100 percent vision inspection of each blister cavity for correct"
    verification: Test
    sil: 2
  SUB-REQ-057:
    text: "The Process Analytical Technology Subsystem SHALL maintain a rolling 30-day archive of all CQA model inputs, model outpu"
    verification: Test
    sil: 3
  SUB-REQ-058:
    text: "The Process Analytical Technology Subsystem SHALL provide a qualified user override mechanism that enables a QC Analyst "
    verification: Test
    sil: 3
  SUB-REQ-061:
    text: "The Manufacturing Execution System SHALL implement a hardware watchdog timer with a 30-second timeout that triggers a co"
    verification: Test
    sil: 2
  SUB-REQ-062:
    text: "The Containment and Environmental Control Subsystem SHALL install differential pressure transmitters at each controlled "
    verification: Inspection
    sil: 1
  SUB-REQ-063:
    text: "The HVAC Air Handling Unit SHALL maintain cleanroom supply air conditions within the range 20±2°C (temperature), 45±5% R"
    verification: Test
    sil: 2
  SUB-REQ-064:
    text: "The HVAC Air Handling Unit SHALL maintain a minimum differential pressure of +10 Pa between adjacent cleanroom grades an"
    verification: Test
    sil: 2
  SUB-REQ-065:
    text: "When the Containment Safety PLC detects a containment integrity failure (isolator pressure above -5 Pa for more than 5 s"
```
verification: Test
sil: 2
SYS-REQ-002:
text: "The system SHALL generate, execute, and archive electronic batch records (EBRs) with electronic signatures, access contr"
verification: Test
sil: 2
SYS-REQ-016:
text: "The system SHALL implement machine safety controls compliant with EN ISO 13849-1 (Safety of machinery — Safety-related p"
verification: Test
sil: 2
SYS-REQ-018:
text: "The system SHALL enforce PAT qualification procedures per FDA Process Analytical Technology Guidance (2004) and ICH Q8, "
verification: Test
sil: 3
SYS-REQ-019:
text: "The system SHALL generate an automatic deviation record in the EBR whenever any critical process parameter exceeds its v"
verification: Test
sil: 2
SYS-REQ-020:
text: "The system SHALL maintain a cleaning status registry for every product-contact equipment item, updated in real-time as c"
verification: Test
sil: 3
SYS-REQ-027:
text: "The Process Control System SHALL provide a hardware-enforced manual override capability at each equipment control panel "
verification: Test
sil: 2
SYS-REQ-029:
text: "The system SHALL implement dust explosion prevention measures compliant with ATEX Directive 2014/34/EU (Equipment and pr"
verification: Test
sil: 2
VER-109:
text: "Verify SUB-REQ-065: In a qualified test environment, simulate containment integrity failure by reducing isolator pressur"
verification: Test
sil: 2
VER-111:
text: "Verify IFC-022: Interrupt the 24 VDC hardwired signal bus between the Containment Safety PLC and the HVAC Air Handling U"
verification: Test
sil: 2
VER-112:
text: "Verify end-to-end containment response chain: introduce a simulated OEB 4 API dust release at the Potent Compound Isolat"
verification: Test
sil: 2
VER-114:
text: "Verify SUB-REQ-064: Disturb cleanroom pressure by propping a pass-through door open for 10 seconds during operational co"
verification: Test
sil: 2
VER-REQ-037:
text: "The verification activity for SUB-REQ-012 SHALL apply a maintenance lock to a designated piece of equipment via the MES "
verification: Test
sil: 2
VER-REQ-038:
text: "The verification activity for SUB-REQ-014 SHALL run the MES EBR database for a simulated 4-hour production period, confi"
verification: Test
sil: 2
VER-REQ-039:
text: "The verification activity for SUB-REQ-016 SHALL execute three consecutive High Shear Granulator runs using a validated p"
verification: Test
sil: 2
VER-REQ-040:
text: "The verification activity for SUB-REQ-022 SHALL disable the PAT NIR blend-endpoint monitor (simulate sensor fault) mid-b"
verification: Test
sil: 2
VER-REQ-041:
text: "The verification activity for SUB-REQ-025 SHALL run the Rotary Tablet Press at nominal speed with instrumented punches a"
verification: Test
sil: 2
VER-REQ-044:
text: "The verification activity for SYS-REQ-005 SHALL actuate the emergency stop function via operator E-stop button, automati"
verification: Test
sil: 2
VER-REQ-045:
text: "The verification activity for SYS-REQ-006 SHALL inject simulated parameter exceedances (differential pressure exceedance"
verification: Test
sil: 1
VER-REQ-046:
text: "The verification activity for SYS-REQ-008 SHALL execute one complete product changeover sequence (cytotoxic to standard "
verification: Test
sil: 3
VER-REQ-047:
text: "The verification activity for SUB-REQ-031 SHALL deploy a primary DAC Workstation and a configured hot-standby instance i"
verification: Test
sil: 3
VER-REQ-050:
text: "The verification activity for SUB-REQ-017 SHALL execute three drying cycles with placebo granules at the product-specifi"
verification: Test
sil: 2
VER-REQ-051:
text: "The verification activity for SUB-REQ-018 SHALL install calibrated thermocouples at FBD inlet air duct and product chamb"
verification: Test
sil: 2
VER-REQ-052:
text: "The verification activity for SUB-REQ-019 SHALL run a post-drying milling cycle on a representative placebo granule batc"
verification: Test
sil: 2
VER-REQ-053:
text: "The verification activity for SUB-REQ-021 SHALL execute a complete granulation and blending campaign in the MES test env"
verification: Test
sil: 2
VER-REQ-054:
text: "The verification activity for SUB-REQ-023 SHALL activate OEB 3 compound handling mode in the test environment, execute a"
verification: Test
sil: 2
VER-REQ-056:
text: "The verification activity for the OEL/OEB containment system requirement (SYS-REQ-013) SHALL operate a production run wi"
verification: Test
sil: 2
VER-REQ-061:
text: "The verification activity for the PAT qualification enforcement requirement (SYS-REQ-018) SHALL set one PAT instrument's"
verification: Test
sil: 3
VER-REQ-062:
text: "The verification activity for the PAT power supply requirement SHALL simulate a mains power failure by switching off the"
verification: Test
sil: 3
VER-REQ-063:
text: "The verification activity for the PAT manual override requirement SHALL log in as QC Analyst role in the MES test enviro"
verification: Test
sil: 3
VER-REQ-064:
text: "The verification activity for the MES watchdog timer requirement SHALL stop the EBR processing heartbeat in the test env"
verification: Test
sil: 2
VER-REQ-065:
text: "The verification activity for the Emergency Stop recovery requirement SHALL trigger a simulated containment breach alarm"
verification: Test
sil: 2
VER-REQ-066:
text: "The verification activity for the Maintenance LOTO display requirement SHALL apply a LOTO lock to the rotary tablet pres"
verification: Test
sil: 2
VER-REQ-067:
text: "The verification activity for the Degraded Production mode real-time release block requirement SHALL activate degraded p"
verification: Test
sil: 3
VER-REQ-071:
text: "The verification activity for the Containment and Environmental Control Subsystem UPS requirement SHALL disconnect mains"
verification: Test
sil: 2
VER-REQ-075:
text: "The verification activity for SUB-REQ-048 SHALL inject a simulated airborne concentration at 85 percent of OEL into the "
verification: Test
sil: 2
VER-REQ-077:
text: "The verification activity for SUB-REQ-050 SHALL inject a cleaning validation failure result (location 7 swab result exce"
verification: Test
sil: 3
VER-REQ-078:
text: "The verification activity for SUB-REQ-051 SHALL attempt to advance an API dispensing step in the MES test environment wi"
verification: Test
sil: 3
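The two-person independent check required by SUB-REQ-051, and the failure case that VER-REQ-078 tests (trying to advance the dispensing step with the check incomplete), can be modelled as a small separation-of-duties gate. The block below is an added example, not code from the requirements set; the class names, the permitted roles, the material name and the weights are assumptions made for the illustration. The security-relevant details it enforces are that the second signature must come from a different authenticated identity, that both signers must hold an authorised role, and that the two independent readings must agree before the step can advance.

```python
"""Two-person independent check on an API dispensing step.

Added illustration of the gate in SUB-REQ-051 and the VER-REQ-078 test.
Not code from the requirements set; DispensingStep, Signature and the
role names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Roles permitted to sign a dispensing step (assumed for the example).
DISPENSING_ROLES = frozenset({"Operator", "QC Analyst"})


class DispensingError(Exception):
    """The step may not advance; an MES would log this as a deviation."""


@dataclass(frozen=True)
class Signature:
    user_id: str              # authenticated identity, not a free-text name
    role: str
    observed_weight_g: float  # the signer's own reading of the balance


@dataclass
class DispensingStep:
    material: str
    target_weight_g: float
    tolerance_g: float
    performer: Optional[Signature] = None
    verifier: Optional[Signature] = None
    advanced: bool = False

    def _check_role(self, sig: Signature) -> None:
        if sig.role not in DISPENSING_ROLES:
            raise DispensingError(f"role {sig.role!r} cannot sign dispensing")

    def sign_performed(self, sig: Signature) -> None:
        """First signature: the person who weighed the API."""
        self._check_role(sig)
        if self.performer is not None:
            raise DispensingError("performer signature already recorded")
        self.performer = sig

    def sign_verified(self, sig: Signature) -> None:
        """Second signature: an independent reading by a different person."""
        self._check_role(sig)
        if self.performer is None:
            raise DispensingError("verification requires a prior performer signature")
        if sig.user_id == self.performer.user_id:
            raise DispensingError("verifier must differ from performer")
        if abs(sig.observed_weight_g - self.performer.observed_weight_g) > self.tolerance_g:
            raise DispensingError("independent readings disagree beyond tolerance")
        self.verifier = sig

    def advance(self) -> bool:
        """Advance only with both signatures and an in-tolerance weight."""
        if self.performer is None or self.verifier is None:
            raise DispensingError("two-person check incomplete")
        if abs(self.performer.observed_weight_g - self.target_weight_g) > self.tolerance_g:
            raise DispensingError("dispensed weight outside tolerance")
        self.advanced = True
        return True


def outcome(fn, *args) -> str:
    """Run one action and report 'ok' or the refusal reason."""
    try:
        fn(*args)
        return "ok"
    except DispensingError as e:
        return str(e)


def run_scenarios() -> dict:
    """Constructed scenarios: 250.0 g target, 0.5 g tolerance, one step."""
    results = {}
    step = DispensingStep("API-X", 250.0, 0.5)
    results["advance_without_signatures"] = outcome(step.advance)
    results["perform"] = outcome(step.sign_performed, Signature("op-1", "Operator", 250.2))
    results["advance_one_signature"] = outcome(step.advance)        # the VER-REQ-078 case
    results["self_verify"] = outcome(step.sign_verified, Signature("op-1", "Operator", 250.2))
    results["wrong_role"] = outcome(step.sign_verified, Signature("vis-9", "Visitor", 250.2))
    results["verify"] = outcome(step.sign_verified, Signature("op-2", "Operator", 250.1))
    results["advance_two_signatures"] = outcome(step.advance)
    return results
```

The refusal reasons are returned rather than printed so that a verification harness can assert on them; in a real MES each refusal would also be written to the batch record as a deviation. Comparing `user_id` rather than a display name is deliberate: the independence property is only as strong as the authentication behind the two identities.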
VER-REQ-080:
text: "The verification activity for SUB-REQ-053 SHALL connect a calibrated dust concentration monitor to the FBD exhaust duct,"
verification: Test
sil: 2
VER-REQ-084:
text: "The verification activity for SUB-REQ-057 SHALL operate the PAT subsystem for 31 days in the test environment, query the"
verification: Test
sil: 3
VER-REQ-086:
text: "The verification activity for the cleaning status registry requirement (SYS-REQ-020) SHALL set equipment item A's cleani"
verification: Test
sil: 3
VER-REQ-090:
text: "The verification activity for SYS-REQ-003 SHALL inject 50 pre-characterised CQA test spectra spanning 10 nominal, 10 OOS"
verification: Test
sil: 3
VER-REQ-091:
text: "The verification activity for SYS-REQ-004 SHALL install calibrated airflow velocity probes at all access point openings "
verification: Test
sil: 2
VER-REQ-092:
text: "The verification activity for SYS-REQ-011 SHALL register an active LOTO lockout device in the MES for three separate equ"
verification: Test
sil: 2
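SUB-REQ-046 (no power-on in Maintenance mode from any source), SUB-REQ-050 (a cleaning validation result over the acceptance limit locks the equipment), SYS-REQ-020 (a real-time cleaning status registry) and the verification activities VER-REQ-086 and VER-REQ-092 all describe one piece of decision logic: a per-equipment registry that is consulted before power-on or a batch step. The block below is an added example of that logic, not code from the requirements set; the class names, status values, item names, lock identifiers and swab figures are assumptions made for the illustration. The point to notice is that the request source (HMI, PLC or remote) is recorded but never influences the decision, and that a failed swab at one location locks the whole item.

```python
"""Cleaning-status registry with Maintenance-mode and LOTO interlocks.

Added example for SUB-REQ-046, SUB-REQ-050, SYS-REQ-020 and the tests in
VER-REQ-086 / VER-REQ-092. Not code from the requirements set; the class
names, status values, item names and swab figures are assumptions.
"""
from enum import Enum


class Cleaning(Enum):
    DIRTY = "dirty"          # used since the last cleaning
    CLEANED = "cleaned"      # cleaned, validation result pending
    VERIFIED = "verified"    # every swab location within the acceptance limit
    FAILED = "failed"        # a swab exceeded the limit; locked pending re-clean


class Mode(Enum):
    PRODUCTION = "production"
    MAINTENANCE = "maintenance"


class EquipmentRegistry:
    def __init__(self, items):
        self.mode = Mode.PRODUCTION
        self.cleaning = {i: Cleaning.DIRTY for i in items}
        self.loto = {i: set() for i in items}   # active lockout device IDs

    def apply_loto(self, item, device_id):
        self.loto[item].add(device_id)

    def remove_loto(self, item, device_id):
        self.loto[item].discard(device_id)

    def record_cleaning_validation(self, item, swab_results, acceptance_limit):
        """swab_results maps swab location -> residue value; any value above
        the acceptance limit fails the item. Returns the failing locations."""
        failed = sorted(loc for loc, val in swab_results.items() if val > acceptance_limit)
        self.cleaning[item] = Cleaning.FAILED if failed else Cleaning.VERIFIED
        return failed

    def power_on_request(self, item, source):
        """Decide a power-on request. The source (HMI, PLC, remote) appears
        in the reason string but never changes the decision."""
        if self.mode is Mode.MAINTENANCE:
            return (False, f"maintenance mode: power-on via {source} refused")
        if self.loto[item]:
            return (False, f"active LOTO {sorted(self.loto[item])} on {item}")
        return (True, f"power-on via {source} permitted")

    def permit_to_run(self, item):
        """A batch step may start only on unlocked, verified-clean equipment."""
        ok, why = self.power_on_request(item, "MES")
        if not ok:
            return (False, why)
        if self.cleaning[item] is not Cleaning.VERIFIED:
            return (False, f"{item} cleaning status is {self.cleaning[item].value}")
        return (True, "run permitted")


def run_scenarios():
    """Constructed scenarios: three items, ten swab locations, limit 10.0
    (units arbitrary), three LOTO devices."""
    reg = EquipmentRegistry(["item-A", "item-B", "item-C"])
    out = {}
    swabs = {loc: 2.0 for loc in range(1, 11)}
    swabs[7] = 14.5                                  # location 7 over the limit
    out["failed_locations"] = reg.record_cleaning_validation("item-A", swabs, 10.0)
    out["run_after_failure"] = reg.permit_to_run("item-A")
    swabs[7] = 1.0                                   # re-cleaned and re-swabbed
    reg.record_cleaning_validation("item-A", swabs, 10.0)
    out["run_after_pass"] = reg.permit_to_run("item-A")
    for item, dev in (("item-A", "lock-1"), ("item-B", "lock-2"), ("item-C", "lock-3")):
        reg.apply_loto(item, dev)
    out["hmi_with_loto"] = reg.power_on_request("item-B", "HMI")
    out["run_with_loto"] = reg.permit_to_run("item-A")
    reg.remove_loto("item-A", "lock-1")
    out["run_lock_removed"] = reg.permit_to_run("item-A")
    reg.mode = Mode.MAINTENANCE
    out["remote_in_maintenance"] = reg.power_on_request("item-A", "remote")
    out["plc_in_maintenance"] = reg.power_on_request("item-C", "PLC")
    return out
```

In a deployed system the mode change and the LOTO add/remove calls would themselves be privileged, audited operations; the example leaves them as plain method calls so the interlock decisions stay visible.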
VER-REQ-094:
text: "The verification activity for SYS-REQ-002 SHALL execute a complete batch lifecycle in the MES test environment: create a"
verification: Test
sil: 2
VER-REQ-098:
text: "The verification activity for SUB-REQ-058 SHALL log in as QC Analyst in the MES test environment, trigger a CQA limit vi"
verification: Test
sil: 3
VER-REQ-099:
text: "The verification activity for SUB-REQ-059 SHALL conduct a physical inspection of the Granulation and Blending Subsystem "
verification: Test
sil: 2
VER-REQ-101:
text: "The verification activity for SUB-REQ-061 SHALL: (a) Watchdog test — suspend the MES heartbeat signal in a test environm"
verification: Test
sil: 2
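SUB-REQ-038 and SUB-REQ-061 call for a watchdog with a 30-second timeout on the EBR processing heartbeat, and VER-REQ-064 and VER-REQ-101 (a) verify it by suspending that heartbeat in a test environment. The block below is an added software model of the decision logic, not code from the requirements set; the requirements specify a hardware watchdog, and only the 30-second timeout is taken from them. The sequence-number rule, the latched trip, the authorised reset and the trip handler are assumptions made for the example. The rule that a heartbeat must carry a new sequence number matters because a hung process whose output path keeps replaying its last message would otherwise keep the watchdog fed.

```python
"""Heartbeat watchdog for the EBR processing core.

Added example modelling SUB-REQ-038 / SUB-REQ-061 and the tests in
VER-REQ-064 / VER-REQ-101 (a). Software model only; the 30 s timeout is
from the requirements, everything else here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Callable, List

TIMEOUT_S = 30.0


@dataclass
class Watchdog:
    on_trip: Callable[[float], None]   # action taken when the timeout elapses
    timeout_s: float = TIMEOUT_S
    last_kick: float = 0.0
    last_seq: int = -1
    tripped: bool = False
    log: List[str] = field(default_factory=list)

    def start(self, now: float) -> None:
        self.last_kick = now
        self.last_seq = -1
        self.tripped = False

    def heartbeat(self, now: float, seq: int) -> bool:
        """Accept a heartbeat only while not tripped and only if its
        sequence number advanced; a replayed or stale message does not count."""
        if self.tripped:
            self.log.append(f"{now:.0f}s heartbeat ignored: watchdog latched")
            return False
        if seq <= self.last_seq:
            self.log.append(f"{now:.0f}s stale heartbeat seq={seq} rejected")
            return False
        self.last_seq, self.last_kick = seq, now
        return True

    def check(self, now: float) -> str:
        """Called on every timer tick; trips once the gap reaches the timeout."""
        if self.tripped:
            return "tripped"
        if now - self.last_kick >= self.timeout_s:
            self.tripped = True
            self.on_trip(now)
            return "tripped"
        return "ok"

    def reset(self, now: float, authorised: bool) -> bool:
        """Clearing the latch is a deliberate, authorised act, never a side
        effect of the core simply resuming its heartbeat."""
        if not authorised:
            return False
        self.start(now)
        return True


def run_scenario() -> dict:
    """Constructed timeline: 5 s heartbeats, the core is suspended at t=20 s."""
    actions = []
    wd = Watchdog(on_trip=lambda t: actions.append(f"trip at {t:.0f}s"))
    wd.start(0.0)
    seq = 0
    for t in (5, 10, 15, 20):
        seq += 1
        wd.heartbeat(float(t), seq)
    out = {}
    out["replayed_seq"] = wd.heartbeat(25.0, seq)      # stuck core replays seq 4
    out["t49"] = wd.check(49.9)                          # 29.9 s since last valid kick
    out["t50"] = wd.check(50.0)                          # 30.0 s: timeout reached
    out["actions"] = list(actions)
    out["late_heartbeat"] = wd.heartbeat(51.0, seq + 1)  # core resumes; latch holds
    out["still_tripped"] = wd.check(52.0)
    out["reset_unauthorised"] = wd.reset(60.0, authorised=False)
    out["reset_authorised"] = wd.reset(60.0, authorised=True)
    out["after_reset"] = wd.check(61.0)
    return out
```

Driving the model with an injected clock value rather than the wall clock is what makes the VER-REQ-101 (a) scenario reproducible: the same timeline gives the same trip point on every run, and the `log` list shows which heartbeats were rejected and why.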
VER-REQ-104:
text: "The verification activity for SYS-REQ-027 SHALL confirm: (a) with PLC in RUN mode, pressing the manual override pushbutt"
verification: Test
sil: 2