System Requirements Specification (SyRS) — ISO/IEC/IEEE 15289 — Specification | IEEE 29148 §6.2–6.4
Generated 2026-03-27 — UHT Journal / universalhex.org
| Standard | Title |
|---|---|
| EN 14034 | — |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-4 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61511 | Functional safety — Safety instrumented systems for the process industry sector |
| IEC 62061 | Safety of machinery — Functional safety of safety-related control systems |
| IEC 62443-3-3 | System security requirements and security levels |
| IEC 62443-4-2 | Industrial communication networks — Network and system security |
| ISO 10993 | — |
| ISO 13320 | — |
| ISO 13849-1 | Safety of machinery — Safety-related parts of control systems — General principles for design |
| ISO 13850 | — |
| ISO 14644-1 | — |
| ISO 14644-2 | — |
| ISO 19005 | — |
| ISO 7 | — |
| ISO 7731 | — |
| ISO 8 | — |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| COSHH | Control of Substances Hazardous to Health |
| DSCSA | Drug Supply Chain Security Act |
| EARS | Easy Approach to Requirements Syntax |
| EMA | European Medicines Agency |
| EU | European Union |
| FMD | Falsified Medicines Directive |
| HFT | Hardware Fault Tolerance |
| IFC | Interface Requirements |
| IQ | Installation Qualification |
| LEL | Lower Explosion Limit |
| LIMS | Laboratory Information Management System |
| OEE | Overall Equipment Effectiveness |
| OEL | Occupational Exposure Limit |
| PAT | Process Analytical Technology |
| PCS | Process Control System |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The manufacturing line SHALL achieve a minimum Overall Equipment Effectiveness (OEE) of 75% during Normal Production mode, measured over a rolling 30-day production period. Rationale: Production Supervisor and Plant Manager stakeholder need: 75% OEE is the pharmaceutical industry minimum acceptable threshold for commercial viability; falling below this threshold jeopardises product supply continuity and plant economics. Derived from Normal Production Campaign scenario (300,000 tablets/day ibuprofen campaign). | Test | idempotency:stk-pharma-oee-001 |
| STK-REQ-002 | The manufacturing line SHALL maintain electronic batch records (EBRs) that fully comply with FDA 21 CFR Part 11 and EU Annex 11, providing a complete, unbroken audit trail for every production batch from material receipt to product release. Rationale: FDA/EMA Regulatory Inspector stakeholder need: 21 CFR Part 11 and Annex 11 are mandatory legal requirements for electronic records in pharmaceutical manufacturing. An incomplete audit trail constitutes a critical GMP deficiency that can trigger a warning letter, consent decree, or product recall. Derived from Electronic batch record data integrity failure hazard. | Inspection | idempotency:stk-pharma-ebr-002 |
| STK-REQ-003 | The manufacturing line SHALL perform continuous real-time in-process quality monitoring using Process Analytical Technology (PAT) instruments, with automatic batch diversion when any critical quality attribute (CQA) exceeds its acceptance limit. Rationale: QC Analyst stakeholder need: real-time PAT monitoring prevents out-of-specification product from reaching patients. Automatic diversion on CQA breach eliminates the latency of offline laboratory testing. Derived from Out-of-specification dosage form released to market hazard and PAT Sensor Drift Degraded Operation scenario. | Test | idempotency:stk-pharma-pat-003 |
| STK-REQ-004 | The manufacturing line SHALL maintain containment integrity for potent compounds with Occupational Exposure Limit (OEL) below 1 µg/m³, achieving an airborne concentration at operator breathing zone of less than 10% of OEL during all production, maintenance, and changeover operations. Rationale: EHS Officer stakeholder need: potent compound airborne exposure is the primary occupational health risk in pharmaceutical manufacturing. MoP basis: OEB 1-5 classification scale is the industry-standard banding system defined in ISPE Risk-MaPP Baseline Guide and referenced in EMA (European Medicines Agency) Guideline on Setting Health Based Exposure Limits; OEL banding requires corresponding containment strategy per COSHH Regulation 7 engineering controls hierarchy. | Test | reqs-eng-session-566 |
| STK-REQ-005 | When an emergency condition is detected, the manufacturing line SHALL achieve a full controlled stop of all process equipment within 10 seconds, isolating energy sources and securing product-contact surfaces. Rationale: EHS Officer and Production Supervisor stakeholder need: 10-second emergency stop time is consistent with machinery safety directive EN ISO 13850 performance level requirements for pharmaceutical equipment in GMP environments. Slow emergency stop risks operator injury and product contamination. Derived from Emergency Stop mode and Tablet Press Mechanical Jam Failure scenario. | Test | idempotency:stk-pharma-estop-005 |
| STK-REQ-006 | The manufacturing line SHALL comply with EU GMP Annex 1 (for sterile areas if applicable), EU GMP Annex 15 (validation), FDA Guidance on Process Validation, and ICH Q10 pharmaceutical quality system requirements throughout its operational lifecycle. Rationale: FDA/EMA Regulatory Inspector stakeholder need: compliance with GMP regulations is a legal prerequisite for product release; non-compliance results in regulatory action up to facility closure. Derived from Pharmaceutical regulatory compliance framework entity. | Inspection | idempotency:stk-pharma-gmp-006 |
| STK-REQ-007 | The manufacturing line SHALL support validated product changeover procedures that achieve cross-contamination residue levels below 10 ppm (API to API) or the toxicological threshold of 0.1% of minimum daily therapeutic dose of the previous product, whichever is lower. Rationale: QC Analyst and Production Supervisor stakeholder need: cross-contamination limits are defined by MACO (Maximum Allowable Carry-Over) calculations per EMA cleaning validation guideline. Exceeding these limits causes drug product adulteration. Derived from Cross-contamination between drug products hazard and Product Changeover Cleaning Validation scenario. | Test | idempotency:stk-pharma-changeover-007 |
| STK-REQ-008 | The manufacturing line SHALL integrate with the external drug serialisation system to apply unique identifiers to 100% of saleable units and report serialisation data compliant with EU FMD (Delegated Regulation 2016/161) and US DSCSA (21 USC 360eee) within 24 hours of packaging completion. Rationale: FDA/EMA Regulatory Inspector stakeholder need: serialization is a legal requirement for drug traceability and anti-counterfeiting. Failure to serialize 100% of units within 24 hours creates regulatory violations and prevents product distribution. Derived from Drug serialization and track-and-trace system external entity. | Test | idempotency:stk-pharma-serial-008 |
| STK-REQ-009 | When a non-critical equipment fault or PAT sensor degradation is detected, the manufacturing line SHALL maintain production capability at a minimum of 50% nominal throughput while operating under enhanced manual in-process testing protocols, until the fault is rectified. Rationale: Production Supervisor stakeholder need: partial production capability prevents complete supply chain disruption during minor equipment faults. 50% minimum throughput is the commercial viability threshold for continued manufacturing against urgent patient supply orders. Derived from Degraded Production mode and PAT Sensor Drift scenario. | Test | idempotency:stk-pharma-degraded-009 |
| STK-REQ-010 | The manufacturing line SHALL maintain bidirectional traceability of all raw materials, intermediates, and finished product, enabling complete batch genealogy reconstruction — identifying all equipment, operators, and materials involved in any given batch — within 4 hours of a recall investigation request. Rationale: GMP Material Handler and Regulatory Inspector stakeholder need: bidirectional traceability is required by FDA 21 CFR 211.188 and EU GMP Chapter 4. The 4-hour reconstruction requirement aligns with FDA CDER recall assessment timelines; failure to produce genealogy delays field corrections and increases recall scope. | Test | idempotency:stk-pharma-traceability-010 |
| STK-REQ-011 | While operating in Normal Production mode, the manufacturing line SHALL maintain cleanroom conditions at ISO Class 7 (EU GMP Grade C, ≤352,000 particles ≥0.5µm/m³) with positive pressure differential of at least 15 Pa relative to adjacent unclassified areas. Rationale: QC Analyst and EHS Officer stakeholder need: ISO Class 7 is the minimum cleanroom classification required for tablet and capsule manufacturing under EU GMP. Positive pressure prevents particulate ingress. Loss of pressure differential is a critical GMP excursion requiring batch investigation. Derived from Cleanroom environmental control failure hazard. | Test | idempotency:stk-pharma-cleanroom-011 |
| STK-REQ-012 | The manufacturing line SHALL provide documented lockout/tagout (LOTO) procedures and physical isolation points for all energy sources on every equipment unit, achieving a machinery safety performance level of PLd per EN ISO 13849-1 for guard interlocking circuits. Rationale: Equipment Maintenance Technician and EHS Officer stakeholder need: LOTO is required by OSHA 29 CFR 1910.147 and EU Machinery Directive 2006/42/EC. PLd is the minimum performance level for pharmaceutical equipment with medium frequency use and moderate injury severity. Derived from Tablet press mechanical entrapment hazard. | Inspection | idempotency:stk-pharma-loto-012 |
| STK-REQ-013 | The manufacturing line SHALL produce finished drug products that comply with pharmacopoeial specifications for tablet hardness, disintegration, dissolution, content uniformity (AV ≤ 15.0 for L1 per Ph.Eur./USP), and potency (98.0–102.0% label claim) for 100% of released batches. Rationale: Patient stakeholder need: pharmacopoeial compliance directly ensures patient safety and therapeutic efficacy. AV ≤ 15.0 at Stage 1 and potency 98-102% are USP/Ph.Eur. release criteria; out-of-range product poses direct patient harm risk including under-dosing and over-dosing. This is the terminal quality gate for all manufactured product. | Test | idempotency:stk-pharma-product-quality-013 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The system SHALL operate the production sequence — from raw material dispense through granulation, blending, compression, and packaging — at a nominal throughput of 300,000 tablets per shift (12-hour shift), with OEE tracked continuously by the MES and reported hourly. Rationale: Derived from STK-001 (OEE ≥ 75%). 300,000 tablets/12-hour shift is the system design capacity from the Normal Production Campaign scenario; OEE tracking is the mechanism by which compliance with the 75% OEE threshold is measured and demonstrated. | Test | idempotency:sys-pharma-throughput-001 |
| SYS-REQ-002 | The system SHALL generate, execute, and archive electronic batch records (EBRs) with electronic signatures, access controls, audit trails, and backup intervals not exceeding 15 minutes, with record integrity verified by cryptographic hash on every write operation. Rationale: Derived from STK-002 (21 CFR Part 11 / EU Annex 11 EBR compliance). Cryptographic hashing on every write and 15-minute backup intervals are the technical controls that satisfy data integrity requirements. 15-minute interval ensures a maximum of 15 minutes of data loss in a catastrophic failure, meeting typical GMP data recovery expectations. | Test | session-564, validation, ver-method-upgraded, ebr, 21cfr11, sil-2, h-006 |
| SYS-REQ-003 | The system SHALL acquire PAT sensor data (NIR, Raman, laser diffraction) at a minimum sample interval of 30 seconds, evaluate CQA models within 5 seconds of acquisition, and actuate automatic batch diversion valves within 2 seconds of a CQA limit exceedance. Rationale: Derived from STK-003 (real-time PAT with automatic diversion). 30-second sampling ensures sufficient time resolution for blend uniformity and granule size monitoring. 5-second model evaluation and 2-second actuation give a total response latency of 7 seconds, which is within the 10-second diversion window before the affected material exits the process vessel. | Test | idempotency:sys-pharma-pat-003 |
| SYS-REQ-004 | The system SHALL maintain negative pressure isolation in potent compound processing enclosures (OEB 4/5 compounds, OEL < 1 µg/m³) with a minimum inward airflow velocity of 0.5 m/s at all open access points, continuous real-time airborne particle monitoring at operator breathing zone, and automatic enclosure lockdown when particle concentration exceeds 20% of OEL alarm threshold. Rationale: Derived from STK-REQ-004 (OEL containment integrity) and H-001 airborne potent compound exposure hazard. MoP basis: 0.5 m/s inward airflow specification derived from EU GMP Annex 1 (2022) Section 4.6 (negative pressure room design for hazardous substances) and COSHH (Control of Substances Hazardous to Health) Regulation 7 engineering control hierarchy; -50 Pa minimum pressure differential consistent with ISPE Risk-MaPP (Baseline Guide for Risk-Based Manufacture of Pharmaceutical Products) OEB 4 containment strategy. | Test | reqs-eng-session-566, h-001 |
| SYS-REQ-005 | When an emergency stop is triggered (by operator actuator, interlock, or automatic safety function), the system SHALL de-energise all drive systems within 3 seconds, close all product-transfer valves within 5 seconds, and achieve full equipment standstill within 10 seconds. Rationale: Derived from STK-005 (emergency stop ≤ 10 seconds) and EN ISO 13850. 3-second drive de-energisation and 5-second valve closure are the subsystem-level allocations of the 10-second total emergency stop time budget. These values are achievable with standard pneumatic valve actuators and safety-rated drive modules. | Test | idempotency:sys-pharma-estop-005 |
| SYS-REQ-006 | While in Normal Production mode, the system SHALL continuously monitor cleanroom differential pressure, temperature (20±2°C), and relative humidity (45±5% RH), generating an alarm within 60 seconds of any parameter exceeding its alert limit, and a production halt within 120 seconds of any parameter exceeding its action limit. Rationale: Derived from STK-011 (ISO Class 7 cleanroom maintenance) and Cleanroom environmental control failure hazard. 60-second alert and 120-second action response times align with EU GMP Annex 1 environmental monitoring expectations. Temperature and humidity affect granule moisture content and tablet hardness; action limits require production halt to protect batch quality. | Test | lint-ack-ontological-mismatch, session-565, lint-ack-normal-production-mode-not-physical, session-567, h-005 |
| SYS-REQ-007 | The system SHALL record and maintain a full batch genealogy database linking every finished product unit to its input raw material lot numbers, equipment IDs, process parameter logs, and operator IDs, enabling recall scope determination for any batch within 4 hours. Rationale: Derived from STK-010 (material traceability). The genealogy database is the technical implementation of bidirectional traceability; it must be queryable to reconstruct batch history within FDA CDER 4-hour recall assessment window. All equipment IDs, operator IDs, and material lot numbers must be captured in real-time during processing. | Test | idempotency:sys-pharma-genealogy-007 |
| SYS-REQ-008 | The system SHALL guide operators through validated cleaning procedures during product changeover, verify cleaning completion via rinse water TOC analysis (≤ 500 µg/L TOC) and swab sampling, and prevent restart of the next production campaign until all cleaning verification steps are electronically signed and recorded in the EBR. Rationale: Derived from STK-007 (cross-contamination limits) and Product Changeover Cleaning Validation scenario. TOC ≤ 500 µg/L is the ICH Q3C Class 2 solvent threshold used as a surrogate for cleaning verification; electronic sign-off lock prevents operator bypass. The EBR lock is the enforcement mechanism ensuring cleaning validation is never skipped. | Test | idempotency:sys-pharma-changeover-008 |
| SYS-REQ-009 | When the PAT subsystem enters sensor-degraded mode, the system SHALL automatically switch to manual in-process testing mode with sampling every 15 minutes, maintain production at ≥ 50% nominal throughput, and alert the Production Supervisor with a prominent EBR annotation, within 30 seconds of sensor degradation detection. Rationale: Derived from STK-009 (degraded production at ≥ 50% throughput) and PAT Sensor Drift Degraded Operation scenario. 15-minute manual sampling interval is the maximum interval consistent with EU GMP in-process testing requirements in the absence of continuous PAT monitoring. 30-second notification ensures operator awareness before manual testing regime begins. | Test | idempotency:sys-pharma-degraded-009 |
| SYS-REQ-010 | The system SHALL apply 2D DataMatrix barcodes encoding a unique serial number, GTIN, lot number, and expiry date to 100% of saleable units at the packaging line, with a barcode verification reject rate of less than 0.5% and aggregation data uploaded to the external serialization system within 2 hours of packaging lot completion. Rationale: Derived from STK-008 (EU FMD / US DSCSA serialization). GS1 DataMatrix is the mandated barcode standard under EU FMD Delegated Regulation 2016/161. 0.5% reject rate is the equipment supplier performance specification; 2-hour upload window satisfies the 24-hour regulatory reporting window with margin for data review. | Test | idempotency:sys-pharma-serialization-010 |
| SYS-REQ-011 | The system SHALL enforce electronic lockout verification for maintenance activities, preventing equipment restart while any active lockout device is registered, and logging all LOTO events with operator ID, timestamp, and equipment ID in the EBR. Rationale: Derived from STK-012 (LOTO PLd) and Tablet press mechanical entrapment hazard. Electronic lockout verification adds a software layer to physical LOTO that prevents inadvertent restart by a second operator; EBR logging creates the GMP evidence trail required for OSHA compliance and incident investigation. | Test | idempotency:sys-pharma-loto-011 |
| SYS-REQ-012 | The system SHALL enforce an automated in-process rejection of any tablet with weight outside ±5% of target, hardness outside specification range, or thickness outside ±2% of target, and shall reject the entire production segment when content uniformity AV exceeds 15.0 on L1 sampling. Rationale: Derived from STK-013 (pharmacopoeial specification compliance). Weight ±5%, hardness, and thickness ±2% are in-process control (IPC) limits defined in the product master batch record; automated rejection eliminates human judgment errors in OOS handling. AV > 15.0 triggers mandatory L2 retest or batch rejection per USP 905. | Test | idempotency:sys-pharma-product-quality-012 |
| SYS-REQ-013 | The system SHALL maintain worker occupational exposure below the compound-specific Occupational Exposure Limit (OEL) by enforcing the OEB containment strategy defined in the compound safety data sheet, and generating an alarm when airborne monitoring exceeds 80% of the OEL action limit. Rationale: Worker protection from potent compound exposure is a primary stakeholder requirement (H-001, H-003). OEL compliance is mandated by COSHH (Control of Substances Hazardous to Health Regulations 2002) and OSHA 29 CFR 1910.1000 PEL requirements. The 80 percent alarm threshold provides a response window before the OEL action limit is breached. | Test | reqs-eng-session-566, h-001 |
| SYS-REQ-014 | The system SHALL support process validation per ICH Q8 (Pharmaceutical Development) and ICH Q11 (Development and Manufacture of Drug Substances) by recording all critical process parameters (CPPs), critical quality attributes (CQAs), and key process indicators (KPIs) for every batch in a retrievable electronic format suitable for prospective and concurrent validation programmes. Rationale: ICH Q8 requires that CPPs and CQAs be identified, monitored, and documented as part of the validated design space. This system-level requirement ensures the manufacturing line generates the data required for regulatory filings (NDA, MAA). Analysis verification is appropriate because compliance with data completeness and format requirements can be demonstrated by reviewing the EBR data structure against ICH Q8 guidance. | Analysis | session-562, validation, process-validation, ich-q8, idempotency:session562-sys-process-validation-014 |
| SYS-REQ-015 | The system SHALL comply with EU Delegated Regulation 2016/161 (Falsified Medicines Directive) requirements for unique identifier placement, tamper-evident device application, and verification and decommissioning of unique identifiers at point of supply, and SHALL integrate with national medicines verification systems via the EMVO EMVS API. Rationale: EU Delegated Regulation 2016/161 is a legal requirement for all prescription medicines placed on the EU market from 9 February 2019. Non-compliance results in inability to sell product in EU. Test verification requires a connection to the EMVS test repository to confirm that serialisation data is correctly formatted and accepted by the external system. | Test | session-562, validation, serialisation, eu-fmd, regulatory, idempotency:session562-sys-eu-delegated-regulation-015 |
| SYS-REQ-016 | The system SHALL implement machine safety controls compliant with EN ISO 13849-1 (Safety of machinery — Safety-related parts of control systems) for all rotating and moving equipment, achieving a minimum Performance Level d (PLd) for guard interlocks, emergency stops, and LOTO verification functions, with proof test intervals documented in the safety case. Rationale: SIL-2 IEC 61508 requirements mandate that safety functions — not just their design documents — be verified by test. EN ISO 13849-1 (Safety of machinery: safety-related parts of control systems) compliance analysis (PLr, MTTFd, DC calculations) establishes the design meets the required performance level, but the safety functions themselves (E-stop response, guard interlock, brake engagement) must be tested under realistic operating conditions to demonstrate the actual realised performance level. Verification by Analysis alone is insufficient for SIL-2 functional safety claims. | Test | session-562, validation, machine-safety, en-iso-13849, sil-2, idempotency:session562-sys-en-iso-13849-016, h-007 |
| SYS-REQ-017 | The system SHALL calculate and display Overall Equipment Effectiveness (OEE) per the SEMI E10 equipment productivity standard, updated at least every 4 hours, decomposed into Availability, Performance, and Quality components, and SHALL generate an alert when OEE for any subsystem falls below 75 percent for more than one production shift. Rationale: OEE tracking is a primary stakeholder requirement for production efficiency. The SEMI E10 standard provides an unambiguous OEE calculation methodology. The 75 percent threshold is the industry benchmark for world-class pharmaceutical manufacturing. Test verification is required because OEE calculation accuracy depends on the integration of downtime, speed loss, and quality rejection data streams from multiple subsystems. | Test | session-562, validation, oee, production-efficiency, idempotency:session562-sys-oee-tracking-017 |
| SYS-REQ-018 | The system SHALL enforce PAT qualification procedures per FDA Process Analytical Technology Guidance (2004) and ICH Q8, requiring calibration verification of all PAT instruments against certified reference materials before each campaign, with calibration status logged in the EBR and any out-of-calibration instrument triggering automatic suspension of real-time release. Rationale: FDA PAT Guidance requires that PAT instruments be calibrated and their performance verified before use. An out-of-calibration PAT instrument that continues to drive real-time release decisions would constitute a data integrity failure (H-004). Test verification confirms that the calibration check workflow triggers correctly and that real-time release is actually suspended when calibration status is invalid. | Test | session-562, validation, pat, calibration, sil-3, h-004, idempotency:session562-sys-pat-qualification-018 |
| SYS-REQ-019 | The system SHALL generate an automatic deviation record in the EBR whenever any critical process parameter exceeds its validated specification limit, linking the deviation to the affected batch, the out-of-specification measurement, the subsystem responsible, and the time of occurrence, with the record available for QA Manager review within 10 minutes of the exceedance event. Rationale: Automatic deviation record generation at the point of CPP exceedance is required by ICH Q10 (Pharmaceutical Quality System) to ensure no exceedances are missed in manual batch review. The 10-minute availability target ensures the QA Manager can make a real-time batch hold decision before additional product is produced under the exceedance conditions. | Test | session-562, validation, mes, deviation, sil-2, idempotency:session562-sys-auto-deviation-record |
| SYS-REQ-020 | The system SHALL maintain a cleaning status registry for every product-contact equipment item, updated in real-time as cleaning activities are performed, and SHALL prevent assignment of any equipment with an expired or unconfirmed clean status to a new batch record, providing an explicit status reason to the operator when assignment is blocked. Rationale: Equipment cleaning status control is a primary H-002 cross-contamination mitigation. An equipment item with expired clean status that is inadvertently assigned to a new batch would result in potential cross-contamination without detection. Test verification confirms the assignment block is enforced across all equipment status states and the reason is communicated clearly. | Test | session-562, validation, mes, changeover, sil-3, h-002, idempotency:session562-sys-cleaning-registry |
| SYS-REQ-021 | The system SHALL provide a production supervisor handover capability in the MES, enabling the outgoing supervisor to formally close their shift in the EBR with an electronic signature, documenting any in-progress deviations, out-of-specification results, and equipment status, and preventing the next shift from starting new operations until the incoming supervisor has reviewed and acknowledged the handover record. Rationale: Structured shift handover with EBR documentation prevents loss of critical operational context between shifts. The Tablet Press Jam ConOps scenario occurs on night shift — unresolved deviations from the previous shift that are not formally documented at handover could result in incorrect batch disposition decisions. | Test | session-562, validation, mes, handover, 21cfr11, idempotency:session562-sys-shift-handover |
| SYS-REQ-022 | The Pharmaceutical Manufacturing Line SHALL be installed in a GMP-compliant facility comprising a minimum of four classified cleanrooms: a weigh booth (ISO 7 / Grade C), a granulation and compression area (ISO 8 / Grade D), a coating and packaging area (ISO 8 / Grade D), and a quality control laboratory; with an equipment footprint not exceeding 800 m² and physical access controlled by HVAC pressure cascade and electronic interlocks. Rationale: Physical facility and layout constraints for the manufacturing line are required by EU GMP Annex 1 and FDA 21 CFR Part 211 to ensure product quality, containment, and cleanroom classification are maintained. The specification of classified rooms and controlled access is not derivable from functional requirements alone and must be explicitly stated to support facility qualification activities. | Inspection | session-565, facility, physical-layout, lint-fix-lh3, idempotency:ses565-mfg-line-physical-layout |
| SYS-REQ-023 | While in Normal Production mode, the system SHALL provide an operator override capability allowing a qualified Production Supervisor or QC Analyst to suspend automated batch diversion, IPC rejection, or PAT-triggered alarms, subject to mandatory electronic signature per 21 CFR Part 11, a maximum override duration of 60 minutes before automatic restoration, and audit trail entry recording the operator identity, override reason, and duration. Rationale: Normal production mode executes batch logic semi-autonomously; any autonomous control system operating in a regulated pharmaceutical environment must have a defined human-in-the-loop override per FDA guidance on computer-aided manufacturing and IEC 61508 requirements for Functionally Autonomous systems with SIL classification. The 60-minute limit prevents indefinite bypass of safety functions while allowing short-term operational decisions. | Test | session-565, normal-production, override, functionally-autonomous, lint-fix-lh4, lint-fix-lh8, idempotency:ses565-np-mode-override |
| SYS-REQ-025 | The physical sensors and instruments implementing environmental monitoring during normal production SHALL be mounted within the manufacturing line cleanroom bays, with differential pressure transmitters installed at each controlled room boundary, temperature and humidity probes at product exposure height, and all sensor housings constructed from 316L stainless steel meeting ISO 8 cleanroom installation standards. Rationale: Specifying the physical location and construction of sensors implementing the normal production environmental monitoring requirement (SYS-REQ-006) is needed to support facility qualification documentation. Physical embodiment of the monitoring function during normal production must be defined separately from the functional monitoring requirement. | Inspection | session-565, normal-production, sensors, physical-embodiment, idempotency:ses565-np-sensors-v2 |
| SYS-REQ-026 | The system SHALL provide a dedicated physical cleanroom monitoring network comprising calibrated differential pressure transmitters (range 0–100 Pa, accuracy ±1 Pa), temperature transmitters (range 15–30°C, accuracy ±0.3°C), and relative humidity transmitters (range 30–70% RH, accuracy ±2% RH), wired to the Environmental Control Subsystem PLC via 4–20 mA loops, with all instruments calibrated against ISO 17025-accredited standards at intervals not exceeding 12 months. Rationale: SYS-REQ-006 requires continuous monitoring of cleanroom differential pressure, temperature, and humidity during Normal Production mode. This requirement defines the physical sensor infrastructure required to fulfil that monitoring obligation. EU GMP Annex 1 (Manufacture of Sterile Medicinal Products) and ISO 14644-2 (Cleanrooms and associated controlled environments — Monitoring) specify instrument accuracy requirements. The 12-month calibration interval is consistent with GMP instrument qualification norms. Resolves lint finding: 'normal production lacks Physical Object trait but has physical embodiment'. | Test | session-, validation, cleanroom, environmental, physical-embodiment, lint-fix, idempotency:ses566-sys-cleanroom-physical-embodiment |
| SYS-REQ-027 | The Process Control System SHALL provide a hardware-enforced manual override capability at each equipment control panel that allows an operator to de-energise any individual equipment actuator independently of software state, and SHALL accept Emergency Stop commands from any safety relay input within 250 milliseconds regardless of software execution state or PLC program mode. Rationale: The PCS is classified as Functionally Autonomous (controlling equipment without continuous human input) per EN ISO 13849-1 (Safety of machinery — Safety-related parts of control systems). Autonomous control systems require hardware-level safety overrides that cannot be defeated by software failure — IEC 61508 (Functional safety of E/E/PE safety-related systems) clause 7.4.2 requires manual overrides for SIL-2 systems. The 250ms E-stop response is the maximum reaction time that limits rundown energy in tablet press and granulator applications. This resolves the lint finding: 'process control system is Functionally Autonomous but has no safety/override constraints'. | Test | session-566, validation, process-control-system, safety-override, lint-fix, sil-2, idempotency:ses566-sys-pcs-manual-override |
| SYS-REQ-028 | While in Normal Production mode, the system SHALL be housed within a GMP-compliant equipment rack or panel enclosure (IP54 or better, stainless steel housing) that physically integrates the Environmental Monitoring System controller, the SCADA PCS I/O modules, and the 4–20 mA signal conditioning hardware for at least three differential pressure transmitters (weigh booth, granulation bay, coating/packaging bay boundaries), RTD temperature probes, and capacitive humidity sensors at 0.8–1.2 m above finished floor level in each classified bay; the rack SHALL be installed within the manufacturing line classified area and connected to the clean power UPS supply specified in SYS-REQ-007. Rationale: Lint finding: 'normal production' concept (hex 40B53A50) lacks Physical Object trait but SYS-REQ-006 imposes physical monitoring constraints. This requirement provides the physical embodiment specification for the environmental monitoring infrastructure that executes during Normal Production mode, resolving the ontological mismatch. Derived from SYS-REQ-006 (cleanroom monitoring parameters and response times) and consistent with SYS-REQ-025 (sensor mounting) and SYS-REQ-026 (4–20 mA loop infrastructure). EU GMP Annex 1 mandates continuous environmental monitoring in classified zones during production. | Inspection | session-567, validation, lint-fix-lintHigh, normal-production, physical-embodiment, idempotency:session567-sys-normal-production-physical-embodiment |
| SYS-REQ-029 | The system SHALL implement dust explosion prevention measures compliant with ATEX Directive 2014/34/EU (Equipment and protective systems intended for use in potentially explosive atmospheres) for all enclosed powder processing equipment (granulator, mill, blender, tablet press hopper, dust extraction ducting), including continuous LEL monitoring with automatic equipment de-energisation at 25% LEL, nitrogen inerting capability for high-risk enclosures, and explosion venting or suppression on all vessels exceeding 0.1 m³ volume. Rationale: H-003: Fine pharmaceutical powder (API and excipient particles <100 µm) in enclosed equipment with ignition sources (motors, static discharge, hot surfaces) creates a dust explosion hazard. ATEX Directive 2014/34/EU mandates equipment classification and protection measures. The 25% LEL trigger provides a 4:1 safety margin per EN 14034. Nitrogen inerting reduces oxygen below the Limiting Oxygen Concentration. SIL 2 allocation reflects catastrophic severity with rare frequency. | Test | system, sil-2, h-003, safety, session-2, idempotency:sys-pharma-dust-explosion-h003-2 |
| SYS-REQ-030 | The Process Control System (PCS) network SHALL be isolated from enterprise IT networks by a firewall or unidirectional security gateway, implementing network segmentation per IEC 62443-3-3 (Industrial communication networks — IT security) Security Level 2, with no direct internet connectivity, and SHALL enforce role-based access control with individual user authentication for all HMI and engineering workstation access. Rationale: The PCS executes SIL-2 safety functions (LOTO enforcement per SYS-REQ-016) and controls potent compound containment (SYS-REQ-004). Cyber intrusion could bypass safety interlocks, release hazardous compounds, or corrupt batch records. IEC 62443-3-3 SL-2 provides the minimum mitigations for industrial control systems with potential safety consequences. Network isolation prevents lateral movement from enterprise IT systems, a common OT attack vector. | Inspection | session-549, qc, cybersecurity, pcs, idempotency:sys-pcs-cybersecurity-session-549 |
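As an added example, not part of this SyRS or any project code, the following acceptance check covers the network isolation clauses of SYS-REQ-030: a small policy linter over a zone/conduit ruleset that flags enterprise-to-PCS traffic bypassing the gateway/DMZ conduit, any direct PCS internet path, conduits into the PCS zone that are not service-restricted, and a missing default deny. The zone names, the `Rule` format and both sample rulesets are constructed assumptions, not the facility's actual firewall policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall/gateway rule in a constructed zone-based format."""
    src_zone: str   # assumed zone names: "enterprise", "dmz", "pcs", "internet", "any"
    dst_zone: str
    service: str    # e.g. "opc-ua", "https", "any"
    action: str     # "allow" or "deny"


PROTECTED_ZONE = "pcs"  # the Process Control System network of SYS-REQ-030


def isolation_findings(rules):
    """Return a list of findings; an empty list means the ruleset satisfies the
    isolation clauses of SYS-REQ-030 as modelled here (IEC 62443-3-3 zone and
    conduit segmentation, no direct internet connectivity for the PCS)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        zones = {r.src_zone, r.dst_zone}
        if PROTECTED_ZONE in zones and "internet" in zones:
            findings.append(f"PCS has a direct internet path: {r}")
        if PROTECTED_ZONE in zones and "enterprise" in zones:
            findings.append(f"enterprise<->PCS traffic bypasses the gateway/DMZ conduit: {r}")
        if PROTECTED_ZONE in zones and r.service == "any":
            findings.append(f"conduit touching the PCS zone is not service-restricted: {r}")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.service == "any"
            and last.src_zone == "any" and last.dst_zone == "any"):
        findings.append("ruleset does not end in an explicit default deny")
    return findings


# Constructed sample rulesets (not from the facility).
COMPLIANT = [
    Rule("pcs", "dmz", "opc-ua", "allow"),        # historian replication through the DMZ
    Rule("enterprise", "dmz", "https", "allow"),  # enterprise reads the DMZ historian only
    Rule("any", "any", "any", "deny"),            # explicit default deny
]
NONCOMPLIANT = [
    Rule("enterprise", "pcs", "any", "allow"),    # direct engineering access from IT
    Rule("pcs", "internet", "https", "allow"),    # vendor remote support straight to the internet
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, isolation_findings(rules) or "OK")
```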
| Source | Target | Type | Description |
|---|---|---|---|