Pharmaceutical Manufacturing Line

Rationale: FAT under controlled factory conditions allows verification of HVAC performance against cleanroom specification before GMP facility installation. Six measurement points ensure spatial uniformity is confirmed, not just average values.

Rationale: Safe state transition test is the primary SIL-2 verification method per IEC 61508-4 Section 7.4. The test must be executed with the actual safety PLC and HVAC hardware under worst-case conditions (highest process load) to be valid for the safety case.

Rationale: Integration test at the EMS-MES boundary is the minimum viable verification for a GxP data interface. Twenty consecutive trials at production load provides statistical confidence that the interface meets the 10-second latency requirement under realistic EMS polling cycles.

Rationale: Fail-safe open-circuit behaviour is a SIL-2 architectural requirement per IEC 61508. The hardwired channel cannot be verified by software simulation alone; physical disconnection testing is required to confirm the fail-safe direction and timing for the safety case.

Rationale: End-to-end system integration test validates the SIL-2 safety chain from sensor detection through logic to actuator response and data recording, as required by IEC 61508 Section 7.4 for functional safety verification. This test cannot be replaced by individual component tests because it verifies the timing of the complete chain under realistic conditions.

Rationale: IFC-023 specifies 1-second PID update cycle and 5% position tolerance. The PID response test must be performed at the physical actuator interface to confirm that the analogue 4-20 mA control loop achieves the specified accuracy under realistic HVAC load conditions.

Rationale: Pressure cascade setpoint recovery under door-disturbance is the worst-case realistic test for HVAC PID response in a pharmaceutical cleanroom. The 30-second recovery criterion is the same as the containment safe state transition budget, ensuring the HVAC can restore containment before the safety PLC would trip.

Rationale: SIL-3 H-004 safety function: CQA model latency directly determines how many OOS tablets pass before the diversion valve responds. The 2-second criterion bounds the number of tablets at risk between sensor acquisition and valve actuation at 60 RPM press speed (approximately 4 tablets per second) to fewer than 8 tablets, which is within the divertible buffer volume.

Rationale: SIL-3 H-004 safe state: the valve must reach the reject position before the next tablet reaches the accept stream. At 60 RPM press speed, tablets exit at 1-second intervals; 500ms actuation leaves a 500ms margin. The spring-return test verifies fail-safe behaviour — the hardware safety function independent of software.

Rationale: SIL-3 H-004: sensor degradation that is not detected means CQA model predictions are based on corrupted spectra, potentially releasing OOS product without triggering diversion. The 15-second detection window allows one to two press rotations before the operator is notified to switch to manual sampling mode.

Rationale: SIL-3 H-004 interface criticality: the CQA alarm is the trigger for MES to confirm diversion and lock the batch record. If the alarm is lost or delayed beyond 500ms, OOS product may enter the accept stream. The 1000-event soak test detects intermittent OPC-UA subscription failures that may not appear in short tests.

Rationale: SIL-3 H-004 interface: the acknowledgment confirms to the PAT system that the MES has registered the diversion event and locked the relevant batch record segment. Without this confirmation, the PAT system cannot determine whether a second CQA exceedance is a new event or a duplicate of the unacknowledged prior alarm.

Rationale: SIL-2 H-006 data integrity: unsigned EBR entries are inadmissible as evidence in FDA inspection and can result in consent decree or product recall. The 100% rejection criterion is absolute — no partial authentication tolerance exists under 21 CFR Part 11.50.

Rationale: SIL-2 H-007 mechanical entrapment: the LOTO restart prevention is the primary software barrier preventing a maintenance technician from being caught in moving equipment. The test must exercise the OPC-UA programmatic path — not only the HMI path — because PLC restart commands may bypass the HMI in some process recovery sequences.

Rationale: SIL-2 H-006: the SHA-256 hash chain is the technical control proving EBR entries have not been altered post-signature. The tamper detection test must use direct database manipulation rather than API manipulation because 21 CFR Part 11 treats database-level tampering as the primary threat model for electronic records.

Rationale: The end-to-end test is the definitive SIL-3 H-004 safety case evidence. Individual component tests confirm subsystem compliance but do not demonstrate that the chain functions correctly under realistic load conditions. The 3-second total budget combines the 2-second model evaluation bound plus 500ms alarm transmission plus 500ms valve actuation margin.

Rationale: Raman spectrometer performance verification confirms the instrument meets specification for blend uniformity monitoring. NIST-traceable reference materials provide measurement traceability required for GxP instrument qualification (IQ/OQ).

Rationale: Laser diffraction qualification confirms the instrument meets specification for granulation endpoint monitoring. D50 accuracy within 5% is the ICH Q8 acceptance criterion for particle size measurement in granulation development; repeatability RSD <2% meets GAMP 5 Category 3 instrument qualification requirements.

Rationale: SIL-2 H-006 safe state: when electronic records cannot be guaranteed tamper-evident, GMP requires a fallback to paper records to maintain the manufacturing record continuity required for batch release. The 30-minute window reflects the EU GMP Annex 11 requirement for backup systems to be available promptly.

Rationale: IFC-REQ-006 specifies maximum 30-second spectral data intervals and 5-second CQA model evaluation latency for the G&B-to-PAT NIR interface. The parallel-reference-spectrometer test method is chosen because it provides independent ground truth for both the data values (via certified reference spectra) and the timing (via synchronized timestamps). If this interface has latency >5 seconds under load, the PAT system receives stale LOD values and may issue false blend-endpoint signals — potentially releasing under-dried granulate with LOD above target into the IBC blender.

Rationale: Integration test to verify MES-to-G&B recipe delivery latency and EBR feedback interval under production load conditions.

Rationale: End-to-end integration test verifying the complete G&B process train produces granules meeting all CQA specifications under recipe control. This test is the minimum viable verification for GMP process validation (PV Stage 2) sign-off of the G&B subsystem.

Rationale: IBC handoff integrity is verified by inspection of the seal and genealogy record, with a negative test (blocked press start) confirming the MES access control. This matches the regulatory requirement for documented batch record evidence (21 CFR 211.182).

Rationale: IFC-REQ-002 is the primary early-warning signal for the PAT-MES CQA diversion path. Verification requires injecting a controlled degradation to confirm the OPC UA publish cycle, field completeness, and state machine transition. Failure to verify this interface could allow undetected sensor drift to produce undetected quality deviations in product.

Rationale: IFC-REQ-004 is the real-time CQA measurement stream that drives diversion decisions. End-to-end latency of the MES OPC UA subscription must be verified under live production protocol to confirm diversion is triggered within the 2-second hard limit before non-conforming material passes the diversion valve. This is the safety-critical data path for batch release.

Rationale: SUB-REQ-009 implements the 21 CFR Part 11 (Electronic Records; Electronic Signatures) requirement for tamper-evident records. This is a regulatory compliance test: FDA expects evidence that the hash chain integrity mechanism actually detects record modification. Pass/fail determines whether the batch release system meets 21 CFR Part 11 Subpart B Section 11.10(e) audit trail requirements.

Rationale: SUB-REQ-020 sets the blend uniformity acceptance criterion for IBC blending. ICH Q2(R1) (Validation of Analytical Procedures: Text and Methodology) requires offline HPLC confirmation of the NIR endpoint model during process validation. The 10-sample stratified plan is the minimum statistical design that detects a pattern-based segregation within the IBC at 95% confidence. Failure of this test would require revalidation of the blend process.

Rationale: SUB-REQ-001 defines the minimum spectral parameters of the NIR spectrometer as the primary CQA sensor. Verification of spectral range and channel count ensures the PLS chemometric model built for this instrument remains valid under the as-deployed configuration. A failure here would require re-validation of the entire NIR calibration model before the instrument can be used for batch release decisions.

Rationale: IFC-REQ-009 adds quantified performance thresholds to the degraded mode MES-PAT protocol. The 30-second MES command delivery window and CQA monitoring continuity criteria are the testable acceptance criteria for the degraded mode qualification test. Explicit pass criteria required per IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL-rated interface verification — binary pass/fail must be demonstrable. Updated per validation session 566 to resolve ambiguousReqs blocker.

Rationale: SUB-REQ-024 quantifies response times and channel-failure thresholds for the PAT degraded-mode protocol. The 5-second suspension window and ≥70% CQA throughput retention on remaining channels are the minimum performance criteria required to assure product quality surveillance is maintained during single-channel failure. Explicit pass criteria are required so the test result is binary and auditable per EU GMP Annex 11.

Rationale: EN ISO 13849-1 (Safety of machinery: Safety-related parts of control systems) Category 3 guard interlock requires Test verification with measured response times. The 200ms and 3-second thresholds derive from the maximum kinetic energy of the turret at 60 RPM and the stopping distance required to prevent punch-tip contact with an intruding hand.

Rationale: The -15 Pa containment threshold is derived from OEL 0.5 µg/m³ containment modelling per ISPE Good Practice Guide for Pharmaceutical Equipment Containment. Test verification is required because containment performance depends on actual airflow dynamics that cannot be confirmed by inspection or analysis alone.

Rationale: The 99.5% delivery rate and 500ms latency limits are derived from the in-process control response time required to detect and reject out-of-specification tablets before more than 2 tablets beyond the detected outlier pass the rejection point. Test verification is mandatory because OPC-UA message delivery performance depends on actual network configuration and cannot be demonstrated by inspection.

Rationale: Zero-drop event delivery is required for 21 CFR Part 11 (Electronic Records; Electronic Signatures) EBR completeness — any dropped rejection event could result in a non-conforming tablet escaping to the batch. The 200ms rejection response limit is derived from tablet press throughput: at 120 RPM × 60 stations, tablets exit at 120/s, so a 200ms window allows at most 24 tablets to pass the reject point after a defect is detected.

Rationale: IFC-REQ-012 requires 30-second update intervals and 60-second EBR write completion. This test validates both timing constraints under representative production load conditions, confirming that the Film Coating Subsystem to MES data channel meets GMP EBR completeness and timeliness requirements.

Rationale: IFC-REQ-013 requires a hard reject gate at the coating subsystem boundary for out-of-specification core attributes. The pass/reject test pair validates both the acceptance and rejection paths, confirming that the inter-subsystem transfer control prevents quality-compromised material from entering the coating operation.

Rationale: IFC-REQ-014 requires 100% serial number reconciliation within 5 minutes and MES block without production order. The 1,000-unit run provides a statistically representative sample for serialisation throughput. The production-order-absent negative test confirms the GMP authority control at packaging.

Rationale: IFC-REQ-015 requires a hard interlock preventing packaging without a valid release record. The dual-path test (compliant/non-compliant transfer) validates both the acceptance and blocking logic, confirming that the packaging subsystem cannot process tablets that fail coating CQA release criteria.

Rationale: IFC-REQ-016 requires a 30-second MES halt response to environmental exceedances. The timing test is critical for OEB 4/5 containment: a pressure differential loss in a potent compound area is a personnel safety event. The 30-second window must be verified under representative system load conditions to confirm the safety-critical response time is achievable.

Rationale: IFC-REQ-017 requires 60-second EBR write completion per dispensing event and a GMP deviation for >±0.5% weight deviation. The 20-operation run validates the timing requirement under representative throughput. The deliberate-exceedance test confirms the rejection gate at the GMP deviation threshold.

Rationale: IFC-REQ-018 requires a secondary identity scan at the granulation charge point to enforce the double-verification anti-mix-up protocol. The negative test (mismatched barcode) is the safety-critical path: a false-pass (allowing a wrong material into the granulator) would contaminate the entire batch. The 15-second response window is consistent with the granulation charge sequence timing.

Rationale: IFC-REQ-019 requires 24-hour advance order notification, 4-hour yield return, and an MES block without production order. These three constraints collectively enforce the GMP authority chain from ERP to MES. Each must be independently verified; the timing constraints cannot be inferred from design inspection alone.

Rationale: IFC-REQ-020 requires a closed-loop LIMS-MES release workflow with the MES blocking batch disposition until all release results are received. The pass and blocking tests together validate the two critical control points: data completeness (all results received) and data quality (passing verdict required). These cannot be validated by inspection of the interface specification alone.

Rationale: SUB-REQ-012 requires complete LOTO event logging covering all four event types. The positive-path (lock and release) tests confirm nominal logging. The override-attempt test is the safety-critical path: a false-permit on an energised machine is an H-007 mechanical entrapment hazard. SIL-2 allocation requires test-method verification, not analysis.

Rationale: SUB-REQ-014 specifies a 15-minute backup interval and 30-minute RTO. These timing requirements protect against H-006 EBR data integrity failure. The 30-minute RTO is the regulatory recovery window before a batch must be quarantined. Neither the backup interval nor the restore time can be verified by analysis of the backup architecture alone; both require measured test execution.

Rationale: SUB-REQ-016 specifies a 10-second stop-and-transfer response at granulation endpoint. Late endpoint response causes over-granulation (too dense granules), producing tablets with hardness outside specification. SIL-2 tagging requires test verification; the 10-second constraint is a real-time control loop timing requirement that cannot be demonstrated by design inspection.

Rationale: SUB-REQ-022 is the degraded-mode safety net for H-004: when PAT is unavailable, a fixed-time blend with supervisory gate prevents release of a potentially non-homogeneous batch. The supervisory authorisation gate (the safety-critical control) can only be verified by attempting blend-complete without authorisation and confirming the block. Analysis of the software design cannot substitute for this negative test.

Rationale: SUB-REQ-025 specifies a 200 ms ejection response and a ±5 kN force gate protecting product quality (H-004). A missed rejection (false negative) releases an OOS tablet; a false acceptance of a false rejection could cause a recall if it becomes systematic. The 200 ms timing requirement cannot be verified by inspection of the ejector actuator specification. Both sensitivity and specificity require physical test execution.

Rationale: SUB-REQ-029 protects against tooling fatigue fracture (a broken punch tip contaminating tablets with metal fragments — an H-007 and product quality risk). The lifecycle limit gate and the read-failure block are the two safety controls. Both require physical test execution with instrumented RFID state because wear accumulation and tag fault simulation cannot be analytically verified against the subsystem implementation.

Rationale: SUB-REQ-030 defines the tablet compression degraded-mode safe-state (reduced speed, manual sampling) that maintains product quality when one IPC channel fails. The 60% throughput limit prevents tablet production rate from outpacing manual sampling capacity. This is a real-time control response that cannot be verified by simulation analysis; all three channel failure modes must be physically induced to confirm the subsystem correctly identifies and responds to each.

Rationale: SYS-REQ-005 is the system-level emergency stop safety function covering H-001 (containment breach), H-003 (dust explosion), and H-007 (mechanical entrapment). The three timing thresholds (3/5/10 s) are safety case evidence required by IEC 61508 (Functional safety of E/E/PE safety-related systems) for SIL-2 allocation. Individual subsystem stop tests (VER-REQ-024 covers press guard interlock) do not demonstrate the system-wide coordinated stop of all drives and valves in the correct sequence. This test is the definitive system-level E-stop qualification evidence.

Rationale: SYS-REQ-006 specifies system-level 60-second alarm and 120-second halt response times for cleanroom environmental exceedances. H-005 (loss of cleanroom environmental control causing microbial contamination) is SIL-1. VER-REQ-032 tests only the IFC-REQ-016 pressure-differential interface; it does not verify the system-level temperature and humidity exceedance response times, nor confirm 100% EBR recording across all three environmental parameters. This system-level test is required for EU GMP Annex 1 environmental monitoring qualification and site inspection evidence.

Rationale: SYS-REQ-008 is SIL-3 (H-002 cross-contamination) requiring changeover cleaning to be verified with quantitative HPLC and TOC acceptance limits. IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 mandates Test verification — Demonstration is insufficient because it cannot inject a deliberate OOS swab failure to confirm the MES blocks production restart. The Test method requires: (a) a passing run confirming normal changeover workflow, (b) a forced OOS swab injection at location 7 (worst-case hopper weld seam) to confirm MES blocks next batch initiation, (c) pass criterion: TOC ≤500µg/L and swab residue ≤0.004µg/cm² at all 15 locations, with MES batch initiation blocked until all electronic signatures complete.

Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL-3 requires Test verification (not Analysis alone) for hardware fault tolerance claims. Analysis alone cannot demonstrate that the actual hardware/software implementation achieves HFT=1 — only a live failover test with timing measurements can. This VER resolves the silWithoutVer quality gate blocker and directly validates the hazard H-004 mitigation for OOS product release.

Rationale: SUB-REQ-006 is a degraded-mode safety requirement — test verification is required because timing of alert propagation and EBR logging depends on software state machine transitions that cannot be confirmed from design documentation. The 15-second detection and 30-second alert thresholds are the maximum acceptable delay before manual QC sampling begins.

Rationale: 21 CFR Part 11 and EU GMP Annex 11 require complete and accurate batch genealogy as a prerequisite for batch release. Inspection of design documentation cannot demonstrate that all genealogy linkages are captured and queryable — only a functional test can confirm end-to-end traceability.

Rationale: LOD reduction to target is a CQA for tablet dissolution and stability. Karl Fischer titration per USP 921 provides the reference measurement for GMP validation of the drying endpoint per ICH Q8. Test verification is required because drying performance depends on actual feed granule properties and equipment state.

Rationale: Inlet air temperature is a KPP for granule LOD and physical properties. The control band derives from the ICH Q8 validated design space. Test verification requires calibrated instrumentation because PID control loop response cannot be demonstrated by inspection of parameter settings.

Rationale: Granule particle size directly impacts tablet compressibility and dissolution rate. The D90 and fines acceptance criteria are derived from the compression process validated design space per ICH Q8. Laser diffraction per USP 429 is the reference technique for pharmaceutical granule sizing. Test verification is required because milling performance depends on actual feed properties and equipment wear.

Rationale: Accurate mass recording is required for 21 CFR Part 11 complete batch record and EU GMP Annex 11 data integrity. Mass balance closure is the primary control for detecting unmeasured losses indicating contamination or dispensing errors. The 0.5 percent closure limit detects single-operator dispensing errors exceeding 0.5 percent of batch size.

Rationale: OEB 3 containment is a SIL-2 requirement addressing H-001 airborne potent compound exposure. The 10-second auto-halt threshold is derived from operator dose accumulation modelling at the OEL action limit. Test verification is mandatory because containment interlock logic depends on physical sensor states and pneumatic actuation that cannot be verified by inspection.

Rationale: The every-30th-tablet sampling rate meets USP 905 content uniformity statistical power requirements. The 10-second data transmission limit ensures PAT model inputs are current — stale IPC data reduces CQA prediction accuracy. Test verification is required because sampling rate depends on IPC mechanical timing which cannot be verified from design drawings.

Rationale: SYS-REQ-013 is a SIL-2 safety requirement driving H-001 mitigation. Test verification is required to confirm the alarm propagation latency and EBR logging are consistent with actual system behaviour under simulated exposure conditions.

Rationale: The appropriate verification for data completeness and format compliance is Analysis against the ICH Q8 data requirements checklist. This confirms the EBR structure meets regulatory filing requirements without requiring a live regulatory submission.

Rationale: EU Delegated Regulation 2016/161 compliance requires functional integration with the national EMVS. Test verification against the EMVS test repository is the only way to confirm correct data format and successful API communication with the external system.

Rationale: EN ISO 13849-1 PL determination is a structured analytical process, not a physical test. The PL calculation methodology using MTTFd, DCavg, and CCF per ISO 13849-1 is the accepted verification method for Machinery Directive 2006/42/EC compliance. Analysis is the correct verification type for this standards-based calculation.

Rationale: OEE calculation accuracy cannot be confirmed by inspection of the calculation algorithm alone — it requires end-to-end verification that data collection from all subsystems feeds the OEE calculation correctly. The plus or minus 2 percent tolerance is within measurement uncertainty for a 24-hour production window.

Rationale: SYS-REQ-018 is a SIL-3 requirement addressing H-004 OOS product release. The enforcement of PAT calibration as a real-time release gate must be verified by Test — it cannot be confirmed by inspection because the block depends on runtime status flag evaluation in the MES workflow engine.

Rationale: SUB-REQ for PAT power supply directly supports SIL-3 hazard H-004 mitigation. The 4-hour UPS runtime must be verified by actual battery discharge test — design specifications for UPS capacity cannot substitute for a live runtime test under actual load conditions.

Rationale: The manual override is a SIL-3 safety function — it must be restricted to qualified personnel and fully audit-trailed. Test verification is required because role-based access control enforcement depends on runtime identity and authorisation logic that cannot be confirmed by inspection of configuration settings alone.

Rationale: The MES watchdog is a SIL-2 autonomous system safety control. Test verification is required because watchdog timer logic depends on actual heartbeat timing and state machine transitions — design documentation review cannot confirm the watchdog fires correctly under real failure conditions.

Rationale: Emergency Stop mode exit is a SIL-2 safety gate for H-001 and H-007 hazards. Test verification of the QA sign-off enforcement is mandatory — the effectiveness of an access control gate cannot be demonstrated by inspection of the workflow configuration. The 30-minute clearance period and QA sign-off requirement are both testable pass/fail criteria.

Rationale: The LOTO display and enforcement during Maintenance mode is a SIL-2 safety requirement for H-007 prevention. OSHA 29 CFR 1910.147 requires energy control procedures to be verified — inspection of LOTO registry configuration alone cannot demonstrate that all three command paths are blocked. Testing all three command paths is critical because single-channel protection is insufficient for SIL-2.

Rationale: Blocking real-time release in degraded mode is an H-004 mitigation. The 2-second block response time and 60-second quarantine automation deadline are the minimum performance criteria required for this test to be meaningful. Zero false-pass events (real-time release succeeding in degraded mode) is the absolute safety criterion. Three consecutive runs confirm the control is not intermittent. Numeric criteria added per validation session 566.

Rationale: The 200ms EPO response is a direct contributor to H-007 safe state (equipment de-energised). Measurement of actual de-energisation time by oscilloscope is required because design specifications for contactor response times have manufacturing tolerances that may result in slower actual response. The MES LOTO log entry is required for 21 CFR Part 11 audit completeness.

Rationale: Power supply voltage deviation affects both the HSG impeller speed (granule endpoint CQA) and FBD heating performance (LOD CQA). Test verification requires actual voltage measurement at distribution boards — design specifications cannot account for cable voltage drops and transformer loading effects in the installed facility.

Rationale: Film coating power consumption logging is required for OEE calculation accuracy. The 15 percent tolerance accounts for coating load variability across batches. EPO test is required for H-001 safe state confirmation during coating of potent compounds.

Rationale: The containment UPS runtime is a SIL-2 safety function for H-001 mitigation during power failure. Battery runtime must be verified by actual discharge test — manufacturer UPS capacity ratings do not account for actual connected load and battery ageing in the installed system.

Rationale: Physical installation and access control measures for the MES server are verifiable by Inspection — they are observable physical characteristics that do not require functional testing. The 90-day access log retention directly supports 21 CFR Part 11 audit trail requirements for the physical location housing the EBR system.

Rationale: Startup mode entry gate enforcement is a quality assurance control preventing production on unqualified equipment. Test verification requires injecting each blocking condition individually and in combination to confirm the MES enforcement logic is comprehensive. Inspection of workflow configuration alone cannot confirm all conditions are evaluated.

Rationale: The Degraded mode quarantine gate is an H-004 mitigation control. The 60-second automated quarantine deadline and the 2-second reject response for unauthorised release attempts are the quantified performance criteria required to confirm the control works under operational timing conditions. Zero bypass events is the absolute criterion — the sign-off gate must never fail. Numeric thresholds added per validation session 566 to resolve ambiguousReqs blocker.

Rationale: H-001 is a SIL-2 hazard. Test verification with timing measurements is required for all four automated responses. Design analysis alone cannot confirm actual pneumatic valve actuation and HVAC damper response times match specified values.

Rationale: Air monitoring frequency and data export format compliance cannot be confirmed by inspection of system configuration alone — actual data logging rate must be measured across a 24-hour period to confirm no gaps. Export format validation ensures regulatory inspection accessibility.

Rationale: Automatic quarantine on cleaning validation failure is a H-002 SIL-3 mitigation. Test verification is required to confirm the automatic quarantine trigger and dual notification path are both functional — inspection of workflow configuration cannot confirm the actual message routing and quarantine state enforcement.

Rationale: Two-person API dispensing verification is a 21 CFR Part 211 critical step control for H-002. Test verification must confirm both the enforcement of two distinct operator identities and the role authorisation requirement. These are runtime EBR workflow controls that cannot be verified by inspection.

Rationale: Metal detection performance cannot be verified by equipment specification review alone — actual detection sensitivity depends on tablet mass, line speed, and detector calibration. Testing with 0.5mm particles at known positions confirms the worst-case detection scenario for the punch-tip fragment size most likely to result from tooling breakage.

Rationale: H-003 dust explosion prevention is a SIL-2 safety function. Test verification with a calibrated dust monitor and timed response measurement is required. The 25 percent LEL detection threshold and 10-second response time must be confirmed under actual process conditions — design specifications for sensor sensitivity and pneumatic valve response times may differ from installed performance.

Rationale: Vision inspection at 100 percent confidence is a final critical quality gate before product release. Test verification with known defect types and zero false-reject tolerance is required because vision system performance depends on lighting, tablet colour, and line speed factors that vary with product. The EBR logging requirement ensures rejected pack traceability for batch disposition.

Rationale: LIMS-MES integration latency determines real-time release cycle time. The 30-second receipt and 5-minute result return SLAs must be verified by end-to-end integration test — interface configuration review cannot confirm actual network latency and system processing time under production load conditions.

Rationale: Batch review report SLA and PDF/A format compliance must be verified by a functional end-to-end test. The 15-minute SLA is a business process requirement for same-shift review. PDF/A validity requires format-level testing with a standards-compliant validator — design review cannot confirm PDF/A compliance in the generated output.

Rationale: The 30-day PAT audit log retention is a SIL-3 H-004 data integrity control. Tamper-evidence verification requires attempting a modification and confirming it is rejected — inspection of technical controls alone cannot confirm tamper-evidence effectiveness. The CSV export confirmation is required for regulatory inspection accessibility.

Rationale: Deviation record generation latency must be confirmed by functional test because it depends on real-time EBR write performance under production load. The 10-minute SLA is a patient safety and regulatory compliance requirement under ICH Q10.

Rationale: Cleaning registry enforcement is a SIL-3 H-002 mitigation. Test verification confirms the enforcement gate is functional across the full status lifecycle (expired, cleaning in progress, confirmed clean). Runtime state evaluation cannot be confirmed by inspection of database schema design.

Rationale: Shift handover enforcement is a 21 CFR Part 11 process control. Test verification confirms the MES workflow gate is enforced correctly for the specific scenarios where handover is most critical — active deviations and in-progress batches. Design review of workflow configuration cannot confirm runtime gate enforcement.

Rationale: OEE dashboard accessibility and display correctness is confirmed by Demonstration — a functional walkthrough of the dashboard with known input values. This complements VER-REQ-069 (OEE calculation accuracy test) by confirming the display layer and alerting logic are functional.

Rationale: SYS-REQ-007 system-level batch genealogy is a 21 CFR Part 211 and EU GMP Annex 15 requirement. Test verification of end-to-end genealogy requires an actual production campaign to confirm all data linkages are created correctly across all subsystem interfaces. Design review of database schema cannot confirm that all subsystem integration points populate genealogy records.

Rationale: SYS-REQ-003 is the system-level PAT/CQA requirement covering the safety-critical chain from spectrum acquisition through diversion actuation, addressing SIL-3 H-004. A system-level test with representative sample types is required because individual subsystem tests do not confirm the integrated acquisition-evaluation-actuation chain behaves correctly end-to-end.

Rationale: SYS-REQ-004 is a SIL-2 H-001 safety requirement. Test verification with physical airflow measurement is required by COSHH regulations to confirm the negative pressure isolation is effective under actual production conditions. Design analysis of HVAC specifications cannot confirm in-situ airflow velocities with production equipment in place.

Rationale: SYS-REQ-011 is a SIL-2 H-007 safety requirement — preventing energisation of equipment during maintenance. Test verification with three equipment types and three restart methods confirms the LOTO interlock is implemented uniformly across the system, not just for the specific configurations tested at subsystem level (VER-REQ-007, VER-REQ-037, VER-REQ-066).

Rationale: SYS-REQ-001 is the primary production capacity requirement derived from STK-REQ-001. Test verification requires a full-shift production run to confirm all subsystem throughput contributions combine to meet the system-level target; static analysis of individual subsystem rates cannot confirm dynamic bottlenecks are absent.

Rationale: SYS-REQ-002 covers EBR data integrity and electronic signature enforcement under 21 CFR Part 11 and EU GMP Annex 11. The original Inspection method is insufficient for a SIL-2 H-006 data integrity requirement — Test is required to confirm the hash chain, access controls, and backup intervals function correctly under actual system load.

Rationale: SYS-REQ-009 implements the PAT Sensor Drift ConOps scenario — degraded mode must maintain minimum throughput while protecting product quality. Test verification confirms the mode transition, throughput floor, and supervisor notification all occur within the required time bounds under actual system load.

Rationale: SYS-REQ-010 implements EU FMD and DSCSA serialisation requirements at system level. Test verification requires a production-representative run because barcode reject rate is a statistical metric that cannot be confirmed by inspection of the print-and-verify station in isolation from the full packaging line.

Rationale: SYS-REQ-012 defines the system-level tablet quality rejection criteria. Test verification with deliberate OOS samples per acceptance criterion confirms the rejection logic is implemented for all specified parameters, not just the ones tested at subsystem level. The L1 AV segment rejection is an additional system-level control not covered by individual tablet rejection tests.

Rationale: SUB-REQ-058 is a SIL-3 H-004 safety constraint on the PAT autonomous diversion function. Test is required to confirm the signature gate, duration limit, and automatic restoration all function correctly under operational conditions.

Rationale: SUB-REQ-059 is SIL-2 tagged (G&B containment subsystem contributes to H-002 cross-contamination mitigation via OEB 4 transfer connection integrity). IEC 61508 SIL-2 requires Test verification for safety-critical installation requirements — Inspection alone cannot confirm that the sealed IBC transfer connections withstand operating pressures and do not leak fine powder. The Test method adds: (d) pneumatic pressure integrity test of each ANSI/ISPE OEB 4-compatible transfer connection at 0.7 bar dry-air for 30 seconds with zero detectable powder leakage (leak detector ≤1×10⁻⁶ mbar·L/s). Inspection checks (material certificates, environmental certificate, sensor heights) are retained as Pass criteria (a)-(c) within the same Test protocol.

Rationale: SUB-REQ-060 specifies the PCS power integrity constraints that protect batch execution during utility interruptions. Test verification with physical mains disconnection is the only method that can confirm the 30-minute autonomy period, the 2-second alarm response, and the voltage regulation simultaneously — these are measurable performance parameters that cannot be confirmed by Inspection or Analysis alone. PCS power continuity is an enabler for the MES heartbeat (SUB-REQ-061) and the safe-state transition sequence.

Rationale: SUB-REQ-061 is a SIL-tagged safety requirement covering the MES watchdog timer and operator E-STOP — both are safety-critical functions for the Emergency Stop operating mode. IEC 61511 (Functional Safety — Safety Instrumented Systems for the Process Industry Sector) requires Test verification for SIL-rated functions; Analysis or Inspection alone cannot demonstrate that the actual hardware/software combination meets the 30-second watchdog timeout and 10-second E-STOP response. The HVAC failsafe confirmation is critical because HVAC exhaust mode is the H-001 containment breach safe state.

Rationale: SUB-REQ-062 governs physical sensor placement and material certification — Inspection is the correct method as the requirement is verified by physical presence, position measurement, and certificate review, not by dynamic testing. The commissioning inspection is conducted against installation drawings and GMP qualification records and forms part of the Installation Qualification (IQ) package per ISPE Baseline Guide Volume 5 (Commissioning and Qualification).

Rationale: SYS-REQ-026 specifies sensor accuracy requirements (±1 Pa, ±0.3°C, ±2% RH) and calibration intervals. These tolerances must be demonstrated by calibration test against traceable reference standards — instrument specification alone does not demonstrate field accuracy after installation. ISO 17025-accredited calibration records provide the regulatory evidence required for GMP instrument qualification.

Rationale: SYS-REQ-027 specifies hardware-enforced overrides and 250ms E-stop response. The 250ms timing must be measured with an oscilloscope on the power circuit — software timing logs are insufficient because software failure is the scenario being mitigated. Testing with PLC in RUN mode confirms override works under normal software conditions; hardware bypass test (direct relay input) confirms override is independent of software state. EN ISO 13849-1 requires demonstrated performance level for safety-related control functions.

Rationale: SYS-REQ-023 (operator override capability, 21 CFR Part 11, 60-minute auto-restore) was identified as having no VER trace in the validation session. The override function is safety-relevant because suspension of automated diversion without audit trail creates H-004 (OOS product release) risk. Test verification is required to confirm: (1) electronic signature cannot be bypassed, (2) auto-restore timeout functions correctly, and (3) audit trail is complete per 21 CFR Part 11 requirements.

Rationale: SYS-REQ-022 is a facility layout inspection requirement (ISO 7/Grade C cleanrooms). Inspection is the appropriate verification method since compliance is demonstrated by facility qualification certificates and physical walkthrough, not by instrument test. EU GMP Annex 1 requires documented environmental classification for each cleanroom zone.

Rationale: SYS-REQ-025 specifies physical sensor mounting positions (0.8-1.2m height, three DP boundaries). Inspection is appropriate as sensor placement is verified by physical measurement during commissioning. No VER trace existed prior to this session.

Rationale: SYS-REQ-028 specifies the physical attributes of the environmental monitoring rack (IP54, stainless steel, location in classified area, UPS connection, 4-20mA channels). Inspection is the appropriate verification method: physical attributes are confirmed by inspection and review of material certificates rather than by instrument testing. The inspection record provides the documentary evidence required for GMP facility qualification.

Rationale: Network isolation and access control for safety-critical OT systems cannot be fully tested at the system level without risk of disrupting live production. Inspection of documented architecture and security assessment, combined with targeted authentication testing, provides the required verification for a safety-functional cybersecurity requirement.